Posts Tagged: microsoft


18
Nov 14

Microsoft Releases Emergency Security Update

Microsoft today deviated from its regular pattern of releasing security updates on the second Tuesday of each month, pushing out an emergency patch to plug a security hole in all supported versions of Windows. The company urged Windows users to install the update as quickly as possible, noting that miscreants already are exploiting the weaknesses to launch targeted attacks.

brokenwindowsThe update (MS14-068) addresses a bug in a Windows component called Microsoft Windows Kerberos KDC, which handles authenticating Windows PCs on a local network. It is somewhat less of a problem for Windows home users (it is only rated critical for server versions of Windows) but it poses a serious threat to organizations. According to security vendor Shavlik, the flaw allows an attacker to elevate domain user account privileges to those of the domain administrator account.

“The attacker could forge a Kerberos Ticket and send that to the Kerberos KDC which claims the user is a domain administrator,” writes Chris Goettl, product manager with Shavlik. “From there the attacker can impersonate any domain accounts, add themselves to any group, install programs, view\change\delete date, or create any new accounts they wish.  This could allow the attacker to then compromise any computer in the domain, including domain controllers.  If there is a silver lining in this one it is in the fact that the attacker must have a valid domain user account to exploit the vulnerability, but once they have done so, they have the keys to the kingdom.”

The patch is one of two that Microsoft had expected to release on Patch Tuesday earlier this month, but unexpectedly pulled at the last moment.  “This is pretty severe and definitely explains why Microsoft only delayed the release and did not pull it from the November Patch Tuesday release all together,” Goettl said. Continue reading →


11
Nov 14

Adobe, Microsoft Issue Critical Security Fixes

Adobe and Microsoft today each issued security updates to fix critical vulnerabilities in their software. Microsoft pushed 14 patches to address problems in Windows, Office, Internet Explorer and .NET, among other products. Separately, Adobe issued an update for its Flash Player software that corrects at least 18 security issues.

brokenwindowsMicrosoft announced 16 bulletins, but curiously two of those are listed as pending. Topping the list of critical updates from Microsoft is a fix for a zero-day vulnerability disclosed last month that hackers have been using in targeted cyber espionage attacks. Another critical patch targets 17 weaknesses in Internet Explorer, including a remotely exploitable vulnerability in all supported versions of Windows that earned a CVSS score of 9.3 (meaning it is highly likely to be exploited in drive-by attacks, and probably soon).

That flaw is a rare “unicorn-like” bug according to IBM X-Force, which discovered and reported the issue privately to Microsoft. In a blog post published today, IBM researchers described how the vulnerability can be used to sidestep the Enhanced Protected Mode sandbox in IE11, as well as Microsoft’s EMET anti-exploitation tool that Microsoft offers for free.

“In this case, the buggy code is at least 19 years old, and has been remotely exploitable for the past 18 years,” writes IBM researcher Robert Freeman. “Looking at the original release code of Windows 95, the problem is present. In some respects this vulnerability has been sitting in plain sight for a long time, despite many other bugs being discovered and patched in the same Windows library (OleAut32).”

Freeman said while unpatched Internet Explorer users are most at risk from this bug, the vulnerability also could be exploited through Microsoft Office files. “The other attack vectors this vulnerability could work with are Microsoft Office with script macros, for example in Excel documents,” Freeman told KrebsOnSecurity. “Most versions of Office (since about 2003) have macros disabled by default so the user would have to enable them (which can be a fairly mindless YES click at the top of the screen). Or if a user is using an old enough version of Office, the macros will be enabled by default.”

macrosms

Continue reading →


9
Oct 14

Signed Malware = Expensive “Oops” for HP

Computer and software industry maker HP is in the process of notifying customers about a seemingly harmless security incident in 2010 that nevertheless could prove expensive for the company to fix and present unique support problems for users of its older products.

ProblemsEarlier this week, HP quietly produced several client advisories stating that on Oct. 21, 2014 it plans to revoke a digital certificate the company previously used to cryptographically sign software components that ship with many of its older products. HP said it was taking this step out of an abundance of caution because it discovered that the certificate had mistakenly been used to sign malicious software way back in May 2010.

