Microsoft

Dyn Confirms DDoS Attack Affecting Twitter, Github, Many Others

October 21, 2016 , 10:01 am

IoT Botnets Are The New Normal of DDoS Attacks

October 5, 2016 , 8:51 am

Backdoor Found in Firmware of Some Android Devices

November 21, 2016 , 3:20 pm

Threatpost News Wrap, November 18, 2016

November 18, 2016 , 9:15 am

iPhone Call History Synced to iCloud Without User Consent, Knowledge

November 17, 2016 , 1:51 pm

Microsoft Patches Zero Day Disclosed by Google

November 8, 2016 , 2:57 pm

Microsoft Says Russian APT Group Behind Zero-Day Attacks

November 1, 2016 , 5:50 pm

Google to Make Certificate Transparency Mandatory By 2017

October 29, 2016 , 6:00 am

Microsoft Extends Malicious Macro Protection to Office 2013

October 27, 2016 , 4:27 pm

Dyn DDoS Work of Script Kiddies, Not Politically Motivated Hackers

October 25, 2016 , 3:00 pm

Mirai-Fueled IoT Botnet Behind DDoS Attacks on DNS Providers

October 22, 2016 , 6:00 am

FruityArmor APT Group Used Recently Patched Windows Zero Day

October 20, 2016 , 7:00 am

Experts ‘Outraged’ by Warrant Demanding Fingerprints to Unlock Smartphones

October 18, 2016 , 4:58 pm

Leftover Factory Debugger Doubles as Android Backdoor

October 14, 2016 , 9:00 am

Researchers Break MarsJoke Ransomware Encryption

October 3, 2016 , 5:00 am

OpenSSL Fixes Critical Bug Introduced by Latest Update

September 26, 2016 , 10:45 am

500 Million Yahoo Accounts Stolen By State-Sponsored Hackers

September 22, 2016 , 3:47 pm

Yahoo Reportedly to Confirm Breach of Hundreds of Millions of Credentials

September 22, 2016 , 12:31 pm

Experts Want Transparency From Government’s Vulnerabilities Equities Process

September 20, 2016 , 2:41 pm

Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure

September 15, 2016 , 11:15 am

Generic OS X Malware Detection Method Explained

September 13, 2016 , 9:14 am

Patched Android Libutils Vulnerability Harkens Back to Stagefright

September 9, 2016 , 2:06 pm

Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

September 8, 2016 , 3:43 pm

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Dropbox Forces Password Reset for Older Users

August 29, 2016 , 9:58 am

Cisco Begins Patching Equation Group ASA Zero Day

August 24, 2016 , 5:53 pm

New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption

August 24, 2016 , 8:00 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

Credentials Accessible in Siemens-Branded CCTV Cameras

November 21, 2016 , 12:10 pm

Facebook Debuts Open Source Detection Tool for Windows

September 27, 2016 , 12:24 pm

Serious Dirty Cow Linux Vulnerability Under Attack

October 21, 2016 , 11:21 am

Popular Android App Leaks Microsoft Exchange User Credentials

October 14, 2016 , 8:00 am

Cisco Warns of Critical Flaws in Nexus Switches

October 7, 2016 , 10:55 am

Free Tool Protects Mac Users from Webcam Surveillance

October 7, 2016 , 7:00 am


Threatpost | The first stop for security news

A flaw in Office 365 could have been exploited by attackers to send out malicious emails and make them look as if they were coming from a legitimate microsoft.com address.

The issue was discovered by Utku Sen, a Turkey-based security enthusiast known for releasing an open source ransomware called Hidden Tear for educational purposes.

Sen found the issue while testing the spam filters of email services such as Outlook 365, Gmail and Yandex. During his tests, which he conducted using the Social Engineering Email Sender (SEES) tool, the expert noticed that Yandex identified some of his phishing emails as valid and marked them with a green icon after performing a DomainKeys Identified Mail (DKIM) verification.

It turned out that the emails detected as valid came from a spoofed microsoft.com email address and they were forwarded through Outlook 365 to Yandex. Further analysis showed that Gmail also accepted the fake microsoft.com emails forwarded from Outlook as legitimate.

The method only worked with emails coming from a spoofed microsoft.com address. When other domains were used, the fake emails went straight to the spam folder.

Sen was unable to figure out the cause, but Reddit user “ptmb” said the problem was likely that Outlook was signing redirected messages with its own DKIM key.

