MA-802.042021: MyCERT Advisory - Microsoft March 2021 Security Updates

  • 13 Apr 2021
  • Advisory
  • Microsoft

1.0 Introduction

Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

  • Application Virtualization
  • Azure
  • Azure DevOps
  • Azure Sphere
  • Internet Explorer
  • Microsoft ActiveX
  • Microsoft Exchange Server
  • Microsoft Edge (Chromium-based)
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office PowerPoint
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Windows Codecs Library
  • Power BI
  • Role: DNS Server
  • Role: Hyper-V
  • Visual Studio
  • Visual Studio Code
  • Windows Admin Center
  • Windows Container Execution Agent
  • Windows DirectX
  • Windows Error Reporting
  • Windows Event Tracing
  • Windows Extensible Firmware Interface
  • Windows Folder Redirection
  • Windows Installer
  • Windows Media
  • Windows Overlay Filter
  • Windows Print Spooler Components
  • Windows Projected File System Filter Driver
  • Windows Registry
  • Windows Remote Access API
  • Windows Storage Spaces Controller
  • Windows Update Assistant
  • Windows Update Stack
  • Windows UPnP Device Host
  • Windows User Profile Service
  • Windows WalletService
  • Windows Win32K

4.0 Recommendations
Users and administrators are recommended to review the below URLs and perform the necessary update.

Generally, MyCERT advises the users of these applications to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 - 8008 7000 (Office Hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

MA-801.032021: MyCERT Advisory - Microsoft February 2021 Security Updates

  • 10 Mar 2021
  • Advisory
  • Microsoft

1.0 Introduction

Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

  • Windows 10 v20H2, v2004, v1909, v1809, and v1803
  • Windows Server 2019, Windows Server 2016, and Server Core installations (2019, 2016, v20H2, v2004, and v1909)
  • Windows 8.1, Windows Server 2012 R2, and Windows Server 2012
  • Microsoft Office-related software
  • Microsoft SharePoint-related software
  • Microsoft Lync/Skype for Business
  • Microsoft Exchange Server
  • Microsoft .NET-related software
  • Microsoft Visual Studio
  • Microsoft Dynamics-related software
  • Microsoft Azure-related software
  • Developer tools

4.0 Recommendations

Users and administrators are recommended to review the URLs below and perform the necessary updates. Kindly refer to the following URLs:
https://msrc.microsoft.com/update-guide
https://msrc.microsoft.com/update-guide/releaseNote/2021-Feb

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0    References

MA-800.032021: MyCERT Alert - Advisory Multiple Security Updates Released for Exchange Server

  • 04 Mar 2021
  • Alert
  • Microsoft Exchange Server

1.0 Introduction

Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2010, 2013, 2016, and 2019.

2.0 Impact

A remote attacker can exploit four remote code execution vulnerabilities—CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—to take control of an affected system and can exploit one vulnerability—CVE-2021-26855—to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.

3.0 Affected System and Devices

  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2013  
  • Microsoft Exchange Server 2016  
  • Microsoft Exchange Server 2019

4.0 Recommendations
Users and system administrators are advised to review the following URL and apply the necessary updates:

Generally, MyCERT advises the users of this application to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0    References

  1. https://us-cert.cisa.gov/ncas/current-activity/2021/03/02/microsoft-releases-out-band-security-updates-exchange-server
  2. https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
  3. https://www.tenable.com/blog/cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-27065-four-microsoft-exchange-server-zero-day-vulnerabilities

MA-796.122020: MyCERT Alert - Microsoft Teams Remote Code Execution Vulnerability

  • 12 Dec 2020
  • Alert

1.0 Introduction

A Remote Code Execution vulnerability has been identified in the Microsoft Teams (MS Teams) desktop application, which can be triggered by a novel Cross Site Scripting (XSS) injection in the web application (teams.microsoft.com). A specially crafted chat message can be sent to any Microsoft Teams member or channel and will execute arbitrary code on victim devices without user interaction.

Remote Code Execution has been achieved in desktop applications across all supported platforms (Windows, macOS, Linux). Code execution gives attackers full access to victim devices and company internal networks via those devices.

Even without arbitrary code execution on the victim device, the demonstrated XSS makes it possible for an attacker to obtain SSO authorisation tokens for Microsoft Teams and other Microsoft services (e.g. Skype, Outlook, Office365). Furthermore, the XSS vulnerability by itself allows access to confidential or private conversations and files from within MS Teams.

