Advisories

Microsoft has released a security advisory to address improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. According to Microsoft Advisory, the SSL certificates were improperly issued by the National Informatics Centre (NIC), which operates subordinate CAs under root CAs operated by the Government of India Controller of Certifying Authorities (CCA), which are CAs present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows.

2.0 Impact

The improperly issued subordinate CA certificate has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. The subordinate CA certificate may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.

3.0 List of affected google web properties

• google.com
• mail.google.com
• gmail.com
• www.gmail.com
• m.gmail.com
• smtp.gmail.com
• pop.gmail.com
• imap.gmail.com
• googlemail.com
• www.googlemail.com
• smtp.googlemail.com
• pop.googlemail.com
• imap.googlemail.com
• gstatic.com
• ssl.gstatic.com
• www.static.com
• encrypted-tbn1.gstatic.com
• encrypted-tbn2.gstatic.com
• login.yahoo.com
• mail.yahoo.com
• mail.yahoo-inc.com
• fb.member.yahoo.com
• login.korea.yahoo.com
• api.reg.yahoo.com
• edit.yahoo.com
• watchlist.yahoo.com
• edit.india.yahoo.com
• edit.korea.yahoo.com
• edit.europe.yahoo.com
• edit.singapore.yahoo.com
• edit.tpe.yahoo.com
• legalredirect.yahoo.com
• me.yahoo.com
• open.login.yahooapis.com
• subscribe.yahoo.com
• edit.secure.yahoo.com
• edit.client.yahoo.com
• bt.edit.client.yahoo.com
• verizon.edit.client.yahoo.com
• na.edit.client.yahoo.com
• au.api.reg.yahoo.com
• au.reg.yahoo.com
• profile.yahoo.com
• static.profile.yahoo.com
• openid.yahoo.com

4.0 Affected Product

List of affected Microsoft product :

• Windows XP Service Pack 3
• Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP2 for Itanium-based Systems
• Windows Vista Service Pack 2
• Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for Itanium-based Systems Service Pack 2
• Windows 7 for 32-bit Systems Service Pack 1
• Windows 7 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
• Windows 8 for 32-bit Systems
• Windows 8 for x64-based Systems
• Windows 8.1 for 32-bit Systems
• Windows 8.1 for x64-based Systems
• Windows RT
• Windows RT 8.1
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 R2 for x64-based Systems (Server Core installation)
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2 (Server Core installation)
• Windows Phone 8

5.0 Recommendation

Users are recommended to perform the update immediately for supported releases of Microsoft Windows.

5.1 Automatic update revoke certificate

Included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070)

Customers do not need to take any action because the Certificate Trust List (CTL) will be updated automatically.

5.2 Customers who choose not to install the automatic updater of revoked certificates

For customers running Windows XP or Windows Server 2003, or for customers who choose not to install the automatic updater of revoked certificates, Microsoft recommends that the 2917500 update be applied immediately using update management software, by:

• Checking for updates using the Microsoft Update service, or


• Downloading and applying the update manually. See Microsoft Knowledge Base Article 2917500 for download links.

5.3 Additional suggested action

• MyCERT also advises users to install the latest security updates for their computers and make sure their Anti-virus software is updated with latest signature files. Read Understanding Anti-Virus Software for more information.


• Good passwords management. Users are advice to use strong passwords which at least contain 8 characters in length, combination upper and lowercase, numerical character and special character. To maintain secure password, users are advice do not share password with anyone for any reason, change password periodically, avoid reuse a password, use passphrase instead a password, and avoid use same password for multiple accounts.


• Patch operating system and software. Users are advised to ensure that operation systems and any installed software are fully patched, and firewall software are up to date and operational

Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail : [email protected] or [email protected]
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: http://www.twitter.com/mycert

6.0 References

• US-CERT: Microsoft Releases Security Advisory for Improperly Issued Digital Certificates
• Microsoft Security Advisory 2916652
• Microsoft warns of fake Google and Yahoo domains
• Security Advisory 2982792 released, Certificate Trust List update

• Cumulative Security Update for Internet Explorer (2969262)
  This security update resolves two publicly disclosed vulnerabilities and fifty-seven privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
  Patch: MS14-035

• Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487)
  This security update resolves two privately reported vulnerabilities in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerabilities could allow remote code execution if a user opens a specially crafted file or webpage. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  Patch: MS14-036

• Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261)
  This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
  Patch: MS14-034

• Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061)
  This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a logged on user visits a specially crafted website that is designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's website.
  Patch: MS14-033

• Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (2969258)
  This security update resolves a privately reported vulnerability in Microsoft Lync Server. The vulnerability could allow information disclosure if a user tries to join a Lync meeting by clicking a specially crafted meeting URL.
  Patch: MS14-032

• Vulnerability in TCP Protocol Could Allow Denial of Service (2962478)
  This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a sequence of specially crafted packets to the target system.
  Patch: MS14-031

• Vulnerability in Remote Desktop Could Allow Tampering (2969259)
  This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow tampering if an attacker gains access to the same network segment as the targeted system during an active Remote Desktop Protocol (RDP) session, and then sends specially crafted RDP packets to the targeted system. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
  Patch: MS14-030

• https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=62275f48-f209-4440-af1a-c5425c875fa4

• US-CERT: Microsoft Releases June 2014 Security Bulletin [online],
  http://www.us-cert.gov/ncas/current-activity/2014/06/10/Microsoft-Releases-June-2014-Security-Bulletin
• Microsoft Security Bulletin Summary for June 2014 [online],
  https://technet.microsoft.com/library/security/ms14-jun
• AUSCERT External Security Bulletin Redistribution [online],
  https://www.auscert.org.au/render.html?it=19854   

Microsoft Internet Explorer 8 contains a use-after-free vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. This can allow for arbitrary code execution. Additional details may be found in the Zero Day Initiative advisory ZDI-14-140.

2.0 Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code. This vulnerability allows attackers to install malware on your computer, should you click on a malicious link or open a malicious email attachment. Such malware can then allow direct access to your files.

3.0 Affected Products

The detail list of the vulnerable products and versions are as below:

• Microsoft Internet Explorer 8

4.0 Recommendations

4.1 Upgrade Internet Explorer 8 to Internet Explorer 11 as prevention against this vulnerability.

4.2 If you are unable to upgrade to Internet Explorer 11, users may use the following workaround.

Users can use the following detail steps as a temporary workaround against this exploit:

4.2.1 Windows users are advised to add the EMET support for Internet Explorer (iexplorer.exe). Step by step on how to add the EMET support for specific application can be found in our Protecting Your Windows Computer with Enhanced Mitigation Experience Toolkit (EMET) tutorial at the following URL:

• https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=ee1c8114-fa55-41c4-9008-6857c28dd46f

4.2.2 Disable Active Script support in the browser, configure the Enhanced Security Configuration for Internet Explorer, and set the Internet Security Zone to "High". Referring to the following URL can disable active Script:

• https://www.mycert.org.my/portal/advisory?id=MA-358.092013

4.2.3 Do not browse to untrusted websites or click on untrusted links especially URLs enclosed in e-mails from an unknown sender.

4.2.4 Browse the Internet through access of a lower privilege user to minimize the impact of the malicious file.

4.2.5 Users are consider using alternative web browsers to browse the Internet. Please make sure you use the alternative browser is latest version and stay up-to-date as well.

MyCERT would like to advise the users of Microsoft product to be vigilant of the latest security announcements by Microsoft and ensure that they automatically update the operating systems. The article on how to enable the auto update feature in Microsoft is available at the following URL:

• https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=62275f48-f209-4440-af1a-c5425c875fa4

Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:

• http://secunia.com/vulnerability_scanning/personal/

MyCERT generally advise users of this product to keep themselves updated with the latest security announcements by the vendor. In case the public receives any suspicious URL, and requires our further analysis, please reach us through the following channels:

For further enquiries, please contact MyCERT through the following channels:

E-mail : [email protected] or [email protected]
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 09:00 AM - 18:00 PM MYT
Web : https://www.mycert.org.my
Twitter: http://www.twitter.com/mycert

5.0 References

• http://zerodayinitiative.com/advisories/ZDI-14-140/
• http://www.kb.cert.org/vuls/id/239151
• http://xforce.iss.net/xforce/xfdb/92807
• http://blog.emsisoft.com/2014/05/22/zero-day-alert-unpatched-vulnerability-in-internet-explorer-8/

Microsoft has released updates to address vulnerabilities in Windows, Office, Internet Explorer, Server Software, Office Services, Web Apps, and Productivity Software as part of the Microsoft Security Bulletin Summary for May 2014. These vulnerabilities could allow remote code executions.