“That means that instead of having an email with a proof of identity from the original sender, you received an email with a proof of identity from the ‘redirector’,” ptmb explained. “And because Outlook was blindly signing these messages it was redirecting, if the message had a fake from field saying something(at)microsoft.com, then after Outlook blindly redirected it, it’d have a genuine DKIM signature from Microsoft by coincidence, even though the original email wasn’t from Microsoft at all.”

Sen informed both Microsoft and Yandex about his findings in September. Microsoft confirmed the issue and patched it in late October, and listed the researcher on its acknowledgements page. Yandex removed the green validation icon, but it’s unclear if it was due to the expert’s report.

Related Reading: Email Is Forever - and It's Not Private

Related Reading: Cisco Patches 9 Flaws in Email Security Appliance

Related Reading: Hackers Can Hijack Dell Email Security Appliances

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
thirteenth entry in that series. Unfortunately I won't be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161117001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Microsoft Internet Explorer 11 iertutil LCIEGetTypedComponentFromThread
use-after-free
=======================================================================
(The fix and CVE number for this issue are unknown)

Synopsis
--------
A specially crafted web-page can cause the iertutil.dll module of
Microsoft Internet Explorer 11 to free some memory while it still holds
a reference to this memory. The module can be made to use this reference
after the memory has been freed. Unlike many use-after-free bugs in
MSIE, this issue, and apparently all code in this module, is not
mitigated by MemGC. This issue appears to have been addressed in July
2016, as it failed to reproduce after the July security updates were
installed.

Known affected software, attack vectors and mitigation
------------------------------------------------------
+ Microsoft Internet Explorer 11

An attacker would need to get a target user to open a specially
crafted web-page and allow the web-page to open a popup. The target
user may need to run MSIE in the non-default single process mode.
Disabling JavaScript should prevent an attacker from triggering the
vulnerable code path.

Description
-----------
This looks like a pretty straightforward use-after-free, but I did not
investigate at what point in the repro the memory gets freed and when it
gets re-used, so I do not know if an attacker has any chance to force
reallocation of the freed memory before reuse.

The issue can be triggered with MemGC enabled; the object that is freed
does not appear to be protected by MemGC.

The repro requires that MSIE is run in single-process mode in order to
trigger the use-after-free. It is not known if it is possible to tweak
the repro to have MSIE take a similar code-path that leads to a
use-after-free when MSIE is not in single-process mode.

MSIE can be started in single process mode by setting the following
registry key before starting MSIE:

`HKCU\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = DWORD:0`

To revert this change, remove the registry key or set the value to 1 and
restart MSIE.

Exploit
-------
A number of factors appear to be getting in the way of creating a usable
exploit for this issue:
* I did not investigate if it is possible to reproduce the issue without
opening a pop-up to make it exploitable in the presence of a pop-up
blocker.
* I did not investigate if it is possible to reproduce the issue without
running MSIE in single-process process mode to exploit it on a system
with default settings.
* I did not investigate if it is possible to reallocate the freed memory
between the free and the use-after-free in order to modify control
flow.
Because there are so many things that would need to be investigated in
order to write an exploit, I felt it was not cost-effective for me to do so.

Time-line
---------
* July 2016: This vulnerability was found through fuzzing.
* July 2016: This vulnerability was submitted to ZDI and iDefense.
* July 2016: ZDI reports they are unable to reproduce the issue.
* November 2016: Details of this issue are released.

Cheers,
SkyLined

Repro.html

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=5">
<script>
onload = function ()
open("about:blank").close();
createAPopup();
document.write("x");
;
</script>
</head>
</html>


Exploit Files ≈ Packet Storm

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
fourteenth entry in that series. Unfortunately I won't be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161118002.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Microsoft Edge CTextExtractor::GetBlockText OOB read
=====================================
(MS16-104, CVE-2016-3247)

Synopsis
--------
A specially crafted web-page can cause an integer underflow in Microsoft
Edge. This causes `CTextExtractor::GetBlockText` to read data outside of
the bounds of a memory block.

Known affected software, attack vectors and mitigations
-------------------------------------------------------
* Microsoft Edge 11.0.10240.16384
An attacker would need to get a target user to open a specially
crafted web-page. JavaScript is not necessarily required to trigger
the issue.

Description
-----------
Though I did not investigate thoroughly, I did find out the following:
* The root cause appears to be an integer underflow in a 32-bit
variable used in `CTextExtractor..GetBlockText` as an index to read a
`WCHAR` in a string buffer. This index is decreased once too often
and becomes -1, or a very large positive number depending on how it
is used.
* This does not result in a crash on 32-bit systems, as an integer wrap
causes the code to read one `WCHAR` before the start of the buffer,
which is normally also in allocated memory.
* On 64-bit systems, the 32-bit -1 value is interpreted as 0xFFFFFFFF,
a very large positive value. As this is an index into a `WCHAR`
string, it gets multiplied by two and added to the start of the
buffer to find the location of a `WCHAR` to read. This causes the OOB
read to be around 8Gb (!!) beyond the address at which the buffer is
allocated.
* The crash happens in code that appears to be rendering the web-page,
which does not immediately offer an obvious way of extracting
information using this bug.

