BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

February 2014 Patch Tuesday

Posted February 11, 2014    BeyondTrust Research Team

February’s Patch Tuesday comes to us with patches for XML Core Services, IPv6, Direct2D, Forefront, .NET, Internet Explorer, and VBScript. There are a total of seven bulletins (4 critical, 3 important) addressing 31 unique vulnerabilities.

Most notable this month is the patch for Internet Explorer, MS14-010, which fixes 24 vulnerabilities: over two thirds of this month’s patched vulnerabilities. Every supported version of Internet Explorer is affected (versions 6 through 11). Multiple types of bugs are fixed in this patch, including memory corruptions (1 of which was publicly disclosed), an elevation of privileges vulnerability that permits escalation from low integrity to user privileges, and a cross-domain information disclosure vulnerability. Also noteworthy is CVE-2014-0271, a VBScript memory corruption vulnerability, which is only fixed in Internet Explorer 9 with this bulletin. For all other affected versions of Internet Explorer, CVE-2014-0271 can be addressed by installing MS14-011. It is important to roll both MS14-010 and MS14-011 out as soon as possible.

Going back to the beginning of the bulletin list, we have MS14-005, a patch for Microsoft XML Core Services. This vulnerability, CVE-2014-0266, has been publicly disclosed and used in targeted attacks, seen in November 2013 during the IE zero-day watering hole attacks, as reported by FireEye. The vulnerability lies only within XML Core Services version 3.0, leaving versions 4.0, 5.0, and 6.0 unaffected. This bulletin affects every supported version of Windows because XML Core Services 3.0 is shipped with every version of Windows. Since this vulnerability has exploited in targeted attacks, it is important to roll it out as soon as possible.

The next critical bulletin is MS14-007, which fixes a vulnerability in Direct2D, a graphics component in Windows. This patch applies to Windows 7, 8, 8.1, RT, RT 8.1, Server 2008 R2, Server 2012, and Server 2012 R2. Additionally, exploitation can be achieved by delivering malicious 2D geometric figures through Internet Explorer. Therefore, attackers will be very interested in it, given that it affects the latest versions of Windows and can be exploited via drive-by mechanisms. Deploy this patch as soon as possible.

MS14-008 addresses a critical vulnerability in Microsoft Forefront Protection for Exchange. This vulnerability could allow an attacker to execute arbitrary code on the Exchange server when a malicious email is scanned by Forefront. Code would be executed in the context of the configured service account. This does not affect all Forefront solutions: it only affects Forefront Protection 2010 for Exchange Server. Nonetheless, it is important to get this patch deployed as soon as possible, because attackers will be interested in any way to potentially compromise an Exchange server.

The IPv6 component in Windows 8, RT, and Server 2012 is receiving a fix with MS14-006. This publicly disclosed vulnerability can be used by attackers to cause targeted systems to stop responding. The attacker would need to send a large amount of malicious packets to the affected system in order to achieve the denial of service condition. While this sounds like an ominous vulnerability, the attacker must be on the same subnet as the victim, so this greatly increases the barrier to properly exploiting this vulnerability.

The .NET Framework is receiving a patch this month, MS14-009, which addresses multiple vulnerabilities: a denial of service vulnerability, a type traversal vulnerability, and an ASLR bypass vulnerability. The denial of service vulnerability and the ASLR bypass were both publicly disclosed, and the ASLR bypass has been used in targeted attacks. The denial of service vulnerability would be used to target ASP.NET servers, whereas the other two vulnerabilities could be targeted in any .NET application.

Be sure to patch Internet Explorer (MS14-010), VBScript (MS14-011), XML Core Services (MS14-005), Direct2D (MS14-007), and Forefront Protection for Exchange (MS14-008) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, February 12 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win a Nexus 7!

We frequently mention Chrome as an alternative to Internet Explorer. Has your organization made strides towards adopting a safer browser like Chrome? If not, what is stopping you? Legacy systems? Learning curve? Policies?

Most insightful and/or awesome answer wins!

