Application Security

01:05 PM

Microsoft Patches Windows, Office, IE, SharePoint

Microsoft fixes include patch for in-the-wild Office 365 token-grabbing attack that enabled silent eavesdropping.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)

Microsoft Tuesday released fixes for critical vulnerabilities in Internet Explorer, Microsoft Office, SharePoint, and the Windows operating system, including patches for two different zero-day vulnerabilities. But it has yet to patch a zero-day vulnerability that was first spotted in late November.

The fixes came as part of Microsoft's regular patch-release cycle, which this month addressed 24 different vulnerabilities, as documented in 11 Microsoft security bulletins. Five of those bulletins were rated as "critical," meaning the flaws could be exploited remotely by attackers to take full control of a vulnerable system.

Which flaws should IT administrators patch first? Multiple information security experts have recommend starting with the fix for a zero-day Microsoft Graphics component memory corruption vulnerability (CVE-2013-3906), which was first discovered in early November via in-the-wild attacks. "The vulnerability could allow a remote-code execution if a user views TIFF files in shared content," said Microsoft. Exploit code for this bug has also already been built into the open-source Metasploit penetration testing tool.

[ What security worries are in store for Google's Internet-connected glasses? Read Hack My Google Glass: Security's Next Big Worry? ]

"This vulnerability is currently under targeted attacks in the Middle East and Asia, and the exploits typically arrive in an Office document," Wolfgang Kandek, CTO of Qualys, said in an email interview. "If your machines run on later versions of Microsoft software, you are not affected. However, if you are behind, you should install this patch as soon as possible as you are most likely on a vulnerable configuration, such as Windows XP or an older version of Office -- 2003 or 2007."

Three other must-install fixes, according to BeyondTrust CTO Marc Maiffret, include patches for multiple vulnerabilities in all versions of Internet Explorer; a privately reported flaw in the Windows Scripting runtime that is distributed with every version of Windows; and fixes for four different vulnerabilities in Microsoft Exchange. Microsoft also patched a WinVerifyTrust signature validation vulnerability in Windows that can be used to disguise malicious applications as trustworthy, signed executables. "Exploits targeting this vulnerability have been seen in the wild, so deploy this patch as soon as possible," Maiffret said via email.

Another vulnerability patched by Microsoft affects cloud tie-ins to its Office 365 products, which was discovered by SaaS security vendor Adallom after it traced back a Word 2013 client that was requesting documents via a Tor gateway. Ultimately, the company discovered that the Office 365 desktop client, and in particular Microsoft Word, wasn't verifying authentication headers by comparing them against SSL certificates. As a result, attackers were able to tell a Word client that they were a SharePoint server, when in reality the server was malicious.

"This means that if I can get you to click on a link to a Word document -- for example a link in a mail or a webpage -- I can remotely compromise your organization's SharePoint site without anyone knowing or any alerts being raised," said Noam Liran, chief software architect at Adallom, in a blog post.

"Sadly there's no workaround for solving this vulnerability that doesn't impair work with SharePoint Online," Liran said. In other words, Office 365 users will remain vulnerable to related attacks until they install Microsoft's update.

Other security fixes released by Microsoft cover ASP.NET, SharePoint 2010 and 2013, and two vulnerabilities in Oracle Outside In, which is used by Exchange. The Outside In vulnerabilities had already been patched by Oracle.

Another update released by Microsoft was of the proactive variety, because it has added an attack-mitigation technique -- address space layout randomization (ASLR) -- to the hxds.dll system library in Windows.

"This fix will go a long way toward protecting customers from future zero-day attacks," said Tripwire security researcher Craig Young via email. "This particular library, hxds.dll, has been used by numerous attacks in the wild with great success because it can be easily loaded into memory from a web page by using the 'ms-help:' protocol handler."

He added: "Until today the only options that protect against this were the removal of Office 2007/2010 installs or enabling Microsoft's Enhanced Mitigation Experience Toolkit (EMET)." He recommended installing the update as soon as possible, given that attackers already know how to exploit the vulnerability.

One flaw Microsoft has yet to patch is a zero-day vulnerability (CVE-2013-5065) that was first spotted in November. "This elevation of privilege vulnerability affects both Windows XP and Server 2003," said BeyondTrust's Maiffret. "A workaround is available, but it breaks functionality such as VPN networking. A fix is forthcoming, but with no date publicly announced." On the upside, all related attacks -- at least, those seen to date -- require an older version of Adobe Reader to be present on targeted systems.

Kandek said that the latest batch of Microsoft patches -- which take the 2013 count of security bulletins issued by the company to more than 100, which is consistent with recent years -- reinforce the need to ditch older versions of Windows, and especially Windows XP, which Microsoft soon plans to stop patching. "The zero days show that being on the latest version of operating systems and application software is a clear advantage in terms of resilience, and it helps IT to run a safer infrastructure," he said. "I hope you are already in the category of organizations that have migrated away from XP, Server 2003 and Office 2003, or are at least in the group that is quickly moving towards 0% by April 2014."

In other patching news, Adobe Tuesday released fixes for two vulnerabilities in Flash Player, which attackers could exploit -- via malicious Word documents with embedded Flash (.swf) -- to remotely execute code. Adobe also updated its Shockwave Player to patch two other flaws that can be exploited to remotely execute code on any Windows or Mac OS X system that has the plug-in installed.

Flash Player should automatically update to the latest version, but Shockwave Player for Mac and PC will need to be manually updated; for both platforms, that will be to Shockwave version "So if you have Shockwave Player installed, today is a good day to update, either right before or right after the Microsoft reboot," said Rob VandenBrink, a consultant at Metafore, on the Internet Storm Center.

Adobe, of course, could make this process easier by adding an option to Shockwave to make it automatically update. "You'd think by now most major products would have an auto update or a 'click here to update' feature," VandenBrink said.

Mathew Schwartz reports on information security for InformationWeek. He is a freelance writer, editor, and photographer.

Pen testing helps companies become more secure by finding and analyzing their insecurities, but pen test services can be fraught with their own kind of risk. This Dark Reading report, Choosing, Managing And Evaluating A Penetration Testing Service, recommends what to look for in a provider and its wares, how to get what you pay for, and how to ensure that pen testing itself doesn't open the company or its employees up to new risk. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
13 Russians Indicted for Massive Operation to Sway US Election
Kelly Sheridan, Associate Editor, Dark Reading,  2/16/2018
From DevOps to DevSecOps: Structuring Communication for Better Security
Robert Hawk, Privacy & Security Lead at xMatters,  2/15/2018
Facebook Aims to Make Security More Social
Kelly Sheridan, Associate Editor, Dark Reading,  2/20/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.