Feed aggregator

MS14-075 - Important: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) - Version: 3.0

Microsoft Security Notifications - Thu, 12/11/2014 - 23:00
Severity Rating: Important
Revision Note: V3.0 (December 12, 2014): Rereleased bulletin to announce the reoffering of Microsoft security update 2986475 for Microsoft Exchange Server 2010 Service Pack 3. The rereleased update addresses a known issue in the original offering. Customers who uninstalled the original update should install the updated version of 2986475 at the earliest opportunity.
Summary: This security update resolves four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website, and then convince them to click the specially crafted URL.
Categories: Security Alerts

MS14-057 - Critical: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414) - Version: 1.1

Microsoft Security Notifications - Tue, 12/09/2014 - 23:00
Severity Rating: Critical
Revision Note: V1.1 (December 10, 2014): Bulletin revised to correct update replacement entries for Microsoft .NET Framework 4.5/4.5.1/4.5.2 (update 2972107)
Summary: This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of the vulnerabilities could allow remote code execution if an attacker sends a specially crafted URI request containing international characters to a .NET web application, causing ASP.NET to generate incorrectly constructed URIs. In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable an application has to explicitly enable this functionality. In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled.
Categories: Security Alerts

MS14-084 - Critical: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) - Version: 1.0

Microsoft Security Notifications - Mon, 12/08/2014 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (December 9, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Categories: Security Alerts

MS14-085 - Important: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) - Version: 1.0

Microsoft Security Notifications - Mon, 12/08/2014 - 23:00
Severity Rating: Important
Revision Note: V1.0 (December 9, 2014): Bulletin published.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user browses to a website containing specially crafted JPEG content. An attacker could use this information disclosure vulnerability to gain information about the system that could then be combined with other attacks to compromise the system. The information disclosure vulnerability by itself does not allow arbitrary code execution. However, an attacker could use this information disclosure vulnerability in conjunction with another vulnerability to bypass security features such as Address Space Layout Randomization (ASLR).
Categories: Security Alerts

MS14-080 - Critical: Cumulative Security Update for Internet Explorer (3008923) - Version: 1.0

Microsoft Security Notifications - Mon, 12/08/2014 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (December 9, 2014): Bulletin published.
Summary: This security update resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts

MS14-081 - Critical: Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) - Version: 1.0

Microsoft Security Notifications - Mon, 12/08/2014 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (December 9, 2014): Bulletin published.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS14-082 - Important: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) - Version: 1.0

Microsoft Security Notifications - Mon, 12/08/2014 - 23:00
Severity Rating: Important
Revision Note: V1.0 (December 9, 2014): Bulletin published.
Summary: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts

MS14-083 - Important: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) - Version: 1.0

Microsoft Security Notifications - Mon, 12/08/2014 - 23:00
Severity Rating: Important
Revision Note: V1.0 (December 9, 2014): Bulletin published.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Excel. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Excel file in an affected version of Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS14-065 - Critical: Cumulative Security Update for Internet Explorer (3003057) - Version: 2.0

Microsoft Security Notifications - Mon, 12/08/2014 - 23:00
Severity Rating: Critical
Revision Note: V2.0 (December 9, 2014): To address issues with Security Update 3003057, Microsoft re-released MS14-065 to comprehensively address CVE-2014-6353. Customers running Internet Explorer 8 on Windows 7 or Windows Server 2008 R2, or Internet Explorer 10 should either install the newly offered update or install the December Internet Explorer Cumulative Update (3008923). See Microsoft Knowledge Base Article 3003057 for more information.
Summary: This security update resolves seventeen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts

MS14-066 - Critical: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) - Version: 3.0

Microsoft Security Notifications - Mon, 12/08/2014 - 23:00
Severity Rating: Critical
Revision Note: V3.0 (December 9, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Vista and Windows Server 2008. The reoffering addresses an issue in the original release. Customers running Windows Vista or Windows Server 2008 who installed the 2992611 update prior to the December 9 reoffering should reapply the update. See Microsoft Knowledge Base Article 2992611 for more information.
Summary: This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.
Categories: Security Alerts

TA14-329A: Regin Malware

US-CERT Security Alerts - Tue, 11/25/2014 - 12:54
Original release date: November 25, 2014
Systems Affected

Microsoft Windows NT, 2000, XP, Vista, and 7

Overview

On November 24, 2014, Symantec released a report on Regin, a sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns. At this time, the Regin campaign has not been identified targeting any organizations within the United States.

Description

Regin is a multi-staged, modular threat—meaning it has a number of components, each dependent on others to perform an attack. Each of the five stages is hidden and encrypted, with the exception of the first stage. The modular design poses difficulties to analysis, as all components must be available in order to fully understand the Trojan.  

