
It's Windows Update day! Critical


RV_


I'm excerpting two articles today because they are critical. First the Windows critical updates and then details on the Adobe Flash, Reader, and Photoshop serious vulnerabilities.

Most folks know by now to look for the Windows updates the second Tuesday of each month. Today's updates fix some serious zero day vulnerabilities already being exploited. Fixed for those who updated Windows today:

Excerpt:

"Microsoft Patches Word Zero-Day Spreading Dridex Malware

"Microsoft on Tuesday released a patch for a zero-day vulnerability that was discovered late last week and used to spread the Dridex banking Trojan.

Attacks were spreading via a massive spam campaign where emails contain Microsoft Word documents with malicious attachments that exploited a vulnerability in the way Microsoft handles OLE2Link objects. According to researchers, the attacks were effective at bypassing most mitigation efforts.

The patch was part of Microsoft’s scheduled Patch Tuesday software updates.

“This is the first campaign we have observed that leverages the newly disclosed Microsoft zero-day,” Proofpoint wrote in a technical analysis of the zero day. “This represents a significant level of agility and innovation for Dridex actors.”

The Microsoft zero-day vulnerability, according to Proofpoint, was extremely effective. “When recipients open the document, the exploit–if successful–is used to carry out a series of actions that lead to the installation of Dridex botnet ID 7500 on the user’s system,” researchers wrote.

“The Microsoft OLE2Link object can open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system,” according to an advisory released by the DHS-sponsored CERT hosted at the Software Engineering Institute at Carnegie Mellon University.

The zero-day, first reported by McAfee on Friday, is notable because in most cases macro-laden documents attached to emails are blocked by mitigations built into Office and Microsoft’s Windows 10. In this case, users also do not have to enable macros for the exploit to execute.

In a test by Proofpoint, a system was exploited just by opening an Office 2010 document. As the document opened, users were presented with a dialogue box that asked “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?”

According to Proofpoint, “user interaction was not required” and once the dialogue box appeared, the Dridex malware injection process began.

The attack involves a Microsoft Office RTF document that contains an embedded OLE2link object. “When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file,” according to an analysis of the zero day by FireEye researchers.

The HTA application then loads and executes malicious scripts that halt the winword.exe loading process. Next, the scripts download payloads and load a decoy document for the user to see, according to FireEye.

“The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link,” FireEye researchers wrote.

“Clearly the fact that the RTF file is able to download the malicious HTML that enables local execution of malware points to a lack of control in interpreting untrusted input from the outside world,” said Paul Farrington, manager of EMEA Solution Architects at Veracode. “The Microsoft engineers will not only need to devise a patch for this vulnerability, but also to remodel their threat assessment of this type of file interaction,” Farrington said.

The spam campaigns delivering the zero day spoofed the recipient’s domain in the sender’s email address and appear to be from either “copier”, “documents”, “noreply”, “no-reply”, or “scanner”. The subject line in all cases is “Scan Data” and included attachments named “Scan_123456.doc” or “Scan_123456.pdf” – with the numbers randomly generated.

The vulnerability affects Microsoft Office, including the latest Office 2016 edition running on Windows 10.

Mitigation includes installing the Microsoft patch. However, Microsoft notes “you must have the release version of Service Pack 2 for Office 2010 installed on the computer” to apply the security update. Alternatively, security experts recommend blocking RTF documents in Microsoft Word via the File Block Settings in the Microsoft Office Trust Center. They also recommend using Microsoft Office Protected View, which they say can help prevent exploitation without user interaction."

That article is here: https://threatpost.com/microsoft-patches-word-zero-day-spreading-dridex-malware/124906/

However, last month's Pwn2Own uncovered vulnerabilities that are now known, so getting today's updates ASAP is the smart thing to do.

Some RVrs need to find a free WiFi location due to low data plans. But this one also included the very critical Adobe Flash, Reader, and Photoshop vulnerabilities.

Adobe Flash is automatically updated with the Windows updates in Windows 10. In Windows 7 go to the Adobe website for the products you have on your system to download the patches.

Excerpt:

"Adobe Patches 59 Vulnerabilities Across Flash, Reader, Photoshop

Adobe patched 59 vulnerabilities in five different products, including Flash Player, Acrobat/Reader, Photoshop, Adobe Campaign, and its Adobe Creative Cloud App as part of its regularly scheduled software update today.

The company warned in a series of security bulletins posted shortly before noon Tuesday that the bulk of the bugs, 44, are critical and could lead to code execution. The 44 code execution bugs mark an uptick over last month, when Adobe only fixed six code execution bugs in Flash, and even over February, when it patched 13 code execution bugs in the software.

Among the patches are fixes for vulnerabilities uncovered at Pwn2Own, the hacking competition held alongside CanSecWest last month in Vancouver. A team of hackers from Qihoo 360 exploited a heap overflow in the way Reader parsed JPEG2000 to take down the PDF software on the competition’s first day. A group of researchers from Keen Team, working for Tencent Security’s Team Sniper, used an info leak in Reader followed by a use after free to get code execution, as well. Keen Team is thanked in the credits of the Reader advisory for finding the info leak and use after free bugs, CVE-2017-3056 and CVE-2017-3057, and reporting them through Pwn2Own’s sponsor, Trend Micro’s Zero Day Initiative. LiuBenjin, a researcher with Qihoo’s 360 CodeSafe Team, is credited by Adobe for finding the heap overflow (CVE-2017-3055).

On Pwn2Own’s second day, hackers from 360 Security Team and Keen Team/Tencent Security exploited two separate use-after-free vulnerabilities in Flash. Both groups were able to elevate Flash to SYSTEM-level as part of their exploits. Yuki Chen, a researcher with 360’s Vulcan Team, and Keen Team were both acknowledged in today’s Flash advisory for their findings, CVE-2017-3062 and CVE-2017-3063, respectively.

Users are being encouraged to update to the latest versions of both platforms, 25.0.0.148 for Flash Player, and 2017.009.20044 for Acrobat and Reader DC continuous track, and 2015.006.30306 for Acrobat and Reader DC’s classic track. Users still running the pre-DC version of the software, Acrobat XI, will want to make sure they update to the latest version, 11.0.20."

There is even more in the original article here:

https://threatpost.com/adobe-patches-59-vulnerabilities-across-flash-reader-photoshop/124914/


RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire
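The first excerpt describes the spam campaign's lures: sender spoofing the recipient's own domain, a sender name of copier, documents, noreply, no-reply or scanner, a subject of "Scan Data", and an attachment named Scan_123456.doc or .pdf with random digits. The mail-triage helper below is an added example written for this post (not from Threatpost, Proofpoint or the post author); the message records are constructed samples, and the field names and the three-indicator threshold are assumptions.

```python
import re

# Constructed sample mail metadata (not real traffic): one dict per message.
# Field names "from", "to", "subject", "attachments" are an assumption.
SAMPLE_MESSAGES = [
    {"from": "scanner@example.org", "to": "alice@example.org",
     "subject": "Scan Data", "attachments": ["Scan_482913.doc"]},
    {"from": "bob@partner.example", "to": "alice@example.org",
     "subject": "Scan Data", "attachments": ["Scan_000001.pdf"]},
    {"from": "noreply@example.org", "to": "alice@example.org",
     "subject": "Invoice", "attachments": ["invoice.pdf"]},
    {"from": "copier@example.org", "to": "carol@example.org",
     "subject": "Scan Data", "attachments": ["Scan_123456.pdf"]},
]

# Lure traits reported for the campaign in the excerpt above.
SENDER_LOCAL_PARTS = {"copier", "documents", "noreply", "no-reply", "scanner"}
ATTACHMENT_RE = re.compile(r"^Scan_\d{6}\.(doc|pdf)$", re.IGNORECASE)


def campaign_indicators(msg):
    """Return the list of campaign traits this message matches."""
    hits = []
    from_local, _, from_domain = msg["from"].rpartition("@")
    _, _, to_domain = msg["to"].rpartition("@")
    if from_local.lower() in SENDER_LOCAL_PARTS:
        hits.append("sender_local_part")
    # The campaign spoofed the recipient's domain as the sender's domain.
    if from_domain.lower() == to_domain.lower():
        hits.append("sender_domain_matches_recipient")
    if msg["subject"].strip().lower() == "scan data":
        hits.append("subject_scan_data")
    if any(ATTACHMENT_RE.match(a) for a in msg["attachments"]):
        hits.append("scan_attachment_name")
    return hits


def is_suspected_campaign_mail(msg, threshold=3):
    """Flag only when several traits co-occur; any single one is common in normal mail."""
    return len(campaign_indicators(msg)) >= threshold


def triage(messages):
    """Return the sender addresses of messages worth quarantining for analyst review."""
    return [m["from"] for m in messages if is_suspected_campaign_mail(m)]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], campaign_indicators(m))
    print("flagged:", triage(SAMPLE_MESSAGES))
```

A genuine internal scanner would match every trait, so in practice pair this with SPF/DKIM authentication results for the sender domain before quarantining.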