Exploit
-------
This is where it gets interesting, as the OOB read happens
approximately 0x2`00000000 bytes after the address at which the buffer
is allocated. This presents us with a problem: how to store some
information that we'd be interested in reading at such a large offset
from the original allocation?

As one might come to expect from me, I used a heap spray. But it needed
to be a special kind of heap spray as I did not want to actually have to
allocate 8Gb of RAM. However, about ten years ago (boy, time flies!) I
developed a heap spray that uses significantly less RAM than a
traditional heap spray does; in practice probably about 33% in most
cases, but theoretically much more in ideal situations. I've been
meaning to blog about it, but never found the time to do so until today:
you can read all about it here:

http://blog.skylined.nl/20161118001.html

That said, I have not actually looked at whether it is possible to
exfiltrate useful information using this bug. However, I did write a
Proof-of-Concept that attempts to make sure something is allocated in
the area where the OOB read happens. This PoC uses these heap spray
tricks to spray the heap while minimizing memory use. The
Proof-of-Concept uses about ~5.3Gb to allocate the memory at around 8Gb
distance from the buffer (up to ~10Gb to be sure). When you load the PoC
in a 64-bit version of Edge, you may notice that, unlike the original
repro, it will not crash Edge (even though it does trigger the
issues): the heap spray has allocated the memory that the out-of-bounds
read accesses, and this prevents an access violation exception.
Refreshing the page is likely to screw up the precise allocation process
needed and will probably cause a crash.

This proves that it is theoretically possible to allocate information at
the address used by the code. All that is left is prove that the
information read by the code can be exfiltrated somehow, and you have a
working exploit. This is left as an exercises to the reader.

Time-line
---------
* June 2016: This vulnerability was found through fuzzing.
* June 2016: This vulnerability was submitted to ZDI and iDefense.
* July 2016: This vulnerability was acquired by ZDI.
* September 2016: This vulnerability was addressed by Microsoft in
MS16-104.
* November 2016: Details of this issue are released.

Cheers,

SkyLined

Repro.html

<!DOCTYPE html>
<style>
*::first-letter border: 0;
* white-space: pre-line;
</style>
<body>
A<script>alert();</script>&#xAD;&#xAD;B
</body>


Exploit Files ≈ Packet Storm

j003-content-microsoft-patch-tuesday-2016_sqAlong with 14 patches, Microsoft introduced a new Security Update Guide web site, as the new location for information on security vulnerabilities.

This month’s Patch Tuesday was also election day in the U.S. and I imagine for once, IT pros are actually happy to see a big load of security updates released – it’s something to take our mind off the culmination of this contentious campaign season.

Along with the fourteen patches released today, the Microsoft Security Response Center (MSRC) team  published a blog post that introduces the new Security Update Guide web site, which the company sees as the “new single destination for security vulnerability information.”

It’s in preview now, and the Microsoft Security Bulletin site is still operational, so if you’re one of many who don’t like change, you can still access the information in the traditional way – at least for a few months. After January 2017, the information about the security fixes will no longer be published to the Bulletins site; you’ll have to transition to the Update Guide.

The good news is that the new portal does give you far more flexibility. You can filter by release date, KB number, CVE identifier, or product. This is great for those who don’t want to waste time scrolling through information about software and services that they don’t have deployed or don’t use.

This month’s updates include six that are rated critical and eight classified as important. There are updates for both Microsoft web browsers, Adobe Flash, and various components of Windows, as well as one for SQL Server and one for Microsoft Office.

Let’s take a look at each of these updates in a little more detail.

MS16-129 (KB 3199057) This is the usual cumulative update for the Edge browser and applies to Edge on all iterations of Windows 10. It is rated critical for all.

The update addresses seventeen vulnerabilities, including multiple memory corruption issues, information disclosure, and a spoofing vulnerability. Twelve of these could be exploited to accomplish remote code execution.

The update fixes the problems by changing how Microsoft browsers handles objects in memory, changing how the XSS filter in Microsoft browsers handle RegEx, modifying how the Chakra JavaScript scripting engine handles objects in memory, and correcting how the Microsoft Edge parses HTTP responses.

