One of the operating system updates Microsoft released on Tuesday of this week — KB3033929 — is causing a reboot loop for a fair number of Windows 7 users, according to postings on multiple help forums. The update in question does not appear to address a pressing security vulnerability, so users who have not yet installed it should probably delay doing so until Microsoft straightens things out. Continue reading →
Posts Tagged: Microsoft Windows
Microsoft today released nine update bundles to plug at least 55 distinct security vulnerabilities in its Windows operating system and other software. Three of the patches fix bugs in Windows that Microsoft considers “critical,” meaning they can be exploited remotely to compromise vulnerable systems with little or no help from users, save for perhaps clicking a link or visiting a hostile Web site.
The bulk of the flaws (41) addressed in this update apply to Internet Explorer, the default browser on Windows. This patch should obviously be a priority for any organizations that rely on IE. Other patches fix bugs in the Windows OS itself and in various versions of Microsoft Office. A full breakdown of the patches is available here.
Among the more interesting critical patches is a fix for a vulnerability in Microsoft Group Policy that could present unique threats for enterprises that rely on Active Directory, the default authentication mechanism on corporate Windows networks. The vulnerability is remotely exploitable and can be used to grant attackers administrator-level privileges on the targeted machine or device – that means 10s of millions of PCS, kiosks and other devices, if left untreated.
Several readers who’ve already applied these updates report that doing so may require multiple restarts of Windows. Patches are available via Windows Update, the patching mechanism built into all recent and supported versions of Windows. For more granular information about these patches, check out this blog post by Qualys as well as the always-useful roundup at the SANS Internet Storm Center.
As always, if you experience any issues applying these patches or after applying them, please leave a note in the comments section below describing your experience.
Adobe today released updates to fix at least a dozen critical security problems in its Flash Player and AIR software. Separately, Microsoft pushed four update bundles to address at least 42 vulnerabilities in Windows, Internet Explorer, Lync and .NET Framework. If you use any of these, it’s time to update! Continue reading →
Microsoft has issued security updates to fix at least 23 distinct vulnerabilities in its Windows operating systems and other software. Three of the patch bundles released today address flaws rated “critical,” meaning that malware or miscreants can use them to break into Windows PCs without any help from users.
Leading the critical updates is a cumulative patch for Internet Explorer (MS13-059) that affects every version of the browser on nearly all supported versions of Windows. In its advisory, Microsoft warns it is highly likely that attackers will soon develop exploit code to attack the flaws addressed in this patch. Indeed, according to Ross Barrett, manager of security engineering at Rapid7, the IE patch addresses a vulnerability first demonstrated at the Pwn2Own contest at the CanSecWest conference in March of this year.
Another critical update, MS13-060, is a browse-and-get-owned font vulnerability that affects users on Windows XP and Server 2003. The final critical patch, MS13-061, tackles several flaws in Microsoft Exchange that stem from a third-party component from Oracle called Outside In.
Attackers are breaking into Microsoft Windows computers using a newly discovered vulnerability in Internet Explorer, security experts warn. While the flaw appears to have been used mainly in targeted attacks so far, this vulnerability could become more widely exploited if incorporated into commercial crimeware kits sold in the underground.
In a blog posting Friday evening, Milpitas, Calif. based security vendor FireEye said it found that the Web site for the Council on Foreign Relations was compromised and rigged to exploit a previously undocumented flaw in IE8 to install malicious software on vulnerable PCs used to browse the site.
According to FireEye, the attack uses Adobe Flash to exploit a vulnerability in the latest (fully-patched) version of IE8. Dustin Childs, group manager for response communications at Microsoft, said the vulnerability appears to exist in previous versions of IE.
“We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,” Childs said in an emailed statement. “We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted.”
As FireEye notes, this is another example of a “watering hole” attack, which involves the targeted compromise of legitimate websites thought to be of interest to or frequented by end users who belong to organizations that attackers wish to infiltrate. Earlier this year, I wrote about similar zero-day attacks against visitors to the Web sites of the National Democratic Institute, The Carter Center, and Radio Free Europe.
Update, Dec. 30, 9:25 a.m. ET: Microsoft has officially acknowledged this vulnerability in an advisory, which contains some advice for IE users about how to mitigate the threat. As IE versions 9 and 10 are not impacted, users running Windows Vista or higher can upgrade to the latest browser version here.
Update, Jan.1 8:56 p.m. ET: Microsoft’s advisory now includes a link to a stopgap “FixIt” solution that may help to blunt attacks until the company issues an official patch for this vulnerability.
Hackers have released exploit code that can be used to compromise Windows PCs through a previously unknown security flaw present in all versions Internet Explorer, Microsoft warned today.
Dave Forstrom, director of trustworthy computing at Microsoft, said although the software giant is not aware of any attacks wielding this flaw against Windows users, “given the public disclosure of this vulnerability, the likelihood of criminals using this information to actively attack our customers may increase.”
