

35 Posts tagged with the microsoft tag

Patch Tuesday April 2014

Posted by dneuman Apr 8, 2014

Hello Everyone,

 

For April’s edition of Patch Tuesday, we are presenting the final patches for the beloved Windows XP. If you are still running Windows XP systems in your environment, we highly recommend speaking with your McAfee sales team about Application Control, which can protect your EOL systems against an unpatched vulnerability. In addition to XP, Microsoft has also ended support for Exchange 2003 and Office 2003. Turning to today’s updates, Microsoft has officially released 4 patches addressing 11 individual vulnerabilities.

 

Of the four releases, Microsoft identifies two as “critical.” The remaining patches are labeled “important” by Microsoft. This month’s patches are as follows:

 

  • MS14-017 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)
  • MS14-018 Cumulative Security Update for Internet Explorer (2950467)
  • MS14-019 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)
  • MS14-020 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)
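
A practical way to act on a bulletin list like this one is to audit each host’s installed hotfixes against it and surface the critical bulletins first. The script below is an added example, not McAfee’s or Microsoft’s code. It parses constructed `wmic qfe get HotFixID` style output and reports which of the four April bulletins are not applied. One caveat a practitioner should keep in mind: the KB number in each bulletin title is the bulletin article, and bulletins such as MS14-017 and MS14-018 ship several product-specific update packages with their own KB numbers, so the bulletin-to-KB mapping in the script is a labelled placeholder to be replaced with the per-product KBs from each bulletin.

```python
"""Audit installed Windows hotfixes against the April 2014 bulletin list.

Added example, not McAfee's or Microsoft's code. The sample hotfix output
and the bulletin-to-KB mapping are constructed for illustration.
"""
import re
from typing import Dict, List, Set

# Bulletins and severities from the April 2014 post.
# PLACEHOLDER MAPPING: the KB shown is the bulletin article number from the
# title; replace each set with the product-specific update KBs listed in the
# bulletin itself before using this against real hosts.
BULLETINS: Dict[str, dict] = {
    "MS14-017": {"severity": "critical", "kbs": {"2949660"}},
    "MS14-018": {"severity": "critical", "kbs": {"2950467"}},
    "MS14-019": {"severity": "important", "kbs": {"2922229"}},
    "MS14-020": {"severity": "important", "kbs": {"2950145"}},
}

SEVERITY_RANK = {"critical": 0, "important": 1}

# Matches one "KBnnnnnn" line as printed by `wmic qfe get HotFixID`.
KB_RE = re.compile(r"^\s*KB(\d+)\s*$", re.IGNORECASE)


def parse_qfe_output(text: str) -> Set[str]:
    """Extract KB numbers from hotfix listing output.

    Non-KB lines (the HotFixID header, blanks, legacy 'File 1' entries) are
    ignored rather than treated as errors.
    """
    installed: Set[str] = set()
    for line in text.splitlines():
        m = KB_RE.match(line)
        if m:
            installed.add(m.group(1))
    return installed


def missing_bulletins(installed_kbs: Set[str], bulletins=BULLETINS) -> List[str]:
    """Return bulletins with none of their update KBs installed, critical first.

    A bulletin counts as applied when at least one of its KBs is present.
    """
    missing = [b for b, info in bulletins.items() if not (info["kbs"] & installed_kbs)]
    return sorted(missing, key=lambda b: (SEVERITY_RANK[bulletins[b]["severity"]], b))


# Constructed sample output: two of the four April bulletins are present,
# plus one unrelated (made-up) hotfix and a legacy 'File 1' entry.
SAMPLE_QFE_OUTPUT = """HotFixID
KB2922229
KB2949660
KB1234567
File 1
"""

if __name__ == "__main__":
    installed = parse_qfe_output(SAMPLE_QFE_OUTPUT)
    for bulletin in missing_bulletins(installed):
        print(f"{bulletin} ({BULLETINS[bulletin]['severity']}) not applied")
```

Run against the constructed sample, the report lists MS14-018 (critical) ahead of MS14-020 (important); with all four KBs present it lists nothing.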

Looking over the patches, I would like to highlight the following two critical updates:

 

MS14-017

(CVE-2014-1757, CVE-2014-1758, CVE-2014-1761)

The first update I would like to highlight is one of the critical patches, affecting multiple versions of Microsoft Word in the Office suite. This update resolves three CVEs found in all supported versions of Microsoft Office, including 2003-2013, 2013 RT, and Office 2011 for Mac. Of the three CVEs, one has been publicly disclosed and exploited in the wild. That vulnerability lies in the RTF (Rich Text Format) parser. With a properly crafted RTF document, an adversary may execute code remotely, allowing them to install programs; copy, delete, and move data; or create new accounts for future access. This is undoubtedly an important update, and immediate patching should be priority number one on all systems running any version of Office, including Macs and Windows tablets.

 

MS14-018

(CVE-2014-0235, CVE-2014-1751, CVE-2014-1752, CVE-2014-1753, CVE-2014-1755, CVE-2014-1760)

The second critical patch addresses vulnerabilities in multiple versions of Internet Explorer. This update resolves six CVEs in Internet Explorer versions 6-11. All six are memory corruption vulnerabilities in IE. With a properly crafted website or phishing email, an adversary may obtain complete remote access with the same privileges as the currently logged-on user. Immediate patching should be priority number one on all systems running IE 6-11.

 

Aggregate coverage (combining host- and network-based countermeasures together) is 10 out of 11. McAfee Vulnerability Manager has the ability to scan and detect all 11 vulnerabilities. Specifically, the two most critical bulletins (MS14-017 and MS14-018) are covered by the following McAfee endpoint security software and McAfee Enterprise Firewall:

  • BOP (Buffer Overflow Protection w/ VSE)
  • HIPS
  • NSP
  • App Control
  • MVM

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or in listening to AudioParasitics, the official McAfee Labs podcast.

 

Finally, in case you’re interested, these briefings are archived on the McAfee Community site and newly archived here.

 

For additional useful “security” information, please make note of the following links:

 

McAfee Labs Security Advisory

McAfee Security Content Release Notes

McAfee SNS archives

You can also review a Microsoft Summary for April at the Microsoft site.

 

Happy patching!


Hello Everyone,

 

Welcome to another round of patches released by Microsoft. This is probably one of the most important Patch Tuesdays we have seen in a while, with Microsoft releasing seven patches that address 34 individual vulnerabilities. Of the seven patches released, six are identified by Microsoft as “critical.” The remaining patch is labeled “important” by Microsoft. This month’s patches are as follows:

 

  • MS13-052 Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)
  • MS13-053 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)
  • MS13-054 Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)
  • MS13-055 Cumulative Security Update for Internet Explorer (2846071)
  • MS13-056 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)
  • MS13-057 Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)
  • MS13-058 Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927)

Looking over the patches I would like to highlight the following three:

 

MS13-053

This update consists of patches for eight critical vulnerabilities found in all currently supported desktop, tablet, and server versions of Windows. The security update addresses these vulnerabilities by correcting the way Windows handles specially crafted TrueType Font (TTF) files and by correcting the way that Windows handles objects in memory. At this time, Microsoft claims CVE-2013-3172 and CVE-2013-3660 have been publicly disclosed while the other six were privately reported.  There is no doubt that this is the most important patch of the month in Microsoft’s listing.

 

MS13-052

The second highlighted patch is also critical, not only for all currently supported Microsoft OSes running .NET but also for Macs and PCs running MS Silverlight. The vulnerability found in MS Silverlight is extremely critical to subscribers of on-demand video services (Netflix) that use Silverlight on both Windows and Mac OSes. The vulnerability (CVE-2013-3129) is a font parsing issue that affects the font implementations in both of these programs, which, for architectural reasons, are separate from those of the Windows and Mac OSes.

 

MS13-055

The final highlighted bulletin addresses 17 privately reported vulnerabilities in Internet Explorer (IE), affecting currently supported versions from IE 6 to IE 10. I believe this bulletin should be highlighted because the patch fixes multiple vulnerabilities that can result in remote code execution from a web browser (browse and own). Though these 17 vulnerabilities have not yet been exploited, it would be easy for an adversary to set up a malicious web page to take advantage of them.

A look at McAfee’s coverage for this month’s vulnerabilities:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 18 out of 34 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 19 out of 34 vulnerabilities this month.
  • McAfee Application Control is expected to provide protection against exploits of 21 out of 34 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 9 out of 34 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Aggregate coverage (combining host- and network-based countermeasures together) is 22 out of 34. Additional research is being performed by McAfee Labs, and coverage may improve as supplemental results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

Finally, in case you’re interested, these briefings are archived on the McAfee Community site.

 

Happy patching!


This week brings us the latest round of security bulletins from Microsoft.  Today, Microsoft released 10 patches, addressing 33 individual vulnerabilities.  Only two of the patches are identified by Microsoft as critical, both addressing issues in Internet Explorer.  One of these is a zero-day vuln that has been actively exploited in the wild over the last couple of weeks, and deserves some immediate attention.  This month’s patches include the following:

 

  • (MS13-037) Cumulative Security Update for Internet Explorer (2829530)
  • (MS13-038) Security Update for Internet Explorer (2847204)
  • (MS13-039) Vulnerability in HTTP.sys Could Allow Denial of Service (2829254)
  • (MS13-040) Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)
  • (MS13-041) Vulnerability in Lync Could Allow Remote Code Execution (2834695)
  • (MS13-042) Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution
  • (MS13-043) Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
  • (MS13-044) Vulnerability in Visio Could Allow Information Disclosure
  • (MS13-045) Vulnerability in Windows Essentials Could Allow Information Disclosure
  • (MS13-046) Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege

 

Both IE patches are labeled as critical. MS13-037 addresses 11 new vulns in various flavors of IE, but by far the more sensitive one is MS13-038, which addresses a single zero-day vulnerability in IE 8. This vulnerability first surfaced on May 3rd, when it became clear that it was being used to push drive-by-download malware from a hacked US Department of Labor microsite. Days after the initial disclosure, an exploit for this vulnerability was packaged into an easy-to-use module for the popular Metasploit framework. This neatly weaponizes the exploit, and makes it easily accessible to anyone with the inclination to download it. From here it’s only a matter of time before the attack is rolled into the common black market exploit kits. When that happens, it becomes a common part of every attacker’s bag-of-tricks for the foreseeable future.

 

This threat gives us a good window into how McAfee provides layered protection for our customers, from the endpoint out to the network perimeter.  Subscribers to McAfee Labs Security Advisories would have seen a steady stream of information coming from our threat researchers describing the threat, and how our products provide protection:

 

  • On May 6th McAfee Labs released vulnerability check content to allow MVM customers to identify vulnerable systems across the enterprise.
  • On May 6th McAfee Labs released a new Network Security Platform IPS signature to identify and block exploits of this vulnerability.
  • On May 7th McAfee Labs verified that existing behavioral and application whitelisting techniques included in McAfee VirusScan, McAfee Host Intrusion Prevention, and McAfee Application Control provide protection from exploits on the endpoint.
  • On May 12th McAfee Labs released specific signatures designed to detect and block known exploits in McAfee VirusScan and McAfee Web Gateway.

 

In summary, customers running the current McAfee Endpoint Protection suite on their endpoints enjoyed protection from this exploit from the moment it surfaced.  As the details of the vulnerability and exploits emerged, additional signatures provided customers with greater visibility and awareness of how their networks are being attacked, as well as additional options for protection at the network layer.  This is how security should work, demonstrating great resilience as well as deep situational awareness.

 

McAfee’s coverage for this month’s vulnerabilities is as follows:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 13 out of 33 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 24 out of 33 vulnerabilities this month.
  • McAfee Application Control is expected to provide protection against exploits of 22 out of 33 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 7 out of 33 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Aggregate coverage (combining host- and network-based countermeasures together) is 26 out of 33. In particular, coverage for the most critical IE vulns is excellent across the board. Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

Happy patching!

 

Scott


Hi all,

 

Now that Daylight Saving Time is behind us here in the US, we’ve got an extra hour of daylight to ensure our systems are protected against the latest batch of vulnerabilities disclosed by Microsoft. Today Microsoft released 7 patches addressing a total of 20 new vulnerabilities. This month’s Microsoft patches include:

 

  • (MS13-021) Cumulative Security Update for Internet Explorer (2809289)
  • (MS13-022) Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)
  • (MS13-023) Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2801261)
  • (MS13-024) Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2780176)
  • (MS13-025) Vulnerability in Microsoft OneNote Could Allow Information Disclosure (2816264)
  • (MS13-026) Vulnerability in Office Outlook for Mac Could Allow Information Disclosure (2813682)
  • (MS13-027) Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2807986)

 

The patches are fairly heavily weighted toward desktop applications this month, with only a single server-focused patch addressing a collection of issues in SharePoint (MS13-024).

 

Most immediately threatening is a typical roll-up patch for Internet Explorer (MS13-021). It addresses 9 distinct “use after free” vulnerabilities, any of which allows an attacker to execute code in the context of the logged-on user if they can lure the user to a malicious web page. One of these vulns has been disclosed publicly, but none of them are known to have been leveraged in any actual attacks in the wild.

 

Also interesting are 3 kernel vulnerabilities in the Windows USB drivers.  With these vulns, an attacker who inserts (or convinces a user to insert) a USB stick into a vulnerable system can automatically run code of their choice in kernel mode without further user interaction, even if there is no user logged on.  Insert stick/pwn box.  While the requirement for physical access might seem to be a high bar for an attacker to meet, this attack vector is ripe for targeted social engineering attacks.  If someone sent me a USB stick in the mail, with the label “Star Wars Episode VII – Draft Script”, I’d load that thing up at point five past lightspeed, no questions asked.  Also remember that there are often plenty of people who have casual access to our workstations (custodial staff, disgruntled co-workers), and a screen lock is no defense against this particular attack vector. 

 

McAfee’s coverage for this month’s vulnerabilities is as follows:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 9 out of 20 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 11 out of 20 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 8 out of 20 vulnerabilities this month.
  • McAfee Application Control is expected to provide protection against exploits of 11 out of 20 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Aggregate coverage (combining host- and network-based countermeasures together) is 12 out of 20. Coverage is particularly good for the 9 IE code execution vulns, with broad coverage across all countermeasures.

 

Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

Happy patching!

 

Scott


When it rains, it pours.  Today MS released 12 patches, addressing a staggering 57 separate vulnerabilities.  This marks the most individual vulnerabilities addressed by MS in a single month since April 2011.  This month’s security bulletins include the following:

 

  • (MS13-009) Cumulative Security Update for Internet Explorer (2792100)
  • (MS13-010) Vulnerability in Vector Markup Language Could Allow Remote Code Execution (2797052)
  • (MS13-011) Vulnerability in Media Decompression Could Allow Remote Code Execution (2780091)
  • (MS13-012) Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2809279)
  • (MS13-013) Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (2784242)
  • (MS13-014) Vulnerability in NFS Server Could Allow Denial of Service (2790978)
  • (MS13-015) Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277)
  • (MS13-016) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2778344)
  • (MS13-017) Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2799494)
  • (MS13-018) Vulnerability in TCP/IP Could Allow Denial of Service (2790655)
  • (MS13-019) Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2790113)
  • (MS13-020) Vulnerability in OLE Automation Could Allow Remote Code Execution (2802968)

 

The bulk of this month’s vulns come from just two individual patches. MS13-009 addresses 13 separate vulnerabilities in Internet Explorer, several of which allow an attacker to achieve remote code execution if they can lure a victim to a malicious web page. MS13-016 fixes 30 instances of an Elevation of Privilege vulnerability in the Windows kernel; this is really the same vuln present in 30 different places, resulting in a somewhat inflated count. Factor out these 2 patches, and you have a fairly mundane month.

 

In total, 5 of the 12 patches released today address some sort of remote code execution (MS13-009, -010, -011, -012, and -020), and are listed as critical. The remaining ones address Denial of Service and Elevation of Privilege vulnerabilities, and are reported by Microsoft as Important. Of these critical vulns, one has been exploited in limited, targeted attacks (MS13-010).

 

While this represents a fairly heavy workload, it only tells a part of the story that enterprises face every day.  The last few weeks have brought a notable onslaught of new vulnerabilities and public attacks.  Here’s a brief snapshot of the most critical events since last Patch Tuesday:

 

  • Jan 10: 0-day exploits in Java gain broad attention.
  • Jan 13: Oracle releases Java patch.
  • Jan 14: MS releases out-of-cycle patch to IE, to address ongoing targeted attacks.
  • Jan 16: Oracle releases numerous patches to a variety of products, addressing a total of 86 vulns.
  • Jan 18: Red October attacks disclosed, hitting numerous governments and critical infrastructure providers.
  • Jan 31: Chinese hacks of multiple news outlets disclosed, including NY Times, Wall Street Journal, Washington Post.
  • Feb 1: Oracle releases another Java patch, addressing 50 separate vulnerabilities.
  • Feb 2: Twitter discloses that 250,000 Twitter account details have leaked.
  • Feb 5: Federal Reserve admits they have been hacked by Anonymous, in retribution for the death of Internet activist Aaron Swartz.
  • Feb 7: Adobe releases surprise patch to address 0-day exploits in Flash.
  • Feb 12: Adobe releases patches to address 17 more vulns in Flash and 2 in Shockwave Player.
  • Feb 12: Oracle announces another Java patch will be forthcoming on Feb 19th.

 

And so it goes. If it seems like threats are escalating, you’re not imagining things. In late January, Mitre (the organization that administers the CVE registry, the standard tool used to name and label vulnerabilities) announced that they would be expanding the CVE format. Today’s format supports naming “only” up to 9,999 new vulnerabilities each year (we saw 5,289 in 2012), and Mitre anticipates running out of space in the near future.
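
The CVE naming change mentioned above, as an added example that is not part of the original post: a small Python validator that accepts identifiers under both the legacy fixed four-digit syntax and the expanded variable-length syntax Mitre announced (four or more digits, no upper bound), and makes explicit where the 9,999-per-year ceiling comes from. Anything that parses CVE identifiers with a hard-coded four-digit pattern silently rejects IDs like CVE-2014-12345, which is the breakage the format change introduces for tooling. Rejecting expanded-format IDs that pad beyond four digits with leading zeros is a normalization choice of this example.

```python
"""Validate and canonicalize CVE identifiers under the legacy and expanded syntax.

Added example; not Mitre's code.
  legacy:   CVE-YYYY-NNNN      exactly four digits, so at most 9,999 ids per year
  expanded: CVE-YYYY-NNNN...   four or more digits, no upper bound
"""
import re
from typing import NamedTuple, Optional

LEGACY_RE = re.compile(r"^CVE-(\d{4})-(\d{4})$")
EXPANDED_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# The ceiling the post refers to: four decimal digits, with 0000 unused.
LEGACY_MAX_PER_YEAR = 9_999


class CveId(NamedTuple):
    year: int
    sequence: int


def parse_cve(text: str, legacy: bool = False) -> Optional[CveId]:
    """Return (year, sequence) for a well-formed id, or None.

    With legacy=True only the fixed four-digit form is accepted, which is how
    a parser written before the change behaves on the new longer ids.
    """
    pattern = LEGACY_RE if legacy else EXPANDED_RE
    m = pattern.match(text.strip().upper())
    if not m:
        return None
    digits = m.group(2)
    # Normalization choice of this example: the sequence is zero-padded only
    # up to four digits, so a five-or-more digit field must not start with 0.
    if len(digits) > 4 and digits.startswith("0"):
        return None
    return CveId(int(m.group(1)), int(digits))


def format_cve(year: int, sequence: int) -> str:
    """Canonical spelling under the expanded syntax (a superset of legacy).

    Pads to four digits and otherwise prints the number as-is, so legacy ids
    round-trip unchanged and larger sequences get as many digits as needed.
    """
    if sequence < 1:
        raise ValueError("CVE sequence numbers start at 1")
    return f"CVE-{year}-{sequence:04d}"


def fits_legacy_format(sequence: int) -> bool:
    """True if this sequence number could be expressed in the old syntax."""
    return 1 <= sequence <= LEGACY_MAX_PER_YEAR


if __name__ == "__main__":
    # Ids taken from the bulletins discussed on this page, plus a constructed
    # five-digit id that only the expanded syntax can express.
    for sample in ("CVE-2013-3129", "CVE-2014-0235", "CVE-2014-12345"):
        print(sample, "legacy:", parse_cve(sample, legacy=True),
              "expanded:", parse_cve(sample))
```

Note that `format_cve` is the same function for both syntaxes: the expanded format was designed so that every legacy identifier keeps its spelling, which is why a fixed `\d{4}` pattern is the only thing that needs to change in existing tooling.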

 

No one can be expected to react to this incredible rate of change as it comes. The only strategy with a real chance of success is a proactive stance, based on overlapping, complementary layers of security wrapped in a cohesive management framework. Now is the time to be talking to your most trusted security partners about how they can help you build a robust platform to address this escalating threat landscape.

 

As for McAfee’s coverage of this month’s vulns, there’s a lot of good news. Factoring out MS13-016 (no specific coverage for this collection of 30 identical privilege escalation vulns), McAfee’s confirmed coverage for this month’s vulns is as follows:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 16 out of 27 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 20 out of 27 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 13 out of 27 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Aggregate coverage (combining host- and network-based countermeasures together) is 20 out of 27. Coverage is excellent for all of the critical vulnerabilities: 100% of the vulns that support RCE. Without going into the full details, coverage is very good for the various Java and Adobe vulnerabilities that have been patched over the last month as well. Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or in listening to AudioParasitics, the official McAfee Labs podcast.

 

Happy patching!

 

Scott


A quick update to last week’s Patch Tuesday briefing.  Today, MS released a rare out-of-cycle patch to address a critical issue in Internet Explorer, which I discussed in my write-up last week. This patch (I dub thee MS13-008) affects IE 6, 7, and 8.  This is a critical one to address; public exploits to date have targeted government employees and contractors, but this genie is out of the bottle, and broader use is inevitable. 

 

While we’re on the topic of critical patches and the miscreants who love them, there’s another one worth talking about. Yesterday, Oracle released a critical patch to Java, which has also been exploited in the wild. The cross-platform nature of Java ensures that this vulnerability affects a wide range of browsers and operating systems, making it a profitable attack vector. The icing on the cake here is that this vulnerability appears to have been baked into a range of crimeware kits, including Blackhole, Cool Exploit Kit, Nuclear Pack, and RedKit, in addition to Metasploit. This is being actively used in attacks all over the globe, and has been for at least the last 1-2 weeks. McAfee Labs has a good analysis of the ongoing attacks.

 

Calls are going out for users to change their browser, uninstall Java, eliminate enterprise applications that require Java, roll out emergency patches, and otherwise take drastic and labor intensive actions to reduce their exposure to these threats.  But that’s a shell game.  Software is written by humans, it all has flaws, and it always will.  There are better ways to deal with these threats. 

 

I’ve attached the McAfee Labs security advisory covering these 2 vulnerabilities.  The advisories show that technologies like McAfee Application Control, Host Intrusion Prevention, and VirusScan Buffer Overflow Protection are all effective in blocking both of these exploits.  McAfee Network Security Platform released updated signatures on Jan 1 effective against the IE vuln, and the Java vuln is under investigation.  These technologies allow organizations to take critical vulns in stride, and to avoid costly, knee-jerk reactions.  McAfee’s Rees Johnson said it well in a recent blog post: relying on anti-virus only will cost you more and make you less secure.

 

Be safe,

 

Scott


Hello all!

 

Happy New Year! Today was the first Patch Tuesday of 2013, and Microsoft released 7 patches addressing 12 new vulnerabilities. Two of the patches are identified as Critical by Microsoft, addressing Remote Code Execution (RCE) issues in the Print Spooler and MS XML Core Services. The remaining 5 bulletins are labeled as Important, and none has been disclosed or exploited in the wild prior to today’s announcement. This month’s patches are as follows:

 

  • (MS13-001) Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution (2769369)
  • (MS13-002) Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (2756145)
  • (MS13-003) Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege (2748552)
  • (MS13-004) Vulnerability in .NET Framework Could Allow Elevation of Privilege (2769324)
  • (MS13-005) Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930)
  • (MS13-006) Vulnerability in Microsoft Windows Could Allow Security Feature Bypass (2785220)
  • (MS13-007) Vulnerability in Open Data Protocol Could Allow Denial of Service (2769327)

 

What’s most interesting at this time, however, is what Microsoft has *not* done, which is to patch a known, critical vulnerability in Internet Explorer. In late December, Microsoft disclosed (but has not yet patched) a vulnerability affecting IE 6, 7, and 8. This vulnerability can be used to perform remote code execution on a vulnerable browser, and has been actively exploited in the wild in several targeted attacks. Most notably, the web site for the Council on Foreign Relations was found to be subverted on or around Dec 21, 2012, and has been serving up exploit code to visitors in the form of drive-by-downloads. The CFR has some very influential members, including former Presidents, Vice Presidents, Secretaries of State, and nationally-known journalists, giving this all the makings of a classic “Watering Hole” attack. In addition, a Metasploit module has been published, arming the script kiddies of the world with a weaponized exploit. We can expect that this one will not quietly disappear.

 

MS has documented some workarounds (for example, upgrading to IE 9 or 10, which are not vulnerable) as well as a Fix It, which acts as a temporary mitigation until a proper patch is released. Unfortunately, the documented mitigations are either largely impractical or not 100% effective, and it is very likely that exploits of this vulnerability will accelerate in the time until a patch is released. MS will surely be keeping a close eye on the activity surrounding this vulnerability, and it would not be surprising to see an out-of-cycle patch released in the coming weeks.

 

The patches released this month are not especially concerning. The critical patch to MS XML Core Services (MS13-002) is the most noteworthy, as it affects a very broad range of MS operating systems, applications, and tools, and can be exploited relatively easily by luring an unsuspecting browser to a malicious web page. The other critical patch (MS13-001) fixes a remote code execution vulnerability in the Windows Print Spooler. While remote code execution vulns are always noteworthy, this one requires a pretty tortuous series of conditions to occur in order to be successfully exploited. It’s unlikely to see widespread exploits, but could serve well in certain kinds of targeted attacks.

 

McAfee’s confirmed coverage for this month’s vulns, plus the additional unpatched IE vuln discussed above, is as follows:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 4 out of 13 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 6 out of 13 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 6 out of 13 vulnerabilities this month.
  • McAfee Application Control is confirmed to provide protection against exploits of 4 out of 13 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Aggregate coverage (combining host- and network-based countermeasures together) is 7 out of 13. In particular, coverage is excellent for all of the critical vulnerabilities: of the 4 vulns that support RCE (1 vuln in MS13-001, 2 vulns in MS13-002, 1 unpatched IE vuln), *all 4* are covered by VirusScan’s buffer overflow protection, HIPS, and Application Control, and 3 out of 4 are covered by NSP. In addition, there are DATs available for VirusScan, Web Gateway, and other products that identify and eradicate known exploits when they are found.

 

Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or in listening to AudioParasitics, the official McAfee Labs podcast.

 

Happy patching!

 

Scott


Hello all!

 

Happy holidays and welcome to the final (knock on wood!) Patch Tuesday of 2012.  This week Microsoft released 7 new patches, covering a total of 12 new vulnerabilities.  The overall volume this month is fairly light, a trend which has more-or-less stayed true through all of 2012.  In fact, this year MS patched the fewest vulnerabilities in any year since 2009.  While the volume this month is low, the criticality is high, with critical patches for IE, MS Word, most flavors of Windows, and Exchange.

 

This month’s patches include the following:

 

  • (MS12-077) Cumulative Security Update for Internet Explorer (2761465)
  • (MS12-078) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2783534)
  • (MS12-079) Vulnerability in Microsoft Word Could Allow Remote Code Execution (2780642)
  • (MS12-080) Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2784126)
  • (MS12-081) Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2758857)
  • (MS12-082) Vulnerability in DirectPlay Could Allow Remote Code Execution (2770660)
  • (MS12-083) Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass (2765809)

 

All bulletins MS12-077 through -081 are reported by MS as critical, with -082 and -083 listed as Important.  Highest priority this month should be MS12-077 (browser exploits are always juicy targets, often exploited soon after disclosure), MS12-079 (ditto for MS Word) and MS12-080.  The latter addresses vulns in an Oracle library embedded in Exchange, first disclosed by Oracle back in October.  These vulnerabilities have been known for a while, have received a good deal of analysis, and they deserve quick attention.

 

It’s also striking to take a step back and consider the diversity of exploit vectors.  With the vulnerabilities included in just these 7 patches, an attacker could subvert a system by:

 

  • Tricking an IE user to visit a malicious web page (MS12-077)
  • Convincing a user to open a document with a malicious embedded font (MS12-078)
  • Sending a Word or Outlook user a specially-crafted Rich Text email message or document (MS12-079)
  • Fooling a user into subscribing to a malicious RSS feed (MS12-080)
  • Getting a user to just LOOK at a document with a malicious filename  (MS12-081)

 

In all these cases, MS rates the exploitability index at “1”, indicating reliable exploits are likely in the next 30 days.  While the raw numbers of vulnerabilities may be down this year, the methods available to the bad guys to do their dirty work continue to expand at a fairly alarming rate. 

 

McAfee’s confirmed coverage for this month’s vulns is as follows:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 6 out of 12 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 8 out of 12 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 4 out of 12 vulnerabilities this month (more analysis is underway).
  • McAfee Application Control is confirmed to provide protection against exploits of 8 out of 12 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Aggregate coverage (combining host and network-based countermeasures together) is 9 out of 12.  Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in.  As more details become available, you’ll find them on the McAfee Threat Center.

 

You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.

 

Happy patching!

 

Scott


Hi all,

 

Strap on your patching shoes…today is once again Microsoft Patch Tuesday.  This week Microsoft released 6 patches, addressing a total of 19 vulnerabilities.  4 of the 6 patches are rated Critical by Microsoft, including patches to Internet Explorer, .NET Framework, and the Windows Kernel and Shell.  The remaining patches address issues in MS Excel (Important) and IIS (Moderate).  None of this month’s vulnerabilities have been seen to be exploited in the wild.

 

This month’s patches include:

 

  • (MS12-071) Cumulative Security Update for Internet Explorer (2761451)
  • (MS12-072) Vulnerabilities in Windows Shell Could Allow Remote Code Execution (2727528)
  • (MS12-073) Vulnerabilities in Microsoft Internet Information Services Could Allow Information Disclosure (2733829)
  • (MS12-074) Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2745030)
  • (MS12-075) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2761226)
  • (MS12-076) Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2720184)

 

This bunch of patches is noteworthy as it includes the very first security patches to Microsoft’s shiny new OSs: Windows 8 and Windows RT.  MS12-072, -074, and -075 all affect Win 8, and -074 and -075 affect Win RT as well.  Windows RT, as you may know, is Microsoft’s OS designed for low-power devices like tablets.  These patches mark the entry of tablets into mainstream security management processes. 

 

Up until now, security patches have typically been delivered as part of monolithic OS upgrades for the devices.  For example, in iOS 6.0, Apple patched 197 security vulnerabilities.  iOS 6.0.1, released 43 days later, patched 4 more.  Many users never get around to upgrading their mobile device OS, either out of ignorance, or deliberately.  There’s an entire proud community stuck on iOS 5.x in order to avoid the “upgrade” from Google Maps to Apple Maps (Google, we had no idea how much we loved you until you were gone…)  These unpatched devices are a risk to enterprises, and there is often very little that can be done about it.  Windows RT introduces a much-needed new paradigm for these devices.  It will be interesting to see how this affects adoption of Windows RT in the enterprise.

 

McAfee’s confirmed coverage for this month’s vulns is as follows:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 9 out of 19 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 11 out of 19 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 6 out of 19 vulnerabilities this month.
  • McAfee Application Control is confirmed to provide protection against exploits of  9 out of 19 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Aggregate coverage (combining host and network-based countermeasures together) is 13 out of 19.  Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in.

As more details become available, you’ll find them on the McAfee Threat Center.

You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.

 

Happy patching!

 

Scott


Hi all,

 

It’s everyone’s favorite Tuesday: Microsoft Patch Tuesday!  This month Microsoft released 7 patches, addressing a total of 20 vulnerabilities.  One of these patches is rated critical by Microsoft (MS12-064), which addresses a pair of code execution vulns in MS Word. The rest are rated Important by Microsoft.

 

Before diving into the regular monthly patches, let’s start with a quick wrap-up of the recent out-of-cycle activity from Microsoft.  On September 21, 2012, MS released a rare out-of-cycle patch for Internet Explorer:

 

  • (MS12-063) Cumulative Security Update for Internet Explorer (2744842)

 

This patch addressed 5 distinct vulnerabilities in IE 6 - IE 9.  One of these was quite concerning, as it had been fairly broadly exploited in the wild, including a published exploit module in the popular framework, Metasploit.  Given the high-profile nature of the threat, MS expedited a patch rather than wait for the next regularly scheduled patch cycle.  This is the first out-of-cycle Microsoft patch since December 2011.  Much has been written about this patch (and the related exploits) elsewhere, including some excellent write-ups by McAfee Labs:

 

  • Never-Ending Zero-Day Story
  • McAfee Labs Threat Advisory: Exploit-CVE 2012-4969

 

This month’s patches include the following:

 

  • (MS12-064) Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2742319)
  • (MS12-065) Vulnerability In Microsoft Works Could Allow Remote Code Execution (2754670)
  • (MS12-066) Vulnerabilities in HTML Sanitization Component Could Allow Elevation of Privilege (2741517)
  • (MS12-067) Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Elevation of Privilege (2742321)
  • (MS12-068) Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2724197)
  • (MS12-069) Vulnerability in Kerberos Could Allow Denial of Service (2754673)
  • (MS12-070) Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849)

 

Of this month’s patches, most noteworthy is the patch to Microsoft Word (MS12-064).  This patch addresses 2 vulnerabilities in MS Word.  These are fairly typical client-side application vulns, where an attacker who convinces their victim to open a specially crafted, malicious document could execute arbitrary code as the victim user.  A similar vulnerability in MS Works 9 (MS12-065) would be equally critical, although this application is rarely deployed in enterprise environments.

 

McAfee’s confirmed coverage for this month’s vulns, as well as last month’s IE zero-day, is excellent:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 25 out of 25 vulnerabilities this month.  100% coverage!
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 25 out of 25 vulnerabilities this month.  100% coverage!
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 10 out of 25 vulnerabilities this month,  including all the out-of-cycle IE vulns as well as the critical MS Word vulns.
  • McAfee Application Control is confirmed to provide protection against exploits of 8 out of 25, including all the out-of-cycle IE vulns as well as the critical MS Word vulns.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

In short, excellent coverage across the board.  McAfee’s customers are quite well protected via a range of countermeasures.  Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in.  As more details become available, you’ll find them on the McAfee Threat Center.

 

You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.

 

Happy patching!

 

Scott

 

Scott Taschler

Solutions Architect
McAfee, Inc.

 

Direct: 612.821.1169
Mobile: 612.210.8317
Email: scott_taschler@mcafee.com


Did you hear that?  Listen carefully for the soft whooshing sound on the early autumn breeze.  That’s the collective sigh of relief accompanying this month’s Microsoft Patch Tuesday release.  This week Microsoft released 2 patches, addressing just 2 new privilege escalation vulnerabilities, described below.

 

  • (MS12-061) Vulnerability in Visual Studio Team Foundation Server Could Allow Elevation of Privilege (2719584)
  • (MS12-062) Vulnerability in System Center Configuration Manager Could Allow Elevation of Privilege (2741528)

 

Both vulnerabilities are rated Important by Microsoft…none Critical.  None can be used to deliver malicious code to an unsuspecting user.  None affect desktops, or widely-deployed server applications.  None have been used in targeted attacks, or disclosed in any public forums.  In short, it’s the least eventful Patch Tuesday in at least 2 years.  This is a welcome respite after recent critical Java patches from Oracle, as well as Reader and Flash patches from Adobe.  Enjoy the tranquility.

 

McAfee Labs is still investigating coverage for this month’s vulns.  As details become available, you’ll find them on the McAfee Threat Center.

 

You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.

 

Happy patching!

 

Scott


Hello all,

 

This week, once again, brings us the latest Microsoft Patch Tuesday.  This week Microsoft released 9 new security patches (5 rated critical) covering a total of 27 vulnerabilities.  Nearly half of the vulns are addressed in a single patch, to MS Exchange Server.  The remaining vulns are a pretty typical mix of OS, server apps, and workstation apps, including another new rollup patch for Internet Explorer.

 

This month’s patches include the following:

 

  • (MS12-052) Cumulative Security Update for Internet Explorer (2722913)
  • (MS12-053) Vulnerability in Remote Desktop Could Allow Remote Code Execution (2723135)
  • (MS12-054) Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)
  • (MS12-055) Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2731847)
  • (MS12-056) Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution (2706045)
  • (MS12-057) Important Vulnerability in Microsoft Office Could Allow for Remote Code Execution (2731879)
  • (MS12-058) Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (2740358)
  • (MS12-059) Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2733918)
  • (MS12-060) Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)

 

The MS Exchange patch (MS12-058) sticks out this month, initially simply for the volume of vulnerabilities it addresses (13 individual vulns).  The vulns all have the same underlying root cause: a flawed library supplied by Oracle to MS (and other ISVs), which has been incorporated into MS Exchange.  The Oracle “Outside In” libraries provide previews of various document types to users of Outlook Web Access (OWA), allowing users to read docs directly in their web browser, without needing to download and open the docs on their local PC.  In order to exploit one of these vulns, an attacker would send a user a maliciously crafted doc, and the result would be the ability to run arbitrary code on the Exchange server.  Oracle disclosed the vulnerabilities in their libraries back in July, and MS quickly acknowledged that the issue affected Exchange.  Several weeks later, we have a patch from MS that deploys the updated Oracle libraries.

 

MS12-060 is important as well, as MS has disclosed that this vulnerability has seen limited, targeted attacks, and there is reason to believe that more will be coming.  This vuln affects the TabStrip control, one of a set of ActiveX Common Controls within the Windows OS.  An attacker who sent a user a malicious document, or lured the user to a specially-crafted web page could install and execute payload code without the user’s knowledge.  Attacks to date have primarily leveraged RTF documents.

 

McAfee’s confirmed coverage for this month’s vulns is excellent:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 23 out of 27 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 25 out of 27 vulnerabilities this month. (HIPS FTW!)
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 15 out of 27 vulnerabilities this month.
  • McAfee Application Control is confirmed to provide protection against exploits of all 13 vulns included in MS12-060, and additional analysis is underway on the remaining vulns.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Total aggregate coverage this month: 26 out of 27!  Additional research is being performed by McAfee Labs, and we expect coverage may improve as additional results roll in.  As more details become available, you’ll find them on the McAfee Threat Center.

 

You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.

 

Happy patching!

 

***Edit 8/15/12 ***

 

Some have asked about McAfee's exposure to the Oracle Outside In vulnerabilities. Several McAfee products use the Outside In libraries and are vulnerable, including:

 

  • McAfee Email and Web Security (EWS) 5.x Appliances
  • McAfee Email Gateway (MEG) 7.0 Appliance
  • McAfee GroupShield 7.0.x for Microsoft Exchange
  • McAfee Host Data Loss Prevention (Host DLP) 9.0
  • McAfee Security for Email Servers (Exchange & Domino)
  • McAfee Security for Microsoft SharePoint 2.5

 

For details on mitigating the risk of these, see https://kc.mcafee.com/corporate/index?page=content&id=SB10031

Scott


Hello all,

 

It’s that magical time again: Microsoft Patch Tuesday.  This week Microsoft released 9 new security patches covering a total of 16 vulnerabilities.  Along with the typical batch of vulnerabilities in Internet Explorer and a handful of privilege escalation vulns, MS has also patched a couple of vulns that have been actively leveraged by criminals for cyberattacks over the last few weeks.

 

This month’s patches include the following:

 

  • (MS12-043) Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)
  • (MS12-044) Cumulative Security Update for Internet Explorer (2719177)
  • (MS12-045) Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (2698365)
  • (MS12-046) Vulnerability in Visual Basic for Applications Could Allow Remote Code Execution (2707960)
  • (MS12-047) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523)
  • (MS12-048) Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442)
  • (MS12-049) Vulnerability in TLS Could Allow Information Disclosure (2655992)
  • (MS12-050) Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502)
  • (MS12-051) Vulnerability in Microsoft Office for Mac Could Allow Elevation of Privilege (2721015)

 

Of primary importance this month is MS12-043, which addresses a vulnerability in MS XML Core Services.  This vulnerability was first disclosed by Microsoft back in mid-June.  Within days we saw a working exploit incorporated into the popular Metasploit framework, quickly followed by other less reputable exploit kits.  This vulnerability provides an attacker with a means to push malicious code to a victim by luring them to a specially crafted web page (more commonly termed a drive-by-download).  The easy availability of exploits for this vuln make it a high risk in most organizations, and it deserves special attention.  In addition, MS12-046 has also seen limited exploits in the wild.

 

McAfee’s confirmed coverage for this month’s vulns is as follows:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 4 out of 16 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 7 out of 16 vulnerabilities this month.
  • McAfee Application Control is confirmed to provide protection against exploits of the critical MS12-043, and additional analysis is underway on the remaining vulns.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 9 out of 16 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Our coverage for MS12-043 in particular is confirmed to be very good across the board.  On the endpoint we have coverage with HIPS and Application Control, and we have released DAT signatures to detect, block, and clean known exploits wherever they appear.  On the network we have IPS signatures designed to block attacks in progress, and coverage at the Web Gateway as well.  While many organizations might be tempted to pull the panic button on this patch, it’s worth taking a step back and considering the many layers of countermeasures that are likely already in place that mitigate the risk here.  These are the days when security technology pays for itself, giving you time to breathe and patch on your own schedule.

 

Additional research is being performed by McAfee Labs, and we expect coverage may improve as additional results roll in.  As more details become available, you’ll find them on the McAfee Threat Center.

You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.

Scott

Solutions Architect
McAfee, Inc.


Hello all,

 

Welcome to the first Patch Tuesday of Summer 2012!  This week brings us 7 new security bulletins from Microsoft, addressing 26 unique flaws in various Microsoft products.  The bulletins include a heavy concentration of vulnerabilities in Internet Explorer, a new critical RDP vulnerability, and a handful of others.

 

This month’s patches include the following:

 

  • (MS12-036) Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)
  • (MS12-037) Cumulative Security Update for Internet Explorer (2699988)
  • (MS12-038) Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726)
  • (MS12-039) Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)
  • (MS12-040) Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)
  • (MS12-041) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)
  • (MS12-042) Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)

 

Observant readers will immediately note that we have yet another patch for Remote Desktop Protocol (RDP), MS12-036.  With this vuln, an attacker who is able to reach an RDP server can send an exploit that allows the perpetrator to execute code and deliver a payload of their choice.  The attack does not require authentication or any other special privileges.  MS patched a similar RDP vulnerability in March 2012 (MS12-020), which caused a flurry of activity in many organizations, as security admins struggled to identify RDP servers that were exposed to the Internet, often in violation of good security policy.  Exploits for MS12-020 surfaced in the wild shortly after publication, and we should expect no different with this one.

 

I’ve been asked by some about best practices for identifying rogue, Internet-facing RDP servers.  Two tools I’ve seen used to good effect include vulnerability scanners (looking for any Internet facing systems listening on port 3389) as well as firewall logs/SIEM (monitoring network devices for successful inbound traffic on port 3389).  Now is a great time to dust off your tools and run a quick report or two to ensure you’re not exposing services you don’t expect.

 

Also noteworthy, if only for pure volume, is MS12-037, which addresses 12 new vulnerabilities in all versions of Internet Explorer 6-9 (one of which was discovered by McAfee’s own Yichong Lin).  Exploits for one of these vulns have been seen in the wild, as part of limited, targeted attacks.  Expect more in the future.  Thankfully, most organizations have become very good at testing and rolling out IE patches, since they’ve had so much practice over the years.

 

Finally, Microsoft has also implemented a new OS feature that allows them to more easily revoke trust from digital certificates that are often used to digitally sign Windows code.  Over the last several weeks there has been a great deal of attention drawn to signed malicious code, mostly due to the Flame/Skywiper malware, which used signed code to spread the attack components.  However, digitally signed malware is nothing new.  McAfee Labs has cataloged more than 200,000 unique pieces of malware with valid digital signatures in the first quarter of 2012 alone.  Having the ability to quickly remove trust from untrustworthy certificates is an important tool for fighting this class of malware, but is still a reactive technique.  McAfee’s Deep Defender, an exciting technology co-developed with our parent company Intel, also has an important, proactive role to play.

 

McAfee’s confirmed coverage for this month’s vulns is as follows:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 10 out of 26 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 10 out of 26 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 14 out of 26 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Additional research is being performed by McAfee Labs, and we expect coverage may improve as additional results roll in.  As more details become available, you’ll find them on the McAfee Threat Center.

 

You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.

 

 

Happy patching!

 

Scott


Welcome to Patch Tuesday, May 2012 edition!  This week brings us 7 new security bulletins from Microsoft, addressing 23 flaws in various Microsoft products.  This month’s vulnerabilities are heavily weighted toward desktop applications, with critical vulns in MS Word, Excel, Visio and other components.

 

This month’s patches include the following:

 

  • (MS12-029) Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352)
  • (MS12-030) Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2663830)
  • (MS12-031) Vulnerabilities in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981)
  • (MS12-032) Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)
  • (MS12-033) Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533)
  • (MS12-034) Vulnerabilities in GDI+ and TrueType Font Engine Could Allow Remote Code Execution (2681578)
  • (MS12-035) Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)

 

Top of the list of this month for many organizations will be MS12-034.  This modest-sounding patch revisits a vulnerability we last discussed in December 2011 (MS11-087).  The vuln was notably exploited by the Duqu rootkit, a sophisticated, targeted attack that circulated late last year, with new variants seen as recently as March 2012.  Recently, MS has done additional analysis, and found duplicate copies of the flawed code in several other Windows components, ranging from the TrueType font engine to Silverlight.  While patching this vuln, MS also rolled in a number of fixes for other issues they had stacked up, for a total of 10 diverse vulns addressed in this single bulletin.  The volume and variety of issues combined in this bulletin make it a high priority.

 

The vulns in MS Word, Excel, Visio, and .NET are also fairly concerning.  In all cases, an attacker would deliver a specially-crafted malicious document, via email or web channels, or perhaps via a USB stick.  If the attacker can convince the user to open the malicious doc, the vulnerabilities allow the attacker to take complete control of the user’s system.  There is no lack of client-side attacks similar to these, and they remain one of the most common vectors for attacks, both random and targeted.

 

McAfee’s confirmed coverage for this month’s vulns is as follows:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 10 out of 23 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 10 out of 23 vulnerabilities this month.
  • McAfee Application Control is expected to provide protection against exploits of 13 out of 23 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 15 out of 23 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

In particular, coverage is excellent for the vulnerabilities in the MS Office apps for all listed countermeasures.  Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in.  As more details become available, you’ll find them on the McAfee Threat Center.

 

 

You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.

 

Happy patching!

 

Scott