MS16-130 (KB 3199172) This is an update for all currently supported versions of the Windows client and server operating systems, including the server core installation. It is rated critical for all.

This update addresses three vulnerabilities: two elevation of privilege issues and one remote code execution vulnerability. The update fixes the problems by correcting how the Windows Input Method Editor (IME) loads DLLs and requiring hardened UNC paths be used in scheduled tasks.

MS16-131 (KB 3199151) This is an update for the Microsoft Video Control component in Windows Vista, 7, 8.1, RT 8.1 and 10. It is rated critical for all. It also affects Windows Server 2016 Preview 5.

The update addresses a single vulnerability based on the way the Video Control component handles objects in memory, which can be exploited to accomplish remote code execution. The update fixes the problems by correcting how Microsoft Video Control handles objects in memory.

MS16-132 (KB 3199120) This is an update for the Graphic component in all currently supported versions of Windows client and server operating systems, including the server core installation. It is rated critical for all.

The update addresses four vulnerabilities: an open type font information disclosure issue (for which a workaround is provided in the security bulletin), two memory corruption vulnerabilities – one in Windows Animation Manager and one in Media Foundation – and an open type font remote code execution vulnerability, which also has a workaround. You can find instructions for the workarounds at https://technet.microsoft.com/en-us/library/security/ms16-132.aspx

The update fixes the problems by correcting how the ATMFD component, the Windows Animation Manager, and the Windows Media Foundation handle objects in memory.

MS16-141 (KB3202790) This is an update for Adobe Flash Player running on Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. It does not include the server core installation, which doesn’t have a web browser installed by default. It is rated critical for all affected systems.

The update addresses nine vulnerabilities in the Flash Player software, which include type confusion vulnerabilities and use-after-free vulnerabilities, both of which can be exploited to accomplish code execution. The update fixes the problems by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

MS16-142 (KB3198467) This is the usual cumulative update for the Internet Explorer web browser. It is rated Critical for IE 9 and IE 11 on affected Windows clients, and rated Moderate for IE 9, IE 10 and IE 11 on affected Windows server operating systems.

The update addresses seven vulnerabilities, which include four memory corruption issues and three information disclosure vulnerabilities. The most severe of these could be exploited to accomplish remote code execution. The update fixes the problems by correcting how Internet Explorer modifies objects in memory and the way it uses the XSS filter to handle RegEx.

MS16-133 (KB 3199168) This is an update for Microsoft Office that applies to Office 2007, 2010, 2013, 2013 RT, and 2016, as well as Office for Mac 2011 and 2016, the Office Compatibility Pack, and the Excel and PowerPoint Viewers. Also affected are Excel Services and Word Automation Services on SharePoint 2010, Word Automation Services on SharePoint 2013, and Office Web Apps 2010 and 2013. It is rated important for all.

The update addresses twelve vulnerabilities, ten of which are memory corruption issues. The other two are information disclosure and denial of service vulnerabilities. The update fixes the problems by correcting how Microsoft Office initializes variables and how affected versions of Office and Office components handle objects in memory.

MS16-134 (KB3193706) This is an update for the Common Log File System Driver in all currently supported releases of Windows client and server operating system, including the Server Core installation. It is rated important for all.

This update addresses ten vulnerabilities, all of which are elevation of privilege issues. The update fixes the problem by correcting how CLFS handles objects in memory.

MS16-135 (KB3199135) This is an update for the Windows Kernel-mode Drivers in all currently supported releases of Windows client and server operating system, including the Server Core installation. It is rated important for all.

This update addresses five vulnerabilities, which includes two information disclosure issues and three elevation of privilege vulnerabilities. The update fixes the problem by correcting how the Windows kernel-mode driver handles objects in memory.

MS16-136 (KB3199641) This is an update for all currently supported editions of Microsoft SQL Server 2012, 2014 and 2016. It is rated important for all.

The update addresses six vulnerabilities, which includes three SQL RDBMS Engine Elevation of Privilege vulnerabilities, one MDS API XSS vulnerability, and one SQL Analysis Services information disclosure vulnerability, along with one SQL Server agent elevation of privilege vulnerability. The most severe of these vulnerabilities could allow an attacker could to gain elevated privileges that could be used to view, change, or delete data; or create new accounts. The update fixes these most severe vulnerabilities by correcting how SQL Server handles pointer casting.

MS16-137 (KB3199173) This is an update for Windows Authentication Methods in all currently supported releases of Windows client and server operating system, including the server core installation. It is rated important for all.

The update addresses three vulnerabilities, which include a Virtual Secure Mode Information Disclosure vulnerability, a Local Security Authority Subsystem Service Denial of Service vulnerability and a Windows NTLM Elevation of Privilege vulnerability.

