
MICROSOFT PATCHES 20 CRITICAL VULNERABILITIES

Microsoft tackled 53 vulnerabilities with today’s Patch Tuesday bulletin. Remote code execution bugs dominated this month’s patches, representing 25 fixes. In total, 20 of Microsoft’s security fixes were rated critical.

Notable are four vulnerabilities with public exploits identified by Microsoft as CVE-2017-11848, CVE-2017-11827, CVE-2017-11883 and CVE-2017-8700. But, according to an analysis of Patch Tuesday fixes by Qualys, none of the four are being used in active campaigns.

Security experts say companies should prioritize patching a half-dozen scripting engine memory corruption vulnerabilities impacting Microsoft’s Edge and Internet Explorer 11 browsers running on versions of Windows 10, Windows 8.1, Windows 7 and Windows Server (version 1709).

“A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” wrote Microsoft regarding CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873.

Microsoft said if exploited, an attacker could gain the same user rights as the current user. “In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website,” Microsoft wrote. “These websites could contain specially crafted content that could exploit the vulnerability.”

Researchers at Zero Day Initiative said that among the critical vulnerabilities they spotted, a distinct malware bypass theme emerged. They wrote, “CVE-2017-11830 patches a Device Guard security feature bypass vulnerability that would allow malware authors to falsely authenticate files… CVE-2017-11877 fixes an Excel security feature bypass vulnerability that fails to enforce macro settings, which are often used by malware developers.”

“Speaking of malware, this patch fixes a CVE (CVE-2017-11830) that allows Device Guard to incorrectly validate an untrusted file. This means attackers could make an unsigned file appear to be signed. Since Device Guard relies on a valid signature to determine trustworthiness, malicious files could be executed by making untrusted files seem trusted. This is exactly the sort of bug malware authors seek, as it allows them to have their exploit appear as a trusted file to the target,” ZDI wrote.

Patch Tuesday also included an advisory (ADV170020), which is part of Microsoft’s Office Defense in Depth Update series. “ADV170020 is likely related to the malware abusing Dynamic Data Exchange, and this advisory may help restrict abusing this protocol feature,” wrote Zero Day Initiative researchers.

Despite a number of attacks that have used Dynamic Data Exchange fields in Office, Microsoft has remained insistent that DDE is a product feature and not a vulnerability.

Part of Patch Tuesday also includes something new, according to Greg Wiseman, Rapid7’s senior security researcher, who said Microsoft is applying fixes to some of its open source projects. “Sixteen of the Edge vulnerabilities have been resolved in ChakraCore, the open source part of Edge’s JavaScript engine,” Wiseman said. “.NET Core is being patched for a denial of service (DoS) vulnerability (CVE-2017-11770), and ASP.NET Core has fixes for DoS (CVE-2017-11883), privilege escalation (CVE-2017-11879), and information disclosure (CVE-2017-8700) vulnerabilities this month.”

Lastly, Qualys warns that CVE-2017-11882, a Microsoft Office memory corruption vulnerability rated important, should also be prioritized. “There may be POC code for this vulnerability, so it is recommended that you give the Office updates attention this month as well,” Qualys wrote.

Microsoft patches critical Windows DNS client vulnerabilities

Three critical Windows DNS client vulnerabilities were patched today by Microsoft, closing off an avenue where an attacker able to answer a Windows machine’s DNS queries could respond with a malformed record and gain arbitrary code execution on Windows clients or Windows Server installations.

The flaws were discovered and privately disclosed to Microsoft by researcher Nick Freeman at Bishop Fox. An attacker on the local network or in a man-in-the-middle position could insert a malicious payload into a DNS response to a Windows machine’s DNS request and trigger the vulnerability.

Windows admins are advised to patch immediately; the bug affects Windows 8 and Windows 10 clients, and Windows Server 2012 and 2016. Bishop Fox said it is not aware of any public attacks using this vulnerability.

“In the majority of cases, the only requirement would be that an attacker is connected to the same network as their target,” Freeman said.

The bug, CVE-2017-11779, traces back to the introduction of DNSSEC support into Windows, starting with Windows 8, in the DNSAPI.dll library. At the core of the bug is the NSEC3 DNS resource record: the Nsec3_RecordRead function that handles it parses NSEC3 records unsafely, Freeman said. Users are at risk regardless of how they interact with the client or server, since DNS requests can be made silently by background processes looking up IP addresses, or more noisily through browsing, email applications or streaming music services, for example.

Bishop Fox reasoned in its report that the introduction of DNSSEC into Windows was done in part to reduce the risk posed by the plaintext nature of the protocol making it vulnerable to man-in-the-middle attacks. The NSEC3 vulnerability arrived with DNSSEC.

“The Windows DNS client doesn’t do enough sanity checking when it processes a DNS response that contains an NSEC3 record,” Freeman wrote in a report released today. “Malformed NSEC3 records can trigger this vulnerability and corrupt the memory of the DNS client. If this is done carefully, it can result in arbitrary code execution on the target system.”

There are slight upsides to the bug, Freeman said.

“Because the record is malformed, it doesn’t make it through the normal DNS system. Servers along the way will drop it because it doesn’t fit the standard for NSEC3 records,” he wrote. “This is a good thing, because otherwise this issue would be easier to exploit and have far more serious implications. So, for an attacker to exploit this issue, they need to be between you and the DNS server you’re using.”

Even so, attackers exploiting the three heap overflow bugs can elevate privileges on a Windows machine, access any sensitive data stored locally, or run code on the client or server. Because the Nsec3_RecordRead function fails to parse resource records securely, multiple out-of-bounds writes may result, Freeman said.
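The three passages above describe the defect class rather than the exact code path: a DNS client that trusts the length octets inside an NSEC3 record instead of checking them against the record length and the limits the RFCs impose. The following is an added illustration, not the Windows DNSAPI code, Bishop Fox’s proof of concept, or a reconstruction of Nsec3_RecordRead. It parses NSEC3 RDATA as laid out in RFC 5155 (hash algorithm, flags, iterations, salt, next hashed owner name, type bit maps) in two ways: an unchecked parser showing where attacker-controlled lengths turn into out-of-bounds reads and writes, and a bounds-checked parser that drops malformed records, which is also the behaviour Freeman credits for intermediate resolvers not forwarding such records. The sample records, the 16-entry type array and the `parse_and_count` / `parsed_type_at` helper names are constructed for the example.

```c
/* NSEC3 RDATA parsing (RFC 5155 s3.2), unchecked vs bounds-checked.
 * Added example; not the Windows DNS client code or Bishop Fox's PoC. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NSEC3_MAX_BITMAP 32   /* RFC 4034 s4.1.2: each bitmap is 1..32 octets */

struct nsec3_rr {
    uint8_t  hash_alg;
    uint8_t  flags;
    uint16_t iterations;
    uint8_t  salt_len;
    uint8_t  salt[255];        /* a one-octet length cannot exceed 255 */
    uint8_t  hash_len;
    uint8_t  next_hashed[255];
    int      ntypes;           /* number of RR types set in the Type Bit Maps */
    uint16_t types[16];        /* first few decoded type numbers (example limit) */
};

/* Unchecked pattern: every length is read from the record and never compared
 * with rdlen or the destination size. A Bitmap Length octet of 0xFF makes the
 * memcpy write 255 octets into a 32-octet buffer (overflow); oversized salt or
 * hash lengths read past the end of the packet. Only safe on well-formed input. */
int nsec3_parse_unchecked(const uint8_t *rd, size_t rdlen, struct nsec3_rr *out)
{
    uint8_t bitmap[NSEC3_MAX_BITMAP];
    size_t p = 0;
    out->hash_alg = rd[p++];
    out->flags = rd[p++];
    out->iterations = (uint16_t)(rd[p] << 8 | rd[p + 1]); p += 2;
    out->salt_len = rd[p++];
    memcpy(out->salt, rd + p, out->salt_len); p += out->salt_len;
    out->hash_len = rd[p++];
    memcpy(out->next_hashed, rd + p, out->hash_len); p += out->hash_len;
    while (p < rdlen) {                       /* window blocks */
        p++;                                  /* window number */
        uint8_t blen = rd[p++];
        memcpy(bitmap, rd + p, blen);         /* BUG: blen may be 255, bitmap holds 32 */
        p += blen;
    }
    return 0;
}

/* Hardened form: walk a cursor and refuse any field that does not fit in rdlen
 * or exceeds the RFC limits. Returns 0 on success, -1 if the record is
 * malformed (the caller should drop the whole response). */
int nsec3_parse_checked(const uint8_t *rd, size_t rdlen, struct nsec3_rr *out)
{
    size_t p = 0;
    int last_window = -1;
    memset(out, 0, sizeof *out);
    if (rdlen < 6) return -1;                 /* alg, flags, iterations, salt len, hash len */
    out->hash_alg = rd[p++];
    out->flags = rd[p++];
    out->iterations = (uint16_t)(rd[p] << 8 | rd[p + 1]); p += 2;
    out->salt_len = rd[p++];
    if (rdlen - p < out->salt_len) return -1; /* salt must fit inside the record */
    memcpy(out->salt, rd + p, out->salt_len); p += out->salt_len;
    if (rdlen - p < 1) return -1;
    out->hash_len = rd[p++];
    if (rdlen - p < out->hash_len) return -1; /* next hashed owner name must fit */
    memcpy(out->next_hashed, rd + p, out->hash_len); p += out->hash_len;
    while (p < rdlen) {                       /* Type Bit Maps, possibly empty */
        if (rdlen - p < 2) return -1;
        int window = rd[p++];
        uint8_t blen = rd[p++];
        if (window <= last_window) return -1; /* windows must be strictly ascending */
        if (blen < 1 || blen > NSEC3_MAX_BITMAP || rdlen - p < blen) return -1;
        for (uint8_t j = 0; j < blen; j++)
            for (int bit = 0; bit < 8; bit++)
                if (rd[p + j] & (0x80u >> bit)) {   /* bit 0 is the leftmost bit */
                    if (out->ntypes < 16)
                        out->types[out->ntypes] = (uint16_t)(window * 256 + j * 8 + bit);
                    out->ntypes++;
                }
        p += blen;
        last_window = window;
    }
    return 0;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t GOOD_NSEC3[] = {
    1, 0, 0x00, 0x0A, 4, 0xAA, 0xBB, 0xCC, 0xDD,              /* SHA-1, 10 iterations, 4-octet salt */
    20, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
    0, 7, 0x62, 0x01, 0x80, 0x08, 0x00, 0x02, 0x80 };        /* A NS SOA MX TXT AAAA RRSIG DNSKEY */
static const uint8_t BAD_SALT_NSEC3[]   = { 1, 0, 0, 10, 200, 0xAA, 0xBB };  /* claims 200 salt octets, 2 present */
static const uint8_t BAD_BITMAP_NSEC3[] = { 1, 0, 0, 10, 0, 4, 0xDE, 0xAD, 0xBE, 0xEF, 0, 0xFF, 0x62 }; /* Bitmap Length 255 */

int parse_and_count(const uint8_t *rd, size_t rdlen)           /* ntypes, or -1 if rejected */
{
    struct nsec3_rr r;
    return nsec3_parse_checked(rd, rdlen, &r) == 0 ? r.ntypes : -1;
}

int parsed_type_at(const uint8_t *rd, size_t rdlen, int i)     /* i-th decoded type, or -1 */
{
    struct nsec3_rr r;
    if (nsec3_parse_checked(rd, rdlen, &r) != 0 || i < 0 || i >= r.ntypes || i >= 16) return -1;
    return r.types[i];
}

int main(void)
{
    struct nsec3_rr r;
    nsec3_parse_unchecked(GOOD_NSEC3, sizeof GOOD_NSEC3, &r);  /* safe only because this record is well formed */
    printf("good record: %d types, first %d, last %d\n",
           parse_and_count(GOOD_NSEC3, sizeof GOOD_NSEC3),
           parsed_type_at(GOOD_NSEC3, sizeof GOOD_NSEC3, 0),
           parsed_type_at(GOOD_NSEC3, sizeof GOOD_NSEC3, 7));
    printf("oversized salt rejected: %d\n", parse_and_count(BAD_SALT_NSEC3, sizeof BAD_SALT_NSEC3));
    printf("bitmap length 255 rejected: %d\n", parse_and_count(BAD_BITMAP_NSEC3, sizeof BAD_BITMAP_NSEC3));
    printf("truncated record rejected: %d\n", parse_and_count(GOOD_NSEC3, 25));
    return 0;
}
```

The checked parser never runs `nsec3_parse_unchecked` on the malformed samples, because doing so is undefined behaviour by construction; the point of keeping both side by side is that every `return -1` in the hardened version marks a place where the unchecked version would have used an attacker-chosen length as a copy size or a read offset.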

“The responsible DNSAPI DLL is commonly used by the DnsCache service which runs under svchost.exe as the NT AUTHORITY\NETWORK SERVICE user, and provides the DNS caching service for the DNS client on Windows systems,” Freeman wrote. “It’s also imported by other applications for making DNS queries.”

This bug is especially risky for enterprises because the same vulnerable DNS client code runs on Windows Server installations, not just on workstations.