Time to Patch


13
Oct 20

Microsoft Patch Tuesday, October 2020 Edition

It’s Cybersecurity Awareness Month! In keeping with that theme, if you (ab)use Microsoft Windows computers you should be aware the company shipped a bevy of software updates today to fix at least 87 security problems in Windows and programs that run on top of the operating system. That means it’s once again time to backup and patch up.

Eleven of the vulnerabilities earned Microsoft’s most-dire “critical” rating, which means bad guys or malware could use them to gain complete control over an unpatched system with little or no help from users.

Worst in terms of outright scariness is probably CVE-2020-16898, which is a nasty bug in Windows 10 and Windows Server 2019 that could be abused to install malware just by sending a malformed packet of data at a vulnerable system. CVE-2020-16898 earned a CVSS Score of 9.8 (10 is the most awful).

Security vendor McAfee has dubbed the flaw “Bad Neighbor,” and in a blog post about it said a proof-of-concept exploit shared by Microsoft with its partners appears to be “both extremely simple and perfectly reliable,” noting that this sucker is imminently “wormable” — i.e. capable of being weaponized into a threat that spreads very quickly within networks.

“It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations,” McAfee’s Steve Povolny wrote. “The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable.”

Trend Micro’s Zero Day Initiative (ZDI) calls special attention to another critical bug quashed in this month’s patch batch: CVE-2020-16947, which is a problem with Microsoft Outlook that could result in malware being loaded onto a system just by previewing a malicious email in Outlook.

“The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted,” said ZDI’s Dustin Childs.

While there don’t appear to be any zero-day flaws in October’s release from Microsoft, Todd Schell from Ivanti points out that a half-dozen of these flaws were publicly disclosed prior to today, meaning bad guys have had a jump start on being able to research and engineer working exploits. Continue reading →


8
Sep 20

Microsoft Patch Tuesday, Sept. 2020 Edition

Microsoft today released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software. None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users.

The majority of the most dangerous or “critical” bugs deal with issues in Microsoft’s various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server.

“That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” said Dustin Childs, of Trend Micro’s Zero Day Initiative. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon. This should be your top priority.”

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that’s been exploited for cybercriminal gains since April 2019.

Microsoft fixed at least five other serious bugs in Sharepoint versions 2010 through 2019 that also could be used to compromise systems running this software. And because ransomware purveyors have a history of seizing upon Sharepoint flaws to wreak havoc inside enterprises, companies should definitely prioritize deployment of these fixes, says Alan Liska, senior security architect at Recorded Future. Continue reading →


17
Aug 20

Microsoft Put Off Fixing Zero Day for 2 Years

A security flaw in the way Microsoft Windows guards users against malicious files was actively exploited in malware attacks for two years before last week, when Microsoft finally issued a software update to correct the problem.

One of the 120 security holes Microsoft fixed on Aug. 11’s Patch Tuesday was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs.

Code signing is the method of using a certificate-based digital signature to sign executable files and scripts in order to verify the author’s identity and ensure that the code has not been changed or corrupted since it was signed by the author.

Microsoft said an attacker could use this “spoofing vulnerability” to bypass security features intended to prevent improperly signed files from being loaded. Microsoft’s advisory makes no mention of security researchers having told the company about the flaw, which Microsoft acknowledged was actively being exploited.

In fact, CVE-2020-1464 was first spotted in attacks used in the wild back in August 2018. And several researchers informed Microsoft about the weakness over the past 18 months.

Bernardo Quintero is the manager at VirusTotal, a service owned by Google that scans any submitted files against dozens of antivirus services and displays the results. On Jan. 15, 2019, Quintero published a blog post outlining how Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer files (those ending in .MSI) signed by any software developer.

Quintero said this weakness would be particularly acute if an attacker were to use it to hide a malicious Java file (.jar). And, he said, this exact attack vector was indeed detected in a malware sample sent to VirusTotal.

“In short, an attacker can append a malicious JAR to a MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according Microsoft Windows,” Quintero wrote.

But according to Quintero, while Microsoft’s security team validated his findings, the company chose not to address the problem at the time.

“Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly,” his blog post concluded.

Tal Be’ery, founder of Zengo, and Peleg Hadar, senior security researcher at SafeBreach Labs, penned a blog post on Sunday that pointed to a file uploaded to VirusTotal in August 2018 that abused the spoofing weakness, which has been dubbed GlueBall. The last time that August 2018 file was scanned at VirusTotal (Aug 14, 2020), it was detected as a malicious Java trojan by 28 of 59 antivirus programs.

Continue reading →


11
Aug 20

Microsoft Patch Tuesday, August 2020 Edition

Microsoft today released updates to plug at least 120 security holes in its Windows operating systems and supported software, including two newly discovered vulnerabilities that are actively being exploited. Yes, good people of the Windows world, it’s time once again to backup and patch up!

At least 17 of the bugs squashed in August’s patch batch address vulnerabilities Microsoft rates as “critical,” meaning they can be exploited by miscreants or malware to gain complete, remote control over an affected system with little or no help from users. This is the sixth month in a row Microsoft has shipped fixes for more than 100 flaws in its products.

The most concerning of these appears to be CVE-2020-1380, which is a weaknesses in Internet Explorer that could result in system compromise just by browsing with IE to a hacked or malicious website. Microsoft’s advisory says this flaw is currently being exploited in active attacks.

The other flaw enjoying active exploitation is CVE-2020-1464, which is a “spoofing” bug in virtually all supported versions of Windows that allows an attacker to bypass Windows security features and load improperly signed files. For more on this flaw, see Microsoft Put Off Fixing Zero for 2 Years.

Trend Micro’s Zero Day Initiative points to another fix — CVE-2020-1472 — which involves a critical issue in Windows Server versions that could let an unauthenticated attacker gain administrative access to a Windows domain controller and run an application of their choosing. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.

“It’s rare to see a Critical-rated elevation of privilege bug, but this one deserves it,” said ZDI’S Dustin Childs. “What’s worse is that there is not a full fix available.”

Perhaps the most “elite” vulnerability addressed this month earned the distinction of being named CVE-2020-1337, and refers to a security hole in the Windows Print Spooler service that could allow an attacker or malware to escalate their privileges on a system if they were already logged on as a regular (non-administrator) user.

Satnam Narang at Tenable notes that CVE-2020-1337 is a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020. Narang said researchers found that the patch for CVE-2020-1048 was incomplete and presented their findings for CVE-2020-1337 at the Black Hat security conference earlier this month. More information on CVE-2020-1337, including a video demonstration of a proof-of-concept exploit, is available here. Continue reading →


14
Jul 20

‘Wormable’ Flaw Leads July Microsoft Patches

Microsoft today released updates to plug a whopping 123 security holes in Windows and related software, including fixes for a critical, “wormable” flaw in Windows Server versions that Microsoft says is likely to be exploited soon. While this particular weakness mainly affects enterprises, July’s care package from Redmond has a little something for everyone. So if you’re a Windows (ab)user, it’s time once again to back up and patch up (preferably in that order).

Top of the heap this month in terms of outright scariness is CVE-2020-1350, which concerns a remotely exploitable bug in more or less all versions of Windows Server that attackers could use to install malicious software simply by sending a specially crafted DNS request.

Microsoft said it is not aware of reports that anyone is exploiting the weakness (yet), but the flaw has been assigned a CVSS score of 10, which translates to “easy to attack” and “likely to be exploited.”

“We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction,” Microsoft wrote in its documentation of CVE-2020-1350. “DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts.”

CVE-2020-1350 is just the latest worry for enterprise system administrators in charge of patching dangerous bugs in widely-used software. Over the past couple of weeks, fixes for flaws with high severity ratings have been released for a broad array of software products typically used by businesses, including Citrix, F5, Juniper, Oracle and SAP. This at a time when many organizations are already short-staffed and dealing with employees working remotely thanks to the COVID-19 pandemic.

