Microsoft botches still more patches in latest Automatic Update
AfterDawn Addict
11. September 2013 @ 22:02
Microsoft Botches More Patches In Latest Automatic Update
Posted by Soulskill on Wednesday September 11, 2013 @06:18PM
from the we'll-do-it-live dept.
snydeq writes "'No sooner did Microsoft release the latest round of Black Tuesday patches than screams of agony began sounding all over the Internet,' writes Woody Leonhard, reporting on verified problems with Microsoft Automatic Updates KB 2817630, KB 2810009, KB 2760411, KB 2760588, and KB 2760583. The latest round of MS Auto Update hell comes on the heels of one of the worst runs in MS Patch Tuesday history -- and just in time for Microsoft to expand the scope of its automatic update damage. 'Does this make you feel warm and fuzzy about automatic app updates in Windows 8.1?'"
http://tech.slashdot.org/story/13/09/11...utm_medium=feed
=======================================
Microsoft botches still more patches in latest Automatic Update
It must be Wretched Wednesday -- the day after Black Tuesday. Watch out for automatic patches KB 2817630, KB 2810009, KB 2760411, KB 2760588, and KB 2760583
No sooner did Microsoft release the latest round of Black Tuesday patches, than screams of agony began sounding all over the Internet. At this point, I've seen verified problems with KB 2817630, KB 2810009, KB 2760411, KB 2760588, and KB 2760583. Here's what we know at this point.
KB 2817630 is not a security patch, it's a gratuitously delivered functionality patch for Office 2013, and man has it had an impact on functionality. I've seen dozens of reports that installing this patch, possibly in conjunction with the KB 2810009 patch that is part of MS13-074, causes the folder pane in Outlook 2013 to disappear. An anonymous poster on the SANS Internet Storm Center offers this picture of the effect.
Thirteen hours after the first posts complaining about the problem appeared on the Microsoft TechNet forum, Microsoft still hasn't done anything. As of 00:15 a.m. PDT on Wednesday, Sept. 11, the patches are still available, still marked for automatic installation, and the KB articles have not been updated to reflect the screw-up.
It appears as if uninstalling both patches will bring the folders back, although there's a more substantive workaround offered by one of the posters on the TechNet forum:
This behaviour seems to be caused by using the latest version of the shared Office library mso.dll 15.0.4535.1002 from KB2817630 in combination with an outdated version of Outlook. Try installing KB2817503 to update Outlook to the matching version 15.0.4535.1004. I don't have the issue with the missing folder pane in this constellation. Updating Outlook with the August 2013 hotfix (KB2817503) restored the reading pane on multiple machines.
KB 2760411, KB 2760588, and KB 2760583 are parts of the MS13-072 and MS13-073 security patches for Office 2007. There are many reports of the patches being offered and re-offered and re-re- ... you get the idea. On sevenforums, poster harin35 says:
No error messages. Windows Update appears to install them; but the updates have not been installed. These are 'important' updates. When I run Windows Update again, these three updates reappear as 'important' updates.
No guidance for handling the problem is on offer in the usual forums, because the people moderating the forums haven't a clue what went wrong and Microsoft isn't saying a thing.
Again, as of 00:15 am PDT on Wednesday, Microsoft hadn't pulled any of the patches, nor had it updated the KB articles, posted any recommendations on the usual fora, issued a press release, or made one iota of effort to help its customers.
Does this make you feel warm and fuzzy about automatic app updates in Windows 8.1? Terry Myerson, are you listening?
http://www.infoworld.com/t/microsoft-wi...c-update-226594
======================================
Microsoft botches six Windows patches in latest Automatic Update
Microsoft acknowledges problems with KB 2876063, KB 2859537, KB 2873872, KB 2843638, KB 2843639, and KB 2868846, all released earlier this week
In an amazing tour de force, Microsoft's Automatic Update chute released at least six bad patches on Tuesday. Here's what's amazing: It's just 48 hours or so since the bomb bay doors opened, and Microsoft has acknowledged problems with all of these patches. That's a first, I think -- and the biggest positive development in the Automatic Update minefield I've seen in a long time.
The gory details:
MS13-061/KB 2876063 -- a remote code execution hole in Exchange Server -- has been pulled. The problem only affects Exchange 2013. From the Exchange team blog:
Late last night we became aware of an issue with MS13-061 security update for Exchange Server 2013. Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed. For those that have already installed the MS13-061 security update for Exchange Server 2013, we already have KB 2879739 that provides the steps on how to resolve this issue. However, due to this issue and that it affects all Mailbox server installations, we have decided to pull the MS13-061 security update temporarily. Note: This issue does not occur in Exchange 2010 or Exchange 2007.
To give credit where due, Microsoft may or may not be the source of the problem. According to the SANS Internet Storm Center, "Oracle ... disclosed the vulnerabilities in their patch updates in April and July 2013. Microsoft licensed the vulnerable libraries from Oracle. There are also functional changes non security changes rolled up into this update."
MS13-063/KB 2859537 -- another botched Windows Kernel patch -- has not been pulled (at least it's still being offered on the systems I work with), but Microsoft has acknowledged at least one problem in the KB article:
Some users may experience issues with certain games after they install security update 2859537. In some cases, users may not successfully start and sign in to the games. Microsoft is researching this problem and will post more information in this article when the information becomes available.
Apparently, with this patch applied, the game Rift crashes immediately after authentication, as does Defiance. Softpedia reports that the patch causes BSODs on Windows 7 systems. One poster on the Microsoft Answers forum says it triggers an Error 0xc0000005, and "it's not possible to run almost all applications include IE, Personalize screen, components from control panel and many other 'native windows features and applications.'" There's an avalanche of bug reports online, many in Russian.
MS13-066/KB 2873872/KB 2843638/KB 2843639/KB 2868846 -- a cluster of security updates for Active Directory Federation Services -- have all been pulled. The explanation:
Microsoft is aware of problems with the security updates described in MS13-066 that affect Active Directory Federation Services (ADFS) 2.0. The problems could cause ADFS to stop working. Microsoft has removed the updates for ADFS 2.0 from Windows Update and the Download Center. Microsoft is researching this problem and will post more information in this article when the information becomes available.
In addition:
You may experience functionality issues with security update 2843639 if you do not have update 2790338 already applied. We recommend that customers who are experiencing these issues install update 2790338. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 2790338 Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0
Here's the punch line. The SANS Internet Storm Center religiously tracks which Microsoft patches cover holes that are publicly known. For this month's bunch, only two of the eight security bulletins -- MS13-061 and MS13-063 -- have known active exploits; the others have no publicly known exploits. You guessed it: Both security bulletins are causing major headaches.
Microsoft has had no end of problems with patches lately, with at least four botched patches just last month. For a change, this time the company is fessing up to it -- quickly and as best I can tell accurately, and the mea culpas are posted where they're supposed to be posted.
That's a start.
http://www.infoworld.com/t/microsoft-wi...c-update-224988
mikebird59
Newbie
11. September 2013 @ 22:51
this mess is causing more problems for me, I cannot even get my pc started much less fix it! And yes, all was fine until black Tuesday. The reinstallation requests I did not get; evidently the hot mess was loaded the 1st time and after logoff, poof! cannot even log in today! I will be up all night working after my pc guy fixes this cluster you know what.
Senior Member
11. September 2013 @ 23:58
thanks for the heads up ireland. i run windows 7 and office 2000 premium with the office 2007 compatibility pack, and two of those updates applied to me. pretty shitty when you can't trust the so called experts huh?
scorpNZ
AfterDawn Addict
12. September 2013 @ 13:43
Originally posted by mikebird59: this mess is causing more problems for me, I cannot even get my pc started much less fix it! And yes, all was fine until black Tuesday. The reinstallation requests I did not get; evidently the hot mess was loaded the 1st time and after logoff, poof! cannot even log in today! I will be up all night working after my pc guy fixes this cluster you know what.
not even safemode to access system restore
back on topic
It took a number of calamities around 10 years ago that made me decide to get into creating backup images, apart from system restore being useless in XP. There's a number of free imaging softwares; this topic is as good a reason as any to start making them. However, just one image won't be enough: you need two or more on different HDDs in case of HDD failure and/or corruption.
AfterDawn Addict
12. September 2013 @ 17:08
I always use Acronis to back up the day before the Windows update.
I keep one year's worth, and I never install Windows update on the day it's out; I wait a week to see if there is a problem with the update.
ALL CHECK THIS OUT
===================
God Mode Maker for Windows 7
Publisher's Description
God Mode Maker is a simple utility designed to create the folder and system icons used to access Windows 7's "God Mode", which lets the user dive deeply into Windows 7's settings and controls.
FreewareFiles tested God Mode Maker for Windows 7 NEW on 2013-09-10 using leading antivirus scanners and found it 100% Clean. It does not contain any form of malware, spyware, viruses, trojans, etc. We will re-test each updated version and remove the award as well as the program if found infected.
http://www.freewarefiles.com/God-Mode-M...gram_91454.html
more info
Windows 7 - God Mode Creator
Windows enthusiasts have found a hidden feature in Windows 7 (which also works in Windows Vista). They have named it the Windows' God Mode. This feature is covered in this article : Windows 7 - God Mode
The people at TheWindowsClub have released GodMode Creator, a freeware utility which lets you create 38 "GodModes" in Windows 7 & Vista with a click.
http://www.trishtech.com/win7/windows_7_god_mode_creator.php
You can download the God Mode Creator tool from:
http://www.thewindowsclub.com/downloads/GodMode%20Creator.zip
more info
The Windows Club
List of freeware and other releases from The Windows Club
This page lists all the Freeware, eBook, Themes, Screensavers, Wallpaper and other releases from The Windows Club. Maybe you have landed here out of choice or maybe you clicked on a direct .zip link on another website and ended up here! Scroll down to see what interests you. We are that sure you will find something of value here!
http://www.thewindowsclub.com/list-free...he-windows-club
AfterDawn Addict
13. September 2013 @ 12:45
Why all the errors in Microsoft updates lately?
Summary: September makes 3 months in a row that Microsoft has issued buggy patches, 3 of which had to be pulled from distribution. Perhaps Microsoft has too many products to have one patch cycle.
About a month ago I wrote a column celebrating the great things that Patch Tuesday has done for customers and the industry. I still believe in it, but I couldn't have picked a worse time to write it. In the weeks that followed, Microsoft customers have experienced a reign of error under Windows Update.
A few days after my column appeared, Microsoft was forced to withdraw two August patches, beginning with a patch for Outlook Web Access in Exchange Server. The buggy code in this patch turns out, ironically, to be written by Oracle, but that's neither here nor there: Microsoft delivered it as part of their product and it caused problems on Exchange Server 2013. The second patch they withdrew was for ADFS (Active Directory Federation Services), but they re-released it a few days later.
The Exchange Server update wasn't re-released until late in August, at which point they also re-released a separate July patch for Windows Media Services that had not been withdrawn.
Anyone can have one bad month I guess, but it didn't end there. Yesterday Microsoft pulled a buggy non-security update to Outlook 2013. They explained the problem and what was happening in a Technet blog entry, but it's still not over.
There was at least one more buggy patch in September, described in this support Microsoft forum and this Technet thread. The problem seems to be related to the patch for MS13-074, a security update for Access. I was a victim of this one. The first thing I saw was that I couldn't load any Office (2013) apps. I got the same unhelpful "something went wrong" error message.
The problem most users report is that, even after installing the patch, Windows Update reports that it is not installed. Even if you manually install the standalone version of the patch, which appears to install correctly, Windows Update still reports that you need to install it. Go to Programs and Features and look at the installed updates and you'll see the update there (designated by its KB number, KB2810009). You can uninstall it and try again, but it won't make a difference. I wasn't able to run Office programs again until I used System Restore to revert the system back to pre-Patch Tuesday. I haven't seen a response from Microsoft on this one.
Two bad months in a row? And not too long ago, in April, Microsoft had to call on Windows 7 users to uninstall an update that was crashing systems. This level of quality is atypical.
READ MORE HERE
http://www.zdnet.com/why-all-the-errors...ely-7000020628/
Senior Member
13. September 2013 @ 14:54
buggers will do anything to push us to win 8. lol.
ddp
Moderator
13. September 2013 @ 15:19
not when some of these updates are for win8.
Senior Member
13. September 2013 @ 15:28
yeah, only two of them were applicable to me.
ddp
Moderator
13. September 2013 @ 15:48
i'm running both xp & win7 computers.
AfterDawn Addict
13. September 2013 @ 18:55
Troubleshoot problems with installing updates
Applies to Windows 7
An automatic troubleshooter is available that fixes some problems with Windows Update, and it might resolve this error for you.
To run a Windows Update troubleshooter
Click the "Fix this problem" (Fix it) button.
In the File Download dialog box, click Run, and then follow the steps in the wizard.
Open Windows Update, and try to install the update again.
If that didn't work, here are solutions to some common problems with installing updates.
I tried to install updates but one or more didn't get installed.
How will I know what updates have been installed?
I keep being offered an update from Windows that I don't want or that I already removed.
I hid an update and now I want to install it.
I restored hidden updates but I can't find the one that I want to install.
My computer was turned off during a scheduled update.
I keep getting prompted to restart my computer to finish installing updates.
I installed updates (or a driver update) and now one of my devices doesn't work.
I tried these troubleshooting steps, but I still can't solve the problem. What should I do next?
http://windows.microsoft.com/en-us/wind...talling-updates
Fix Microsoft Windows Update Issues
Learn how to keep Windows up to date, fix errors and other issues with Windows Update. Fix the problem yourself or get help from the community
Windows 8
Windows 7
Windows Vista
Windows XP
http://support.microsoft.com/gp/windows-update-issues
ddp
Moderator
13. September 2013 @ 21:12
ireland, do you want this thread stickied so that any more ms update botches go into this thread instead of making another thread on the next botchup?
AfterDawn Addict
13. September 2013 @ 23:24
Microsoft reissues September patches after user complaints
A fix to fix the fixes that didn't
Problems with Microsoft's last round of operating system and application patches have forced the company to reissue part of the update on Friday.
"Since the shipment of the September 2013 Security Bulletin Release, we have received reports of updates being offered for installation multiple times, or certain cases where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM)," said Redmond's Office team in a blog post.
"We have investigated the issue, established the cause, and we have released new updates that will cease the unnecessary re-targeting of the updates or the correct offering of these updates."
Register readers -- and many other Microsoft users -- started complaining about the patches shortly after their release on Tuesday. Some readers reported detection issues that left servers stuck in a loop of patching when the updates weren't recognized, while others reported being unable to install flaw fixes.
Eight patches have now been reissued, covering security flaws in Excel, SharePoint Server, and Office suites going back to 2007. Two non-security patches for PowerPoint have also been reissued.
Unusually for Microsoft, not all the patches it promised for Patch Tuesday were in the final release, with one being pulled for quality-control issues. El Reg suspects there have been some harsh exchanges between management and the software testing teams at Redmond.
http://www.theregister.co.uk/2013/09/13...ser_complaints/
===================================================================
quote
ddp
ireland, do you want this thread stickied so that any more ms update botches go into this thread instead of making another thread on the next botchup?
===================================================================
ddp
It might be a good idea as the way microsoft is going..with the bad patches.
ddp
Moderator
14. September 2013 @ 15:01
stickied
AfterDawn Addict
14. September 2013 @ 22:58
Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 9/14/2013
Time: 2:14:56 AM
User: N/A
Computer: SHANNON-BAFBD38
Description:
Error code 1000007e, parameter1 c0000005, parameter2 af586978, parameter3 f78d2b74, parameter4 f78d2870.
==============================================================
SOMETHING IS GOING ON WITH MICROSOFT. ARE THEY TRYING TO SCREW UP XP WITH THE UPDATES SO THAT WE GO TO WIN-8?
I STILL DID NOT UPDATE MY WIN-7
THIS ERROR SHOWED UP ON XP AFTER I USED WINDOWS UPDATE, WHEN I REBOOTED MY COMPUTER AFTER THE UPDATE
NOTE I HAD NO ERRORS FOR OVER A YEAR ON MY XP..
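An added example (my own, not from the post or any article in this thread) that decodes the Event ID 1003 description posted above: it parses the "Error code ..., parameter1 ..." line, strips the 0x10000000 flag XP adds to some codes, and for exception-type bug checks such as 0x7E reports the exception code and the faulting address. The code-to-name tables are a subset of the public Windows bug check reference, and the 2 GB user/kernel split is an assumption (no /3GB switch).

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Names for the bug check codes most often seen in this kind of event
# (subset of the public Windows bug check reference; assumed, not from the post).
BUGCHECK_NAMES = {
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
# NTSTATUS exception codes that appear as parameter1 of the exception-type bug checks.
EXCEPTION_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}
# For these codes parameter1 is the unhandled exception and parameter2 the
# address at which it was raised; parameters 3/4 point at the exception and
# context records and are only useful together with the matching memory dump.
EXCEPTION_BUGCHECKS = {0x1E, 0x7E, 0x8E}
# Windows XP reports some bug checks with this flag set (e.g. 1000007e for 0x7E).
M_FLAG = 0x10000000
# Default 2 GB user / 2 GB kernel split on 32-bit Windows (assumption: no /3GB switch).
KERNEL_BASE = 0x80000000

DESCRIPTION_RE = re.compile(
    r"Error code\s+(?P<code>[0-9a-fA-F]+),\s*"
    r"parameter1\s+(?P<p1>[0-9a-fA-F]+),\s*"
    r"parameter2\s+(?P<p2>[0-9a-fA-F]+),\s*"
    r"parameter3\s+(?P<p3>[0-9a-fA-F]+),\s*"
    r"parameter4\s+(?P<p4>[0-9a-fA-F]+)"
)


@dataclass
class BugCheck:
    raw_code: int
    code: int
    name: str
    params: Tuple[int, int, int, int]
    exception_code: Optional[int] = None
    exception_name: Optional[str] = None
    fault_address: Optional[int] = None

    def in_kernel_space(self) -> Optional[bool]:
        """True if the faulting address lies in the kernel half of the address space."""
        if self.fault_address is None:
            return None
        return self.fault_address >= KERNEL_BASE

    def summary(self) -> str:
        text = f"bugcheck 0x{self.code:X} ({self.name})"
        if self.exception_code is not None:
            text += f": {self.exception_name or 'unknown exception'} 0x{self.exception_code:08X}"
            text += f" at 0x{self.fault_address:08X}"
            text += " (kernel-mode address)" if self.in_kernel_space() else " (user-mode address)"
        return text


def parse_bugcheck(event_text: str) -> Optional[BugCheck]:
    """Parse an Event ID 1003 description; returns None if the text has no bug check line."""
    m = DESCRIPTION_RE.search(event_text)
    if not m:
        return None
    raw = int(m.group("code"), 16)
    params = tuple(int(m.group(f"p{i}"), 16) for i in range(1, 5))
    code = raw & ~M_FLAG
    bc = BugCheck(raw, code, BUGCHECK_NAMES.get(code, "UNKNOWN_BUGCHECK"), params)
    if code in EXCEPTION_BUGCHECKS:
        bc.exception_code = params[0]
        bc.exception_name = EXCEPTION_NAMES.get(params[0])
        bc.fault_address = params[1]
    return bc


# The event as posted above (only the Description line matters to the parser).
SAMPLE_EVENT = """Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Description:
Error code 1000007e, parameter1 c0000005, parameter2 af586978, parameter3 f78d2b74, parameter4 f78d2870."""

if __name__ == "__main__":
    print(parse_bugcheck(SAMPLE_EVENT).summary())
```

A kernel-mode faulting address, as here, points at a driver or kernel component rather than an application, which is why a post-update crash like this is usually traced through the installed driver updates or the matching minidump.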
AfterDawn Addict
15. September 2013 @ 17:23
Microsoft fixes bad patch detection
Summary: Several of the security updates released by Microsoft this past Tuesday repeatedly offered themselves even after installation. This has been fixed. If you have hidden the update, unhide it and install.
One of the many problems Microsoft has had lately with their software updates is that several of the updates in the last group, released on Tuesday September 10, had a detection error: For many users, even after apparently accepting and installing the update, several would keep offering for install in Windows Update, Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM).
The company has reissued the following patches to address the problem:
MS13-067 (Critical) -- Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)
MS13-072 (Important) -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)
MS13-073 (Important) -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)
MS13-074 (Important) -- Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637)
Microsoft says that there are no changes in the actual updates, just in the detection of the update on the system. Customers who have already successfully installed the update need not take any action.
Many users hid the update in order to avoid the notifications. These users should unhide the update and install.
http://www.zdnet.com/microsoft-fixes-ba...ion-7000020676/
AfterDawn Addict
17. September 2013 @ 23:13
Microsoft rushes out security patch for Internet Explorer
Normally, Microsoft releases security bulletins for software products on the second Tuesday of each month. That happened last week as scheduled, but today the company announced it has rushed out an additional patch designed to fix an exploit that has been found in Internet Explorer, and is being used in attacks on IE8 and IE9.
In a post on its security response blog, Microsoft says the issue would allow a hacker to launch a remote code execution if a person surfs to a website using IE that contains malicious code. The blog adds, "There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions."
The company has released a "Fix-it" patch, "CVE-2013-3893 MSHTML Shim Workaround" to plug this security hole in all currently supported versions of IE. In addition, Microsoft recommends that users set their security settings on the web browser to "High" to block any ActiveX Controls and Active Scripting on websites. It also recommends users set up IE so that it informs them ahead of time before running any Active Scripting features. The company plans to release a full security patch that will be a more complete solution to this problem in the near future.
http://www.neowin.net/news/microsoft-ru...ternet-explorer
Newbie
20. September 2013 @ 11:30
I noticed something odd going on last time Microsoft updated. It went through the update process at least three times. I was beginning to think it would never finish.
I don't use IE anymore since it became virtually unusable a few months ago. I use Firefox now, although I'm not entirely happy with it. I'm thinking of moving to Opera.
Senior Member
20. September 2013 @ 15:10
if you like chrome based browsers, comodo dragon is pretty good.
Newbie
21. September 2013 @ 09:10
Originally posted by aldan: if you like chrome based browsers comodo dragon is pretty good.
I never considered Google Chrome, and for that reason Comodo Dragon, after I tried Google Picasa Graphics Editor - it locked my computer up big time. I decided that if they can't make a reliable Graphics Editor then I can't rely on anything else they make.
Are you saying Opera is Chrome based?
-P
Senior Member
21. September 2013 @ 13:11
no, dragon is chrome based, but has nothing to do with google. plus it has security features built in from comodo.
AfterDawn Addict
10. November 2013 @ 16:41
Patch Tuesday is coming -- here's what Microsoft is NOT fixing
This week, November 12th to be precise, is that holiday we have come to call Patch Tuesday. It's the day when Microsoft rolls out fixes for bugs, both small and large, in its software, from Windows to Office and more. This month's releases are of particular interest, not because of what the company is fixing, but what it has chosen to leave unpatched.
November's update includes eight patches, three of which have been tagged as 'critical'. Microsoft even promises it "will host a webcast to address customer questions on the security bulletins on November 13, 2013, at 11:00 AM Pacific Time".
However, security researchers at Sophos point out a glaring hole in this month's security push. "The recent zero-day, which allows crooks to attack your computer using booby-trapped TIFF images, has created lot of confusion amongst users and administrators trying to work out which of their computers are at direct risk", states Paul Ducklin. The firm has inquired about a fix for this -- "the answer, I am sorry to have to tell you, is, no", Sophos claims.
Why has this flaw caused confusion? Well, because Microsoft has claimed the problem does not affect Windows XP, Windows 7 and Windows 8, but is a danger to Office versions ranging from 2003 to 2010. What happens when one of those suites is running on an "unaffected" operating system?
Microsoft has attempted to clear this up stating that Windows Server 2008 and Windows Vista are vulnerable regardless of software. Office 2003 and 2007 are a danger regardless of the OS they are running on. Finally, Office 2010 on XP is a problem as well.
As a stop-gap, the company has issued a Fix-it to help out users in the short-term.
http://betanews.com/2013/11/10/patch-tu...ntent+Feed+-+BN
AfterDawn Addict
10. November 2013 @ 16:42
New IE zero-day attack reported
Summary: Security company FireEye has found a zero-day exploit in Internet Explorer hosted on a breached web site in the United States. EMET may be used to mitigate.
Researchers at network security company FireEye have identified a zero-day exploit of Internet Explorer on a breached web site.
The specific exploit targets the English versions of Internet Explorer 7 and 8 on Windows XP and IE8 on Windows 7. FireEye says their analysis indicates that the vulnerability behind it affects IE 7, 8, 9 and 10.
FireEye does not say if IE10 on Windows 8 is affected or if they examined IE11.
There are two vulnerabilities involved in the attack: the first is an information disclosure vulnerability which the exploit uses to retrieve the timestamp from the PE headers of msvcrt.dll (part of the Microsoft Visual C++ runtime). The second is an IE out-of-bounds memory access vulnerability, used to achieve code execution.
Many versions of msvcrt.dll are in distribution, so the exploit sends the timestamp back to the attacker's server, which returns an out-of-bounds exploit specific to the user's version.
The exploit contains a "ROP chain" according to FireEye. ROP is Return-Oriented Programming, a technique generally blocked by Address Space Layout Randomization (ASLR), introduced in Windows Vista (a version of Windows unmentioned by FireEye). That the exploit works on Windows XP is no surprise, but for it to work on Windows 7 is more unusual.
The report doesn't say much about the payload, other than that it is large and multi-stage.
FireEye is working with Microsoft on researching the attack. The report says that the vulnerability can be mitigated using Microsoft's Enhanced Mitigation Experience Toolkit (EMET) 4.0, presumably focusing on msvcrt.dll. Be careful, as you will likely have multiple copies of multiple versions of this DLL on your system.
http://www.zdnet.com/new-ie-zero-day-attack-reported-7000022998/
Senior Member
10. November 2013 @ 18:48
once again thanks for the heads up.
AfterDawn Addict
10. November 2013 @ 23:31
Internet Explorer users face drive-by attacks targeting new 0-day bug (Updated)
New exploits targeting IE are in addition to a separate 0day for Office.
by Dan Goodin - Nov 10 2013, 3:09pm EST
Researchers have uncovered new, currently unpatched vulnerabilities in multiple versions of Internet Explorer that criminals are actively exploiting to surreptitiously install unusually advanced malware on computers that visit booby-trapped websites.
The vulnerabilities in various configurations of IE versions 7, 8, 9, and 10 running on Windows XP and Windows 7 are separate from the Microsoft Windows and Office graphics flaw that's also under active exploit at the moment. According to researchers at security firm FireEye, the IE-targeted exploits arrive as a classic drive-by attack that's found on at least one breached website located in the US.
The attacks are able to bypass security protections Microsoft engineers have gradually added to later versions of their software. The exploits appear to circumvent the measures, at least in part, by exploiting at least two separate flaws. One flaw allows attackers to access and control computer memory, and another leaks system information needed to capitalize on the first bug.
"The memory access vulnerability is designed to work on Windows XP with IE 7 and 8 and on Windows 7," FireEye researchers Xiaobo Chen and Dan Caselden wrote in a post published Friday. "The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages. Based on our analysis, the vulnerability affects IE 7, 8, 9 and 10."
Early analysis suggests the two vulnerabilities work only against machines running IE 8 on XP and IE 9 running on Windows 7. The research into the attacks is in extremely early stages, so it wouldn't be surprising for the range of vulnerable systems to be wider once more analysis has been done.
An "exceptionally accomplished and elusive" attack
Update: Shortly after Ars published an earlier version of this article on Sunday, FireEye posted a newer analysis of the attack indicating it's part of an unusually sophisticated advanced persistent threat (APT). The attackers embedded the exploit code directly "into a strategically important website, known to draw visitors that are likely interested in national and international security policy," the researchers wrote. The attacks rely on some of the same command and control servers used in a previous APT campaign known as Operation DeputyDog.
Also setting the newly discovered attacks apart from other malware campaigns is the malicious payload that gets installed. Although it's a variant of the previously seen trojan alternately dubbed Hydraq, McRat or Trojan.APT.9002, the new payload runs solely in memory. It doesn't ever write itself to disk, a trait that leaves few to no artifacts for security defenders or forensic investigators to identify infected computers.
"Specifically, the payload is shellcode, which is decoded and directly injected into memory after successful exploitation via a series of steps," the FireEye researchers wrote in the latest post. They went on to write: "By utilizing strategic Web compromises along with in-memory payload delivery tactics and multiple nested methods of obfuscation, this campaign has proven to be exceptionally accomplished and elusive."
As is often the case, the attacks can be blocked by installing the latest version of Microsoft EMET, short for the Enhanced Mitigation Experience Toolkit.
===========================
===========================
The Enhanced Mitigation Experience Toolkit
http://support.microsoft.com/kb/2458544
============================
============================
Members of Microsoft's security response team have not yet commented on the report, although they are likely to do so soon. Microsoft representatives contacted by Ars said members of the company's security team are still looking in to the report.
FireEye didn't elaborate on the US-based website that was hosting the drive-by exploit, except to describe it as "breached," meaning the attackers were able to take control of it and cause it to attack people who visited it. Based on the description of the exploit and its ability to bypass defenses Microsoft engineers have built into newer versions of IE and Windows, there's reason to believe the attackers put a fair amount of time and skill into their work. Among other things, the attack code exploits a "new information leakage vulnerability and an IE out-of-bounds memory access vulnerability" so it can force computers to execute malicious code.
"The information leak uses a very interesting vulnerability to retrieve the timestamp from the [program executable] headers of msvcrt.dll," the FireEye researchers explained. "The timestamp is sent back to the attacker's server to choose the exploit with a ROP chain specific to that version of msvcrt.dll. This vulnerability affects Windows XP with IE 8 and Windows 7 with IE 9."
ROP is short for "return oriented programming," a technique that repackages benevolent code found in an exploited application in a way that gives it new, malicious capabilities. Attackers use ROP chains to bypass data execution prevention, a security mitigation added to most Microsoft applications in the past seven or so years. It prevents most data loaded into memory from being executed.
With the active circulation of at least two attacks that successfully exploit unpatched or only temporarily patched vulnerabilities in widely used Microsoft software titles, readers would do well to remain on guard. Those who haven't already installed the temporary fix for the earlier-reported TIFF image rendering bug should do so immediately.
Microsoft Security Advisory: Vulnerability in Microsoft graphics component could allow remote code execution
=========================
=========================
installed the temporary fix
https://support.microsoft.com/kb/2896666
==========================
==========================
Users should also upgrade to versions 7 or 8 of Windows and run version 11 of IE. EMET is also a worthwhile mitigation, as is using a browser other than IE whenever possible until more is known about the scope of the attacks.
http://arstechnica.com/security/2013/11...g-new-0day-bug/
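Both the ZDNet and the Ars pieces above say the information leak hands the attacker the TimeDateStamp from the PE headers of msvcrt.dll, and ZDNet warns that a host usually carries several builds of that DLL. As an added example (mine, not FireEye's or either article's), here is a Python reader for that field, the documented IMAGE_FILE_HEADER layout, plus an inventory routine that groups every copy of msvcrt.dll under a directory by build, which is what a defender scoping an EMET configuration for this DLL needs to know. The constructed header in build_demo_pe and the find_copies helper are my own and not part of any Microsoft tooling.

```python
import datetime
import os
import struct
from typing import Dict, List

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C        # uint32 in the DOS header holding the offset of "PE\0\0"
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (all little-endian)
COFF_HEADER_FMT = "<HHIIIHH"
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp of a PE image; ValueError if it is not one."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    coff_off = e_lfanew + len(IMAGE_NT_SIGNATURE)
    if coff_off + COFF_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew points outside the image")
    if data[e_lfanew:coff_off] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    _machine, _nsections, timestamp, *_rest = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    return timestamp


def is_pe(data: bytes) -> bool:
    """Convenience wrapper: does the blob carry a parseable PE header?"""
    try:
        pe_timestamp(data)
        return True
    except ValueError:
        return False


def timestamp_to_utc(ts: int) -> str:
    """Render a PE timestamp (seconds since the Unix epoch) as a UTC build time."""
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC")


def build_demo_pe(ts: int, machine: int = 0x014C) -> bytes:
    """Constructed minimal PE header (not a real msvcrt.dll) used to exercise the parser offline."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)   # PE header right after the DOS header
    coff = struct.pack(COFF_HEADER_FMT, machine, 3, ts, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff


def find_copies(root: str, name: str = "msvcrt.dll") -> Dict[int, List[str]]:
    """Walk `root` and group every copy of `name` by TimeDateStamp (one entry per build)."""
    found: Dict[int, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != name.lower():
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    ts = pe_timestamp(fh.read())
            except (OSError, ValueError):
                continue                      # unreadable or not a PE file: skip it
            found.setdefault(ts, []).append(path)
    return found


if __name__ == "__main__":
    # Offline demo on the constructed header; on a Windows host call
    # find_copies(r"C:\Windows") to list every msvcrt.dll build present.
    demo = build_demo_pe(0x4B3D3B00)
    print(f"0x{pe_timestamp(demo):08X} -> {timestamp_to_utc(pe_timestamp(demo))}")
    for ts, paths in sorted(find_copies(os.getcwd()).items()):
        print(f"0x{ts:08X} {timestamp_to_utc(ts)}: {len(paths)} copies")
```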