The September 2016 Patch Tuesday release from Microsoft includes 14 bulletins in total, seven of them rated critical, and six of those critical bulletins address browser security in one form or another.

For September's Patch Tuesday release, experts said MS16-104 and MS16-105 are the standard bulletins for Microsoft's Internet Explorer and Edge browsers, respectively, and should be prioritized because they include patches for remote code execution (RCE) vulnerabilities. But these bulletins do not stand alone, because the web browser is a popular attack vector.

Amol Sarwate, director of Vulnerability Labs at Qualys, Inc., noted that MS16-106, for the Microsoft Graphics Component, MS16-109, for Silverlight, and MS16-116, for the VBScript Scripting Engine, each remediate critical RCE flaws that can be exploited by coercing a victim to visit a malicious website. Additionally, MS16-117 contains critical fixes for Adobe Flash libraries contained in Internet Explorer 10 and 11 and Microsoft Edge.

Lane Thames, security research and software development engineer at Tripwire, said enterprises should note MS16-116. "The catch here is that the vulnerability, identified by CVE-2016-3375, is not fully resolved until the Internet Explorer security updates in MS16-104 are applied." 

MS16-107 includes critical patches for Microsoft Office and SharePoint to resolve a total of 13 vulnerabilities.

Chris Goettl, product manager with Shavlik, said IT should note this bulletin includes "all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007."

"You may see this show up on machines more than once depending on what products and viewers are on each system," Goettl said. "This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management."

The final critical bulletin for September's Patch Tuesday is MS16-108, which addresses vulnerabilities in Microsoft Exchange Server. The most severe flaw could allow remote code execution in the Oracle Outside In libraries built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server.

However, Goettl said the risk of this vulnerability would be mitigated if an enterprise moved to the cloud.

"At this point, the number of enterprises running Microsoft Exchange on-premises is dwindling as many have moved to Office365. If you are on Office365, it's assumed that Microsoft has already rolled this patch out and you can ignore this patch," Goettl said. "If you are still running Exchange on premises, this update should be installed soon. However, after installation, it's worth moving your mail to the cloud."

Thames saw a trend regarding attack vectors and MS16-115, an update to Microsoft's PDF Library.

"PDF has long been a favorite for cyber attackers and criminals. A new trend to notice is Microsoft Windows' PDF library appearing more and more often as a common Patch Tuesday bulletin," Thames said. "Today, Microsoft is releasing MS16-115 as a security update for its PDF Library, which resolves two information disclosure vulnerabilities. This new trend can be seen by the following sequence of bulletins: MS16-012, MS16-068, MS16-080, MS16-102, MS16-105, and MS16-115. This is a collection of security bulletins introduced this year for various vulnerabilities related to PDF in Windows. Administrators should ensure that critical systems, such as servers or other machines that contain sensitive data, do not have these components installed if it is not needed."

Rounding out the rest of the September Patch Tuesday are the important bulletins MS16-110 and MS16-114, which fix RCE flaws in Windows and SMBv1 Server; MS16-111 and MS16-112, which resolve elevation of privilege vulnerabilities in the Windows Kernel and Windows Lock Screen; and MS16-113, which handles an information disclosure issue in the Windows Secure Kernel.

Overall, Craig Young, cybersecurity researcher for Tripwire, said he noticed a positive trend in Microsoft's security bulletins.

"This month Microsoft has indicated that there are only nine vulnerabilities rated as 'exploitation likely' which can result in code execution with all but two of these CVEs existing within browser code. As a point of comparison, there has been a general gradual decline in the number of easily exploited Microsoft bugs over time and even just looking at the past three months, the bulletins averaged having twice as many easily exploited vulnerabilities," Young said. "This trend is even more interesting if we look back at the September 2015 bulletin when there were roughly three times as many vulnerabilities with the 'exploitation likely' rating."

Next Steps

Catch up on the August 2016 Patch Tuesday news.

Learn more about the advantages, disadvantages and surprises of Office 365.

Find out how to spot and prevent emerging PDF attacks.

SearchSecurity: Security Wire Daily News

The FBI is taking "very seriously" the possibility a foreign country is trying to meddle with America's electoral process and even influence voting outcomes, the agency's director James Comey said Thursday.

US agencies, companies and individuals are frequently targeted by overseas hackers, and Democratic presidential nominee Hillary Clinton's campaign has accused Moscow of hacking into Democratic National Committee (DNC) emails.

The recent breach of DNC data, along with other electronic intrusions, has raised concerns about cyber incidents that could affect the outcome of the US presidential race, or other contests.

FBI agents "take very seriously the notion that a state actor is messing someway in our electoral process -- whether that is to disrupt, to influence, to sow discord, or to create doubt," Comey said at a Washington security summit, without specifically mentioning Russia.

The FBI is "working very hard" to understand the size and scope of any hacking attempts, he said, but tried to reassure the public that the old-fashioned way of tallying ballots in many states protects them from hackers.

"The actual vote counting in this country tends to be kind of clunky, in a way that's a blessing because it makes it more resilient," he said.

Director of National Intelligence James Clapper on Wednesday said Russia hacks US computer networks "all the time."


© AFP 2016


SecurityWeek RSS Feed

Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it isn't good enough, a researcher demonstrated this week.

Rob Fuller, principal security engineer at R5 Industries, found out that all it takes to copy an OS account password hash from a locked Windows computer is to plug in a special USB device for a few seconds. The hash can later be cracked or used directly in some network attacks.


For his attack, Fuller used a flash-drive-size computer called USB Armory that costs $155, but the same attack can be pulled off with cheaper devices, like the Hak5 LAN Turtle, which costs $50.

The device needs to masquerade as a USB-to-Ethernet LAN adapter in such a way that it becomes the primary network interface on the target computer. This shouldn't be difficult because: 1) operating systems automatically start installing newly connected USB devices, including Ethernet cards, even when they are in a locked state, and 2) they automatically prefer wired or fast Ethernet cards as the default gateway.

For example, if an attacker plugs a rogue USB-to-Gigabit-Ethernet adapter into a locked Windows laptop that normally uses a wireless connection, the adapter will get installed and will become the preferred network interface.

Furthermore, when a new network card gets installed, the OS configures it to automatically detect the network settings through the DHCP (Dynamic Host Configuration Protocol). This means that an attacker can have a rogue computer at the other end of the Ethernet cable that acts as a DHCP server. USB Armory is a computer on a stick that's powered via USB and can run Linux, so no separate machine is required.

Once an attacker controls a target computer's network settings via DHCP, he also controls DNS (Domain Name System) responses, can configure a rogue internet proxy through the WPAD (Web Proxy Autodiscovery) protocol and more. He essentially gains a privileged man-in-the-middle position that can be used to intercept and tamper with the computer's network traffic.

According to Fuller, computers in a locked state still generate network traffic, allowing for the account name and hashed password to be extracted. The time it takes for a rogue USB device to capture credentials from a system using this attack is around 13 seconds, he said.

He tested the attack successfully on Windows and OS X. However, he is still working on confirming whether OS X is vulnerable by default or whether it was his Mac's particular configuration that was vulnerable.

"First off, this is dead simple and shouldn’t work, but it does," the researcher said in a blog post. "Also, there is no possible way that I’m the first one who has identified this, but here it is."

Depending on the Windows version installed on the computer and its configuration, the password hashes will be in NT LAN Manager (NTLM) version 2 or NTLMv1 format. NTLMv2 hashes are harder to crack, but not impossible, especially if the password is not very complex and the attacker has access to a powerful password cracking rig.

There are also some relay attacks against network services where NTLM hashes can be used directly without having to know the user's plaintext password.

The lesson from all this is, as Fuller noted on Twitter: "Don't leave your workstation logged in, especially overnight, unattended, even if you lock the screen."

At Black Hat 2016 in Las Vegas, security researchers presented new vulnerabilities in key web protocols, including a set of four flaws in the next-generation HTTP/2 protocol and a new twist on compression-based attacks that makes it easier to decrypt HTTPS data.

Tom Van Goethem and Mathy Vanhoef, Ph.D. researchers at the University of Leuven in Belgium, described a vulnerability they call HEIST -- "HTTP Encrypted Information can be Stolen through TCP-windows" -- which builds on a method for determining the exact size of TCP responses and makes old attacks easier because the SSL/TLS protocols do nothing to obscure packet lengths. The HEIST vulnerability can allow attackers to easily infer the length of plaintexts being transmitted.

"Concretely, this means that compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring a man-in-the-middle position. Moreover, we also show that our length-exposing attacks can be used to obtain sensitive information from unwitting victims by abusing services on popular websites," the researchers wrote.

The researchers were able to "increase the damaging effects of our attacks by abusing new features of HTTP/2," in particular the ability to open parallel requests over a single TCP connection. Mitigations will be difficult: "One of the few, if not the only, adequate countermeasure is to disable third-party cookies," Van Goethem and Vanhoef wrote.
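The compression side channel that CRIME, BREACH and HEIST all rely on can be seen without any network at all. The following is an added example, not code from the article or from the HEIST authors: it compresses a constructed page that echoes attacker-influenced input next to a secret token, shows that a guess sharing a longer prefix with the secret yields a shorter body, and then applies one server-side mitigation, masking the token with a fresh random pad on every response. The page template, `SECRET_TOKEN` and the guesses are constructed for the demonstration.

```python
"""Added example, not code from the article or from the HEIST authors: the
length side channel behind CRIME/BREACH/HEIST, plus per-response token
masking as a mitigation. Template, token and guesses are constructed."""
import secrets
import zlib

SECRET_TOKEN = "csrf=7f3a9c1e2b"  # constructed secret reflected in the page


def render(secret: str, reflected: str) -> str:
    """Constructed HTTP response body: attacker-influenced input (say, a
    search query) is echoed in the same compressed body as a secret token,
    which are exactly the preconditions BREACH needs."""
    return f"<p>Search: {reflected}</p><form><input value='{secret}'></form>"


def compressed_len(body: str) -> int:
    """DEFLATE-compressed size: the value an observer can measure, because
    TLS does nothing to hide record lengths."""
    return len(zlib.compress(body.encode(), 9))


def length_oracle(secret: str, guesses: list[str]) -> dict[str, int]:
    """Compressed length per guess. A guess sharing a longer prefix with the
    secret compresses better, because DEFLATE replaces the second copy with a
    back-reference instead of emitting literals."""
    return {g: compressed_len(render(secret, g)) for g in guesses}


def mask_token(token: str) -> str:
    """Mitigation: XOR the token with a fresh random pad on every response and
    send pad||masked as hex. The wire form of the secret changes each time,
    so its compressed size no longer correlates with the guess."""
    raw = token.encode()
    pad = secrets.token_bytes(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, pad))
    return pad.hex() + masked.hex()


def unmask_token(wire: str) -> str:
    """Server side: split pad||masked and recover the original token."""
    half = len(wire) // 2
    pad, masked = bytes.fromhex(wire[:half]), bytes.fromhex(wire[half:])
    return bytes(a ^ b for a, b in zip(masked, pad)).decode()


if __name__ == "__main__":
    for guess, n in length_oracle(SECRET_TOKEN, ["csrf=7f3a9", "csrf=zyxwv"]).items():
        print(f"{guess!r:14} -> {n} bytes")  # the correct prefix is smaller
    print(render(mask_token(SECRET_TOKEN), "csrf=7f3a9"))  # token never in clear
```

Disabling third-party cookies, as the researchers recommend, removes the cross-site trigger; masking the token removes the oracle on the server side, and the two are complementary.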

Meanwhile, Imperva presented a report at Black Hat describing four attack vectors in the HTTP/2 web protocol that exposed vulnerabilities in five HTTP/2 server implementations: Microsoft IIS, Apache, Nginx, Jetty and nghttpd.

"In this study, we found an exploitable vulnerability in almost all of the new components of the HTTP/2 protocol," the report read. "The four different attack vectors we discovered are Slow Read, HPACK (Compression), Dependency DoS and Stream abuse. The five popular servers under test from various vendors were found to be vulnerable to at least one attack vector, with Slow Read being the most prevalent."

While only five servers were tested, Imperva concluded that the vulnerabilities could probably also be found in other HTTP/2 servers. The Imperva Defense Center research team worked with the vendors of the servers they tested so that the vulnerabilities they found were patched before the report was published.

In other news

  • Banner Health, the non-profit hospital system headquartered in Phoenix, Ariz., is notifying approximately 3.7 million people -- including patients, health plan members and beneficiaries, food and beverage customers, and physicians and healthcare providers -- that their personal data was exposed after it "discovered that cyber attackers may have gained unauthorized access to computer systems that process payment card data at food and beverage outlets at some Banner Health locations." Banner Health responded by hiring Kroll, the New York-based security and risk management firm, to investigate the attack, and put up a dedicated website to provide information about the incident to the people affected.
  • In another blow to a key web protocol, a feature in HTML5 meant to allow web servers to check the charge remaining on mobile device batteries, and serve less processing-intensive content to users who are running low on charge, turns out to enable a different feature: battery fingerprinting. In a paper on online tracking, Ph.D. student Steven Englehardt and Arvind Narayanan, assistant professor of computer science, both at Princeton University, described a technique for using the Battery Status API to extract enough battery status information to describe devices sufficiently to track users across different websites. Security researcher Lukasz Olejnik wrote: "Frequency of changes in the reported readouts from Battery Status API potentially allowed the monitoring of users' computer use habits; for example, potentially enabled analyzing of how frequently the user's device is under heavy use. This could lead to behavioral analysis." The battery status readouts for a particular device, which include the current battery level and the time, in seconds, to discharge and recharge the battery, are reported with enough precision, and change slowly enough, to fingerprint a device and track it across websites.
  • At Black Hat, Kaspersky Lab announced its own bug bounty program, in association with bug bounty platform provider HackerOne. For the initial phase of the program, Kaspersky is offering up to $50,000 in bounty rewards to researchers who report vulnerabilities in Kaspersky Internet Security 2017 and Kaspersky Endpoint Security 10 SP1MR3 running on Microsoft Windows 8.1, or a more recent Microsoft desktop OS. Payouts for flaws that enable local privilege escalation will be $1,000, while flaws that compromise user data or enable remote code execution will average $2,000. "Our bug bounty program will help amplify the current internal and external mitigation measures we use to continuously improve the resiliency of our products," said Nikita Shvetsov, CTO at Kaspersky Lab, in a press statement. "We think it's time for all security companies, large and small, to work more closely with external security researchers by embracing bug bounty programs as an effective and necessary tool to help keep their products secure and their customers protected."

Next Steps

Find out more about how to protect HTTPS traffic against the BREACH attack.

Read about how HTTP/2 may be the answer to improving app performance.

Learn more about how HTTP Strict Transport Security (HSTS) addresses web security.


