The Hacker News — Cyber Security, Hacking, Technology News

As part of June's Patch Tuesday, Microsoft has released security patches for a total of 96 security vulnerabilities across its products, including fixes for two vulnerabilities being actively exploited in the wild.

This month's patch release also includes emergency patches for unsupported versions of Windows platform the company no longer officially supports to fix three Windows hacking exploits leaked by the Shadow Brokers in the April's data dump of NSA hacking arsenal.

The June 2017 Patch Tuesday brings patches for several remote code execution flaws in Windows, Office, and Edge, which could be exploited remotely by hackers to take complete control over vulnerable machines with little or no interaction from the user.

While two of the vulnerabilities have been exploited in live attacks, another three flaws have publicly available proof-of-concept (POC) exploits that anyone could use to target Windows users.

Vulnerabilities Under Active Attack

The two vulnerabilities currently under active attack include a Windows Search Remote Code Execution flaw (CVE-2017-8543) and an LNK Remote Code Execution bug (CVE-2017-8464).

The more critical of the two is the Windows Search RCE vulnerability which is present in most versions of Windows and resides in the Windows Search Services (WSS) — a feature that allows users to search across multiple Windows services and clients.

The vulnerability, which already has publicly disclosed POC exploit code since early February, could allow a remote code execution in the Windows operating system, enabling an attacker to take over the target machine remotely via a network connection.

"To exploit the vulnerability, the attacker could send specially crafted SMB messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer," Microsoft explains in its advisory. 

"Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer."

The SMB vulnerabilities can be extremely dangerous, and the best example of it is the WannaCry ransomware that exploited an SMB flaw within a network to replicate itself to all unpatched machines very quickly.

Windows Server 2016, 2012, 2008 along with desktop systems such as Windows 10, 7 and 8.1 are all affected by this vulnerability.

Shares Striking Resemblance with Stuxnet Malware

Another critical flaw under active exploitation is LNK RCE vulnerability resides in the way Windows handles LNK desktop shortcuts, which could allow remote code execution if the icon of a specially crafted shortcut is displayed to a user.

"The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary," Microsoft explains. 

"When the user opens this drive(or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice, on the target system."

According to the Zero Day Initiative (ZDI), the active attack exploiting the LNK vulnerability carries some resemblance to the way the dangerous Stuxnet malware infiltrated and sabotaged critical industrial control systems while carrying out its attacks.

"If you're experiencing déjà vu reading the bug title, it is certainly understandable," ZDI says in its blog post. "This type of vulnerability was used by the Stuxnet malware, then found again several years later through a ZDI program submission."

Another three vulnerabilities that have publicly available proof-of-concept exploits include three flaws in the Edge browser, two of which (CVE-2017-8530 and CVE-2017-8523) could allow security feature bypass, while the third (CVE-2017-8498) allows for information disclosure.

Besides this, the Edge browser also receives patches for three more flaws (CVE-2017-8496, CVE-2017-8497, and CVE-2017-8499) that would enable attackers to carry out remote code execution on vulnerable users.

Other patches include fixes for nine of its own remote code execution flaws in Office that could be targeted via DLL files, email messages, a website, and a PowerPoint file.

Adobe June 2017 Patch Updates

Meanwhile, Adobe has also issued security fixes for its most vulnerable software offerings, Flash Player and Shockwave Player.

The company addresses nine critical bugs in its Flash Player that could allow remote code execution, five of which are due to memory corruption and four are use-after-free conditions in the software.

Users running Chrome, Edge, and Internet Explorer 11 and later will get the update automatically from Google and Microsoft's security teams, while other users should download the patches directly from Adobe.

Shockwave Player received a patch for a single remote code execution vulnerability in the Windows version of its software. Users should download version Shockwave Player 12.2.9.199 in order to protect themselves.

As part of this month's Patch Tuesday, Microsoft has released security patches for a total of 55 vulnerabilities across its products, including fixes for four zero-day vulnerabilities being exploited in the wild.

Just yesterday, Microsoft released an emergency out-of-band update separately to patch a remote execution bug (CVE-2017-0290) in Microsoft's Antivirus Engine that comes enabled by default on Windows 7, 8.1, RT, 10 and Server 2016 operating systems.