The update fixes the problems by updating Windows NTLM to harden the password change cache, changing the way that LSASS handles specially crafted requests and correcting how Windows Virtual Secure Mode handles objects in memory.

MS16-138 (KB3199647) This is an update for the Microsoft Virtual Hard Disk Driver in Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016, including the server core installation. It is rated important for all.

The update addresses four vulnerabilities, all of which are elevation of privilege issues that an attacker could exploit to manipulate files in locations not intended to be available to the user. The update fixes the problem by correcting how the kernel API restricts access to these files.

MS16-139 (KB3199720) This is an update for the Windows kernel in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, including the server core installation. It is rated important for all.

The update addresses a single vulnerability in the way the kernel API enforces permissions, which an attacker could exploit to gain access to information that is not intended for the user, but the attacker would have to be able to locally authenticate. The update fixes the problem by helping to ensure the kernel API correctly enforces access controls.

MS16-140 (KB3193479) This is an update for the Boot Manager in Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016, including the server core installation. It is rated important for all.

The update addresses a single vulnerability when Windows Secure Boot improperly loads a boot policy that is affected by the vulnerability. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device. The update fixes the problem by revoking affected boot policies in the firmware.

You can find the full summary of all these updates, with links to each security bulletin, at https://technet.microsoft.com/en-us/library/security/ms16-nov.aspx

If you don’t want to miss out on future information about important Microsoft vulnerabilities and patches, subscribe to our blog and receive regular news updates in your inbox.

You may also like:

  • IT automation comes to the rescue for sysadmins
  • Microsoft Patch Tuesday – October 2016
  • Microsoft Patch Tuesday has changed and now all patches are…


GFI Blog

J003-Content-Microsoft-Patch-Tuesday-Oct2016_SQThis Tuesday’s update addresses 49 vulnerabilities within 10 security bulletins, of which five are rated as critical, and four of them are zero-day flaws.

After the start of the announced changes on the way patches are delivered on Patch Tuesday, which we covered in our yesterday’s blog post, Microsoft has released the security bulletins for October 2016. Among affected products are Edge, Internet Explorer, Office, Windows, Skype for Business, and of course Adobe Flash Player, and most of the critical updates are for Remote Code Execution issues.

MS16-118 (KB 3192887) This is a cumulative security update for Internet Explorer fixing issues which could allow remote code execution if a user views a specially crafted webpage using IE9, 10 or 11, gaining the attacker the same user rights as the current user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerabilities by correcting how Internet Explorer handles objects in memory and namespace boundaries.

MS16-119 (KB 3192890) This is a similar cumulative security update like the previous one, this time for Edge browser, resolving remote code execution issues on Windows 10-based computers using Edge as a primary browser.

The patch modifies how Microsoft Edge and certain functions, like the Chakra JavaScript scripting engine, handle objects in memory, and restricts what information is returned to Microsoft Edge. It also changes the way Microsoft Browsers store credentials in memory and handle namespace boundaries, and corrects how Microsoft Edge Content Security Policy validates documents.

MS16-120 (KB 3192884) Yet another critical fix for remote code execution, but this time for the Microsoft Graphics Component, and it resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.

This update is rated critical for all supported Windows versions, Office 2007 and 2010, Lync/Skype for Business 2010, 2013 and 2016, .NET Framework and Silverlight, and it addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts.

Since it affects Windows operating systems since Vista SP2 and Server 2008 SP2 until Windows 10, including Windows RT 8.1, and covers seven vulnerabilities verified by CVE, this patch should not be taken lightly. Also, this is the only zero-day vulnerability on this batch which there were already registered exploits.

MS16-122 (KB 3195360) This vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. Of course, if the user is logged on with administrative user rights, an attacker could take control of the affected system.

This security update is rated Critical for Windows Vista, 7, 8.1, RT 8.1, and Windows 10, and it fixes the vulnerability by correcting how Microsoft Video Control handles objects in memory.

MS16-127 (KB 3194343) And, as usual, this Patch Tuesday brought another update for Adobe Flash Player. It updates the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge, on all supported editions of Windows 8.1, RT 8.1, 10, and on Windows Server 2012 and 2012 R2.

The patch covers a set of 13 CVE vulnerabilities, described in Adobe Security Bulletin APSB16-32, and there are several known workarounds and mitigation actions for these issues. Apart from blocking Adobe Flash Player completely, of course.

