Microsoft Updates June 2014 – Almost 60 IE and GDI+/TrueType RCE

Microsoft fixes a smaller set of software products this month for “Critical” vulnerabilities, plus a handful of “Important” fixes, in MS14-030 through MS14-036. But whoa, almost 60 remote code execution flaws exist in the six versions of Internet Explorer and in the Microsoft components that render fonts on your system! Not only is that a very long list of memory corruption issues, but one of the IE bug reports, credited to Peter Van Eeckhoutte, is over 180 days old. The fix and testing effort over the past few months must have been a large one.

Microsoft releases two Critical Bulletins today, for Internet Explorer (Critical on Windows client systems, Important on servers) and GDI+, and five Important Bulletins for Microsoft Word, the network stack (TCP), their IM system Lync, and the MSXML component used by Internet Explorer.

The IE 0day reported 180 days ago is yet another “use-after-free” vulnerability, enabled by IE’s handling of CMarkup objects manipulated from JavaScript. While the bug’s finder thought the vulnerability affected Internet Explorer 8, Microsoft’s fix for CVE-2014-1770 in MS14-035 is rated Critical for RCE across IE 6, 7, 8, 9, 10 and 11 on Windows clients, and Moderate on Windows servers. It has been publicly reported, which raises the risk of exploitation in the wild (ITW). So far, we have not identified related 0day being used, but we will continue to review our data.

MS14-035 also follows the flood of discussion about the Heartbleed vulnerability with another TLS Bulletin. A team of researchers, including one from Microsoft Research, published a substantial paper titled “Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS”. It details a variety of man-in-the-middle (MITM) attacks on encrypted network sessions, enabled by TLS implementations from Microsoft, Google, Apple, and Mozilla. This Bulletin is Microsoft’s fix for their own code – the others use implementations of GnuTLS, OpenSSL, and GNU SASL.

Also interesting among this month’s Critical-rated vulnerabilities is the variety of software affected by the two TrueType font handling bugs patched with MS14-036: USP10 (the DLL implementing “Uniscribe”), GDI+, gdi32, DirectWrite, Microsoft Office 2007 and 2010 (but not Office for Mac 2011), the Live Meeting 2007 Console, and Lync 2010 and 2013. That is a broad distribution of user-mode code. I suppose these are a couple more reasons to keep reading all of your email in plaintext.

Lastly, it is very important for enterprise admins to pay attention to Microsoft’s ongoing work against decade-old Pass-the-Hash techniques, as demonstrated by last night’s discussion of the APT Shanghai group report (the group also known as MsUpdater or Putter Panda) and the three-week-old charges against the APT Beijing group, which includes Ugly Gorilla and Comment Crew members.

Separate from the regular update cycle, KB2871997 was released a couple of weeks ago. It applies to most versions of Windows found in enterprise environments (Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012), but unfortunately not all. The new features provide a “Protected Users” group that restricts selected users to Kerberos in place of the older authentication schemes, a Restricted Admin mode for RDP, and cleanup of credentials cached by LSA. Microsoft also provides guidance on checking DC and server logs for WDigest use; while attackers’ toolsets can alter or delete events from these logs, it is very important to monitor for indications of anomalous WDigest activity.
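The WDigest log check described above, written out as an added example (this is not code from the original post or from Microsoft’s guidance): an elevated PowerShell script that reports whether the WDigest `UseLogonCredential` registry value is set on the host (a documented value controlling whether LSASS keeps reversible WDigest credentials; its presence on a given build is an assumption here), then lists successful logon events (4624) in the Security log whose authentication package is WDigest and summarises them by account and source address so a rarely seen pairing stands out for follow-up. The 7-day window is an assumption.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on a
# domain controller or member server; reading the Security log requires admin rights.
# Assumptions: the WDigest\UseLogonCredential value exists on this build, and 7 days
# of Security log is a reasonable window.

$LookbackDays = 7

# 1. Registry posture: does LSASS still keep reversible WDigest credentials?
#    0 = caching disabled; absent or non-zero = the build's default or explicit caching.
$wdKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ulc = (Get-ItemProperty -Path $wdKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
if ($null -eq $ulc) {
    Write-Warning "UseLogonCredential is not set under $wdKey; the OS default applies (caching still on for Windows 7/8/2008 R2/2012)."
} elseif ($ulc -ne 0) {
    Write-Warning "UseLogonCredential = $ulc : WDigest credential caching is enabled."
} else {
    Write-Output "UseLogonCredential = 0 : WDigest credential caching is disabled."
}

# 2. Log evidence: successful logons (event 4624) whose authentication package is WDigest.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$wdigestLogons = foreach ($ev in $events) {
    # Read EventData by field name rather than by positional index, which differs across OS versions.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['AuthenticationPackageName'] -eq 'WDigest') {
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }
}

if (-not $wdigestLogons) {
    Write-Output "No WDigest logons recorded in the last $LookbackDays days."
} else {
    # Group by account and source so an unusual account/source pairing is easy to spot.
    $wdigestLogons | Group-Object Account, SourceIp |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
            @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
        Format-Table -AutoSize
}
```

Any WDigest logon on a host where nothing is expected to use Digest authentication (no IIS Digest auth, no legacy clients) is worth a ticket; on hosts where some are expected, the account/source summary is the baseline to compare against over time. Because the post notes that attacker toolsets can tamper with local event logs, the same query is more trustworthy when run against events forwarded to a collector than against the originating server.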