The vulnerability, reported by Google Project Zero researchers, could allow an attacker to take over your Windows PC with just an email, which you haven't even opened yet.

May 2017 Patch Tuesday — Out of 55 vulnerabilities, 17 have been rated as critical and affect the company's main operating systems, along with other products like Office, Edge, Internet Explorer, and the malware protection engine used in most of the Microsoft's anti-malware products.

Sysadmins all over the world should prioritize the May's Patch Tuesday as it addresses four critical zero-day vulnerabilities, three of which being actively exploited by cyber-espionage groups in targeted attacks over the past few months.

3 Zero-Days Were Exploited in the Wild by Russian Cyber-Espionage Group

First Zero-Day Vulnerability (CVE-2017-0261) — It affects the 32- and 64-bit versions of Microsoft Office 2010, 2013 and 2016, and resides in how Office handles Encapsulated PostScript (EPS) image files, leading to remote code execution (RCE) on the system.

This Office vulnerability could be exploited by tricking victims into opening a file containing a malformed graphics image in an email. The attack also exploits a Windows privilege escalation bug (CVE-2017-0001) that the company patched on March 14 to gain full control over the system – essentially allowing attackers to install spyware and other malware.

According to the FireEye researchers, the CVE-2017-0261 flaw has been exploited since late March by an unknown group of financially motivated hackers and by a Russian cyber espionage group called Turla, also known as Snake or Uroburos.

Second Zero-Day Vulnerability (CVE-2017-0262) — FireEye and ESET researchers believe that the APT28 hacking group, also known as Fancy Bear, or Pawn Storm, was actively using this EPS-related Microsoft Office zero-day vulnerability which leads to remote code execution on opening a malformed file.

Third Zero-Day Vulnerability (CVE-2017-0263) — The third zero-day bug is an elevation of privilege (EoP) vulnerability in all supported versions of Microsoft's Windows operating system.

This vulnerability exists in the way Windows kernel-mode driver handles objects in memory, allowing attackers to run arbitrary code in kernel mode and then install malware, view, change, or delete data, and even create new accounts with full user rights.

Researchers believe that the Russian cyber-espionage group was also actively exploiting this flaw (CVE-2017-0263) along with the second zero-day vulnerability (CVE-2017-0262).

Fourth Zero-Day Vulnerability (CVE-2017-0222) — Another zero-day vulnerability affects Internet Explorer 10 and 11 and resides in how Internet Explorer handles objects in memory.

Opening a malicious web page can corrupt memory to trigger remote code execution, allowing attackers to take control of an affected system. According to the tech giant, this issue was also exploited in the wild.

Patches for Other Critical Vulnerabilities — This month's security updates also fix critical vulnerabilities in both Edge and Internet Explorer (IE) that could lead to remote code execution by tricking victims into visiting malicious websites or viewing specially crafted advertisements inside the browsers.

Besides this, Microsoft also addresses four critical remote code execution bugs (CVE-2017-0272, CVE-2017-0277, CVE-2017-0278, and CVE-2017-0279) in Windows SMB network file-sharing protocol, which affects Windows 7 through 10 and Windows Server 2008 through 2016.

These vulnerabilities put Windows PCs and server installations at risk of hacking if they use SMBv1, though there have been no reports of any of these flaws exploited in the wild.

As usual, Adobe Flash Players patches are also included in the security update to address 7 CVE-listed flaws in the Windows, macOS, and Linux.

Windows users are strongly advised to install the latest updates as soon as possible in order to protect themselves against the active attacks in the wild.

For the last Patch Tuesday for this year, Microsoft has released 12 security bulletins, half of which are rated 'critical' as they give attackers remote code execution capabilities on the affected computers.

The security bulletins address vulnerabilities in Microsoft's Windows, Office, Internet Explorer and Edge.

The first critical security bulletin, MS16-144, patches a total of 8 security vulnerabilities in Internet Explorer, 3 of which had publicly been disclosed before Microsoft issued patches for them, though the company said they're not being exploited in the wild.