The Windows Server vulnerability isn’t the only nasty one addressed this month that malware or malcontents can use to break into systems without any help from users. A full 17 other critical flaws fixed in this release tackle security weaknesses that Microsoft assigned its most dire “critical” rating, such as in Office, Internet Exploder, SharePoint, Visual Studio, and Microsoft’s .NET Framework. Continue reading →


9
Jun 20

Microsoft Patch Tuesday, June 2020 Edition

Microsoft today released software patches to plug at least 129 security holes in its Windows operating systems and supported software, by some accounts a record number of fixes in one go for the software giant. None of the bugs addressed this month are known to have been exploited or detailed prior to today, but there are a few vulnerabilities that deserve special attention — particularly for enterprises and employees working remotely.

June marks the fourth month in a row that Microsoft has issued fixes to address more than 100 security flaws in its products. Eleven of the updates address problems Microsoft deems “critical,” meaning they could be exploited by malware or malcontents to seize complete, remote control over vulnerable systems without any help from users.

A chief concern among the panoply of patches is a trio of vulnerabilities in the Windows file-sharing technology (a.k.a. Microsoft Server Message Block or “SMB” service). Perhaps most troubling of these (CVE-2020-1301) is a remote code execution bug in SMB capabilities built into Windows 7 and Windows Server 2008 systems — both operating systems that Microsoft stopped supporting with security updates in January 2020. One mitigating factor with this flaw is that an attacker would need to be already authenticated on the network to exploit it, according to security experts at Tenable.

The SMB fixes follow closely on news that proof-of-concept code was published this week that would allow anyone to exploit a critical SMB flaw Microsoft patched for Windows 10 systems in March (CVE-2020-0796). Unlike this month’s critical SMB bugs, CVE-2020-0796 does not require the attacker to be authenticated to the target’s network. And with countless company employees now working remotely, Windows 10 users who have not yet applied updates from March or later could be dangerously exposed right now. Continue reading →


12
May 20

Microsoft Patch Tuesday, May 2020 Edition

Microsoft today issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as being publicly exploited or detailed prior to today, but as always if you’re running Windows on any of your machines it’s time once again to prepare to get your patches on.

May marks the third month in a row that Microsoft has pushed out fixes for more than 110 security flaws in its operating system and related software. At least 16 of the bugs are labeled “Critical,” meaning ne’er-do-wells can exploit them to install malware or seize remote control over vulnerable systems with little or no help from users.

But focusing solely on Microsoft’s severity ratings may obscure the seriousness of the flaws being addressed this month. Todd Schell, senior product manager at security vendor Ivanti, notes that if one looks at the “exploitability assessment” tied to each patch — i.e., how likely Microsoft considers each can and will be exploited for nefarious purposes — it makes sense to pay just as much attention to the vulnerabilities Microsoft has labeled with the lesser severity rating of “Important.”

Virtually all of the non-critical flaws in this month’s batch earned Microsoft’s “Important” rating.

“What is interesting and often overlooked is seven of the ten [fixes] at higher risk of exploit are only rated as Important,” Schell said. “It is not uncommon to look to the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as Important vs Critical.”

For example, Satnam Narang from Tenable notes that two remote code execution flaws in Microsoft Color Management (CVE-2020-1117) and Windows Media Foundation (CVE-2020-1126) could be exploited by tricking a user into opening a malicious email attachment or visiting a website that contains code designed to exploit the vulnerabilities. However, Microsoft rates these vulnerabilities as “Exploitation Less Likely,” according to their Exploitability Index.

In contrast, three elevation of privilege vulnerabilities that received a rating of “Exploitation More Likely” were also patched, Narang notes. These include a pair of “Important” flaws in Win32k (CVE-2020-1054, CVE-2020-1143) and one in the Windows Graphics Component (CVE-2020-1135). Elevation of Privilege vulnerabilities are used by attackers once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges. There are at least 56 of these types of fixes in the May release.

Schell says if your organization’s plan for prioritizing the deployment of this month’s patches stops at vendor severity or even CVSS scores above a certain level you may want to reassess your metrics.

“Look to other risk metrics like Publicly Disclosed, Exploited (obviously), and Exploitability Assessment (Microsoft specific) to expand your prioritization process,” he advised.

