
The Laws of Vulnerabilities


Apple today published a security update for Mac OS X 10.7 (Lion), 10.8 (Mountain Lion) and 10.9 (Mavericks). The update addresses 13 distinct vulnerabilities in many of the aspects of Apple's Mac OS X, for example:

 

  • CVE-2014-1319 - an overflow in JPEG handling that can lead to Remote Code Execution (RCE) in 10.9 (Mavericks)
  • CVE-2014-1315 - a format string issue in the URL handling can lead to RCE in 10.9 (Mavericks)
  • CVE-2014-1314 - a Sandbox escape vulnerability in 10.8 (Mountain Lion) and 10.9 (Mavericks)
  • CVE-2013-5170 - a PDF parsing vulnerability can lead to RCE in 10.8 (Mountain Lion)

 

An SSL bug was also addressed in CVE-2014-1295, but it is unrelated to the Heartbleed bug in OpenSSL: Mac OS X ships with OpenSSL 0.9.8, a version that is not affected by Heartbleed.

 

Not surprisingly, given their shared heritage, Apple also published a new version of iOS that addresses some of the same issues. Version 7.1.1 fixes three CVEs in common plus another 16 in WebKit, the basis for the Safari browser. Apple had addressed similar vulnerabilities in Safari 7.0.3 and 6.1.3 in early April.

 

We recommend installing the new versions both for Mac OS X and iOS as quickly as possible.

 

 



As we are getting into the third week of the Heartbleed vulnerability, the focus for most organizations has shifted from patching the OpenSSL code to finding and replacing SSL certificates that might have been exposed. Qualys will host a webinar on Thursday, April 24, 2014 at 10am PDT entitled A Post-Mortem on Heartbleed – What Worked and What Didn't in which Jonathan Trull, the CISO for the State of Colorado, and I will cover the technical aspects of the bug, testing for its presence, how to exploit (with live examples) and some recovery strategies, both in theory and practice.

 

We look forward to seeing you there; you can sign up here.


Oracle released another massive Critical Patch Update (CPU) today, which contains 104 new security fixes. Java SE took the lion’s share of fixes, followed by Fusion Middleware and MySQL. Only two vulnerabilities were fixed in the flagship Database Server 11g and 12c, and both require credentials to be exploited remotely.

 

Java fixes include FX and SE, as well as SE Embedded. Out of the 37 Java vulnerabilities that were fixed, CVE-2014-2398 can be exploited remotely without authentication and we recommend you patch that immediately.

 

All vulnerabilities in the Fusion Middleware can be exploited over the web using HTTP, and 13 out of the 20 can be exploited remotely without authentication.

 

MySQL versions 5.5 and 5.6 were patched, and out of the 14 vulnerabilities only CVE-2014-2431 is exploitable remotely without authentication.

 

PeopleSoft received 8 vulnerability fixes, and 5 of them can be exploited remotely without authentication if left unpatched.

 

The large update covering multiple products will be easier to install if a good map of the current versions exists. In any case we recommend addressing vulnerabilities on systems that are Internet accessible first.


Tuesday, April 8, 2014 - today Microsoft came out with the bulletins for April Patch Tuesday. It is a small release with only four bulletins, MS14-017 to MS14-020, a light Patch Tuesday for the second month in a row.

 

But the Microsoft bulletins are not the most important item this month (even though MS14-017 fixes the current Word 0-day); two other items are: the new Heartbleed bug that impacts OpenSSL, and the arrival of Windows XP end of life. I will tackle each in turn:

 

Heartbleed
Yesterday a vulnerability in OpenSSL was disclosed that actually overshadows this Microsoft Patch Tuesday. The so-called “Heartbleed” vulnerability (CVE-2014-0160) is present in all recent OpenSSL versions and can be used to read information from a server that uses OpenSSL, for example your web server. A remote attacker can obtain your private encryption key and would then be able to decipher the encrypted traffic to and from the website. A patch is available in OpenSSL 1.0.1g; alternatively, one can recompile the OpenSSL version in use without the vulnerable “heartbeat” extension. Look to your Linux distribution maintainer for updates. We have added detection for the issue to SSLLabs and to QualysGuard, but stay tuned, as we will be providing more information on affected distributions and products.

 


 

Windows XP End of Life
Windows XP first came to market in 2001 and was by all measures a tremendously successful operating system. It is fast, user friendly and intuitive.   With the introduction of Service Pack 2 in 2004 several important security features were added, such as a default-on firewall (which severely curtailed the spread of network worms) and the Security Center, a one-stop shop for the security settings - firewall, automatic updates and AV protection. This year, after a 13 year run, it is “game over” for Windows XP.  Microsoft has introduced 3 new operating systems since (Vista, Windows 7 and Windows 8) and all are better equipped than XP, at least as far as security is concerned.

 

Not all of you have migrated away from Windows XP; our measurements show over 10% of you are still on XP, both in the enterprise sector and in the SMB/home sector (Qualys BrowserCheck users).

 

That is better than the 30% often quoted for general Internet users (admittedly Qualys users are probably more security-conscious than the average user), but it is still a very unhealthy posture. I expect Windows XP defensibility to deteriorate quickly over the next few weeks and months as attackers find ways to exploit certain aspects of the operating system, internet browser, mail programs, office software (Office 2003 is also EOL) and even third-party programs such as your PDF reader (Adobe says they will not update Adobe Reader on XP anymore). There are certainly ways to harden the setup, including using a different browser and e-mail program, installing EMET (http://support.microsoft.com/kb/2458544) and implementing additional safeguards such as whitelisting, but the question remains: Isn’t this more work than upgrading to a fully supported system in the first place?

 

But let’s get back to our bulletins for today:

 

  • MS14-017, the top bulletin, addresses 3 vulnerabilities in Microsoft Word, including the 0-day in the RTF (Rich Text Format) parser. The problem was first disclosed by Microsoft in KB2953095 on March 24, where Microsoft acknowledges the existence of exploits in the wild. Microsoft credits the Google Security team with the discovery. As a workaround Microsoft recommends disabling the opening of RTF files with Word, which can be automated with the provided FixIt MSI. The exploit has since been circulated widely and can be found on VirusTotal, meaning we are pretty close to a much wider usage by attackers. The attack vector is a self-contained RTF document that the user has to open with Microsoft Word, resulting in Remote Code Execution (RCE).  Our recommendation: Patch Microsoft Word as quickly as possible.
  • MS14-018, the second critical bulletin, addresses six vulnerabilities in Internet Explorer (IE) and affects all versions from IE6 to IE11. Microsoft gives this bulletin an exploitability index rating of “1”, meaning that attacks can be expected within the next 30 days. The attack vector would be a malicious webpage that the user has to browse to. Patch together with MS14-017.
  • MS14-019 and MS14-020 are bulletins that cover Windows and Microsoft Publisher. Both provide Remote Code Execution to an attacker, but have lower viability than MS14-017 or MS14-018. The Windows vulnerability only works under very special conditions, and Publisher is only sparsely installed and does not have any known exploits. Patch within your normal patch cycle.

 

Together with the detection for MS14-017 to MS14-020 we are also releasing two additional QIDs that "detect" the end-of-life status for both Windows XP and Office 2003:

  • 105543 EOL/Obsolete Operating System: Microsoft Windows XP Detected
  • 105544 EOL/Obsolete Software: Microsoft Office 2003 Detected

 

Adobe is releasing a new version of their Flash player in APSB14-09 which addresses four vulnerabilities, including one that was disclosed at the PWN2OWN contest last month. It is rated critical for Windows and Macintosh and should be high on your list to patch.


Tomorrow marks the end of support for Windows XP by Microsoft. There are multiple reasons why we still see XP in use today: the cost of upgrading can be daunting and machines may run critical legacy apps dependent on XP. There is also a lack of awareness of the size and state of the XP device population. Lastly, there are governments and other large organizations who have chosen to buy extended support for the OS from Microsoft. 

 

In 2013, more than 70% of Microsoft’s security patches affected Windows XP, and after April 8,  this trend will continue even though Microsoft will not explicitly state this.  XP use is dropping quickly, but according to BrowserCheck XP data from last month, we’re still seeing 14% usage across enterprises.

 

According to international data from Qualys’ BrowserCheck comprising more than 100,000 monthly vulnerability scans, Windows XP usage in Q1 2014 ranges from 7% to 13% in the U.S., the UK, Germany and France. 

 

Figure: Percentage of Scans Reporting XP

 

United States and United Kingdom

The UK and US have made the most progress of the countries we studied, reducing exposure in enterprises by more than half since Q1 2013 – down to 8% this quarter from 18%. 

 

France

While French businesses have reduced exposure by nearly half, the country is most at risk with 13 percent of enterprises still using XP, down from 23 percent in Q1 2013 – significantly higher than the other countries we studied. At this rate, it will take at least an entire calendar year for XP exposure to be eliminated. 

 

Germany

German enterprise PCs showed XP usage in only 12 percent of scans in Q1 2013. However, Germany has had the slowest progress in reducing exposure, with 7% of scans showing usage in Q1 2014. At the current rate of decline, it’s likely that it will take Germany at least another year and a half before machines running XP are either retired or upgraded.

 

So how long will XP survive?  Certainly into 2015 and maybe beyond.  A linear extrapolation of the data, which leads one to believe in 2015 as an endpoint,  is too optimistic given that companies and governments will buy extended support from Microsoft and there will be operational barriers in other organizations.

 

In a separate scan of QualysGuard data from 6,700 companies, we identified substantial differences in XP usage by industry:

 

  • Finance: Use of XP is at 21 percent of scans, levels that are too high, especially for an industry dealing with such sensitive data
  • Transport: 14% of scans show usage – though this industry accounts for the sharpest drop (from 55% to 14% in the last twelve months)
  • Retail: 14% of scans show usage
  • Services: 7% usage rate
  • Healthcare: 3% usage rate

 

There’s clearly a large install base relying upon XP right now, and for these organizations I have two pieces of advice. First, upgrade your software or decommission it. Where XP can’t simply be upgraded, examine whether it is a critical component of your system; isolate XP as much as possible, and limit dangerous activity on these devices (including surfing the web and using email). Secondly, install Microsoft’s EMET. This is a hardening tool that I’ve personally used and recommend. It monitors activity, identifies irregular behavior and aborts suspicious programs. It has worked against all 0-days I’ve seen this year and has prevented exploitation of vulnerabilities. It’s not widely publicized, but has very nice capabilities.

 

Of course there is also the option of signing up for Extended Support. It is expensive, running into the millions of US$ for organizations with enough machines, such as the UK NHS or the Dutch government that were recently in the news, but it might be necessary to assure the security and consistency of their respective infrastructures and buy the time needed for the migration.


Update 2: McAfee published an analysis of an exploit for CVE-2014-1761. Very interesting and eye-opening, as everything is controlled through the RTF document itself:

  • The attackers use a listoverridecount value of 25, which is outside the values 0, 1 or 9 specified in the standard. This confuses the RTF handler in Word and makes it possible to control the content of the program counter of the processor.
  • This gives the attacker the basis for arbitrary code execution. In this case the attackers are able to point the program counter to machine code that is included in the document itself, which makes the exploit very self-contained: no additional setup files are needed.
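As an added example (my own code, not from the original post or from McAfee's analysis), here is a small Python triage routine that flags the out-of-spec \listoverridecount value described above in an RTF file. The two RTF snippets are constructed for illustration, and treating an omitted parameter as 0 is an assumption.

```python
import re

# Constructed sample documents for illustration; they are not real exploit files.
BENIGN_RTF = (
    rb"{\rtf1\ansi\deff0{\*\listoverridetable"
    rb"{\listoverride\listid1\listoverridecount0\ls1}}"
    rb"\pard Quarterly report\par}"
)
SUSPICIOUS_RTF = (
    rb"{\rtf1\ansi\deff0{\*\listoverridetable"
    rb"{\listoverride\listid1\listoverridecount25\ls1}}"
    rb"\pard Quarterly report\par}"
)

# Values the RTF standard allows for \listoverridecount (0, 1 or 9, as noted above).
ALLOWED_COUNTS = {0, 1, 9}

# The control word followed by an optional signed numeric parameter. The negative
# lookahead keeps the pattern from matching a longer, unrelated control word
# (RTF control words end at the first non-letter).
LISTOVERRIDECOUNT_RE = re.compile(rb"\\listoverridecount(-?\d+)?(?![A-Za-z])")


def find_listoverridecount(data: bytes):
    """Return (offset, value) for every \\listoverridecount control word in data.

    An omitted parameter is treated as 0, the usual RTF convention (assumption).
    """
    hits = []
    for m in LISTOVERRIDECOUNT_RE.finditer(data):
        param = m.group(1)
        value = int(param) if param is not None else 0
        hits.append((m.start(), value))
    return hits


def suspicious_counts(data: bytes):
    """Return only the hits whose value lies outside the allowed set."""
    return [(off, val) for off, val in find_listoverridecount(data)
            if val not in ALLOWED_COUNTS]


def triage(data: bytes) -> dict:
    """Summarize one file: does it look like RTF, and does it carry an out-of-spec count?"""
    # The header check is informational only; the control-word scan runs regardless,
    # so a document with an unusual header is still inspected.
    looks_like_rtf = data.lstrip().startswith(b"{\\rtf")
    bad = suspicious_counts(data)
    return {
        "looks_like_rtf": looks_like_rtf,
        "out_of_spec_counts": bad,
        "verdict": "suspicious" if bad else "no finding",
    }


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(name, triage(doc))
```

A hit is a triage signal, not proof of exploitation; a file that matches still needs to be opened only in a patched Word or an isolated analysis environment.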

Conclusion: Patch this as quickly as possible, i.e. next Tuesday. The attacks are real and happening now. The exploit does not look that hard to replicate with the information provided. Beyond patching, it makes sense to disable RTF opening anyway, which is what the FixIt in KB2953095 does. It certainly looks as if there is more potential for this type of vulnerability, which can be found with relatively little investment in file fuzzing. See Charlie Miller's presentation on "dumb fuzzing" for some initial reading.

 

Update: Microsoft published a post on the SRD blog with more details, including some test data of the exploit with EMET. It seems that EMET’s ASLR enforcement effectively counters the exploit. Good stuff!

 

Original: Microsoft acknowledged today in KB2953095 a vulnerability present in Microsoft Word and Microsoft Outlook that is being exploited in the wild. The vulnerability CVE-2014-1761 is in the file format parser for RTF (Rich Text Format) and could be used by an attacker to gain remote access to the targeted system. The attack vector is a document in RTF format that the victim would have to open with Word. If the target uses Outlook 2007, 2010 or 2013 for e-mail, please be aware that Word is the default viewer for e-mails, and that even looking at the e-mail in the preview pane could lead to an infection through this attack.

 

The current workaround is to disable RTF as a supported format in Microsoft Office. The advisory contains a link to FixIt 51010, which performs the action for the end user. A secondary recommended action is to work with plain text in e-mails, which is a generally recommended safeguard that prevents the "drive-by" character of these types of attacks. It is described in this knowledgebase article at the Microsoft site.

 

Microsoft credits Drew Hintz, Shane Huntley, and Matty Pellegrino from the Google Security team with the discovery.

 

Please note that Mac users are affected. The advisory lists Microsoft Office for the Mac 201 as vulnerable.

 

Stay tuned for more news as the situation is developing.


April’s Patch Tuesday Preview has just come out and we are having another light Patch Tuesday with only four bulletins: MS14-017 to MS14-020. This low total number is very atypical, and at least 30% under the numbers for last year -- in April of 2013 we were at 36 bulletins and in 2012 we had 20 bulletins. At the same time there is no shortage of vulnerabilities as we have seen at last month’s CanSecWest, where literally all software packages (Java excepted) fell to security researchers who received cash prizes between $75,000 and $100,000.

 

But back to this month. Four bulletins, two rated critical and two rated important, but all of them enable “Remote Code Execution”, which is something that attackers are ultimately after. Bulletin #1 addresses the current 0-day vulnerability (KB2953095) in Microsoft Word and is applicable to all versions of Word starting with 2003 to the latest 2013, and includes Mac OS X as well. By the way, Office 2003 together with Windows XP are going to be end-of-life after this Patch Tuesday and will stop receiving security updates.  The end of life for XP has received plenty of coverage already, but this vulnerability is a good reminder not to focus only on Windows XP, and that this Office version also deserves attention.

 

Bulletin #2 is a new version of Internet Explorer, applicable to all versions of IE starting with IE6 on XP to IE11 on Windows 8.1 and RT. The only version not affected is IE10 under Windows 7. I expect the bulletin to contain the fixes for the vulnerabilities disclosed at PWN2OWN at CanSecWest.

 

Bulletin #3 and Bulletin #4 are both rated “important,” but Bulletin #3 is the more urgent one. It affects all versions of Windows and can be used to gain Remote Code Execution. Bulletin #4 addresses a problem in Publisher 2003 and 2007, a software package that we do not see widely installed.


Next week, Microsoft will deliver its last set of public security patches for Windows XP.

 


 

The end of life for XP, which has been announced for a number of years now, means that computers running XP will be very attackable in the near future. Over 70% of Microsoft’s security bulletins in 2013 affected XP, and there is no reason to assume that this will change in the near future. XP will be affected by a large percentage of the problems exposed in May, June and July, but there will be no remedy (except for companies that pay for extended support, an option that costs at least US$ 100,000/year).

 

The best solution is to migrate away from this outdated (designed in the 90s) operating system to a newer version, with the best candidates being Windows 7 and Windows 8. Organizations have focused a large amount of resources and money on updating their infrastructures, and we have seen the percentage of Windows XP machines drop from 35% in January 2013 to 14% in February 2014. We now project to be at 10% of Windows XP machines by the end of this month.

 


 

Different industry sectors show different XP migration profiles. For example, transportation dropped impressively fast from 55% in January 2013 to 14% in February, while healthcare has been consistently low in the ratio of Windows XP in its organizations’ networks.

 

Both of these industry sectors had significant challenges to overcome, especially in regards to specialized (non-IT managed) equipment that is connected to their networks and that frequently cannot simply be updated. Many industrial control systems and medical devices, configurations that typically have much longer useful lifespans (>10 years) than pure computer equipment (<4 years), have Windows XP systems as vital components in their setups that cannot simply be updated. Nevertheless, these systems run full XP and are as attackable as your average office machine if they are used in a similar fashion, for email and web browsing. Moving these machines into network segments that do not have direct Internet access and introducing additional firewalls that curb that type of usage are ways to improve security.

 

Stay tuned for more updates on the final days of XP.


Updating your computer software for security purposes should be a no-brainer; after all, we have been working on this issue for the last 10+ years and it should be a solved problem. Nevertheless, many people use their PCs basically as they received them, ignoring patch warnings and thinking it does not apply to them (from a recent dialogue that I had on a news/comment site), or believing they have more important things to do.

 

The Top 4 Audit gives us the information on Operating System and other Microsoft software in Control 3 - in my case I am missing updates for Internet Explorer, Windows, .NET, Office and others, all pretty much unavoidable since they get updated almost every month, and any new installation will be behind almost automatically.

 


 

Anyway, getting the Operating System up-to-date is straightforward, simply run Microsoft Update (the more complete version of Windows Update) a couple of times until all pending updates are applied, and in the process, configure it for automatic installation going forward.

 


 

You can do this without leaving your newly set up standard user (for me “wolfgang”, see last week's post), but you will have to give the credentials for your administrator user every once in a while. From Desktop, access the Control Panel, and then click on System and Security, under Windows Updates, click on Check for Updates. If you have not done so before, also opt-in to automatic updates from here on. My first run of Windows Update gave me 920 MB to download, which took about 45 minutes to install.

 


 

After installing these 84 patches and rebooting, a second run gave me another 600 MB, which took roughly 30 minutes to install plus reboot. A third run gave me 5 MB and was just the latest Flash player update embedded in Internet Explorer 10, a really important 2-week old update as it fixes a 0-day vulnerability. But my Top 4 Score now looks quite a bit better: A in Control 4 and A in Control 3 for an overall score of “C”.

 

Even better, from now on updates should be relatively easy and quick. I just need to pay attention on Patch Tuesday every month and let the machine update itself.

 

Next step: Application Patching - Control 2 - getting rid of that “D”.


At the RSA conference a few weeks ago, we introduced a new free service, the Top 4 Control audit. This service focuses on helping computer end users and small- to medium-sized companies implement the top 4 security measures first suggested by the Australian government's ASD. In their internal forensics, using the four measures they were able to prevent over 85% of the incidents that had occurred in the government agencies they were responsible for. In the last year, the Top 4 controls have started to gain acceptance, with both the SANS Institute and the Council on CyberSecurity supporting their implementation. CSIS’s Jim Lewis gave them a very favorable mention in his 2013 paper “Raising the Bar for Cybersecurity”.

 

I have used our new Top 4 service on a new machine that I received recently. It was a new laptop, a Lenovo T430. It came with Windows 8.1 installed, an ideal and updated target to work with.

 

In essence, the Top 4 consists of:

 

  1. Whitelisting, which prevents the execution of downloaded malware, as it is not contained in the approved list of software
  2. Patching applications, which shrinks the attack surface in the installed applications, focusing directly on the software most abused in recent months: Java, Adobe Flash, Adobe Reader, Microsoft Office and Apple QuickTime
  3. Patching the operating system, which fixes known vulnerabilities in Windows and further shrinks the available attack surface
  4. Running as a standard user, which makes it harder for malware to install itself permanently on the system, as this usually requires administrator privileges

 

Overall, it is a small, but pretty promising set of controls to try out. Nothing better than a brand new machine to test a quick setup to see how practical the whole suggestion of running the Top 4 audit really is.

 

When I first booted up my new machine, I was prompted to use my Hotmail account at Microsoft, but I opted to use a local account because I felt I would rather maintain a clear separation between my online and local machine accounts. (Hint, click on "Create a new account," then "Sign in without a Microsoft account.")

 

I proceeded to install the Top4 service plugin through the URL retrieved through my account on Qualys BrowserCheck Business Edition (http://tinyurl.com/qgbe4 or https://browsercheck.qualys.com/?uid=de39b22f468a147906fd65041b56719e). If you want to use the Top 4 service, you should really create an account in the Business Edition backend tool and get your personalized URL to get better reporting and trending on your results, but feel free to use the above URL if that is too much effort for you at the moment.

 

Then, after logging into Windows with the newly created user “wkandek”, I clicked on the Desktop tile and started Internet Explorer on the familiar desktop interface and went to the URL tinyurl.com/qgbe4, clicked on “install plugin” and accepted the Terms of Service. Then, I answered “Yes”, and “Yes” to the prompts by Windows. You also need to add the “https://browsercheck.qualys.com” site into your trusted sites in Internet Explorer by clicking on “Tools” (the little gear icon in the top right corner), “Internet Options,” “Security,” “Trusted Sites,” “Sites” and then “Add.” Then select “Advanced Scan” in the drop-down menu in the top right corner and hit the “Scan” (or “Re-Scan”) button.

 

The first scan gave me a pretty bad grade: overall “D”, composed of 2 * “F” grades, and a “D” and a “B”.

 


 

I decided to attack "control 4" from the Top 4 list first, because it should be simple to address. I started the control panel, clicked on ‘Users and Accounts” and created a second local user “wolfgang” that would serve as my day to day account. Logging out of my admin account “wkandek” and into the account “wolfgang”, I reran the scan by going to http://tinyurl.com/qgbe4 (I had to add http://browsercheck.qualys.com to my trusted sites again) and got a better score, an “A” in item 4: “User Privileges”, but still a “D” for overall security, mainly caused by the two “F” grades in controls 1 and 2.

 


 

OK, that was straightforward; so far under 30 minutes spent on getting better. Moving on to the next controls. Let’s do Windows Operating System Patching next.


The CanSecWest security conference in Vancouver is currently under way. In addition to the normal presentation lineup, CanSecWest also hosts the PWN2OWN competition organized by ZDI, where researchers bring their exploits and try them against the latest software versions. The competition is both technically challenging and politically loaded: two years ago the research company VUPEN made headlines when they said they would not sell their Chrome exploit to Google for even 1 million US dollars.

 

This year the controversy was around Google and ZDI themselves entering the competition, which some of the other competitors thought unfair. All prize money from these exploits, in which Google exploited Safari and ZDI Internet Explorer, was donated to charity, the Red Cross Canada.

 

On Day 1 the other competitors were successful as well:

 

  • VUPEN exploited Adobe Reader XI, Adobe Flash, Mozilla Firefox and Internet Explorer 11 on Win 8.1.
  • Mariusz Mlynski exploited Mozilla Firefox
  • Jüri Aedla exploited Mozilla Firefox

 

On Day 2 further successes:

 

  • Keen Team exploited Safari and Adobe Flash
  • VUPEN exploited Google Chrome
  • George Hotz exploited Firefox
  • Sebastian Apelt and Andreas Schmidt exploited Internet Explorer
  • An anonymous researcher partially exploited Google Chrome

 

Out of the US$ 850,000 VUPEN claimed almost half: US$ 400,000 went to the exploit specialist from France.

 

Some surprises: overall only one exploit attempt failed (against IE). VUPEN withdrew from two targets, Safari and Java (another potential US$ 95,000), so Java ended up making it through the contest without any exploit attempts, and so did the combination of Windows 8.1 plus EMET via IE11, codename Exploit Unicorn, which had US$ 150,000 in prize money assigned to it. One more reason to look at EMET for your workstations.

 

 


Today Microsoft released the bulletins for March Patch Tuesday. We have five bulletins, MS14-012 to MS14-016, a light Patch Tuesday by all comparisons, even with Adobe chiming in with an update that is non-critical. If it wasn't for the Internet Explorer (IE) patch that addresses the 0-day that was found during last month's Patch Tuesday, one could call it almost uneventful.

 

Here is our lineup for today:

 

  • MS14-012, a critical bulletin which addresses 18 vulnerabilities in all versions of IE, from IE6 on Windows XP to IE11 on Windows 8.1. It also includes the fix for a 0-day vulnerability that was identified by FireEye on February 11, first on the website of the organization of the US Veterans of Foreign Wars. The attack used a previously unknown flaw in IE 10 (CVE-2014-0322), plus a known vulnerability in Adobe Flash to bypass ASLR protections, and gave the attackers control over the computers visiting the site with that particular configuration. Microsoft has acknowledged the problem and provided a FixIt in KB2934088, but this is the permanent patch for the problem. Apply it as soon as possible.
  • MS14-013, the second critical bulletin, addresses one critical vulnerability. The attack also uses the webpage vector, but rather than going against IE directly, involves the DirectShow Windows component. Microsoft states that exploitation is hard and gives it an exploitation index of 3, but you should give it priority in your patch cycle.
  • The remaining bulletins, MS14-014, MS14-015 and MS14-016, are all rated important and do not provide Remote Code Execution (RCE) capabilities. MS14-014 is an ASLR bypass vulnerability that needs to be paired with a code execution vulnerability in order to become useful (see also the recent 0-day that used Adobe Flash exactly for that purpose). MS14-015 is a Windows Kernel driver fix addressing two CVEs, and MS14-016 is a change in the Windows API that allowed an attacker to bypass password lockout rules, which could be used in brute force attack attempts. Take a look at the Microsoft SRD blog to see where ASLR fixes fit in overall.
  • Adobe's update to Flash (APSB14-08) addresses two vulnerabilities in Adobe Flash V12 and V11 on Windows, Mac OS X and Linux. Both are rated as important, meaning they cannot be used to gain remote code execution on the targeted platforms. Organizations that run Chrome or a modern version of IE will get their Flash update delivered through their browsers, others will need to update their software directly via Adobe.

 

The other major Microsoft issue is the coming end-of-life of Windows XP. We are now less than 28 days away from the final set of patches that XP will receive. Nevertheless, we are not seeing a reduction in vulnerabilities. All of today's bulletins apply to Windows XP and there is really no reason to expect any change in the near future: the majority of vulnerabilities found in the Windows OS and IE will also apply to Windows XP, but IT admins won't have access to patches for these problems anymore. This will make any Windows XP machine an easy target for attackers, and within a few weeks, new tools will be developed that make these exploits widely available. Your best choice is to migrate away from Windows XP to a newer version of the operating system.

 

So far, you have done an incomplete job. In our latest survey of roughly 35 million monthly scans, we are still seeing 14% Windows XP machines, down from 16% in January and 17% in December 2013. If that trend continues, we project 10% by the end-of-life date, at least in the enterprise space covered by QualysGuard.

 

 


Two weeks ago at the RSA US 2014 conference in San Francisco, Microsoft released a preview version of their EMET 5 (Enhanced Mitigation Experience Toolkit) security toolkit. EMET implements additional restrictions on Windows, monitoring programs for violations of policy and, optionally, shutting down the offending programs. It has been effective against all 0-day attacks of 2013 and 2014, starting with MS13-008, MS13-021, and MS13-038. In the known exploit against this month's MS14-012, the attacker acknowledges that power and tests for the presence of EMET beforehand, proactively forfeiting when the EMET DLL is detected. I recommend that IT admins take a look at this toolkit and test its compatibility with their installations. The new EMET version 5 introduces a plugin whitelisting capability that could be a great asset in controlling browser plugins, for example only allowing Java to run on a controlled subset of machines where the plugin is actually required.

 

That is it for this month's bulletins, but stay tuned for more coverage about XP in the SMB and home market, plus a breakdown of the numbers that takes geography into account.


Microsoft just published the preview for March's Patch Tuesday with five bulletins (two critical and three important) and there are two big priorities:

 

  1. Patch the Internet Explorer vulnerability addressed in Bulletin #1, as it covers the current 0-day that was discovered about three weeks ago. Microsoft has so far addressed it with a Fix-It in KB2934088, but this will be the permanent patch reaching a much larger audience.
  2. Windows XP is affected by all five updates, and there is really no reason to expect this picture to change; Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore. Windows XP is getting its penultimate update and is now very close (just over 30 days) to its declared end of life date.

 


 

So you need a strategy for the XP machines remaining in your infrastructure. We are still seeing a significant number of XP machines in our scans, ranging from around 25% in our consumer-oriented service BrowserCheck to under 20% in our enterprise-oriented data from QualysGuard.

 

Back to the March bulletins: priority one should be the two critical bulletins, Bulletin #1 for all versions of Internet Explorer, from v6 all the way to v11, and Bulletin #2 for Windows, affecting all Windows OS versions from XP to 2012, with the exception of Windows RT. Bulletins #3 and #4 address important vulnerabilities in Windows, and Bulletin #5 will be for users of Silverlight on Mac and Windows.

 

Stay tuned for our coverage next week, when we get more details on the patches.

About the Author

Wolfgang Kandek
CTO, Qualys, Inc.
laws@qualys.com