Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

July, 2013

  • Assessing risk for the July 2013 security updates

    Today we released seven security bulletins addressing 34 CVE’s. Six bulletins have a maximum severity rating of Critical, and one has a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

    Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability rating Likely first 30 days impact Platform mitigations and key notes
    MS13-055

    (Internet Explorer)

    Victim browses to a malicious webpage. Critical 1 Likely to see reliable exploits developed within next 30 days. 17 CVE’s being addressed.
    MS13-053

    (win32k.sys and TTF font parsing)

    Most likely to be exploited attack vector requires attacker to already be running code on a machine and then uses this vulnerability to elevate from low-privileged account to SYSTEM.

    Additional attack vector involves victim browsing to a malicious webpage that serves up TTF font file resulting in code execution as SYSTEM.

    Critical 1 Public proof-of-concept exploit code currently exists for CVE-2013-3660. Public EPATHOBJ issue (CVE-2013-3660) addressed by this update.

    Kernel-mode portion of TTF font parsing issue (CVE-2013-3129) addressed by this update.

    MS13-052

    (.NET Framework and Silverlight)

    Victim browses to a malicious Silverlight application hosted on a website. Critical 1 Likely to see reliable exploits developed within next 30 days. .NET Framework and Silverlight exposure to TTF font parsing issue (CVE-2013-3129) addressed by this update.
    MS13-054

    (GDI+)

    Victim opens a malicious TTF file using an application that leverages GDI+ for font parsing. Critical 1 Likely to see reliable exploits developed within next 30 days. User-mode (gdiplus.dll) exposure to TTF font parsing issue (CVE-2013-3129) addressed by this update.
    MS13-056

    (DirectShow)

    Victim opens malicious .GIF file using a 3rd-party application that leverages the DirectShow library. Critical 1 Likely to see reliable exploits developed within next 30 days. No Microsoft end-user applications are known to be vulnerable to the single CVE being addressed by this update.
    MS13-057

    (Windows Media)

    Victim browses to a malicious webpage or opens a malicious Windows Media file. Critical 2 Difficult to build a reliable exploit for this issue. Less likely to see an exploit developed within next 30 days. One CVE being addressed.
    MS13-058

    (Windows Defender)

    Attacker having write access to the root of the system drive (C:\) places malicious file that is run as LocalSystem by Windows Defender during its signature update process. Important 1 Likely to see reliable exploits developed within next 30 days.

    Unlikely to see wide-spread infection as low privileged users do not have permission to write to root of system drive by default.

    To exploit the vulnerability addressed by this update, attacker must have permission to create a new file at the root of the system drive. (C:\malicious.exe)

    - Jonathan Ness, MSRC Engineering

  • Running in the wild, not for so long

    Over the weekend we received a report from our partners about a possible unpatched Internet Explorer vulnerability being exploited in the wild. The exploit code uses a memory corruption bug triggered from a webpage but it deeply leverages a Flash SWF file in order to achieve reliable exploitation and code execution. The Flash file is made of a sophisticated ActionScript code that allocates certain objects in memory in such a way that they can be corrupted later by the Internet Explorer bug in order to give unsafe access to memory regions to the Flash ActionScript code that will carry on the entire exploitation.

    In summary, our analysis of this exploit sample revealed the following:

    • ASLR is bypassed by the attacker through a use-after-free IE vulnerability that corrupts the size of a Flash Vector<> object and generates the possibility for Flash ActionScript to access memory unsafely and disclose module addresses, including NTDLL base;
    • DEP is bypassed with a ROP gadget which calls into ntdll!NtProtectVirtualMemory in order to change protection of non-executable memory pages to executable;

    The good news is that the memory corruption vulnerability used in this attack - CVE-2013-3163 - has been already addressed by yesterday’s Microsoft Security Bulletin MS13-055. If you have not yet updated, please do so at the earliest possible. EMET 4.0 was able to stop this exploit variant before the patch with the following mitigations:

    • HeapSpray (also effective for EMET 3.0)
    • Multiple ROP mitigations: StackPivot, CallerCheck, MemProt when “DeepHooks” is enabled

    Advice for detection and indicators

    The common pattern for this limited targeted attack is a drive-by webpage “vid.aspx” or “list.aspx” used as starting point to trigger the bug and run the secondary Flash payload; below we are providing some URL patterns that can be useful for log and network traffic analysis:

    h**p://profiles.johnhoward.org/archives/vid.aspx?id=[ALPHANUMERIC CHARS]
    h**p://johnhoward.org/archives/vid.aspx?id=[ALPHANUMERIC CHARS]
    h**p://visit.ccgeo.org/act/list.aspx?id=[ALPHANUMERIC CHARS]

    As of July 7th, some of the specific Flash samples were still undetected by most of the AV community according to VirusTotal; hashes and filenames of these samples are listed also below to facilitate detection for AV vendors:

    MD5 SHA1 FILENAME
    d055742371ca82c996dce3672818c28f 2a698512d9b75565be747ba6914fe795bfa98e27 ad.swf
    e2fe34c58765b4f6e41e4b096203d04a 81fe2ae7a685014cafc12c3abbcc5ffc9ab27b7e movie.swf
    507d8f868c27feb88b18e6f8426adf1c 2c03a983e147631639b9bbfb697fa35ba10be632 AD1.swf

    The shellcode used by the sample received attempts to download a graphic file (pageerror.gif) which contains appended an encrypted and compressed malicious executable, possibly launched from %TEMP% folder using “javae.exe” filename.

