Remotely Exploitable Vulnerability Discovered in MikroTik’s RouterOS

A vulnerability exists in MikroTik’s RouterOS in versions prior to the latest 6.41.3, released Monday, March 12, 2018. Details were discovered in February and disclosed by Core Security on Thursday.

MikroTik is a Latvian manufacturer that develops routers and software used throughout the world. RouterOS is its Linux-based operating system.

The vulnerability, a MikroTik RouterOS SMB buffer overflow flaw, allows a remote attacker with access to the service to gain code execution on the system. Since the overflow occurs before authentication, an unauthenticated remote attacker can exploit it.

The vulnerability exists because the first byte of the source buffer is read and used as the size for the copy operation to the destination buffer — but ultimately, no validation is performed to ensure that the data fits into the destination buffer, potentially allowing a stack overflow.
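The bug pattern described above, as an added illustration that is not RouterOS code or Core’s proof of concept: a copy routine that trusts the first byte of the message as the copy size, beside a form that validates that byte against both the destination capacity and the bytes actually received. The buffer size DEST_CAP, the function names and the constructed messages are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Capacity of the fixed-size destination buffer in both variants below. */
#define DEST_CAP 32

/*
 * Vulnerable pattern: the first byte of the source buffer is used as the
 * length for the copy and nothing compares it with the destination size.
 * A length byte larger than DEST_CAP writes past the end of 'dest'.
 */
size_t copy_name_unchecked(uint8_t *dest, const uint8_t *src)
{
    size_t n = src[0];            /* attacker-controlled length byte */
    memcpy(dest, src + 1, n);     /* copies n bytes, whatever n is */
    return n;
}

/*
 * Hardened form: the length byte is checked against the destination
 * capacity and against the number of bytes actually received before any
 * copy happens. Returns the bytes copied, or -1 if the message is rejected.
 */
int copy_name_checked(uint8_t *dest, size_t dest_cap,
                      const uint8_t *src, size_t src_len)
{
    if (src_len < 1)
        return -1;                /* no length byte present */
    size_t n = src[0];
    if (n > dest_cap)
        return -1;                /* would overflow the destination */
    if (n > src_len - 1)
        return -1;                /* would read past the received data */
    memcpy(dest, src + 1, n);
    return (int)n;
}

/*
 * Test helper: builds a constructed message whose first byte is 'len'
 * followed by 'len' filler bytes and runs it through the checked copy.
 */
int try_checked(size_t len)
{
    uint8_t msg[256];
    uint8_t dest[DEST_CAP];

    if (len > 255)
        return -1;
    msg[0] = (uint8_t)len;
    memset(msg + 1, 'A', len);
    return copy_name_checked(dest, sizeof dest, msg, len + 1);
}

/* Test helper: a constructed message whose length byte promises more data than arrived. */
int try_truncated(void)
{
    uint8_t dest[DEST_CAP];
    const uint8_t msg[] = { 10, 'x', 'y' };   /* claims 10 bytes, carries 2 */

    return copy_name_checked(dest, sizeof dest, msg, sizeof msg);
}
```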

Core’s vulnerability advisory includes a proof of concept exploit against MikroTik’s x86 Cloud Hosted Router. The function is reached by sending a NetBIOS session request message. Data execution prevention (DEP) is bypassed with a return-oriented programming (ROP) chain that calls ‘mprotect’ to mark a memory region as both writable and executable. Address space layout randomization (ASLR) can be neutralized because the base address of the heap is not randomized. This allows a payload on the heap to jump to a fixed location.

“Our testing,” says Core’s advisory, “showed this approach to be extremely reliable.” The reserved CVE number is CVE-2018-7445.

Core sent its initial vulnerability notice to MikroTik on February 19, 2018. On the same day, Core noticed the flaw was already scheduled for a fix by MikroTik in a new software release candidate. Core asked for a coordinated publication of the new version and its own advisory. It proposed March 1, 2018, which was confirmed by MikroTik. MikroTik then asked for an extension to Thursday, March 8, 2018, and then told Core it still wouldn’t be ready.

On Monday, March 12, 2018, it released the new version. It did not inform Core, and there is no apparent mention of the flaw or the fix in its new version announcement to customers — but it subsequently confirmed that the flaw has been fixed. MikroTik’s advice for customers that cannot upgrade is that they should turn off SMB.

Last week, Kaspersky Lab released a report on a hacking group it calls Slingshot. It has identified around 100 victims. The attackers gain access by first getting control of MikroTik routers, and using that position to download DLL files to the target computer via MikroTik’s Winbox management tool.

It is not clear at this point whether the Slingshot group gained access to the MikroTik routers using the CVE-2018-7445 vulnerability, but it is tempting to think so. Kaspersky Lab informed the company about its research prior to its own publication.

While the router vulnerability would be the first stage of the attack, the second stage would be the use of Winbox to get the malicious downloads. MikroTik claims on its support forum that Winbox is secure. In a thread started by a customer disturbed at learning about Slingshot from reports in the media rather than from MikroTik, MikroTik responded, “There is NO insecure Winbox v3. Winbox v3 was released in 2014. Even if somebody was using a really old Winbox v2, they still had to have an unsecured RouterOS device so that somebody could compromise it (firewall had to be removed). This is why they found only 120 affected machines since 2012.”

The bottom line is that MikroTik is quick to fix issues it knows about, but prefers to maintain a low profile over those problems. The danger here is that existing customers might not be aware of the issues, and be in no hurry to upgrade. MikroTik customers should be aware that a proven proof of concept exploit for vulnerability CVE-2018-7445 is in the public domain, and the ‘patch’ for this exploit is to upgrade RouterOS to version 6.41.3.

Related: New Mirai-Linked IoT Botnet Emerges 

Related: CIA Router Hacking Tool Exposed by WikiLeaks 

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

http://feedproxy.google.com/~r/Securityweek/~3/wLnZP3DevCs/remotely-exploitable-vulnerability-discovered-mikrotiks-routeros




Hackers Awarded $267,000 at Pwn2Own 2018

White hat hackers have earned a total of $267,000 at this year’s Pwn2Own competition for exploits targeting Microsoft Edge, Apple Safari, Oracle VirtualBox and Mozilla Firefox.

On the first day, Richard Zhu (aka fluorescence) failed to hack Safari, but he did demonstrate an exploit chain against Edge, which earned him $70,000. Niklas Baumstark from the Phoenhex team received $27,000 for hacking VirtualBox, while Samuel Groß (aka saelo) of Phoenhex earned $65,000 for hacking Safari.

Richard Zhu wins Pwn2Own 2018

On the second day of Pwn2Own 2018, Zhu earned $50,000 for hacking Firefox with an out-of-bounds read flaw in the browser and an integer overflow in the Windows kernel. Zhu actually won this year’s Master of Pwn award, taking home a total of $120,000 and 65,000 ZDI reward points worth roughly $25,000.

Employees of Ret2 Systems demonstrated an exploit chain targeting Safari, but they were successful only on the fourth attempt. Since Pwn2Own rules state that the exploit must be demonstrated in a maximum of three attempts, they did not win any money as part of the contest, but the Zero Day Initiative (ZDI) did purchase the vulnerabilities and disclosed them to Apple via its regular process.

Finally, a team from MWR Labs earned $55,000 for a Safari sandbox escape. They used a heap buffer overflow in Safari and an uninitialized stack variable in macOS to execute arbitrary code.

Pwn2Own 2018 was backed by Microsoft and VMware, and ZDI announced a prize pool of $2 million. The total of $267,000 awarded at the event was far less than in past years, when researchers earned $833,000 (2017), $460,000 (2016) and $552,500 (2015).

ZDI noted that some of the experts who had registered for the event were forced to withdraw due to various reasons, including the fact that Microsoft’s latest updates patched the vulnerabilities they had planned on using.

“While smaller than some of our previous competitions, the quality of research was still extraordinary and highlights the difficulty in producing a fully-functioning exploit for modern browsers and systems,” ZDI said.

The highest prizes at Pwn2Own 2018 were offered by Microsoft, including for the Hyper-V client ($150,000), Outlook ($100,000), and Windows SMB ($100,000). The company also offered a total of more than $800,000 for exploits targeting Windows Defender Application Guard for Edge, Windows SMB, and the Hyper-V client running on the latest Windows Insider Preview for Business on a Surface Book 2 device.

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

http://feedproxy.google.com/~r/Securityweek/~3/gQhIput_3U0/hackers-awarded-267000-pwn2own-2018




Intel Shares Details on New CPUs With Spectre, Meltdown Protections

Intel announced on Thursday that patches designed to address the Spectre vulnerability are now available for all the affected CPUs released in the past five years, and shared more details on the future processors that will include protections against these types of attacks.

Intel CEO Brian Krzanich informed customers that the company has made available microcode updates for “100 percent” of the recent processors vulnerable to Meltdown and Spectre attacks.

The company first released new firmware updates for its Skylake processors, then for Kaby Lake and Coffee Lake, and later for Broadwell and Haswell CPUs. The fixes will be delivered by device manufacturers, but Microsoft has also started providing the microcode patches for Windows 10 devices with Skylake, Coffee Lake and Kaby Lake processors.

Intel building CPUs with Meltdown and Spectre protections

In late January, Krzanich revealed that the company had started working on processors with built-in protections against attacks similar to Meltdown and Spectre. Additional details have now been provided, and Intel even published a video that explains at a high level how these side-channel attacks work and how it plans on preventing them.

Meltdown attacks rely on a vulnerability identified as CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Variant 1 can be addressed with software patches, but Variant 2 also requires microcode updates.

Intel’s new CPUs, both for data centers and PCs, will be redesigned to protect against Meltdown and Spectre Variant 2.

“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3. Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors,” Krzanich explained.

These protections are expected to become available in the second half of the year with the release of Intel Xeon Scalable (Cascade Lake) and 8th Generation Intel Core processors.

“As we bring these new products to market, ensuring that they deliver the performance improvements people expect from us is critical. Our goal is to offer not only the best performance, but also the best secure performance,” Krzanich said.

Related: IBM Releases Spectre, Meltdown Patches for Power Systems

Related: New AMD Processors to Include Protections for Spectre-like Exploits

Related: Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches

http://feedproxy.google.com/~r/Securityweek/~3/ttqs3SN0HTw/intel-shares-details-new-cpus-spectre-meltdown-protections




CTS Labs Provides Clarifications on AMD Chip Flaws

As a result of massive backlash from the industry, Israel-based security firm CTS Labs has provided some clarifications about the recently disclosed AMD processor vulnerabilities and its disclosure method.

CTS Labs this week published a report providing a brief description of 13 critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The flaws can allegedly be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.

The vulnerabilities affect AMD’s Secure Processor, an environment where critical tasks are executed in order to secure the storage and processing of sensitive data and applications. The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges on the targeted machine.

AMD was only notified 24 hours before the vulnerabilities were disclosed, but no technical details have been published in order to prevent exploitation for malicious purposes.

CTS Labs was only launched recently, and its founders’ work experience has raised some questions. This, combined with the lack of technical details in the report, has made many people doubt that the vulnerabilities exist or that they are as critical as the company claims.

However, Dan Guido, CEO of Trail of Bits, and Alex Ionescu, a reputable researcher and Windows security expert, have confirmed CTS Labs’ findings after reviewing technical information provided by the company. Guido was paid to review the work, but Ionescu said he wasn’t.

CTS Labs has come under fire for not giving AMD time to release patches before its disclosure. A disclaimer from the firm and a report from a controversial company named Viceroy Research suggest that the existence of the vulnerabilities was made public as part of an investment strategy, similar to the 2016 incident involving MedSec, Muddy Waters and St. Jude Medical.

In response to criticism, CTS Labs CTO Ilia Luk-Zilberman argued that the company’s approach to “responsible disclosure” is more beneficial for the public. He proposes that instead of notifying vendors and giving them a certain amount of time to release patches before disclosing full technical details, researchers should notify the public and the vendor at the same time without ever making technical details public, unless the flaws have been patched.

Luk-Zilberman admitted that CTS should have asked several third parties to confirm its findings before going public in order to convince everyone that their claims are true.

While the CTO’s argument might make sense, many members of the industry are not convinced, particularly due to CTS’s disclaimer claiming that it may have, “either directly or indirectly, an economic interest in the performance of the securities [of AMD].” There is also the report from Viceroy, which attempts to persuade that “AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries.”

CTS Labs has not provided any clarifications regarding its financial interests related to the disclosure.

Regardless of CTS Labs’ motives, Ionescu and Guido have confirmed the vulnerabilities and warned that they should not be ignored.

Alex Ionescu confirms vulnerabilities found by CTS in AMD processors

Dan Guido confirms vulnerabilities found by CTS in AMD processors

In an update posted on its AMDflaws.com website, CTS claimed that exploitation of the vulnerabilities does not require physical access; executing a file with local admin privileges on the targeted machine is enough.

“The only thing the attacker would need after the initial local compromise is local admin privileges and an affected machine,” CTS said. “To clarify misunderstandings — there is no need for physical access, no digital signatures, no additional vulnerability to reflash an unsigned BIOS. Buy a computer from the store, run the exploits as admin – and they will work.”

After the news broke, AMD told customers and the media that it’s investigating CTS Labs’ claims.

AMD is one of the major processor makers affected by Meltdown and Spectre, and while the company has confirmed that the flaws impact some of its products, it has insisted that the risk of attacks is small.

http://feedproxy.google.com/~r/Securityweek/~3/WqywrqAwKtM/cts-labs-provides-clarifications-amd-chip-flaws




Hackers Can Abuse Text Editors for Privilege Escalation

Several popular text editors can be leveraged for privilege escalation and their developers do not plan on taking any action to prevent abuse, according to SafeBreach, a company that specializes in simulating attacks and breaches.

Some text editors allow users to run third-party code and extend the application’s functionality through extensions. While this provides some benefits, an expert determined that it can also introduce security risks.

SafeBreach researcher Dor Azouri has analyzed the Sublime, Vim, Emacs, Gedit, pico and nano text editors, and found that only pico and its clone, nano, are not prone to abuse, mainly due to the fact that they offer only limited extensibility.

One part of the problem is that users — particularly on Linux servers — may often need to execute text editors with elevated privileges. If an attacker can plant malicious extensions in locations specific to the targeted text editor, their code will get executed with elevated privileges when the application is launched or when certain operations are performed.

Text editors allow privilege escalation

For an attack to work, the attacker needs to somehow hijack a legitimate user account that has regular privileges, which can be achieved through phishing, social engineering and other methods. In the case of a malicious insider, the vulnerability found by SafeBreach can be useful for executing code with elevated privileges if their permissions have been restricted by the system administrator to certain files and commands.

Depending on the targeted editor, the attacker needs to create specially crafted scripts or package files, and place them in specific plugin directories. In some cases, the hacker may need to create additional files and enable extensions in order for the attack to work, but this should not be difficult if they have access to a less-privileged account.

In the case of Emacs, for example, attackers simply need to add one line of code to the “init.el” file in order to get their code executed on startup. Azouri noted that editing the init file does not require root permissions. A report published on Thursday by SafeBreach details how privilege escalation can be achieved through each of the tested editors.
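As an added defensive check that is not part of the SafeBreach report: a small C audit that, before an editor is run with elevated privileges, reports whether its configuration or plugin paths (and every parent directory) could be modified by an unprivileged user, which is the precondition the report describes. The flag names, the helper functions and the example paths in main() are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define AUDIT_PATH_MAX 4096

/* Reasons a configuration or plugin path is unsafe to load into a privileged editor. */
enum {
    AUDIT_OK             = 0,
    AUDIT_MISSING        = 1 << 0,  /* absent: an unprivileged user may be able to create it */
    AUDIT_WRONG_OWNER    = 1 << 1,  /* not owned by the uid the editor will run as */
    AUDIT_GROUP_WRITABLE = 1 << 2,
    AUDIT_WORLD_WRITABLE = 1 << 3
};

/* Audit one path against the uid the editor will run as (0 for sudo/root use). */
int audit_path(const char *path, uid_t expected_uid)
{
    struct stat st;
    int flags = AUDIT_OK;

    if (lstat(path, &st) != 0)
        return AUDIT_MISSING;
    if (st.st_uid != expected_uid)
        flags |= AUDIT_WRONG_OWNER;
    /* A symlink's own mode bits are meaningless; only its owner matters.
       Its target should be audited separately. */
    if (S_ISLNK(st.st_mode))
        return flags;
    if (st.st_mode & S_IWGRP)
        flags |= AUDIT_GROUP_WRITABLE;
    if (st.st_mode & S_IWOTH)
        flags |= AUDIT_WORLD_WRITABLE;
    return flags;
}

/* Audit an absolute path and every parent directory below "/": a writable parent
   lets an unprivileged user replace the file even if the file itself is locked down.
   Returns the union of all flags found along the chain. */
int audit_chain(const char *path, uid_t expected_uid)
{
    char buf[AUDIT_PATH_MAX];
    size_t len = strlen(path);
    int flags = AUDIT_OK;

    if (len == 0 || len >= sizeof buf || path[0] != '/')
        return AUDIT_MISSING;
    memcpy(buf, path, len + 1);
    for (;;) {
        flags |= audit_path(buf, expected_uid);
        char *slash = strrchr(buf, '/');
        if (slash == NULL || slash == buf)
            break;                     /* next component would be "/" itself */
        *slash = '\0';
    }
    return flags;
}

/* Test helper: audit a constructed temporary file with the given mode as the
   current user, then remove it. Returns the audit flags, or -1 on setup error. */
int audit_temp_file(mode_t mode)
{
    char name[] = "/tmp/editor-audit-XXXXXX";
    int fd = mkstemp(name);
    int flags;

    if (fd < 0)
        return -1;
    close(fd);
    if (chmod(name, mode) != 0) {
        unlink(name);
        return -1;
    }
    flags = audit_path(name, getuid());
    unlink(name);
    return flags;
}

/* Usage: ./editor_audit /root/.emacs.d/init.el /root/.vim ... (example paths, run as root). */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int f = audit_chain(argv[i], 0);
        printf("%s:%s%s%s%s%s\n", argv[i],
               f == AUDIT_OK ? " ok" : "",
               (f & AUDIT_MISSING) ? " missing" : "",
               (f & AUDIT_WRONG_OWNER) ? " wrong-owner" : "",
               (f & AUDIT_GROUP_WRITABLE) ? " group-writable" : "",
               (f & AUDIT_WORLD_WRITABLE) ? " world-writable" : "");
    }
    return 0;
}
```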

While there are no reports of malicious attacks abusing text editors for privilege escalation, incidents involving abuse of extensibility are not unheard of. For instance, Kite, which offers Python code enhancements and suggestions for several popular editors via extensions, drew criticism last year after integrating promotional links into its users’ coding apps.

SafeBreach also pointed to a couple of incidents related to npm packages that resulted in malicious code getting loaded and applications breaking. Azouri has described several possible scenarios involving post-exploitation techniques that can be leveraged to gain root access on Unix-like systems.

“Badly configured Cron jobs, that are a natural part in Unix-like systems, can be abused to get root access. In a similar manner to the technique we present, an attacker might find binaries in cron jobs which are writable, and modify them to his/her needs. They are then executed as root by the OS (or other users, depending on the cron job settings), giving the attacker privileged execution,” Azouri told SecurityWeek.

Another example involves exploiting file permissions, such as special SUID executables. “SUID is a feature in Unix-like systems that allows configuring some executables to run as a specific user (the owner of the file). Finding a file that is owned by root and is set with SUID, can give a way for an attacker to get privileged execution,” the researcher said.

He added, “Some cases exist where the developers of 3rd party plugins, after gaining popularity for their plugin, updated the plugin’s code with malicious code (either intentionally or unintentionally, the latter can be as a result of getting hacked and the attacker obtained access to the codebase). This update was downloaded by the plugin users, and then executed without them being aware of the malicious change.”

The developers of the text editors analyzed by SafeBreach said they don’t plan on making any changes to prevent this type of abuse. Vim developers admitted that they can take measures, but they appear to believe that it’s the user’s responsibility to defend against these attacks.

Emacs developers will not make any changes to their application due to the fact that this type of privilege escalation can leverage many apps and releasing a patch on their end would not completely address the issue.

Gedit has yet to confirm SafeBreach’s findings and Sublime has not provided researchers any updates after acknowledging their bug report.

Related: Researchers Devise “Perfect” Data Exfiltration Technique

Related: Common Infiltration, Exfiltration Methods Still Successful

http://feedproxy.google.com/~r/Securityweek/~3/mpEbp1o7HRI/hackers-can-abuse-text-editors-privilege-escalation




Malware attack on 400k PCs caused by backdoored BitTorrent app

A recent malware campaign that attempted to install a resource-draining currency miner on more than 400,000 computers in 12 hours was caused by a malicious backdoor that was sneaked into a BitTorrent application called Mediaget, a Microsoft researcher said Tuesday.

The failed campaign is the latest example of what researchers call a supply-chain attack, which aims to infect large numbers of people by compromising a popular piece of hardware or software. Other examples of recent supply-chain attacks include a backdoored update of the CCleaner disk-maintenance program delivered to 2.27 million people, a tainted version of the Transmission BitTorrent client that installed ransomware on Macs, and a collection of malicious Android apps that came preinstalled on phones from two different manufacturers.

One of the more significant supply-chain attacks to come to light was the tampering of the update process for M.E.Doc, a tax-accounting application that’s widely used in Ukraine. The compromised update seeded the NotPetya wiper worm, which shut down computers all over the world last July.

Last week, Microsoft researchers reported that the company’s Windows Defender antivirus blocked more than 400,000 attempts by several advanced trojans to infect computers located primarily in Russia, Turkey, and Ukraine. The trojans were new variants of the Dofoil malware, which also goes by the name Smoke Loader. (Smoke Loader, by the way, is the name of malware that AV provider Kaspersky Lab said infected a poorly secured computer in Maryland when it sent highly sensitive National Security Agency secrets to the Kaspersky Moscow headquarters.) The Dofoil trojans Microsoft analyzed caused infected computers to install a program called CoinMiner, which tried to use infected computer resources to mine cryptocurrencies for the attackers.

Dofoil is most often spread through spam e-mail and exploit kits. On Tuesday, Microsoft researchers said the massive barrage of trojans came from a different source: a poisoned update from Mediaget. The update poisoning happened some time between February 12 and February 19. The attackers waited until March 1 to begin distributing the malware, and it wasn’t until March 6 that Microsoft began to detect it.

To avoid detection, the malware used a valid digital certificate that Microsoft suspects was stolen from an unnamed company. It’s not clear how the attackers managed to obtain the digital certificate. One possibility is from a thriving underground economy that sells counterfeit malware signing credentials that are unique to each buyer. Microsoft also didn’t explain how the Mediaget update system was compromised. Microsoft notified both Mediaget and the unnamed company.

Wednesday’s report is the latest sign of the continuing sophistication of malware attacks. A decade ago, multistage malware that relied on counterfeit certificates and compromised supply chains was the stuff of nation-sponsored attack groups. Now, common criminals are relying on the same techniques to mine digital coins.

https://arstechnica.com/?p=1275803




Edge, VirtualBox, Safari Hacked at Pwn2Own 2018

White hats managed to hack Microsoft Edge, Apple Safari and Oracle VirtualBox on the first day of the Pwn2Own 2018 competition taking place these days alongside the CanSecWest conference in Vancouver, Canada.

There were only four entries on the first day of Pwn2Own 2018. First, Richard Zhu (aka fluorescence) attempted to perform a sandbox escape on Apple’s Safari web browser, but failed to do it in the 30-minute time slot. He did, however, manage to hack Microsoft Edge using two use-after-free bugs in the browser and an integer overflow in the Windows kernel. This attempt, which involved reworking his exploit on the spot, earned him $70,000.

Niklas Baumstark from the Phoenhex team had a partially successful entry against Oracle VirtualBox. While he did manage to execute code using out-of-bounds read and time of check to time of use (TOCTOU) bugs, he was awarded only $27,000 of the maximum of $35,000.

Finally, Samuel Groß (aka saelo) of the Phoenhex team earned $65,000 for executing code in Safari using a JIT optimization bug in the web browser, a logic flaw in macOS, and a kernel overwrite vulnerability.

Only three attempts are scheduled for the second day of the event, including two that target Safari and one that targets Mozilla Firefox. Contestants earned a total of $162,000 on the first day, and they will probably not earn much more on the second day, unless their exploits include a virtual machine escape via a kernel privilege escalation vulnerability, for which there is a bonus of $50,000-$70,000.

In comparison, last year’s event had roughly 30 entries and spanned three days. Contestants earned more than $800,000 for a record-breaking 51 vulnerabilities.

The Zero Day Initiative (ZDI), which organizes Pwn2Own, said the number of white hat hackers that registered was initially higher, but some of them were forced to withdraw from the competition for various reasons, including due to their vulnerabilities being patched by Microsoft with the latest security updates.

ZDI announced in January a prize pool of $2 million for Pwn2Own 2018, which is backed by Microsoft and VMware.

While the Edge browser was hacked on the first try, Microsoft seems happy that contestants could not escape its Windows Defender Application Guard (WDAG) isolation protection. Escaping the WDAG container could have earned researchers between $10,000 and $250,000 at Pwn2Own.

http://feedproxy.google.com/~r/Securityweek/~3/FHpVbIu5iWI/edge-virtualbox-safari-hacked-pwn2own-2018




Microsoft Patches Remote Code Execution Flaw in CredSSP

A vulnerability (CVE-2018-0886) patched by Microsoft with its March 2018 security patches was a remote code execution flaw in the Credential Security Support Provider protocol (CredSSP) used by Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM).

This vulnerability can be exploited by an attacker to relay user credentials to execute code on a target system. The authentication provider, Microsoft explains, processes authentication requests for other applications, meaning that the vulnerability puts all applications that depend on CredSSP at risk.

Preempt, which discovered the bug, explains that this is a logical vulnerability that affects all Windows versions to date. With almost all enterprise customers using RDP, exploitation of this vulnerability could have a vast impact, the researchers say.

Cybercriminals can set up a man-in-the-middle attack, wait for a CredSSP session, and then steal session authentication to perform a Remote Procedure Call (DCE/RPC) attack on the server the user attempted to connect to.

Chris Morales, head of security analytics at Vectra, pointed out to SecurityWeek in an emailed comment that this type of activity could rather be considered a form of internal reconnaissance that any company properly monitoring their internal environment should be able to detect.

“In the big picture, there are a lot of variables that have to be right in a targeted environment for this attack to succeed. Most importantly, the attacker needs to already be on the network and in a position between the clients and servers. If an attacker is already that deep in the network, there are many other things they could do to scope out a network, find authentication accounts and compromise a server,” Morales said.

Once they have managed to steal the session, the attacker can run commands to install programs, read / modify / delete data, or create new accounts with full user rights.

Scenarios in which the vulnerability can be exploited include those where the attacker has some physical access to the targeted network, those where Address Resolution Protocol (ARP) poisoning is used for lateral movement, or those where the attacker is targeting sensitive servers via vulnerable routers or switches, Preempt says. The company also published a video detailing the vulnerability.

“To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems,” Microsoft explains.

The vulnerability impacts Windows 7, Windows 8.1, and Windows 10 systems, as well as Windows Server 2008, Windows Server 2012, and Windows Server 2016.

To address the issue, Microsoft released an update to correct the manner in which CredSSP validates requests during the authentication process. The update patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

“Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible,” Microsoft says.

The software giant also explains that this patch is only the first update it is releasing to address the issue. An update planned for next month should “enhance the error message that is presented when an updated client fails to connect to a server that has not been updated,” while another planned for May should “change the default setting from Vulnerable to Mitigated.”

The company also urges admins to check a compatibility table it published on Tuesday and pay close attention to Group Policy or registry settings pairs that result in “Blocked” interactions between clients and servers.

“Vulnerabilities, like this CredSSP issue that Microsoft is fixing today, become yet another example of how dangerous it can be to rely on security or administration tools without locking them down with hardened configurations. RDP is a widely used tool, but, as this exploit shows, a Man-in-the-Middle attack makes the use of this tool especially dangerous if the user is logging in with an administrator credential of any sort,” Nathan Wenzler, chief security strategist at AsTech, told SecurityWeek in an emailed comment.

“It’s imperative that admins and security practitioners are doing more to reduce the amount of privileged access their administrators possess, that tools such as RDP are disabled if they’re not being used, and doing whatever else they can to limit the amount of administrator-level exposure that an attacker might be able to compromise anywhere along the chain and then use to wreak havoc on the rest of the network,” Wenzler concluded.

Related: Microsoft Patches Over Dozen Critical Browser Flaws

Related: RDP Tops Email for Ransomware Distribution: Report

Ionut Arghire is an international correspondent for SecurityWeek.

http://feedproxy.google.com/~r/Securityweek/~3/ZyvlNR9ld1Y/microsoft-patches-remote-code-execution-flaw-credssp




Microsoft Releases More Patches for Meltdown, Spectre

Microsoft informed users on Tuesday that it released additional patches for the CPU vulnerabilities known as Meltdown and Spectre, and removed antivirus compatibility checks in Windows 10.

Meltdown and Spectre allow malicious applications to bypass memory isolation and access sensitive data. Meltdown attacks are possible due to CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be mitigated with operating system and software updates alone, but Spectre Variant 2 also requires CPU microcode updates.

In addition to software mitigations, Microsoft recently started providing microcode patches as well. It initially delivered Intel’s microcode updates to devices running Windows 10 Fall Creators Update and Windows Server 2016 (1709) with Skylake processors.

Now that Intel has developed and tested patches for many of its products, Microsoft has also expanded the list of processors covered by its Windows 10 and Windows Server 2016 updates. Devices with Skylake, Coffee Lake and Kaby Lake CPUs can now receive the microcode updates from Intel via the Microsoft Update Catalog.

Microsoft also informed customers on Tuesday that software patches for the Meltdown vulnerability are now available for 32-bit (x86) editions of Windows 7 and Windows 8.1.

The company has also decided to remove the antivirus compatibility checks in Windows 10. The decision to introduce these checks came after the tech giant noticed that some security products had created compatibility issues with the Meltdown patches. This resulted in users not receiving security updates unless their AV vendor made some changes.

Microsoft has determined that this is no longer an issue on Windows 10 so the checks have been removed. On other versions of the operating system, users will still not receive updates if their antivirus is incompatible.
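For the Windows 7 and 8.1 hosts that are still subject to the antivirus gate, an administrator will want to know whether the compatibility flag is present and whether the kernel mitigations have been overridden. The script below is an added, read-only example, not code from the article or from Microsoft; the QualityCompat key and its GUID-named value, and the FeatureSettingsOverride values, are taken from Microsoft's KB guidance for these updates rather than from the article, and the interpretation of the override values is the one Microsoft documents.

```powershell
# Added example: on a Windows 7 / 8.1 host, report whether the antivirus
# compatibility flag is present and whether the Meltdown/Spectre kernel
# mitigations are overridden. Key paths and value names come from Microsoft's
# KB guidance for these updates, not from the article above. Read-only.
# Written for PowerShell 2.0+, which is what a stock Windows 7 host has.

function Get-SpeculationPatchReadiness {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version

    # AV compatibility gate: Windows Update withholds the January 2018 and later
    # security updates unless the AV vendor (or an admin) has set this REG_DWORD
    # to 0. Per the article, Windows 10 no longer performs the check.
    $compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $compat = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    $flagPresent = ($null -ne $compat) -and ([int]$compat.$compatName -eq 0)
    $isWin10 = $ver.Major -ge 10
    $gateStatus = if ($isWin10) { 'Not checked on Windows 10' }
                  elseif ($flagPresent) { 'AV compatibility flag set; updates can be offered' }
                  else { 'Flag missing; Meltdown/Spectre updates will be withheld' }

    # Kernel mitigation overrides. Absent = OS default (enabled on client SKUs,
    # disabled on Windows Server until an admin opts in). Override 3 / mask 3
    # disables both the Meltdown and Spectre v2 mitigations; 0 / 3 forces both on.
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $mm = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
    $override = $mm.FeatureSettingsOverride
    $mask     = $mm.FeatureSettingsOverrideMask
    $mitigations = if ($null -eq $override) { 'OS default' }
                   elseif ($override -eq 3 -and $mask -eq 3) { 'DISABLED by override' }
                   elseif ($override -eq 0 -and $mask -eq 3) { 'Enabled by override' }
                   else { "Custom override ($override / $mask)" }

    New-Object PSObject -Property @{
        OS                 = $os.Caption
        Is32Bit            = ($os.OSArchitecture -like '32*')   # the x86 builds the article says now get Meltdown fixes
        UpdateGate         = $gateStatus
        MitigationOverride = $mitigations
    }
}

Get-SpeculationPatchReadiness | Format-List
```

The registry view only tells you what the host has been told to do. Whether the mitigations are actually active, including whether the Spectre Variant 2 microcode is loaded, is what Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports, and that is the check to run after the update has been installed.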

Microsoft’s Patch Tuesday updates for March 2018 fix over 70 flaws, including more than a dozen critical bugs affecting the company’s Edge and Internet Explorer web browsers.

Related: Microsoft Disables Spectre Mitigations Due to Instability

Related: Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

http://feedproxy.google.com/~r/Securityweek/~3/1BeuylZzoq0/microsoft-releases-more-patches-meltdown-spectre




Adobe Patches Critical Code Execution Flaws in Dreamweaver, Flash

Security updates released by Adobe on Tuesday patch several vulnerabilities in the company’s Dreamweaver, Flash Player and Connect products.

Flash Player 29.0.0.113 for Windows, Mac, Linux and Chrome OS addresses two critical flaws affecting versions 28.0.0.161 and earlier.

The vulnerabilities have been described as a use-after-free bug (CVE-2018-4919) and a type confusion issue (CVE-2018-4920), both of which can be exploited for remote code execution. While they have been classified as critical, Adobe has assigned them a priority rating of “2,” which indicates that the company does not expect to see exploits any time soon.

The security holes were discovered by Yuki Chen of Qihoo 360 Vulcan Team, who reported them to Adobe via the Chromium Vulnerability Rewards Program.

In Dreamweaver CC, Adobe resolved a critical OS command injection vulnerability discovered by researcher Andrea Micalizzi, also known as “rgod.” The flaw is serious, but the product has never been targeted by hackers, at least to Adobe’s knowledge.

The flaw, CVE-2018-4924, affects versions 18.0 and earlier for Windows, and it is related to the Dreamweaver URI handler. An attacker can exploit the weakness for arbitrary code execution in the context of the current user.

The latest version of Adobe Connect patches two important vulnerabilities: an OS command injection flaw that can lead to arbitrary file deletion, and an unrestricted SWF file upload bug that can be exploited for cross-site scripting (XSS) attacks. Micalizzi and Ciaran McNally have been credited for finding the flaws.

Adobe was recently forced to release an out-of-band update for Flash Player after learning of a vulnerability that had been exploited in targeted attacks by a threat actor believed to be from North Korea.

Microsoft’s Patch Tuesday updates for this month fix over 70 vulnerabilities, including more than a dozen critical flaws affecting the Edge and Internet Explorer web browsers.

Related: Adobe Patches ‘Business Logic Error’ in Flash Player

Related: Adobe Patch Tuesday Updates Fix Only One Flash Player Flaw

Related: Adobe Patches 39 Vulnerabilities in Acrobat and Reader


http://feedproxy.google.com/~r/Securityweek/~3/06TOu5vEZkI/adobe-patches-critical-code-execution-flaws-dreamweaver-flash