2.0 The list of the Important vulnerabilities are as below:

2.1 Security Update for Internet Explorer (2965111)

This security update resolves a publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• Patch: http://go.microsoft.com/fwlink/?LinkId=397669

2.2 Security Update for Internet Explorer (2962482)

This security update resolves two privately reported vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

• Patch: http://go.microsoft.com/fwlink/?LinkId=395261

2.3 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)

This security update resolves multiple privately reported vulnerabilities in Microsoft Office server and productivity software. The most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.

• Patch: http://go.microsoft.com/fwlink/?LinkId=386285

2.4 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037)

This security update resolves two privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens an Office file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

• Patch: http://go.microsoft.com/fwlink/?LinkID=393745

2.5 Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)

This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain - a practice that could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences.

• Patch: http://go.microsoft.com/fwlink/?LinkId=396820

2.6 Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732)

This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow elevation of privilege if an unauthenticated attacker sends specially crafted data to an affected workstation or server that uses .NET Remoting. .NET Remoting is not widely used by applications; only custom applications that have been specifically designed to use .NET Remoting would expose a system to the vulnerability.

• Patch: http://go.microsoft.com/fwlink/?LinkId=396825

2.7 Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that uses ShellExecute. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

• Patch: http://go.microsoft.com/fwlink/?LinkId=396823

2.8 Vulnerability in iSCSI Could Allow Denial of Service (2962485)

This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow denial of service if an attacker sends large amounts of specially crafted iSCSI packets over the target network. This vulnerability only affects servers for which the iSCSI target role has been enabled.

• Patch: http://go.microsoft.com/fwlink/?LinkID=393744

2.9 Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033)

This security update resolves one privately reported vulnerability in an implementation of the MSCOMCTL common controls library. The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.

• Patch: http://go.microsoft.com/fwlink/?LinkId=396835

3.0 Recommendation

Users are recommended to perform the update immediately. All of the patches could be done almost automatically via the Windows Update application.

The how-to perform of the Windows Update is available at the following URL:

• https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=62275f48-f209-4440-af1a-c5425c875fa4

Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail : [email protected] or [email protected]
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: https://www.mycert.org.my
Twitter: http://www.twitter.com/mycert

4.0References

• US-CERT: Microsoft Releases May 2014 Security Bulletin [online].
  https://www.us-cert.gov/ncas/current-activity/2014/05/13/Microsoft-Releases-May-2014-Security-Bulletin


• Microsoft Security Bulletin Summary for May 2014 [online].
  https://technet.microsoft.com/library/security/ms14-may


• AUSCERT, May 2014 [online]. https://www.auscert.org.au/render.html?it=19647
• AUSCERT, May 2014 [online]. https://www.auscert.org.au/render.html?it=19646
• AUSCERT, May 2014 [online]. https://www.auscert.org.au/render.html?it=19645
• AUSCERT, May 2014 [online]. https://www.auscert.org.au/render.html?it=19644
• AUSCERT, May 2014 [online]. https://www.auscert.org.au/render.html?it=19643

Microsoft has released an official announcement that Microsoft is ending support for the Windows XP Operating System and Office 2003 on April 8, 2014.  After this date, both Microsoft products will no longer receive any software or content updates, security patches and assisted technical support from Microsoft.

Customers are required moving to a modern operating system or latest product to avoid from any potential risks such as in security, compliance, lack of independent software vendor (ISV) support and hardware manufacturer support.
 
2.0 Impact

These updates address a security concern for unprotected PCs with no security updates and patch vulnerabilities that may be exploited by malware for possible malicious attack.
 
3.0 Affected Products

Microsoft end support products are affected for the following versions:

• Microsoft Windows XP with Service Pack 3 (SP3) Operating System
• Microsoft Office 2003 Products

4.0 Recommendation

Microsoft recommends users to migrate of Microsoft Windows XP and Microsoft Office 2003 to a current supported product:

4.1 For Enterprise Customers of Windows XP should migrate to a modern operating system, please refer:

• Microsoft Sales Representative or Microsoft Certified Partner.

