Feed aggregator

MS17-013 - Critical: Security Update for Microsoft Graphics Component (4013075) - Version: 1.1

Microsoft Security Notifications - Fri, 03/24/2017 - 09:00
Severity Rating: Critical
Revision Note: V1.1 (March 24, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS16-084 - Critical: Cumulative Security Update for Internet Explorer (3169991) - Version: 1.1

Microsoft Security Notifications - Fri, 03/17/2017 - 09:00
Severity Rating: Critical
Revision Note: V1.1 (March 17, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Categories: Security Alerts

TA17-075A: HTTPS Interception Weakens TLS Security

US-CERT Security Alerts - Thu, 03/16/2017 - 04:40
Original release date: March 16, 2017
Systems Affected

All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected.

Overview

Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. The CERT Coordination Center (CERT/CC) explored the tradeoffs of using HTTPS interception in a blog post called The Risks of SSL Inspection [1].

Organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement should ensure their HTTPS inspection products are performing correct transport layer security (TLS) certificate validation. Products that do not properly ensure secure TLS communications and do not convey error messages to the user may further weaken the end-to-end protections that HTTPS aims to provide.

Description

TLS and its predecessor, Secure Sockets Layer (SSL), are important Internet protocols that encrypt communications over the Internet between the client and server. These protocols (and protocols that make use of TLS and SSL, such as HTTPS) use certificates to establish an identity chain showing that the connection is with a legitimate server verified by a trusted third-party certificate authority.

HTTPS inspection works by intercepting the HTTPS network traffic and performing a man-in-the-middle (MiTM) attack on the connection. In MiTM attacks, sensitive client data can be transmitted to a malicious party spoofing the intended server. In order to perform HTTPS inspection without presenting client warnings, administrators must install trusted certificates on client devices. Browsers and other client applications use this certificate to validate encrypted connections created by the HTTPS inspection product. In addition to the problem of not being able to verify a web server’s certificate, the protocols and ciphers that an HTTPS inspection product negotiates with web servers may also be invisible to a client. The problem with this architecture is that the client systems have no way of independently validating the HTTPS connection. The client can only verify the connection between itself and the HTTPS interception product. Clients must rely on the HTTPS validation performed by the HTTPS interception product.

A recent report, The Security Impact of HTTPS Interception [2], highlighted several security concerns with HTTPS inspection products and outlined survey results of these issues. Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, allowing the possibility of a MiTM attack. Furthermore, certificate-chain verification errors are infrequently forwarded to the client, leading a client to believe that operations were performed as intended with the correct server. This report provided a method to allow servers to detect clients that are having their traffic manipulated by HTTPS inspection products. The website badssl.com [3] is a resource where clients can verify whether their HTTPS inspection products are properly verifying certificate chains. Clients can also use this site to verify whether their HTTPS inspection products are enabling connections to websites that a browser or other client would otherwise reject. For example, an HTTPS inspection product may allow deprecated protocol versions or weak ciphers to be used between itself and a web server. Because client systems may connect to the HTTPS inspection product using strong cryptography, the user will be unaware of any weakness on the other side of the HTTPS inspection.

Impact

Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties.

Solution

Organizations using an HTTPS inspection product should verify that their product properly validates certificate chains and passes any warnings or errors to the client. A partial list of products that may be affected is available at The Risks of SSL Inspection [1]. Organizations may use badssl.com [3] as a method of determining if their preferred HTTPS inspection product properly validates certificates and prevents connections to sites using weak cryptography. At a minimum, if any of the tests in the Certificate section of badssl.com prevent a client with direct Internet access from connecting, those same clients should also refuse the connection when connected to the Internet by way of an HTTPS inspection product.

In general, organizations considering the use of HTTPS inspection should carefully consider the pros and cons of such products before implementing [1]. Organizations should also take other steps to secure end-to-end communications, as presented in US-CERT Alert TA15-120A [4].

Note: The U.S. Government does not endorse or support any particular product or vendor.

References Revision History
  • March 16, 2017: intial post

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

MS17-015 - Important: Security Update for Microsoft Exchange Server (4013242) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Exchange Server.
Categories: Security Alerts

MS17-011 - Critical: Security Update for Microsoft Uniscribe (4013076) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS17-008 - Critical: Security Update for Windows Hyper-V (4013082) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.
Categories: Security Alerts

MS17-010 - Critical: Security Update for Microsoft Windows SMB Server (4013389) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Windows SMBv1 server.
Categories: Security Alerts

MS17-012 - Critical: Security Update for Microsoft Windows (4013078) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker running inside a virtual machine runs a specially crafted application.
Categories: Security Alerts

MS17-007 - Critical: Cumulative Security Update for Microsoft Edge (4013071) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Categories: Security Alerts

MS17-009 - Critical: Security Update for Microsoft Windows PDF Library (4010319) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow information disclosure if a user views specially crafted PDF content online or opens a specially crafted PDF document.
Categories: Security Alerts

MS17-014 - Important: Security Update for Microsoft Office (4013241) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts

MS17-017 - Important: Security Update for Windows Kernel (4013081) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application.
Categories: Security Alerts

MS17-0113 - Critical: Security Update for Microsoft Graphics Component (4013075) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS17-018 - Important: Security Update for Windows Kernel-Mode Drivers (4013083) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
Categories: Security Alerts

MS17-021 - Important: Security Update for Windows DirectShow (4010318) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow an Information Disclosure if Windows DirectShow opens specially crafted media content that is hosted on a malicious website. An attacker who successfully exploited the vulnerability could obtain information to further compromise a target system.
Categories: Security Alerts

MS17-022 - Important: Security Update for Microsoft XML Core Services (4010321) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user visits a malicious website. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.
Categories: Security Alerts

MS17-019 - Important: Security Update for Active Directory Federation Services (4010320) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow information disclosure if an attacker sends a specially crafted request to an ADFS server, allowing the attacker to read sensitive information about the target system.
Categories: Security Alerts

MS17-020 - Important: Security Update for Windows DVD Maker (3208223) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves an information disclosure vulnerability in Windows DVD Maker. The vulnerability could allow an attacker to obtain information to further compromise a target system.
Categories: Security Alerts

MS17-023 - Critical: Security Update for Adobe Flash Player (4014329) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
Categories: Security Alerts

MS17-016 - Important: Security Update for Windows IIS (4013074) - Version: 1.0

Microsoft Security Notifications - Tue, 03/14/2017 - 09:00
Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Click here to enter text.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts
Syndicate content