
Microsoft slates critical IE, Windows patches for Tuesday

One month left for businesses to migrate from Windows 8.1 to Windows 8.1 Update

Microsoft today said it will ship six security updates to customers next week, patching all versions of Internet Explorer (IE) and nearly all supported editions of Windows.

The IE update, one of two classified as “critical” — Microsoft’s most serious threat ranking — will patch IE6 on Windows Server 2003, IE7, IE8, IE9, IE10 and the newest, IE11.

It’s unlikely that July’s IE update will match June’s in size: Microsoft fixed a record 60 flaws in the browser on June 10. (Originally, Microsoft said it had patched 59 IE bugs last month, but a week later acknowledged it had forgotten to add one to the list, and so upped the count to an even 60.)

Windows 7 users who have not freshened IE11 with a mandatory April update will not receive next week’s browser fixes.

According to Thursday’s advance notice, which briefly described the July updates, the second critical bulletin will patch all client editions of Windows — from Vista to Windows 8.1 — and all server versions except for those running on systems powered by Intel’s Itanium processors. Windows Server 2008 and Server 2012 systems provisioned by installing only the Server Core — a minimal install with many features and services omitted to lock down the machine — are also exempt from Bulletin 2, Microsoft said.

Of the remaining four updates, three were labeled “important” by Microsoft — the threat step below critical — while the fourth was pegged “moderate.” All will offer patches for some or all Windows editions, both on the desktop and in the data center.

Security researchers pointed to the two critical bulletins as the obvious first-to-deploy for most Microsoft customers.

They also remarked on Bulletin 6, the single moderate update, which will patch Microsoft Service Bus for Windows Server. The bus is a messaging and communications service that third-party developers can use to tie their code to Windows Server and Microsoft Azure, the Redmond, Wash. company’s cloud service.

“The odd one out this month is the Moderate Denial of Service in ‘Microsoft Service Bus for Windows Server,'” said Ross Barrett, senior manager of security engineering at Rapid7, in an email. “It’s part of the Microsoft Web Platform package and is not installed by default with any OS version.”

Although Microsoft did not mention it in today’s advance notice, or in the blog post by the Microsoft Security Response Center (MSRC), enterprises have one more month to deploy April’s Windows 8.1 Update and Server 2012 R2 Update before losing patch privileges for devices running Windows 8.1 or servers running 2012 R2.

Hardware powered by Windows 8.1 or Server 2012 R2 must be updated before Aug. 12, the next scheduled Patch Tuesday, to receive that month’s updates, as well as any future security fixes.

Or in some cases, even present patches, said Chris Goettl, a program product manager at Shavlik, in an email.

“One thing to watch out for [next week] will be [something similar to] the many exceptions we saw last month,” Goettl cautioned. “Many of the updates we saw in June required other updates to be in place, depending on the platform. For those running Windows 8.1 or Server 2012 R2, they need to be prepared for more of these updates to require Update 1 before they can apply them. Microsoft has stated they would delay a hard enforcement until August, but more and more of the patches [have] had variations that required Update 1. So look out for that cut over — it’s coming quick.”

 



Microsoft confirms zero-day bug in IE6, IE7 and IE8

Second time in two years it’s had to deal with late-December vulnerabilities

Microsoft on Saturday confirmed that Internet Explorer (IE) 6, 7 and 8 contain an unpatched bug — or “zero-day” vulnerability — that is being used by attackers to hijack victims’ Windows computers.

The company is “working around the clock” on a patch, its engineers said. They have also released a preliminary workaround that will protect affected IE customers until the update is ready.

In a security advisory issued Dec. 29, Microsoft acknowledged that attacks are taking place. “Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8,” the alert stated.

Newer versions of IE, including 2011’s IE9 and this year’s IE10, are not affected, Microsoft said. It urged those able to upgrade to do so.

According to multiple security firms, the vulnerability was used by hackers to exploit Windows PCs whose owners visited the website of the Council on Foreign Relations (CFR), a non-partisan foreign policy think tank with offices in New York and Washington, D.C.

On Friday, FireEye corroborated earlier reports that the CFR website had been compromised by attackers and was hosting exploit code as early as Dec. 21. As of mid-day Wednesday, Dec. 26, the site was still conducting “drive-by” attacks against people running IE8, said Darien Kindlund, senior staff scientist at FireEye, in a Friday blog.

Kindlund added that the malware hidden on the CFR website used Adobe Flash Player “to generate a heap spray attack” against IE8. It wasn’t clear whether Flash also contained a zero-day bug, or whether the attackers leveraged an already-known and previously patched vulnerability that had not been fixed on the victims’ PCs.

On Saturday, Jaime Blasco, the labs manager at AlienVault, weighed in on the IE zero-day as well, noting that the exploit was able to circumvent Microsoft’s anti-exploit technologies, DEP (data execution prevention) and ASLR (address space layout randomization), and successfully compromise Windows XP and Windows 7 PCs running IE8. He identified the IE bug as a likely “use-after-free” vulnerability, a type of memory management flaw.

AlienVault, said Blasco, had begun looking into the “watering hole” attacks stemming from the CFR website at the beginning of the week, and had alerted the Microsoft Security Response Center (MSRC) that it suspected IE harbored a zero-day vulnerability.

In a watering hole campaign, hackers identify their intended targets, even to the individual level, then scout out which websites they frequently visit. Attackers next compromise one or more of those sites, plant malware on them, and, like a lion waiting at a watering hole for unwary wildebeests, wait for unsuspecting users to surf there.

The CFR did not immediately reply to a request for comment on its site’s current status.

Other researchers claimed that attacks using the IE vulnerability started as early as Dec. 7, and alleged that Chinese hackers were responsible for the CFR website hack.

In an email to Computerworld and in a follow-up blog Saturday, Microsoft said it is working on a patch for IE6, IE7 and IE8. The company did not set a timetable for an update’s release, however.

Jonathan Ness and Cristian Craioveanu, engineers on Microsoft’s security team, provided some details on the IE flaw in a separate post to the Security Research & Defense blog. “We’re working around the clock on the full security update,” Ness and Craioveanu wrote.

They also announced the availability of a “shim” that can protect IE6, IE7 and IE8 users if they’re running the most up-to-date versions of those browsers.

Shim is a term used to describe an application compatibility workaround. Microsoft has applied shims in the past to help customers ward off active attacks against IE.

The shim will be used as the foundation for a soon-to-be-shipped “Fixit,” Microsoft’s name for the one-click workarounds it often publishes to automate processes, including security mitigations, that most users would feel uncomfortable doing on their own.

To apply the available shim, for instance, users must download the small files from the SRD blog, then enter one or more strings in Windows’ Command Prompt.

This was the second year in a row that Microsoft has had to deal with an emergency update in the waning days of December.

In 2011, the company issued a Dec. 28 security advisory about a flaw in its ASP.NET programming language that hackers could use to cripple website servers. On Dec. 29, 2011, Microsoft released an “out-of-band,” or emergency, update.

Microsoft reminded customers that IE9 and IE10 do not contain the vulnerable code, and are safe to use. Windows XP users, however, cannot use either of those browsers, as Microsoft has limited IE9 to Vista and Windows 7, and IE10 to Windows 7 and Windows 8.

