
Microsoft Security Updates November 2015

Update 2015.11.13: Haken posted his Black Hat slides [pdf] and a full paper [pdf]. The bug is in the design of the domain password-change exchange. Using a rogue domain controller under their own control (Haken used a Samba server), an attacker can force a password reset and thereby "poison" the target system's cached domain credentials (the LSA local cache), which is what enables the bypass:

“Fundamentally, this is the root of the issue described in this paper: the password reset exchange does not require the DC to provide authentication (i.e. an unknown machine password) and the client-side implementation of this exchange will update the local credentials cache after a successful exchange.”

Summing it up, the bug appears to be a design flaw in how Windows manages cached credentials for domain user accounts when the domain controller is unreachable. It is a bit of a corner case, but it is significant for travelers, whose domain-joined laptops spend time offline and physically exposed.

“I suspect this weakness in the protocol comes about because this threat model was not applicable when it was originally designed. At that point in time, an attacker having physical control of a client machine meant it was already totally compromised. However, as this paper demonstrates, the threat model needs to be revisited. What was once a perfectly reasonable protocol breaks down under this revised threat model. This is a good lesson to be taken from this research. Threat models can change over time even when the software in question doesn’t. However, when threat models change, the security architecture of applications may need to be carefully revised along with them.”

It also appears that Microsoft's Bulletin needs to be corrected. According to Haken, the prerequisite is that "the machine has joined a domain and an authorized domain user has previously logged into the machine", and not that "a domain user must be logged on to the target machine", which wouldn't make sense: no active session is needed, only the cached credentials that a previous logon leaves behind.

Original content: Microsoft posted four bulletins rated Critical today, along with another eight rated Important. Microsoft's summary is on its site. All in all, the software maker is patching a large number of vulnerabilities this month: 37 CVE-listed vulnerabilities are fixed by the four Critical bulletins alone. On the bright side, Microsoft reports that none of them were known to be exploited in the wild at the time of publication.

Software affected with Bulletins rated critical are listed here (MS15-112, MS15-113, MS15-114, MS15-115):

  • Web browsers Microsoft Edge and Internet Explorer
  • Windows Journal
  • Windows font-handling code

Software affected with Bulletins rated important are listed here (MS15-116, MS15-117, MS15-118, MS15-119, MS15-120, MS15-121, MS15-122, MS15-123):

  • Microsoft Office
  • Windows NDIS, IPsec, Schannel and Winsock (networking components)
  • Microsoft .NET Framework
  • Kerberos
  • Services on Sharepoint and Office Web Apps
  • Skype for Business and Microsoft Lync

The eight bulletins rated Important fix a further 16 CVE-listed vulnerabilities.

For you travelers who mind your own operational security (and shun PGP), it is worth noting that Bulletin MS15-122 fixes an authentication bypass against BitLocker-encrypted drives.

According to Microsoft, “Kerberos fails to check the password change of a user signing into a workstation. An attacker could bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker.
An attacker who has physical access to a target machine could bypass Kerberos authentication by connecting a workstation to a malicious Kerberos Key Distribution Center (KDC).

The following mitigating factors may be helpful in your situation:

  • This bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key.
  • A domain user must be logged on to the target machine for the attack to succeed.”

The bug's reporter, Ian Haken, will present the attack in a couple of days at Black Hat Europe in Amsterdam. Perhaps this is another indication that a TPM alone is not enough to protect a drive: pre-boot authentication (the PIN or USB startup key that Microsoft's first mitigating factor refers to) or hardware-assisted drive encryption is the way to go.
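Both preconditions on this page, Microsoft's "BitLocker enabled without a PIN or USB key" and Haken's "domain-joined and a domain user has previously logged in", can be audited from the machine itself. The following PowerShell script is an added example written for this page; it is not code from the original post, from Microsoft or from Haken's paper. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), an elevated prompt, and that the Winlogon `CachedLogonsCount` value (default 10) is what governs whether domain logons are cached; the `Add-BitLockerKeyProtector` remediation it prints is one option, not something the page prescribes.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the original post, Microsoft or Haken's paper).
# Assumes the BitLocker PowerShell module and an elevated prompt on the
# workstation being checked.

# Key-protector types that demand something beyond the TPM before the OS
# volume is unlocked. A volume whose only TPM-based protector is 'Tpm' unlocks
# unattended at boot, which is Microsoft's first mitigating factor
# ("BitLocker enabled without a PIN or USB key").
$PreBootAuthTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerExposure {
    # One record per BitLocker volume, flagging volumes that unlock with the TPM alone.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBootAuth = [bool]($types | Where-Object { $PreBootAuthTypes -contains $_ })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            TpmOnly          = ($types -contains 'Tpm') -and -not $hasPreBootAuth
        }
    }
}

function Get-DomainLogonCaching {
    # Haken's precondition: the machine is domain-joined and a domain user has
    # logged on before, so cached credentials exist. CachedLogonsCount (REG_SZ,
    # default 10) is the number of domain logons Windows keeps for offline use;
    # assumption: 0 means no credentials are cached for the bypass to poison.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $count) { $count = '10' }   # value absent means the Windows default
    [pscustomobject]@{
        PartOfDomain      = $cs.PartOfDomain
        Domain            = $cs.Domain
        CachedLogonsCount = [int]$count
    }
}

$domain  = Get-DomainLogonCaching
$volumes = Get-BitLockerExposure
$volumes | Format-Table -AutoSize

$exposed = @($volumes | Where-Object { $_.ProtectionStatus -eq 'On' -and $_.TpmOnly })
if ($domain.PartOfDomain -and $domain.CachedLogonsCount -gt 0 -and $exposed.Count -gt 0) {
    $msg = '{0} is joined to {1}, caches up to {2} domain logons, and volume(s) {3} unlock with the TPM alone. ' +
           'Confirm MS15-122 is installed, or add pre-boot authentication, e.g. ' +
           'Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString).'
    Write-Warning ($msg -f $env:COMPUTERNAME, $domain.Domain, $domain.CachedLogonsCount, ($exposed.MountPoint -join ', '))
} else {
    Write-Host "No TPM-only BitLocker volume with cached domain logons on $env:COMPUTERNAME."
}
```

The warning fires only when all three conditions line up: domain-joined, logons cached, and a protected volume with no PIN or startup key. A machine that fails any one of them is outside the scenario Microsoft and Haken describe, whether or not the patch is installed.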

Also significant today: Google announced that it is dropping Chrome support for Windows XP and Windows Vista, and for Mac OS X 10.6, 10.7 and 10.8. Some organizations in the ICS or health care space may want to keep getting value from their investment in these systems on plant floors or in facilities, but this deprecation is another reason to upgrade them.
