Posts tagged Microsoft

Microsoft February 2013 Patch Tuesday Review

0

Microsoft has release, the 12 February 2013, during his February Patch Tuesday, one updated security advisory and twelve security bulletins. On the twelve security bulletins five of them have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. Update KB2805940 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-05.

MS13-009 - Cumulative Security Update for Internet Explorer

MS13-009 security update, classified as Critical, allowing remote code execution, is the fix for 13 reported vulnerabilities. CVE-2013-0015 (4.3 CVSS base score) was discovered and reported by Masato Kinugawa. CVE-2013-0018 (9.3 CVSS base score) and CVE-2013-0022 (9.3 CVSS base score) were discovered and privately reported by OmairCVE-2013-0019 (9.3 CVSS base score) was discovered and privately reported by SkyLined, working with HP’s Zero Day InitiativeCVE-2013-0020 (9.3 CVSS base score) was discovered and privately reported by Arthur Gerkis, working with the Exodus Intelligence, and by Stephen Fewer of Harmony SecurityCVE-2013-0021 (9.3 CVSS base score) was discovered and privately reported by Tencent PC Manager. CVE-2013-0023 (9.3 CVSS base score) was discovered and privately reported by Arthur Gerkis, working with HP’s Zero Day InitiativeCVE-2013-0024 (9.3 CVSS base score) was discovered and privately reported by an anonymous researcher, working with HP’s Zero Day InitiativeCVE-2013-0025 (9.3 CVSS base score) and CVE-2013-0028 (9.3 CVSS base score) were discovered and privately reported by Scott Bell of Security-Assessment.comCVE-2013-0026 (9.3 CVSS base score) was discovered and privately reported by  Jose A Vazquez of Yenteasy Security Research, working with the Exodus Intelligence. CVE-2013-0027 (9.3 CVSS base score) was discovered and privately reported by Mark Yason of IBM X-Force. CVE-2013-0029 (9.3 CVSS base score) was discovered and privately reported by Stephen Fewer of Harmony Security and Aniway.Aniway@gmail.com, working with HP’s Zero Day Initiative.

MS13-010 - Vulnerability in Vector Markup Language Could Allow Remote Code Execution

MS13-010 security update, classified as Critical, allowing remote code execution, is the fix for one privately reported vulnerability. CVE-2013-0030 (9.3 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-011 - Vulnerability in Media Decompression Could Allow Remote Code Execution

MS13-011 security update, classified as Critical, allowing remote code execution, is the fix for one publicly reported vulnerability. CVE-2013-0077 (9.3 CVSS base score) was discovered and reported by Tencent Security Team.

MS13-012 - Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution

MS13-012 security update, classified as Critical, allowing remote code execution, is the fix for two publicly reported vulnerability linked to Oracle Outside In vulnerabilities fixed during January 2013 Critical Patch Update. These vulnerabilities are CVE-2013-0418 (6.8 CVSS base score) and CVE-2013-0393 (6.8 CVSS base score).

MS13-020 - Vulnerability in OLE Automation Could Allow Remote Code Execution

MS13-020 security update, classified as Critical, allowing remote code execution, is the fix for one publicly reported vulnerability. CVE-2013-1313 (9.3 CVSS base score) was discovered and reported by an anonymous researcher, working with HP’s Zero Day Initiative.

MS13-013 - Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

MS13-013 security update, classified as Important, allowing remote code execution, is the fix for two publicly reported vulnerability linked to Oracle Outside In vulnerabilities fixed during January 2013 Critical Patch Update. These vulnerabilities are CVE-2012-3214 (2.1 CVSS base score) and CVE-2012-3217 (2.1 CVSS base score).

MS13-014 - Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

MS13-014 security update, classified as Important, allowing denial of service, is the fix for one privately reported vulnerability. CVE-2013-1281 (7.1 CVSS base score) was discovered and privately reported by an anonymous researcher.

MS13-015 - Vulnerability in .NET Framework Could Allow Elevation of Privilege

MS13-015 security update, classified as Important, allowing elevation of privileges, is the fix for one privately reported vulnerability. CVE-2013-0073 (10.0 CVSS base score) was discovered and privately reported by James Forshaw of Context Information Security.

