Caution With MS13-061 !!

Posted on August 16, 2013 by kohi10

Microsoft has pulled its MS13-061 Exchange patch. After reports of content damage to Exchange Server 2013 after deployment, Microsoft has withdrawn the MS13-061 update for Exchange Server released this past Tuesday. MS013-61 is very important because it allows someone to send an email and get arbitrary code to run on the Exchange server itself. It’s already publicly disclosed so expect the bad guys to move on this quickly.

Problems do not affect Exchange Server 2007 or 2010 and Microsoft says that those versions can proceed with testing and deployment. In the meantime, they have removed the patch from Windows Update and other distribution systems.

Knowledge Base article KB2874216 explains the problem in more detail and provides remediation guidance.

Problems:

The content index (CI) for mailbox databases shows “Failed” on the affected server.
The Microsoft Exchange Search Host Controller service is missing.
You see a new service that is named “Host Controller service for Exchange.”

The KB article describes 2 registry key changes to make. After rebooting the server, the problem should be bypassed.

That is 2 months in a row that MS has pulled a buggy patch back from distribution.

Busy Day For Patches

Posted on February 14, 2012 by kohi10

Happy Valentines Day everyone. Our vendors are bringing us the gifts of security vulnerability patches. Lots of them. Yes, it’s extra work for our IT teams, but removing these vulnerabilities could mean that we all get to keep our jobs, and remain in business. I was hearing on the news today that Nortel is now coming clean regarding the fact that hackers 0wn3d their network for roughly 10 years, with full and complete access to everything.

Wonder how they got that?

Where is Nortel today? Something to think about…

Microsoft released the expected batch of 9 patches:

MS12-008: Critical Remote Code Execution Vulnerabilities in Windows Kernel-Mode Drivers
MS12-009: Important Elevation of Privilege Vulnerabilities in Ancillary Function Driver
MS12-010: Critical Cumulative Security Update for Internet Explorer
MS12-011: Important Elevation of Privilege Vulnerabilities in Microsoft SharePoint
MS12-012: Important Remote Code Execution Vulnerability in Color Control Panel
MS12-013: Critical Remote Code Execution Vulnerability in C Run-Time Library
MS12-014: Important Remote Code Execution Vulnerability in Indeo Codec
MS12-015: Important Remote Code Execution Vulnerabilities in Microsoft Visio Viewer 2010
MS12-016: Critical Remote Code Execution Vulnerabilities in .NET Framework and Silverlight (This one I would recommend holding off on, as Microsoft is expected to re-release after identifying a “metadata (logic) error”.)

Microsoft has also released Update Rollup 1 for Exchange Server 2010 SP2 http://www.microsoft.com/download/en/details.aspx?id=28809 to the Download Center.

Adobe released 2 Security Bulletins:

APSB12-02: Critical Security update available for Adobe Shockwave Player. This update addresses critical vulnerabilities in Adobe Shockwave Player 11.6.3.633 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
APSB12-04: Important Security update available for RoboHelp for Word. This update addresses an important vulnerability in RoboHelp 9 (or 8) for Word on Windows. A specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word.

There have also been vulnerabilities and patches announced for Mozilla Thunderbird, Firefox, and an as yet unpatched local exploit POC code release for Yahoo Instant Messanger 11.5.

UPDATE: Oracle released also patches fixing 14 vulnerabilities in:

JDK and JRE 7 Update 2 and earlier
JDK and JRE 6 Update 30 and earlier
JDK and JRE 5.0 Update 33 and earlier
SDK and JRE 1.4.2_35 and earlier
JavaFX 2.0.2 and earlier

http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

Start planning, testing, and patching, folks.

14 Patches Coming From Microsoft For February

Posted on February 3, 2012 by kohi10

Microsoft will release 14 bulletins for next Tuesday’s update.

3 items are rated “critical” and 11 are rated as “important”.

All three critical items deal with remote code execution vulnerabilities in Windows.
The important rated bulletins consist of vulnerabilities in Windows, Office, IE, Media Player and Publisher.
- Seven remote code execution vulnerabilities
- Three elevation of privileges issues
- One information disclosure flaw

Get ready to drop some patches next week. These remote code execution vulnerabilities will only remain “important” for as long as it takes to reverse engineer the patch code and identify the changes. After that, they become critical.

Microsoft Prepares Threat Intelligence Service

Posted on January 12, 2012 by kohi10

ThreatPost reports that Microsoft is testing a new service to distribute information from captured botnets and other sources to partners, including foreign governments, Computer Emergency Response Teams (CERTs) and private corporations.

Microsoft expects to offer three realtime feeds, which third parties could access for free. Organizations would provide Microsoft with information on their IT infrastructure, such as an IP address block that they own. Microsoft would then filter its threat feed by that information, supplying subscribers with data relevant to their infrastructure. Companies could use the data to look for malware infections, or correlate data on botnet hosts with data on click fraud and other scams. CERTs might be interested in threats relevant to their region. Microsoft hopes this service will also help smaller organizations battle large, powerful, global botnets, lowering the cost of monitoring and responding to infections. The company wouldn’t give a timeline for the real time threat feed.

Despite the proliferation of “Bad Microsoft, just fix your code” comments on the ThreatPost site, I see this personally as the right track to take given the current state of things, and applaud the moxy Microsoft is showing in the battle against malware. Yes, Microsoft and EVERY other vendor needs to constantly improve their code and coding practices. Blah blah blah. What will NEVER happen is one day we will wake up and all code will be impervious to attack and exploitation. We have yet to perfect human creativity, and we are light years away from producing unflawed anything. Give it a rest.

My concerns with this I hope are addressed before Microsoft opens the feed-gates. How will the data that is captured from botnet command and control servers, and I suspect from data repositories associated with those C&Cs be managed? Will it be handed over intact, leaving anyone infected subject to their own personal wiki-leaks in reverse (Government gets your goodies), or will it be properly sanatized to protect individual privacy? How will this data cleansing be made transparent? I trust everybody at the table, as long as I can cut the cards and watch the deal…

ASP.NET Attack Code Published

Posted on January 11, 2012 by kohi10

Well, that didn’t take long, did it? Aren’t you glad you took the advice of so many security bloggers and patched December’s out-of-cycle Microsoft ASP.NET Web development platform vulnerability?

Exploit code for the recently patched denial-of-service (DoS) vulnerability has been published online, increasing the risk of potential attacks.

Webmasters who maintain ASP.NET Web applications should deploy the patches in Microsoft’s MS11-100 security bulletin immediately if they haven’t already done so. The patch also addresses other ASP.NET vulnerabilities as well.

http://www.networkworld.com/news/2012/011012-attack-code-published-for-serious-254730.html

January 2012 Microsoft Patches

Posted on January 10, 2012 by kohi10

Happy New Year, and here are the first significant Microsoft security patches for 2012.

This month’s patch batch contains 7 new Microsoft Security Bulletins.

MS12-001	Windows Kernel SafeSEH Bypass Vulnerability	MS12-001 Introduces a new “Security Impact” type to the Microsoft Bulletins, “Security Feature Bypass”. This issue is a bypass of the SafeSEH setting on software compiled with Microsoft Visual C++ .NET 2003. In order to make use of it, there must also be a vulnerability in your compiled software. The bypass exists within Windows, and compiled software will not need to be recompiled.
MS12-002	Object Packager Insecure Executable Launching Vulnerability	MS12-002 Similar to the DLL preloading attack, except with Executables rather than DLLs, which means SafeDllSearchMode cannot help mitigate this issue. The issue applies to Microsoft Publisher (.PUB) files, where an attacker could place a malicious file in the same directory as a .PUB file.
MS12-003	CSRSS Elevation of Privilege Vulnerability	MS12-003 Affects the Windows Client Server Runtime Subsystem (CSRSS) on double-byte (Unicode) locale (such as Chinese, Japanese, or Korean system locales). Keep in mind that the locale on any system can be changed, so this patch should be applied regardless of the current locale.
MS12-004	DirectShow Remote Code Execution Vulnerability	MS12-004 This patch contains two fixes for all except Windows 7 systems. One for DirectShow.
MS12-004	MIDI Remote Code Execution Vulnerability	One for the Windows Multimedia Library. This is the only critical patch for the month, providing a potential drive-by vector related to MIDI files.
MS12-005	Assembly Execution Vulnerability	MS12-005 This patch fixes an issue related to malicious EXEs deployed as a ClickOnce application and embedded within Office Documents.
MS12-006	SSL and TLS Protocols Vulnerability	MS12-006 This patch fixes the well known “BEAST” vulnerability. Apply this patch as soon as possible.
MS12-007	AntiXSS Library Bypass Vulnerability	MS12-007 This patch resolves a bypass in the Microsoft AntiXSS Library similar to MS12-001. Although this should be in the new “Security Feature Bypass” category, the impact is considered Information Disclosure. Again when combined with a flaw in the website that lies behind the AntiXSS library, this vulnerability could be dangerous.

As always, these patches should be tested and implemented as quickly as possible.

Microsoft Sues UK Retail Chain For Pirating Windows

Posted on January 5, 2012 by kohi10

ComputerWorld reports that Microsoft is suing a UK retail electronics chain for selling Windows recovery discs to customers, claiming that the practice amounts to piracy. I think that they are going to be challenged to make a strong case. It will be interesting to see how this one unfolds.

Microsoft accuses Comet Group PLC of illegally copying Windows XP and Vista to create operating system recovery discs. These copies were then sold to Windows desktop and laptops cutomers in 2008 and 2009. Comet, operating about 250 UK stores, believes it was on solid legal ground.

Comet approached 95,000 PC customers over a 2 year period, and offered to sell them unnecessary recovery discs, according to Microsoft’s anti-piracy legal team. The recovery software was already provided on the hard drive by the computer manufacturer.

The total take for Comet from this exercise is estimated at about 2.2 million dollars. Not bad.

So is Comet just fulfilling a need that Microsoft has stopped providing in order to cut costs, or does Comet have some accountability or obligation for controlling how these recovery CDs are used after sale? My understanding is that Microsoft’s own VAR agreement states that these CDs can be provided by the reseller “for a nominal fee”. Is $25 a nominal fee? If the recovery software is on the hard drive, does that preclude the VAR’s abaility to collect the nominal fee and distribute the CDs? What’s your take on this?

Microsoft Out-of-Cycle Patches Released

Posted on December 29, 2011 by kohi10

Uh-oh. Looks liek Microsoft has announced a substantial “out-of-cycle” patch release for today. There are at least 4 Critical patches, and 10 that are rated as Important. 10 of the patches are for Remote Code Execution, and the remainder are for Elevation of Privilege. They are all over the map, from IE, to Office, to Windows Kernel.

That ought to keep any IT New Years merriment to a minimum. Get in there and patch ’em, ASAP. Take this seriously, it is out-of-cycle, a large patch bundle, and I personally believe, conservatively rated by the vendor.

http://technet.microsoft.com/en-us/security/bulletin/ms11-dec

Continue reading →

Denial of Service Vulnerability in ASP.NET

Posted on December 29, 2011 by kohi10

Detailed information has been published describing a new method to exploit hash tables, known as hash collision attacks. These attacks are not specific to Microsoft technologies and affect other web service software providers as well. This particular vulnerability affects all versions of Microsoft .NET Framework and could allow for an unauthenticated denial of service attack on servers that serve ASP.NET pages.

Sites that only serve static content or disallow dynamic content types are not vulnerable. The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision. It is possible for an attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition.

Microsoft is not aware of any active attacks, but detailed information about the attack methodology is available. Details of a workaround to help protect sites against this vulnerability are provided in this article. Individual implementations for sites using ASP.NET will vary. Evaluate the impact of the workaround for applicability to your implementations.

Microsoft Tuesday for December

Posted on December 13, 2011 by kohi10

Happy Microsoft Tuesday. Here we go, as expected, 14 patches for 20 vulnerabilities. There are many Remote Code Execution vulnerabiities in this lot, and many of them have received a rating of Improtant because they were responsibly disclosed to the vendor.

Remember, this rating is time sensitive, because as soon as the patches are available, the reverse engineering clock starts ticking. It takes a matter of hours, not days, to figure out what was patched, and with that information, it is trivial to figure out how to exploit it. I would recommend applying this months’ patches as quickly as possible to avoid seeing your resources attacked, abused, and stolen.

Ripped right off of the Microsoft site: http://technet.microsoft.com/en-us/security/bulletin/ms11-dec