As for a CVE, it is currently Microsoft's policy not to issue CVEs for products that update automatically without user interaction.

2.0 Impact

A remote attacker could send a message, or edit an existing one, that executes code when the message is viewed.

3.0 Affected System and Devices

  • Microsoft Teams (teams.microsoft.com)
  • Microsoft Teams macOS v 1.3.00.23764 
  • Microsoft Teams Windows v 1.3.00.21759 
  • Microsoft Teams Linux v 1.3.00.16851

4.0 Recommendations

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0    References

MA-786.042020: MyCERT Advisory - Microsoft Releases April 2020 Security Updates

  • 16 Apr 2020
  • Advisory
  • Microsoft

1.0 Introduction

Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

  • Microsoft Windows
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Edge (Chromium-based)
  • ChakraCore
  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Windows Defender
  • Visual Studio
  • Microsoft Dynamics
  • Microsoft Apps for Android
  • Microsoft Apps for Mac

Below is the CVE list:

CVE | Title | Severity | Public | Exploited | Type
CVE-2020-1020 | Adobe Font Manager Library Remote Code Execution Vulnerability | Important | Yes | Yes | RCE
CVE-2020-0938 | OpenType Font Parsing Remote Code Execution Vulnerability | Important | No | Yes | RCE
CVE-2020-1027 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | Yes | EoP
CVE-2020-0935 | OneDrive for Windows Elevation of Privilege Vulnerability | Important | Yes | No | EoP
CVE-2020-0969 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | RCE
CVE-2020-1022 | Dynamics Business Central Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-0948 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | RCE
CVE-2020-0949 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | RCE
CVE-2020-0950 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | RCE
CVE-2020-0907 | Microsoft Graphics Components Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-0687 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-0927 | Microsoft Office SharePoint XSS Vulnerability | Critical | No | No | XSS
CVE-2020-0929 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-0931 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-0932 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-0974 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-0965 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-0970 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | RCE
CVE-2020-0968 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | RCE
CVE-2020-0967 | VBScript Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-0910 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-0942 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0944 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1029 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0784 | DirectX Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0888 | DirectX Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0964 | GDI+ Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0889 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0953 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0959 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0960 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0988 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0992 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0994 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0995 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0999 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-1008 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0937 | Media Foundation Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-0939 | Media Foundation Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-0945 | Media Foundation Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-0946 | Media Foundation Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-0947 | Media Foundation Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-0984 | Microsoft (MAU) Office Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1002 | Microsoft Defender Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1049 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | XSS
CVE-2020-1050 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | XSS
CVE-2020-1018 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important | No | No | Info
CVE-2020-0906 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0979 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0982 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-0987 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-1005 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-0961 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0760 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0991 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0923 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | XSS
CVE-2020-0924 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | XSS
CVE-2020-0925 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | XSS
CVE-2020-0926 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | XSS
CVE-2020-0930 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | XSS
CVE-2020-0933 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | XSS
CVE-2020-0954 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | XSS
CVE-2020-0973 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | XSS
CVE-2020-0978 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | XSS
CVE-2020-0919 | Microsoft Remote Desktop App for Mac Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1019 | Microsoft RMS Sharing App for Mac Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0920 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0971 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0972 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | Spoof
CVE-2020-0975 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | Spoof
CVE-2020-0976 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | Spoof
CVE-2020-0977 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | Spoof
CVE-2020-0899 | Microsoft Visual Studio Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1014 | Microsoft Windows Update Client Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0980 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0943 | Microsoft YourPhone Application for Android Authentication Bypass Vulnerability | Important | No | No | EoP
CVE-2020-1026 | MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-0966 | VBScript Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-0900 | Visual Studio Extension Installer Service Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0956 | Win32k Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0957 | Win32k Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0958 | Win32k Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0699 | Win32k Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-0962 | Win32k Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-0835 | Windows Defender Antimalware Platform Hard Link Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0794 | Windows Denial of Service Vulnerability | Important | No | No | DoS
CVE-2020-0993 | Windows DNS Denial of Service Vulnerability | Important | No | No | DoS
CVE-2020-0934 | Windows Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0983 | Windows Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1009 | Windows Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1011 | Windows Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1015 | Windows Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0952 | Windows GDI Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-1004 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0917 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0918 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0913 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1000 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1003 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0955 | Windows Kernel Information Disclosure in CPU Memory Access | Important | No | No | Info
CVE-2020-0821 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-1007 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-0940 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1001 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1006 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1017 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-1016 | Windows Push Notification Service Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-0936 | Windows Scheduled Task Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0981 | Windows Token Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-0985 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0996 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-0895 | Windows VBScript Engine Remote Code Execution Vulnerability | Important | No | No | EoP
CVE-2020-1094 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important | No | No | EoP

