Ron  Cartwright

Ron Cartwright

1603018800

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

Microsoft has pushed out fixes for 87 security vulnerabilities in October – 11 of them critical – and one of those is potentially wormable.

There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.

This month’s Patch Tuesday overall includes fixes for bugs in Microsoft Windows, Office and Office Services and Web Apps, Azure Functions, Open Source Software, Exchange Server, Visual Studio, .NET Framework, Microsoft Dynamics, and the Windows Codecs Library.

A full 75 are listed as important, and just one is listed as moderate in severity. None are listed as being under active attack, but the group does include six issues that were known but unpatched before this month’s regularly scheduled updates.

“As usual, whenever possible, it’s better to prioritize updates against the Windows operating system,” Richard Tsang, senior software engineer at Rapid7, told Threatpost. “Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60 percent of the vulnerabilities listed, along with over half of the critical RCE vulnerabilities resolved today.”

11 Critical Bugs

One of the most notable critical bugs, according to researchers, is a remote code-execution (RCE) problem in the TCP/IP stack. That issue (CVE-2020-16898) allows attackers to execute arbitrary code with elevated privileges using a specially crafted ICMPv6 router advertisement.

Microsoft gives this bug its highest exploitability rating, meaning attacks in the wild are extremely likely – and as such, it carries a severity rating of 9.8 out of 10 on the CvSS vulnerability scale. True to the season, it could be an administrator’s horror show.

“If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround,” said Dustin Childs, researcher at Trend Micro’s Zero-Day Initiative (ZDI), in his Patch Tuesday analysis. “You should definitely test and deploy this patch as soon as possible.”

Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said that an exploit for the bug could be self-propagating, worming through infrastructure without user interaction.

“An attacker can exploit this vulnerability without any authentication, and it is potentially wormable,” he said. “We expect a proof-of-concept (PoC) for this exploit would be dropped soon, and we highly encourage everyone to fix this vulnerability as soon as possible.”

Threatpost has reached out for more technical details on the wormable aspect of the bug.

#cloud security #vulnerabilities #web security #critical #cve-2020-16898 #microsoft #october 2020 #patch tuesday #patches #publicly disclosed #remote code execution #router advertisements #security bug #security vulnerabilities #tcp/ip #unpatched bugs #wormable

What is GEEK

Buddha Community

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug
Ron  Cartwright

Ron Cartwright

1603018800

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

Microsoft has pushed out fixes for 87 security vulnerabilities in October – 11 of them critical – and one of those is potentially wormable.

There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.

This month’s Patch Tuesday overall includes fixes for bugs in Microsoft Windows, Office and Office Services and Web Apps, Azure Functions, Open Source Software, Exchange Server, Visual Studio, .NET Framework, Microsoft Dynamics, and the Windows Codecs Library.

A full 75 are listed as important, and just one is listed as moderate in severity. None are listed as being under active attack, but the group does include six issues that were known but unpatched before this month’s regularly scheduled updates.

“As usual, whenever possible, it’s better to prioritize updates against the Windows operating system,” Richard Tsang, senior software engineer at Rapid7, told Threatpost. “Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60 percent of the vulnerabilities listed, along with over half of the critical RCE vulnerabilities resolved today.”

11 Critical Bugs

One of the most notable critical bugs, according to researchers, is a remote code-execution (RCE) problem in the TCP/IP stack. That issue (CVE-2020-16898) allows attackers to execute arbitrary code with elevated privileges using a specially crafted ICMPv6 router advertisement.

Microsoft gives this bug its highest exploitability rating, meaning attacks in the wild are extremely likely – and as such, it carries a severity rating of 9.8 out of 10 on the CvSS vulnerability scale. True to the season, it could be an administrator’s horror show.

“If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround,” said Dustin Childs, researcher at Trend Micro’s Zero-Day Initiative (ZDI), in his Patch Tuesday analysis. “You should definitely test and deploy this patch as soon as possible.”

Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said that an exploit for the bug could be self-propagating, worming through infrastructure without user interaction.

“An attacker can exploit this vulnerability without any authentication, and it is potentially wormable,” he said. “We expect a proof-of-concept (PoC) for this exploit would be dropped soon, and we highly encourage everyone to fix this vulnerability as soon as possible.”

Threatpost has reached out for more technical details on the wormable aspect of the bug.

#cloud security #vulnerabilities #web security #critical #cve-2020-16898 #microsoft #october 2020 #patch tuesday #patches #publicly disclosed #remote code execution #router advertisements #security bug #security vulnerabilities #tcp/ip #unpatched bugs #wormable

Microsoft’s Patch Tuesday Packed with Critical RCE Bugs

Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 that are important in severity and one moderate bug. Fortunately, none are publicly known or under active exploitation, Microsoft said.

