Microsoft fixes include patch for in-the-wild Office 365 token-grabbing attack that enabled silent eavesdropping.

Mathew J. Schwartz, Contributor

December 11, 2013

Microsoft Tuesday released fixes for critical vulnerabilities in Internet Explorer, Microsoft Office, SharePoint, and the Windows operating system, including patches for two different zero-day vulnerabilities. But it has yet to patch a zero-day vulnerability that was first spotted in late November.

The fixes came as part of Microsoft's regular patch-release cycle, which this month addressed 24 different vulnerabilities, as documented in 11 Microsoft security bulletins. Five of those bulletins were rated as "critical," meaning the flaws could be exploited remotely by attackers to take full control of a vulnerable system.

Which flaws should IT administrators patch first? Multiple information security experts have recommended starting with the fix for a zero-day memory corruption vulnerability in the Microsoft Graphics component (CVE-2013-3906), which was first discovered in early November via in-the-wild attacks. "The vulnerability could allow a remote-code execution if a user views TIFF files in shared content," said Microsoft. An exploit module for this bug is already available in the open-source Metasploit penetration testing framework.

"This vulnerability is currently under targeted attacks in the Middle East and Asia, and the exploits typically arrive in an Office document," Wolfgang Kandek, CTO of Qualys, said in an email interview. "If your machines run on later versions of Microsoft software, you are not affected. However, if you are behind, you should install this patch as soon as possible as you are most likely on a vulnerable configuration, such as Windows XP or an older version of Office -- 2003 or 2007."

Three other must-install fixes, according to BeyondTrust CTO Marc Maiffret, include patches for multiple vulnerabilities in all versions of Internet Explorer; a privately reported flaw in the Windows Scripting runtime that is distributed with every version of Windows; and fixes for four different vulnerabilities in Microsoft Exchange. Microsoft also patched a WinVerifyTrust signature validation vulnerability in Windows that can be used to disguise malicious applications as trustworthy, signed executables. "Exploits targeting this vulnerability have been seen in the wild, so deploy this patch as soon as possible," Maiffret said via email.

Another vulnerability patched by Microsoft affects the cloud tie-ins between its Office desktop clients and Office 365. It was discovered by SaaS security vendor Adallom after the company traced a Word 2013 client that was requesting documents via a Tor gateway. Ultimately, Adallom found that the Office 365 desktop client, and Microsoft Word in particular, was not verifying authentication headers against the SSL certificate presented by the server it was talking to. As a result, an attacker could tell a Word client that a malicious server was a SharePoint server, and the client would accept the claim.

"This means that if I can get you to click on a link to a Word document -- for example a link in a mail or a webpage -- I can remotely compromise your organization's SharePoint site without anyone knowing or any alerts being raised," said Noam Liran, chief software architect at Adallom, in a blog post.

"Sadly there's no workaround for solving this vulnerability that doesn't impair work with SharePoint Online," Liran said. In other words, Office 365 users will remain vulnerable to related attacks until they install Microsoft's update.
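The following is an added example, not code from Microsoft, Adallom, or this article. It models the client-side decision the article describes in generic form: a document client holding a cloud token receives an HTTP 401 challenge whose WWW-Authenticate header claims to come from the organization's SharePoint realm, and must decide whether to release the token. The "vulnerable" policy trusts the header alone; the "hardened" policy also requires that the TLS certificate the server presented actually proves it is that realm. The hostname-shaped realm, the Challenge fields, and the two sample challenges are assumptions made for illustration, not the real Office 365 protocol; the certificate matching is the usual RFC 6125 style comparison, included so the check is not a bare string equality.

```python
"""Model of the token-release check described in the article (added example).
Not Microsoft's or Adallom's code; the realm format, Challenge fields and
sample challenges are assumptions, not captured Office 365 traffic."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Only the realm parameter of a WWW-Authenticate value matters for this model.
_REALM = re.compile(r'realm="([^"]*)"')


@dataclass(frozen=True)
class Challenge:
    """One HTTP 401 challenge as a document client sees it (constructed data)."""
    cert_sans: Tuple[str, ...]   # dNSName entries in the TLS certificate the server presented
    www_authenticate: str        # header value, entirely under the server's control


def realm_of(header: str) -> Optional[str]:
    """Return the realm parameter from a WWW-Authenticate value, or None."""
    match = _REALM.search(header)
    return match.group(1) if match else None


def hostname_matches_san(hostname: str, san: str) -> bool:
    """RFC 6125 style comparison: exact match, or a wildcard in the leftmost
    label only that covers exactly one label (so *.example.com does not
    cover a.b.example.com)."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san == hostname:
        return True
    if san.startswith("*."):
        host_labels = hostname.split(".")
        san_labels = san.split(".")
        return (len(host_labels) == len(san_labels)
                and host_labels[1:] == san_labels[1:])
    return False


def cert_proves(hostname: str, sans: Tuple[str, ...]) -> bool:
    """True if the presented certificate is valid for hostname."""
    return any(hostname_matches_san(hostname, san) for san in sans)


def vulnerable_release(ch: Challenge, trusted_realm: str) -> bool:
    """Pre-patch behaviour as the article describes it: the header alone
    decides, so any server that claims the trusted realm gets the token."""
    return realm_of(ch.www_authenticate) == trusted_realm


def hardened_release(ch: Challenge, trusted_realm: str) -> bool:
    """Release the token only if the header names the trusted realm AND the
    certificate the server presented proves that it is that realm."""
    realm = realm_of(ch.www_authenticate)
    return realm == trusted_realm and cert_proves(realm, ch.cert_sans)


# Constructed challenges: the real tenant host, and an attacker whose
# certificate is valid for the attacker's own name but claims the tenant's realm.
TRUSTED = "contoso.sharepoint.com"
LEGIT = Challenge(("*.sharepoint.com",), 'Bearer realm="contoso.sharepoint.com"')
ROGUE = Challenge(("docs.attacker.example",), 'Bearer realm="contoso.sharepoint.com"')

if __name__ == "__main__":
    for name, ch in (("legit", LEGIT), ("rogue", ROGUE)):
        print(name, "vulnerable:", vulnerable_release(ch, TRUSTED),
              "hardened:", hardened_release(ch, TRUSTED))
```

Run as a script, the rogue server receives the token under the vulnerable policy and is refused under the hardened one; the legitimate server is accepted by both. The point of the hardened policy is that the claim in the header is bound to an identity the TLS handshake already verified, so a server can only claim a realm it can present a certificate for.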

Other security fixes released by Microsoft cover ASP.NET, SharePoint 2010 and 2013, and two vulnerabilities in Oracle Outside In, which is used by Exchange. The Outside In vulnerabilities had already been patched by Oracle.

Another update released by Microsoft was of the proactive variety: it adds an attack-mitigation technique, address space layout randomization (ASLR), to hxds.dll, a shared help library installed by Microsoft Office 2007 and 2010. Because the library was built without ASLR, it previously loaded at a predictable address and so gave attackers a reliable way to bypass ASLR on otherwise protected systems.

"This fix will go a long way toward protecting customers from future zero-day attacks," said Tripwire security researcher Craig Young via email. "This particular library, hxds.dll, has been used by numerous attacks in the wild with great success because it can be easily loaded into memory from a web page by using the 'ms-help:' protocol handler."

He added: "Until today the only options that protect against this were the removal of Office 2007/2010 installs or enabling Microsoft's Enhanced Mitigation Experience Toolkit (EMET)." He recommended installing the update as soon as possible, given that attackers already know how to exploit the vulnerability.
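A practitioner who deploys this update will want to confirm that the installed hxds.dll now opts in to ASLR. The block below is an added example, not Microsoft's tooling or anything from the article: it reads the DllCharacteristics field from a PE file's optional header and reports the DYNAMIC_BASE (ASLR), NX_COMPAT (DEP) and HIGH_ENTROPY_VA flags. It works for any PE32 or PE32+ image, so it is a general check rather than one specific to hxds.dll; the location of hxds.dll on a given machine is not stated here and must be supplied on the command line. The stub-image builder is included only so the parser can be exercised offline without a real DLL.

```python
"""Added example: report ASLR/DEP opt-in flags from a PE image's optional
header. Generic PE parsing, not Microsoft's tooling; build_stub_pe exists only
to exercise the checker offline with a constructed header."""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                              # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                  # optional header start
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                  # PE32, PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return chars


def mitigation_report(image: bytes) -> dict:
    """Decode the mitigation-related DllCharacteristics bits."""
    chars = dll_characteristics(image)
    return {
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def has_aslr(image: bytes) -> bool:
    return mitigation_report(image)["aslr"]


def build_stub_pe(chars: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-loadable PE header (no sections) carrying the
    given DllCharacteristics, for offline testing of the parser."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    size_of_optional = 0xF0 if pe32plus else 0xE0
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXE | 32BIT | DLL)
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_of_optional, 0x2102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", optional, 70, chars)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py <path to hxds.dll or any other PE file>
    with open(sys.argv[1], "rb") as fh:
        print(mitigation_report(fh.read()))
```

Before the update, a report on hxds.dll from an Office 2007/2010 install is expected to show aslr False; after it, True. The same check applied across a system's loaded modules is how one finds the next non-ASLR library an attacker could lean on.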

One flaw Microsoft has yet to patch is a zero-day vulnerability (CVE-2013-5065) that was first spotted in November. "This elevation of privilege vulnerability affects both Windows XP and Server 2003," said BeyondTrust's Maiffret. "A workaround is available, but it breaks functionality such as VPN networking. A fix is forthcoming, but with no date publicly announced." On the upside, all related attacks -- at least, those seen to date -- require an older version of Adobe Reader to be present on targeted systems.

Kandek said that the latest batch of Microsoft patches -- which take the 2013 count of security bulletins issued by the company to more than 100, which is consistent with recent years -- reinforce the need to ditch older versions of Windows, and especially Windows XP, which Microsoft soon plans to stop patching. "The zero days show that being on the latest version of operating systems and application software is a clear advantage in terms of resilience, and it helps IT to run a safer infrastructure," he said. "I hope you are already in the category of organizations that have migrated away from XP, Server 2003 and Office 2003, or are at least in the group that is quickly moving towards 0% by April 2014."

In other patching news, Adobe Tuesday released fixes for two vulnerabilities in Flash Player, which attackers could exploit -- via malicious Word documents with embedded Flash (.swf) -- to remotely execute code. Adobe also updated its Shockwave Player to patch two other flaws that can be exploited to remotely execute code on any Windows or Mac OS X system that has the plug-in installed.

Flash Player should automatically update to the latest version, but Shockwave Player for Mac and PC will need to be manually updated; for both platforms, that will be to the same Shockwave version. "So if you have Shockwave Player installed, today is a good day to update, either right before or right after the Microsoft reboot," said Rob VandenBrink, a consultant at Metafore, on the Internet Storm Center.

Adobe, of course, could make this process easier by adding an option to Shockwave to make it automatically update. "You'd think by now most major products would have an auto update or a 'click here to update' feature," VandenBrink said.

Mathew Schwartz reports on information security for InformationWeek. He is a freelance writer, editor, and photographer.

About the Author(s)

Mathew J. Schwartz

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
