Microsoft Patch Tuesday rounds up IE flaws

IDG News Service - For this month's "Patch Tuesday" round of bug fixes, Microsoft has focused on correcting multiple vulnerabilities in Internet Explorer (IE), including one that is already being used in targeted attacks.

Overall, Microsoft issued five bulletins, covering 23 vulnerabilities. Two of the bulletins, covering IE and Windows, are marked critical, which means administrators should test and apply them as soon as possible. The remaining bulletins, marked important, cover Windows and the Silverlight multimedia plug-in.

Administrators should look first at MS-1402, covering 18 patches for IE, including one patch for a publicly disclosed zero-day vulnerability.

The public vulnerability first surfaced during last month's Patch Tuesday, noted Wolfgang Kandek, chief technology officer of IT security firm Qualys.

The public exploit that used this vulnerability worked in conjunction with a flaw in Adobe Flash. "Most of the time a single vulnerability will not get you that far," Kandek said, of today's approaches to compromising systems by chaining together multiple vulnerabilities. A browser vulnerability can get you into a computer, but you'd need another object to give you a specific memory location, in this case Flash.

The patches in MS-1402 cover all versions of IE, though the zero day vulnerability affected versions 9 and 10, and the known attacks using this vulnerability appeared only for IE 10.

Another interesting aspect of this zero day exploitation is that it first appeared on the Web site for the Veterans of Foreign Wars (VFW), leading some to suspect it was part of an attack from another nation, rather than just from profit-minded cybercriminals, who tend to target sites with more traffic.

"In the past, this was called a waterhole attack. You infect a website that you think your targets will go to," Kandek said. Since most of the users of the Veterans Affairs site are military or ex-military personnel, security experts suspect this group was targeted deliberately.

Microsoft is also urging administrators to take a close look at the other critical bulletin, MS-1403. Applying these patches can have "a long term impact in improving your systems' security," advised Dustin Childs, Microsoft Trustworthy Computing group manager, in a statement.

Microsoft stated that while this vulnerability is just as severe as the ones for IE, it would take a malicious user more time to understand it and write code that would exploit its weakness. "Nevertheless you should fix it, though the urgency would be lower than the browser fix," Kandek advised.

All of this month's bulletins affect Windows XP, for which Microsoft will be ending support next month. Microsoft, along with most security organizations, has been urging XP users to upgrade,with somewhat limited results. After April, Microsoft will no longer fix newly discovered XP security holes.

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.

View the original article here

Mozilla patches 20 Firefox flaws, plugs Pwn2Own holes

Computerworld - Mozilla on Tuesday patched five vulnerabilities exploited by researchers last week at the Pwn2Own hacking contest, where they were awarded $200,000 for their collective efforts.

The upgrade to Firefox 28 also added support for OS X's Notification Center and VP9 video decoding on all platforms. VP9 is an open-source video compression standard created by Google, and supported by Chrome, Firefox and Opera Software's Opera.

But Firefox 28 was primarily a security update, patching the five Pwn2Own flaws and 15 others.

At the hacking challenge, co-sponsored by HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program and Google, Firefox fell to four teams or individuals, twice the number of hacks as any other browser. Each successful exploit earned the researcher(s) $50,000, the lowest award for any of the browsers: Apple's Safari, Google's Chrome, Microsoft's Internet Explorer and Firefox.

Google patched the Chrome vulnerabilities last Friday, the day after Pwn2Own ended.

Mariusz Mlynski, Jüri Aedla, and a team from French vulnerability seller Vupen cracked Firefox on the first day of Pwn2Own; George Hotz hacked it on the second.

Firefox's four-peat fail and the low dollar amount of the reward reflected the ease with which attackers can hack the browser, which, unlike Chrome, IE and Safari, does not include anti-exploit "sandboxing" technology that isolates the browser from the rest of the system.

To execute attack code on a device with a sandboxed browser, hackers must not only exploit a vulnerability in the browser, but find a way to bypass the sandbox, often with a second vulnerability.

That was highlighted at Pwn2Own, where three of the four Firefox hacks relied on just one vulnerability. (Mlynski was the only researcher who exploited two bugs in Firefox.)

All five of the Pwn2Own-related bugs were rated "critical" by Mozilla, the firm's highest threat ranking.

Two other critical vulnerabilities were patched Tuesday, identified as "memory safety bugs" in the engine that powers Firefox. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla wrote in the accompanying security bulletin.

Mozilla also patched three vulnerabilities rated "high," seven tagged "moderate," and three judged "low" in Firefox 28. Two of the 13 were for Firefox on Android only, while another was limited to Firefox OS, the lightweight browser-based mobile operating system that Mozilla has sunk serious resources into in an attempt to take a seat at the smartphone table.

Firefox currently accounts for about 17.7% of all desktop browsers, its lowest "user share" since May 2008, according to the latest statistics from Web measurement firm Net Applications.

Windows, Mac and Linux editions of Firefox 28 can be downloaded from Mozilla's site; already installed copies will upgrade automatically. Users of Firefox for Android can retrieve the update from the Google Play store.

The next version of Firefox is scheduled to ship April 29. That version, Firefox 29, is currently slated to debut the browser's new user interface (UI), dubbed " Australis."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at  @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Small and midsize businesses are moving to the cloud to host their communications capabilities. Learn how enterprise-quality phone benefits, online management, conferencing, auto attendant, and ease of use are built into a system that is half the cost of a PBX.

Read now.

View the original article here