4.2 For a Small to Medium Business of Windows XP should migrate to a modern operating system, for details please refer:

• Microsoft Certified Partner to understand the best options business needs.
• PCs that meets the system requirements Windows 7 or Windows 8.1, can buy Windows 7 Professional or Windows 8.1 Pro from a local retailer or Microsoft Certified Partner.
• PCs that does not meet the system requirements, can consider purchasing a new business PC with Windows 8.1 Pro.

4.3 For users of Microsoft Office 2003 after this date, shall upgrade to a newer version of Office to get continuation supports and updates via:

• Microsoft Store

Users also could refer for Windows lifecycle fact sheet about detail of Microsoft product lifecycle.

Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:
E-mail : [email protected] or [email protected]
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: https://www.mycert.org.my

5.0 References

• https://www.us-cert.gov/ncas/alerts/TA14-069A-0
• http://www.microsoft.com/en-us/windows/enterprise/endofsupport.aspx
• http://office.microsoft.com/en-us/help/support-is-ending-for-office-2003-HA103306332.aspx

Microsoft Internet Explorer 9 and Internet Explorer 10 contain a use-after-free vulnerability in the MSHTML CMarkup component, which can allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system.

2.0 Impact

The impact of this vulnerability is that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explore.

3.0 Affected Products

The detail list of the vulnerable products and versions are as below:

• Microsoft Internet Explorer 10
• Microsoft Internet Explorer 9

4.0 Recommendations

4.1 Install the Microsoft Fix It Tool.

The tool can be downloaded at:

• http://support.microsoft.com/kb/2934088

4.2 Use the Microsoft Enhanced Mitigation Experience Toolkit workaround. Windows users are advised to add and enhanced EMET support for Internet Explorer (iexplorer.exe). Step by step on how to add the EMET support for specific application can be found in our Protecting Your Windows Computer with Enhanced Mitigation Experience Toolkit (EMET) tutorial at the following URL:

• https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=ee1c8114-fa55-41c4-9008-6857c28dd46f

Configure your EMET to protect either

• C:\program files\Internet Explorer\iexplore.exe
• C:\Program Files (x86)\Internet Explorer\iexplore.exe

4.3 Upgrade to Internet Explorer 11, can be downloaded at:

• http://windows.microsoft.com/en-us/internet-explorer/download-ie-MCM

MyCERT would like to advise the users of Microsoft product to be vigilant of the latest security announcements by Microsoft and ensure that they automatically update the operating systems. The article on how to enable the auto update feature in Microsoft is available at the following URL:

• https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=62275f48-f209-4440-af1a-c5425c875fa4

Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:

• http://secunia.com/vulnerability_scanning/personal/

MyCERT generally advise users of this product to keep themselves updated with the latest security announcements by the vendor. In case the public receives any suspicious URL, and requires our further analysis, please reach us through the following channels:

E-mail : [email protected] or [email protected]
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: https://www.mycert.org.my

5.0 References

• http://technet.microsoft.com/en-us/security/advisory/2934088
• https://www.us-cert.gov/ncas/current-activity/2014/02/20/Microsoft-Releases-Security-Advisory-Internet-Explorer
• http://www.kb.cert.org/vuls/id/732479
• http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx
• https://www.mycert.org.my/portal/advisory?id=MA-373.022014

Microsoft had released the January Security Bulletins–four Important–which addressed unique CVEs in Microsoft Word and Office Web Apps, Windows Kernel, and Microsoft Dynamics AX. These vulnerabilities could allow remote code execution, elevation of privilege and denial of service. With the release of this security bulletins for January 2014, this bulletin summary replaces the bulletin advance notification originally issued in January 9, 2014 by Microsoft.

2.0 The list of the Important vulnerabilities are as below:

2.1 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)

This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• Patch: https://technet.microsoft.com/en-us/security/bulletin/ms14-001

2.2 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368)

This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

• Patch: https://technet.microsoft.com/en-us/security/bulletin/ms14-002

2.3 Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a user logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

• Patch: https://technet.microsoft.com/en-us/security/bulletin/ms14-003

2.4 Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826)

This security update resolves one privately reported vulnerability in Microsoft Dynamics AX. The vulnerability could allow denial of service if an authenticated attacker submits specially crafted data to an affected Microsoft Dynamics AX Application Object Server (AOS) instance. An attacker who successfully exploited this vulnerability could cause the target AOS instance to stop responding to client requests.