The 3 publicly disclosed vulnerabilities include a Microsoft browser information disclosure vulnerability (CVE-2016-7282), a Microsoft browser security feature bypass bug (CVE-2016-7281) and a scripting engine memory corruption vulnerability (CVE-2016-7202) that allow remote code execution on the affected computer.

The remaining 5 security flaws include a scripting engine memory corruption bug, two memory corruption vulnerabilities, an information disclosure bug, and a Windows hyperlink object library information disclosure bug.

Next critical bulletin, MS16-145, addresses a total of 11 flaws in the Edge browser, 3 of which have also been publicly disclosed but the company they are not actively being exploited.

Two flaws (CVE-2016-7282 and CVE-2016-7281) are the same as in IE, and the third one is an information disclosure vulnerability (CVE-2016-7206) whose existence has also been made public.

Remaining 8 vulnerabilities allow an attacker to perform remote code execution and information disclosure.

Another critical bulletin, MS16-146, includes the monthly security patch for Microsoft graphics components, addressing two RCE flaws in Windows graphics components, as well as one Windows GDI information disclosure flaw.

The most severe flaws in each of the above bulletins are remote code execution (RCE) bugs, wherein viewing a specially crafted web page or opening a malicious document could remotely execute malicious code on a victim's computer.

Other critical bulletins include MS16-147 that addresses a security issue in Windows Uniscribe and MS16-148 that fixes a total of 16 security flaws in Microsoft Office, Office Services, and Web Apps.

Those 16 vulnerabilities include 4 memory corruption, one Office OLE DLL side-loading flaw, 3 security feature bypass bugs, one GDI information disclosure issue, 6 MS Office information disclosure bug, and one elevation of privilege bug in Microsoft Auto Update (MAU).

Last, but not the least, critical bulletin, MS16-154, addresses a total of 17 flaws in the embedded Adobe Flash Player for Edge and Internet Explorer, one of which includes a zero-day exploited in targeted attacks.

This bulletin contains 7 use-after-free vulnerabilities that could lead to remote code execution, 4 buffer overflow flaws, 5 memory corruption bugs that could also result in remote code execution and one security bypass issue.

Remaining are the important security bulletins that address an elevation of privilege bug in the Windows Secure Kernel Mode, an information disclosure bug in the .NET framework, two elevation of privilege bulletins in Windows and the Windows kernel-mode drivers, and an information disclosure bug in Windows.

Users and IT administrators are strongly recommended to apply these critical security updates as soon as possible, since some of the vulnerabilities had already been publicly disclosed, giving hackers chance to get into your systems.

Microsoft was very upset with Google last week when its Threat Analysis Group publically disclosed a critical Windows kernel vulnerability (CVE-2016-7255) that had yet to be patched.

The company criticized Google's move, claiming that the disclosure of the vulnerability, which was being exploited in the wild, put its customers "at potential risk."

The vulnerability affects all Windows versions from Windows Vista through current versions of Windows 10, and Microsoft was set to issue a fix come this month's Patch Tuesday.

So, as part of its monthly Patch Tuesday, Microsoft today patched the security flaw in Windows that was actively being exploited by hackers.

According to Microsoft's security bulletin released today, any hacker who tricked victims into running a "specially-crafted application" could successfully exploit the system bug and gain the ability to "install programs; view, change, or delete data; or create new accounts with full user rights."

Once exploited, the bug could be used to escape the sandbox protection and execute malicious code on the compromised Windows machine.

Rated as "important," the vulnerability was being exploited by Strontium group, also known as Fancy Bear, Sofacy, and APT 28, in targeted attacks.

Fancy Bear is the same group of hackers that has also been accused by the US Intelligence community of hacking the Democratic National Committee, Clinton Campaign Chair John Podesta, and former Secretary of State Colin Powell, among others.

Besides this controversial flaw exposed by Google last week, the security bulletin also fixes multiple elevation of privilege bugs.

Patch Tuesday also contains several critical security patches that affect all versions of Windows as well as other important updates and fixes for both Internet Explorer and Edge.

So, I strongly recommend home users and companies to ensure that their Windows PC is up-to-date with all of Microsoft's latest security fixes as of today.