4.0 Recommendations

Generally, MyCERT advises the users of these products to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0    References

MA-782.042020: MyCERT Advisory - Online Video Tele-conferencing (VTC) Application Security Guidelines

  • 07 Apr 2020
  • Advisory
  • Video-teleconferencing Zoom Cisco Webex Microsoft Teams

1.0 Introduction

MyCERT received many inquiries on the safety and security aspects of video tele-conferencing (VTC) platforms such as Zoom, Microsoft Teams, Cisco Webex and several others. Ever since the Movement Control Order (MCO) was announced, many organizations and individuals shifted to VTC tools to communicate, conduct online classes and for business transactions.

Most VTC providers have already enhanced their applications according to security reports evaluated by security practitioners. It is the user's responsibility to choose a secure and safe VTC platform for web conferencing. As a precaution, MyCERT recommends the following general guidelines when using VTC.

2.0 Security Guidelines

A. All VTC Users

  1. Use the latest version of VTC and security software
    • Only download software from its official website or official app store.
    • Update the software regularly to its latest version.
    • Update the operating system and security software on desktop computers and mobile devices frequently.
  2. Never share confidential information during a meeting
    • Avoid discussing any confidential information to prevent leakage.
    • Enable non-recordable videos and audios, and limit file sharing.
  3. Protect the VTC account and watch for suspicious account activity
    • Create a strong password for the account.
    • If something is suspicious, log out from VTC clients. If you lose your computer or mobile phone, log out from all clients immediately and change your login password.
    • Do not share or publish the conference ID and URL sent by the organizer.
    • Log out from the application when you finish the meeting.

B. Unit Hosting the Meeting

  1. Protect meeting privacy and prevent unauthorized intruders
    • Share the meeting ID and website only with intended participants. Never share them on social media or public online platforms.
    • Create a strong meeting password and send the meeting URL to participants separately.
    • Use the pre-registration function to monitor the list of participants.
    • Disable the "Join before Host" option to ensure the host is present before other participants join the meeting. This enables the host to identify participants in advance.
    • Use the waiting room function to monitor participants as they log in.
    • Lock the meeting immediately after all participants have joined.
    • Set screen sharing to "Only Host" and enable it for participants only when necessary.
  2. Monitor the meeting
    • Use another device to log in as a participant.
    • Monitor any inappropriate content shared by participants; remove inappropriate content and unidentified participants.
    • Ensure all participants log out before the main host ends the session.
  3. Ensure participants' safety and privacy during the video conference
    • Notify all participants in advance if recording is required.
    • If the recording contains sensitive information, do not save it in the cloud. Save the recording on a personal computer, with restricted access and sharing.
  4. Secure your account's Personal Meeting ID
    • This ID can be linked to your VTC account for personal use only.
    • Do not share this ID or use it in general meetings.
  5. Develop a security policy for web conferences
    • Organizations are advised to develop a security policy for employees to follow when hosting and participating in online meetings.
    • This policy should include VTC usage and safety guidelines.

For additional references, the following websites also provide detailed guidelines on Online Video Tele-conferencing:

In general, MyCERT advises all users and administrators of Online Video Tele-conferencing to follow the latest security announcements by the vendor and adhere to security policies, according to best practices, to determine applicable updates.


MA-781.032020: MyCERT Alert - Vulnerability in Adobe Type Manager Library

  • 25 Mar 2020
  • Alert
  • Adobe, ATM, Microsoft.

1.0 Introduction

According to Microsoft, there is ongoing exploitation in the wild targeting unpatched vulnerabilities in the Adobe Type Manager (ATM) Library.

Two remote code execution vulnerabilities have been identified in the Microsoft Windows ATM Library, which improperly handles a specially crafted multi-master font in the Adobe Type 1 PostScript format.

