
Tag: Microsoft Security

Microsoft’s New Security Update Guides Get Mixed Reviews

Microsoft's new Security Update Guide, which replaced Security Bulletins, is getting a lukewarm response.

Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable

PCs can be compromised when Defender scans an e-mail or IM; a patch has been issued.

Here’s how to check if your PC got Microsoft’s fix for...

It’s like Pepsi declaring that Coke just won a taste test: Google Project Zero security researchers discovered a security hole in Microsoft’s Malware Protection Engine, and two days later the Microsoft Security Response Center not only fixed the bug but also rolled out the update through the usual Windows Defender update mechanism. The bug in the main Windows Defender program was described in Security Advisory 4022344.

Chances are good your Windows computer got the fix last night. Google Project Zero security researchers Tavis Ormandy and Natalie Silvanovich are credited with discovering the vulnerability. Ormandy tweeted that the security hole was “the worst Windows remote code exec in recent memory… crazy bad.”

Microsoft rushes emergency fix for critical antivirus bug

The point of antivirus is to keep malware off the system.

A particularly nasty software flaw in Microsoft’s antivirus engine could do the exact opposite and let attackers install malware on vulnerable systems. The critical security vulnerability in the Microsoft Malware Protection Engine affects a number of Microsoft products, including Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection.

These tools are enabled by default in Windows 8, 8.1, 10, and Windows Server 2012.

Microsoft patches most NSA Windows exploits, but vulnerabilities remain

Microsoft on Friday said it had patched most of the Windows vulnerabilities purportedly exploited by the National Security Agency (NSA) using tools that were leaked last week. The Windows flaws were disclosed by the hacking gang Shadow Brokers in a l...

VU#921560: Microsoft OLE URL Moniker improperly handles remotely-linked HTA data

Microsoft OLE uses the URL Moniker to open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.

Microsoft Friday false positive: Bluber-A ballsup makes sysadmins blub

Benign and fine but alarms do double-time

Enterprises were faced with all sorts of inconvenience on Friday after a Microsoft security tool incorrectly flagged up benign files as infected with a worm.…

Security fixes delayed as Microsoft postpones Patch Tuesday

A surprise announcement yesterday afternoon rattled Microsoft customers: Patch Tuesday is officially being delayed for a month. Microsoft is being close-mouthed.

A curt, unsigned post on the Microsoft Security Resource Center TechNet blog simply states: "UPDATE: 2/15/17: We will deliver updates as part of the planned March Update Tuesday, March 14, 2017."

Microsoft started documenting its security patches with Security Bulletins in 1998, but the patches arrived at random. Steve Ballmer announced the Patch Tuesday protocol on Oct. 9, 2003 to “reduce the burden on IT administrators by adding a level of increased predictability and manageability.” Starting with MS03-041, security patches were generally held until the second -- sometimes third or fourth -- Tuesday of the month.

VU#867968: Microsoft Windows SMB Tree Connect Response denial of service vulnerability

Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system.

Chrome dev explains how modern browsers make secure UI just about...

The 'LINE OF DEATH' between safe content and untrustworthy stuff is receding every year

Google Chrome engineer Eric Lawrence has described the battle of browser barons against the 'line of death', an ever-diminishing demarcation between trusted content and the no-man's land where phishers dangle their poison. The line, Lawrence (@ericlaw) says, is a conceptual barrier between content that browser developers control, such as the area around the address bar, and untrusted content such as the browser window where attackers can serve malicious material. "If a user trusts pixels above the line of death, the thinking goes, they’ll be safe, but if they can be convinced to trust the pixels below the line, they’re gonna die," Lawrence says. But the line is receding because untrusted content now appears above it in tabs, where attackers choose their page title and icon. Chevrons that open small windows showing extended information on HTTPS usage, requests for location information, and so on also extend below the line and carry trusted data into untrusted territory.

Image caption: Chevrons with trusted data breach the line. (Image: Lawrence)

Those subtle intrusions across the line open avenues for phishers; chevron popups can be faked and 'block' and 'allow' buttons turned into malicious clickable links, for example. In 2005, a remote code execution flaw affecting Firefox was dug up which abused favicons, the untrusted icons websites set that appear in tabs and bookmarks. The line of death deteriorated in 2012 when Microsoft moved Windows 8 Internet Explorer to its full-screen, minimalistic immersive mode. Lawrence, then program lead for Internet Explorer at Microsoft, opposed the move and says it made the line of death indistinguishable from content: "... because it (Internet Explorer) was designed with a philosophy of 'content over chrome', there were no reliable trustworthy pixels," he says. "I begged for a persistent trust badge to adorn the bottom-right of the screen - showing a security origin and a lock - but was overruled." He says one Microsoft security wonk built a "visually-perfect" PayPal phishing site that duped the browser and threw fake indicators. "It was terrifying stuff, mitigated only by the hope that no one would use the new mode." The breaching of the line of death is a boon to picture-in-picture phishing attacks, in which attackers create what appear to be fully functional browsers within a browser.

Immaculate reproductions of browsers, including the trusted sections above the line of death, have been created that fool even eagle-eyed researchers. Microsoft's own security researchers in 2007 found picture-in-picture attacks to be virtually perfect.

The team of four wrote in a paper titled An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks [PDF] that the attack vector was so compelling it beat all other phishing techniques, including homograph tricks in which letters of legitimate URLs are replaced with visually similar equivalents from, for example, the Cyrillic alphabet.