>> VEF News Articles

NSA’s ‘Dishfire’ program said to capture nearly 200M texts a day

 Spam From Your Fridge

Don’t Believe Everything You Read (Webroot/Novell/Target)

Target Hackers Broke in Via HVAC Company

China Operating System

Microsoft Announces Brussels Transparency Center at Munich Security Conference

>> VEF Questions & Comments

During the VEF, Shelly asked, “Does MS14-007 bypass Java?”. If our understanding of the question is correct (and correct us if we’re wrong!), if an attacker were to exploit MS14-007, they would not need Java in order to gain remote code execution. As we explained during the VEF, Java 6 is often used to bypass DEP and ASLR in Internet Explorer, which is why Java 6 is so dangerous… in addition to all the remote code execution vulnerabilities in Java 6 itself, instantiating Java 6 in a browser also gives attackers the opportunity to use Java 6 libraries to generate ROP-gadgets and leverage other exploitation techniques.

Jay wanted to know, “How are some of these newest exploits related to leveraging off the recent amplification attacks for UDP?” Although some of this Patch Tuesday’s bulletins were networking related (IPv6), none of them were associated with recent amplification DDoS attacks we have been seeing in the wild. The DDoS that we’ve been seeing has to do with a known weakness in NTP (Network Time Protocol), which allowed attackers to generate a massive amount of traffic directed toward targeted hosts. Cloudflare was mitigating the attack and has technical details of the attack on their blog.

Thank you to all who attended this month’s VEF! We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly research@BeyondTrust.com.

Tags:
, , ,

Leave a Reply

6 Responses to “February 2014 Patch Tuesday”

  1. Jeffrey

    Internally we have been using Chrome within our IT Team for years; but externally we have a very difficult time with vendors who insist on writing web based applications that only work with one version of IE or another. Microsoft exacerbates the problem by knitting internet explorer into every aspect of Windows 8. You can’t even uninstall it, which means inevitably it will be used.

    February 12, 2014 2:10:07, Reply
  2. Taylor

    Our organization has adopted chrome already. Original we made the switch because of the spell check feature that wasn’t available in IE9. Because of the amount of information that users key in on a regular basis having spell check was a huge benefit. One of the main concerns we had due to the nature of our work was users being able to bypass proxy servers or connect to google accounts. Chrome has group policy templates that can be downloaded for enterprise use. This allowed us to be able to force chrome to use the settings that we specified. Another very useful feature has been that chrome automatically updates so we don’t have to worry about getting things updated when a vulnerability is discovered. Not only is chrome a more secure browser but it is faster on launch and when rendering web pages. Chrome has a built in pdf viewer and can also be set to use adobe reader if that’s what you prefer. Chrome has an enterprise .msi download that can easily be pushed out silently using WSUS Package Publisher or Group policy. Occasionally we have issues with websites that require IE so we are forced to keep it around. Overall the migration was very simple and the benefit has been noticeable.

    February 12, 2014 3:11:55, Reply
  3. Raphael

    Our company has a lot of legacy system which need IE or for which no development is done to migrate to new browser. Even more, old IE is required for a few legacy system. Solution like browsium is used to offer access to these systems transparently for the enduser. Last IE and Chrome are the solution browser available for XP or 7 users.
    besides of the need of IE (7 or more) even java 1.6 is required for some legacy system. These unsecured software are deployed at large in our organization…. even with Win7 deployment, last software version cannot be deployed due to compatibility issue.
    Chrome deployment is done by default for XP enduser but autoupdate is blocked to validate compatibility first.
    Firefox is not deployed to avoid multiple browser, security validation required for each and first to avoid change management as most enduser are not IT specialists.
    IE is kept as default browser and not Chrome as Google policy could change more easily than Microsoft and legal rules required to avoid as much as possible non-Canadian solution especially for data storage or transfer

    February 13, 2014 6:39:36, Reply
  4. "Eric"

    Simply put, Microsoft is a customer and we are a Windows shop. As security practitioners we are taught that ultimately business comes before security and this is a poignant reminder. Even though Chrome is a better, more secure browser. Corporate greed? Call it what you want but the fact remains security is still not the priority with the C levels. Even with everything in the news today, Snowden breach, NSA spying, Target breach, Yahoo password compromise, Ransomeware etc, we are still far from the day a company will make a decision based solely on security and protecting data over short-term financial gain.

    February 14, 2014 8:10:23, Reply
  5. Bo

    I have personally used chrome for years and recommend it very strongly to others for a few different reasons – not only performance, but also the point you made in the “VEF” – “There have been no exploits used in the wild successfully exploiting Chrome”.