Continue reading →


14
Apr 20

Microsoft Patch Tuesday, April 2020 Edition

Microsoft today released updates to fix 113 security vulnerabilities in its various Windows operating systems and related software. Those include at least three flaws that are actively being exploited, as well as two others which were publicly detailed prior to today, potentially giving attackers a head start in figuring out how to exploit the bugs.

Nineteen of the weaknesses fixed on this Patch Tuesday were assigned Microsoft’s most-dire “critical” rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.

Near the top of the heap is CVE-2020-1020, a remotely exploitable bug in the Adobe Font Manager library that was first detailed in late March when Microsoft said it had seen the flaw being used in active attacks.

The Adobe Font Manager library is the source of yet another zero-day flaw — CVE-2020-0938 — although experts at security vendor Tenable say there is currently no confirmation that the two are related to the same set of in-the-wild attacks. Both flaws could be exploited by getting a Windows users to open a booby-trapped document or viewing one in the Windows Preview Pane.

The other zero-day flaw (CVE-2020-1027) affects Windows 7 and Windows 10 systems, and earned a slightly less dire “important” rating from Microsoft because it’s an “elevation of privilege” bug that requires the attacker to be locally authenticated.

Many security news sites are reporting that Microsoft addressed a total of four zero-day flaws this month, but it appears the advisory for a critical Internet Explorer flaw (CVE-2020-0968) has been revised to indicate Microsoft has not yet received reports of it being used in active attacks. However, the advisory says this IE bug is likely to be exploited soon.

Researchers at security firm Recorded Future zeroed in on CVE-2020-0796, a critical vulnerability dubbed “SMBGhost” that was rumored to exist in last month’s Patch Tuesday but for which an out-of-band patch wasn’t released until March 12. The problem resides in a file-sharing component of Windows, and could be exploited merely by sending the victim machine specially-crafted data packets. Proof-of-concept code showing how to exploit the bug was released April 1, but so far there are no indications this method has been incorporated into malware or active attacks.

Recorded Future’s Allan Liska notes that one reason these past few months have seen so many patches from Microsoft is the company recently hired “SandboxEscaper,” a nickname used by the security researcher responsible for releasing more than a half-dozen zero-day flaws against Microsoft products last year.

“SandboxEscaper has made several contributions to this month’s Patch Tuesday,” Liska said. “This is great news for Microsoft and the security community at large.” Continue reading →


2
Apr 20

‘War Dialing’ Tool Exposes Zoom’s Password Problems

As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom. But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. And according to data gathered by a new automated Zoom meeting discovery tool dubbed “zWarDial,” a crazy number of meetings at major corporations are not being protected by a password.

zWarDial, an automated tool for finding non-password protected Zoom meetings. According to its makers, zWarDial can find on average 110 meetings per hour, and has a success rate of around 14 percent.

Each Zoom conference call is assigned a Meeting ID that consists of 9 to 11 digits. Naturally, hackers have figured out they can simply guess or automate the guessing of random IDs within that space of digits.

Security experts at Check Point Research did exactly that last summer, and found they were able to predict approximately four percent of randomly generated Meeting IDs. The Check Point researchers said enabling passwords on each meeting was the only thing that prevented them from randomly finding a meeting.

Zoom responded by saying it was enabling passwords by default in all future scheduled meetings. Zoom also said it would block repeated attempts to scan for meeting IDs, and that it would no longer automatically indicate if a meeting ID was valid or invalid.

Nevertheless, the incidence of Zoombombing has skyrocketed over the past few weeks, even prompting an alert by the FBI on how to secure meetings against eavesdroppers and mischief-makers. This suggests that many Zoom users have disabled passwords by default and/or that Zoom’s new security feature simply isn’t working as intended for all users.

New data and acknowledgments by Zoom itself suggest the latter may be more likely.

Earlier this week, KrebsOnSecurity heard from Trent Lo, a security professional and co-founder of SecKC, Kansas City’s longest-running monthly security meetup. Lo and fellow SecKC members recently created zWarDial, which borrows part of its name from the old phone-based war dialing programs that called random or sequential numbers in a given telephone number prefix to search for computer modems.