• Patch: https://technet.microsoft.com/en-us/security/bulletin/ms14-004

3.0 Recommendation

Users are recommended to perform the update immediately. All of the patches could be done almost automatically via the Windows Update application.

The how-to perform of the Windows Update is available at the following URL:

• https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=62275f48-f209-4440-af1a-c5425c875fa4

Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:
E-mail : [email protected] or [email protected]
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: https://www.mycert.org.my

4.0 References

• https://technet.microsoft.com/en-us/security/bulletin/ms14-jan
• http://www.us-cert.gov/ncas/current-activity/2014/01/14/Microsoft-Releases-January-2014-Security-Bulletin

Microsoft had released the November Security Bulletins–three Critical and five Important–which addressed unique CVEs in Microsoft Windows, Office and Internet Explorer. These vulnerabilities could allow remote code execution, elevation of privilege, information disclosure or denial of service. With the release of the security bulletins for November 2013, this bulletin summary replaces the bulletin advance notification originally issued in November 7, 2013 by Microsoft.

2.0 The list of the critical vulnerabilities are as below:

2.1 Cumulative Security Update for Internet Explorer (2888505)

This security update resolves ten privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Patch: https://technet.microsoft.com/en-us/security/bulletin/ms13-088

2.2 Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution (2876331)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views or opens a specially crafted Windows Write file in WordPad. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Patch: https://technet.microsoft.com/en-us/security/bulletin/ms13-089

2.3 Cumulative Security Update of ActiveX Kill Bits (2900986)

This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability exists in the InformationCardSigninHelper Class ActiveX control. The vulnerability could allow remote code execution if a user views a specially crafted webpage with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Patch: https://technet.microsoft.com/en-us/security/bulletin/ms13-090

3.0 The list of the Important vulnerabilities are as below:

3.1 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2885093)

This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a specially crafted WordPerfect document file is opened in an affected version of Microsoft Office software. An attacker who successfully exploited the most severe vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Patch: https://technet.microsoft.com/en-us/security/bulletin/ms13-091

3.2 Vulnerability in Hyper-V Could Allow Elevation of Privilege (2893986)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker passes a specially crafted function parameter in a hypercall from an existing running virtual machine to the hypervisor. The vulnerability could also allow denial of service for the Hyper-V host if the attacker passes a specially crafted function parameter in a hypercall from an existing running virtual machine to the hypervisor.

Patch: https://technet.microsoft.com/en-us/security/bulletin/ms13-092

3.3  Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure (2875783)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if an attacker logs on to an affected system as a local user, and runs a specially crafted application on the system that is designed to enable the attacker to obtain information from a higher-privileged account. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability..

Patch: https://technet.microsoft.com/en-us/security/bulletin/ms13-093

3.4 Vulnerability in Microsoft Outlook Could Allow Information Disclosure (2894514)

This security update resolves a publicly disclosed vulnerability in Microsoft Outlook. The vulnerability could allow information disclosure if a user opens or previews a specially crafted email message using an affected edition of Microsoft Outlook. An attacker who successfully exploited this vulnerability could ascertain system information, such as the IP address and open TCP ports, from the target system and other systems that share the network with the target system.

Patch: http://technet.microsoft.com/en-us/security/bulletin/ms13-094

3.4 Vulnerability in Digital Signatures Could Allow Denial of Service (2868626)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service when an affected web service processes a specially crafted X.509 certificate.

Patch: https://technet.microsoft.com/en-us/security/bulletin/ms13-095

4.0 Recommendation

Users are recommended to perform the update immediately. All of the patches could be done almost automatically via the Windows Update application.

The how-to perform of the Windows Update is available at the following URL:

• https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=62275f48-f209-4440-af1a-c5425c875fa4

Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail : [email protected] or [email protected]
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: https://www.mycert.org.my

5.0 References

• http://technet.microsoft.com/en-us/security/bulletin/ms13-nov
• http://krebsonsecurity.com/2013/11/zero-days-rule-novembers-patch-tuesday/
• http://www.us-cert.gov/ncas/current-activity/2013/11/12/Microsoft-Addresses-New-Watering-Hole-Attack-November-2013-Security

A critical vulnerability has been identified in the Microsoft Internet Explorer version 8 and 9. The vulnerability, if successfully exploited will cause the application to crash and could potentially allow an attacker to take control of the affected system. [1]

Essentially, an attacker can trick users into clicking on a URL that will direct the users to a specially crafted web page containing the exploit. However, based on incident reported, the malicious code was embedded to a well known website and start exploiting the visitors.

MyCERT is aware that a '0-day' exploit is available on the Internet at the time of the publication of this advisory. [2]

2.0 Impact

An attacker who successfully exploits this vulnerability will be able to execute codes remotely and gain the same privilege as the user. Unsuccessful attacks may cause denial-of-service (DoS) outcomes. This vulnerability could be exploited to install malware on the user's computer.

3.0 Affected Products

The detail list of the vulnerable products and versions are as below:

• Microsoft Internet Explorer 8
• Microsoft Internet Explorer 9

4.0 Recommendations

As of the writing of this advisory, Microsoft has not released any security patches for this vulnerability. However, users can use the following steps as a temporary workaround if they need to use Microsoft Internet Explorer:

4.1 Windows users are advised to apply the Microsoft Fix it solution, "CVE-2013-3893 MSHTML Shim Workaround. However, FixIt ONLY applies to 32-bit versions of Internet Explorer. User must have security update 2870699 installed for this Fix it to provide effective protection against this issue. Step by step on how to apply Fix it can be found at the following URL:

• http://support.microsoft.com/kb/2887505#FixItForMe

To enable or disable this Fix it solution, click the Fix it button or link under the Enable heading or under the Disable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.

• • Microsoft Fix it 51001 - Enable this fix it
    http://go.microsoft.com/?linkid=9838025
     
  • Microsoft Fix it 51002 - Disable this fix it
    http://go.microsoft.com/?linkid=9838026

4.2 Windows users are advised to add and enhanced EMET support for Internet Explorer (iexplorer.exe). Step by step on how to add the EMET support for specific application can be found in our Protecting Your Windows Computer with Enhanced Mitigation Experience Toolkit (EMET) tutorial at the following URL:

• https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=ee1c8114-fa55-41c4-9008-6857c28dd46f

Configure your EMET to protect either

• C:\program files\Internet Explorer\iexplore.exe
   
• C:\Program Files (x86)\Internet Explorer\iexplore.exe

4.3 Disable Active Script support in the browser. Active Script can be disabled by referring to the following steps:

On the Tools menu, click Internet Options

Click the Security tab, choose Internet zone and click on Custom Level

Disable the Active Scripting and click OK

Do the same step for Local Intranet Security Zone

4.4 Another option for the recommendation in 4.3 is to configure the Enhanced Security Configuration for Internet Explorer and set the Internet Security Zone and Local Intranet Security Zones to "High".

4.5 Do not browse to untrusted websites or click on untrusted links especially URLs enclosed in e-mails from an unknown sender.

4.6 Browse the Internet through access of a lower privilege user to minimize the impact of the malicious file.

4.7 Consider using alternative web browsers to browse the Internet. Please make sure you use the latest version and stay up-to-date as well.

MyCERT would like to advise the users of Microsoft product to be vigilant of the latest security announcements by Microsoft and ensure that they automatically update the operating systems. The article on how to enable the auto update feature in Microsoft is available at the following URL:

• https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=62275f48-f209-4440-af1a-c5425c875fa4

Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:

• http://secunia.com/vulnerability_scanning/personal/

MyCERT generally advise users of this product to keep themselves updated with the latest security announcements by the vendor. In case the public receives any suspicious URL, and requires our further analysis, please reach us through the following channels:

E-mail : [email protected] or [email protected]
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: https://www.mycert.org.my

5.0 References

• http://technet.microsoft.com/en-us/security/advisory/2847140
• http://labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/
• http://blog.malwarebytes.org/intelligence/2013/05/new-internet-explorer-8-zero-day/