Microsoft has released 16 security bulletins on Tuesday resolving a total of 44 security holes in its software, including Windows, Office, Exchange Server, Internet Explorer and Edge.

Five bulletins have been rated “critical” that could be used to carry out remote code execution and affected: Windows, Internet Explorer (IE), Edge (the new, improved IE), Microsoft Office and Office services; and the remaining 11 are marked important.

One of the critical issues, MS16-071 that caused alarm bells to go off for many security experts involves a Use-After-Free bug (CVE-2016-3227), which affects Microsoft Windows Domain Name System (DNS) servers for Windows Server 2012 and 2012 R2.

The vulnerability resides in the way servers handle requests. Attackers could send a specially crafted request to a DNS server and convinced it to run arbitrary code in the context of the Local System Account, Microsoft’s advisory warns.

Another critical vulnerability is addressed in MS16-070, which patches some security holes in Microsoft Office.

The crucial Memory Corruption Vulnerability (CVE-2016-0025) resides in Microsoft Word RTF format that could allow an attacker to run arbitrary code and take control of the system if its user was logged on with administrator rights.

An attacker could trigger the exploit with a simple e-mail containing a Microsoft Word RTF file without user interaction.

The remaining two critical bulletins address multiple remote code execution vulnerabilities in Microsoft’s browsers Internet Explorer and Edge.

Rest of the bulletins addresses vulnerabilities in Windows SMB Server, Windows NetLogon, Web Proxy Auto-Discovery (WPAD), Microsoft Exchange, Active Directory, Windows PDF and more.

Meanwhile, Adobe also rolled out security patches for DNG Software Development Kit, Brackets, Creative Cloud Desktop App, and hotfixes for ColdFusion.

However, a patch for a zero-day vulnerability (CVE-2016-4171) in Adobe Flash Player that Adobe claims is being exploited in "limited, targeted attacks" was expected today but will arrive later this week.

Anton Ivanov and Costin Raiu of Kaspersky Labs discovered and reported the zero-day vulnerability in Flash Player version 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. The Flash zero-day exploit is being deployed in active espionage attacks.

"As we shared in late October on the Windows Blog, we are committed to making it easy for our Windows 7 and Windows 8.1 customers to upgrade to Windows 10," a Microsoft spokesperson said. "We updated the update experience today to help our clients, who previously reserved their upgrade, schedule a time for their upgrade to take place."

• Reserve your Copy of Windows 10
• Start the upgrade process, after notifying user

• Windows 10 Installation process will automatically start once you have made a reservation.
• Before upgrade changes the OS, you'll be prompted to choose whether or not to continue.

"If you choose to upgrade, then you will have 31 days to roll back to your previous Windows version if you don’t love it," Microsoft said in its blog post.

Is My Windows PC Being Compromised?

What is WSUS in Windows?

Intercepting WSUS to Inject Malware into Corporate Networks

"By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates to execute arbitrary commands," researchers said in the paper.

“Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the 'searching for Drivers' and ‘Windows Update' dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.”

Windows 10 is Stealing your Internet Bandwidth

How to Disable Windows Update Delivery Optimization (WUDO)?

• Go to Settings in the Start menu
• Search for Update & Security
• Under Windows Update, open Advanced Options
• Under Choose How Updates are Installed, select Choose how updates are delivered
• Disable the toggle under Updated from More than One Place

CompTIA, a global provider of vendor-neutral IT certifications, offers a wide range of popular certifications such as A+, Network+, Cloud+, Linux+, and Security+ certifications [...]

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

• Download and Install Windows Updates Automatically
• Download Windows Updates automatically but Choose when to Install them
• Check for Updates but Choose when to Download and Install them
• Never check for, Download, or Install Updates

• Check, Download, Install, and Reboot automatically
• Check, Download, Install automatically and then choose to Reboot

"Updates. The software periodically checks for system and app updates, and downloads and installs them for you. You may obtain updates only from Microsoft or authorized sources, and Microsoft may need to update your system to provide you with those updates. By accepting this agreement, you agree to receive these types of automatic updates without any additional notice."