Microsoft announced the release of a series of updates aimed at eliminating vulnerabilities in its products. As reported earlier in the pre-release notification (September 5), the security fixes cover more than 50 unique vulnerabilities (4 fixes with the Critical status and 10 with the Important status). A detailed report (including the correlation of fixes with CVE IDs) can be found here. One of the updates, MS13-069, fixes ten Critical vulnerabilities in Internet Explorer (from version 6 to the latest IE 10, on all of Windows XP through 8 and RT, x32 and x64; rated Moderate on server versions of the OS). The vulnerabilities are of the Remote Code Execution (memory-corruption) type and can be used to stealthily install malicious code (drive-by). A reboot is required to apply the patch.
In September, the details of the exploitation of the RCE vulnerability in win32k.sys, which was closed by MS13-053 and can be used to bypass the restrictions of the sandbox mode in the Google Chrome browser, became known (Google Chrome WebKit / Blink flaws via CVE-2013-0912, CVE-2013-1300). A successful demonstration of a chain of exploits for conducting a drive-by attack against the latest [at that time] version of Chrome was given at Pwn2Own 2013, which we already wrote about earlier. Last month, Microsoft closed vulnerabilities in the latest version of Internet Explorer and in the ASLR mechanism, which were used to successfully conduct a drive-by attack as part of Pwn2Own 2013.
In addition to Internet Explorer, OS components of various versions, the Outlook e-mail client and MS SharePoint were updated. This month's Patch Tuesday differs from others in the large number of fixed Remote Code Execution (RCE) vulnerabilities in Microsoft Office, SharePoint, Windows and IE. Eight updates fix vulnerabilities through which an attacker can successfully run remote code on a system with vulnerable software.
In the case of the win32k.sys vulnerability CVE-2013-1300 (MS13-053), which can be used to execute arbitrary code, the issue lies in the use of the undocumented function win32k!NtUserMessageCall.

W32KAPI LRESULT NtUserMessageCall(IN HWND hwnd, IN UINT msg, IN WPARAM wParam, IN LPARAM lParam, IN ULONG_PTR xParam, IN DWORD xpfnProc, IN BOOL bAnsi);
This function is used to pass messages between threads during GUI interaction within the Win32 subsystem of Windows. For some message types it allocates a memory buffer, which is then filled by the called party, i.e., the thread that is waiting for the message. The following shows the function call stack when a message is sent by the caller.
00000008 ffb80530 00000000 nt!ExpReleasePoolQuota+0x21
fd6b7168 00000000 ffb80530 nt!ExFreePoolWithTag+0x779
ffb80530 00000000 2ba8aa2a win32k!UnlinkSendListSms+0x70
00243c78 0000000d 00000008 win32k!XxxInterSendMsgEx+0xd0a
fe243c78 0000000d 00000008 win32k!xxxSendMessageTimeout+0x13b
fe243c78 0000000d 00000008 win32k!xxxSendMessageEx+0xec <- the function through which the allocation of the exploited memory is initiated via Win32AllocPoolWithQuota
fe243c78 0000000d 00000008 win32k!NtUserfnOUTSTRING+0xa7
0001037c 0000000d 00000008 win32k!NtUserMessageCall+0xc9 <- function called via the shadow SDT KeServiceDescriptorTableShadow
0001037c 0000000d 00000008 nt!KiFastCallEntry+0x12a
The following shows the function call stack when the message is received by the receiving party and the buffer allocated by xxxSendMessageEx -> ... -> Win32AllocPoolWithQuota is filled.
a9de17d0 825c4759 a9de1850 a9dd9a84 00000008 win32k!CopyOutputString <- direct copy operation
a9de1aa4 82625d85 fe2389a0 0000000d 00000008 win32k!SfnOUTSTRING+0x336
a9de1aec 825f5ad1 0a2389a0 0000000d 00000008 win32k!xxxSendMessageToClient+0x175
a9de1b68 82638034 fd96c5a0 2bad6b5a 0171fed8 win32k!xxxReceiveMessage+0x3b8
a9de1bb8 8263b7e6 a9de1be8 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x252
a9de1c1c 82a4e89a 0171fed8 00000000 00000000 win32k!NtUserGetMessage+0x3f <- shadow SDT function
a9de1c1c 77677094 0171fed8 00000000 00000000 nt!KiFastCallEntry+0x12a
0171ff00 7769377b 00000000 76fed4be 00000000 ntdll!KiFastSystemCallRet
0171ff40 7769374e 013d1340 00000000 00000000 ntdll!__RtlUserThreadStart+0x70
0171ff58 00000000 013d1340 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
xxxInterSendMsgEx is an important function because it is responsible for directly delivering a message from one thread to another.
The error in the code arises because the last argument of NtUserMessageCall, bAnsi, is interpreted differently by the function that allocates the memory and the function that fills it. The allocating function treats this argument as a boolean: a value of 0 is false and indicates the use of WCHAR characters, while any non-zero value is taken as an indication of ASCII characters, and a block of memory of the corresponding size is allocated. However, the function that performs the character copy treats this argument as a bitmask when distinguishing ASCII from WCHAR. Thus, when the argument is a non-zero even number, the two functions interpret the value differently. For example, with a value of 2, the allocating function assumes that a buffer sized for a string of ASCII characters should be allocated, but at copy time the CopyOutputString function treats the string as WCHAR and copies twice as much memory as was allocated, causing a buffer overflow. By combining this vulnerability with CVE-2013-0912, an attacker can execute arbitrary code from the browser, thereby bypassing the restrictions of the sandbox mode.
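The size mismatch described above, as an added illustration that is not code from the original post or from Windows: a hypothetical user-mode model in which one routine reads a flag as a boolean while another reads it as a bitmask, followed by the check a hardened copy routine would perform (the destination carries its own byte length and the copier refuses to exceed it). NtUserMessageCall and the real kernel allocator and copier are not reproduced; the function names, the 16-bit WCHAR typedef, the low-bit bitmask interpretation and the sample string are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the CVE-2013-1300 root cause (not kernel code):
 * two routines read the same flag argument in two different ways. */
typedef uint16_t WCHAR;   /* assumption: Windows-style 16-bit wide character */

/* Allocator's view: the flag is a boolean, any non-zero value means ANSI. */
size_t alloc_size_boolean(unsigned bAnsi, size_t nChars)
{
    return bAnsi ? nChars * sizeof(char) : nChars * sizeof(WCHAR);
}

/* Copier's view (assumed): the flag is a bitmask, only the low bit means ANSI. */
size_t copy_size_bitmask(unsigned bAnsi, size_t nChars)
{
    return (bAnsi & 1u) ? nChars * sizeof(char) : nChars * sizeof(WCHAR);
}

/* True when the copier would write more bytes than the allocator reserved. */
bool would_overflow(unsigned bAnsi, size_t nChars)
{
    return copy_size_bitmask(bAnsi, nChars) > alloc_size_boolean(bAnsi, nChars);
}

/* Counts the flag values in 0..maxFlag on which the two views disagree. */
unsigned count_disagreeing_flags(unsigned maxFlag, size_t nChars)
{
    unsigned n = 0;
    for (unsigned f = 0; f <= maxFlag; f++)
        n += would_overflow(f, nChars) ? 1u : 0u;
    return n;
}

/* Hardened copy: the destination's byte length travels with the buffer and
 * the copy is bounded by it, so a flag disagreement cannot write past the end.
 * Returns the number of bytes written, or 0 when the data would not fit. */
size_t checked_copy_output(void *dst, size_t dstBytes,
                           const WCHAR *src, size_t nChars, unsigned bAnsi)
{
    size_t needed = copy_size_bitmask(bAnsi, nChars);
    if (needed > dstBytes)
        return 0;                       /* refuse instead of overflowing */
    if (bAnsi & 1u) {
        /* narrow each code unit to one byte (constructed down-conversion) */
        unsigned char *out = (unsigned char *)dst;
        for (size_t i = 0; i < nChars; i++)
            out[i] = (unsigned char)src[i];
    } else {
        memcpy(dst, src, needed);
    }
    return needed;
}

int main(void)
{
    const WCHAR sample[] = { 'P', 'a', 't', 'c', 'h' };   /* constructed input */
    size_t n = sizeof sample / sizeof sample[0];
    for (unsigned f = 0; f <= 3; f++) {
        printf("bAnsi=%u alloc=%zu copy=%zu %s\n", f,
               alloc_size_boolean(f, n), copy_size_bitmask(f, n),
               would_overflow(f, n) ? "MISMATCH" : "ok");
    }
    unsigned char small[5];               /* sized for 5 ANSI characters */
    size_t w = checked_copy_output(small, sizeof small, sample, n, 2);
    printf("checked copy with bAnsi=2 into 5 bytes wrote %zu bytes\n", w);
    return 0;
}
```

Running the model over flag values 0 through 3 shows that only the value 2 produces a mismatch (allocator reserves 5 bytes, copier wants 10), which is exactly the even, non-zero case the text describes; the checked copy returns 0 for that case instead of writing past the buffer.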
The MS13-067 update (Critical) fixes ten vulnerabilities in Microsoft Office Server software (Office Web Apps / Server Software). Vulnerabilities CVE-2013-3847, CVE-2013-3848, CVE-2013-3849, CVE-2013-3857 and CVE-2013-3858 are present in Word (as part of Office Web Apps 2010 and SharePoint Server 2010), and through them an attacker can execute remote code via a specially crafted file.
The MS13-068 update (Critical) fixes the RCE vulnerability CVE-2013-3870 in the Outlook 2007-2010 mail client. An attacker can execute arbitrary code through a specially crafted message sent to a vulnerable version of the client.
Exploit code would be difficult to build.
The MS13-070 update (Critical) fixes the vulnerability CVE-2013-3863 in the OLE mechanism of Windows XP SP3 [x64 SP2] and Windows Server 2003 SP2. An attacker can execute arbitrary code with the rights of the current user through a specially crafted OLE object.
Exploit code likely.
Update MS13-071 (Important) resolves the vulnerability CVE-2013-0810 in Windows XP SP3, Server 2003 SP2, Windows Vista SP2 and Server 2008 SP2. An attacker can execute remote code on the system through a specially crafted theme file. Such a file has to be delivered to the user, for example, via a phishing message, so the user himself must open the file; otherwise the attack cannot succeed.
Exploit code likely.
The MS13-072 update (Important) fixes 13 memory-corruption vulnerabilities in Microsoft Office 2003 (Microsoft Word 2003 and Microsoft Word Viewer), Office 2007 (Word 2007 and the Office Compatibility Pack) and Microsoft Word 2010. Most of the vulnerabilities can be exploited through specially crafted Office files and lead to remote code execution with the rights of the current user.
Update MS13-073 (Important) fixes three vulnerabilities in Microsoft Excel 2003-2007-2010-2013 and Microsoft Office for Mac 2011. The vulnerabilities can be exploited through specially crafted Office files and lead to remote code execution with the rights of the current user.
Exploit code unlikely.
Update MS13-074 (Important) fixes three vulnerabilities in Microsoft Office (Microsoft Access 2007-2010-2013). The vulnerabilities can be exploited through specially crafted Access files and lead to remote code execution with the rights of the current user.
Exploit code likely.
Update MS13-075 (Important) fixes the Elevation of Privilege vulnerability CVE-2013-3859 in the Chinese IME (Input Method Editor) of the Chinese version of Windows. An attacker can execute arbitrary code in kernel mode.
Exploit code likely.
The MS13-076 update (Important) fixes seven Elevation of Privilege vulnerabilities in the Win32 subsystem driver win32k.sys for all of Windows XP, Vista, 7, 8 and RT, x32 and x64.
Exploit code likely / Exploit code would be difficult to build.
The MS13-077 update (Important) fixes an Elevation of Privilege vulnerability in the Service Control Manager (SCM), services.exe, for Windows 7 SP1 and Windows Server 2008 SP1, x32 and x64.
Exploit code would be difficult to build.
Update MS13-078 (Important) fixes the Information Disclosure vulnerability CVE-2013-3137 in Microsoft FrontPage 2003 Service Pack 3.
Exploit code unlikely.
Update MS13-079 (Important) fixes the Denial of Service vulnerability CVE-2013-3868 in Active Directory for Windows Vista, Server 2008, 7, Server 2008 R2, Windows 8 and Windows Server 2012 ...
Exploit code unlikely.
1 - Exploit code likely
The probability of exploitation is very high: attackers can build a working exploit, for example for remote code execution.
2 - Exploit code would be difficult to build
The probability of exploitation is average: attackers are unlikely to achieve reliable exploitation, owing to the technical peculiarities of the vulnerability and the complexity of developing an exploit.
3 - Exploit code unlikely
The probability of exploitation is minimal: attackers are unlikely to develop working exploit code and take advantage of this vulnerability to conduct an attack.
We recommend that our users install updates as soon as possible and, if you have not already done so, enable automatic delivery of updates using Windows Update (this option is enabled by default).
Adobe has announced the release of updates for its products: Adobe Flash Player, Adobe Acrobat and Reader, and Shockwave Player.
Patches for Flash Player fix four RCE vulnerabilities CVE-2013-3361, CVE-2013-3362, CVE-2013-3363, CVE-2013-5324, which can be used to remotely execute code through memory-corruption.
Components and versions to be fixed.
We recommend that users check the version of Flash Player used by their browser; for this you can use the official Adobe source here or here. Note that browsers such as Google Chrome and Internet Explorer 10 are updated automatically when a new version of Flash Player is released. You can get information on updating Flash for your browser via this link.
The current Flash Player versions for browsers are:
Updates for Adobe Acrobat, Reader fix eight RCE vulnerabilities.
- RCE via stack overflow: CVE-2013-3351
- RCE via memory corruption: CVE-2013-3352, CVE-2013-3354, CVE-2013-3355
- RCE via buffer overflow: CVE-2013-3353, CVE-2013-3356
- RCE via integer overflow: CVE-2013-3357, CVE-2013-3358.
be secure.