Lo said zWarDial evades Zoom’s attempts to block automated meeting scans by routing the searches through multiple proxies in Tor, a free and open-source software that lets users browse the Web anonymously.

“Zoom recently said they fixed this but I’m using a totally different URL and passing a cookie along with that URL,” Lo said, describing part of how the tool works on the back end. “This gives me the [Zoom meeting] room information without having to log in.”

Lo said a single instance of zWarDial can find approximately 100 meetings per hour, but that multiple instances of the tool running in parallel could probably discover most of the open Zoom meetings on any given day. Each instance, he said, has a success rate of approximately 14 percent, meaning for each random meeting number it tries, the program has a 14 percent chance of finding an open meeting.

Only meetings that are protected by a password are undetectable by zWarDial, Lo said.

“Having a password enabled on the meeting is the only thing that defeats it,” he said.

Lo shared the output of one day’s worth of zWarDial scanning, which revealed information about nearly 2,400 upcoming or recurring Zoom meetings. That information included the link needed to join each meeting; the date and time of the meeting; the name of the meeting organizer; and any information supplied by the meeting organizer about the topic of the meeting.

The results were staggering, and revealed details about Zoom meetings scheduled by some of the world’s largest companies, including major banks, international consulting firms, ride-hailing services, government contractors, and investment ratings firms.

KrebsOnSecurity is not naming the companies involved, but was able to verify dozens of them by matching the name of the meeting organizer with corporate profiles on LinkedIn.

By far the largest group of companies exposing their Zoom meetings are in the technology sector, and include a number of security and cloud technology vendors. These include at least one tech company that’s taken to social media warning people about the need to password protect Zoom meetings!

The distribution of Zoom meetings found by zWarDial, indexed by industry. As depicted above, zWarDial found roughly 2,400 exposed meetings in less than 24 hours. Image: SecKC.

Continue reading →


20
Mar 20

Zyxel Flaw Powers New Mirai IoT Botnet Strain

In February, hardware maker Zyxel fixed a zero-day vulnerability in its routers and VPN firewall products after KrebsOnSecurity told the company the flaw was being abused by attackers to break into devices. This week, security researchers said they spotted that same vulnerability being exploited by a new variant of Mirai, a malware strain that targets vulnerable Internet of Things (IoT) devices for use in large-scale attacks and as proxies for other cybercrime activity.

Security experts at Palo Alto Networks said Thursday their sensors detected the new Mirai variant — dubbed Mukashi — on Mar. 12. The new Mirai strain targets CVE-2020-9054, a critical flaw that exists in many VPN firewalls and network attached storage (NAS) devices made by Taiwanese vendor Zyxel Communication Corp., which boasts some 100 million devices deployed worldwide.

Like other Mirai variants, Mukashi constantly scans the Internet for vulnerable IoT devices like security cameras and digital video recorders (DVRs), looking for a range of machines protected only by factory-default credentials or commonly-picked passwords.

Palo Alto said IoT systems infected by Mukashi then report back to a control server, which can be used to disseminate new instructions — such as downloading additional software or launching distributed denial of service (DDoS) attacks.

The commands Mukashi botmasters can send to infected devices include scanning for and exploiting other systems, and launching DDoS attacks. Image: Palo Alto Networks.

Zyxel issued a patch for the flaw on Feb. 24, but the update did not fix the problem on many older Zyxel devices which are no longer being supported by the company. For those devices, Zyxel’s advice was not to leave them connected to the Internet.

A joint advisory on CVE-2020-9054 from the U.S. Department of Homeland Security and the CERT Coordination Center rates this vulnerability at a “10” — the most severe kind of flaw. The DHS/CERT advisory also includes sample code to test if a Zyxel product is vulnerable to the flaw.

My advice? If you can’t patch it, pitch it, as Mukashi is not the only thing interested in this Zyxel bug: Recent activity suggests attackers known for deploying ransomware have been actively working to test it for use against targets.