MS13-016 - Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

MS13-016 security update, classified as Important, allowing elevation of privileges, is the fix for 30 privately reported vulnerability. CVE-2013-1248 (4.9 CVSS base score) and CVE-2013-1249 (4.9 CVSS base score) were discovered and privately reported by Mateusz “j00ru” Jurczyk of Google Inc, and Tencent Security Team. CVE-2013-1251 (4.9 CVSS base score), CVE-2013-1252 (4.9 CVSS base score) and CVE-2013-1253 (4.9 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1250 (4.9 CVSS base score), CVE-2013-1254 (4.9 CVSS base score), CVE-2013-1255 (4.9 CVSS base score), CVE-2013-1256 (4.9 CVSS base score), CVE-2013-1257 (4.9 CVSS base score), CVE-2013-1258 (4.9 CVSS base score), CVE-2013-1259 (4.9 CVSS base score), CVE-2013-1260 (4.9 CVSS base score), CVE-2013-1261 (4.9 CVSS base score), CVE-2013-1262 (4.9 CVSS base score), CVE-2013-1263 (4.9 CVSS base score), CVE-2013-1264 (4.9 CVSS base score), CVE-2013-1265 (4.9 CVSS base score), CVE-2013-1266 (4.9 CVSS base score), CVE-2013-1267 (4.9 CVSS base score), CVE-2013-1268 (4.9 CVSS base score), CVE-2013-1269 (4.9 CVSS base score), CVE-2013-1270 (4.9 CVSS base score), CVE-2013-1271 (4.9 CVSS base score), CVE-2013-1272 (4.9 CVSS base score), CVE-2013-1273 (4.9 CVSS base score), CVE-2013-1274 (4.9 CVSS base score), CVE-2013-1275 (4.9 CVSS base score), CVE-2013-1276 (4.9 CVSS base score) and CVE-2013-1277 (4.9 CVSS base score) were discovered and privately reported by Mateusz “j00ru” Jurczyk of Google Inc.

MS13-017 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

MS13-017 security update, classified as Important, allowing elevation of privileges, is the fix for three privately reported vulnerability. CVE-2013-1278 (7.2 CVSS base score) and CVE-2013-1279 (7.2 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1280 (7.2 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-018 - Vulnerability in TCP/IP Could Allow Denial of Service

MS13-018 security update, classified as Important, allowing denial of service, is the fix for a privately reported vulnerability. CVE-2013-0075 (7.1 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-019 - Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege

MS13-019 security update, classified as Important, allowing elevation of privileges, is the fix for a publicly reported vulnerability. CVE-2013-0076 (7.2 CVSS base score) was discovered and privately reported by Max DeLiso.

Reporters Without Borders Victim of Watering Hole Campaign

4

As mentioned by Jindrich on Twitter, it seems that the entity or entities behind the watering hole attacks don’t care to be caught or detected and it also seems that they don’t care if the Internet Explorer and Java vulnerability are patched. They act as the opportunists and try to take advantage from the timeframe between the patch release and the patch application of some users, companies and non-governmental organizations.

Last week me and Jindrich Kubec reported on watering hole attacks against multiple high value web sites, including as example major Hong Kong political parties. These websites used the latest Internet Explorer (CVE-2012-4792) vulnerability, patched in MS13-008, but also the latest Java (CVE-2013-0422) vulnerability, patched in Oracle Java 7 Update 11.

It seems that one week later, Reporters Without Borders, a French-based international non-governmental organization that advocates freedom of the press and freedom of information, is the new web site used for the watering hole campaign. Such an organization is an ideal target for watering hole campaign, as it seems right now the miscreants concentrate only on human rights/political sites – many Tibetian, some Uygur, and some political parties in Hong Kong and Taiwan which are the latest hits in this operation. In our opinion the finger could be safely pointed to China (again).

