Blog


Hi Gurus,

Sorry for taking over the main page with document updates. I've been updating the docs with the new logo, as well as cleaning up the formatting. I'm hoping this will make it easier to read the Best Practices.

I hope to have most of them updated by the end of the year; I'll also be updating some of the videos included in the Best Practices.

Best Regards,

Jon


A ransomware strain known as Scarab, and detected for the first time in June, is now being pushed to millions of users via Necurs, the Internet's largest email spam botnet.

Source: Scarab Ransomware Pushed via Massive Spam Campaign

So how would McAfee ENS 10.5 fare against this attack?

==========================

In the test, we obtained one sample and ran it against a Windows 7 machine with ENS 10.5 installed.

The AV scanner was turned off to ensure that only DAC (Dynamic Application Containment) and RP (Real Protect) were providing protection to the endpoint.

As a result, the malware sample was successfully blocked by the DAC rules shown below.

DAC rule triggered | Enabled in the Best Practices (https://kc.mcafee.com/corporate/index?page=content&id=KB87843)?
Modifying users' data folders | NO
Executing any child process | YES

The McAfee ENS Analyzer content for both DAC rules was created in Aug 2016, whereas the ransomware was made known to the public on 23 Nov. Taking those two dates, the McAfee endpoint solution provided pre-emptive protection more than 12 months before this ransomware was publicly known.

A video of the testing is shown below



A new variant of the CryptoMix ransomware is being distributed that appends the .XZZX extension to encrypted file names. While the encryption methods stay the same in this variant, there are some slight differences. The ransom note is still named _HELP_INSTRUCTION.TXT, but now lists the xzzx@tuta.io, xzzx1@protonmail.com, xzzx10@yandex.com, and xzzx101@yandex.com emails for a victim to contact for payment information.

Source: XZZX Cryptomix Ransomware Variant Released

So how would McAfee ENS 10.5 fare against this attack?

==========================

In the test, we obtained one sample and ran it against a Windows 7 machine with ENS 10.5 installed.

The AV scanner was turned off to ensure that only DAC and RP were providing protection to the endpoint.

As a result, the malware sample was successfully blocked by the DAC rules shown below.

DAC rule triggered | Enabled in the Best Practices Guide for ENS 10.5 (Default Security, https://kc.mcafee.com/corporate/index?page=content&id=KB87843)?
Modifying users' data folders | NO
Executing any child process | YES
Modifying startup registry locations | YES
Creating files with the .exe extension | YES
Reading files commonly targeted by ransomware-class malware | YES
Modifying files with the .bat extension | NO
Writing to files commonly targeted by ransomware-class malware | YES
Modifying the hidden attribute bit | YES

The McAfee ENS Analyzer content for these DAC rules was created in Aug 2016, whereas the ransomware was made known to the public on 13 Nov. Taking those two dates, the McAfee endpoint solution provided pre-emptive protection more than 12 months before this ransomware was publicly known.

A video of the testing is shown below



A new ransomware strain named Bad Rabbit is wreaking havoc in many Eastern European countries, affecting both government agencies and private businesses alike.

At the time of writing, the ransomware has hit countries such as Russia, Ukraine, Bulgaria, and Turkey.

Confirmed victims include the Odessa airport in Ukraine, the Kiev subway system in Ukraine, the Ukrainian Ministry of Infrastructure, and three Russian news agencies, including Interfax and Fontanka. Ukraine's CERT team has posted an alert and is warning Ukrainian businesses about this new outbreak.

Sources:

Bad Rabbit Ransomware Outbreak Hits Eastern Europe

Security Firms Say Bad Rabbit Attack Carried Out by NotPetya Group

Bad Rabbit Ransomware Outbreak Also Used NSA Exploit

So how would McAfee ENS 10.5 fare against this attack?

==========================

In the test, we obtained one sample and ran it against a Windows 7 machine with ENS 10.5 installed.

The AV scanner was turned off to ensure that only DAC and RP were providing protection to the endpoint.

As a result, the malware sample was successfully blocked by the DAC rules shown below.

DAC rule triggered | Enabled in the Best Practices for McAfee ENS 10.5 (Default Security, https://kc.mcafee.com/corporate/index?page=content&id=KB87843)?
Modifying users' data folders | NO
Executing any child process | YES

The McAfee ENS Analyzer content for both DAC rules was created in Aug 2016, whereas the ransomware was made known to the public on 25 Oct 2017. Taking those two dates, the McAfee endpoint solution provided pre-emptive protection more than 12 months before this ransomware was publicly known.

A video of the testing is shown below



Sounds like a good title for a document someone should create, right? Well, hopefully someone finds some time to work on it and do just that...

In the meantime, here is a list of all of the API calls along with the supported versions in case someone is looking to maintain code compatibility across versions.

See documentation with additional details for your respective version at:

  • 9.x - https://<ESM-IP>/rs/esm/help/commands
  • 10.x v1 - https://<ESM-IP>/rs/esm/help
  • 10.x v2 - https://<ESM-IP>/rs/esm/v2/help

McAfee ESM v10.2.0

API Call | Description
ipsDnsLookup | Get DNSLookup object with ip Address and hostName information
miscATILookup | Gets ATILookup details
sysAddEditRemoteCommand | Add Edit Remote Command
sysDeleteRemoteCommand | Delete Remote Command from given ID list

McAfee ESM v10.1.2 / v10.1.3 / v10.1.4

API Call | Description
getAssociatedReceiver | Returns a Receiver IPSID associated with a device
grpGetDeviceProperties | Gets details of a device

McAfee ESM v10.1.0 / v10.1.1

API Call | Description
assetDeleteAssetSources | Not implemented yet
assetEnableOrDisableAssetRisk | Not implemented yet
assetEnableOrDisableThreatRisk | Not implemented yet
assetExportAssetList | Not implemented yet
assetGetAllAssetSourceLists | Not implemented yet
assetGetAssetDetails | Not implemented yet
assetGetAssetSourceData | Not implemented yet
assetGetAssetSourceList | Not implemented yet
assetGetAssetSourceTypes | Not implemented yet
assetGetOldAssetDays | Not implemented yet
assetGetOSList | Not implemented yet
assetGetThreatCountermeasures | Not implemented yet
assetGetThreatDetails | Not implemented yet
assetImportAssetList | Not implemented yet
assetResetAssetTagExceptions | Not implemented yet
assetSetAllAssetThirdPartyConfig | Not implemented yet
assetSetOldAssetDays | Not implemented yet
assetGetAssetDetailsObject | Gets asset Details
assetGetAssetThreats | Gets asset threats
addEditBenchmarkGroup | Adds or edits a benchmark group
deleteBenchmarkGroup | Deletes a benchmark group
getAssetGroups | Gets asset groups
getAssetsByGroup | Gets assets by group
getBenchmarkGroupList | get list of benchmarks
getBenchmarkGroups | Gets benchmark groups
getBenchmarkList | Gets the overall scorecard score
getBenchmarksByGroup | Gets benchmarks by group
getOverallScore | Gets the overall scorecard score
getRulesByBenchmark | Gets rules by benchmark
getScorecardSettings | Gets scorecard settings
getUserBenchmarkSettings | Gets user benchmark settings
setScorecardSettings | Sets scorecard settings
setUserBenchmarkSettings | Sets user benchmark settings

McAfee ESM v10.0.2 / v10.0.3

API Call | Description
deleteView | Removed
elasticSearchDeleateSearchHistory | Removed
essmgtDeleteFile | Removed
essmgtESSReboot | Removed
essmgtESSRestart | Removed
secAuthorizeDownload | Removed
secAuthorizeUpload | Removed
sysDeleteFolder | Removed
userAuthorizeDownload | Removed
userAuthorizeUpload | Removed
userSetExtendedLoginInfo | Removed
alarmGetTriggeredAlarmsWithStatus | Retrieves a list of all alarms that have been triggered; if no user is specified, the current user will be used.
elasticSearchSearchArchive | Search for an archived item on an ELS
ipsGetAlertsNow | Get job id for alerts
ipsGetFlowsNow | Get job id for flows
miscJobsDetails | Gets jobs details
miscJobsSummary | Gets jobs summary

McAfee ESM v10.0.0MR1 / v10.0.1

API Call | Description
elmDeviceHasELM | Returns the ELM configuration for a device
grpFindDeviceInTree | Gets the parent for the specified device.
grpSearchDeviceNamesInTree | Searches the device tree for devices/groups/clients that match the name specified.
sysGetUCFTree | Return the UCF list

McAfee ESM v10.0.0

API Call | Description
getVersion | Removed
userLogin | Removed
alarmGetTriggeredAlarms | Retrieves a list of all alarms that have been triggered
blAddEditNSMBlacklistEntry | Adds or edits a blacklist entry
blDeleteNSMBlacklistEntries | Deletes a list of blacklist entries
blEnableGlobalBlacklistingForSensor | Sets the enabled state for global blacklisting on the specified sensor
blGetAllUseGlobalBlacklist | Gets the list of blacklists
blGetBlacklist | Gets the global blacklist entries
blGetSensorBlacklistEntries | Gets the entries for the blacklist sensor
blSetUseGlobalBlacklist | Updates the blacklists to use global blacklisting
blSubmitGlobalBlacklist | Updates the entries for the global blacklist
caseAddCaseStatus | Add a case status
caseAddOrganization | Add a case organization
caseDeleteCaseStatus | Delete a case status.
caseGetCaseEventsDetail | Get case events details
caseGetCaseUsers | Get case users
caseGetOrganizationList | Get case organizations
createView | Create a new View/Widget
deleteView | Delete an existing View/Widget
devGetDeviceListRaw | Get a list of all devices defined in the system
dsGetDataSourceXml | XML datasource list
dsGetEpoList | Get a list of valid ePO servers for the given target IPs
elasticSearchDeleateSearchHistory | If a search is in progress, stop it and delete the search
elasticSearchGetSearchHistory | Get search history
elasticSearchGetSearchResults | Get search results
elasticSearchPerformSearch | Search ELS
elmDownloadLogFileForEvent | Gets the download information for an ELM archive
elmGetElmList | Get a list of ELM/ELS devices
essmgtDeleteFile | Deletes the file
essmgtGetBuildStamp | Gets the ESM build stamp
essmgtGetPCapPacket | Gets the packet token
getActionList | Get actions
getAllFlashViews | Gets a list of existing flash views
getFlashViewInfo | Get view info
getUserLocale | Get user session locale
getUsersInGroups | List of users that can be shared with
getUserViewDefaults | Get view defaults for user
getView | Get an existing View/Widget
grpGetDisplayList | This method gets all of the displays for the ESM
grpGetDSAgents | Gets the datasource agents for a datasource
grpGetSystemTree | This API returns the system tree as an array of root nodes
ipsAddAlertNote | This function sets the note for the event
ipsGetAFValues | This function gets the alert flow values
ipsGetAlertData | Gets alert data
ipsGetAlertPacket | This function gets the packet for the event
ipsGetCorrRawEvents | Get the correlation raw events
ipsGetFlowData | Gets the flow data values
ipsGetIpsNames | Get the names for the IPSIDs entered
ipsIsEventCorrelation | Get a list of all event correlations
ipsWhoIs | Gets the details for the call
miscCancelJob | Cancel a job
miscGetFilenameFromToken | Gets the filename for a given token (no path)
miscGetRemedyEventEmailData | Gets the data to send to the remedy
miscJobStatus | This gets the job status
miscKeepAlive | Keeps the session alive
miscMaskIPAddress | This masks a given IP address using the mask specified
miscSendRemedyEmail | Sends the event to the remedy
miscSendTestEmail | Send a test email with the Email Server Settings
miscSetRemedyCaseID | Sets the remedy case id for the specified alert
miscSubmitJob | Submits a new job
notifyAddAddress | Add a notification recipient address
notifyAddCaseIDToTrigAlarm | Adds a case to a triggered alarm
notifyAddGroup | Add a notification email group
notifyDeleteAddress | Remove notification recipient address(es)
notifyDeleteGroup | Delete a group of email recipients
notifyEditAddress | Edit a notification recipient address
notifyEditGroup | Edit a group of email recipients
notifyGetAddressList | Get list of recipient addresses by type
notifyGetEmailGroupList | Get the list of email groups
notifyGetNotificationSettings | Get the email server settings
notifyGetTriggeredNotification | Get the triggered notification
notifyGetTriggeredNotificationDetail | Gets the details for the triggered alarm
notifyGetVisualTriggeredAlarms | Gets the list of triggered visual alarms
notifySetNotificationSettings | Set the email server settings
notifySetTriggeredAlarmAssignee | Assigns a user to a triggered alarm
plcyGetAssetGroupsList | Get all asset groups defined in the system
plcyGetAssetList | Get all assets defined in the system
plcyGetNormalizedRules | Get all normalized rules based on display options given
plcyGetTagList | Get tags
qryAllEsmTableFields | This function returns a list of all available ESM fields without parameters
qryDeleteAlertFlowData | Deletes one or more events or flows
qryExecute | Execute a query against the database.
qryGetFilterSet | Returns a filter set by id.
qryGetFilterSetList | This method returns the whole folder structure of a filterSet
qryGetIocData | Gets all relevant data about a specific IOC
qryGetTrendTimeSlice | Qry get trend time slice
qryGetWmiTypes | Get a list of WMI types
qryMarkAsReviewed | Mark one or more events as reviewed
qrySaveFilterSet | Save a new FilterSet or update it
rskGetCorrelationTriggerInfo | Return ESM correlation trigger info
secAuthorizeDownload | Authorize the user for a download based on Session ID
secAuthorizeUpload | Authorize the user for an upload based on Session ID
setUserViewDefaults | Set view defaults for user
sysCanEditItems | Gets the items that can or can't be edited
sysDeleteFolder | Delete an existing folder
sysExecuteRemoteCommand | Execute remote system command
sysGetActiveDirectoryGroups | Get Active Directory groups
sysGetADGroupName | Return the Active Directory group name
sysGetAllChanges | Returns all changes since the last check
sysGetAllFoldersAndViews | Get a tree of all folders and all their views
sysGetCustomSettings | Get the details for the custom settings screen
sysGetEventForwardingList | Gets the event forwarding list
sysGetFilterFieldsList | This method returns the user filter list
sysGetFolder | Get an existing folder
sysGetItemRightsForShare | Get item rights
sysGetItemRightsForUG | Gets an arrayList of folders and an arrayList of items
sysGetMaxDays | Get the number of days that events and flows are stored and the time frame when new events and flows may be added to the database
sysGetMaxRecs | Returns the database allocation information for index and data drives
sysGetMinutesLeft | Minutes left until logout timer
sysGetRemoteCommandDetails | The command details for the item you want
sysGetRemoteCommandList | List of remote commands
sysGetSelectProfileList | Returns the selected profile type list
sysGetSysInfo | This method returns all the overview system information
sysSaveFolder | Create a new folder
sysSetCustomSettings | Sets the custom settings details
sysSetItemRightsForShare | Set item rights
sysSetMaxDays | This method sets the time frames for saving and inserting events and flows into the database
sysSetMaxRecs | This method sets the database allocation partitions to the requested format
updateView | Update an existing View/Widget
userAuthorizeDownload | Authorize the user to download the file based upon the fileToken provided
userAuthorizeUpload | Authorize the user for an upload based on Session ID
userGetUserTimeFrame | User time frame
userModifyUser | Changes the user password
userSetAutoGetPacket | This function sets the new state of the Auto-Get Packet for the current user
userSetExtendedLoginInfo | Send to MW new extended login info: JWT and CSRF data
zoneGetTopLevelZones | Gets the top level zones

McAfee ESM v9.x

API Call | Description
alarmAcknowledgeTriggeredAlarm | Mark a triggered alarm as acknowledged
alarmDeleteTriggeredAlarm | Delete a triggered alarm
alarmGetTriggeredAlarms | Retrieves a list of all alarms that have been triggered
alarmGetTriggeredAlarmsPaged | Retrieves a paged list of alarms that have been triggered
alarmGetUnacknowledgedTriggeredAlarms | Retrieves a list of alarms that have been triggered and have not been acknowledged
alarmUnacknowledgeTriggeredAlarm | Mark a triggered alarm as unacknowledged
caseAddCase | Add a case to the system
caseEditCase | Edit an existing case
caseGetCaseDetail | Get detail on an existing case
caseGetCaseList | Get a list of cases from the system
caseGetCaseStatusList | Get a list of valid case statuses from the system
devGetDeviceList | Get a list of all devices defined in the system
dsAddDataSource | Add a data source
dsAddDataSourceList | Add a list of data sources
dsDeleteDataSource | Delete a data source
dsEditDataSource | Edit a data source's properties
dsGetDataSourceDetail | Get the details for a specific data source
dsGetDataSourceList | Get a list of defined data sources
dsGetDataSourceTypes | Get all data source types
dsGetUserDefinedDataSources | Get user defined data sources.
dsSetUserDefinedDataSources | Set user defined data sources.
essmgtESSReboot | Reboots the ESM device
essmgtESSRestart | Restarts the services on the ESM device
essmgtGetESSTime | Get the system time of the ESM device
geoGetGeoLocRegionList | Get the top level geo locations
geoGetGeoLocs | Get geo locations within the given location
getActiveResponseCollectors | Get a list of Active Response collectors
getVersion | Get the version information for this ESM
grpGetDeviceTree | Gets the basic device tree structure with only basic properties loaded.
grpGetDeviceTreeEx | This version of the call returns more detail per device than getDeviceList, wrapped in an esmDeviceList object
plcyGetPolicyList | Get the list of all policies defined in the ESM
plcyGetVariableList | Get all variables defined in the system
qryClose | Closes the query results; must be called after a query's results have been processed.
qryExecuteDetail | Execute a standard detail (non-grouped) query.
qryExecuteGrouped | Execute a grouped query on a field.
qryGetCorrEventDataForID | Get the source events and flows for a given correlated event ID
qryGetFilterFields | Get all fields that can be used in query filters, with type information for each field.
qryGetResults | Get the results for a query.
qryGetSelectFields | Get the fields available for selecting in queries.
qryGetStatus | Get the status for a query that has been executed.
runActiveResponseSearch | Execute an Active Response search and return the results
sysAddWatchlist | Add a watchlist to the system.
sysAddWatchlistValues | Add values to a watchlist.
sysEditWatchlist | Edit properties of a watchlist. (Watchlist type will not be modified)
sysGetWatchlistDetails | Get detailed information about a watchlist.
sysGetWatchlistFields | Get watchlist fields/types.
sysGetWatchlists | Return basic information on all watchlists in the system
sysGetWatchlistValues | Read the content of a watchlist value file.
sysRemoveWatchlist | Remove a watchlist from the system.
sysRemoveWatchlistValues | Remove values from a watchlist.
userAddAccessGroup | Add an access group
userAddUser | Add a user to the system.
userDeleteAccessGroup | Delete an access group.
userDeleteUser | Delete a user from the system.
userEditAccessGroup | Edit properties of an access group.
userEditUser | Used by the master user to update information about another user.
userGetAccessGroupDetail | Get extended information about an access group.
userGetAccessGroupList | Get all user access groups defined in the system.
userGetRightsList | Get all rights defined in the system.
userGetTimeZones | Get a list of timezones this system recognizes
userGetUserList | Get a list of all users.
userGetUserRights | Get all rights defined for the current user.
userLogin | Log into the SIEM with the given username and password.
userLogout | Log the user out of their SIEM session
zoneAddSubZone | Add a new subzone under a zone
zoneAddZone | Create a new zone.
zoneDeleteSubZone | Delete the sub zone
zoneDeleteZone | Delete the zone
zoneEditSubZone | Edit the given sub zone.
zoneEditZone | Edit the given zone.
zoneGetSubZone | Get detailed information on a sub zone
zoneGetZone | Get extended detail on a zone.
zoneGetZoneTree | Get the full tree of zones defined in the ESM.
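A version-aware compatibility check built from the tables above, as an added example that is not part of the original post or of the ESM product itself. It reads each version's table as the delta against the previous release (a "Removed" row drops the call, any other row adds it, and the 9.x table is the baseline), transcribes a subset of those rows into CHANGELOG, and reports which calls a 9.x-era script would lose on a given 10.x release; the <ESM-IP> placeholder and the help-page paths come from the post, while the function names, the version-parsing rules and the transcribed subset are assumptions of this example.

```python
"""Which McAfee ESM API calls exist in a given release, per the post's tables."""
import re
from typing import Dict, Iterable, List, Set, Tuple

Version = Tuple[int, int, int, int]

# Constructed from the per-version tables in the post (subset only; the
# "Not implemented yet" rows are left out). "added" = row with a description,
# "removed" = row whose description is "Removed".
CHANGELOG: List[Tuple[str, Dict[str, str]]] = [
    ("9.x", {
        "getVersion": "added", "userLogin": "added", "userLogout": "added",
        "qryExecuteDetail": "added", "qryGetResults": "added",
        "sysGetWatchlists": "added",
    }),
    ("10.0.0", {
        "getVersion": "removed", "userLogin": "removed",
        "deleteView": "added", "qryExecute": "added",
        "essmgtDeleteFile": "added", "userSetExtendedLoginInfo": "added",
    }),
    ("10.0.0MR1", {"sysGetUCFTree": "added", "elmDeviceHasELM": "added"}),
    ("10.0.2", {
        "deleteView": "removed", "essmgtDeleteFile": "removed",
        "userSetExtendedLoginInfo": "removed", "ipsGetAlertsNow": "added",
    }),
    ("10.1.0", {"getAssetGroups": "added", "getOverallScore": "added"}),
    ("10.1.2", {"grpGetDeviceProperties": "added"}),
    ("10.2.0", {"ipsDnsLookup": "added", "sysAddEditRemoteCommand": "added"}),
]

# Accepts "9.x", "10.0.0" and "10.0.0MR1" (maintenance release suffix).
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+|x))?(?:\.(\d+|x))?(?:MR(\d+))?$", re.I)


def parse_version(text: str) -> Version:
    """Turn an ESM version string into a sortable 4-tuple.

    'x' and missing components count as 0; the MR number is the fourth
    component so that 10.0.0 < 10.0.0MR1 < 10.0.1 (assumed ordering).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ESM version: {text!r}")
    parts = [p if p and p.isdigit() else "0" for p in m.groups()]
    major, minor, patch, mr = (int(p) for p in parts)
    return (major, minor, patch, mr)


def available_calls(version: str) -> Set[str]:
    """Calls present in `version`, folding the changelog in release order."""
    target = parse_version(version)
    present: Set[str] = set()
    for release, changes in sorted(CHANGELOG, key=lambda e: parse_version(e[0])):
        if parse_version(release) > target:
            break  # later releases do not affect the target
        for call, change in changes.items():
            if change == "removed":
                present.discard(call)
            else:
                present.add(call)
    return present


def missing_calls(script_calls: Iterable[str], version: str) -> List[str]:
    """Calls a script relies on that the target release does not provide."""
    present = available_calls(version)
    return sorted(c for c in set(script_calls) if c not in present)


def help_url(esm_host: str, version: str, api: str = "v2") -> str:
    """Location of the built-in API help for a release, as listed in the post."""
    major = parse_version(version)[0]
    if major < 10:
        return f"https://{esm_host}/rs/esm/help/commands"
    if api == "v1":
        return f"https://{esm_host}/rs/esm/help"
    if api == "v2":
        return f"https://{esm_host}/rs/esm/v2/help"
    raise ValueError("api must be 'v1' or 'v2' for ESM 10.x")


if __name__ == "__main__":
    # A 9.x-era script that logs in, reads the version and runs a detail query.
    legacy_script = ["userLogin", "getVersion", "qryExecuteDetail", "userLogout"]
    for v in ("9.6.0", "10.0.1", "10.2.0"):
        print(v, "missing:", missing_calls(legacy_script, v),
              "help:", help_url("<ESM-IP>", v))
```

Extend CHANGELOG with the remaining rows from the tables to check a real script; the fold handles any number of releases in any listing order.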


https://securingtomorrow.mcafee.com/business/security-connected/paranoia-opendxl-and-the-second-econ...

Excerpt: By opening DXL to the industry through an open software development kit (SDK), more enterprises, developers, and organizations can participate to expand the value and impact of a DXL deployment: we are activating the Network Effect. The SDK enables a unified model for integrating software vendors’ best ideas with in-house developed and legacy systems to turn an unwieldy, unsustainable set of tools and data sets into a system that functions in real time and is easier to build, test, and maintain consistently. It reduces the error, disruption, and change that create vulnerability up front and over the business’ life. Together—through better sharing of intelligence and tighter integration of the systems that use it—we as an industry create a security operations platform that connects the good guys in a collaborative team. Join the revolution at mcafee.com/opendxl.

Read the entire blog:

https://securingtomorrow.mcafee.com/business/security-connected/paranoia-opendxl-and-the-second-econ...


Hello everyone,

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for September 13, 2016.

Welcome to the September Patch Tuesday update. This was a busy month: Microsoft released a total of fourteen (14) new security bulletins, including one for Adobe Flash. Seven (7) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually most concerned about and attempt to patch as quickly as possible. The remaining seven (7) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

This month’s patches include the following:

Columns: Bulletin Number (KB Number): Title; Bulletin Rating (highest); Vulnerability Impact; McAfee Labs Security Advisory Number; Intel Security Coverage (Covered Products / Under Analysis).

MS16-104 (KB 3183038): Cumulative Security Update for Internet Explorer
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption; Information Disclosure; Elevation of Privilege; Security Bypass
  McAfee Labs Security Advisory Number: MTIS16-049
  Covered Products: NSP, Application Control, BOP, Host IPS, Vulnerability Manager
  Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-105 (KB 3183043): Cumulative Security Update for Microsoft Edge
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption; Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-049
  Covered Products: NSP, Application Control, Vulnerability Manager
  Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-106 (KB 3185848): Security Update for Microsoft Graphics Component
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Remote Code Execution; Elevation of Privileges; Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-050
  Covered Products: Application Control, Host IPS, NSP, Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-107 (KB 3185852): Security Update for Office
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption; Security Bypass; Information Disclosure; Spoofing
  McAfee Labs Security Advisory Number: MTIS16-050
  Covered Products: Application Control, NSP, Host IPS, Vulnerability Manager, BOP
  Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-108 (KB 3185883): Security Update for Microsoft Exchange Server
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Open Redirect; Information Disclosure; Elevation of Privileges
  McAfee Labs Security Advisory Number: MTIS16-050
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-109 (KB 3182373): Security Update for Silverlight
  Bulletin Rating (highest): Important
  Vulnerability Impact: Memory Corruption
  McAfee Labs Security Advisory Number: MTIS16-050
  Covered Products: Application Control, Vulnerability Manager, BOP, Host IPS
  Under Analysis: Firewall Enterprise

MS16-110 (KB 3178467): Security Update for Windows
  Bulletin Rating (highest): Important
  Vulnerability Impact: Elevation of Privilege; Information Disclosure; Remote Code Execution; Denial of Service
  McAfee Labs Security Advisory Number: MTIS16-051
  Covered Products: NSP, Web Gateway, BOP, Application Control, Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-111 (KB 3186973): Security Update for Windows Kernel
  Bulletin Rating (highest): Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-051
  Covered Products: NSP, Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-112 (KB 3178469): Security Update for Windows Lock Screen
  Bulletin Rating (highest): Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-051
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-113 (KB 3185876): Security Update for Windows Secure Kernel Mode
  Bulletin Rating (highest): Important
  Vulnerability Impact: Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-051
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-114 (KB 3185879): Security Update for Windows SMBv1 Server
  Bulletin Rating (highest): Important
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-051
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise, Web Gateway

MS16-115 (KB 3188733): Security Update for Windows PDF Library
  Bulletin Rating (highest): Important
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-051
  Covered Products: NSP, Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-116 (KB 3188724): Security Update in OLE Automation for VBScript Scripting Engine
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-051
  Covered Products: Application Control, BOP, Host IPS, NSP, Vulnerability Manager
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS16-117 (KB 3188128): Security Update for Adobe Flash Player
  Bulletin Rating (highest): Critical
  Vulnerability Impact: N/A
  McAfee Labs Security Advisory Number: N/A
  Covered Products: Not Tested
  Under Analysis: Not Tested


Hello everyone,

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for August 8, 2016.

Welcome to the August Patch Tuesday update. This was a lighter than average month: Microsoft released a total of nine (9) new security bulletins. Five (5) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually most concerned about and attempt to patch as quickly as possible. The remaining four (4) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

This month’s patches include the following:

Columns: Bulletin Number (KB Number): Title; Bulletin Rating (highest); Vulnerability Impact; McAfee Labs Security Advisory Number; Intel Security Coverage (Covered Products / Under Analysis).

MS16-095 (KB 3177356): Cumulative Security Update for Internet Explorer
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption; Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-047
  Covered Products: NSP, Application Control, BOP, Host IPS, Vulnerability Manager
  Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-096 (KB 3177358): Cumulative Security Update for Microsoft Edge
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption; Information Disclosure; PDF Remote Code Execution Vulnerability
  McAfee Labs Security Advisory Number: MTIS16-047
  Covered Products: NSP, Application Control, Vulnerability Manager
  Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-097 (KB 3177393): Security Update for Microsoft Graphics Component
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-047
  Covered Products: Application Control, BOP, Host IPS, NSP, Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-098 (KB 3178466): Security Update for Kernel-Mode Drivers
  Bulletin Rating (highest): Important
  Vulnerability Impact: Elevation of Privileges
  McAfee Labs Security Advisory Number: MTIS16-047
  Covered Products: NSP, Host IPS
  Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-099 (KB 3177451): Security Update for Office
  Bulletin Rating (highest): Important
  Vulnerability Impact: Memory Corruption; Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-048
  Covered Products: NSP, Application Control, BOP, Host IPS, Vulnerability Manager
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-100 (KB 3179577): Security Update for Secure Boot
  Bulletin Rating (highest): Important
  Vulnerability Impact: Security Bypass
  McAfee Labs Security Advisory Number: MTIS16-048
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-101 (KB 3178465): Security Update for Windows Authentication Methods
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-048
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-102 (KB 3182248): Security Update for Microsoft Windows PDF Library
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-048
  Covered Products: BOP, Host IPS, NSP, Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-103 (KB 3182332): Security Update for ActiveSync Provider
  Bulletin Rating (highest): Important
  Vulnerability Impact: Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-048
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

Let’s take a closer look at each of the Microsoft Security Bulletins:

MS16-095 (CVE-2016-3288, 3289, 3290, 3293, 3321, 3322, 3326, 3327, and 3329)

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

The update addresses the vulnerabilities by modifying how Internet Explorer and certain functions handle objects in memory.

MS16-096 (CVE-2016-3289, 3293, 3296, 3319, 3322, 3326, 3327, and 3329)

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

The update addresses the vulnerabilities by:

  • Modifying how Microsoft Edge handles objects in memory
  • Modifying how the Chakra JavaScript scripting engine handles objects in memory

MS16-097 (CVE-2016-3301, 3303, and 3304)
This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, and Microsoft Lync. The vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for:

  • All supported releases of Microsoft Windows
  • Affected editions of Microsoft Office 2007 and Microsoft Office 2010
  • Affected editions of Skype for Business 2016, Microsoft Lync 2013, and Microsoft Lync 2010

The security update addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts.

MS16-098 (CVE-2016-3308, 3309, 3310, and 3311)

The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

MS16-099 (CVE-2016-3313, 3315, 3316, 3317, and 3318)

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how affected versions of Office and Office components handle objects in memory.

MS16-100 (CVE-2016-3320)

The vulnerability could allow security feature bypass if an attacker installs an affected boot manager and bypasses Windows security features.

This security update is rated Important for all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

The security update addresses the vulnerability by blacklisting affected boot managers.

MS16-101 (CVE-2016-3237, and 3300)

The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a domain-joined system.

This security update is rated Important for all supported releases of Microsoft Windows.

The update addresses the vulnerabilities by modifying how Windows authentication methods handle the establishment of secure channels.


MS16-102 (CVE-2016-3319)

The vulnerability could allow remote code execution if a user views specially crafted PDF content online or opens a specially crafted PDF document. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for all supported editions of Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows Server 2012 R2, and Windows 10.

The update addresses the vulnerability by correcting how affected systems handle objects in memory.

MS16-103 (CVE-2016-3312)

The vulnerability could allow information disclosure when Universal Outlook fails to establish a secure connection.

This security update is rated Important for all supported editions of Windows 10.

The update addresses the vulnerability by preventing Universal Outlook from disclosing usernames and passwords.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

Finally, these briefings are archived on the McAfee Community site.

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for August 2016 at the Microsoft site.

Safe Computing!

Thank you,

Kelly Housman


Hi Gurus!

The Olympics are just around the corner (August 5th - August 21st) and with that comes extra streaming! The Content and Categorization Team has been working on coverage for the past couple weeks to prepare for the event. I'll highlight some of the categories being used for Olympic related sites as well as some ideas you can use in your MWG to handle the traffic.

Related Categories

There are a number of categories that the team has been using to categorize the streaming sites related to the Olympics:

  • Streaming Media - Web pages that provide streaming media, or contain software plug-ins for displaying audio and visual data before the entire file has been transmitted.
  • Internet/Radio/TV - Web pages that provide software or access to continuous audio or video broadcasting, such as Internet radio, TV programming, or podcasting.
  • Potential Illegal Software - Web pages that McAfee believes offer information on potentially 'pirated' or illegally distributed software or electronic media, such as copyrighted music or film, or that distribute illegal license key generators, software cracks, and serial numbers.

Throughout the Olympics, coverage will be added as sites pop up close to or during the event. Streaming Media and Internet/Radio/TV will be used to categorize sites that properly license the content. Potential Illegal Software will be used to categorize sites that could potentially be hosting the streams illegally (i.e. "Watch for FREE" sites).

If you find a site which is not currently categorized, the quickest way is to use TrustedSource.org's URL submission process (sign up for an account to get higher priority).

Rule Examples

Depending on your organization's policies, you may want to be really restrictive, permissive, or want to play it safe. I'll detail some example rules that you can run with depending on your internal policies. I'm not going to cover blocking the categories, because that's built into the policy already and can be done by checking some boxes.

Auto-Expire Coaching (on Aug 21)

Let's say you want to Coach or Quota users when they visit Streaming Media or Internet/Radio/TV, and you want that to expire on August 21st (when the Olympics end). This assumes Streaming Media is not blocked in your current policy. First, import the Coaching ruleset from the Ruleset Library, then unlock it and add a rule inside the top-level Coaching ruleset. The rule will be set up as follows:

      • Name: Apply ruleset from Aug 5th to Aug 21st 2016
      • Criteria: DateTime.ToNumber less than 1470355200 OR DateTime.ToNumber greater than 1471823999
      • Action: Stop Rule Set
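
As an added illustration (my own Python model, not an MWG rule export and not from the original post), the date gate above can be reproduced in code to confirm the two epoch constants and to show how the "Stop Rule Set" criterion behaves at the window edges. It assumes DateTime.ToNumber is a Unix timestamp in seconds interpreted in UTC; the two constants on the page equal the UTC boundaries 2016-08-05 00:00:00 and 2016-08-21 23:59:59, but whether the appliance evaluates in UTC or local time is not stated on the page, so confirm that before reusing the pattern for another event window.

```python
"""Time-window gate for a coaching rule set, as an added Python model of the
MWG rule above (not an MWG export). Assumes DateTime.ToNumber is a Unix
timestamp in seconds interpreted in UTC."""
from datetime import datetime, timezone

# Categories that the coaching rule set should act on (from the post).
STREAMING_CATEGORIES = {"Streaming Media", "Internet/Radio/TV"}


def to_number(year, month, day, hour=0, minute=0, second=0):
    """Unix timestamp (seconds) for a UTC wall-clock time; mirrors the
    DateTime.ToNumber values used in the rule criteria."""
    return int(datetime(year, month, day, hour, minute, second,
                        tzinfo=timezone.utc).timestamp())


# Window boundaries derived from calendar dates rather than typed by hand.
WINDOW_START = to_number(2016, 8, 5)               # 1470355200
WINDOW_END = to_number(2016, 8, 21, 23, 59, 59)    # 1471823999


def rule_set_stopped(now, start=WINDOW_START, end=WINDOW_END):
    """The rule's criterion: DateTime.ToNumber < start OR DateTime.ToNumber > end.
    True means the action 'Stop Rule Set' fires and no coaching happens."""
    return now < start or now > end


def coaching_decision(now, url_categories):
    """Model of the Coaching rule set after the date rule is inserted at its top.

    Returns 'stop' (rule set skipped, rest of the policy applies unchanged),
    'coach' (coaching page shown) or 'pass' (no streaming category matched).
    """
    if rule_set_stopped(now):
        return "stop"
    if STREAMING_CATEGORIES & set(url_categories):
        return "coach"
    return "pass"


if __name__ == "__main__":
    # Constructed sample requests, one on each side of every window edge.
    samples = [
        (WINDOW_START - 1, ["Streaming Media"]),
        (WINDOW_START, ["Streaming Media"]),
        (to_number(2016, 8, 12, 20, 30), ["Internet/Radio/TV", "Sports"]),
        (WINDOW_END, ["Streaming Media"]),
        (WINDOW_END + 1, ["Streaming Media"]),
        (to_number(2016, 8, 12), ["Business"]),
    ]
    for ts, cats in samples:
        stamp = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        print(stamp, cats, "->", coaching_decision(ts, cats))
```

Because the date rule sits at the top of the Coaching ruleset with "Stop Rule Set", requests outside the window never reach the coaching logic and fall through to whatever the rest of the policy already does, which is why the post notes that Streaming Media must not be blocked elsewhere for the coaching to be visible.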

Bandwidth Control for Categories (7.6.2+ -- Direct Proxy)

In 7.6.2, classful bandwidth control was added, which allows MWG to prioritize traffic. This allows you to define a maximum bandwidth that certain types of traffic can consume (let's say... URL.Categories equals Streaming Media or Internet/Radio/TV). For more information on implementing Bandwidth Control, check out the recently published guide:

Discussion Thread

If you have any thoughts, alternate ideas, or cool rulesets, I've started a discussion thread in the MWG Community:

Content and Categorization Team Projects

Throughout the year the Content and Categorization team is working on proactive projects that are important to customers. They are working on providing accurate coverage for major events that matter to you.

Best Regards,

The Web Protection Team

References


Hello everyone,

Again, apologies for the delay on this. Here is the completed Patch Tuesday newsletter for July.

Welcome to the July Patch Tuesday update. This month was an average month, with Microsoft releasing a total of Eleven (11) new security bulletins, including one for Adobe Flash. For this month, Five (5) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining Six (6) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

This month’s patches include the following (columns: Bulletin Number, KB Number, Title, Bulletin Rating (highest), Vulnerability Impact, McAfee Labs Security Advisory Number, Intel Security Coverage):

MS16-084 (KB 3169991): Cumulative Security Update for Internet Explorer
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption; Security Bypass; Information Disclosure; Browser Spoofing
  McAfee Labs Security Advisory Number: MTIS16-044
  Intel Security Coverage, Covered Products: NSP, Application Control, BOP, Host IPS, Vulnerability Manager
  Intel Security Coverage, Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-085 (KB 3169999): Cumulative Security Update for Microsoft Edge
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption; Security Bypass; Information Disclosure; Browser Spoofing
  McAfee Labs Security Advisory Number: MTIS16-045
  Intel Security Coverage, Covered Products: NSP, Application Control, Vulnerability Manager
  Intel Security Coverage, Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-086 (KB 3169996): Security Update for JScript and VBScript
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption
  McAfee Labs Security Advisory Number: MTIS16-046
  Intel Security Coverage, Covered Products: Application Control, BOP, Host IPS, Vulnerability Manager
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-087 (KB 3170005): Security Update for the Microsoft Print Spooler
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Remote Code Execution; Print Spooler Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-046
  Intel Security Coverage, Covered Products: NSP, Application Control, Vulnerability Manager
  Intel Security Coverage, Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-088 (KB 3170008): Security Updates for Office
  Bulletin Rating (highest): Important
  Vulnerability Impact: Memory Corruption; Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-046
  Intel Security Coverage, Covered Products: NSP, Application Control, BOP, Host IPS, Vulnerability Manager
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-089 (KB 3170050): Security Update for Windows Secure Kernel Mode
  Bulletin Rating (highest): Important
  Vulnerability Impact: Secure Kernel Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-046
  Intel Security Coverage, Covered Products: Vulnerability Manager
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-090 (KB 3171481): Security Update for Windows Kernel-Mode Drivers
  Bulletin Rating (highest): Important
  Vulnerability Impact: Elevation of Privilege; GDI Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-046
  Intel Security Coverage, Covered Products: NSP, Host IPS, Vulnerability Manager
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-091 (KB 3170048): Security Update for .NET Framework
  Bulletin Rating (highest): Important
  Vulnerability Impact: .NET Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-046
  Intel Security Coverage, Covered Products: Vulnerability Manager
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-092 (KB 3171910): Security Update for Windows Kernel
  Bulletin Rating (highest): Important
  Vulnerability Impact: File System Security Feature Bypass; Kernel Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-046
  Intel Security Coverage, Covered Products: Vulnerability Manager
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-094 (KB 3177404): Security Update for Secure Boot
  Bulletin Rating (highest): Important
  Vulnerability Impact: Secure Boot Security Feature Bypass
  McAfee Labs Security Advisory Number: MTIS16-046
  Intel Security Coverage, Covered Products: Vulnerability Manager
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-093 (KB 3174060): Security Update for Adobe Flash
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Security Update for Adobe Flash Player
  McAfee Labs Security Advisory Number: N/A
  Intel Security Coverage: N/A

Let’s take a closer look at each of the Microsoft Security Bulletins:

MS16-084 (CVE-2016-3204, 3240, 3241, 3242, 3243, 3245, 3248, 3259, 3261, 3273, 3274, 3276, and 3277)

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerabilities by:

  • Modifying how Internet Explorer handles objects in memory
  • Modifying how the JScript and VBScript scripting engines handle objects in memory
  • Correcting how the Microsoft Browser XSS Filter validates JavaScript
  • Changing how certain functions in Internet Explorer handle objects in memory
  • Correcting how Internet Explorer parses HTML


MS16-085 (CVE-2016-3244, 3246, 3248, 3259, 3260, 3265, 3269, 3271, 3273, 3274, 3276, and 3277)

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

The update addresses the vulnerabilities by:

  • Ensuring that Microsoft Edge properly implements Address Space Layout Randomization (ASLR)
  • Modifying how Microsoft Edge handles objects in memory
  • Modifying how the Chakra JavaScript scripting engine handles objects in memory
  • Changing the way certain functions handle objects in memory
  • Fixing how the Microsoft Browser XSS Filter validates JavaScript
  • Correcting how the Microsoft browser parses HTTP responses
  • Correcting how Microsoft Edge parses HTML


MS16-086 (CVE-2016-3204)
The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system.

The update addresses the vulnerability by modifying how the JScript and VBScript scripting engines handle objects in memory.

MS16-087 (CVE-2016-3238 and 3239)

The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network.

The update addresses the vulnerabilities by:

  • Correcting how the Windows Print Spooler service writes to the file system
  • Issuing a warning to users who attempt to install untrusted printer drivers


MS16-088 (CVE-2016-3278 through 3284)

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how:

  • Office handles objects in memory
  • Certain functions handle objects in memory
  • Windows validates input before loading libraries


MS16-089 (CVE-2016-3256)

The vulnerability could allow information disclosure when Windows Secure Kernel Mode improperly handles objects in memory. This security update is rated Important for all supported releases of Windows 10.

The security update addresses the vulnerabilities by correcting how:

  • The Windows kernel-mode driver handles objects in memory.
  • The Windows GDI component handles objects in memory.

MS16-090 (CVE-2016-3249, 3250, 3251, 3252, 3254, and 3286)

The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory, and by correcting VPCI memory handling.

MS16-091 (CVE-2016-3255)

The vulnerability could cause information disclosure if an attacker uploads a specially crafted XML file to a web-based application.

The update addresses the vulnerability by modifying the way that the XML External Entity (XXE) parser parses XML input.
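To show the defensive side of the vulnerability class behind MS16-091, here is an added Python example (my own code, not from the newsletter and not Microsoft's .NET fix) of a parser that refuses any entity declaration or external entity reference before anything can be expanded or fetched. It uses only the standard-library expat binding; the sample documents are constructed for the example, and the file path in the rejected sample is a placeholder.

```python
"""Parse untrusted XML while refusing DTD entity declarations and external
entity references. Added example (not from the newsletter); it uses only the
standard-library expat binding."""
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document tries to declare or reference an entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Return {'root': tag, 'text': joined character data} or raise UnsafeXML.

    Any <!ENTITY ...> declaration, internal or external, aborts the parse, and
    parameter entities are never expanded, so an external DTD is never fetched.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result = {"root": None, "text": []}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if (system_id or public_id) else "internal"
        raise UnsafeXML(f"{kind} entity {name!r} declared; rejecting document")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference to {system_id!r}; rejecting")

    def on_start(tag, attrs):
        if result["root"] is None:
            result["root"] = tag

    def on_chars(text):
        result["text"].append(text)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    # Exceptions raised inside a handler stop parsing and propagate from Parse().
    parser.Parse(data, True)
    result["text"] = "".join(result["text"]).strip()
    return result


def is_accepted(data: bytes) -> bool:
    """True if the document parses cleanly under the strict handlers above."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


# Constructed sample inputs (not from the page). The SYSTEM path is a placeholder.
BENIGN = b"<report><host>ws01</host></report>"
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE report [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<report>&ext;</report>"
)
WITH_INTERNAL_ENTITY = (
    b'<!DOCTYPE report [<!ENTITY a "aaaa">]>'
    b"<report>&a;</report>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    for label, doc in (("external", WITH_EXTERNAL_ENTITY), ("internal", WITH_INTERNAL_ENTITY)):
        print(f"{label} entity document accepted:", is_accepted(doc))
```

Rejecting the declaration itself, rather than just the reference, is what keeps the check simple: the document is refused before any resolver runs, so neither a local file read nor an outbound fetch can happen, and entity-expansion denial-of-service payloads are refused by the same rule.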

MS16-092 (CVE-2016-3258 and 3272)

The most severe of the vulnerabilities could allow security feature bypass if the Windows kernel fails to determine how a low integrity application can use certain object manager features.

The security update addresses the vulnerabilities by adding a validation check to the Windows kernel that determines how a low integrity application can use certain object manager features, and by correcting how the Windows kernel handles certain page fault system calls.

MS16-094 (CVE-2016-3287)

The vulnerability could allow Secure Boot security features to be bypassed if an attacker installs an affected policy on a target device. An attacker must have either administrative privileges or physical access to install a policy and bypass Secure Boot.

The security update addresses the vulnerability by blacklisting affected policies.

MS16-093 (N/A)

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

Finally, these briefings are archived on the McAfee Community site.

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for June 2016 at the Microsoft site.

Safe Computing!

Thank you,

Kelly Housman


 

Hello everyone,

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for June 2016.

Welcome to the June Patch Tuesday update. This is another busy month: Microsoft released a total of Sixteen (16) new security bulletins! For this month, Five (5) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining Eleven (11) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

This month’s patches include the following (columns: Bulletin Number, KB Number, Title, Bulletin Rating (highest), Vulnerability Impact, McAfee Labs Security Advisory Number, Intel Security Coverage):

MS16-063 (KB 3163649): Cumulative Security Update for Internet Explorer
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption; Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-042
  Intel Security Coverage, Covered Products: Vulnerability Manager, NSP, Application Control, BOP, Host IPS, Web Gateway
  Intel Security Coverage, Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-068 (KB 3163656): Cumulative Security Update for Microsoft Edge
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption; Security Bypass; PDF Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-042
  Intel Security Coverage, Covered Products: Vulnerability Manager, NSP, Application Control
  Intel Security Coverage, Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-069 (KB 3163640): Security Update for JScript and VBScript
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption
  McAfee Labs Security Advisory Number: MTIS16-042
  Intel Security Coverage, Covered Products: Vulnerability Manager, Host IPS, NSP, BOP, Application Control
  Intel Security Coverage, Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-070 (KB 3163610): Security Update for Microsoft Office
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Memory Corruption; Information Disclosure; DLL Side Loading
  McAfee Labs Security Advisory Number: MTIS16-042
  Intel Security Coverage, Covered Products: Vulnerability Manager, NSP, BOP, Host IPS, Application Control
  Intel Security Coverage, Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-071 (KB 3164065): Security Update for Microsoft Windows DNS Server
  Bulletin Rating (highest): Critical
  Vulnerability Impact: Use After Free
  McAfee Labs Security Advisory Number: MTIS16-042
  Intel Security Coverage, Covered Products: Vulnerability Manager, BOP, Host IPS, Application Control
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-072 (KB 3163622): Security Update for Group Policy
  Bulletin Rating (highest): Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-043
  Intel Security Coverage, Covered Products: Vulnerability Manager
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-073 (KB 3164028): Security Update for Windows Kernel Mode Drivers
  Bulletin Rating (highest): Important
  Vulnerability Impact: Elevation of Privilege; Virtual PCI Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-043
  Intel Security Coverage, Covered Products: Vulnerability Manager, Host IPS, NSP
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-074 (KB 3164036): Security Update for Microsoft Graphics Component
  Bulletin Rating (highest): Important
  Vulnerability Impact: Information Disclosure; Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-043
  Intel Security Coverage, Covered Products: Vulnerability Manager, NSP
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-075 (KB 3164038): Security Update for Windows SMB Server
  Bulletin Rating (highest): Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-043
  Intel Security Coverage, Covered Products: Vulnerability Manager, NSP
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-076 (KB 3167691): Security Update for Netlogon
  Bulletin Rating (highest): Important
  Vulnerability Impact: Memory Corruption; Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-043
  Intel Security Coverage, Covered Products: Vulnerability Manager, Host IPS, BOP, Application Control
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-077 (KB 3165191): Security Update for Web Proxy Autodiscovery (WPAD)
  Bulletin Rating (highest): Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-043
  Intel Security Coverage, Covered Products: Vulnerability Manager, NSP
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-078 (KB 3165479): Security Update for Windows Diagnostic Hub
  Bulletin Rating (highest): Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-043
  Intel Security Coverage, Covered Products: Vulnerability Manager, NSP
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-079 (KB 3160339): Security Update for Microsoft Exchange
  Bulletin Rating (highest): Important
  Vulnerability Impact: Information Disclosure
  McAfee Labs Security Advisory Number: MTIS16-043
  Intel Security Coverage, Covered Products: Vulnerability Manager
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-080 (KB 3164302): Security Update for Windows PDF
  Bulletin Rating (highest): Important
  Vulnerability Impact: Information Disclosure; Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-043
  Intel Security Coverage, Covered Products: Vulnerability Manager, NSP
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-081 (KB 3164063*): Security Update for Active Directory
  Bulletin Rating (highest): Important
  Vulnerability Impact: Denial of Service
  McAfee Labs Security Advisory Number: MTIS16-043
  Intel Security Coverage, Covered Products: Vulnerability Manager
  Intel Security Coverage, Under Analysis: Firewall Enterprise

MS16-082 (KB 3165270): Security Update for Microsoft Windows StructuredQuery Component
  Bulletin Rating (highest): Important
  Vulnerability Impact: Denial of Service
  McAfee Labs Security Advisory Number: MTIS16-043
  Intel Security Coverage, Covered Products: Vulnerability Manager
  Intel Security Coverage, Under Analysis: Firewall Enterprise

* As of this posting, this KB article hadn’t been posted. The link should work once Microsoft posts the related KB.

Let’s take a closer look at each of the Microsoft Security Bulletins:


MS16-063 (CVE-2016-0199, 0200, 3205, 3206, 3207, 3210, 3211, 3212 and 3213)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system.

The update addresses the vulnerabilities by:

    • Modifying how Internet Explorer handles objects in memory
    • Modifying how the JScript and VBScript scripting engines handle objects in memory
    • Fixing how the Internet Explorer XSS Filter validates JavaScript
    • Correcting how Windows handles proxy discovery


MS16-068 (CVE-2016-3198, 3199, 3201, 3202, 3203, 3214, 3215, and 3222) 

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

The update addresses the vulnerabilities by:

    • Correcting how the Edge Content Security Policy (CSP) validates documents
    • Modifying how the Chakra JavaScript scripting engine handles objects in memory
    • Modifying how Windows parses .pdf files

MS16-069 (CVE-2016-3205, 3206, and 3207)
This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. 

The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory.

 

MS16-070 (CVE-2016-0025, 3233, 3234, and 3235)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.

The security update addresses the vulnerabilities by correcting how:

    • Office handles objects in memory
    • Certain functions handle objects in memory
    • Windows validates input before loading libraries


MS16-071 (CVE-2016-3227)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.

The security update addresses the vulnerability by modifying how DNS servers handle requests.

 

MS16-072 (CVE-2016-3223)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP.

 

MS16-073 (CVE-2016-3218, 3221, and 3232)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory, and by correcting VPCI memory handling.


MS16-074 (CVE-2016-3216, 3219, and 3220)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if a user opens a specially crafted document or visits a specially crafted website.

The security update addresses the vulnerabilities by correcting how:

    • The Windows Graphics Component (GDI32.dll) handles objects in memory
    • The Windows kernel-mode driver (Win32k.sys) handles objects in memory and helps to prevent unintended elevation of privilege from user-mode
    • The Adobe Type Manager Font Driver (ATMFD.dll) handles objects in memory


MS16-075 (CVE-2016-3225) 

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.

The security update addresses the vulnerability by correcting how Windows Server Message Block (SMB) Server handles credential forwarding requests.

MS16-076 (CVE-2016-3228)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to a domain controller (DC) on a target network runs a specially crafted application to establish a secure channel to the DC as a replica domain controller.

The update addresses the vulnerability by modifying how Netlogon handles the establishment of secure channels.

MS16-077 (CVE-2016-3213 and 3236)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system.

The update addresses the vulnerabilities by correcting how Windows handles proxy discovery, and WPAD automatic proxy detection in Windows.

MS16-078 (CVE-2016-3231)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. This security update is rated Important for all supported editions of Microsoft Windows 10.

The security update addresses the vulnerability by correcting how the Windows Diagnostics Hub Standard Collector Service sanitizes input, to help preclude unintended elevated system privileges.

 

MS16-079 (CVE-2016-0028)

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.

The security update addresses the vulnerabilities by correcting the way that Microsoft Exchange parses HTML messages.

MS16-080 (CVE-2016-3201, 3203, and 3215)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file.

The update addresses the vulnerabilities by modifying how Windows parses .pdf files.

MS16-081 (CVE-2016-3226)

This security update resolves a vulnerability in Active Directory. The vulnerability could allow denial of service if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability an attacker must have an account that has privileges to join machines to the domain.

The security update addresses the vulnerability by correcting how machine accounts are created.
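A check worth running alongside this bulletin, added here as an example (it is not part of the newsletter or of the Microsoft bulletin): the "privileges to join machines to the domain" precondition is met by every authenticated user in a default domain, because the ms-DS-MachineAccountQuota attribute on the domain head lets each user create up to 10 computer accounts without any delegated right. The PowerShell below, written for the ActiveDirectory module that ships with RSAT, reads that quota and lists the computer objects whose mS-DS-CreatorSID is set, which Active Directory populates only when a non-administrator consumed the quota to create the object. The function and output field names are this example's own; the commented-out hardening line is the usual remediation, shown but not executed.

```powershell
# Added example (not from the newsletter or the Microsoft bulletin). Needs the
# ActiveDirectory module from RSAT and read access to the domain naming context.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaReport {
    [CmdletBinding()]
    param(
        # Domain controller (or domain name) to query; defaults to the current domain.
        [string]$Server
    )

    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    $domain = Get-ADDomain @adArgs

    # ms-DS-MachineAccountQuota lives on the domain head object. The default of 10
    # lets every authenticated user create computer accounts with no delegated right.
    $domainHead = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota' @adArgs
    $quota = [int]$domainHead.'ms-DS-MachineAccountQuota'

    # AD fills mS-DS-CreatorSID only when the creator had no explicit Create-Child
    # right and consumed the quota instead, so these objects were added by ordinary users.
    $quotaCreated = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', 'whenCreated' @adArgs |
        ForEach-Object {
            $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $_.'mS-DS-CreatorSID', 0
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # creator account may have been deleted since
            [pscustomobject]@{
                Computer = $_.Name
                Created  = $_.whenCreated
                Creator  = $creator
            }
        }

    [pscustomobject]@{
        Domain                 = $domain.DNSRoot
        MachineAccountQuota    = $quota
        AnyUserCanJoinMachines = ($quota -gt 0)
        QuotaCreatedComputers  = @($quotaCreated)
    }
}

# Usage: who can trigger the MS16-081 precondition, and who already used the quota.
$report = Get-MachineAccountQuotaReport
$report | Select-Object Domain, MachineAccountQuota, AnyUserCanJoinMachines | Format-List
$report.QuotaCreatedComputers | Sort-Object Created -Descending | Format-Table -AutoSize

# Hardening often applied alongside this patch: set the quota to 0 so that only
# principals with an explicit "Create Computer objects" right can join machines.
# Set-ADDomain -Identity $report.Domain -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
```

Lowering the quota to 0 removes the default path an ordinary user would use to create the "multiple machine accounts" this bulletin describes; the patch still has to be applied, since accounts with delegated join rights keep that ability.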

MS16-082 (CVE-2016-3230)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.

The update addresses the vulnerability by correcting how the Windows Search component handles objects in memory.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

Finally, these briefings are archived on the McAfee Community site.

For additional security information, you can also review the Microsoft Summary for June 2016 at the Microsoft site.

Safe Computing!

Thank you,

Kelly Housman

Note: I also send this posting out via email. If you would like to be added to the distribution list, please send an email to Kelly.Housman@intel.com.



Hello everyone,

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for May 2016.

Welcome to the May Patch Tuesday update. This is a busy month: Microsoft released a total of Sixteen (16) new security bulletins, including one for systems with Adobe Flash Player installed. Eight (8) of these are rated Critical, which Microsoft terms a vulnerability whose exploitation could allow remote code execution. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining Eight (8) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which indicates that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for another. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory referenced in the table.

This month's patches include the following:

Bulletin Number | KB Number | Title | Bulletin Rating (highest) | Vulnerability Impact | McAfee Labs Security Advisory Number
(Intel Security Coverage for each bulletin is listed beneath its row.)

MS16-051 | KB3155533 | Cumulative Security Update for Internet Explorer | Critical | Security Bypass; Memory Corruption; Information Disclosure | MTIS16-038
  Covered Products: Vulnerability Manager, NSP, Application Control, BOP, Host IPS
  Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-052 | KB3155538 | Cumulative Security Update for Microsoft Edge | Critical | Memory Corruption | MTIS16-038
  Covered Products: Vulnerability Manager, NSP
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-053 | KB3156764 | Security Update for JScript and VBScript | Critical | Memory Corruption | MTIS16-038
  Covered Products: Vulnerability Manager, Host IPS, NSP, BOP, Application Control
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-054 | KB3155544 | Security Update for Microsoft Office | Critical | Memory Corruption; Graphics Remote Code Execution | MTIS16-038
  Covered Products: Vulnerability Manager, NSP, BOP, Host IPS, Application Control
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-055 | KB3156754 | Security Update for Graphics Component | Critical | Remote Code Execution; Information Disclosure | MTIS16-038
  Covered Products: Vulnerability Manager, NSP, BOP, Host IPS, Application Control
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-056 | KB3156761 | Security Update for Windows Journal | Critical | Memory Corruption | MTIS16-038
  Covered Products: Vulnerability Manager, BOP, Application Control, Host IPS
  Under Analysis: Firewall Enterprise

MS16-057 | KB3156987 | Security Update for Windows Shell | Critical | Remote Code Execution | MTIS16-038
  Covered Products: Vulnerability Manager, Host IPS
  Under Analysis: Firewall Enterprise

MS16-058 | KB3141083 | Security Update for Windows IIS | Important | Remote Code Execution | MTIS16-038
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-059 | KB3150220 | Security Update for Windows Media Center | Important | Remote Code Execution | MTIS16-038
  Covered Products: Vulnerability Manager, NSP
  Under Analysis: Firewall Enterprise

MS16-060 | KB3154846 | Security Update for Windows Kernel | Important | Elevation of Privilege | MTIS16-038
  Covered Products: Vulnerability Manager, Host IPS, NSP
  Under Analysis: Firewall Enterprise

MS16-061 | KB3155520 | Security Update for Windows RPC | Important | Elevation of Privilege | MTIS16-038
  Covered Products: Vulnerability Manager, BOP, Host IPS, Application Control, NSP
  Under Analysis: Firewall Enterprise

MS16-062 | KB3158222 | Security Update for Windows Kernel-Mode Drivers | Important | Elevation of Privilege | MTIS-039
  Covered Products: Vulnerability Manager, Host IPS, NSP
  Under Analysis: Firewall Enterprise

MS16-064 | KB3157993 | Security Update for Adobe Flash Player | Critical | N/A | N/A
  Covered Products: N/A
  Under Analysis: N/A

MS16-065 | KB3156757 | Security Update for .NET Framework | Important | Information Disclosure | MTIS-039
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-066 | KB3155451 | Security Update for Virtual Secure Mode | Important | Security Feature Bypass | MTIS-039
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-067 | KB3155784 | Security Update for Volume Manager Driver (USB over RDP) | Important | Information Disclosure | MTIS-039
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

Let’s take a closer look at each of the Microsoft Security Bulletins:

   

MS16-051 (CVE-2016-0187, 0188, 0189, 0192, and 0194)

  The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

 

MS16-052 (CVE-2016-0186, 0191, 0192, and 0193)

  The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights. This security update is rated Critical for Microsoft Edge on Windows 10.

  The update addresses the vulnerability by:

    • Modifying how Microsoft Edge handles objects in memory.
    • Ensuring that cross-domain policies are properly enforced in Microsoft Edge.

 

MS16-053 (CVE-2016-0187 and 0189)
The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory.

 

MS16-054 (CVE-2016-0126, 0140, 0183, and 0198)

The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

The security update addresses the vulnerabilities by correcting how Office handles objects in memory, and by correcting how the Windows font library handles embedded fonts.

 

MS16-055 (CVE-2016-0168, 0169, 0170, 0184, and 0195)

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how the Windows GDI component and the Windows Imaging Component handle objects in memory.

 

MS16-056 (CVE-2016-0182)

The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The update addresses the vulnerability by modifying how Windows Journal parses Journal files.

 

MS16-057 (CVE-2016-0179)

The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website that accepts user-provided online content, or convinces a user to open specially crafted content.
The security update addresses the vulnerability by modifying how Windows Shell handles objects in memory.

MS16-058 (CVE-2016-0152)

To exploit the vulnerability, an attacker must first gain access to the local system and have the ability to execute a malicious application.
The security update addresses the vulnerability by correcting how Windows validates input when loading certain libraries.

 

MS16-059 (CVE-2016-0185)

The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerability by correcting how Windows Media Center handles certain resources in the .mcl file.

 

MS16-060 (CVE-2016-0180)

The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses the vulnerability by correcting how the Windows kernel parses symbolic links.

 

MS16-061 (CVE-2016-0178)

The vulnerability could allow elevation of privilege if an unauthenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host.

The security update addresses the vulnerability by modifying the way that Microsoft Windows handles RPC messages.

 

MS16-062 (CVE-2016-0171 through 0176, 0196, and 0197)

The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses the vulnerabilities by correcting:

    • How the Windows kernel-mode driver handles objects in memory.
    • How the Windows kernel handles memory addresses.
    • The way in which the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) handles certain calls and escapes to preclude improper memory mapping and prevent unintended elevation from user-mode.

  

MS16-064 (N/A)

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

 

MS16-065 (CVE-2016-0149)

The vulnerability could cause information disclosure if an attacker injects unencrypted data in the target secure channel and then performs a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server.

The security update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets.

 

MS16-066 (CVE-2016-0181)

The vulnerability could allow a security feature bypass if an attacker runs a specially crafted application to bypass code integrity protections in Windows.

The update addresses the vulnerability by correcting the security feature’s behavior to preclude incorrect marking of RWX pages under HVCI.

 

MS16-067 (CVE-2016-0190)

The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user.

The security update addresses the vulnerability by ensuring that access to USB disks over RDP is correctly enforced to prevent non-mounting session access.

 

 


For additional security information, you can also review the Microsoft Summary for May 2016 at the Microsoft site.

Safe Computing!

Thank you,

Kelly Housman


Hello everyone,

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for March 2016.

Welcome to the March Patch Tuesday update. This month Microsoft released a total of Thirteen (13) new security bulletins. Five (5) of these are rated Critical, which Microsoft terms a vulnerability whose exploitation could allow remote code execution. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other Eight (8) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which indicates that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for another. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory referenced in the table.

This month's patches include the following:

NOTE: As of this posting, the McAfee Labs Advisory documents had not yet been posted on the community site. Once they are posted, you'll find them there.

Bulletin Number | KB Number | Title | Bulletin Rating | Vulnerability Impact | McAfee Labs Security Advisory Number
(Intel Security Coverage for each bulletin is listed beneath its row.)

MS16-023 | KB3142015 | Cumulative Security Update for Internet Explorer | Critical | Memory Corruption | MTIS16-023
  Covered Products: Vulnerability Manager, NSP, Application Control, BOP, Host IPS
  Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-024 | KB3142019 | Cumulative Security Update for Microsoft Edge | Critical | Memory Corruption | MTIS16-023
  Covered Products: Vulnerability Manager, NSP, Application Control, BOP, Host IPS
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-025 | KB3140709 | Security Update for Windows Library Loading | Important | Remote Code Execution | MTIS16-024
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-026 | KB3144148 | Security Update for Graphic Fonts | Critical | Remote Code Execution | MTIS16-024
  Covered Products: Vulnerability Manager, NSP
  Under Analysis: Firewall Enterprise

MS16-027 | KB3143146 | Security Update for Windows Media Player | Critical | Remote Code Execution | MTIS16-024
  Covered Products: Vulnerability Manager, BOP, Host IPS, Application Control, NSP
  Under Analysis: Firewall Enterprise

MS16-028 | KB3143081 | Security Update for Microsoft Windows PDF Library | Critical | Remote Code Execution | MTIS16-024
  Covered Products: Vulnerability Manager, NSP, BOP, Application Control, Host IPS
  Under Analysis: Firewall Enterprise

MS16-029 | KB3141806 | Security Update for Microsoft Office | Important | Remote Code Execution | MTIS16-024
  Covered Products: Vulnerability Manager, BOP, Host IPS, Application Control, NSP
  Under Analysis: Firewall Enterprise

MS16-030 | KB3143136 | Security Update for Windows OLE | Important | Remote Code Execution | MTIS16-024
  Covered Products: Vulnerability Manager, NSP, Host IPS, BOP, Application Control
  Under Analysis: Firewall Enterprise

MS16-031 | KB3140410 | Security Update for Microsoft Windows | Important | Elevation of Privilege | MTIS16-024
  Covered Products: Vulnerability Manager, NSP
  Under Analysis: Firewall Enterprise

MS16-032 | KB3143141 | Security Update for Secondary Logon | Important | Elevation of Privilege | MTIS16-024
  Covered Products: Vulnerability Manager, NSP
  Under Analysis: Firewall Enterprise

MS16-033 | KB3143142 | Security Update for Windows USB Mass Storage Class Driver | Important | Elevation of Privilege | MTIS16-024
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-034 | KB3143145 | Security Update for Windows Kernel-Mode Drivers | Important | Elevation of Privilege | MTIS16-024
  Covered Products: Vulnerability Manager, Host IPS, NSP
  Under Analysis: Firewall Enterprise

MS16-035 | KB3141780 | Security Update for .NET Framework | Important | Security Feature Bypass | MTIS16-024
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise
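The Bulletin and KB columns of these monthly tables double as an audit list, so here is an added example of turning one into a host check (this is the editor's code, not a McAfee or Microsoft tool, and not part of the newsletter). The PowerShell function below takes a bulletin-to-KB map, copied from the March 2016 table above, and reports which KBs Get-HotFix does not see on a host; the May table can be substituted the same way. Get-HotFix reads Win32_QuickFixEngineering, which only lists updates installed as individual packages through Windows Update, WSUS or an MSU. A KB later superseded by a cumulative update or rollup, or shipped inside an Office or Flash installer, will not appear there even when the fix is present, so "not installed" in this output means "confirm by another route" (WSUS or SCCM compliance, or the file versions in the KB article), not "unpatched". The function name and output fields are this example's own.

```powershell
# Added example (not from the newsletter). Bulletin -> KB mapping copied from the
# March 2016 table above; swap in another month's table to audit that month.
$March2016Bulletins = [ordered]@{
    'MS16-023' = 'KB3142015'
    'MS16-024' = 'KB3142019'
    'MS16-025' = 'KB3140709'
    'MS16-026' = 'KB3144148'
    'MS16-027' = 'KB3143146'
    'MS16-028' = 'KB3143081'
    'MS16-029' = 'KB3141806'
    'MS16-030' = 'KB3143136'
    'MS16-031' = 'KB3140410'
    'MS16-032' = 'KB3143141'
    'MS16-033' = 'KB3143142'
    'MS16-034' = 'KB3143145'
    'MS16-035' = 'KB3141780'
}

function Test-PatchTuesdayCoverage {
    [CmdletBinding()]
    param(
        # Bulletin -> KB map, e.g. the table above.
        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Bulletins,

        # One or more hosts to audit; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        try {
            # Win32_QuickFixEngineering only knows about individually installed
            # packages, so a KB folded into a later rollup is absent even when fixed.
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID
        }
        catch {
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
            continue
        }

        foreach ($bulletin in $Bulletins.Keys) {
            $kb = $Bulletins[$bulletin]
            [pscustomobject]@{
                ComputerName = $computer
                Bulletin     = $bulletin
                KB           = $kb
                Installed    = ($installed -contains $kb)
            }
        }
    }
}

# Usage: list the table's KBs that this host does not report as installed.
Test-PatchTuesdayCoverage -Bulletins $March2016Bulletins |
    Where-Object { -not $_.Installed } |
    Format-Table -AutoSize
```

Pass several names to -ComputerName to sweep a set of servers in one run; the objects the function emits can be piped to Export-Csv for a compliance record rather than formatted for the screen.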

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS16-023 (CVE-2016-0102 through 0114)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

The security update addresses the vulnerabilities by:

    • Modifying how Internet Explorer handles objects in memory

 

MS16-024 (CVE-2016-0102, 0105, 0109, 0110, 0111, 0116, 0119, 0123, 0124, 0125, 0129, and 0130)

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

The update addresses the vulnerabilities by:

    • Modifying how Microsoft Edge handles objects in memory
    • Changing how Microsoft Edge handles the referrer policy

  

MS16-025 (CVE-2016-0100)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Microsoft Windows fails to properly validate input before loading certain libraries. However, an attacker must first gain access to the local system with the ability to execute a malicious application.

The security update addresses the vulnerability by correcting how Windows OLE validates input on library load.

MS16-026 (CVE-2016-0120 and 0121)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker either convinces a user to open a specially crafted document, or to visit a webpage that contains specially crafted embedded OpenType fonts. This security update is rated Critical for all supported editions of Windows.

The security update addresses the vulnerabilities by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.

 

MS16-027 (CVE-2016-0098 and 0101)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens specially crafted media content that is hosted on a website. This security update is rated Critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

The security update addresses the vulnerabilities by correcting how Windows handles resources in the media library.

 

MS16-028 (CVE-2016-0117 and 0118)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file.

An attacker who successfully exploited these vulnerabilities could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows 10.

The update addresses the vulnerabilities by modifying how Windows parses .PDF files.

 

MS16-029 (CVE-2016-0021, 0057, and 0134)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerabilities by:

    • Correcting how Office handles objects in memory
    • Providing a validly signed binary

MS16-030 (CVE-2016-0091 and 0092) 

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if Windows OLE fails to properly validate user input. An attacker could exploit the vulnerabilities to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message. This security update is rated Important for all supported editions of Windows.

The security update addresses the vulnerabilities by correcting how Windows OLE validates user input.

 

MS16-031 (CVE-2016-0087)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker is able to log on to a target system and run a specially crafted application. This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

The security update addresses the vulnerability by correcting how Windows validates impersonation events.

 

MS16-032 (CVE-2016-0099)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege when the Windows Secondary Logon Service fails to properly manage request handles in memory. This security update is rated Important for all supported editions of Windows.

The security update addresses the vulnerability by correcting how Windows manages request handles in memory.

 

MS16-033 (CVE-2016-0133)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker with physical access inserts a specially crafted USB device into the system. This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

The security update addresses the vulnerability by correcting how Windows handles objects in memory.

 

MS16-034 (CVE-2016-0093 through 0096)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. This security update is rated Important for all supported editions of Microsoft Windows.

The security update addresses the vulnerabilities by correcting how Windows handles objects in memory.

 

MS16-035 (CVE-2016-0132)

This security update resolves a vulnerability in Microsoft .NET Framework. The security feature bypass exists in a .NET Framework component that does not properly validate certain elements of a signed XML document. This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, and Microsoft .NET Framework 4.6.1 on affected releases of Microsoft Windows.

The update addresses the vulnerability by correcting how the .NET Framework validates XML documents.

 


For additional useful security information, please make note of the following links: 

You can also review the Microsoft Summary for March 2016 at the Microsoft site.

Safe Computing!

Thank you,

Kelly Housman

 


Hello everyone,


This is Kelly Housman with the Microsoft Patch Tuesday newsletter for February 2016.  

 

Welcome to the February Patch Tuesday update. This month Microsoft released a total of Thirteen (13) new security bulletins, including one from Adobe for Flash. For this month, Five (5) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow remote code execution. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other Eight (8) are rated Important.

   

Clarification of the Intel Security Coverage column in the table below

 

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

   

This month’s patches include the following:

MS16-009 (KB 3134220): Cumulative Security Update for Internet Explorer
  Bulletin Rating: Critical
  Vulnerability Impact: Memory Corruption & Elevation of Privileges
  McAfee Labs Security Advisory Number: MTIS16-015
  Intel Security Coverage:
    Covered Products: Vulnerability Manager, NSP, Application Control, BOP, Host IPS, DAT
    Under Analysis: Firewall Enterprise

MS16-011 (KB 3134225): Cumulative Security Update for Microsoft Edge
  Bulletin Rating: Critical
  Vulnerability Impact: Memory Corruption
  McAfee Labs Security Advisory Number: MTIS16-015
  Intel Security Coverage:
    Covered Products: Vulnerability Manager, BOP, Host IPS, NSP, Application Control, DAT
    Under Analysis: Firewall Enterprise

MS16-012 (KB 3138938): Security Update for Microsoft Windows PDF Library
  Bulletin Rating: Critical
  Vulnerability Impact: Buffer Overflow
  McAfee Labs Security Advisory Number: MTIS16-015
  Intel Security Coverage:
    Covered Products: Vulnerability Manager, BOP, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise

MS16-013 (KB 3134811): Security Update to Windows Journal
  Bulletin Rating: Critical
  Vulnerability Impact: Memory Corruption and Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-015
  Intel Security Coverage:
    Covered Products: Vulnerability Manager, Host IPS, Application Control, NSP
    Under Analysis: Firewall Enterprise

MS16-014 (KB 3134228): Security Update for Microsoft Windows
  Bulletin Rating: Important
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-016
  Intel Security Coverage:
    Covered Products: Vulnerability Manager, NSP
    Under Analysis: Firewall Enterprise, BOP, Application Control, DAT, Web Gateway, Host IPS

MS16-015 (KB 3134226): Security Update for Microsoft Office
  Bulletin Rating: Important
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-016
  Intel Security Coverage:
    Covered Products: Vulnerability Manager, BOP, Host IPS, Application Control, NSP, DAT
    Under Analysis: Firewall Enterprise

MS16-016 (KB 3136041): Security Update for WebDAV
  Bulletin Rating: Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-016
  Intel Security Coverage:
    Covered Products: Vulnerability Manager, NSP, Host IPS
    Under Analysis: Firewall Enterprise

MS16-017 (KB 3134700): Security Update for Remote Desktop Display Driver
  Bulletin Rating: Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-016
  Intel Security Coverage:
    Covered Products: Vulnerability Manager
    Under Analysis: Firewall Enterprise

MS16-018 (KB 3136082): Security Update for Windows Kernel-Mode Driver
  Bulletin Rating: Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-016
  Intel Security Coverage:
    Covered Products: Vulnerability Manager, NSP, BOP, Host IPS, Application Control
    Under Analysis: Firewall Enterprise

MS16-019 (KB 3137893): Security Update for .NET Framework
  Bulletin Rating: Important
  Vulnerability Impact: Denial of Service
  McAfee Labs Security Advisory Number: MTIS16-016
  Intel Security Coverage:
    Covered Products: Vulnerability Manager, NSP, BOP, Host IPS, Application Control
    Under Analysis: Firewall Enterprise

MS16-020 (KB 3134222): Security Update for Active Directory
  Bulletin Rating: Important
  Vulnerability Impact: Denial of Service
  McAfee Labs Security Advisory Number: MTIS16-016
  Intel Security Coverage:
    Covered Products: Vulnerability Manager
    Under Analysis: Firewall Enterprise

MS16-021 (KB 3133043): Security Update for Network Policy Server RADIUS implementation
  Bulletin Rating: Important
  Vulnerability Impact: Denial of Service
  McAfee Labs Security Advisory Number: MTIS16-016
  Intel Security Coverage:
    Covered Products: Vulnerability Manager
    Under Analysis: Firewall Enterprise

MS16-022 (KB 3135782): Security Update for Adobe Flash Player
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: APSB16-04


 

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

   

MS16-009 (CVE-2016-0059 thru 0065, 0067 thru 0069, 0071, 0072, and 0086)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

 

    • Twenty-three (23) of these vulnerabilities are Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged-in user, and then execute arbitrary code.
    • Three (3) of these vulnerabilities are XSS Security Bypass vulnerabilities. These may allow an attacker to steal cookie-based authentication credentials and other sensitive data that may aid in further attacks.
    • One (1) of these vulnerabilities is a Security Feature Bypass vulnerability. It bypasses the Address Space Layout Randomization (ASLR) feature in the Microsoft browser.

As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

MS16-011 (CVE-2016-0061, 0062, 0077, 0080, 0082, 0083, and 0084)

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

 

The update addresses the vulnerability by:

  • Correcting how Microsoft Edge parses HTTP responses
  • Modifying how Microsoft Edge handles objects in memory
  • Helping to ensure that affected versions of Microsoft Edge properly implement the ASLR security feature

 

MS16-012 (CVE-2016-0046 and 0058)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if Microsoft Windows PDF Library improperly handles application programming interface (API) calls, which could allow an attacker to run arbitrary code on the user’s system. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. However, an attacker would have no way to force users to download or open a malicious PDF document.

 

MS16-013 (CVE-2016-0038)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

   

MS16-014 (CVE-2016-0040, 0041, 0042, 0044, and 0049)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker is able to log on to a target system and run a specially crafted application.

 

The security update addresses the vulnerabilities by:

  • Correcting how the Windows kernel handles objects in memory
  • Correcting how Windows validates input before loading DLL files
  • Correcting how Microsoft Sync Framework validates input
  • Adding an additional authentication check

MS16-015 (CVE-2016-0022, 0039, 0052, and 0053 thru 0057) 

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

 

The security update addresses the vulnerabilities by:

  • Correcting how Office handles objects in memory
  • Providing a validly signed binary
  • Helping to ensure that SharePoint Server properly sanitizes web requests

  

MS16-016 (CVE-2016-0051)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specifically crafted input to a server.


MS16-017 (CVE-2016-0036)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an authenticated attacker logs on to the target system using RDP and sends specially crafted data over the connection. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.


MS16-018 (CVE-2016-0048)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

 

MS16-019 (CVE-2016-0033 and 0047)

This security update resolves vulnerabilities in Microsoft .NET Framework. The more severe of the vulnerabilities could cause denial of service if an attacker inserts specially crafted XSLT into a client-side XML web part, causing the server to recursively compile XSLT transforms.

This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, and Microsoft .NET Framework 4.6.1 on affected releases of Microsoft Windows.

 

MS16-020 (CVE-2016-0037)

This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow denial of service if an attacker sends certain input data during forms-based authentication to an ADFS server, causing the server to become nonresponsive.

This security update is rated Important for ADFS 3.0 when installed on x64-based editions of Windows Server 2012 R2.

 

MS16-021 (CVE-2016-0050)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could cause denial of service on a Network Policy Server (NPS) if an attacker sends specially crafted username strings to the NPS, which could prevent RADIUS authentication on the NPS.

This security update is rated Important for all supported editions of Windows Server 2008 (excluding Itanium), and Windows Server 2008 R2 (excluding Itanium), and all supported editions of Windows Server 2012 and Windows Server 2012 R2.

 

MS16-022 (CVE-2016-0964 thru 0985)

Finally, this security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows 10 Version 1511.

The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.


NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

 

You can also review the Microsoft Summary for December 2015 at the Microsoft site.

 

 

Safe Computing!

Thank you,

Kelly Housman

 


 

Hello everyone,

 

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for January 2016.

 

Welcome to the January Patch Tuesday update. This month Microsoft released a total of Nine (9) new security bulletins. For this month, Six (6) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow remote code execution. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other Three (3) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

This month’s patches include the following:

MS16-001 (KB 3124903): Cumulative Security Update for Internet Explorer
  Bulletin Rating: Important / Critical
  Vulnerability Impact: Memory Corruption & Elevation of Privileges
  McAfee Labs Security Advisory Number: MTIS16-005
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr., BOP, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise

MS16-002 (KB 3124904): Cumulative Security Update for Microsoft Edge
  Bulletin Rating: Critical
  Vulnerability Impact: Memory Corruption
  McAfee Labs Security Advisory Number: MTIS16-005
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr., BOP, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise

MS16-003 (KB 3125540): Cumulative Security Update for JScript and VBScript
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-005
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr., BOP, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise

MS16-004 (KB 3124585): Security Update for Microsoft Office
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution / ASLR Security Bypass
  McAfee Labs Security Advisory Number: MTIS16-005
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr., BOP, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-005 (KB 3124584): Security Update for Windows Kernel-Mode Drivers
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-005
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr., Host IPS, NSP
    Under Analysis: Firewall Enterprise

MS16-006 (KB 3126036): Security Update for Silverlight
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-005
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr., BOP, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise

MS16-007 (KB 3124901): Security Update for Microsoft Windows
  Bulletin Rating: Important
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-005
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr., BOP, NSP, Host IPS, Application Control
    Under Analysis: Firewall Enterprise

MS16-008 (KB 3124605): Security Update for Kernel
  Bulletin Rating: Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Labs Security Advisory Number: MTIS16-005
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr., NSP
    Under Analysis: Firewall Enterprise

MS16-010 (KB 3124557): Security Update for Exchange Server
  Bulletin Rating: Important
  Vulnerability Impact: Spoofing Vulnerability
  McAfee Labs Security Advisory Number: MTIS16-005
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr.
    Under Analysis: Firewall Enterprise



 

 

Let’s take a closer look at each of the Microsoft Security Bulletins:


MS16-001 (CVE-2016-0002 and 0005)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

 

The security update addresses the vulnerabilities by:

  • Modifying how VBScript handles objects in memory
  • Helping to ensure that cross-domain policies are properly enforced in Internet Explorer


MS16-002 (CVE-2016-0003 and 0024)

This security update resolves vulnerabilities in Microsoft Edge. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. This security update is rated Critical for Microsoft Edge on Windows 10. The update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory.


MS16-003 (CVE-2016-0002)

This security update resolves a vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system.

 

This security update is rated Critical for affected versions of the VBScript scripting engine on supported editions of Windows Vista, Windows Server 2008, and Server Core installations of Windows Server 2008 R2.

 

MS16-004 (CVE-2016-6117, 0010, 0011, 0012, and 0035)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.

 

The security update addresses the vulnerabilities by:

  • Correcting how Microsoft Office handles objects in memory
  • Ensuring that Microsoft SharePoint correctly enforces ACP configuration settings
  • Helping to ensure that Microsoft Office properly implements the ASLR security feature

MS16-005 (CVE-2016-0008 and 0009)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if a user visits a malicious website.

This security update is rated Critical for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; it is rated Important for all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows 10 Version 1511.

 

MS16-006 (CVE-2016-0034)

This security update resolves a vulnerability in Microsoft Silverlight. The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. An attacker would have no way to force users to visit a compromised website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or instant message that takes users to the attacker's website.

This security update is rated Critical for Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac or all supported releases of Microsoft Windows.

MS16-007 (CVE-2016-0014, 0015, 0016, 0018, 0019, and 0020)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker is able to log on to a target system and run a specially crafted application.

 

MS16-008 (CVE-2016-0006 and 0007)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. This security update is rated Important for all supported releases of Microsoft Windows.


MS16-010 (CVE-2016-0029 thru 0032)

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow spoofing if Outlook Web Access (OWA) fails to properly handle web requests, and sanitize user input and email content. This security update is rated Important for all supported editions of Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016.

 


NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.


The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.


Finally, these briefings are archived on the McAfee Community site.

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for December 2015 at the Microsoft site.

Safe Computing!

Thank you,

Kelly Housman

 


Hi All!

Starting January 1, 2016, most browsers are phasing out trust of certificates signed using SHA1. Any certificate signed after January 1 will be untrusted in some way (how varies by browser); certificates signed before that date are still accepted.

McAfee Web Gateway issues its own certificates for the sites it SSL-scans, so the signing date of those certificates will be after January 1, 2016. To avoid any issues, please ensure that you are not using SHA1 in your SSL scanning settings (use SHA256 instead). If you migrated from an older version to a newer one, this setting is not updated automatically.

This is configured under Policy > Settings > Engines > SSL Client Context with CA, in the digest dropdown. Be sure to configure the digest in all settings containers for "SSL Client Context with CA".

Firefox actively blocks access to the site, while Chrome displays a passive warning in the address bar.

If the Certificate Authority used in the McAfee Web Gateway was signed using SHA1, you should consider replacing it soon. At the moment the browsers will only complain if the web server certificate is signed using SHA1. However, the same may happen eventually for CA certs signed using SHA1.

For the time being, adjusting the settings above should suffice in avoiding browser errors.

Mozilla Firefox Announcement:

https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/

Google Chrome Announcement:

http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html


Microsoft Announcement:

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode...


Best Regards,

Jon
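To verify that the digest change took effect, here is an added check that is not part of Jon's post and not a Web Gateway tool: it reads the signature algorithm and notBefore date out of a DER certificate with a minimal stdlib-only walk and flags the combination the browsers reject (a SHA-1 signature on a certificate signed on or after 2016-01-01). `fetch_cert` is an assumption of how a client would obtain the certificate it is actually presented with (the proxy-issued one when the connection is SSL-scanned) and is the only part that needs the network; the `SAMPLE_*` values are constructed DER skeletons, not real signed certificates.

```python
"""Added check for the SHA-1 sunset described above: flags a certificate whose
signature is SHA-1 and whose notBefore is on or after 2016-01-01 (stdlib only)."""
import datetime
import socket
import ssl

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1",
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}
SUNSET = datetime.datetime(2016, 1, 1)      # cut-off date named in the post

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:                   # base-128 arcs, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def _decode_time(tag, content):
    """UTCTime (tag 0x17, two-digit year, RFC 5280 century rule) or GeneralizedTime."""
    text = content.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ")

def cert_summary(der):
    """Return (signature algorithm OID, notBefore) from a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0         # skip the optional [0] version
    _, _, pos = _read_tlv(tbs, pos)         # serialNumber
    _, alg, pos = _read_tlv(tbs, pos)       # signature AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)
    _, _, pos = _read_tlv(tbs, pos)         # issuer
    _, validity, _ = _read_tlv(tbs, pos)    # SEQUENCE { notBefore, notAfter }
    tag, not_before, _ = _read_tlv(validity, 0)
    return _decode_oid(oid), _decode_time(tag, not_before)

def classify(der):
    """'blocked' is the case the post warns about; 'legacy-sha1' is a SHA-1
    certificate signed before the cut-off, which browsers still accept for now."""
    oid, not_before = cert_summary(der)
    name = SIG_ALG_NAMES.get(oid, oid)
    if oid in SHA1_OIDS:
        return ("blocked" if not_before >= SUNSET else "legacy-sha1"), name
    return "ok", name

def fetch_cert(host, port=443):
    """DER cert as presented to this client; verification off so a rejected one is still returned."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed samples: DER skeletons carrying only the fields read above (not real certs).
def _tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def build_sample_cert(sig_oid, not_before):
    t = _tlv(0x17, not_before.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + _tlv(0x30, b"")
           + _tlv(0x30, t + t) + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))

SAMPLE_SHA1_AFTER = build_sample_cert("1.2.840.113549.1.1.5", datetime.datetime(2016, 3, 1))
SAMPLE_SHA1_BEFORE = build_sample_cert("1.2.840.113549.1.1.5", datetime.datetime(2015, 6, 1))
SAMPLE_SHA256 = build_sample_cert("1.2.840.113549.1.1.11", datetime.datetime(2016, 3, 1))
```

From a client behind the gateway, `classify(fetch_cert("some-scanned-site"))` returning `"blocked"` means the certificate that client sees is still SHA-1 signed, which is the symptom to look for in every "SSL Client Context with CA" settings container.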


 

Hello everyone,

 

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for December 2015.

 

Welcome to the December Patch Tuesday update. This month Microsoft released a total of twelve (12) new security bulletins. For this month, eight (8) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other four (4) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

 

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

This month’s patches include the following:

MS15-124 (KB 3116180): Cumulative Security Update for Internet Explorer
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS15-182, MTIS15-183
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-125 (KB 3116184): Cumulative Security Update for Microsoft Edge
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS15-183
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr, BOP, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-126 (KB 3116178): Cumulative Security Update for JScript and VBScript
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS15-183
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr (Nov 10), BOP, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-127 (KB 3100465): Security Update for Microsoft Windows DNS
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS15-183
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr, Host IPS, Application Control
    Under Analysis: Firewall Enterprise

MS15-128 (KB 3104503): Security Update for Microsoft Graphics Component
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS15-184
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr, BOP, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise

MS15-129 (KB 3106614): Security Update for Silverlight
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS15-184
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr, BOP, Host IPS, Application Control
    Under Analysis: Firewall Enterprise

MS15-130 (KB 3108670): Security Update for Microsoft Uniscribe
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS15-184
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr, NSP, Host IPS, Application Control
    Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-131 (KB 3116111): Security Update for Microsoft Office
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS15-184
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr, NSP, BOP, Host IPS, Application Control
    Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-132 (KB 3116162): Security Update for Microsoft Windows
  Bulletin Rating: Important
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS15-184
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr, NSP
    Under Analysis: Firewall Enterprise

MS15-133 (KB 3116130): Security Update for Windows PGM
  Bulletin Rating: Important
  Vulnerability Impact: Elevation of Privileges
  McAfee Labs Security Advisory Number: MTIS15-184
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr, Host IPS, NSP
    Under Analysis: Firewall Enterprise

MS15-134 (KB 3108669): Security Update for Windows Media Center
  Bulletin Rating: Important
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS15-184
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr
    Under Analysis: Firewall Enterprise

MS15-135 (KB 3119075): Security Update for Windows Kernel-Mode Drivers
  Bulletin Rating: Important
  Vulnerability Impact: Elevation of Privileges
  McAfee Labs Security Advisory Number: MTIS15-184
  Intel Security Coverage:
    Covered Products: Vulnerability Mgr, Host IPS, NSP
    Under Analysis: Firewall Enterprise

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS15-124 (CVE-2015-6083, 6134 to 6159, and 6161 to 6164)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

 

This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers. For more information, see the Affected Software section. 

    • Twenty-three (23) of these vulnerabilities are Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
    • Three (3) of these vulnerabilities are XSS Security Bypass vulnerabilities. These may allow an attacker to steal cookie-based authentication credentials and other sensitive data that may aid in further attacks.
    • One (1) of these vulnerabilities is a Security Feature Bypass vulnerability. It bypasses the Address Space Layout Randomization (ASLR) feature in the Microsoft Browser.
    • As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

MS15-125 (CVE-2015-6139, 6140, 6142, 6148, 6151, 6153 to 6155, 6158, 6159, 6161, 6168, 6169, 6170, 6176)

This cumulative security update affects only the Microsoft Edge browser on Windows 10. Ten (10) of these vulnerabilities are Remote Code Execution vulnerabilities; the others are Security Feature Bypass, Information Disclosure, and Privilege Escalation vulnerabilities.

 

MS15-126 (CVE-2015-6135 to 6137)

This security update resolves two (2) Remote Code Execution vulnerabilities in the JScript and VBScript scripting engines and one (1) Information Disclosure vulnerability. This bulletin represents a memory usage fix for vbscript.dll.

 

MS15-127 (CVE-2015-6125) 

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.
The security update addresses the vulnerability by modifying how DNS servers parse requests.
 

 

MS15-128 (CVE-2015-6106, 6107, 6108)

This security update resolves vulnerabilities in Microsoft Windows, the .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight. These vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.

 

MS15-129 (CVE-2015-6114, 6165, 6166)

This update resolves three (3) vulnerabilities in Microsoft Silverlight. To exploit a vulnerability, an attacker could host a website that contains a specially crafted Silverlight application and then convince a user to visit that compromised website. The attacker could also take advantage of websites that accept or host user-provided content or advertisements and thereby contain specially crafted content.

 

MS15-130 (CVE-2015-6130)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains specially crafted fonts.

 

MS15-131 (CVE-2015-6040, 6118, 6122, 6124 (Exploited), 6172, 6177)

Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in the context of the current user. Exploitation could occur via an email attachment or a malicious link, by convincing the user to open the attachment or click the link.

 

MS15-132 (CVE-2015-6128, 6129, 6132, 6133) 

Multiple remote code execution vulnerabilities exist when Windows improperly validates input before loading libraries. An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. To exploit the vulnerabilities, an attacker would need access to the local system and the ability to execute a specially crafted application on the system. The security update addresses the vulnerabilities by correcting how Windows validates input before loading libraries.

 

MS15-133 (CVE-2015-6126) 

An elevation of privilege vulnerability exists in the Windows Pragmatic General Multicast (PGM) protocol that is caused when an attacker-induced race condition results in references to memory contents that have already been freed. Microsoft Message Queuing (MSMQ) must be installed and PGM specifically enabled for a system to be vulnerable. MSMQ is not present in default configurations, and if it is installed, the PGM protocol is available but disabled by default.

 

MS15-134 (CVE-2015-6127, 6131) 

A vulnerability exists in Windows Media Center that could allow information disclosure if Windows Media Center improperly handles a specially crafted Media Center link (.mcl) file that references malicious code.  

  • An attack through Internet Explorer or Microsoft Edge requires the user to accept a security warning. If the attacker's executable file is on the localhost or in the same LAN, it will open without a warning. However, if the share is outside of the local network, a security warning dialog box will appear.
  • For an attack to succeed, the user must first open Media Center and set it up.

 

MS15-135 (CVE-2015-6171, 6173, 6174, 6175 (Exploited))

Finally, multiple elevation of privilege vulnerabilities exist due to the way the Windows kernel handles objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in kernel mode.

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities: 

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site. 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

 

You can also review the Microsoft Summary for December 2015 at the Microsoft site.

 

 

Safe Computing!

Thank you, 

Kelly Housman 


Hi Gurus!

It appears that there is a bug in Chrome 47 causing problems with NTLM Authentication.

In the meantime it might be best to prevent it from being installed. A fix was mentioned to be ready by Friday, but I'm not clear if that's definitive.

Details on the bug can be found here:

Issue 544255 - chromium - Chrome asks for authentication on http sites on squid - An open-source pro...

A workaround has been discovered! (Dec 4th)

The issue has to do with Chrome receiving the HTTP response, and the HTTP response being too big for its buffer. So if we reduce the size of the response, Chrome will behave in a better fashion.

To reduce the size of the response, we can change the MWG block page which is used for authentication. To do this, navigate to Policy > Settings, and click edit for any of the block templates. On the Template Editor screen, find the "Authentication Required" block page template and remove the contents of this block page (at least for now).


Update Dec 8th - Create an empty collection


Some customers reported that the above workaround did not help. If you are using your own custom template collection, you will need to create an empty template collection. This can be done in four steps:

1. Create an "empty" template collection by clicking Add next to the Collection dropdown, instead of OK and Edit.

2. Verify that the "empty" collection is selected.

3. Create an empty "Authentication Required" template, and click OK.

4. Add a single space to the index template.

The only other workarounds would be to disable authentication or enable Kerberos authentication. Here is a link to the guide on setting up Kerberos:

Best Regards,

Jon


Hi All!

With Web Gateway 7.5.x gaining steam it's important to note that it includes a 64-bit AV engine. With this improvement it is recommended to upgrade the RAM in your Web Gateway.

At a minimum it is recommended to have 8GB of RAM when Gateway Anti-Malware is used.

Minimum requirements for all platforms (virtual and appliance) have been updated in the latest Installation Guide: McAfee KnowledgeBase - Web Gateway 7.5.2 Installation Guide

Please check out our guide for upgrading the memory:

Older KB: Please check out the KB listed below about what kind of memory is supported in our B model appliances (4000B, 4500B, 5000B, 5500B). The KB includes specific memory modules which can be purchased.

McAfee KnowledgeBase - Web Gateway 7.5.0 recommended memory (RAM) upgrade

Best Regards,

Jon


Hello everyone,

This is Greg Blaum with the Microsoft Patch Tuesday newsletter for November 2015.

Welcome to the November Patch Tuesday update. This month Microsoft released a total of twelve (12) new security bulletins. For this month, four (4) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other eight (8) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

This month’s patches include the following:

Bulletin Number | KB Number | Title | Bulletin Rating | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage

MS15-112 | 3104517 | Cumulative Security Update for Internet Explorer | Critical | Remote Code Execution | MTIS15-173
  Covered Products: Vulnerability Mgr (Nov 10), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-113 | 3104519 | Cumulative Security Update for Microsoft Edge | Critical | Remote Code Execution | MTIS15-174
  Covered Products: Vulnerability Mgr (Nov 10), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-114 | 3100213 | Security Update for Windows Journal to Address Remote Code Execution | Critical | Remote Code Execution | MTIS15-174
  Covered Products: Vulnerability Mgr (Nov 10), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-115 | 3105864 | Security Update for Microsoft Windows to Address Remote Code Execution | Critical | Remote Code Execution | MTIS15-174
  Covered Products: Vulnerability Mgr (Nov 10), Host IPS, NSP
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-116 | 3104540 | Security Update for Microsoft Office to Address Remote Code Execution | Important | Remote Code Execution | MTIS15-174
  Covered Products: Vulnerability Mgr (Nov 10), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-117 | 3101722 | Security Update for NDIS to Address Elevation of Privilege | Important | Elevation of Privilege | MTIS15-174
  Covered Products: Vulnerability Mgr (Nov 10), Host IPS, NSP
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-118 | 3104507 | Security Update for .NET Framework to Address Elevation of Privilege | Important | Elevation of Privilege | MTIS15-174
  Covered Products: Vulnerability Mgr (Nov 10), NSP
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-119 | 3104521 | Security Update for Winsock to Address Elevation of Privilege | Important | Elevation of Privilege | MTIS15-174
  Covered Products: Vulnerability Mgr (Nov 10), NSP
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-120 | 3102939 | Security Update for IPSec to Address Denial of Service | Important | Denial of Service | MTIS15-174
  Covered Products: Vulnerability Mgr (Nov 10)
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-121 | 3081320 | Security Update for Schannel to Address Spoofing | Important | Spoofing | MTIS15-174
  Covered Products: Vulnerability Mgr (Nov 10)
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-122 | 3105256 | Security Update for Kerberos to Address Security Feature Bypass | Important | Security Feature Bypass | MTIS15-175
  Covered Products: Vulnerability Mgr (Nov 10)
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

MS15-123 | 3105872 | Security Update for Skype for Business and Microsoft Lync to Address Information Disclosure | Important | Information Disclosure | MTIS15-175
  Covered Products: Vulnerability Mgr (Nov 10)
  Under Analysis: Firewall Enterprise, Web Gateway, DAT

Let’s take a closer look at each of the Microsoft Security Bulletins:

MS15-112 (CVE-2015-2427, 6064, 6065, 6066, 6068 to 6082, and 6084 to 6089)

Here is the standard cumulative Internet Explorer Security Update. This Internet Explorer update addresses 25 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 7 through Internet Explorer 11 on all currently supported versions of Windows. Because of the wide version numbers of Internet Explorer that have these vulnerabilities, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

  • Twenty-three (23) of these vulnerabilities are Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
  • One (1) of these vulnerabilities is an Information Disclosure vulnerability. If exploited, an attacker could potentially read data that was not intended to be disclosed.
  • One (1) of these vulnerabilities is a Security Feature Bypass vulnerability. It bypasses the Address Space Layout Randomization (ASLR) feature in the Microsoft Browser.
  • As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

   

MS15-113 (CVE-2015-6064, 6073, 6078, & 6088)

This cumulative security update affects only the Microsoft Edge browser on Windows 10. Three (3) of these vulnerabilities are Remote Code Execution vulnerabilities and the other one (1) is a Security Feature Bypass Vulnerability.

MS15-114 (CVE-2015-6097)

This security update resolves a single Remote Code Execution vulnerability in Windows Journal. It can only be exploited if a user is convinced to open a specially crafted Journal file. This vulnerability came through coordinated vulnerability disclosure.

MS15-115 (CVE-2015-6100 to 6104, 6109, & 6113)

This bulletin addresses a potpourri of different vulnerabilities in the Windows Kernel. Here we see Memory Elevation of Privilege vulnerabilities, Information Disclosure vulnerabilities, Remote Code Execution vulnerabilities, and a Security Feature Bypass vulnerability. It is for all currently supported versions of the desktop and server flavors of Windows.

MS15-116 (CVE-2015-2503, 6038, 6091 to 6094, & 6123)

Here we have multiple vulnerabilities in Microsoft Office, including five (5) Memory Corruption vulnerabilities, an Elevation of Privilege vulnerability, and a Spoofing vulnerability on the Mac version. Versions covered include: 2007, 2010, 2013, 2016, 2013 RT, Mac 2011, Mac 2016, Excel & Word viewers, Office Web Apps 2010 and 2013, Lync 2013, Skype for Business 2016, as well as SharePoint Server 2007, 2010, and 2013.

MS15-117 (CVE-2015-6098)

This bulletin addresses a single Elevation of Privilege vulnerability in Microsoft Windows NDIS. It could allow elevation of privilege if an attacker is able to log on to the system and run a specially crafted application. This update resolves the issue by addressing how NDIS validates buffer length.

MS15-118 (CVE-2015-6096, 6099, & 6115)

This security update addresses an Information Disclosure vulnerability, an Elevation of Privilege vulnerability, and a Security Feature Bypass vulnerability in multiple versions of the .NET Framework. Since it is possible to have multiple versions of the .NET Framework installed on any given system, users may be required to install multiple software update packages, but they all address the three (3) vulnerabilities in this bulletin.

MS15-119 (CVE-2015-2478)

Similarly to MS15-117, this addresses an Elevation of Privilege vulnerability in Winsock. Like that vulnerability, it could allow elevation of privilege if an attacker is able to log on to the system and run a specially crafted application. This one is addressed by preventing Winsock from accessing invalid memory addresses.

MS15-120 (CVE-2015-6111)

It seems like this is the month for vulnerabilities in the networking components, because here’s one in IPSec that resolves a Denial of Service vulnerability. Each one of these network component updates addresses a single vulnerability.

MS15-121 (CVE-2015-6112)

This bulletin addresses a Spoofing vulnerability in the Schannel component. In order to be exploited, an attacker needs to perform a man-in-the-middle (MiTM) attack between a client and a legitimate server. It is present in all supported releases of Windows, with the exception of Windows 10. So that’s good news for adopters of Windows 10.

MS15-122 (CVE-2015-6095)

Here we have a Security Feature Bypass vulnerability in Kerberos. While this one is only marked as Important, I’d advise patching it quickly because an attacker could bypass Kerberos and decrypt drives that are protected by BitLocker. However, this can only be accomplished if the affected system has BitLocker enabled without a PIN or USB key, it is domain-joined, or if the attacker has full physical access to the target computer.

MS15-123 (CVE-2015-6061)

Finally, this bulletin covers an Information Disclosure vulnerability in Skype for Business 2016, Lync 2013, Lync 2010, and the Lync Room system. It overlaps somewhat with MS15-116 because of shared components in the affected software.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

Finally, these briefings are archived on the McAfee Community site.

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for November 2015 at the Microsoft site.

This month will be my last Patch Tuesday newsletter. I’m handing this over to another engineer that will be taking it over starting in December. I’d like to thank everyone for reading the Patch Tuesday newsletter, and for all the great suggestions!

Stay safe!

-Greg


Wireshark is a packet analyzer that can help you analyze network problems and detect network intrusion attempts and network misuse. It can be downloaded free on Wireshark’s website.

 

When there is an issue with Web Defense, our engineering team may request a packet capture to use in troubleshooting. If you want to troubleshoot issues such as a slow network or application, looking at HTTP traffic is simple. Wireshark allows you to set up a capture filter that looks at TCP traffic on a particular port such as 80 or, for SSL, 443. Try “tcp port 80 and host xxx.xxx.xxx.xxx” as a capture filter to only capture packets on port 80 to or from a particular host.

You can use a display filter to further reduce the results to see errors and transactions for HTTP only. Try the display filter “http”, or to find a specific error code you could try “http.response.code==503” for Service Unavailable errors or “http.response.code==404” for Page Not Found errors.

Packet captures can also be beneficial in troubleshooting issues with spam originating from your network. As with HTTP, a capture filter cannot select SMTP traffic by protocol, but it can be set up to capture TCP traffic only on a particular port such as 25. You should be able to determine which host, external or internal, is generating unusual amounts of traffic using these results.

You can also further filter the results by FROM or RCPT to attempt to narrow down a sender or recipient. Try the display filter “smtp.req.parameter contains "from"” to see sending addresses.

If you’re ready to get started with Wireshark, check out the Wireshark Wiki; it includes examples of capture and display filters as well as a wealth of sample captures to try your filters on.

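Once the port-25 capture and the smtp.req.parameter display filter described above have narrowed the traffic down, the remaining work is counting envelope commands per source host. The script below is an added example, not part of the original post: it post-processes a tab-separated field export of the kind tshark produces (the field names ip.src, smtp.req.command and smtp.req.parameter are real Wireshark fields; the pcap file name, the sample lines and the alert thresholds are constructed for illustration).

```python
"""Triage SMTP envelope traffic exported from a Wireshark/tshark capture.

Assumed export command (capture.pcap is a placeholder name):
  tshark -r capture.pcap \
         -Y 'smtp.req.command == "MAIL" || smtp.req.command == "RCPT"' \
         -T fields -e ip.src -e smtp.req.command -e smtp.req.parameter
Each output line is: <source ip>\t<MAIL|RCPT>\t<FROM:<addr> | TO:<addr>>
"""
import re
import sys
from collections import defaultdict

# Constructed sample of tshark field output (not taken from a real capture).
SAMPLE_EXPORT = """\
10.0.0.15\tMAIL\tFROM:<alice@example.com>
10.0.0.15\tRCPT\tTO:<bob@partner.example>
10.0.0.42\tMAIL\tFROM:<promo1@example.com>
10.0.0.42\tRCPT\tTO:<u1@victim1.example>
10.0.0.42\tRCPT\tTO:<u2@victim2.example>
10.0.0.42\tMAIL\tFROM:<promo2@example.com>
10.0.0.42\tRCPT\tTO:<u3@victim3.example>
10.0.0.42\tRCPT\tTO:<u4@victim4.example>
10.0.0.42\tRCPT\tTO:<u5@victim5.example>
10.0.0.42\tMAIL\tFROM:<promo3@example.com>
10.0.0.42\tRCPT\tTO:<u6@victim6.example>
"""

# The envelope address is the part between angle brackets in FROM:<...> / TO:<...>.
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_export(text):
    """Yield (src_ip, command, address) tuples from tshark field lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        src, cmd, param = parts
        m = ADDR_RE.search(param)
        addr = m.group(1).lower() if m else param.strip().lower()
        yield src, cmd.upper(), addr


def summarize(text):
    """Per source host: message count, distinct senders, distinct recipients and domains."""
    stats = defaultdict(lambda: {"mail": 0, "senders": set(), "rcpts": set()})
    for src, cmd, addr in parse_export(text):
        if cmd == "MAIL":
            stats[src]["mail"] += 1  # one MAIL FROM per message
            stats[src]["senders"].add(addr)
        elif cmd == "RCPT":
            stats[src]["rcpts"].add(addr)
    return {
        src: {
            "messages": s["mail"],
            "distinct_senders": len(s["senders"]),
            "distinct_recipients": len(s["rcpts"]),
            "rcpt_domains": len({a.split("@", 1)[-1] for a in s["rcpts"]}),
        }
        for src, s in stats.items()
    }


def suspicious_hosts(text, min_messages=3, min_rcpt_domains=3):
    """Hosts that both send many messages and spray many recipient domains.

    The thresholds are constructed defaults; tune them to your mail volume.
    """
    return sorted(
        src
        for src, s in summarize(text).items()
        if s["messages"] >= min_messages and s["rcpt_domains"] >= min_rcpt_domains
    )


if __name__ == "__main__":
    # Pass "-" to read a real tshark export from stdin; otherwise use the sample.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_EXPORT
    for src, s in sorted(summarize(data).items()):
        print(src, s)
    print("suspicious:", suspicious_hosts(data))
```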

Hello everyone,

This is Greg Blaum with the Microsoft Patch Tuesday newsletter for September 2015.

Welcome to the September Patch Tuesday update. This month Microsoft released a total of twelve (12) new security bulletins. For this month, five (5) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other seven (7) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

This month’s patches include the following:

Bulletin Number | KB Number | Title | Bulletin Rating | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage

MS15-094 | 3089548 | Cumulative Security Update for Internet Explorer | Critical | Remote Code Execution | MTIS15-139
  Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS15-095 | 3089665 | Cumulative Security Update for Microsoft Edge | Critical | Remote Code Execution | MTIS15-139
  Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS15-096 | 3072595 | Vulnerability in Active Directory Service Could Allow Denial of Service | Important | Denial of Service | MTIS15-139
  Covered Products: Vulnerability Mgr (Sep 8)
  Under Analysis: Firewall Enterprise

MS15-097 | 3089656 | Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution | Critical | Remote Code Execution | MTIS15-140
  Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS15-098 | 3089669 | Vulnerabilities in Windows Journal Could Allow Remote Code Execution | Critical | Remote Code Execution | MTIS15-140
  Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise

MS15-099 | 3089664 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution | Critical | Remote Code Execution | MTIS15-140
  Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise

MS15-100 | 3087918 | Vulnerability in Windows Media Center Could Allow Remote Code Execution | Important | Remote Code Execution | MTIS15-140
  Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, Application Control
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS15-101 | 3089662 | Vulnerabilities in .NET Framework Could Allow Elevation of Privilege | Important | Elevation of Privilege | MTIS15-140
  Covered Products: Vulnerability Mgr (Sep 8), NSP
  Under Analysis: Firewall Enterprise

MS15-102 | 3089657 | Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege | Important | Elevation of Privilege | MTIS15-140
  Covered Products: Vulnerability Mgr (Sep 8), NSP
  Under Analysis: Firewall Enterprise

MS15-103 | 3089250 | Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure | Important | Information Disclosure | MTIS15-141
  Covered Products: Vulnerability Mgr (Sep 8)
  Under Analysis: Firewall Enterprise

MS15-104 | 3089952 | Vulnerabilities in Skype for Business Server and Lync Server Could Allow Elevation of Privilege | Important | Elevation of Privilege | MTIS15-141
  Covered Products: Vulnerability Mgr (Sep 8)
  Under Analysis: Firewall Enterprise

MS15-105 | 3091287 | Vulnerability in Windows Hyper-V Could Allow Security Feature Bypass | Important | Security Feature Bypass | MTIS15-141
  Covered Products: Vulnerability Mgr (Sep 8)
  Under Analysis: Firewall Enterprise

Let’s take a closer look at each of the Microsoft Security Bulletins:

MS15-094 (CVE-2015-2483 to 2487, 2489 to 2494, 2498 to 2501, 2541 & 2542)

Here is the standard cumulative Internet Explorer Security Update. It addresses 17 vulnerabilities across multiple versions of Internet Explorer, affecting Internet Explorer 7 through Internet Explorer 11 on all currently supported versions of Windows. Because so many Internet Explorer versions are affected, this touches a very large installed base. Let’s take a closer look at the vulnerabilities covered by this patch:

  • Fourteen (14) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
  • Two (2) of these vulnerabilities are Information Disclosure vulnerabilities. If exploited, an attacker could potentially read data that was not intended to be disclosed.
  • One (1) of these vulnerabilities is an Elevation of Privilege vulnerability. If exploited, this potentially allows a script to be run with elevated privileges.
  • As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

   

MS15-095 (CVE-2015-2485 and 2486, 2494, and 2542)

This cumulative security update affects only the Microsoft Edge browser on Windows 10. All four (4) vulnerabilities patched by this bulletin are Memory Corruption vulnerabilities that could allow Remote Code Execution. As with the cumulative Internet Explorer update in MS15-094, attackers would have to convince users with an affected version of Microsoft Edge to view specially crafted content that exploits these vulnerabilities.

MS15-096 (CVE-2015-2535)

This security update resolves a Denial of Service vulnerability in Active Directory. An authenticated attacker could create multiple machine accounts and cause the Active Directory service to become non-responsive. Note that the attacker must have valid credentials in order to exploit this vulnerability.
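The scenario above depends on an ordinary authenticated account being allowed to create machine accounts at all; by default every authenticated domain user may join up to 10 computers (the ms-DS-MachineAccountQuota attribute on the domain head). Installing the update is the fix, but auditing that quota is the check a practitioner wants alongside it. The PowerShell below is an added example, not part of the newsletter: it reports the quota, lists who has actually used it (computer objects created under the quota carry mS-DS-CreatorSID), and with the example’s own -Enforce switch sets the quota to 0. It assumes the ActiveDirectory RSAT module is installed and that it runs with Domain Admin rights; the helper function name is also this example’s own.

```powershell
# Added example (not from the newsletter): audit who may create machine accounts
# in this domain and, with -Enforce, remove the implicit right. Requires the
# ActiveDirectory RSAT module and Domain Admin rights. The -Enforce switch and
# the helper function are this example's own names.
[CmdletBinding()]
param([switch]$Enforce)

Import-Module ActiveDirectory -ErrorAction Stop

function ConvertTo-SidString($raw) {
    # mS-DS-CreatorSID comes back as a SecurityIdentifier or a raw byte[]
    # depending on the module version; normalise to the S-1-5-... string.
    if ($raw -is [byte[]]) { return (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value }
    return $raw.Value
}

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# ms-DS-MachineAccountQuota sits on the domain head; the default is 10, which is
# what lets any authenticated user create machine accounts in the MS15-096 scenario.
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host ('{0}: ms-DS-MachineAccountQuota = {1}' -f $domain.DNSRoot, $quota)

# Computer objects created under the quota (rather than by a delegated admin)
# carry mS-DS-CreatorSID. Counting them per creator shows who is using it.
$underQuota = @(Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated)
Write-Host ('{0} computer account(s) were created under the quota:' -f $underQuota.Count)
$underQuota |
    Group-Object { ConvertTo-SidString $_.'mS-DS-CreatorSID' } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $name = $_.Name
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($name)
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $name }   # creator no longer resolvable (e.g. a deleted account)
        '{0,5}  {1}' -f $_.Count, $who
    }

if ($Enforce) {
    # 0 removes the implicit join right for everyone. Join rights must then be
    # delegated explicitly ("Create Computer objects" on the target OU) to the
    # accounts or provisioning service that actually join machines.
    Set-ADDomain -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host 'ms-DS-MachineAccountQuota set to 0.'
}
```

A quota of 0 is a compensating control that limits how many accounts any one user can create; it does not remove the need to install the update, and it will break domain joins performed by non-admin users until "Create Computer objects" has been delegated on the relevant OU. Machines already joined under the old quota are unaffected.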

MS15-097 (CVE-2015-2506 to 2508, 2510 to 2512, 2517 & 2518, 2527, 2529, & 2546)

This bulletin addresses multiple security vulnerabilities in Microsoft graphics components in Microsoft Windows, Microsoft Office, and Microsoft Lync. These are Elevation of Privilege and Remote Code Execution vulnerabilities. This update replaces updates in MS14-036, MS15-078 and MS15-080. Multiple update packages are offered depending on which affected software is installed, so be sure to install all of them.

MS15-098 (CVE-2015-2513 & 2514, 2516, 2519, & 2530)

Here we have multiple Remote Code Execution vulnerabilities in the Windows Journal. They exist when a specially crafted Journal file is opened and could cause arbitrary code to be executed in the context of the current user.

MS15-099 (CVE-2015-2520 through 2523, & 2545)

This bulletin covers five (5) vulnerabilities in Microsoft Office and Microsoft SharePoint. For the Microsoft Office vulnerabilities, three (3) of them are Memory Corruption vulnerabilities where Microsoft Office software fails to properly handle objects in memory. The other vulnerability in Microsoft Office is a Remote Code Execution vulnerability when opening a corrupted graphics image file or inserting a corrupted graphics image into a Microsoft Office file. The final update in this bulletin addresses a cross-site scripting (XSS) vulnerability in Microsoft SharePoint. SharePoint fails to properly sanitize user-supplied web requests, which could result in spoofing. Note that the SharePoint update contains additional security-related changes to functionality and replaces previous SharePoint updates.

MS15-100 (CVE-2015-2509)

This security update resolves a Remote Code Execution vulnerability in Windows Media Center. It could allow the execution of arbitrary code if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code.

MS15-101 (CVE-2015-2504, 2526)

Here we have a Denial of Service vulnerability and an Elevation of Privilege vulnerability in the Microsoft .NET Framework. This update affects multiple versions of the Microsoft .NET Framework, so users may have to install multiple packages to patch the vulnerability in each version that is installed. The Elevation of Privilege vulnerability has web browsing as an attack scenario, so it is very important to get this update deployed.

MS15-102 (CVE-2015-2524, 2525, & 2528)

This update resolves a trio of Elevation of Privilege vulnerabilities in Windows Task Management. It affects current Windows client and Windows server operating systems.

MS15-103 (CVE-2015-2505, 2543, & 2544)

This bulletin addresses an Information Disclosure vulnerability and two (2) Spoofing vulnerabilities in Microsoft Exchange Server 2013. All three (3) affect Outlook Web App (OWA), so companies utilizing OWA should investigate and schedule the installation of this update.

MS15-104 (CVE-2015-2531, 2532, & 2536)

This security update resolves three (3) cross-site scripting (XSS) vulnerabilities in Skype for Business Server and Microsoft Lync Server. Two (2) of these are Information Disclosure vulnerabilities and the other one is an Elevation of Privilege vulnerability. These only affect the server versions of Skype for Business and Microsoft Lync.

MS15-105 (CVE-2015-2534)

Finally, here we’ve got a Security Feature Bypass vulnerability in Windows Hyper-V. It exists when Windows Hyper-V access control list (ACL) configuration settings are not applied correctly. An attacker could run a specially crafted application that causes Hyper-V to allow unintended network traffic.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

Finally, these briefings are archived on the McAfee Community site.

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for September 2015 at the Microsoft site.

Until next month…stay safe!

-Greg


As an adjunct to our monthly Patch Tuesday updates, Microsoft released an out-of-band patch on August 18th. They only release out-of-band patches for the most critical security bugs, so this one is very important.

Generic Buffer Overflow Protection in VSE (BOP) and Host IPS is expected to cover code execution exploits. Application Control’s runtime Execution Control, coupled with its Memory Protection, helps protect against attacks targeting this vulnerability.

Each entry gives the Bulletin Number and KB Number, the Title, the Bulletin Rating, the Vulnerability Impact, the McAfee Labs Security Advisory Number(s), and the Intel Security Coverage (Covered Products and Under Analysis).

MS15-093 (KB 3088903): Security Update for Internet Explorer. Rating: Critical. Impact: Remote Code Execution. Advisory: MTIS15-133.
  • Covered Products: Vulnerability Mgr (Aug 19), BOP, Host IPS, NSP, Application Control
  • Under Analysis: DAT, Web Gateway, Firewall Enterprise

Stay safe!

-Greg


Hello everyone,

This is Greg Blaum with the Microsoft Patch Tuesday newsletter for August 2015.

Welcome to the first Patch Tuesday after Microsoft’s release of Windows 10. This month Microsoft released a total of fourteen (14) new security bulletins. Four (4) of these are rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow code execution without any user interaction. These are the vulnerabilities system administrators are usually most concerned about and try to patch as quickly as possible. The other ten (10) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which indicates that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for another. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory referenced by number.

This month’s patches include the following:

Each entry gives the Bulletin Number and KB Number, the Title, the Bulletin Rating, the Vulnerability Impact, the McAfee Labs Security Advisory Number(s), and the Intel Security Coverage (Covered Products and Under Analysis).

MS15-079 (KB 3082442): Cumulative Security Update for Internet Explorer. Rating: Critical. Impact: Remote Code Execution. Advisory: MTIS15-124.
  • Covered Products: Vulnerability Mgr (Aug 11), BOP, Host IPS, NSP, Application Control
  • Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS15-080 (KB 3078662): Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution. Rating: Critical. Impact: Remote Code Execution. Advisories: MTIS15-124, MTIS15-125, MTIS15-127.
  • Covered Products: Vulnerability Mgr (Aug 11), BOP, Host IPS, NSP, Application Control
  • Under Analysis: Firewall Enterprise

MS15-081 (KB 3080790): Vulnerabilities in Microsoft Office Could Allow Remote Code Execution. Rating: Critical. Impact: Remote Code Execution. Advisories: MTIS15-125, MTIS15-127.
  • Covered Products: Vulnerability Mgr (Aug 11), BOP, Host IPS, NSP, Application Control, DAT
  • Under Analysis: Firewall Enterprise, DAT

MS15-082 (KB 3080348): Vulnerabilities in RDP Could Allow Remote Code Execution. Rating: Important. Impact: Remote Code Execution. Advisories: MTIS15-125, MTIS15-127.
  • Covered Products: Vulnerability Mgr (Aug 11)
  • Under Analysis: Firewall Enterprise

MS15-083 (KB 3073921): Vulnerability in Server Message Block Could Allow Remote Code Execution. Rating: Important. Impact: Remote Code Execution. Advisories: MTIS15-125, MTIS15-127.
  • Covered Products: Vulnerability Mgr (Aug 11)
  • Under Analysis: Firewall Enterprise

MS15-084 (KB 3080129): Vulnerabilities in XML Core Services Could Allow Information Disclosure. Rating: Important. Impact: Information Disclosure. Advisories: MTIS15-125, MTIS15-127.
  • Covered Products: Vulnerability Mgr (Aug 11)
  • Under Analysis: Firewall Enterprise

MS15-085 (KB 3082487): Vulnerability in Mount Manager Could Allow Elevation of Privilege. Rating: Important. Impact: Elevation of Privilege. Advisories: MTIS15-125, MTIS15-127.
  • Covered Products: Vulnerability Mgr (Aug 11)
  • Under Analysis: Firewall Enterprise

MS15-086 (KB 3075158): Vulnerability in System Center Operations Manager Could Allow Elevation of Privilege. Rating: Important. Impact: Elevation of Privilege. Advisories: MTIS15-125, MTIS15-127.
  • Covered Products: Vulnerability Mgr (Aug 11)
  • Under Analysis: Firewall Enterprise

MS15-087 (KB 3082459): Vulnerability in UDDI Services Could Allow Elevation of Privilege. Rating: Important. Impact: Elevation of Privilege. Advisories: MTIS15-125, MTIS15-127.
  • Covered Products: Vulnerability Mgr (Aug 11)
  • Under Analysis: Firewall Enterprise

MS15-088 (KB 3082458): Unsafe Command Line Parameter Passing Could Allow Information Disclosure. Rating: Important. Impact: Information Disclosure. Advisories: MTIS15-125, MTIS15-127.
  • Covered Products: Vulnerability Mgr (Aug 11)
  • Under Analysis: Firewall Enterprise

MS15-089 (KB 3076949): Vulnerability in WebDAV Could Allow Information Disclosure. Rating: Important. Impact: Information Disclosure. Advisories: MTIS15-125, MTIS15-127.
  • Covered Products: Vulnerability Mgr (Aug 11)
  • Under Analysis: Firewall Enterprise

MS15-090 (KB 3060716): Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege. Rating: Important. Impact: Elevation of Privilege. Advisories: MTIS15-125, MTIS15-127.
  • Covered Products: Vulnerability Mgr (Aug 11), NSP
  • Under Analysis: Firewall Enterprise

MS15-091 (KB 3084525): Cumulative Security Update for Microsoft Edge. Rating: Critical. Impact: Remote Code Execution. Advisory: MTIS15-126.
  • Covered Products: Vulnerability Mgr (Aug 11), BOP, Host IPS, NSP, Application Control
  • Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS15-092 (KB 3086251): Vulnerabilities in .NET Framework Could Allow Elevation of Privilege. Rating: Important. Impact: Elevation of Privilege. Advisory: MTIS15-126.
  • Covered Products: Vulnerability Mgr (Aug 11)
  • Under Analysis: DAT, Web Gateway, Firewall Enterprise

Let’s take a closer look at each of the Microsoft Security Bulletins:

MS15-079 (CVE-2015-2423, 2441 through 2452)

Here is the standard cumulative Internet Explorer Security Update. It addresses 13 vulnerabilities across multiple versions of Internet Explorer, affecting Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because so many Internet Explorer versions are affected, this touches a very large installed base. Let’s take a closer look at the vulnerabilities covered by this patch:

  • Ten (10) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
  • Two (2) of these vulnerabilities are Security Feature Bypass vulnerabilities. Both of them bypass the Address Space Layout Randomization (ASLR) feature.
  • One (1) of these vulnerabilities is an Information Disclosure vulnerability. If exploited, an attacker could potentially read data that was not intended to be disclosed.
  • As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.


MS15-080 (CVE-2015-2431 through 2433, 2435, 2453 through 2456, and 2458 through 2465)

This security update addresses multiple vulnerabilities in a Microsoft graphics component that is shared among several applications. It resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. Users will be offered multiple update packages depending on which of these products are installed on their machines.

Here are the vulnerabilities broken down into groups:

  • Six (6) OpenType Font Parsing
  • Five (5) TrueType Font Parsing
  • Office Graphics Component Remote Code Execution (RCE)
  • Kernel Address Space Layout Randomization (ASLR) Security Feature Bypass
  • Client/Server Run-time Subsystem (CSRSS) Elevation of Privilege
  • Windows Kernel-Mode Driver (KMD) Security Feature Bypass
  • Windows Shell Security Feature Bypass

MS15-081 (CVE-2015-1642, 2423, 2466 through 2470, and 2477)

This security update resolves multiple vulnerabilities in Microsoft Office software. It affects the following versions of Microsoft Office software: Office 2007, Office 2010, Office 2013, Office 2013 RT, Office for Mac 2011, Office for Mac 2016, Word Viewer, and the Office Compatibility Pack SP3.

Here are the vulnerabilities broken down into groups:

  • Five (5) Memory Corruption
  • Unsafe Command Line Parameter Passing Information Disclosure (this vulnerability *has* been publicly disclosed)
  • Office Remote Code Execution in failure to properly validate templates
  • Office Integer Underflow Remote Code Execution

MS15-082 (CVE-2015-2472 & 2473)

This bulletin addresses two (2) vulnerabilities in the Remote Desktop Protocol (RDP). It affects multiple versions of Windows, including client and server versions. Please check the bulletin for specifics on the versions affected. Get these updates deployed to hosts with RDP enabled.

The first vulnerability is a failure of the Remote Desktop Session Host (RDSH) to properly validate certificates during authentication. If successfully exploited, an attacker could impersonate the RDP client session. The second vulnerability is a result of the Microsoft Windows Remote Desktop Protocol client improperly handling the loading of certain specially crafted DLL files. A successful exploitation of this vulnerability would result in the attacker being able to take complete control of an affected system.

MS15-083 (CVE-2015-2474)

Here we have a Remote Code Execution vulnerability that occurs when Server Message Block (SMB) improperly handles certain logging activities. It only affects Windows Vista and Windows Server 2008 (including the Server Core installation). Server Message Block (SMB) is the network file sharing protocol built into Windows.

MS15-084 (CVE-2015-2434, 2440, and 2471)

This security update addresses three (3) Information Disclosure vulnerabilities in XML Core Services. Some versions of the XML Core Services are provided as part of Microsoft Windows, other versions ship with additional software such as Microsoft Office.

The following versions of XML Core Services are affected:

  • Microsoft XML Core Services 3.0 and Microsoft XML Core Services 6.0 on all supported releases of Microsoft Windows except Windows 10, which is not affected.
  • Microsoft XML Core Services 5.0 on Microsoft Office 2007 Service Pack 3
  • Microsoft XML Core Services 5.0 on Microsoft InfoPath 2007 Service Pack 3

MS15-085 (CVE-2015-1769)

This security update resolves an Elevation of Privilege vulnerability in the Mount Manager component of Microsoft Windows. It is a result of the Mount Manager improperly processing symbolic links when a USB device is inserted into a target system.

MS15-086 (CVE-2015-2420)

Here we have an Elevation of Privilege vulnerability in Microsoft System Center Operations Manager 2012 and 2012 R2. It is the result of improper input validation and could allow an attacker to inject a client-side script into the user’s browser. The primary risk is to users who are authorized to access the System Center Operations Manager web consoles.

MS15-087 (CVE-2015-2475)

This update resolves an Elevation of Privilege vulnerability in the Universal Description, Discovery, and Integration (UDDI) Services. It affects Windows Server 2008 (including the Server Core installation) and multiple versions of BizTalk Server.

MS15-088 (CVE-2015-2423)

Here we have an Information Disclosure vulnerability in Microsoft Windows, Internet Explorer, and Microsoft Office. To be exploited, it has to be combined with another vulnerability in Internet Explorer. An attacker could then use this unsafe command line parameter passing vulnerability to launch Notepad, Visio, PowerPoint, Excel, or Word and disclose information. This vulnerability *has* been publicly disclosed.

MS15-089 (CVE-2015-2476)

This is a single Information Disclosure vulnerability in the Microsoft Web Distributed Authoring and Versioning (WebDAV) client. Similar to other vulnerabilities we’ve seen, it is a result of the use of SSL 2.0 and is resolved by defaulting to a more secure protocol than SSL 2.0.
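The fix in MS15-089 changes what the WebDAV client negotiates, but the same weakness applies to anything else on the host that still allows SSL 2.0. The PowerShell below is an added example, not part of the newsletter: it reports the SCHANNEL SSL 2.0 settings for the Client and Server roles and, with the example’s own -Disable switch, turns the protocol off using the registry layout Microsoft documents in KB 245030. It assumes it runs elevated; SCHANNEL reads these values at startup, so a reboot is required before a change takes effect.

```powershell
# Added example (not from the newsletter): report the SCHANNEL SSL 2.0 settings
# on this host and, with -Disable, turn the protocol off for the Client and Server
# roles. Registry layout per Microsoft KB 245030. Run elevated; SCHANNEL reads
# these values at startup, so a reboot is required before the change takes effect.
# The -Disable switch name is this example's own.
[CmdletBinding()]
param([switch]$Disable)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

foreach ($side in 'Client', 'Server') {
    $key = Join-Path $base $side
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $enabled = $props.Enabled                      # 0 = protocol forbidden outright
        $disabledByDefault = $props.DisabledByDefault  # 1 = not in the default protocol set
    }

    # "Enabled=0" wins over anything an application asks for; "DisabledByDefault=1"
    # only keeps SSL 2.0 out of the default negotiation, so a client that explicitly
    # requests SSL 2.0 can still get it. That is why both values are set below.
    $state = if ($enabled -eq 0) { 'disabled (Enabled=0)' }
             elseif ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default (no explicit setting; varies by Windows version)' }
             elseif ($disabledByDefault -eq 1) { 'not offered by default, but still available to applications that request it' }
             else { 'enabled' }
    Write-Host ('SSL 2.0 {0,-6}: {1}' -f $side, $state)

    if ($Disable) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Host ('SSL 2.0 {0,-6}: now disabled; reboot to apply' -f $side)
    }
}
```

Disabling the Server role as well is the right default on anything that terminates TLS, but test it first where very old clients still connect; the Client role change is what closes the class of issue this bulletin describes.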

MS15-090 (CVE-2015-2428 through 2430)

Here we’ve got a trio of Elevation of Privilege vulnerabilities in Microsoft Windows. They exist in the following components: Windows Object Manager, Windows Registry, and Windows Filesystem. They are present in client and server versions of Microsoft Windows.

MS15-091 (CVE-2015-2441 & 2442, 2446, and 2449)

This is our first Windows 10-only security update. It resolves four (4) separate vulnerabilities in Microsoft Edge, the new web browser built into Windows 10. Three (3) of the vulnerabilities are Remote Code Execution Memory Corruption vulnerabilities and the other one is an Address Space Layout Randomization (ASLR) Security Feature Bypass vulnerability. Get this deployed to those new Windows 10 systems.

MS15-092 (CVE-2015-2479 through 2481)

Finally, this bulletin addresses three (3) Elevation of Privilege vulnerabilities in the Microsoft .NET Framework. It affects the Microsoft .NET Framework 4.6 on all supported versions of Microsoft Windows, except the Itanium editions.

Bonus Vulnerability Coverage: Although not technically listed as a Microsoft Security Bulletin (listed as a Security Advisory), Microsoft updated Microsoft Security Advisory 2755801 on August 11th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, Windows Server 2012 & 2012 R2, and Windows 10. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-19. McAfee Labs Security Advisories for these vulnerabilities will be published on the McAfee Labs Security Advisories Community site.
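To turn a month’s bulletin table into a quick compliance check on a Windows host, the PowerShell below (an added example, not part of the newsletter) asks the Windows Update Agent which of this month’s bulletins are still being offered to the machine and reports them Critical-first. The bulletin IDs, KB numbers and ratings are copied from the August table above; the COM calls are the standard Windows Update Agent API (Microsoft.Update.Session), and the helper function name is this example’s own. One point worth the detour: the KB number in the table is the bulletin’s summary article, and a bulletin that ships several packages installs under different per-package KB numbers, so matching on Get-HotFix IDs would report false "missing" results. Each update the agent offers carries the bulletin IDs it belongs to, and that is what the script matches on.

```powershell
# Added example (not from the newsletter): ask the Windows Update Agent which of
# this month's bulletins are still missing on this host. Bulletin IDs, KB numbers
# and ratings below are copied from the August 2015 table; the WUA COM calls
# (Microsoft.Update.Session / IUpdateSearcher) are the standard, documented API.
$bulletins = @(
    [pscustomobject]@{ Id = 'MS15-079'; KB = '3082442'; Rating = 'Critical';  Title = 'Cumulative Security Update for Internet Explorer' }
    [pscustomobject]@{ Id = 'MS15-080'; KB = '3078662'; Rating = 'Critical';  Title = 'Microsoft Graphics Component RCE' }
    [pscustomobject]@{ Id = 'MS15-081'; KB = '3080790'; Rating = 'Critical';  Title = 'Microsoft Office RCE' }
    [pscustomobject]@{ Id = 'MS15-082'; KB = '3080348'; Rating = 'Important'; Title = 'RDP RCE' }
    [pscustomobject]@{ Id = 'MS15-083'; KB = '3073921'; Rating = 'Important'; Title = 'Server Message Block RCE' }
    [pscustomobject]@{ Id = 'MS15-084'; KB = '3080129'; Rating = 'Important'; Title = 'XML Core Services Information Disclosure' }
    [pscustomobject]@{ Id = 'MS15-085'; KB = '3082487'; Rating = 'Important'; Title = 'Mount Manager EoP' }
    [pscustomobject]@{ Id = 'MS15-086'; KB = '3075158'; Rating = 'Important'; Title = 'System Center Operations Manager EoP' }
    [pscustomobject]@{ Id = 'MS15-087'; KB = '3082459'; Rating = 'Important'; Title = 'UDDI Services EoP' }
    [pscustomobject]@{ Id = 'MS15-088'; KB = '3082458'; Rating = 'Important'; Title = 'Unsafe Command Line Parameter Passing Information Disclosure' }
    [pscustomobject]@{ Id = 'MS15-089'; KB = '3076949'; Rating = 'Important'; Title = 'WebDAV Information Disclosure' }
    [pscustomobject]@{ Id = 'MS15-090'; KB = '3060716'; Rating = 'Important'; Title = 'Microsoft Windows EoP' }
    [pscustomobject]@{ Id = 'MS15-091'; KB = '3084525'; Rating = 'Critical';  Title = 'Cumulative Security Update for Microsoft Edge' }
    [pscustomobject]@{ Id = 'MS15-092'; KB = '3086251'; Rating = 'Important'; Title = '.NET Framework EoP' }
)

# Do NOT look the table's KB number up with Get-HotFix: it is the bulletin's
# summary article, and a bulletin that ships several packages (MS15-080, MS15-084)
# installs under different, per-package KB numbers. Each update offered by WUA
# instead carries the bulletin IDs it belongs to, so match on those.
$searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()

function Get-BulletinMap([string]$criteria) {
    # Returns a hashtable: bulletin ID -> list of "KBnnnnnn Title" package strings.
    $map = @{}
    foreach ($u in $searcher.Search($criteria).Updates) {
        $kbs = @(foreach ($k in $u.KBArticleIDs) { "KB$k" }) -join ','
        foreach ($b in $u.SecurityBulletinIDs) {
            if (-not $map.ContainsKey($b)) { $map[$b] = @() }
            $map[$b] += ('{0} {1}' -f $kbs, $u.Title)
        }
    }
    return $map
}

# Same query the Windows Update UI runs, against the host's configured source
# (WSUS or Microsoft Update). The IsInstalled=1 search can take a while.
$missing   = Get-BulletinMap "IsInstalled=0 and Type='Software'"
$installed = Get-BulletinMap "IsInstalled=1 and Type='Software'"

$report = foreach ($bul in $bulletins) {
    # A multi-package bulletin counts as MISSING if any of its packages is still offered.
    if     ($missing.ContainsKey($bul.Id))   { $status = 'MISSING' }
    elseif ($installed.ContainsKey($bul.Id)) { $status = 'installed' }
    else   { $status = 'not offered (not applicable, superseded, or product not serviced here)' }
    [pscustomobject]@{
        Bulletin = $bul.Id
        Rating   = $bul.Rating
        Status   = $status
        Packages = ($missing[$bul.Id] -join '; ')
    }
}

# Critical bulletins first, then by bulletin number.
$report | Sort-Object @{ Expression = { $_.Rating -ne 'Critical' } }, Bulletin | Format-Table -AutoSize
```

Run it elevated. The answer reflects the host’s configured update source, so a WSUS client only sees updates an administrator has approved, and Office, Lync, SQL Server and System Center updates are only reported if the host takes those products’ updates from Microsoft Update. "Not offered" therefore means "verify elsewhere", not "patched".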

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

Finally, these briefings are archived on the McAfee Community site.

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for August 2015 at the Microsoft site.

Until next month…stay safe!

-Greg


Hello everyone,

Well, Windows 10 has been released by Microsoft Corporation. I know many people have already upgraded to it from Windows 7, Windows 8, and Windows 8.1. I’ve already taken the plunge on several of my machines and plan to update the rest very shortly. I’ve been running different preview builds of it for some time as part of the Windows Insider program. Many of Intel Security’s customers have been asking for updates on when our Endpoint products will have support for the RTM (final released code) build of Windows 10. I’ve done a lot of digging around and have put together a list that covers the support for Windows 10 by Intel Security products. I plan to keep the blog post updated with more information as it becomes available from our product engineering teams, so make sure you save it in your bookmarks/favorites.

A few notes on this list:

  • This is primarily concentrated on Business/Enterprise versions of products from Intel Security, so you won’t see products for home users here.
  • When possible, I’ve provided a link to an article on the Knowledge Center…the information in that article may be more up-to-date as it is updated directly by our product teams.
  • For customers with Gold and Platinum support, please contact your Support Representative for updates and requests for access to pre-release products for testing purposes.

Each entry gives the Article ID, the Intel Security Product and Version, the Status, and the Estimated Timeframe.

KB84916: McAfee Agent 5.0.2. Status: The Released to Support (RTS) release of McAfee Agent 5.0.2 is Windows 10 Ready and will support the Windows 10 launch from day one. Estimated Timeframe: Released.

KB84916: McAfee Agent 4.8.0 Patch 3. Status: McAfee Agent 4.8.0 Patch 3 was released as Windows 10 Ready prior to the Windows 10 launch. Estimated Timeframe: Released.

KB66741: McAfee Anti-Virus Scanning Engine 5.8.00 (5800). Status: In testing; release schedule posted in the KB article. Estimated Timeframe:
  • Release Candidate (RC) in Q3 2015
  • RTW (Elective Download) in Q4 2015
  • RTW (Auto Update) in Q1 2016

KB68147: Data Loss Prevention (DLP) Endpoint 9.3.x, 9.4.x. Status: In development and testing; Windows 10 support is planned for upcoming release and patch levels. Estimated Timeframe: Future.

KB84419: McAfee Drive Encryption (DE) 7.1 Patch 3 (7.1.3). Status: DE 7.1 Patch 3 (7.1.3) was released as Windows 10 Ready prior to the Windows 10 launch. NOTE: How to upgrade the operating system to Windows 10 with Drive Encryption 7.1 Patch 3 installed. Estimated Timeframe: Released.

KB84419: McAfee File and Removable Media Protection 4.3.1. Status: FRP 4.3.1 HF1062118 was released as Windows 10 Ready prior to the Windows 10 launch. Estimated Timeframe: Released.

KB70778: McAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 6. Status: Host IPS 8.0 Patch 6 is required for Windows 10 support. Estimated Timeframe: Expected RTW on August 13, 2015.

KB84419, KB79375, PD26027: McAfee Management of Native Encryption 3.0 and 3.0.1. Status: MNE 3.0 was released as Windows 10 Ready prior to the Windows 10 launch. MNE 3.0.1, recently released, adds a policy setting that gives Administrators the option to define a customized recovery link (URL) displayed on the preboot recovery screen of Windows 10 Microsoft BitLocker clients. Estimated Timeframe: Released.

KB51244: SiteAdvisor Enterprise 3.5 Patch 4. Status: In development and testing; SAE 3.5 will require Patch 4 to support Windows 10. Estimated Timeframe: Target support date for Windows 10 is Q3 2015. Patch 4 is not currently available and is targeted for RTW in Q3 2015.

KB51111: VirusScan Enterprise (VSE) 8.8 Patch 6. Status: In development and testing; VSE 8.8 will require Patch 6 to support Windows 10. Estimated Timeframe:
  • Private release target on July 30, 2015
  • Full release target on August 26, 2015
Other products will be updated and added to the table as more information becomes available.

Stay safe!

-Greg


As an adjunct to our monthly Patch Tuesday updates, Microsoft released an out-of-band patch on July 20th. They only release out-of-band patches for the most critical security bugs, so this one is very important.

Application Control’s Memory Protection against remote code execution helps protect against attacks targeting this vulnerability.

Each entry gives the Bulletin Number and KB Number, the Title, the Bulletin Rating, the Vulnerability Impact, the McAfee Labs Security Advisory Number(s), and the Intel Security Coverage (Covered Products and Under Analysis).

MS15-078 (KB 3079904): Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution. Rating: Critical. Impact: Remote Code Execution. Advisory: MTIS15-112.
  • Covered Products: Vulnerability Mgr (July 21), Application Control
  • Under Analysis: DAT, BOP, Host IPS, NSP, Web Gateway, Firewall Enterprise

Stay safe!

-Greg


Hello everyone,

This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for July 2015.

After a light June, we’re back to a heavy July for patches: Microsoft released a total of fourteen (14) new security bulletins. Four (4) of these are rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow code execution without any user interaction. These are the vulnerabilities system administrators are usually most concerned about and try to patch as quickly as possible. The other ten (10) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which indicates that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for another. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory referenced by number.

This month’s patches include the following:

Columns: Bulletin Number (KB Number) - Title; Bulletin Rating | Vulnerability Impact | McAfee Labs Security Advisory Number; Intel Security Coverage (Covered Products / Under Analysis)

MS15-058 (KB 3065718) - Vulnerabilities in SQL Server Could Allow Remote Code Execution
  Rating: Important | Impact: Remote Code Execution | Advisory: MTIS15-105
  Covered Products: Vulnerability Mgr (July 14), BOP, Host IPS, Application Control
  Under Analysis: Firewall Enterprise

MS15-065 (KB 3076321) - Security Update for Internet Explorer
  Rating: Critical | Impact: Remote Code Execution | Advisory: MTIS15-105, MTIS15-106
  Covered Products: Vulnerability Mgr (July 14), NSP, BOP, Host IPS, Application Control
  Under Analysis: DAT, Web Gateway, Firewall Enterprise

MS15-066 (KB 3072604) - Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution
  Rating: Critical | Impact: Remote Code Execution | Advisory: MTIS15-106
  Covered Products: Vulnerability Mgr (July 14), BOP, Host IPS, NSP, Application Control
  Under Analysis: DAT, Web Gateway, Firewall Enterprise

MS15-067 (KB 3073094) - Vulnerability in RDP Could Allow Remote Code Execution
  Rating: Critical | Impact: Remote Code Execution | Advisory: MTIS15-106
  Covered Products: Vulnerability Mgr (July 14), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise

MS15-068 (KB 3072000) - Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution
  Rating: Critical | Impact: Remote Code Execution | Advisory: MTIS15-106
  Covered Products: Vulnerability Mgr (July 14)
  Under Analysis: Firewall Enterprise

MS15-069 (KB 3072631) - Vulnerabilities in Windows Could Allow Remote Code Execution
  Rating: Important | Impact: Remote Code Execution | Advisory: MTIS15-106
  Covered Products: Vulnerability Mgr (July 14), NSP
  Under Analysis: Firewall Enterprise

MS15-070 (KB 3072620) - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  Rating: Important | Impact: Remote Code Execution | Advisory: MTIS15-106
  Covered Products: Vulnerability Mgr (July 14), NSP, BOP, Host IPS, Application Control
  Under Analysis: DAT, Web Gateway, Firewall Enterprise

MS15-071 (KB 3068457) - Vulnerability in Netlogon Could Allow Elevation of Privilege
  Rating: Important | Impact: Elevation of Privilege | Advisory: MTIS15-106
  Covered Products: Vulnerability Mgr (July 14)
  Under Analysis: Firewall Enterprise

MS15-072 (KB 3069392) - Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege
  Rating: Important | Impact: Elevation of Privilege | Advisory: MTIS15-106
  Covered Products: Vulnerability Mgr (July 14), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise

MS15-073 (KB 3070102) - Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
  Rating: Important | Impact: Elevation of Privilege | Advisory: MTIS15-107
  Covered Products: Vulnerability Mgr (July 14), Host IPS, NSP
  Under Analysis: Firewall Enterprise

MS15-074 (KB 3072630) - Vulnerability in Windows Installer Service Could Allow Elevation of Privilege
  Rating: Important | Impact: Elevation of Privilege | Advisory: MTIS15-107
  Covered Products: Vulnerability Mgr (July 14)
  Under Analysis: Firewall Enterprise

MS15-075 (KB 3072633) - Vulnerabilities in OLE Could Allow Elevation of Privilege
  Rating: Important | Impact: Elevation of Privilege | Advisory: MTIS15-107
  Covered Products: Vulnerability Mgr (July 14)
  Under Analysis: Firewall Enterprise

MS15-076 (KB 3067505) - Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege
  Rating: Important | Impact: Elevation of Privilege | Advisory: MTIS15-107
  Covered Products: Vulnerability Mgr (July 14), NSP
  Under Analysis: Firewall Enterprise

MS15-077 (KB 3077657) - Vulnerability in ATM Font Driver Could Allow Elevation of Privilege
  Rating: Important | Impact: Elevation of Privilege | Advisory: MTIS15-107
  Covered Products: Vulnerability Mgr (July 14), Host IPS, NSP
  Under Analysis: DAT, Web Gateway, Firewall Enterprise

Let’s take a closer look at each of the Microsoft Security Bulletins:

MS15-058 (CVE-2015-1761 through 1763)

We don’t often see security bulletins for Microsoft SQL Server. This one is a remote code execution vulnerability that exists if an authenticated attacker runs a specially crafted query. Note that the attacker has to already be authenticated and have permissions to create or modify a database. It affects multiple versions of SQL Server, so be sure to check the bulletin for details. Given the widespread use of Microsoft SQL Server and the potential gold mine of information that may be present in databases, DB admins should patch their SQL Servers as soon as they can.

MS15-065 (CVE-2015-1729, 2015-1733, 2015-1738, 2015-1767, 2015-2372, 2015-2383 through 2385, 2015-2388 through 2391, 2015-2397, 2015-2398, 2015-2401 through 2404, 2015-2406, 2015-2408, 2015-2410 through 2414, 2015-2419, 2015-2421, 2015-2422, and 2015-2425)

Here is the standard cumulative Internet Explorer Security Update. This is another big Internet Explorer update, addressing 29 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because such a wide range of Internet Explorer versions has these vulnerabilities, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

  • Twenty-one (21) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
  • Five (5) of these vulnerabilities are Information Disclosure vulnerabilities. If exploited, an attacker could potentially read data that was not intended to be disclosed.
  • Two (2) of these vulnerabilities are Security Feature Bypass vulnerabilities. One of them bypasses the Address Space Layout Randomization feature and the other bypasses the XSS filter.
  • One (1) of these vulnerabilities is an Elevation of Privilege vulnerability. On its own, this vulnerability would not allow arbitrary code execution. It would need to be combined with an unprotected remote code execution vulnerability in order for an attacker to be able to execute arbitrary code.
  • As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.


MS15-066 (CVE-2015-2372)

This security update resolves a Remote Code Execution vulnerability in the VBScript Scripting Engine. It could be triggered if a user visits a specially crafted website, giving the attacker the same user rights as the current user. Note that this is for VBScript on Windows Server 2003, Windows Vista, Windows Server 2008, and Windows Server 2008 Server Core with Internet Explorer 7 or earlier or without Internet Explorer. Anything running Internet Explorer 8 or later will get the fix with the MS15-065 update.

MS15-067 (CVE-2015-2373)

This bulletin addresses a Remote Code Execution vulnerability in the Remote Desktop Protocol (RDP). It affects Windows 7, Windows 8, Windows Server 2012, and Windows Server 2012 Server Core. While the most likely outcome would be a Denial of Service (DoS) attack on the remote desktop, it is possible that remote code execution may occur. VDI environments may be a target for this attack, so administrators should patch their VDI setups with this fix.

MS15-068 (CVE-2015-2361 and 2362)

Here we have a pair of Remote Code Execution vulnerabilities in Windows Hyper-V. For either of these to be exploited, an attacker would need to be authenticated and privileged on a guest virtual machine and then execute a specially crafted application. It would then allow remote code execution within the host context. If you’re using Windows Hyper-V, it is advised to get this patch deployed as soon as possible.

MS15-069 (CVE-2015-2368 and 2369)

This security update addresses two (2) Remote Code Execution vulnerabilities in Microsoft Windows. They both exist regarding the loading of specially crafted dynamic link library (DLL) files and could result in an attacker taking complete control of an affected system. They affect a wide range of client and server Windows operating systems.

MS15-070 (CVE-2015-2375 through 2380, 2015-2415, and 2015-2424)

This security update resolves multiple vulnerabilities in Microsoft Office. Six (6) of these are memory corruption vulnerabilities, one (1) is an Address Space Layout Randomization vulnerability, and the other one (1) is a Remote Code Execution vulnerability. These affect a wide range of Office products, from 2007 through 2013 (including 2013 RT versions), one product on Mac, Viewers, and Excel Services on three (3) different versions of SharePoint. Lots of updates to be applied here, but it is highly advised to get them deployed.

MS15-071 (CVE-2015-2374)

Here we have an Elevation of Privilege vulnerability in Microsoft Windows. It exists in Netlogon and could allow an attacker to get elevated domain credentials by running a specially crafted application that establishes a secure channel to a Primary Domain Controller (PDC) as a Backup Domain Controller (BDC). Therefore, this affects domain controllers…so get those critical infrastructure servers updated.

MS15-072 (CVE-2015-2364)

A vulnerability in a graphics component in Microsoft Windows could potentially allow Elevation of Privilege if the component doesn’t properly process bitmap conversions. The attacker does need to be authenticated in order to exploit this one. It affects client and server versions of Microsoft Windows.

MS15-073 (CVE-2015-2363, 2015-2365 through 2367, 2015-2381 and 2382)

Here we see three (3) Elevation of Privilege vulnerabilities and three (3) Information Disclosure vulnerabilities in Windows Kernel-Mode drivers. The Elevation of Privilege vulnerabilities are a result of the way the kernel-mode drivers handle objects in memory. The Information Disclosure vulnerabilities could potentially allow the disclosure of kernel memory contents, addresses, or other sensitive kernel information that could potentially be used to attack the system in the future. While these aren’t the more serious Remote Code Execution vulnerabilities, they could lead to future attacks on systems, so it is best to close these holes quickly.

MS15-074 (CVE-2015-2371)

This is a single Elevation of Privilege vulnerability in the Windows Installer service and how it runs custom action scripts. This is a more complex attack vector with a lot of moving parts to exploit this vulnerability. It affects a wide range of client and server Windows operating systems.

MS15-075 (CVE-2015-2416 and 2417)

Here we’ve got a pair of Elevation of Privilege vulnerabilities in Microsoft Windows OLE. They could be combined with another vulnerability to allow arbitrary code to run, but by themselves they don’t allow for remote code execution.

MS15-076 (CVE-2015-2370)

This is a vulnerability in Windows Remote Procedure Call (RPC) authentication. An attacker that is already logged on to the system has to execute a crafted application that would then exploit this vulnerability, which allows DCE/RPC connection reflection.

MS15-077 (CVE-2015-2387)

Finally, this bulletin addresses an Elevation of Privilege vulnerability in the Adobe Type Manager (ATM) Font Driver. The attacker would need to already be logged on to the system and then execute a specially crafted application in order to exploit this vulnerability.

Bonus Vulnerability Coverage: Although not technically listed as a Microsoft Security Bulletin (listed as a Security Advisory), Microsoft updated Microsoft Security Advisory 2755801 on July 8th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-16. McAfee Labs Security Advisories for these vulnerabilities are published in MTIS15-104.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

Finally, these briefings are archived on the McAfee Community site.

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for July 2015 at the Microsoft site.

Until next month…stay safe!

-Greg


This blog is only an introduction-level for this topic but even as an introduction I think there is much you might want to digest. More detailed write-ups of this functionality may be seen in future.

TLDR Version

Access Protection is being replaced by new tech, called Arbitrary Access Control (AAC), which is introduced through our core driver technology SYSCore version 15.3.0 and later.

Over time, more Intel Security products will release with this technology included and they'll use it to protect their own files, registry, etc.

Products that are new to this regime of protecting their files/folders and registry etc, may not have the same scope of functionality available that you're used to seeing with VirusScan Enterprise such as notification events.

Background

Access Protection, as described in an earlier blog, is rudimentary in its purpose and design; it's super effective but with limitations. Well, those limitations are mostly imposed upon you, as in, we opted to _not_ expose its full potential to customers. And considering how some people have used what we did expose, and still manage to shoot themselves in the foot - figuratively turning their machines into bricks - it's no wonder we are cautious about unleashing this technology in all its glory. Maybe we could provide full capability to everyone but have it remain locked until the Admin takes and passes an Access Protection Driver's License Exam, or completes a mini-game that unlocks the "Behavior Blocking Badass" achievement. Hah. I kid, but I still think something like that is appropriate.

A companion concern that has to be assessed by us when entertaining the notion of exposing AP's full potential to customers is the Support cost associated with it, and today, I'm skeptical we have the infrastructure needed (or perhaps even the expertise at this time) to support the needs such exposure could generate. I'd feel better about it if, and perhaps only if, we incorporated the driver license idea or similar because that would ensure a level of proficiency on the Admin's part (I seriously doubt any Product Manager would suppose that a good idea; just let me chuckle to myself about it some more!)

Under-the-hood, we do take advantage of Access Protection's potential as needed. Some of our default AP rules are quite complex in their definition. And I think most everyone who has sought to use this feature has experienced the front-end limitations we've imposed, where only processes can be set as things to include or exclude, along with a singular "thing to protect". Under-the-hood we have rules defined to protect multiple objects; processes, files, folders, registry keys, ports etc, all in a single rule, and each object can be defined as having its own type of restriction (create, read, write, delete etc).

None of the above protection is possible unless VirusScan Enterprise is installed. Access Protection is a VSE feature.  SiteAdvisor 3.5 has a hardening option, but said hardening is only possible if VSE is installed because they leverage Access Protection, laying down a set of rules of their own for AP to enforce. The same is true of the DAT Reputation functionality, now inherent for consumers of our AVV*.DAT files, and there are others who piggyback also.

A problem we wanted to solve was to provide this type of protection for Intel Security products and to not have this dependency upon VSE. This was easily solved in concept. The technology VSE used to provide Access Protection functionality is and has always been a separate component of the product. We simply needed alternate means to distribute that technology into the field. It would become a common component of any/all Windows-based products, be it the Agent, Host Intrusion Prevention, VirusScan, whatever - every release would include that common technology (for installation/upgrade purposes) and the Product would simply convey to that technology what it wants protected. That common technology is called Arbitrary Access Control, or AAC - the name may change in future, who knows, but if you say AAC to someone from our side of the fence hopefully we'll know what it is you're referring to. AAC replaces Access Protection.

SYSCore 15.3.0.x (and later)

This common technology, AAC, exists in SYSCore version 15.3 and later. SYSCore is comprised of various mfe*.sys files, and mfevtps.exe (the validation trust protection service). It is the part of Intel Security software that melds with the brain of your device (kernel code). I've stated elsewhere that when this code changes in version it should be a signal to tell yourself, "We need to do some testing against this release before deploying it".

You might notice that newer software releases from Intel Security, products that in the past relied on VSE to protect their files/registry etc, are now providing their own protection coverage when only their application is installed. It's because they installed AAC and told it what to protect. That being the case, be forewarned that the risk associated with patching VSE should be viewed more generally now, since the newer SYSCore binaries could be accompanying other product releases too.

Some products that come to mind that have already begun to use SYSCore 15.3 (or later) are:  McAfee Agent 5.0, TIE/DxL 1.01, VSE 8.8 Patch 5, HIPS 8.0 Patch 5, Stinger utility. And in saying that I should point out that these products may not install _all_ of SYSCore's components; they install only what they need, so it's feasible and OK to have a mixed bag of file versions for mfe*.sys files when using multiple Intel Security products. Where products do install the same SYSCore components, the highest version wins.

Another thing to add regarding SYSCore files:  You cannot downgrade them; nor can we forcefully overwrite or downgrade them - to do so would result in a BSOD (worst case, continual BSODs); the brain surgery analogy comes to mind again. If any code path accesses the now missing area of code, the result is fatal. An operation could appear successful though, no instability, but it will then mess up internal reference counters that will cause future problems for you.

To be able to install an older version of these files you must remove all Intel Security products that share/use that technology, and then reinstall the desired version. Typically the notion of downgrading only comes up when a product or patch was installed that updated SYSCore, and an unexpected (serious) issue occurs - the desire is to back-pedal and try to reset the system to a known good state. This is understandable, just be mindful that for us to investigate whatever caused the outage we will need data and that might mean having to revisit the setup that failed. See my prior blog on Patching VSE for tips on preparing to adopt new code, because if you prepared well we will have something to work with.

Differences between Access Protection and AAC

As far as VirusScan is concerned, any difference should not be noticeable to you as the customer (unless of course you found a bug), or to end users, as shall be explained herewith. There are differences however...

For products that never provided their own protections before, it's absolutely a new thing that they now install SYSCore and define what objects of theirs are to be protected.

MFEAPFK.SYS was the driver that provided Access Protection checking and enforcement, but it no longer exists in 15.3, having been replaced by mfeaack.sys and supporting files. If you still see mfeapfk.sys on your system when SYSCore 15.3 is installed, it means there is still a product installed that needs that older driver's functionality, something that wasn't carried over to mfeaack.sys because it wasn't the appropriate place for that code.
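The post makes two points an admin can check directly on a box: mixed mfe*.sys versions across products are normal (highest version wins per component), and mfeapfk.sys lingering next to mfeaack.sys means some installed product still depends on the old Access Protection driver. The PowerShell below is an added example, not code from the original post or any Intel Security tool; it snapshots the SYSCore components the post names (mfe*.sys and mfevtps.exe) so you can record versions before a patch and diff them afterwards, which is the kind of preparation the post asks for. The default paths and the function names are assumptions of this example.

```powershell
# Added example (not from the original post). Inventories SYSCore components:
# the mfe*.sys kernel drivers under System32\drivers and mfevtps.exe (the
# validation trust protection service) under the product directories.
# Assumed layout: default Windows/Program Files paths; override via parameters.

function Get-SysCoreInventory {
    [CmdletBinding()]
    param(
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'),
        [string[]]$ProductDirs
    )
    # Assumed product roots; ${env:ProgramFiles(x86)} is absent on 32-bit Windows.
    if (-not $ProductDirs) {
        $ProductDirs = foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
            if ($root) { Join-Path $root 'McAfee' }
        }
    }

    $files = @()
    # Kernel drivers: every mfe*.sys, version read from the binary's resource block.
    $files += Get-ChildItem -Path $DriverDir -Filter 'mfe*.sys' -File -ErrorAction SilentlyContinue
    # Service binary: searched under each existing product directory.
    foreach ($dir in $ProductDirs) {
        if (Test-Path -LiteralPath $dir) {
            $files += Get-ChildItem -Path $dir -Recurse -Filter 'mfevtps.exe' -File -ErrorAction SilentlyContinue
        }
    }

    foreach ($f in $files) {
        [pscustomobject]@{
            File     = $f.Name
            Path     = $f.FullName
            Version  = $f.VersionInfo.FileVersion
            Product  = $f.VersionInfo.ProductName
            Modified = $f.LastWriteTime
        }
    }
}

# Interpret an inventory using the rules the post states:
# mfeaack.sys present  => AAC (SYSCore 15.3 or later) is installed
# mfeapfk.sys present  => an installed product still needs the legacy AP driver
function Test-SysCoreState {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $names = @($Inventory | ForEach-Object { $_.File.ToLowerInvariant() })
    [pscustomobject]@{
        AacDriverPresent      = 'mfeaack.sys' -in $names
        LegacyApDriverPresent = 'mfeapfk.sys' -in $names
        VtpsServicePresent    = 'mfevtps.exe' -in $names
    }
}

# Diff two snapshots (e.g. an Import-Csv of the pre-patch export against a live
# inventory). Only File/Version pairs that differ are returned; the Change column
# says which side the pair came from. Mixed versions across files are expected.
function Compare-SysCoreInventory {
    param(
        [Parameter(Mandatory)][object[]]$Before,
        [Parameter(Mandatory)][object[]]$After
    )
    Compare-Object -ReferenceObject $Before -DifferenceObject $After -Property File, Version -PassThru |
        Select-Object File, Version,
            @{ Name = 'Change'; Expression = { if ($_.SideIndicator -eq '=>') { 'after' } else { 'before' } } }
}

# Usage (run elevated so the product directories are readable):
#   Before patching:   Get-SysCoreInventory | Export-Csv .\syscore-before.csv -NoTypeInformation
#   After the reboot:  $before = Import-Csv .\syscore-before.csv
#                      $after  = Get-SysCoreInventory
#                      Compare-SysCoreInventory -Before $before -After $after | Format-Table -AutoSize
#                      Test-SysCoreState -Inventory $after
```

Keep the pre-patch CSV with the rest of your rollout notes: if a SYSCore-related symptom appears later, the diff tells Support exactly which mfe*.sys versions the patch introduced, and the state check shows whether the legacy driver was still being carried by another product.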

Rules are defined differently in AAC. But as I said earlier, from a customer-perspective there should be no observable difference. What happens under-the-hood though is quite different indeed.

  • Access Protection used a simplistic syntax for defining rules which would be interpreted on the client when the rules were being loaded. The rules would be loaded from VSCAN.BOF (where our defaults exist), and the registry (where User-defined rules are stored, as well as any edited default rules which will overwrite those from VSCAN.BOF).
  • AAC uses XML to describe the rules. Each rule is assigned a rule ID, and each product that creates rules is assigned an ID, allowing a single product to have multiple rules and multiple products to share a single rule.

In SYSCore 15.3, since there is no longer an MFEAPFK.SYS driver that will understand Access Protection rules, the newer mfeaack.sys driver comes with a backward compatible shim. Its purpose in life is to read and understand the rule format used by Access Protection, and to convert those rules into AAC-equivalent rules. Eventually, Access Protection rules and that backward compatibility shim may be phased out entirely.

AAC is more powerful than Access Protection. It allows for securing more types of objects (this is only going to be leveraged internally of course) and with better control or flexibility, affording more intelligent rules to be defined. VSE probably won't be seeing any of that additional intelligence... the goal for VSE is to provide the same protection level with the newer technology. The future, however, could be quite exciting - I'm not sure what degrees of flexibility and control we're going to expose yet.

Rule matching is expensive in Access Protection. VSE suffered for performance under certain conditions, typically when processing a lot of registry I/O per second where we have various AP rules to compare all that activity against, making string comparisons. And string comparisons with wildcards may create noticeable overhead. AAC's rule matching methodology is faster, depending on the rule; it's not worse than VSE at least, so we can expect some performance gain with this greater protection even with having additional rules (i.e. products provide their own AAC rule sets to protect their own objects).

Troubleshooting

In the case of VSE, troubleshooting AAC issues can be done in much the same way as troubleshooting Access Protection issues -

  • disabling the feature
  • adding a process to exclude
  • setting a rule to Report only
  • disabling a specific rule(s), or even all rules but keeping the feature enabled
  • renaming the driver (mfeaack.sys) and rebooting; this is a brutish troubleshooting step, and should only be done with acknowledgement of it being a test only. When used as a means of progressive elimination it can be telling of the nature of an issue.
  • for in-depth view of the functionality, an internal tool (ETLTrace) is required, and must be version 15.3 or later. Support may request you to use this tool when investigating related issues.
  • A non-supported EXE is included with SYSCore 15.3 called "AACINFO.exe" which Support will use to export the in-memory AAC rules (i.e. aacinfo.exe query >aac_rules.xml). This tool cannot be used to configure AAC.

Growing Pains

Security through obscurity has limited value, but development teams may still implement protections in that manner. Example: as stated above, this is new technology and other products (like McAfee Agent 5.0) now install and use it to provide their own protections. VSE has an Event/Alert subsystem for processing events, sending the info to ePO and recording the violation to the local Event logs, but MA does not; it only has local logging functionality (at the time of this posting - see KB82881). We can expect to see some growing pains as products adapt to AAC and recognize other supporting functionality that's needed. Providing visibility into when violations occur, what was blocked and when, is a good example.

That doesn't mean you should postpone an upgrade, it just means there may be another data point to consider when you're investigating a symptom that looks Access Protection-related but troubleshooting has revealed it's clearly not VSE's Access Protection that's involved.


Hello everyone,

This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for June 2015.

June is a lighter month for patches; Microsoft released a total of eight (8) new security bulletins. For this month, two (2) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other six (6) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

This month’s patches include the following:

Columns: Bulletin Number (KB Number) - Title; Bulletin Rating | Vulnerability Impact | McAfee Labs Security Advisory Number; Intel Security Coverage (Covered Products / Under Analysis)

MS15-056 (KB 3058515) - Cumulative Security Update for Internet Explorer
  Rating: Critical | Impact: Remote Code Execution | Advisory: MTIS15-092
  Covered Products: Vulnerability Mgr (June 9), DAT, BOP, Host IPS, NSP, Application Control, Web Gateway
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS15-057 (KB 3033890) - Vulnerability in Windows Media Player Could Allow Remote Code Execution
  Rating: Critical | Impact: Remote Code Execution | Advisory: MTIS15-092
  Covered Products: Vulnerability Mgr (June 9), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise

MS15-059 (KB 3064949) - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  Rating: Important | Impact: Remote Code Execution | Advisory: MTIS15-093
  Covered Products: Vulnerability Mgr (June 9), BOP, Host IPS, NSP, Application Control
  Under Analysis: Firewall Enterprise

MS15-060 (KB 3059317) - Vulnerability in Microsoft Common Controls Could Allow Remote Code Execution
  Rating: Important | Impact: Remote Code Execution | Advisory: MTIS15-093
  Covered Products: Vulnerability Mgr (June 9), BOP, Host IPS, Application Control
  Under Analysis: Firewall Enterprise

MS15-061 (KB 3057839) - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
  Rating: Important | Impact: Elevation of Privilege | Advisory: MTIS15-093
  Covered Products: Vulnerability Mgr (June 9), Host IPS, NSP
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS15-062 (KB 3062577) - Vulnerability in Active Directory Federation Services Could Allow Elevation of Privilege
  Rating: Important | Impact: Elevation of Privilege | Advisory: MTIS15-093
  Covered Products: Vulnerability Mgr (June 9)
  Under Analysis: Firewall Enterprise

MS15-063 (KB 3063858) - Vulnerability in Windows Kernel Could Allow Elevation of Privilege
  Rating: Important | Impact: Elevation of Privilege | Advisory: MTIS15-093
  Covered Products: Vulnerability Mgr (June 9)
  Under Analysis: Firewall Enterprise

MS15-064 (KB 3062157) - Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege
  Rating: Important | Impact: Elevation of Privilege | Advisory: MTIS15-093
  Covered Products: Vulnerability Mgr (June 9)
  Under Analysis: Firewall Enterprise

Let’s take a closer look at each of the Microsoft Security Bulletins:

MS15-056 (CVE-2015-1687, CVE-2015-1730 through 1732, CVE-2015-1735 through 1737, CVE-2015-1739 through 1745, CVE-2015-1747 and 1748, CVE-2015-1750 through 1755, CVE-2015-1765 and 1766)

Here is the standard cumulative Internet Explorer Security Update. This is another big Internet Explorer update, addressing 24 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because such a wide range of Internet Explorer versions has these vulnerabilities, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

  • Twenty (20) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
  • Three (3) of these vulnerabilities are Elevation of Privilege vulnerabilities. On their own, these vulnerabilities would not allow arbitrary code execution. They would need to be combined with an unprotected remote code execution vulnerability in order for an attacker to be able to execute arbitrary code.
  • The final one (1) vulnerability in this update is an Information Disclosure vulnerability. An attacker who exploited this vulnerability could potentially get access to the Internet Explorer browser history.
  • As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

MS15-057 (CVE-2015-1728)

This security update resolves a vulnerability in the Windows Media Player. A specially crafted media file could be created that would utilize this Remote Code Execution vulnerability. Typically you’d see these types of media files posted on a malicious site and perhaps a link to them sent to a user in an email.

MS15-059 (CVE-2015-1759, 1760, and 1770)

This bulletin addresses multiple Remote Code Execution vulnerabilities in Microsoft Office. One of these vulnerabilities is specifically in Microsoft Office Compatibility Pack Service Pack 3. Vulnerability CVE-2015-1760 is present in both Microsoft Office 2010 Service Pack 2 and Microsoft Office 2013 Service Pack 1. The final vulnerability, CVE-2015-1770, is present in Microsoft Office 2013 Service Pack 1 and Microsoft Office 2013 RT Service Pack 1. All three (3) vulnerabilities are caused when Office improperly handles objects in memory and would be exploited by opening a specially crafted file with a vulnerable version of Microsoft Office. Note that users with more than one version of Microsoft Office installed may be prompted to install multiple updates.

MS15-060 (CVE-2015-1756)

Here we have a Remote Code Execution vulnerability in Microsoft Common Controls. It occurs when the code in the Common Controls attempts to access an object in memory that has either not been correctly initialized or has already been deleted. Interestingly, it is triggered when a user invokes the F12 Developer Tools in Internet Explorer.

MS15-061 (CVE-2015-1719 through 1727, 1768, and 2360)

This security update addresses ten (10) Elevation of Privilege vulnerabilities and one (1) Information Disclosure vulnerability in Windows Kernel-Mode Drivers. The Information Disclosure vulnerability is a result of improper handling of buffer elements, which allows an attacker to view the contents of specific memory addresses. The Elevation of Privilege vulnerabilities are a result of improperly freeing an object in memory, insufficient validation of data being passed from user mode to kernel mode, improperly validating user input, and attempting to access an object in memory that has either not been correctly initialized or has already been deleted. These vulnerabilities exist in Microsoft’s currently supported Client Operating Systems as well as Server Operating Systems.

MS15-062 (CVE-2015-1757)

This security update resolves an Elevation of Privilege vulnerability in Active Directory Federation Services (AD FS) 2.0 and 2.1. An attacker who exploited it could perform a cross-site scripting attack, resulting in the malicious script being run in the security context of the currently logged-on user.

MS15-063 (CVE-2015-1758)

Here we have an Elevation of Privilege vulnerability in Microsoft Windows. It exists in LoadLibrary, which loads a specified module (a .DLL or an .EXE) into memory. In order to exploit this vulnerability, an attacker would need to copy a malicious DLL file locally or onto a network share. Then a program would have to execute that would load the malicious DLL file. This vulnerability exists in multiple versions of Microsoft’s Client and Server Operating Systems.

MS15-064 (CVE-2015-1764, 1771, and 2359)

Finally, this bulletin addresses two (2) Information Disclosure vulnerabilities and one (1) Elevation of Privilege vulnerability in Microsoft Exchange Server 2013 Service Pack 1 and Microsoft Exchange Server 2013 Cumulative Update 8. All three (3) vulnerabilities are in Microsoft Exchange web applications. There are no workarounds for these vulnerabilities, so administrators of affected Exchange Servers should implement these fixes as soon as possible.

Bonus Vulnerability Coverage: Although not technically listed as a Microsoft Security Bulletin (listed as a Security Advisory), Microsoft updated Microsoft Security Advisory 2755801 on June 9th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-11. McAfee Labs Security Advisories for these vulnerabilities will be published when available on the McAfee Labs Security Advisories Community site.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

Finally, these briefings are archived on the McAfee Community site.

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for June 2015 at the Microsoft site.

Until next month…stay safe!

-Greg


The McAfee Email Gateway appliance provides for the ability to generate clusters of appliances.  A cluster may consist of two or more appliances.  This article will go into a few best practices for the creation and management of MEG clusters.

Cluster Creation

When setting up a cluster of MEG appliances, determine what your performance needs are.  If you are going to be handling a lot of mail, you will want more cluster members.  If you are not going to be handling as much mail, but are looking for the redundancy the cluster provides, you may just want two cluster members.

When configuring a cluster for the first time, choose a cluster ID that is not the default.  If you leave the default ID in place, this can result in new devices finding themselves added directly to the already existing cluster, even though you don't mean them to.  Once your cluster ID is set to something other than the default, it will be necessary to reimage the appliance to change the ID.  We use VRRP to do our clustering, so make sure that you note any other VRRP clusters on the same network the MEG will be on before setting this up.

Cluster members must be on the same local network in order to work.  Because we make use of VRRP, if appliances are present in different physical networks and are separated by a router, the devices will be unable to talk to each other.  If they are separated by a WAN link (even on the same VLAN), the devices may be unable to talk to each other in a reasonable time, thus resulting in the boxes being unable to connect properly.  We do not support configuration of appliances into clusters incorporating a WAN link.
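The two VRRP points above (pick a cluster ID that does not collide with an existing VRRP instance, and keep members on one L2 segment) can be checked before the cluster is built by looking at the VRRP advertisements already on the wire. The following is an added example for this article, not McAfee or MEG code; it assumes the MEG cluster ID is carried as the VRRPv2 virtual router ID (VRID), decodes RFC 3768 advertisements (IP protocol 112, multicast 224.0.0.18), verifies their checksum, and reports which VRIDs are taken. The sample packets are constructed inline; capturing real ones from the segment is left to whatever sniffer you use.

```python
"""Decode VRRPv2 advertisements and list the virtual router IDs already in use.

Added example, not part of the MEG product.  ASSUMPTION: the MEG cluster ID
maps to the VRRP VRID, so a collision here is a collision with the cluster.
The packets in SAMPLE_PACKETS are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set

VRRP_PROTO = 112            # IP protocol number used by VRRP
VRRP_MCAST = "224.0.0.18"   # all-VRRP-routers multicast group


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over `data` (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int
    adver_int: int
    addresses: List[str]
    checksum_ok: bool


def build_advertisement(vrid: int, priority: int, addresses: List[str], adver_int: int = 1) -> bytes:
    """Construct a VRRPv2 advertisement (RFC 3768 section 5.1) with a valid checksum.
    Only used here to fabricate sample packets for the demonstration."""
    addr_bytes = b"".join(bytes(int(o) for o in a.split(".")) for a in addresses)
    # version 2 / type 1 (advertisement), VRID, priority, count, auth type 0, interval, checksum=0
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addresses), 0, adver_int, 0)
    body = header + addr_bytes + b"\x00" * 8      # auth type 0 still carries 8 bytes of auth data
    csum = ones_complement_sum(body)
    return body[:6] + struct.pack("!H", csum) + body[8:]


def parse_advertisement(pkt: bytes) -> Advertisement:
    """Parse one VRRPv2 advertisement; checksum_ok is False when the message is corrupt."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, _auth, adver_int, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    need = 8 + 4 * count + 8
    if len(pkt) < need:
        raise ValueError("packet shorter than its address count implies")
    addrs = [".".join(str(b) for b in pkt[8 + 4 * i: 12 + 4 * i]) for i in range(count)]
    # Summing the message with the checksum field in place must fold to zero.
    ok = ones_complement_sum(pkt[:need]) == 0
    return Advertisement(vrid, prio, adver_int, addrs, ok)


def vrids_in_use(packets: Iterable[bytes]) -> Set[int]:
    """VRIDs announced by well-formed advertisements; malformed ones are ignored."""
    seen: Set[int] = set()
    for p in packets:
        try:
            adv = parse_advertisement(p)
        except ValueError:
            continue
        if adv.checksum_ok:
            seen.add(adv.vrid)
    return seen


def cluster_id_is_free(candidate: int, packets: Iterable[bytes]) -> bool:
    """True when the proposed cluster ID (1..255) does not collide with an observed VRID."""
    if not 1 <= candidate <= 255:
        raise ValueError("VRRP VRIDs are 1..255")
    return candidate not in vrids_in_use(packets)


# Constructed sample traffic: two VRRP instances already on the segment.
SAMPLE_PACKETS = [
    build_advertisement(10, 100, ["192.0.2.1"]),
    build_advertisement(51, 255, ["192.0.2.5", "192.0.2.6"]),
]

if __name__ == "__main__":
    print("VRIDs observed:", sorted(vrids_in_use(SAMPLE_PACKETS)))
    for cand in (51, 60):
        print("cluster ID %d free: %s" % (cand, cluster_id_is_free(cand, SAMPLE_PACKETS)))
```

Advertisements are multicast to 224.0.0.18 and never cross a router, so a capture that shows no VRRP at all from a would-be member's port is also a hint that the member is not on the same L2 segment as the rest of the cluster.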

When creating clusters of virtual machines, it is necessary to ensure that either the VMs have direct access to the network to which the host machine is attached, *OR* all the cluster members are present in the same host device.  If not, cluster members may be unable to talk to each-other.

Clusters may have three types of devices in them:

1.  Cluster Master - This device is the main host in the cluster.  It acts as the primary traffic cop for inbound and outbound traffic, and handles all communications with the outside world.  It may or may not also host a scanning device. 

2.  Cluster Failover - This device is the backup host in the cluster.  Should the Master fail and go offline, the Failover appliance will take up the traffic cop duties until the Master comes back online.  If the Master hosts a scanner, this device will also host a scanner.

3.  Cluster Scanner - This is a standalone scanning device.  It receives its configuration, updates, and traffic to scan from the device currently handling all traffic for the cluster.

If a cluster has five or more appliances, the Master (and by extension, the Failover) should not be scanning traffic.  If a cluster has more than six devices, consider purchasing one of our MEG Blade servers instead.  If a cluster has three or fewer members, the Master and Failover devices should be scanners.  Clusters with exactly four members can go either way, as desired.

Cluster Administration

DO NOT use the configuration push feature built into the MEG appliances to push config from the Master to other devices in the same cluster.  KB82172 has additional details about the results of doing so.  Additionally, if using Configuration Push to push between clusters, push from the Master of one cluster to the Master of the other.  Never do config push to other devices in the destination cluster.

When booting your cluster, make sure that the Failover appliance boots first, then the Master.  Any scanners may be brought up any time after the Failover has come up.  Failure to boot in this order may result in communication issues between the master and failover appliances.

When performing software updates, ALWAYS install the update on the Failover first.  After updating the failover, allow it to come back online, then take down the master.  Dedicated scanning devices may be updated any time after the Failover update commences.  Note that if it is necessary to ensure mail flow and your master and failover devices are not scanners, it is necessary to update the failover and at least one scanner, THEN update the master and the rest of the scanners.

All cluster members must be running the same version of the software.  If a device in the cluster is on a different version of the software, it may continue to receive traffic for scanning from the Master for a short time.  Once its configuration gets too far out of date (since the Master can no longer update it), that device will stop being used to scan traffic.  Note that if the Failover appliance is the one on a different version, this may result in mail flow problems in the event of the Master becoming unavailable.

Cluster Reporting

When a cluster is properly formed, all reporting data gets passed to the Master appliance.  Should the Master fail, the Failover will not have the reporting data present on the Master, as it doesn't replicate that data.  Additionally, when the Master comes back online, the Failover's data will not be passed back to the master.  This is due to a limitation present in the way the cluster setup is performed.

External Device Integration

When integrating clustered MEG appliances with ePO, only the Master should be connected.  The Master and Failover are the traffic cops for the cluster, providing logging data and accepting configuration changes.  Note, however, that because of the way ePO currently handles the MEG data, connecting the Failover appliance to ePO will result in some dashboard data duplication on the ePO server.

When integrating with the MQM, make sure that the master and failover are using the default device ID.  Failure to do so will result in the Master's configuration being pushed to the Failover, and mail may not be quarantined properly (and thus may be unavailable for release).

For additional information, please see the following KB articles which cover some of the topics above.

https://kc.mcafee.com/corporate/index?page=content&id=KB76144&actp=null&viewlocale=en_US&showDraft=f...

https://kc.mcafee.com/corporate/index?page=content&id=KB76204&actp=null&viewlocale=en_US&showDraft=f...