MS16-121 (KB 3194063) This update resolves an Office RTF remote code execution vulnerability which exists in Microsoft Office, when the Office software fails to properly handle RTF files. It affects Office 2007, 2010, 2013 (including the RT version), 2016, Office for Mac 2011 and 2016, and some other Office apps and services, such as SharePoint Server 2010 and 2013.

An attacker who would successfully exploit this memory corruption vulnerability could run arbitrary code as the current user, and the update fixes the issue by changing the way Microsoft Office apps handle RTF content.

MS16-123 (KB 3192892) This security update resolves several vulnerabilities in various editions of Microsoft Windows, from Vista to 10 and Servers 2008 and 2012, where the more severe ones could allow elevation of privilege of an attacker.

Microsoft has not identified any mitigating factors or workarounds for these five CVE vulnerabilities, and this security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

MS16-124 (KB 3193227) Like the previous one, this update fixes a vulnerability that allows attackers to perform unauthorized privilege elevation and gain access to registry information, and corrects it by changing the way how the kernel API restricts access to this information.

It applies to variants of Microsoft operating systems from Windows Vista SP2 to Windows 10, and addresses four known CVE vulnerabilities, all marked as important.

MS16-125 (KB 3193229) This security update is rated Important for all supported editions of Windows 10, and resolves a vulnerability which could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses this vulnerability by correcting how the Windows Diagnostics Hub Standard Collector Service sanitizes input, to help preclude unintended elevated system privileges.

MS16-126 (KB 3196067) The last update in today’s batch is marked as Moderate, and addresses an information disclosure vulnerability, when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploits this vulnerability could test for the presence of files on disk, but for an attack to be successful an attacker must persuade a user to open a malicious website.

The security update affects Windows Vista, 7, Server 2008 and 2008 R2, and is rated moderate on client and low on server operating systems. Also, note that you must install two updates to be protected from this vulnerability: this one, and the update in MS16-118.

You will find more details about all the updates listed above in the Security Bulletin Summary for October 2016.

You may also like:

  • Microsoft Patch Tuesday has changed and now all patches are…
  • Third Party Patch Roundup – September 2016
  • Microsoft Patch Tuesday – September 2016


GFI Blog

  • Home
  • Application Development

Microsoft opens up its 'million dollar' bug-finder Credit: Thinkstock

Microsoft is previewing a cloud-based bug detector, dubbed Project Springfield, that it calls one of its most sophisticated tools for finding potential security vulnerabilities.

Project Springfield uses "whitebox fuzzing," which uncovered one-third of the "million dollar" security bugs during the development of Windows 7. Microsoft has been using a component of the project called SAGE since the mid-2000s to test products prior to release, including fuzzing both Windows and Office applications. 

[ From Docker containers and Nano Server to software-defined storage and networking improvements, Windows Server 2016 is packed with great additions: Get the scoop on Windows Server 2016 from InfoWorld. | Stay up on key Microsoft technologies with the Windows Report newsletter. ]

For this project, SAGE is bundled with other tools for fuzz testing, featuring a dashboard and other interfaces that enable use by people without an extensive security background. The tests are run using Microsoft's Azure cloud.

With fuzz testing, the system throws random inputs at software to find instances in which unforeseen actions cause software to crash. This testing, according to Microsoft researcher David Molnar, is ideal for software regularly incorporating inputs like documents, images, videos, or other information that may not be trustworthy. Bad actors are sought out that could launch malicious attacks or crash a system. Whitebox fuzz testing uses artificial intelligence to ask a series of "what if" questions and make decisions about what might cause a crash and signal a security concern.

The code-name, Springfield, previously was used at Microsoft for the now-defunct Popfly web page and mashup creation service. There's no relation between the two projects, a Microsoft representative said. Microsoft is extending preview invitations for Project Springfield to customers, with an initial group to evaluate it for free.

Microsoft has announced a new capability that will make its Edge browser the most secure web browsing option for enterprises: Windows Defender Application Guard.

Windows Defender Application Guard makes isolated sessions look different

Windows Defender Application Guard is a lightweight virtual machine that prevents malicious activity coming from the web from reaching the operating system, apps, data, and the enterprise network.

“Unlike other browsers that use software-based sandboxes, which still provide a pathway for malware and vulnerability exploits, Microsoft Edge’s use of Application Guard isolates the browser and employee activity using a hardware-based container,” Yusuf Mehdi, corporate VP, Windows and Devices Group, explained.

This virtualization technology extends beyond the kernel level.

The technology will be introduced in the next major Windows 10 update, and only in the Enterprise edition.

Enterprise administrators will be able to configure a trusted network site list policy and distribute it to devices across the network.