Image caption: Everything is untrusted: the line of death dies in HTML5. (Image: Lawrence)

Picture-in-picture attacks also rendered ineffective the then-new extended validation SSL certificate scheme for determining malicious sites.

Extended validation, now mainstream, displays a green address bar padlock for participating and verified sites.

The inconvenient research spooked one large certificate vendor then in talks with Redmond over buddying up for the then-new certificates. The line of death receded further with the advent of HTML5, which brought with it the ability for websites, and phishers, to push browsers into fullscreen mode, wiping out any line between trusted and untrusted content. And the line is all but absent on mobile devices, where simplicity and minimalism are king. "We are seeing a lot more hits on phishing links in mobile because it is so much harder to extract necessary information," Sophos senior technology consultant Sean Richmond tells El Reg. "Expanding the URLs is more difficult and it is harder to get the information users need to make decisions, so security awareness can suffer." Email apps are similarly breaching the line of death. Modern versions of Outlook place a trusted notice, "this message is from a trusted sender", within the untrusted email contents window, allowing phishers to replicate it. "Security UI is hard," Lawrence says.

Windows 10 Anniversary Update crushed exploits without need of patches

Microsoft security boffins throw fresh CVEs at unpatched OS, emerge smiling

Microsoft says its Windows 10 Anniversary Update squashes more exploit delivery chains than ever. The August updates brought in a series of operating system security improvements, including boosts to Windows Defender and use of AppContainer, designed to make it harder for zero-day exploits to execute on patched systems. Redmond's security team tested its exploit mitigations against two kernel-level, then zero-day, privilege escalation exploits (CVE-2016-7255, CVE-2016-7256) used by active hacking groups. They found, in a technical analysis designed to stress test the resilience of Windows 10, that the bugs were neutered on Anniversary Update machines even before Microsoft issued the respective November patches, thanks to the exploit mitigation controls. "Because it takes time to hunt for vulnerabilities and it is virtually impossible to find all of them, such security enhancements can be critical in preventing attacks based on zero-day exploits," the team says. "While fixing a single-point vulnerability helps neutralize a specific bug, Microsoft security teams continue to look into opportunities to introduce more and more mitigation techniques. "Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact." The team points to the benefits of both simple and complex mitigations, including simple changes that cause read/write (RW) primitives to trigger harmless blue screen of death errors. Pushing font-parsing code into isolated containers under improvements to AppContainer, together with additional validation for font file parsing, significantly reduced the ability to use font bugs for privilege escalation, the team says. That shut the door on one South Korean hacking group which used CVE-2016-7256 in small but targeted attacks in the nation.

"Windows 10 Anniversary Update introduced many other mitigation techniques in core Windows components and the Microsoft Edge browser, helping protect customers from entire classes of exploits for very recent and even undisclosed vulnerabilities," the team says. The updates follow Microsoft's decision to delay the axing of the lauded enhanced mitigation toolkit to 31 July next year. That move sparked the ire of Carnegie Mellon University CERT boffin Will Dormann, who says the toolkit significantly improved the exploit mitigation chops of Windows 10 and should be maintained, not dropped.

MS17-001 – Important: Security Update for Microsoft Edge (3214288) – Version:...

Security Update for Microsoft Edge (3214288)
Published: January 10, 2017
Version: 1.0

This security update resolves a vulnerability in Microsoft Edge.

This vulnerability could allow elevation of privilege if a user views a specially crafted webpage using Microsoft Edge.

An attacker who successfully exploited the vulnerability could elevate privileges in affected versions of Microsoft Edge. This security update is rated Important for Microsoft Edge on Windows 10 and Windows Server 2016.

For more information, see the Affected Software section. The update addresses the vulnerability by assigning a unique origin to top-level windows that navigate to Data URLs. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3214288.

The following software versions or editions are affected.
Versions or editions that are not listed are either past their support life cycle or are not affected.

To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle. The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability.

For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the January bulletin summary.

Note: Please see the Security Update Guide for a new approach to consuming the security update information. You can customize your views and create affected software spreadsheets, as well as download data via a RESTful API.

For more information, please see the Security Updates Guide FAQ.

As a reminder, the Security Updates Guide will be replacing security bulletins as of February 2017. Please see our blog post, Furthering our commitment to security updates, for more details.

[1] Windows 10 and Windows Server 2016 updates are cumulative.

The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates.

The updates are available via the Microsoft Update Catalog. Please note that effective December 13, 2016, Windows 10 and Windows Server 2016 details for the Cumulative Updates will be documented in Release Notes. Please refer to the Release Notes for OS Build numbers, Known Issues, and affected file list information.

* The Updates Replaced column shows only the latest update in any chain of superseded updates.

For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Microsoft Edge Elevation of Privilege Vulnerability - CVE-2017-0002

An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies with about:blank, which could allow an attacker to access information from one domain and inject it into another domain.

An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Microsoft Edge. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability.
In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability.
In all cases, however, an attacker would have no way to force users to view the attacker-controlled content.
Instead, an attacker would have to convince users to take action.

For example, an attacker could trick users into clicking a link that takes them to the attacker's site. The update addresses the vulnerability by assigning a unique origin to top-level windows that navigate to Data URLs.

The following table contains a link to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Edge Elevation of Privilege Vulnerability | CVE-2017-0002 | Yes | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

V1.0 (January 10, 2017): Bulletin published.