Free Republic
Patch Tuesday: Microsoft raises alert for dangerous IE, Windows flaws
ZDnet ^ | 12 Jun 2012 | Ryan Naraine

Posted on 06/13/2012 9:39:00 PM PDT by OldEarlGray

Summary: Microsoft expects to see exploit code targeting at least one of the vulnerabilities within the next 30 days.

Microsoft today warned that cyber-criminals could soon aim exploits at critical security flaws in the Internet Explorer browser and Windows to hijack and take complete control of vulnerable machines.

The warning comes as part of this month’s Patch Tuesday where Microsoft released 7 bulletins with fixes for at least 26 documented vulnerabilities affecting the Windows ecosystem.

The company is urging users to pay special attention to MS12-037 and MS12-036, which provide cover for “remote code execution” vulnerabilities that could be used in worm attacks and drive-by downloads without any user interaction.

MS12-037, which affects all supported versions of the IE browser, fixes 13 vulnerabilities that expose users to computer hijack attacks if a user simply surfed to a rigged web site. Microsoft expects to see exploit code targeting at least one of the vulnerabilities within the next 30 days.

The company warned that information on one of the browser flaws is already publicly available, which means that hackers have already gotten a head start on preparing attacks. [ Exploit code published for RDP worm hole; Does Microsoft have a leak? ]

The second high-priority bulletin is MS12-036, which covers a dangerous flaw in the way Microsoft implements the Remote Desktop Protocol (RDP) in Windows. “Attack vectors for this issue include maliciously crafted websites and e-mail,” the company warned.

This is the second major RDP flaw haunting Windows in the space of a few months.

According to Marc Maiffret, CTO at BeyondTrust, the Internet Explorer and RDP issues present the “more immediate exploitable threats.”

“Given the value of Remote Code Execution on RDP there will surely be a lot of folks trying to weaponize that vulnerability. Only time will tell if people are successful with this RDP flaw where they were not with the one in March,” Maiffret added.

Windows users and administrators will also want to treat the MS12-038 bulletin with the highest possible priority. From the bulletin:

This security update resolves one privately reported vulnerability in the Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions.

Microsoft also expects to see exploit code for this vulnerability within the next 30 days.

In addition to the security bulletins, Redmond’s security response team is also releasing an automatic updater feature for Windows Vista and Windows 7 untrusted certificates.

The new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted.

With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update. This new automatic update mechanism, which relies on a list of untrusted certificates known as a Disallowed Certificate Trust List (CTL), is detailed on the PKI blog. We encourage all customers to install this new feature immediately.

In August, Microsoft is also planning to release a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length. “Once this key length update is released, we will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority,” Microsoft explained.

These changes follow the incredible discovery that attackers with nation-state backing hacked the Windows Update utility to spoof certificates and spread the Flame malware within Windows networks.


KEYWORDS: cyberwarfare; internetexplorer; microsoft; msie; patch; patchtuesday; windows; zeroday
"These changes follow the incredible discovery that attackers with nation-state backing hacked the Windows Update utility to spoof certificates and spread the Flame malware within Windows networks"

Hmm. Let us ask the good Lutheran question: "What does this mean?"

Anybody? Anybody? Buuuuhler?
1 posted on 06/13/2012 9:39:07 PM PDT by OldEarlGray

To: Travis McGee; CodeToad

“All your base classes are belong to us, hahaha” ping.


2 posted on 06/13/2012 9:41:20 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sterilized with Tea)

To: OldEarlGray

That means that your next automatic “Windows Update” could come all the way from North Korea.


3 posted on 06/13/2012 9:44:13 PM PDT by Revolting cat! (Let us prey!)

To: OldEarlGray

It means you should be using Firefox.


4 posted on 06/13/2012 9:44:51 PM PDT by bossmechanic (If all else fails, hit it with a hammer)

To: OldEarlGray
to hijack and take complete control of vulnerable machines.

Wouldn't you notice if your computer was hijacked?
And wouldn't you then just unplug it?

5 posted on 06/13/2012 9:45:43 PM PDT by Lancey Howard

To: bossmechanic

>>it means you should be using firefox.

The compromise of (or the ability to spoof/fake) Microsoft’s signing certificates is much more than just a browser issue.


6 posted on 06/13/2012 9:50:21 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sterilized with Tea)

To: Lancey Howard

>>Wouldn’t you notice if your computer was hijacked?

Not if the attacker is operating “low and slow”.

This has been a topic of discussion here at Microsoft’s TechEd all week.


7 posted on 06/13/2012 9:56:06 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sterilized with Tea)

To: OldEarlGray

I never do auto updates; I want to see what it is.


8 posted on 06/13/2012 9:56:16 PM PDT by markman46 (engage brain before using keyboard!!!)

To: OldEarlGray
HUH? How could anybody be caught out with a cert key less than 1024 bits??

I haven't allowed anything shorter than 2048 bits to be generated in our shop in a couple of years. It's not hard -- just specify the number when making the key.

How tough is that? WTF?

9 posted on 06/13/2012 9:57:37 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: Revolting cat!

Say hello to the WU Man in the Middle.


10 posted on 06/13/2012 9:58:37 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sterilized with Tea)

To: OldEarlGray

Cue the Apple evangelics 1...2...3...


11 posted on 06/13/2012 10:01:05 PM PDT by Carolina_Thor (It's always better to be thought a fool, than to open your mouth and remove all doubt.)

To: Carolina_Thor

Naw, it’s the EUNUCHS boys we’re expecting!


12 posted on 06/13/2012 10:02:12 PM PDT by Revolting cat! (Let us prey!)

To: Revolting cat!

And Lie-Nooks!


13 posted on 06/13/2012 10:04:13 PM PDT by Revolting cat! (Let us prey!)

To: dayglored

Some shops have development tools that are more than just a couple of years old.

Dunno how many bits those dlls were signed with, but I’d expect good FR SA folks might want to inventory their legacy software artifacts post haste.


14 posted on 06/13/2012 10:06:20 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sterilized with Tea)
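
Post 14's suggestion to inventory legacy signed artifacts, combined with the article's cutoff of RSA keys of less than 1024 bits, can be turned into a scan of Authenticode signatures. This is an added example, not part of the thread or the article; it assumes Windows PowerShell 5.1 or later on .NET Framework 4.6+, and the `$Path` and `$MinBits` defaults are illustrative.

```powershell
# Added example: list signed binaries whose signer or issuer certificates
# use an RSA key shorter than $MinBits. $Path and $MinBits are assumptions.
param(
    [string]$Path = "$env:ProgramFiles",
    [int]$MinBits = 1024
)

function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # GetRSAPublicKey returns $null for non-RSA keys (DSA, ECDSA); those are skipped.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { $rsa.KeySize }
}

Get-ChildItem -Path $Path -Recurse -File -Include *.dll, *.exe, *.sys -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_.FullName
    $sig  = Get-AuthenticodeSignature -FilePath $file
    if (-not $sig.SignerCertificate) { return }   # unsigned file: nothing to check

    # Build the chain so issuing CA certificates are examined as well.
    # Revocation lookups are skipped; only key sizes matter for this inventory.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($sig.SignerCertificate)

    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    if ($certs.Count -eq 0) { $certs = @($sig.SignerCertificate) }

    foreach ($c in $certs) {
        $bits = Get-RsaKeyBits $c
        if ($bits -and $bits -lt $MinBits) {
            [pscustomobject]@{
                File       = $file
                Subject    = $c.Subject
                Thumbprint = $c.Thumbprint
                RsaBits    = $bits
                SigStatus  = $sig.Status
            }
        }
    }
    $chain.Dispose()
}
```

Each output row is one weak certificate in a file's signing chain, so a file can appear more than once; timestamp countersignature certificates are not examined.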

To: OldEarlGray
Malware can be a thing of the past if you familiarize yourself with and use a program called "Sandboxie".

It's cheap and it works. I started using it after I got sick and tired of having to clean up malware. A lot of times, you sit around wondering if you are infected and don't even know it. Are you? Anyway, I got sick of it and I won't use a web browser anymore unless it runs in a sandbox. I highly encourage people to investigate and use this. There is a 30 day free trial... just google the program name.

This is no substitute for keeping your PC patched up to date, but it takes all the worry out of using email or web browsers.

15 posted on 06/13/2012 10:32:51 PM PDT by FunkyZero (... I've got a Grand Piano to prop up my mortal remains)

To: bossmechanic
Are the "Microsoft" assemblies listed here real...



...or are they, something else?

Personally, I don't find it disturbing at all that centrifuges under the control of insane religious tyrant thugs had an "accident"; and if that's what it takes to keep our wives and daughters from being forced to wear a burkha, then by all means - CHARLIE MIKE and blow up some more shyte.

But, folks should know that at least one of the [foreign born] security presenters here at MS TechED was quacking all indignantly about that incident -- whilst lamenting the demise of the Anonymice.
16 posted on 06/13/2012 10:35:51 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)

To: FunkyZero

You don’t have to use a web browser to be infected with malware.


17 posted on 06/13/2012 10:39:09 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)

To: OldEarlGray
Web browsing is how 90% of PCs get infected. The other 10% come from email (normally running in a web browser as well).

Also, if you actually looked at the program, you would see that ANY executable program can be run sandboxed, not just web browsers.

18 posted on 06/13/2012 10:46:34 PM PDT by FunkyZero (... I've got a Grand Piano to prop up my mortal remains)

To: FunkyZero

>>This is no substitute for keeping your PC patched up to date

Keeping your PC patched up to date is important but that’s not enough.

How many folks are reading this whilst [needlessly] logged in using a UserID that has Administrative privileges [by default] assigned to it?

Or without a firewall and up to date virus protection?

Or without the most recent OS security patches applied by the Automated Updated Utility, that’s signed by Microsoft... or not?


19 posted on 06/13/2012 11:00:38 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)

To: FunkyZero

Baloney.

SQL injection uses neither “Web Browsing” nor “Email”.

If I want a sandbox, I’ll use a VM.


20 posted on 06/13/2012 11:08:43 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)