Microsoft’s security advisory says the problem has to do with the way IE handles CSS style sheets. A posting on Microsoft’s Security Research & Defense blog notes that the Metasploit Project recently published an exploit for this flaw that evades two of the key security defenses built into Windows Vista and Windows 7 — Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
Microsoft Corp. today warned Internet Explorer users that attackers are exploiting a previously unknown security hole in the browser to install malicious software. The company is urging users who haven’t already done so to upgrade to IE8, which includes technology that makes the vulnerability more difficult to exploit.
According to the advisory Microsoft published, this is a browse-to-a-malicious-site-and-get-owned vulnerability. The company reports that the exploit code was discovered on a single Web site that is no longer online. But if past attacks against unpatched IE flaws are any indicator, it will probably not be long before the attack is stitched into plenty of other hacked and malicious Web sites.
Redmond says Data Execution Prevention (DEP) technology enabled by default in IE8 helps protect against attacks, and that the same protection is enabled on all supported platforms, including Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7. IE9 beta apparently is not at risk from this threat.
In a post to its Microsoft Security Response Center blog, the company said that it is working to develop a security update to address this attack against the flaw, but that at the moment it “does not meet the criteria for an out-of-band release.” Microsoft is expected to issue another round of security updates next week as part of its regular “Patch Tuesday” cycle, which generally occurs on the second Tuesday of each month.
Symantec Corp. has posted a fascinating blog entry that details just how targeted the attacks have been so far. It offers a peek at how these types of critical flaws in widely-used applications can be used in pinprick attacks to extract very specific information from targeted organizations and individuals. From that post:
“One such case started few days ago when we received information about a possible exploitation using older versions of Internet Explorer as targets. Hackers had sent emails to a select group of individuals within targeted organizations. Within the email the perpetrators added a link to a specific page hosted on an otherwise legitimate website.
….Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations. The files on this server had been accessed by people in lots of organizations in multiple industries across the globe. Very few of them were seen accessing the payload file, which means that most users were using a browser which wasn’t vulnerable or targeted.”
Read more from the Symantec writeup here.
I’ve received several e-mails from readers concerned about a mysterious, undocumented software patch that Microsoft began offering to Windows 7 users through Windows Update this week. Some Microsoft users have been spinning conspiracy theories about this patch because it lacks any real description of its function, and what little documentation there is about it says that it cannot be removed once installed and that it may be required as a prerequisite for installing future updates.
Normally, when Microsoft offers a patch through Windows Update, it also will publish a corresponding “knowledgebase” article that describes in great detail what the patch does and why users should install it — and how applying the update may impact current and future operations on the system.
This fix went out via Windows Update on Oct. 26 as a “recommended” and “important” patch, but it lacked any additional details, prompting conspiracy theories and speculation on message boards from users wondering whether they should ignore or install this update — which for many users was sandwiched between the dozens of security patches Microsoft began offering earlier this month as part of its regular Patch Tuesday security update cycle.
To make matters worse, many Windows 7 users said the patch was no longer offered after they declined installing it the first time, leading some curious researchers to dub it the “Blackhole” update.
I have verified with Microsoft that this update is designed to smooth the way for the deployment of future updates on Windows 7 systems (read on to the very end if you’d like the official response from Microsoft). The confusion appears to stem from a timing mistake by the folks at Microsoft, but this incident illustrates the hysteria that can ensue when the world’s largest software company fails — for whatever reason — to be fully transparent with a user base that has come to expect detailed advisories with every patch.
When I was researching this patch, I found an amusing thread on the Microsoft Answers forum — where several Microsoft most valuable professional experts urged other forum members to hold off installing the patch until more information was available. Others offered more speculative answers, suggesting that the patch was instead:
-A new service pack for Windows 7
-A “heuristic scanner to the machine that turned on whenever the machine went idle, and searched all attached storage devices for ‘terrorism-related’ information, then alerting ‘somebody’ over the Internet”
-The result of Microsoft having been hacked, with the patch being some kind of malicious third-party code being sent out to infect all Windows machines
-A new anti-piracy check from Microsoft.
Microsoft today released software updates to fix at least five security vulnerabilities in computers running its Windows operating system and Office applications. Today also marks the planned end-of-life deadline for Windows XP Service Pack 2, a bundle of security updates and features that Microsoft first released in 2004.
Four out of five of the flaws fixed in today’s patch batch earned a “critical” rating, Redmond’s most severe. Chief among them is a bug in the Help and Support Center on Windows XP and Server 2003 systems that’s currently being exploited by crooks to break into vulnerable machines. Microsoft released an interim “FixIt” tool last month to help users blunt the threat from this flaw,
and users who applied that fix still should install this patch (and no, you don’t need to undo the FixIt setting first). Update 5:50 p.m. ET: I stand corrected on this — it looks like Microsoft won’t offer the patch for this flaw if you’ve already used the FixIt tool.