Websites that are considered untrustworthy (i.e. are not on the list) will automatically launch Microsoft Edge in an isolated session (a virtual container). Once that browsing session is closed, any malware that wanted to enter the network will disappear along with the container.

This also means that any cookies will be destroyed, too. This is the reason why the technology will not be extended to “regular” users for now, as it makes web browsing a less streamlined affair.

For now, Application Guard will only be available for Edge.


Help Net Security

A malware lab in the Cybercrime Center on Microsoft's campus lets members of the company's Digital Crimes Unit work on malicious software in a controlled environment.

One of the biggest security risks for computer users is their web browser. According to Microsoft, 90 percent of phishing emails use the browser to initiate attacks, which can then be used to help attackers establish a beachhead inside a company.

Microsoft is aiming to better protect users and organizations from the threats that they face with a new feature called Windows Defender Application Guard. It's designed to isolate Microsoft Edge from the rest of the files and processes running on a user's computer and prevent computer exploits from taking hold.

[ The essentials for Windows 10 installation: Download the Windows 10 Installation Superguide today. | Stay up on key Microsoft technologies with the Windows Report newsletter. ]

This is a move that could drive greater adoption of Microsoft's browser in the enterprise, at a time when the company is fiercely competing with Google in that space. Security of company assets is a big problem for enterprises, and Microsoft is offering them another way to help protect their users without requiring those users to be security experts.

Here's how it works: when users navigate to untrusted websites in Edge with the feature enabled, Microsoft's browser launches new sessions that run in virtualized containers on their Windows 10 PCs and tablets.

In the event there's malicious code on those sites that tries to deploy on users' machines, it gets deployed into the container, isolated from the operating system and everything else.

When users quit their Edge sessions, the container is destroyed, and the malicious code is supposed to go along with it, thereby protecting users from whatever payload they may have been exposed to.

According to Rob Lefferts, Microsoft's director of program management for Windows Enterprise and Security, the other key thing about the feature is that the container's isolation is enforced using a secure root of trust that runs on the computer's processor itself.  

While Application Guard is a powerful capability, that comes at a cost. Because the container is destroyed whenever a user quits Edge, any cookies or cached items accumulated during that time go with it. In other words, even if users check the "Remember Me" button on a website, they'll have to log back in next time they open Edge. Virtualizing Microsoft's browser will also lead to some loss of performance.

IT administrators will be able to set the service up to whitelist certain trusted sites which will run in a traditional, non-containerized form, so users can get the same sort of browsing experience they're used to from those sites.

Lefferts cautioned that the feature won't be right for every organization, or even every employee.

"It is really [for] environments that want to run locked-down browsers," he said in an interview. "Finance organizations, healthcare organizations, a whole slew of military organizations that I talk to."

Microsoft is still in the process of building the feature, and will be rolling it out to Windows Insiders in the coming months. The company expects Windows Defender Application Guard to be generally available some time in 2017, for organizations that are subscribed to the Windows 10 Enterprise E3 and E5 plans.

That means there are still some questions left unanswered about what Windows 10 Application Guard will mean for users. For example, the company isn't saying yet what sort of impact running Edge in a container will have on its performance.

Lefferts said that the company is still working on getting the performance right, and wants to make both the Edge startup experience and the browsing experience feel good to users.

Looking forward, Microsoft may make the same containerization technology available to other applications, Matt Barlow, the corporate vice president for Windows Marketing, said during a press conference. But right now, the company is working to ship the first version of the feature.

Windows Defender Application Guard is one of a number of security-focused announcements that the company made at its Ignite conference in Atlanta, Georgia on Monday. It also announced that Windows Defender Advanced Threat Protection and Office 365 Advanced Threat Protection will share intelligence across both services to provide IT administrators with an easier way to manage threats.  

The company is also releasing a new Secure Productive Enterprise service, which gives companies an easy way to buy a suite of its advanced security capabilities across Office, Windows and its Enterprise Mobility + Security suite.


InfoWorld Security

blog_microsoft_licensing_changes_SQMicrosoft has announced several new software licensing bundles, with a focus on productivity and security, along with many new models for large companies and different verticals.

Most long-time IT professionals will tell you that Microsoft’s software licensing schemes for business customers are like so many Facebook users’ relationship status: It’s complicated. We had enough difficulty untangling the intricacies of server, client, and applications licenses, CALs, per-user, per-device, and per-processor licensing models. And came along the cloud, to add subscription-based licensing to the mix.

To make matters worse, it’s a moving target; just about the time you think you finally have it figured out, they change things on you, and they have done it again a few months ago, with the introduction of the new subscription plans for Windows desktop operating systems. The good news is that customers, at least in some cases, have benefitted from ongoing efforts to simplify the licensing process, although whether this will actually save you money depends on your use case scenarios.