Code-signing is a practice intended to give computer users and network administrators additional confidence about the integrity and security of a file or program. Consequently, private digital certificates that major software vendors use to sign code are highly prized by attackers, because they allow those attackers to better disguise malware as legitimate software.

For example, the infamous Stuxnet malware – apparently created as a state-sponsored project to delay Iran’s nuclear ambitions — contained several components that were digitally signed with certificates that had been stolen from well-known companies. In previous cases where a company’s private digital certificates have been used to sign malware, the incidents were preceded by highly targeted attacks aimed at stealing the certificates. In Feb. 2013, whitelisting software provider Bit9 discovered that digital certificates stolen from a developer’s system had been used to sign malware that was sent to several customers who used the company’s software.

But according to HP’s Global Chief Information Security Officer Brett Wahlin, nothing quite so sexy or dramatic was involved in HP’s decision to revoke this particular certificate. Wahlin said HP was recently alerted by Symantec about a curious, four-year-old trojan horse program that appeared to have been signed with one of HP’s private certificates and found on a server outside of HP’s network. Further investigation traced the problem back to a malware infection on an HP developer’s computer.

HP investigators believe the trojan on the developer’s PC renamed itself to mimic one of the file names the company typically uses in its software testing, and that the malicious file was inadvertently included in a software package that was later signed with the company’s digital certificate. The company believes the malware got off of HP’s internal network because it contained a mechanism designed to transfer a copy of the file back to its point of origin.

Continue reading →


8
Jul 14

Microsoft, Adobe Push Critical Fixes

If you use Microsoft products or Adobe Flash Player, please take a moment to read this post and update your software. Adobe today issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer.

brokenwindowsMost of the bugs that Microsoft addressed with today’s updates (24 of the 29 flaws) are fixed in a single patch for the company’s Internet Explorer browser. According to Microsoft, one of those 24 flaws (a weakness in the way IE checks Extended Validation SSL certificates) was already publicly disclosed prior to today’s bulletins.

The other critical patch fixes a security problem with the way that Windows handles files meant to be opened and edited by Windows Journal, a note-taking application built in to more recent versions of the operating system (including Windows Vista, 7 and 8).

More details on the rest of the updates that Microsoft released today can be found at Microsoft’s Technet blog, Qualys’s site, and the SANS Internet Storm Center.

Adobe’s Flash Player update brings Flash to version 14.0.0.145 on Windows, Mac and Linux systems. Adobe said it is not aware of exploits in the wild for any of the vulnerabilities fixed in this release.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 14.0.0.125.

brokenflash-aFlash has a built-in auto-updater, but you might wait days or weeks for it to prompt you to update, regardless of its settings. The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 14.0.0.137 for Windows, Mac, and Android.

flash-14-0-0-125


1
Jul 14

Microsoft Darkens 4MM Sites in Malware Fight

Millions of Web sites were shuttered Monday morning after Microsoft executed a legal sneak attack against a malware network thought to be responsible for more than 7.4 million infections of Windows PCs worldwide.

A diagram showing how crooks abused no-ip.com's services to control malware networks. Source: Microsoft.

A diagram showing how crooks abused no-ip.com’s services to control malware networks. Source: Microsoft.

In its latest bid to harness the power of the U.S. legal system to combat malicious software and cybercrooks, Microsoft convinced a Nevada court to grant the software giant authority over nearly two dozen domains belonging to no-ip.com, a company that provides dynamic domain name services.

Dynamic DNS services are used to map domain names to numeric Internet address that may change frequently. Typically, the biggest users of dynamic DNS services are home Internet users who wish to have a domain name that will always point back to their home computer, no matter how many times their ISP changes the numeric Internet address assigned to that computer.

In this case, however, the attackers responsible for leveraging two malware families — remote-access Trojans known as “njrat” and “njw0rm” — were using no-ip.com’s services to guarantee that PCs they infected would always be able to reach the Internet servers.