Like for the Hong Kong political party, the english version of RWB was doing a javascript inclusion to “hxxp://en.rsf.org/local/cache-js/m.js“.

rsf-en-m.js-file

rsf-en-traffic

The “m.js” file creates a cookie “Somethingbbbbb” with one day expiration date. The cookie name could be linked to the Hong Kong political party “m.js” cookie name which was “Somethingeeee“. This kind of cookies was already used two years ago in similar attacks with different exploits.

If Internet Explorer 8 is used an iframe is loaded from”hxxp://newsite.acmetoy.com/m/d/pdf.html” file. Otherwise two iframes will load “hxxp://98.129.194.210/CFIDE/debug/includes/java.html“ and “hxxp://newsite.acmetoy.com/m/d/javapdf.html“.

newsite.acmetoy.com analysis

newsite.acmetoy.com” web site is hosting the following CVE-2012-4792 related files:

  • pdf.html” (ffe715a312a488daf3310712366a5024) : Traditional “DOITYOUR” obfuscated Javascript file which attempts to exploit the latest Internet Explorer vulnerability, CVE-2012-4792.
  • logo1229.swf” (da0287b9ebe79bee42685510ac94dc4f) : Traditional “DOITYOUR” variant of “today.swf“.
  • DOITYOUR02.html” (cf394f4619db14d335dde12ca9657656) : Traditional “DOITYOUR” variant of “news.html“.
  • DOITYOUR01.txt” (a1f6e988cfaa4d7a910183570cde0dc0) : Traditional “DOITYOUR” variant of “robots.txt“.

newsite.acmetoy.com” web site is also hosting the following Java vulnerabilities related files:

  • javapdf.html” (b32bf36160c7a3cc5bc765672f7d6f2c) : Javascript file for CVE-2013-0422 or CVE-2011-3544 exploitation.
  • AppletHigh.jar” (f02ffa2b293ff370d0ea3499d0ade9bd) : CVE-2013-0422 exploit.
  • AppletLow.jar” (1da8f77dde43f55585896eddaff43896) : CVE-2011-3544 exploit.

98.129.194.210 analysis

98.129.194.210” web site is hosting the following Java vulnerabilities related files, as you can see, they’re completely same as the above and most probably serve only as a backup server in case of takedown.

  • java.html” (b32bf36160c7a3cc5bc765672f7d6f2c) : Javascript file for CVE-2013-0422 or CVE-2011-3544 exploitation.
  • AppletHigh.jar” (f02ffa2b293ff370d0ea3499d0ade9bd) : CVE-2013-0422 exploit.
  • AppletLow.jar” (1da8f77dde43f55585896eddaff43896) : CVE-2011-3544 exploit.

These binaries were dropped by the exploits :

  • 686D0E4FAEE4B0EF93A8B9550BD544BF334A6D9B495EC7BE9E28A0F681F5495C, which is remote access tool (RAT) programmed to contact “luckmevnc.myvnc.com” (112.140.186.252, Singapore) or “luckmegame.servegame.com” (currently parked).
  • A14CCC5922EFC6C7CEC1BB58C607381C99967ED4B7602B7427B081209AAF1656 is an interesting injector which downloads something which pretends to be an error webpage, decodes its content which is in fact position independent code which is later injected to another process. This is also RAT, contacting “d.wt.ikwb.com” (58.64.179.139, Hong Kong).

We’ve contacted RSF webmaster and the code should be already removed. Avast and other anti-virus product users are protected on multiple levels against this threat, also updating to latest versions of the vulnerable software packages is a must. Or getting rid of them, as most users can safely replace MSIE with another browser and completely uninstalling Java, reducing the attack surface.

Watering Hole Campaign Use Latest Java and IE Vulnerabilities

8

Through a collaboration with (Jindrich Kubec (@Jindroush), Director of Threat Intelligence at avast! / Eric Romang (@eromang), independent security researcher), we can confirm that the watering hole campaigns are still ongoing, targeting multiple web high value web sites, including as example a major Hong Kong political party. We can also confirm that a second major Hong Kong political party is victim of this watering hole campaign.