    I also operate a side-business supporting the technology needs of local small businesses. I consistently install Chrome & train my end-users in the small businesses I support to utilize Chrome over any other browser.

    Lastly, I function as one of the two Client Systems Administrators in my (fairly large) organization and am able to encourage our IT staff and lightly encourage our end-users here to use it as well. I use the term “lightly encourage” for a number of reasons…

    First and foremost – legacy systems:
    We have a number of systems in our environment that require not only Internet Explorer, but specific (read: older) versions of Internet Explorer. Unfortunately, the business continues to identify what they believe are “higher priorities” than correcting this problem, leaving our ability to address it, falling to a back burner. We are considering mitigation of the problem via application virtualization (as opposed to migration from the legacy systems); however, until we get the time to work towards that goal, it remains a problem.

    Second – the issue of policies, procedures, and really – standards:
    Our Technology Standards Document can almost be considered our “end-point bible”. It determines what is supported (aka: what we’re allowed to tell users to use) and what is not. For a number of reason (e.g. business buy-off, legacy app support, “comfort bubbles”, Etc.) IE remains the standard…Our goal is to work Chrome into that document in the near future; however, due to time and resource constraints, raising awareness has proven difficult.

    In regard to the learning curve being a potential issue, I don’t see us struggling with that. As far as browsers, in general, are concerned – they’ve become similar in terms of basic functionality…”CTRL-N”, “CTRL-T”, “CTRL-TAB”…they may label things slightly different (e.g. favorites Vs. bookmarks), but they have begun to function very similarly *on the outside*.

    Our long-term goal as the Client System Administrators within my organization is ultimately to walk Chrome right into our front door, because Google has done something excellent with it…we just need to overcome some hurdles to get there…

    Thank you.

    February 14, 2014 9:01:57, Reply
  6. Eddie

    We’ve taken several recommendations from BeyondTrust and have used their data in working on making a solid business case, for Chrome to be our default browser. This goes in-line with the BYOD ever increasing, and users being more productive safely with this multifunction browser. In
    addition we are in the process of getting PowerBroker approved, as that will be the tool to help us enforce that policy due to the “work arounds” users currently have when trying to use other “preferred” browsers that has caused our security posture to decline. Culture has been the
    challenge. Getting past the “old mentality” and “on with the new” better safer way of doing things. Chrome has been used more in the last year in our organisation due to the increase of users using personal Android devices. The integration of such mobile devices has increased the demand by
    the users, but the “old mentality” still resides in our environment. Mobile is not only changing the way we view BYOD, but the internet browsers and apps we use to conduct business. The “Old mentality” of a firewall for instance. Back in the day it was about blocking ports, well, with Cloud
    most of the traffic is done via TWO ports! 80 + 443, so the new mentality is more focusing on WAF’s and such in that realm. Not discounting the mere essence of the “old” technologies offcourse like firewalls, but moving towards a better posture which is one of the areas BeyondTrust excels,
    as they are meeting those needs before they become demands.

    February 14, 2014 11:06:17, Reply

Additional articles

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Posted July 24, 2014    Morey Haber

There is a reason all BeyondTrust Privileged Account Management (PAM) solutions share the PowerBroker name: They all inherently enable you to reduce user-based risk and can be integrated under a centralized IT risk management platform. Here’s one common use case that demonstrates how this integration changes the playing field. Consider the challenge of privileged access:…

Tags:
, , , , ,
PowerBroker Password Safe Password Age Report

Reshaping Privileged Password Management with Password Safe 5.2

Posted July 21, 2014    Martin Cannard

Today, we’re pleased to unveil the latest edition of our privileged password management solution, PowerBroker Password Safe. I’ll start with a brief intro of what’s new and then tell you a little about the driving factors behind Password Safe development. New features for mitigating password risk and ensuring accountability enterprise-wide Here’s the 10,000-foot overview of…

Tags:
, , ,
PowerBroker for Windows tamper protection

PowerBroker for Windows 6.6 Tamper Protection

Posted July 18, 2014    Morey Haber

I have a bone to pick: Stopping an administrator from performing an action on a system is futile endeavor. As an administrator, there is always a way to circumvent a solution’s from tampered protection. Really! By default, Windows administrators have unrestricted access to the system – and even though an application, hardened configuration, or group policy…

Tags:
, ,