The most severe issue in the bunch is CVE-2020-16875, according to researchers. This is a memory-corruption problem in Microsoft Exchange that allows remote code-execution (RCE) just by sending an email to a target. Running arbitrary code could grant attackers the access they need to create new accounts, access, modify or remove data, and install programs.

#bug bounty #cloud security #vulnerabilities #web security #critical security vulnerabilities #cve-2020-16875 #microsoft #microsoft exchange #patch tuesday #remote code execution #september 2020

Wilford  Pagac

Wilford Pagac

1596848400

Critical DNS Bug Opens Windows Server to Infrastructure Takeover

Microsoft gives the ‘wormable’ flaw a security rating of 10 – the most severe warning possible.

A critical Microsoft Windows Server bug opens company networks to hackers, allowing them to potentially seize control of IT infrastructures. Microsoft issued a patch for the bug on Tuesday as part of its July Patch Tuesday roundup.

It turns out that the bug is 17 years old. Impacted are Windows Server versions from 2003-2019. The bug, found by researchers at Check Point, received a severity warning of 10 – the highest allowed. Most concerning to researchers however is that the bug is wormable, meaning a single exploit of the flaw can trigger a chain reaction that allows attacks to spread from one computer to another.

“[The] security flaw would enable a hacker to craft malicious DNS queries to the Windows DNS server, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure,” according to Check Point researcher Sagi Tzaik, who is credited for finding the flaw.

Microsoft released a patch for the vulnerability, identified as CVE-2020-1350, and urged customers to prioritize an update to their systems. Check Point is calling the bug SigRed – a nod to the vulnerable DNS component and function “dns.exe”.

A hacker can gain Domain Administrator rights over the server, “enabling the hacker to intercept and manipulate users’ emails and network traffic, make services unavailable, harvest users’ credentials and more. In effect, the hacker could seize complete control of a corporation’s IT,” researchers wrote, in a technical analysis of the bug, posted Tuesday.

**Patching Is an Imperative     **

Upping the chance for exploitation by a hacker is the relatively simple prerequisites needed to exploit the vulnerability. “The likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug, which means a determined hacker could also find the same resources,” researchers noted.

“This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected,” Microsoft wrote in a post Tuesday. “While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.”

Mechele Gruhn, principal security PM manager at the Microsoft Security Response Center, noted that “if applying the update quickly is not practical, a registry-based workaround is available that does not require restarting the server. The update and the workaround are both detailed in CVE-2020-1350.”

“CVE-2020-1350, a wormable remote code execution vulnerability in Windows DNS Server, could very well be the most critical Windows vulnerability released this year, receiving a rare 10 out of 10 CVSS score,” Chris Hass, director of information security and research at Automox, told Threatpost.

“A wormable vulnerability like this is an attacker’s dream. An unauthenticated hacker could send specially crafted packets to the vulnerable Windows DNS Server to exploit the machine, allowing for arbitrary code to be run in the context of the local system account. Not only will the attacker have full control of the system, but they will also be able to leverage the server as a distribution point, allowing the attacker to spread malware between systems without any user interaction. This wormable capability adds a whole other layer of severity and impact, allowing malware authors to write ransomware similar to notable wormable malware such as Wannacry and NotPetya,” Hass said.

Exploiting a 17-Year-Old Bug

The flaw itself is an integer-overflow bug that can trigger a heap-based buffer overflow attack tied to the DNS module called dns.exe, which is responsible for answering DNS queries on Windows Servers.

By abusing the dns.exe module, two attack surfaces were created by researchers. One is a “bug in the way the DNS server parses an incoming query.” And the second is “a bug in the way the DNS server parses a response (answer) for a forwarded query.”

The attack requires researchers to first force a Windows DNS Server to parse responses from a malicious DNS NameServer. This employs the dns.exe module, which parses all supported response types. One of those supported response types is for a Secure Internet Access (SIG) query called SIG(O). Researchers focused their attention on creating a request that exceeded the maximum size request of 65,535 bytes, and causing the overflow. By using compressed data, researcher were able to create a successful crash.

“Although it seems that we crashed because we were trying to write values to unmapped memory, the heap can be shaped in a way that allows us to overwrite some meaningful values,” they wrote.

This local attack then was replicated remotely, by “smuggling DNS inside HTTP” requests on Microsoft Explorer and Microsoft Edge browsers (Google Chrome and Firefox are not vulnerable to this type of attack). Because DNS can be transported over TCP — and Windows DNS Server supports this connection type – researchers were able to craft a HTTP payload.

“Even though this is an HTTP payload, sending it to our target DNS server on port 53 causes the Windows DNS Server to interpret this payload as if it was a DNS query,” they wrote. Researchers were able to circumvent HTTP protections against similar malicious HTTP payloads by “smuggling” DNS query data inside the POST data located in the HTTP request.

Chromium-class browsers (Google Chrome and Mozilla Firefox) do not allow HTTP requests to port 53, therefore the bug can only be exploited Internet Explorer and Microsoft Edge.

“Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some internet service providers (ISPs) may even have set up their public DNS servers as WinDNS,” Check Point wrote.

#vulnerabilities #web security #critical vulnerability #cve-2020-1350 #dns #dns nameserver #dns.exe #domain administrator #http request #july patch tuesday #microsoft patch #microsoft security response center #security bug #sigred #windns #windows server #wormable

Brain  Crist

Brain Crist

1603094400

Microsoft Fixes RCE Flaws in Out-of-Band Windows Update

Microsoft has issued out-of-band patches for two “important” severity vulnerabilities, which if exploited could allow for remote code execution.

One flaw (CVE-2020-17023) exists in Microsoft’s Visual Studio Code is a free source-code editor made by Microsoft for Windows, Linux and macOS. The other (CVE-2020-17022) is in the Microsoft Windows Codecs Library; the codecs module provides stream and file interfaces for transcoding data in Windows programs.

“Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code,” according to a Friday CISA alert on the patches. “An attacker could exploit these vulnerabilities to take control of an affected system.”

According to Microsoft, one “important” severity flaw (CVE-2020-17022) stems from the way that Microsoft Windows Codecs Library handles objects in memory. This vulnerability has a CVSS score of 7.8 out of 10.

An attacker who successfully exploited the vulnerability could execute arbitrary code, according to Microsoft. While an attacker could be remote to launch the attack, exploitation requires that a program process a specially crafted image file.

Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable. The secure Microsoft installed packed versions are 1.0.32762.0, 1.0.32763.0, and later.

“The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory,” according to Microsoft.

The other “important” severity flaw (which also has a CVSS score of 7.8 out of 10) exists in Visual Studio Code, when a user is tricked into opening a malicious ‘package.json’ file.

According to Microsoft, an attacker who successfully exploited this flaw (CVE-2020-17023) could run arbitrary code in the context of the current user. An attacker would first need to convince a target to clone a repository and open it in Visual Studio Code (via social engineering or otherwise). The attacker’s malicious code would execute when the target opens the malicious ‘package.json’ file.

“If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” said Microsoft. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Microsoft’s update addresses the vulnerability by modifying the way Visual Studio Code handles JSON files.

In a Twitter thread, Justin Steven, who reported the flaw, said that the issue stems from a bypass of a previously deployed patch for an RCE flaw in Visual Studio Code (CVE-2020-16881).

#hacks #vulnerabilities #web security #cve-2020-17022 #cve-2020-17023 #microsoft #microsoft store #patch #patch tuesday #rce #remote code execution #visual studio code #windows #windows codecs library

Micheal  Block

Micheal Block

1602936000

Wormable Apple iCloud Bug Allows Automatic Photo Theft

A group of ethical hackers cracked open Apple’s infrastructure and systems and, over the course of three months, discovered 55 vulnerabilities, a number of which would have given attackers complete control over customer and employee applications.

Of note, a critical, wormable iCloud account takeover bug would allow attackers to automatically steal all of a victim’s documents, photos, videos and more.

The discovery by hackers Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes demonstrated key weaknesses in the company’s “massive” infrastructure while it also earned the team nearly $300,000 to date in rewards for their efforts, Curry wrote in an extensive blog post detailing the team’s findings.

Among the flaws found in core portions of Apple’s infrastructure includes ones that would have allowed an attacker to: “fully compromise both customer and employee applications; launch a worm capable of automatically taking over a victim’s iCloud account; retrieve source code for internal Apple projects; fully compromise an industrial control warehouse software used by Apple; and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources,” he wrote.

Of the 55 vulnerabilities discovered, 11 were rated with critical severity, 29 with high severity, 13 with medium severity and two with low severity. Researchers rated the bugs based on the CvSS vulnerability-severity rating, and “our understanding of the business-related impact,” Curry said.

The wormable iCloud bug is a cross-site scripting (XSS) issue, according to the writeup. iCloud is an automatic storage mechanism for photos, videos, documents, and app related data for Apple products. Additionally, this platform provides services like Mail and Find my iPhone.

“The mail service is a full email platform where users can send and receive emails similar to Gmail and Yahoo,” explained Curry. “Additionally, there is a mail app on both iOS and Mac which is installed by default on the products. The mail service is hosted on www.icloud.com alongside all of the other services like file and document storage.”

He added, “This meant, from an attackers perspective, that any cross-site scripting vulnerability would allow an attacker to retrieve whatever information they wanted to from the iCloud service.”

#bug bounty #cloud security #hacks #iot #mobile security #privacy #vulnerabilities #web security #$300 #000 #apple #apple bug bounty program #applications #authentication bypass #bug bounty #critical bugs #critical flaws #developers #ethical hackers #hackers #hardware #icloud #sam curry #software #source code #takeover #vulnerabilities #wormable #xss