Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Today we released seven security bulletins addressing 34 CVE’s. Six bulletins have a maximum severity rating of Critical, and one has a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
(win32k.sys and TTF font parsing)
Additional attack vector involves victim browsing to a malicious webpage that serves up TTF font file resulting in code execution as SYSTEM.
Kernel-mode portion of TTF font parsing issue (CVE-2013-3129) addressed by this update.
(.NET Framework and Silverlight)
Unlikely to see wide-spread infection as low privileged users do not have permission to write to root of system drive by default.
- Jonathan Ness, MSRC Engineering
Over the weekend we received a report from our partners about a possible unpatched Internet Explorer vulnerability being exploited in the wild. The exploit code uses a memory corruption bug triggered from a webpage but it deeply leverages a Flash SWF file in order to achieve reliable exploitation and code execution. The Flash file is made of a sophisticated ActionScript code that allocates certain objects in memory in such a way that they can be corrupted later by the Internet Explorer bug in order to give unsafe access to memory regions to the Flash ActionScript code that will carry on the entire exploitation.
In summary, our analysis of this exploit sample revealed the following:
The good news is that the memory corruption vulnerability used in this attack - CVE-2013-3163 - has been already addressed by yesterday’s Microsoft Security Bulletin MS13-055. If you have not yet updated, please do so at the earliest possible. EMET 4.0 was able to stop this exploit variant before the patch with the following mitigations:
Advice for detection and indicators
The common pattern for this limited targeted attack is a drive-by webpage “vid.aspx” or “list.aspx” used as starting point to trigger the bug and run the secondary Flash payload; below we are providing some URL patterns that can be useful for log and network traffic analysis:
As of July 7th, some of the specific Flash samples were still undetected by most of the AV community according to VirusTotal; hashes and filenames of these samples are listed also below to facilitate detection for AV vendors:
The shellcode used by the sample received attempts to download a graphic file (pageerror.gif) which contains appended an encrypted and compressed malicious executable, possibly launched from %TEMP% folder using “javae.exe” filename.
Cristian Craioveanu, Elia Florio
August 2014 Update: The BlueHat Challenge is on hold. We will make an announcement on this blog when we re-start the BlueHat Challenge. Thanks for your interest!
We were inspired by the Matasano Crypto Challenges. So we built a similar series of fun challenges to exercise reverse engineering, vulnerability discovery, and web browser manipulation attack concepts. The Xbox team helped us develop custom Xbox Live avatar items to be awarded to anyone who completes any track of the BlueHat Challenge. Beat all three tracks for access to all three avatar items (“hacker” T-shirt, “MSRC” T-shirt, “hacker” blue hat).
The challenges are all about fun and trying new things. To sign up for any of the three tracks (reverse engineering, vulnerability discovery, design-level web browser manipulation tricks), just email us at firstname.lastname@example.org. In the subject line or in the body of the message, include either [reverse], [vulns], or [web] (or click on any of those three links). Signing up for any of the three tracks will also include instructions on participating in all tracks so you can send just one email to get started.
The Challenge is designed to appeal to a wide range of people, so if the first few sets of problems seem easy, stick with it. They’ll get harder!
You may also be interested in the Microsoft Security Bounty Programs, which provide cash rewards for eligible individuals who identify security vulnerabilities.
A quick word from our lawyers…
By participating in the Challenge, you understand that we cannot control the incoming information you will disclose to our representatives in the course of submitting your answers in the Challenge, or what our representatives will remember about your submission. You also understand that we will not restrict work assignments of representatives who have had access to your submission. By participating in the Challenge, you agree that use of information in our representatives’ unaided memories in the development or deployment of our products or services does not create liability for us in connection with the Challenge or under copyright or trade secret law.
If you do not want to grant us these rights to your answers, please do not participate in the Challenge.
What is the BlueHat Challenge?
The BlueHat Challenge is a series of computer security problems of increasing difficulty to help you build and test your skills in three areas: reverse engineering, vulnerability discovery, and web browser manipulation attack concepts.
How does it work?
The problems are given and reviewed over email. As you complete each level, send us your answers and we’ll send you the next set of problems.
Why is Microsoft doing this?
We hope to spur interest in computer security and help people improve their skills through a self-directed learning process. We also want to give something back to the community—we think these problems are going to be a lot of fun for you to solve. We had a lot of fun coming up with them!
How long should I expect to wait for my submitted answers to be evaluated?
The timeline for evaluating the problems will depend on the number of participants in the program, the difficulty of the problem, and the clarity of your answer. Your answers are being evaluated by real people, so please be patient with us!
How long will the program continue?
We plan to continue the program as long as there is sufficient community interest. Of course, we may change the program’s design over time as we learn what works best, and we may cancel the program at any time without notice. If there is a particular aspect of the program you like, or one track that you think is better developed than others, please let us know so we can do more of that and less of other things.
Is this the new monetary incentive/bounty program I’ve heard about?
No. This program is an educational challenge with no monetary reward. The new programs that offer monetary incentive are the Security Bounty Programs.
Where can I find information on Microsoft jobs?
Check out http://www.twccareers.com for careers in Microsoft Trustworthy Computing group. See http://www.microsoft.com/careers for more general Microsoft career information.
If I complete the Challenge and do well, am I guaranteed an interview or a job?
No. Your completion of the Challenge or your performance will not guarantee that you will get an interview or a job, nor will it preclude you from doing so. If you are interested in careers with Microsoft Trustworthy Computing, we encourage you to visit http://www.twccareers.com, where you can submit an application for any open positions that interest you.
Many people came together to make the BlueHat Challenge possible: