April 2013 Super Tuesday
Posted by YongChuan Koh on April 09, 2013 at 1:36 PM EDT.
The Microsoft security update for April is relatively 'light' in terms of impact. Of the nine bulletins, only two are rated 'Critical' and seven are rated 'Important'. KB2828223 addresses a single use-after-free in RDP while (not surprisingly) KB2817183 addresses two use-after-free vulnerabilities in IE. I am still waiting for the day when IE is not affected in the monthly MS update :)
KB2828223: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution
This vulnerability exists in mstscax.dll when it tries to access a deleted object. The RDP ActiveX control can easily be loaded in a web page, so users are advised to exercise caution while browsing. Remote Desktop Connection 6.0, 6.1 and 7.0 clients are affected.
KB2817183: Cumulative Security Update for Internet Explorer
This bulletin covers CVE-2013-1303 and CVE-2013-1304. Both are use-after-free vulnerabilities leading to remote code execution and affect IE 6-10. However, the 0-days that Vupen used at Pwn2Own 2013 are still unpatched. Perhaps next month? Nonetheless, this update should still be applied to all systems immediately.
IBM X-Force 2012 Annual Trend & Risk Report has been released!
Posted by Leslie Horacek on March 27, 2013 at 9:16 AM EDT.
Key highlights in the IBM X-Force 2012 Trend & Risk Report
March 2013 Super Tuesday Update
Posted by Zubair Ashraf on March 12, 2013 at 1:31 PM EDT.
After a quite busy Patch Tuesday last month, and a lot of browser updates in the last week, this month's MS Patch Tuesday is pretty usual. We have a few critical Remote Code Execution vulnerabilities being patched in IE, with an exploit for CVE-2013-1288 being publicly available.
One interesting update is MS13-027, which fixes a vulnerability in the USB driver. This vulnerability enables anyone who can get a malicious USB device plugged into the system to execute arbitrary code in kernel mode. This attack vector has been exploited in the past, especially in targeted attacks. I would like to take this opportunity to emphasize the importance of user education on this and other safe practices.
So there you have it, a pretty short entry for Patch Tuesday. Until next time, have a safe time, and remember it's not a good idea to plug untrusted USB drives into your system. If somebody from the audience (a fan of yours) asks you for a copy of your presentation at a conference and hands you a USB drive, thank him for his interest and let him download your slides from your own or the conference's website.
February 2013 Super Tuesday Update
Posted by YongChuan Koh on February 12, 2013 at 3:42 PM EST.
The Microsoft security update for February is huge; there are five 'Critical' and seven 'Important' bulletins covering 57 CVEs. Among these, KB2792100 (Critical, Internet Explorer) addresses 13 CVEs and KB2778344 (Important, Windows Kernel-Mode Drivers) addresses 30 CVEs. It seems that these two components remain an attractive target for attackers. There are two bulletins for IE: one for DOM parsing and the other for VML.
Here is a summary of the critical updates, which I feel should be applied to affected systems immediately.
- MS13-009 (KB2792100) Cumulative Security Update for Internet Explorer
The majority of the 13 CVEs covered in this bulletin are use-after-free vulnerabilities leading to remote code execution, and they affect IE 6-10. This update should be applied to all systems immediately. As a second line of defense, users are also encouraged to use browsers with sandboxing capabilities to limit the impact.
- MS13-010 (KB2797052) Vulnerability in Vector Markup Language Could Allow Remote Code Execution
The single vulnerability in this bulletin exists in the way IE handles VML objects, leading to memory corruption. It affects IE 6-10. Users have to be persuaded to visit a malicious web page. This update should be applied to all systems immediately.
- MS13-011 (KB2780091) Vulnerability in Media Decompression Could Allow Remote Code Execution
This bulletin addresses a single publicly reported vulnerability in the decompression of media content in Microsoft DirectShow. The media content could be either a crafted media file (e.g. .MPG) or streaming content. Attackers could also embed such malicious files in Office documents and web pages to reach more victims. This update should be applied immediately.
- MS13-012 (KB2809279) Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution
This bulletin addresses two publicly disclosed vulnerabilities, the more severe of which allows remote code execution in Microsoft Exchange Server. These vulnerabilities are in the Outlook Web App (OWA) WebReady Document Viewing feature, which uses Oracle's Outside In technology to render some file formats. This update should be applied immediately.
- MS13-020 (KB2802968) Vulnerability in OLE Automation Could Allow Remote Code Execution
This bulletin addresses a single privately reported vulnerability in OLE Automation affecting only Windows XP SP3. However, the malicious OLE content can be embedded in Office documents, WordPad documents and web pages, so users should still be cautious and apply this update immediately.
January 2013 Super Tuesday Update
Posted by Zubair Ashraf on January 09, 2013 at 10:32 AM EST.
Let's start with the first Patch Tuesday of 2013. Microsoft's January 2013 Security Advance Notification has been made publicly available. The vendor has released 7 bulletins covering 12 CVEs today, which variously affect Microsoft Windows, Office and .NET Framework, Developer Tools and Server Software. Two of the bulletins are rated by Microsoft as critical and five as important. We encourage customers to refer to the notification for additional information.
There are several interesting issues to talk about today.
As you may be aware, the holiday week was not really quiet: we saw targeted attacks exploiting a previously unknown vulnerability in IE 6, 7 and 8.
The vulnerability does not affect IE 9 and 10. Metasploit has also released a POC exploit for it. Microsoft released a FixIt for this vulnerability, which reputable sources claim can be bypassed. Microsoft is not releasing a patch for it in today's release.
As a mitigation factor we would recommend looking into deploying Microsoft's Enhanced Mitigation Experience Toolkit (also known as EMET).
Then we have MS13-006, which fixes a man-in-the-middle attack scenario: the attacker can downgrade the SSL version being used to SSLv2 and then exploit a known weakness in SSLv2. We issue SSLv2_Detected as an audit signature when we detect SSLv2 traffic. We strongly recommend blocking SSLv2 entirely (if you have not done so already). As a bonus, blocking SSLv2 also makes PCI and other security audits much simpler.
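To show what an SSLv2 audit check like the one described above has to look for, here is an added example (not IBM X-Force's SSLv2_Detected signature and not from the original post) that classifies a captured ClientHello by its record format: a real SSLv2 hello, a legacy v2-format hello that only advertises TLS, or a proper SSLv3/TLS record. The sample records are constructed inline.

```python
# Added example, not IBM X-Force's SSLv2_Detected signature: classify one
# captured ClientHello by record format and flag SSLv2 traffic.
from typing import Dict, Optional

def parse_sslv2_client_hello(data: bytes) -> Optional[Dict]:
    """Parse an SSLv2-format CLIENT-HELLO record; return None if it is not one."""
    # 2-byte v2 record header has the high bit set; message type 0x01 = CLIENT-HELLO
    if len(data) < 11 or not data[0] & 0x80 or data[2] != 0x01:
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    version = (data[3] << 8) | data[4]          # 0x0002 = SSLv2, 0x0300+ = SSLv3/TLS
    cs_len = (data[5] << 8) | data[6]           # cipher specs, 3 bytes each
    sid_len = (data[7] << 8) | data[8]
    chal_len = (data[9] << 8) | data[10]
    if rec_len != 9 + cs_len + sid_len + chal_len or len(data) < 2 + rec_len:
        return None                             # truncated or inconsistent lengths
    specs = data[11:11 + cs_len]
    ciphers = [specs[i:i + 3] for i in range(0, cs_len - cs_len % 3, 3)]
    # SSLv2-only ciphers have a non-zero first byte (e.g. 01 00 80 = RC4_128_WITH_MD5);
    # TLS ciphers carried in a v2-format hello are encoded as 00 xx yy.
    v2_only = [c.hex() for c in ciphers if c[0] != 0x00]
    return {"record": "sslv2", "version": version, "v2_ciphers": v2_only}

def is_tls_client_hello(data: bytes) -> bool:
    """Recognise an SSLv3/TLS handshake record (type 0x16) carrying a ClientHello."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

def classify_client_hello(data: bytes) -> str:
    """Audit verdict for one ClientHello: 'sslv2', 'v2-compat', 'tls' or 'unknown'."""
    hello = parse_sslv2_client_hello(data)
    if hello is not None:
        # Real SSLv2 if the client speaks version 2 or offers v2-only ciphers; a v2-format
        # hello advertising only TLS is legacy compatibility, still worth flagging.
        if hello["version"] == 0x0002 or hello["v2_ciphers"]:
            return "sslv2"
        return "v2-compat"
    return "tls" if is_tls_client_hello(data) else "unknown"

# Constructed sample records (not real captures).
SSLV2_HELLO = (bytes([0x80, 0x1F, 0x01, 0x00, 0x02, 0x00, 0x06, 0x00, 0x00, 0x00, 0x10])
               + b"\x01\x00\x80\x03\x00\x80" + b"\x00" * 16)
V2_COMPAT_HELLO = (bytes([0x80, 0x1F, 0x01, 0x03, 0x01, 0x00, 0x06, 0x00, 0x00, 0x00, 0x10])
                   + b"\x00\x00\x2F\x00\x00\x0A" + b"\x00" * 16)
TLS_HELLO = b"\x16\x03\x01\x00\x04\x01\x00\x00\x00"

if __name__ == "__main__":
    for name, rec in [("sslv2", SSLV2_HELLO), ("compat", V2_COMPAT_HELLO), ("tls", TLS_HELLO)]:
        print(name, classify_client_hello(rec))
```

A v2-compat verdict means the client still speaks the SSLv2 record format even though it wants TLS, which is exactly the traffic a server-side SSLv2 block is meant to refuse to negotiate.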
Speaking of SSL, Microsoft has also published an advisory about a fraudulent certificate for *.google.com that was issued by the Turkish CA TURKTRUST.
Lastly, I would like to mention MS13-001: Vulnerability in Print Spooler Service. The print server itself is not targeted in this case; instead, the potential victims are other clients printing to or querying the status of the shared printer.
The vulnerability is in the print spooler service process (running as LocalSystem) and is triggered when third-party software (such as that from printer manufacturers) queries or submits jobs to the print queue.
It can be used for elevation of privilege by a low-privileged user, or by someone who can authenticate to submit jobs to the print server. MS has a nice write-up on it here: http://blogs.technet.com/b/srd/archive/2013/01/08/ms13-001-vulnerability-in-print-spooler-service.aspx .