    Stay safe,

    Cristian Craioveanu, Elia Florio

    MSRC Engineering

  • Try something new – Beat the BlueHat Challenge!

    We were inspired by the Matasano Crypto Challenges. So we built a similar series of fun challenges to exercise reverse engineering, vulnerability discovery, and web browser manipulation attack concepts. The Xbox team helped us develop custom Xbox Live avatar items to be awarded to anyone who completes any track of the BlueHat Challenge. Beat all three tracks for access to all three avatar items (“hacker” T-shirt, “MSRC” T-shirt, “hacker” blue hat).

    The challenges are all about fun and trying new things. To sign up for any of the three tracks (reverse engineering, vulnerability discovery, design-level web browser manipulation tricks), just email us at bhchall@microsoft.com. In the subject line or in the body of the message, include either [reverse], [vulns], or [web] (or click on any of those three links). Signing up for any of the three tracks will also include instructions on participating in all tracks so you can send just one email to get started.

    The Challenge is designed to appeal to a wide range of people, so if the first few sets of problems seem easy, stick with it. They’ll get harder!

    More information

    • There’s no restriction on who can participate, no time limit, and no way to fail.
    • There is no monetary reward, and this is not a contest. Your answers should be your own work. We hope that the fun and learning you gain from completing the Challenge is reward enough. We do plan on publicly recognizing people who finish the Challenge.
    • If you find this sort of thing fun, you’d probably like working at Microsoft in the Trustworthy Computing group. We solve problems like this every day and we have lots of open positions. You can see a list of our available positions at http://www.twccareers.com, and we encourage you to submit an application!

    You may also be interested in the Microsoft Security Bounty Programs, which provide cash rewards for eligible individuals who identify security vulnerabilities.

    A quick word from our lawyers…

    By participating in the Challenge, you understand that we cannot control the incoming information you will disclose to our representatives in the course of submitting your answers in the Challenge, or what our representatives will remember about your submission. You also understand that we will not restrict work assignments of representatives who have had access to your submission. By participating in the Challenge, you agree that use of information in our representatives’ unaided memories in the development or deployment of our products or services does not create liability for us in connection with the Challenge or under copyright or trade secret law.

    If you do not want to grant us these rights to your answers, please do not participate in the Challenge.

    FAQ

    What is the BlueHat Challenge?

    The BlueHat Challenge is a series of computer security problems of increasing difficulty to help you build and test your skills in three areas: reverse engineering, vulnerability discovery, and web browser manipulation attack concepts.

    How does it work?

    The problems are given and reviewed over email. As you complete each level, send us your answers and we’ll send you the next set of problems.

    Why is Microsoft doing this?

    We hope to spur interest in computer security and help people improve their skills through a self-directed learning process. We also want to give something back to the community—we think these problems are going to be a lot of fun for you to solve. We had a lot of fun coming up with them!

    How long should I expect to wait for my submitted answers to be evaluated?

    The timeline for evaluating the problems will depend on the number of participants in the program, the difficulty of the problem, and the clarity of your answer. Your answers are being evaluated by real people, so please be patient with us!

    How long will the program continue?

    We plan to continue the program as long as there is sufficient community interest. Of course, we may change the program’s design over time as we learn what works best, and we may cancel the program at any time without notice.  If there is a particular aspect of the program you like, or one track that you think is better developed than others, please let us know so we can do more of that and less of other things.

    Is this the new monetary incentive/bounty program I’ve heard about?

    No. This program is an educational challenge with no monetary reward. The new programs that offer monetary incentive are the Security Bounty Programs.

    Where can I find information on Microsoft jobs?

    Check out http://www.twccareers.com for careers in Microsoft Trustworthy Computing group. See http://www.microsoft.com/careers for more general Microsoft career information.

    If I complete the Challenge and do well, am I guaranteed an interview or a job?

    No. Your completion of the Challenge or your performance will not guarantee that you will get an interview or a job, nor will it preclude you from doing so. If you are interested in careers with Microsoft Trustworthy Computing, we encourage you to visit http://www.twccareers.com, where you can submit an application for any open positions that interest you.

    Acknowledgements

    Many people came together to make the BlueHat Challenge possible:

    • Couldn’t have happened without David Seidman’s logistics magic!
    • Thanks Fred Raynal and the Quarkslab team for help with the vulnerability and RE challenges
    • Thanks Manuel Caballero and Mario Heiderich for developing the web design-level challenges
    • Thanks Bill Barlowe, Andrew Ciccarelli, and Shonn Gilson for the back-end infrastructure help
    • Thanks Rollie Watson and John Doyle from Xbox and Rajat and Mike from Lakshya Digital
    • Thanks Dan Beenfeldt, Tim Hermann, and Nanae Toyozato for the “Eli the Zombie” flash game ([reverse] level 2)
    • Thanks Katie Moussouris, Mike Reavey, Leah Lease, Bruce Dang, and David Ross for inspiration

    - Jonathan Ness, MSRC Engineering