Archives for November 2014
On November 25, the US-Computer Emergency Readiness Team issued the following advisory on the Regin Remote Access Trojan.
A definition for this malware has been available for the workstations running Sophos since November 25. Please see the following URLs for additional details.
Microsoft has just provided advance notice of the patches that are scheduled to be released on Tuesday, November 11. The details are available at https://technet.microsoft.com/library/security/ms14-nov . There are a total of sixteen bulletins scheduled to be released. Five of the bulletins are identified as CRITICAL and (at least two) apply to Internet Explorer and all current Windows desktop and also Server operating systems. Nine of the bulletins are designated as IMPORTANT and two are designated as MODERATE.
Bulletins 1-4 are Remote code Execution vulnerabilities.
Bulletin #5 is an Elevation of Privilege vulnerability.
The remaining bulletins address either Remote Code Execution (#6), elevation of privilege (7-10, 12 and 15), security bypass (bulletin #11 and #13), information disclosure (bulletin #14) or denial of service (bulletin #16) vulnerabilities.
As indicated at least one of the bulletins designated as CRITICAL applies to server operating systems even if the server core only installation was selected. The bulletin associated with Internet Explorer is assigned a MODERATE security designation for server installations but is assigned a CRITICAL security designation for workstation operating systems that use Internet Explorer.
Other Microsoft products scheduled to receive security updates include:
- Bulletin #6 for Microsoft Office 2007 sp3, Word Viewer or Office Compatibility Pack sp3 (IMPORTANT)
- Bulletin #9 for Windows .NET frame work (IMPORTANT)
- Bulletin #10 for SharePoint Server 2010 – SharePoint Foundation 2010 sp3 (IMPORTANT)
- Bulletin #11 for Windows Vista sp2 (32 and 64 bit), Windows 7 sp1 (32 and 64 bit), Windows 8/8.1 (32 and 64 bit), Windows RT and RT 8.1, Windows Server 2008 sp2 (32,64 bit and Itanium), Windows Server 2008R2 sp1 (64 bit and Itanium), Server 2012 (base and R2), and all server core only installations of Server 2008, 2012 and 2012 R2.
- Bulletin #12 for Exchange Server 2007, 2010, 2013 – Exchange 2007sp3, Exchange 2010sp3 and Exchange 2013 SP1 and Cumulative update 6 (IMPORTANT)
- Bulletin #13 for Windows 8, 8.1 (32 and 64 bit systems) (IMPORTANT)
- Bulletin #14 for Windows Server 2008 (32 and 64 bit systems), Server 2008R2, Server 2012 base and R2, and Server core only installations of 2012R2 (IMPORTANT)
- Bulletin #15 for Windows Vista sp2 (32 and 64 bit), Windows 7sp1 (32 and 64 bit systems), Server 2003SP2 (32, 64 bit and Itanium systems), Server 2008R2 (64 bit an Itanium systems), Server core only installations of Server 2008 (32, 64 bit and Itanium systems) – (MODERATE)
- Bulletin #16 for Windows Vista sp2 (32 and 64 bit), Windows 7 sp1 (32 and 64 bit), Windows 8 and 8.1 (32 and 64 bit), Windows RT and RT8.1, Windows Server 2003 sp2 (32, 64 bit and Itanium versions), Server 2008 sp2 (32, 64 bit and Itanium versions), Server 2008R2 sp1 (64 bit and Itanium versions), Server 2012 base and R2, Server core only installations of Server 2008 32bit, Server 2008 64 bit, Server 2008R2 (64 bit), Server 2012 and Server 2012 R2. (MODERATE)
Currently, no other vendors have identified patches that are scheduled to be released on November 11. This content will be updated as additional information is made available.
Update November 13 10 a.m.
As expected the patches released on Tuesday, November 11 were extensive. As previously indicated, there were a total of sixteen patches scheduled to be released by Microsoft. However, only fourteen are available as of November 13. The patches are designated Bulletin IDs MS14-064 through MS14-079. Bulletins identified as MS14-068 and MS14-075 have been revised to have release dates that are to be determined.
Based on the severity of vulnerabilities identified in bulletins https://technet.microsoft.com/library/security/MS14-064 (which applies to Object Linking and Embedding and is designated as CRITICAL even for server operating systems) and https://technet.microsoft.com/library/security/MS14-065 (which addresses seventeen privately reported vulnerabilities in Internet Explorer), it is recommended that the patches be applied to both server and workstation operating systems as soon as possible.
Additionally, a CRITICAL vulnerability has been identified for operating systems that use TLS (also known as schannel) for secure communication; commonly used for Https connections to web or email servers. The bulletin for the schannel patch is identified as https://technet.microsoft.com/library/security/MS14-066 is particularly significant as it could allow remote code execution if an attacker sends a specially crafted packets to a windows server. This patch should also be applied (especially to server systems) as soon as possible.
Adobe also issued an update for Flash on November 11. The new version of flash for all browsers should be 22.214.171.124. For browsers other than Google Chrome and Internet Explorer 10/11, the updated version should be downloaded from Adobe. For the Google chrome and IE10/11 browsers they will be updated via the vendor release channel.
The updated version of Flash for Chrome is 126.96.36.199 and will be updated by the Chrome update process.
The updated version of Flash for IE is 31.0 – https://technet.microsoft.com/library/security/2755801 and will be updated along with the Internet Explorer patches provided by Microsoft.
Update November 19 9:00 a.m.
On Tuesday, November 18, Microsoft released one of the two patches that had been originally held on the release date of November 11. The patch is designated as MS14-068.
According to Microsoft, the vulnerability is an elevation of privilege exploit and had not been disclosed publicly prior to November 18. However, other resources – (such as https://nakedsecurity.sophos.com/2014/11/19/microsoft-tops-up-patch-tuesday-issues-delayed-fix-for-zero-day-hole-in-logon-security/ ) indicate the vulnerability had been identified publicly previously. The vulnerability could allow an user with an authorized domain logon ID to elevate the privilege to that of a domain administrator. Most resources are recommending that the patch be applied to all Windows server operating systems as soon as possible.