Impact

Regin is a remote access Trojan (RAT), able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization. The complex design provides flexibility to actors, as they can load custom features tailored to individual targets. [1]

Solution

Users and administrators are recommended to take the following preventive measures to protect their computer networks:

  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information). [2]
  • Keep your operating system and application software up-to-date – Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).

The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.

MD5s: [1]

Stage 1 files, 32 bit:

06665b96e293b23acc80451abb413e50

187044596bc1328efa0ed636d8aa4a5c

1c024e599ac055312a4ab75b3950040a

2c8b9d2885543d7ade3cae98225e263b

4b6b86c7fec1c574706cecedf44abded

6662c390b2bbbd291ec7987388fc75d7

b269894f434657db2b15949641a67532

b29ca4f22ae7b7b25f79c1d4a421139d

b505d65721bb2453d5039a389113b566

26297dc3cd0b688de3b846983c5385e5

ba7bb65634ce1e30c1e5415be3d1db1d

bfbe8c3ee78750c3a520480700e440f8

d240f06e98c8d3e647cbf4d442d79475

ffb0b9b5b610191051a7bdf0806e1e47

Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:

01c2f321b6bfdb9473c079b0797567ba

47d0e8f9d7a6429920329207a32ecc2e

744c07e886497f7b68f6f7fe57b7ab54

db405ad775ac887a337b02ea8b07fddc

Stage 1, 64-bit system infection:

bddf5afbea2d0eed77f2ad4e9a4f044d

c053a0a3f1edcbbfc9b51bc640e808ce

e63422e458afdfe111bd0b87c1e9772c

Stage 2, 32 bit:

18d4898d82fcb290dfed2a9f70d66833

b9e4f9d32ce59e7c4daf6b237c330e25

Stage 2, 64 bit:

d446b1ed24dad48311f287f3c65aeb80

Stage 3, 32 bit:

8486ec3112e322f9f468bdea3005d7b5

da03648948475b2d0e3e2345d7a9bbbb

Stage 4, 32 bit:

1e4076caa08e41a5befc52efd74819ea

68297fde98e9c0c29cecc0ebf38bde95

6cf5dc32e1f6959e7354e85101ec219a

885dcd517faf9fac655b8da66315462d

a1d727340158ec0af81a845abd3963c1

Stage 4, 64 bit:

de3547375fbf5f4cb4b14d53f413c503

Note: Stages 2, 3, and 4 do not appear on infected systems as real files on disk. Hashes are provided for research purposes only.

Registry branches used to store malware stages 2 and 3:

\REGISTRY\Machine\System\CurrentControlSet\Control\RestoreList

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{39399744-44FC-AD65-474B-E4DDF-8C7FB97}

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{3F90B1B4-58E2-251E-6FFE-4D38C5631A04}

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{4F20E605-9452-4787-B793-D0204917CA58}

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}

IP IOCs [3]:

61.67.114.73

202.71.144.113

203.199.89.80

194.183.237.145

References Revision History
  • November 25, 2014: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

TA14-323A: Microsoft Windows Kerberos KDC Remote Privilege Escalation Vulnerability

US-CERT Security Alerts - Wed, 11/19/2014 - 00:20
Original release date: November 19, 2014 | Last revised: November 25, 2014
Systems Affected
  • Microsoft Windows Vista, 7, 8, and 8.1
  • Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2
Overview

A remote escalation of privilege vulnerability exists in implementations of Kerberos Key Distribution Center (KDC) in Microsoft Windows which could allow a remote attacker to take control of a vulnerable system. [1]

Description

The Microsoft Windows Kerberos KDC fails to properly check service tickets for valid signatures, which can allow aspects of the service ticket to be forged. The improper check allows an attacker to escalate valid domain user account privileges to those of a domain administrator account, which renders the entire domain vulnerable to compromise.

At the time this release was issued, Microsoft was aware of limited, targeted attacks attempting to exploit this vulnerability.