Microsoft told the court that miscreants who were using these two malware strains were leveraging more than 18,400 hostnames that belonged to no-ip.com. On June 26, the court granted Microsoft the authority to temporarily seize control over 23 domains owned by no-ip.com — essentially all of the domains that power no-ip.com’s free dynamic DNS services.

Microsoft was supposed to filter out the traffic flowing to and from those 18,400+ hostnames, and allow the remaining, harmless traffic to flow through to its rightful destination. But according to no-ip.com marketing manager Natalie Goguen, that’s not at all what happened.

“They made comments that they’d only taken down bad hostnames and were supposedly redirecting all good traffic through to users, but it’s not happening, and they’re not able to handle our traffic volumes,” Goguen said. “Many legitimate users that use our services have been down all day.”

Goguen said while Microsoft claimed that there were more than 18,000 malicious hostnames involved, no-ip.com could only find a little more than 2,000 from that list that were still active as of Monday morning. Meanwhile, some four million hostnames remain offline, with customer support requests piling up.

“So, to go after 2,000 or so bad sites, [Microsoft] has taken down four million,” Goguen said. Continue reading →


29
May 14

True Goodbye: ‘Using TrueCrypt Is Not Secure’

The anonymous developers responsible for building and maintaining the free whole-disk encryption suite TrueCrypt apparently threw in the towel this week, shuttering the TrueCrypt site and warning users that the product is no longer secure now that Microsoft has ended support for Windows XP.

tcSometime in the last 24 hours, truecrypt.org began forwarding visitors to the program’s home page on sourceforge.net, a Web-based source code repository. That page includes instructions for helping Windows users transition drives protected by TrueCrypt over to BitLocker, the proprietary disk encryption program that ships with every Windows version (Ultimate/Enterprise or Pro) since Vista. The page also includes this ominous warning:

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”

“This page exists only to help migrate existing data encrypted by TrueCrypt.”

“The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”

Doubters soon questioned whether the redirect was a hoax or the result of the TrueCrypt site being hacked. But a cursory review of the site’s historic hosting, WHOIS and DNS records shows no substantive changes recently.

What’s more, the last version of TrueCrypt uploaded to the site on May 27 (still available at this link) shows that the key used to sign the executable installer file is the same one that was used to sign the program back in January 2014 (hat tip to @runasand and @pyllyukko). Taken together, these two facts suggest that the message is legitimate, and that TrueCrypt is officially being retired.

That was the same conclusion reached by Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute and a longtime skeptic of TrueCrypt — which has been developed for the past 10 years by a team of anonymous coders who appear to have worked diligently to keep their identities hidden.

“I think the TrueCrypt team did this,” Green said in a phone interview. “They decided to quit and this is their signature way of doing it.”

Green last year helped spearhead dual crowdfunding efforts to raise money for a full-scale, professional security audit of the software. That effort ended up pulling in more than $70,000 (after counting the numerous Bitcoin donations) —  far exceeding the campaign’s goal and demonstrating strong interest and support from the user community. Earlier this year, security firm iSEC Partners completed the first component of the code review: an analysis of TrueCrypt’s bootloader (PDF). Continue reading →


1
May 14

Microsoft Issues Fix for IE Zero-Day, Includes XP Users

Microsoft has issued an emergency security update to fix a zer0-day vulnerability that is present in all versions of its Internet Explorer Web browser and that is actively being exploited. In an unexpected twist, the company says Windows XP users also will get the update, even though Microsoft officially ceased supporting XP last month.

IEwarning

The rushed patch comes less than five days after the software giant warned users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. This flaw can be used to silently install malicious software without any help from users, save for perhaps browsing to a hacked or malicious site.

“We have made the decision to issue a security update for Windows XP users,” writes Dustin C. Childs, group manager, response communications at Microsoft. “Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.”

Microsoft says the majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. Windows users who don’t take advantage of the automatic updates feature of Windows (or who don’t wish to wait around for it to install the patch) can do so by visiting Windows Update.