This website is actually using the new version of the original Internet Explorer (CVE-2012-4792) vulnerability attack, patched in MS13-008, but right now it’s also using the latest Java (CVE-2013-0422) vulnerability, patched in Oracle Java 7 Update 11.

We will provide you further details on the affected web sites after their cleaning.

Chinese language version of the targeted web site is doing a remote javascript inclusion to “hxxp://www.[REDACTED].org/board/data/m/m.js“.

malicious-javascript-inclusion

This website is a legitimate compromised website used for hosting the exploit files, hosted in South Korea.

This include file uses the well-known “deployJava” function, aka “deployJava.js“, and creates a cookie “Somethingeeee” with one day expiration date. This cookie is quite strange and it’s also possible to find it in years old exploits, which suggests this is only a part of greater, long-going operation.

mt.html-file-2

If Internet Explorer 8 is used , an iframe is load from”hxxp://www.[REDACTED].org/board/data/m/mt.html” file. Otherwise and if Oracle Java is detected, an iframe will load “hxxp://www.[REDACTED].org/board/data/m/javamt.html“.

Analysis of “mt.html

mt.html” (d85e34827980b13c9244cbcab13b35ea) file is an obfuscated Javascript file which attempts to exploit the latest Internet Explorer vulnerability, CVE-2012-4792, fixed in MS13-008 and provided by Microsoft Monday morning.

https://www.virustotal.com/file/58588ce6d0a1e042450946b03fa4cd92ac1b4246cb6879a7f50a0aab2a84086a/analysis/ (avast detects this code as JS:Bogidow-A [Expl] through Script Shield component).

Comparing to the original CFR and Capstone Turbine versions, this code is not targeting certain browser supported language, but the code is based on the version used on CFR with “boy” and “girl” patterns.

Traditional “today.swf” has been replaced with “logo1229.swf” (da0287b9ebe79bee42685510ac94dc4f), “news.html” has been replaced with “DOITYOUR02.html” (cf394f4619db14d335dde12ca9657656) and “robots.txt” has been replaced with “DOITYOUR01.txt” (a1f6e988cfaa4d7a910183570cde0dc0). The traditional dropper “xsainfo.jpg” is now embedded in the “mt.html” file and obfuscated in the Javascript.

The executable file can be extracted from the string by cutting of first 13 characters, converting hex chars to binary and xoring the whole binary blob with 0xBF. Resulting file with SHA256 CE6C5D2DCF5E9BDECBF15E95943F4FFA845F8F07ED2D10FD6E544F30A9353AD2 is RAT which is communicating with a domain hosted in Hong Kong by New World Telecom.

Analysis of “javamt.html

javamt.html” (b32bf36160c7a3cc5bc765672f7d6f2c) is checking if Oracle Java 7 is present, if yes latest Java vulnerability, CVE-2013-0422, will be executed through “AppletHigh.jar” (521eab796271254793280746dbfd9951). If Oracle Java 6 is present, “AppletLow.jar” (2062203f0ecdaf60df34b5bdfd8eacdc) will exploit CVE-2011-3544. Both these applets contain the very same binary mentioned above (unencrypted).

javamt.html-file

Conclusion

As you see, the watering hole campaign still continues, but has evolved in form but also by using the latest Oracle Java vulnerability. There is just one advise: patch, patch, patch… and see you soon.

MS13-008 Patch Internet Explorer CVE-2012-4792 0day Vulnerability

0

As announced yesterday, in an advanced notification, Microsoft has release an out-of-band patch MS13-008 to fix the an Internet Explorer 0day , CVE-2012-4792, discovered exploited in targeted attacks against different organizations like Council on Foreign Relations (CFR.org), a foreign policy web group.

This vulnerability was acknowledged by Microsoft, in MSA-2794220, the 30 December, but was exploited in targeted attacks since minimum beginning December. Two weeks after the acknowledge, the patch is out and will fix this vulnerability in Internet Explorer 6, 7 and 8. So just, patch, patch, patch until the next Internet Explorer 0day found exploited in targeted attacks… See you in two or three months.

Go to Top