Vulnerabilities / Threats // Vulnerability Management
5/14/2014
10:55 AM
50%
50%

Microsoft Blocks Zero-Day Attacks Targeting IE, Office

Security updates patch bugs being exploited via in-the-wild attacks, except for Windows XP, which now becomes a sitting duck.

 

10 Ways To Fight Digital Theft & Fraud
10 Ways To Fight Digital Theft & Fraud
(Click image for larger view and slideshow.)

Microsoft has released a slew of security updates, including fixing two sets of vulnerabilities that are being actively exploited by in-the-wild attacks. But for the first time ever, Windows XP holdouts didn't receive any related security updates.

Microsoft published eight security bulletins Tuesday -- as part of its regularly scheduled monthly patch release cycle -- including fixes for 13 different vulnerabilities in Windows, Internet Explorer, Office, SharePoint Server, Group Policy preferences, as well as the .NET Framework and iSCSI.

Microsoft's cumulative IE security update includes a fix for an "out-of-band" patch that it originally released May 1, to patch a critical IE bug (CVE-2014-1776) that Google's security team found was being actively exploited by attackers to remotely execute arbitrary code. In a surprise twist, Microsoft had released the patch for Windows XP, which it officially stopped supporting last month.

Microsoft also issued a fix for a new critical IE bug Tuesday, saying that it was aware of limited, targeted attacks that attempt to exploit this vulnerability.

[Should government investigators be given expanded powers to battle cybercriminals? Read FBI Seeks License To Hack Bot-Invested PCs.]

Wolfgang Kandek, CTO of Qualys, described the patch in a blog post as "another surgical fix" similar to the May 1 patch. He noted that anyone who has yet to install the May 1 patch -- aside from XP users -- can install Microsoft's May 13 update instead, because it includes the fix.

Microsoft said that most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically.

According to Dustin C. Childs, group manager for incident response communications at Microsoft's Trustworthy Computing Group, the IE update should top the list of enterprise patching priorities, followed by installing fixes a vulnerability in the MSCOMCTL common controls library included in Office -- which Microsoft said is also being actively exploited by in-the-wild attacks -- and a Group Policy preferences flaw.

Kandek concurred with that patch prioritization assessment, noting that the MSCOMCTL fix comes in the form of a new DLL that has ASLR set, an easy fix for the developers to implement (basically a recompile), but one that took extensive testing as this DLL is widely used. Thanks to ASLR -- address space layout randomization -- the update will also better block future attacks. Meanwhile, Kandek added, the Group Policy patch prevents the storage of credentials in Group Policies, where they are relatively easily accessed by hackers and pen testers alike.

CrowdStrike CTO Dmitri Alperovitch, via Twitter, lauded the latter fix. "Very good security update from Microsoft today that disables a number of password dumping tools including Mimikatz," he said.

Rounding up other security updates, any business that uses SharePoint should also prioritize a related patch from Microsoft, Kandek advised, especially if you expose SharePoint to the Internet. That's because the patch fixes a flaw that would allow a remote attacker to upload files to SharePoint and trigger remote-code execution, thus allowing the attacker to take control of the server.

"The silver lining is that this is what's known as an authenticated vulnerability,

Next Page

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
5/14/2014 | 4:06:20 PM
Microsoft Blocks Zero-Day Attacks Targeting IE, Office
Maybe I am wrong but aren't most vulnerabilities found by someone other than the one who developed it. Seems a little QA would be in order. Microsoft has a history of fixing things that are wrong with their software but it would be nice if they found one themselves. Thoughts?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.