Impact

A valid domain user can pass invalid domain administrator credentials, gain access and compromise any system on the domain, including the domain controller. [2]

Solution

An update is available from Microsoft. Please see Microsoft Security Bulletin MS14-068 and Microsoft Research Security and Defense Blog for more details, and apply the necessary updates.[1, 3

References Revision History
  • November 19, 2014: Initial Draft
  • November 25, 2014: Revised formatting

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

MS14-068 - Critical: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Version: 1.0

Microsoft Security Notifications - Mon, 11/17/2014 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (November 18, 2014): Bulletin published
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.
Categories: Security Alerts

TA14-318B: Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability

US-CERT Security Alerts - Fri, 11/14/2014 - 14:42
Original release date: November 14, 2014
Systems Affected
  • Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1
  • Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2
Overview

A vulnerability in Microsoft Windows Object Linking and Embedding (OLE) could allow remote code execution if a user views a specially-crafted web page in Internet Explorer.[1]

Description

The Microsoft Windows OLE OleAut32.dll library provides the SafeArrayRedim function that allows resizing of SAFEARRAY objects in memory.[2] In certain circumstances, this library does not properly check sizes of arrays when an error occurs. The improper size allows an attacker to manipulate memory in a way that can bypass the Internet Explorer Enhanced Protected Mode (EPM) sandbox as well as the Enhanced Mitigation Experience Toolkit (EMET).

This vulnerability can be exploited using a specially-crafted web page utilizing VBscript in Internet Explorer. However, it may impact other software that makes use of OleAut32.dll and VBscript.

Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#158647.

Impact

Arbitrary code can be run on the computer with user privileges. If the user is an administrator, the attacker may run arbitrary code as an administrator, fully compromising the system. 

Solution

An update is available from Microsoft.[3] Please see Microsoft Security Bulletin MS14-064 for more details and mitigation guidance, and apply the necessary updates.

References Revision History
  • November 14, 2014: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

TA14-318A: Microsoft Secure Channel (Schannel) Vulnerability (CVE-2014-6321)

US-CERT Security Alerts - Fri, 11/14/2014 - 07:32
Original release date: November 14, 2014
Systems Affected
  • Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1
  • Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2

Microsoft Windows XP and 2000 may also be affected.

Overview

A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1]

Description

Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]

It may be possible for exploitation to occur without authentication and via unsolicited network traffic. According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]

Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5]

Impact

This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6]

Solution

Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2]

References Revision History
  • November 14, 2014: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

TA14-317A: Apple iOS "Masque Attack" Technique

US-CERT Security Alerts - Thu, 11/13/2014 - 06:17
Original release date: November 13, 2014 | Last revised: November 17, 2014
Systems Affected

iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.

Overview

A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.

Description

Masque Attack was described by FireEye mobile security researchers [1], Stefan Esser of SektionEins, and Jonathan Zdziarski. This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.  

This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.

Impact

An app installed on an iOS device using this technique may:

  • Mimic the original app’s login interface to steal the victim’s login credentials.
  • Access sensitive data from local data caches.
  • Perform background monitoring of the user’s device.
  • Gain root privileges to the iOS device.
  • Be indistinguishable from a genuine app.
Solution

iOS users can protect themselves from Masque Attacks by following three steps:

  1. Don’t install apps from sources other than Apple’s official App Store or your own organization.
  2. Don’t click “Install” from a third-party pop-up when viewing a web page.
  3. When opening an app, if iOS shows an “Untrusted App Developer” alert, click on “Don’t Trust” and uninstall the app immediately.

Further details on Masque Attack and mitigation guidance can be found on FireEye’s blog [1]. US-CERT does not endorse or support any particular product or vendor.

References Revision History
  • November 13, 2014: Initial Release
  • November 17, 2014: Vulnerability attribution amended

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

MS14-064 - Critical: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Version: 1.0

Microsoft Security Notifications - Mon, 11/10/2014 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (November 11, 2014): Bulletin published.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The vulnerabilities could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE object. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS14-071 - Important: Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607) - Version: 1.0

Microsoft Security Notifications - Mon, 11/10/2014 - 23:00
Severity Rating: Important
Revision Note: V1.0 (November 11, 2014): Bulletin published
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an application uses the Microsoft Windows Audio service. The vulnerability by itself does not allow arbitrary code to be run. The vulnerability would have to be used in conjunction with another vulnerability that allowed remote code execution.
Categories: Security Alerts

MS14-072 - Important: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) - Version: 1.0

Microsoft Security Notifications - Mon, 11/10/2014 - 23:00
Severity Rating: Important
Revision Note: V1.0 (November 11, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow elevation of privilege if an attacker sends specially crafted data to an affected workstation or server that uses .NET Remoting. .NET Remoting is not widely used by applications; only custom applications that have been specifically designed to use .NET Remoting would expose a system to the vulnerability.
Categories: Security Alerts

MS14-079 - Moderate: Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885) - Version: 1.0

Microsoft Security Notifications - Mon, 11/10/2014 - 23:00
Severity Rating: Moderate
Revision Note: V1.0 (November 11, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker places a specially crafted TrueType font on a network share and a user subsequently navigates there in Windows Explorer. In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to persuade users to visit a website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.
Categories: Security Alerts
Syndicate content