The Operation SnowMan espionage campaign, which targeted military intelligence earlier this year via an Internet Explorer zero day, exposed a weak spot in Microsoft’s vulnerability management efforts. What was unique about the SnowMan operation is that it included a check as to whether the compromised computer was running Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), and if so, the attack would not execute.
As it turns out, attackers were taking advantage of an information disclosure bug that revealed whether EMET and other antimalware protections were active. Today, Microsoft took steps to close that gap in its latest cumulative update for IE.
The critical patch is one of four released today by Microsoft as part of its monthly Patch Tuesday security bulletins. The IE update patches 37 vulnerabilities, including the publicly known disclosure bug. The three remaining bulletins, for .NET, Windows Task Scheduler, and Microsoft Lync, were rated important by Microsoft; none of them allows remote code execution.
EMET is a free toolkit provided by Microsoft that midmarket and enterprise IT shops can deploy as a temporary stopgap for a zero-day vulnerability being exploited in the wild. The toolkit provides a host of exploit mitigations that protect against common memory corruption vulnerabilities. The vulnerability patched in IE allows resources loaded into memory to be queried, Microsoft said, giving attackers a heads-up as to what protections are running on a machine.
The IE patch, MS14-052, is the highest priority bulletin for IT shops this month, experts said.
“This patch is Microsoft’s attempt to limit the capability of exploit kits that have been identified as using an information disclosure technique to determine if particular security software were installed,” said Craig Young, a security researcher with Tripwire. “The flaw allows a malicious website to determine if a software package is installed by querying the availability of a DLL used by that software. Information regarding active security products on a target is very useful for an attacker; it allows them to avoid raising alarms by sending detectable payloads.”
The update covers every supported version of the browser, from IE6 on Windows Server 2003 through IE11.
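The DLL-presence probe Young describes is something a web proxy or URL sandbox can flag before a user ever reaches the exploit stage. The following is an added example, not code from the article, Tripwire or Microsoft: a Python scanner that pulls res:// URIs naming local DLL/EXE paths out of fetched HTML and matches them against a watchlist of security-product module names. It assumes the probe takes the res:// form (the article does not spell out the mechanism); the HTML sample, the EMET.dll module name and the antivirus watchlist entry are constructed for illustration and should be replaced with the module names of the products you actually deploy.

```python
import re
from urllib.parse import unquote

# Constructed landing-page sample for illustration, not a captured exploit kit page.
# The first three <img> tags probe for local modules; the last one is benign.
SAMPLE_HTML = r"""
<html><body>
<img src="res://C:\Program%20Files%20(x86)\EMET%204.1\EMET.dll/#2/#xxx" onerror="noEmet()">
<img src="res://c:\windows\system32\kernel32.dll/#2/#3">
<img src="res://C:\Program%20Files\Vendor\avguard.dll/#2/#1" onload="flag()">
<img src="https://example.test/logo.png">
</body></html>
"""

# res:// URIs take the form res://<module path>/<resource type>/<resource id>.
# Capture the module path up to the first .dll/.exe/.ocx extension.
RES_URI = re.compile(r"""res://([^"'\s>#]*?\.(?:dll|exe|ocx))\b""", re.IGNORECASE)

# Constructed watchlist keyed by module file name (lowercase). EMET.dll is the
# assumed name of EMET's injected module; avguard.dll is a made-up AV module.
WATCHLIST = {
    "emet.dll": "Microsoft EMET",
    "avguard.dll": "example antivirus (constructed name)",
}


def find_resource_probes(html):
    """Return the decoded local module paths a page tries to load via res://."""
    return [unquote(m.group(1)) for m in RES_URI.finditer(html)]


def module_name(path):
    """File name component of a Windows path, lowercased for matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_probes(paths):
    """Map each watchlisted product to the path the page probed for it."""
    hits = {}
    for path in paths:
        product = WATCHLIST.get(module_name(path))
        if product:
            hits[product] = path
    return hits


def verdict(html):
    """One-word triage result: clean, suspicious (any local module probe),
    or fingerprinting (a probe for a watchlisted security product)."""
    probes = find_resource_probes(html)
    if not probes:
        return "clean"
    return "fingerprinting" if classify_probes(probes) else "suspicious"


if __name__ == "__main__":
    probes = find_resource_probes(SAMPLE_HTML)
    for path in probes:
        print("probe:", path)
    for product, path in classify_probes(probes).items():
        print(f"page checks for {product} via {path}")
    print("verdict:", verdict(SAMPLE_HTML))
```

Any res:// reference to a module on the local disk from an external page is worth a look, since a legitimate site has no reason to load resources out of a visitor's system DLLs; a match on the watchlist is the stronger signal that the page is fingerprinting defenses before deciding whether to fire.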
The next bulletin worth watching, experts said, is MS14-054, which fixes a privilege escalation vulnerability in Task Scheduler. To exploit the bug, an attacker needs valid credentials and local access to the affected system.
The vulnerability affects Windows 8, Windows 8.1, Windows RT and Windows RT 8.1, as well as Windows Server 2012 and Windows Server 2012 R2.
“MS14-054 should also be high on IT admins’ patch list as Microsoft expects to see reliable task scheduler exploits developed within a month,” Young said. “Successful exploitation of this vulnerability would allow any user to take complete control of the affected system.”
Microsoft also patched a denial-of-service vulnerability in its .NET Framework. MS14-053 affects most versions of .NET, and also affects ASP.NET installations when ASP.NET is enabled on IIS.
“If left unpatched, remote unauthenticated attackers can send HTTP/HTTPS requests to cause resource exhaustion, which will ultimately lead to a denial-of-service condition on the ASP.NET web server,” said Amol Sarwate, director of vulnerability labs at Qualys.
The final bulletin, MS14-055, patches three denial-of-service vulnerabilities in Microsoft’s messaging server, Lync.
“The security update addresses the vulnerabilities by correcting the way Lync Server sanitizes user input and by correcting the way Lync Server handles exceptions and null dereferences,” Microsoft said in its advisory.
Microsoft also updated three security advisories today:
technet.microsoft.com/en-us/library/security/2755801.aspx
technet.microsoft.com/library/security/2871997.aspx
technet.microsoft.com/library/security/2905247.aspx
September 2014 bulletin summary and individual bulletins:
technet.microsoft.com/library/security/ms14-sep
technet.microsoft.com/library/security/MS14-052
technet.microsoft.com/library/security/MS14-053
technet.microsoft.com/library/security/MS14-054
technet.microsoft.com/library/security/MS14-055
Related coverage:
threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619
threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272