Microsoft has confirmed the issues, released an advisory “ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability”, and is currently working on a fix.

2.0 Impact

By causing a Windows system to open a specially crafted document or view it in the Windows preview pane, an unauthenticated remote attacker may be able to execute arbitrary code with kernel privileges on a vulnerable system. Windows 10 based operating systems would execute the code with limited privileges, in an AppContainer sandbox.

3.0 Affected System and Devices

  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1709 for 32-bit Systems
  • Windows 10 Version 1709 for ARM64-based Systems
  • Windows 10 Version 1709 for x64-based Systems
  • Windows 10 Version 1803 for 32-bit Systems
  • Windows 10 Version 1803 for ARM64-based Systems
  • Windows 10 Version 1803 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows 8.1 for 32-bit systems
  • Windows 8.1 for x64-based systems
  • Windows RT 8.1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)

4.0 Recommendations

According to Microsoft, a fix for the issue is currently being worked on. In the meantime, users can apply the workarounds suggested by Microsoft, listed below:

  • Disable the Preview Pane and details pane in Windows Explorer.
  • Disable the WebClient service.
  • Rename the ATMFD.DLL.

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0    References

MA-772.022020: MyCERT Advisory - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604)

  • 07 Feb 2020
  • Advisory
  • Microsoft SharePoint, Remote Code Execution, Vulnerability

1.0 Introduction

Microsoft published a security update for a Remote Code Execution vulnerability in Microsoft SharePoint Services. The vulnerability (CVE-2019-0604) would allow an attacker who successfully exploits the service to run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

2.0 Impact

By exploiting this vulnerability, a remote, unauthenticated attacker may be able to execute arbitrary code on vulnerable systems. 

3.0 Affected Products

The vulnerability affects the following SharePoint Versions:

  • Microsoft SharePoint Enterprise Server 2016    
  • Microsoft SharePoint Foundation 2010 Service Pack 2    
  • Microsoft SharePoint Foundation 2013 Service Pack 1    
  • Microsoft SharePoint Server 2010 Service Pack 2    
  • Microsoft SharePoint Server 2013 Service Pack 1    
  • Microsoft SharePoint Server 2019    

4.0 Recommendations

Users and organizations using the affected products are advised to update and patch their systems immediately. Patches for the vulnerability can be found at Microsoft's Portal:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604


5.0    References

MA-764.012020: MyCERT Advisory - Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains

  • 16 Jan 2020
  • Advisory

1.0 Introduction

Microsoft Windows CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which lets an attacker spoof the validity of a digital certificate. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file came from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

2.0 Impact

A successful exploit could allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

3.0 Affected Products

  • Windows 10 operating system (32 and 64 bit)
  • Windows Server 2016
  • Windows Server 2019

4.0 Recommendations

MyCERT highly recommends that users install all January 2020 Security Update patches to effectively mitigate the vulnerability on all Windows 10, Windows Server 2016 and Windows Server 2019 systems.

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0    References

  • https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
  • https://kb.cert.org/vuls/id/849224/
  • https://www.us-cert.gov/ncas/alerts/aa20-014a

MA-758.112019: MyCERT Alert - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-1429)

  • 21 Nov 2019
  • Alert
  • Microsoft, Internet Explorer, RCE

1.0 Introduction

Recently, MyCERT received information from reliable sources about an exploit for Internet Explorer. The exploit is a remote code execution (RCE) that corrupts memory to execute arbitrary code in the context of the current user. In addition, an attacker could embed this exploit in a Microsoft Office application that hosts the IE rendering engine.

2.0 Impact

An attacker could craft a malicious website and lure targeted users into accessing it through Internet Explorer. If the targeted user has administrative privileges, the attacker gains those rights, which enables the attacker to take control of the affected system and to modify or delete data or create new users with full user rights.

3.0 Affected System and Devices

  • Microsoft Internet Explorer version 11 and below

4.0 Recommendations

As of the writing of this advisory, Microsoft has not released any security patches for this vulnerability. However, users can apply the following steps as temporary workarounds if they need to use Microsoft Internet Explorer:

  • Avoid clicking any suspicious links until the vendor releases a patch to the public.
  • Browse with a least-privilege user account to limit the impact of executing a malicious file.
  • Consider using alternative web browsers to browse the Internet. Please make sure you use the latest version and stay up-to-date as well.

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0    References