11
Feb 14

Security Updates for Shockwave, Windows

Adobe and Microsoft today each issued patches to fix critical security flaws in their software. Microsoft’s February Patch Tuesday includes seven patch bundles addressing at least 31 vulnerabilities in Windows and related software. Adobe pushed out an update that fixes two critical bugs in its Shockwave Player.

crackedwinMore than half of the updates issued by Microsoft today earned a “critical” rating — Microsoft’s most dire. That rating is assigned to vulnerabilities that can be exploited by malware or malcontents to take complete, remote control over vulnerable systems — with no help from users.

Microsoft is urging Windows users to apply all of the available fixes, but for those who need to prioritize patches (organizations that typically test patches before deploying them enterprise-wide), Redmond places a special focus on MS14-007, a graphics vulnerability in Windows 7/8/8.1 and Windows Server 2007, 2012 and Windows RT.

The cumulative, critical security update for all versions of Internet Explorer (MS14-010) fixes two dozen vulnerabilities, including one that Microsoft says has already been publicly disclosed. The other patch that Microsoft specifically called out — MS14-011 — addresses a vulnerability in VBScript that could cause problems for IE users.

Microsoft also once again is encouraging Windows users who haven’t already done so to consider installing and using its Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help to significantly beef up the security of third-party applications that run on top of Windows. I would second their recommendation, and have reviewed EMET 4.0 here. The latest version — 4.1 — is available at this link and requires Microsoft’s .NET Framework 4 platform.

Continue reading →


28
Jan 14

Feds to Charge Alleged SpyEye Trojan Author

Federal authorities in Atlanta today are expected to announce the arrest and charging of a 24-year-old Russian man who allegedly created and maintained the SpyEye Trojan, a sophisticated botnet creation kit that has been implicated in a number of costly online banking thefts against businesses and consumers.

The Justice Department alleges that 24-year-old Aleksander Panin was responsible for SpyEye. Image courtesy: RT.

24-year-old Aleksander Panin is thought to be responsible for SpyEye. Image courtesy: RT.

According to sources, the U.S. Justice Department is charging Aleksander Panin of Tver, Russia with being part of a gang that robbed banks via the Internet. He was reportedly arrested in the Dominican Republic in June 2013.

Update, 4:34 p.m. ET: Panin just pleaded to conspiracy to commit wire and bank fraud for his role as the primary developer and distributor of SpyEye, according to a press release from U.S. Attorney Sally Quillian Yates.

The government alleges that Panin sold SpyEye to at least 150 “clients,” one of whom is reported to have made more than $3.2 million in a six month period using the virus. The Justice Department further states that the investigation also has led to the arrests by international authorities of four of Panin’s SpyEye clients and associates in the United Kingdom and Bulgaria.

Panin’s attorney Arkady Bukh said his client is facing up to 30 years in prison. “We are happy with the plea,” Bukh said. “It will greatly limit the client’s exposure in this case at the time of sentencing.”

Original story:

It’s not clear why Panin was in the Dominican Republic, which has strong relations with the United States. According to Wikipedia, the Dominican Republic has worked closely with U.S. law enforcement officials on issues such as the extradition of fugitives. According to Russian news station RT, Panin was high on Interpol’s “red list,” wanted for embezzlement through Internet banking scams totaling USD $5 million.

Panin’s arrest and subsequent extradition to Atlanta, Georgia caused a minor diplomatic dust-up in July 2013, when news of his arrest first came to light in Moscow. “Of course, we are seriously concerned about the fact that it again concerns the arrest of a Russian citizen with a US warrant in a third country,” said Russian Foreign Ministry Information and Press Department Deputy Director Maria Zakharova, in a television interview aired by RT. “We think the fact that such practices are becoming a vicious tendency is absolutely unacceptable and inadmissible.”

A SpyEye version from 2011.

A SpyEye version from 2011.

The arrest caps a dramatic rise and fall of a crimeware package that evolved as a major headache for security professionals, and for Microsoft in particular. In March 2012, Microsoft executed a carefully-planned takedown of dozens of botnets powered by SpyEye and ZeuS — a competing botnet creation kit that was later briefly subsumed by SpyEye.

As part of that effort, Microsoft published email addresses and other information on the alleged SpyEye author, who went by the nicknames “Gribodemon” and “Harderman.” At the time, the software giant identified the alleged author only as an unknown “John Doe.”

Continue reading →