Application Security
12/11/2013
01:05 PM

Microsoft Patches Windows, Office, IE, SharePoint

Microsoft fixes include patch for in-the-wild Office 365 token-grabbing attack that enabled silent eavesdropping.


Microsoft Tuesday released fixes for critical vulnerabilities in Internet Explorer, Microsoft Office, SharePoint, and the Windows operating system, including patches for two different zero-day vulnerabilities. But it has yet to patch a zero-day vulnerability that was first spotted in late November.

The fixes came as part of Microsoft's regular patch-release cycle, which this month addressed 24 different vulnerabilities, as documented in 11 Microsoft security bulletins. Five of those bulletins were rated as "critical," meaning the flaws could be exploited remotely by attackers to take full control of a vulnerable system.

Which flaws should IT administrators patch first? Multiple information security experts have recommended starting with the fix for a zero-day memory corruption vulnerability in the Microsoft Graphics component (CVE-2013-3906), which was first discovered in early November via in-the-wild attacks. "The vulnerability could allow remote code execution if a user views TIFF files in shared content," said Microsoft. Exploit code for this bug has also already been built into the open-source Metasploit penetration testing tool.


"This vulnerability is currently under targeted attacks in the Middle East and Asia, and the exploits typically arrive in an Office document," Wolfgang Kandek, CTO of Qualys, said in an email interview. "If your machines run on later versions of Microsoft software, you are not affected. However, if you are behind, you should install this patch as soon as possible as you are most likely on a vulnerable configuration, such as Windows XP or an older version of Office -- 2003 or 2007."

Three other must-install fixes, according to BeyondTrust CTO Marc Maiffret, include patches for multiple vulnerabilities in all versions of Internet Explorer; a privately reported flaw in the Windows Scripting runtime that is distributed with every version of Windows; and fixes for four different vulnerabilities in Microsoft Exchange. Microsoft also patched a WinVerifyTrust signature validation vulnerability in Windows that can be used to disguise malicious applications as trustworthy, signed executables. "Exploits targeting this vulnerability have been seen in the wild, so deploy this patch as soon as possible," Maiffret said via email.

Another vulnerability patched by Microsoft affects the cloud tie-ins of its Office 365 products. It was discovered by SaaS security vendor Adallom after the company traced a Word 2013 client that was requesting documents via a Tor gateway. Ultimately, Adallom found that the Office 365 desktop client, and Microsoft Word in particular, wasn't verifying authentication headers by comparing them against the server's SSL certificate. As a result, an attacker's server could tell a Word client that it was a SharePoint server, and the client would believe it even though the server was malicious.

"This means that if I can get you to click on a link to a Word document -- for example a link in a mail or a webpage -- I can remotely compromise your organization's SharePoint site without anyone knowing or any alerts being raised," said Noam Liran, chief software architect at Adallom, in a blog post.

"Sadly there's no workaround for solving this vulnerability that doesn't impair work with SharePoint Online," Liran said. In other words, Office 365 users will remain vulnerable to related attacks until they install Microsoft's update.

Other security fixes released by Microsoft cover ASP.NET, SharePoint 2010 and 2013, and two vulnerabilities in Oracle Outside In, which is used by Exchange. The Outside In vulnerabilities had already been patched by Oracle.

Another update released by Microsoft was proactive rather than reactive: it adds an attack-mitigation technique, address space layout randomization (ASLR), to the hxds.dll system library in Windows.

"This fix will go a long way toward protecting customers from future zero-day attacks," said Tripwire security researcher Craig Young via email. "This particular library, hxds.dll, has been used by numerous attacks in the wild with great success because it can be easily loaded into memory from a web page by using the 'ms-help:' protocol handler."

He added: "Until today the only options that protect against this were the removal of Office 2007/2010 installs or enabling Microsoft's Enhanced Mitigation Experience Toolkit (EMET)." He recommended installing the update as soon as possible, given that attackers already know how to exploit the vulnerability.

One flaw Microsoft has yet to patch is a zero-day vulnerability (CVE-2013-5065) that was first spotted in November. "This elevation of privilege vulnerability affects both Windows XP and Server 2003," said BeyondTrust's Maiffret. "A workaround is available, but it breaks functionality such as VPN networking. A fix is forthcoming, but with no date publicly announced." On the upside, all related attacks -- at least, those seen to date -- require an older version of Adobe Reader to be present on targeted systems.

Kandek said that the latest batch of Microsoft patches, which takes the 2013 count of security bulletins issued by the company to more than 100 (consistent with recent years), reinforces the need to ditch older versions of Windows, and especially Windows XP, which Microsoft soon plans to stop patching. "The zero days show that being on the latest version of operating systems and application software is a clear advantage in terms of resilience, and it helps IT to run a safer infrastructure," he said. "I hope you are already in the category of organizations that have migrated away from XP, Server 2003 and Office 2003, or are at least in the group that is quickly moving towards 0% by April 2014."

In other patching news, Adobe Tuesday released fixes for two vulnerabilities in Flash Player, which attackers could exploit -- via malicious Word documents with embedded Flash (.swf) -- to remotely execute code. Adobe also updated its Shockwave Player to patch two other flaws that can be exploited to remotely execute code on any Windows or Mac OS X system that has the plug-in installed.

Flash Player should automatically update to the latest version, but Shockwave Player for Mac and PC will need to be manually updated; for both platforms, that will be to Shockwave version 12.0.7.148. "So if you have Shockwave Player installed, today is a good day to update, either right before or right after the Microsoft reboot," said Rob VandenBrink, a consultant at Metafore, on the Internet Storm Center.

Adobe, of course, could make this process easier by adding an option to Shockwave to make it automatically update. "You'd think by now most major products would have an auto update or a 'click here to update' feature," VandenBrink said.

Mathew Schwartz reports on information security for InformationWeek. He is a freelance writer, editor, and photographer.