The most recent change announced in July provides a bundle with both client operating system and cloud productivity services, as well as the Enterprise Mobility + Security (EMS) pack, formerly known as the Enterprise Mobility Suite. “Bundling” is a popular sales model that combines products and services into one often attractively-priced package, so Microsoft’s new bundle includes Windows 10 Enterprise edition, Office 365 and EMS. They’re calling it the Secure Productive Enterprise bundle, and this is a way to simplify licensing for businesses that need these three products/services, all of which work together in today’s security-conscious, highly mobile, collaboration-focused work environment.

Secure Productive Enterprise (SPE) builds on Microsoft’s Enterprise Cloud Suite (ECS), that was introduced in December 2014 as a per-user licensing option through the Microsoft Enterprise Agreement (EA). The SPE bundle will come in two flavors: E3 and E5. The E3 model brings the three products listed above, and the change that is causing much confusion is the name of the Windows version, which is now officially Windows 10 Enterprise E3. This forced many people to think that this is now some sort of subscription-based version of Windows, but essentially this is just a regular Windows 10 Enterprise bundled with Office 365 E3 plan and EMS.

The Secure Productive Enterprise E5 version adds to the equation Microsoft’s new service, Windows Defender Advanced Threat Protection, which uses machine intelligence and the Azure based “intelligent security graph” to increase security levels; we’re preparing a blog post dedicated to this new service, so if you don’t want to miss it, use the form below to subscribe to our blog.

These are only the latest in a series of licensing changes we’ve seen over the last twelve months. We began the year with the news that Windows Server 2016, scheduled for release in late September, would be moving to a per-processor-core licensing model. Many customers weren’t happy with the decision, calling it a “revenue grab” – Microsoft explained it as part of the evolution of Windows Server to support the hybrid cloud.

Enterprises have seen some more licensing changes this summer, and Microsoft has announced additional modifications to enterprise licensing terms coming up in 2017. The first set of changes to Enterprise Agreement (EA) contracts took effect on July 1, and will affect small/mid-sized companies most, as it increased the number of seats qualifying for an EA to 500, up from the previous minimum 250 seats.

Those who no longer fit into the EA parameters aren’t the only ones who’ll be looking for alternatives. There’s more bad news for those companies that currently use a Select Plus agreement: Microsoft has announced that they’re retiring that program, which is a form of “a la carte” software purchasing. The good news is that the Open License program is expected to continue.

Another option is to switch to a Microsoft Products and Services Agreement (MPSA), a program that represents Microsoft’s effort to offer a simpler form of licensing agreement. Microsoft appears to be pushing the MPSA, which does work for those customers who fall into the 250-499 seat range. The MSPA is going to start offering something called Enterprise Advantage, and you might notice that its initials are also EA, so how’s that for confusion? It also has something else in common with the Enterprise Agreement, in that both are contracts of three years’ duration.

Once it becomes available, Microsoft says Enterprise Advantage will provide comparable benefits to the Enterprise Agreement. It will allow organizations to purchase across their entire org under the same agreement, and you’ll have the choice to either purchase company-wide or on a transactional basis. You can purchase whatever you need, whenever you want, without any additional enrollments. You can mix perpetual and subscription software with cloud services, and you can “true up or “true down” your subscriptions and services when necessary as your business changes. Here is Microsoft’s announcement of the impending availability and features of Enterprise Advantage from the Microsoft Volume Licensing Blog on the TechNet web site.

Later in 2017, there will be two more, specialized offerings for public sector and educational institutions, called Government Advantage and Education Advantage. There are currently volume licensing plans for small, mid-size and large businesses, and there are specialized programs for government, education, health-related and non-profit verticals. Small business licensing includes open licensing programs with the ability to add online services to the agreement, for those who are transitioning to the cloud.

Online services such as Office 365 can be covered by the MPSA, and it provides more flexibility than the more traditional licensing plans. Then there is the Cloud Solution Provider (CSP) agreement, which is for Microsoft partners who sell Microsoft cloud services to customers. Of course, if you’re IT is based mostly on-premises and your organization is large enough to have 500 or more seats, you can stick with the traditional Enterprise Agreement. However, if your contract is up for renewal, you should compare the cost and benefits of the EA vs. the MPSA to determine which best fits your needs.

You may also like:

  • 10 new Windows 10 features for sysadmins
  • The top 23 Cmd-line tools on my computer, and where…
  • The top 33 Windows 10 tips, tricks, hacks, and tweaks


GFI Blog