Windows 10 Blocks Zero-Days Before Patches Arrive: Microsoft

Zero-day vulnerabilities, unknown to vendors but already exploited by attackers, are the most threatening security issues, yet Microsoft says its Windows 10 can block exploitation of these vulnerabilities before they are even patched.

The mitigation techniques that arrived in August 2016 as part of the Windows 10 Anniversary Update make all this possible. The update was meant to harden the platform to ensure it can stop exploits of newly discovered and even undisclosed vulnerabilities before a patch is released, and Microsoft claims that it already proved to be effective against two exploits associated with well-known threat groups.

More precisely, the deployed mitigation techniques did their job and successfully blocked kernel-level exploits for the CVE-2016-7255 and CVE-2016-7256 vulnerabilities before they were patched in November 2016, the tech behemoth explains. The former is a Win32k Elevation of Privilege Exploit, while the latter is an Open Type Font Exploit.

CVE-2016-7255, a type-confusion vulnerability in win32k.sys, was exploited by the STRONTIUM attack group to gain elevated privileges on compromised systems. To get access to the targeted computers, the group used an Adobe Flash Player vulnerability (tracked as CVE-2016-7855). The two exploits were used in a small spear-phishing campaign targeting think tanks and nongovernmental organizations in the United States.

Also known as Fancy Bear, Pawn Storm, APT28, Sednit, and Sofacy, this threat group was recently officially blamed for last year’s cyber-attacks on U.S. elections, although the U.S. government failed to provide proper evidence on attribution.

The STRONTIUM group, Microsoft says, leveraged the Win32k exploit in attacks in October 2016, where they attempted to corrupt the tagWND.strName structure and use SetWindowTextW to write arbitrary content anywhere in kernel memory. By abusing the API call to overwrite data of the current process and copy the privileges of a SYSTEM token, the exploit allowed attackers to run victim processes with elevated privileges.

The Windows 10 Anniversary Update includes techniques that prevent abusive use of tagWND.strName, thus mitigating the Win32k exploit and similar exploits. According to the software company, tests have proven that exploits abusing this method are ineffective and instead cause exceptions and subsequent blue screen errors.

The CVE-2016-7256 vulnerability in the Windows font library, on the other hand, was being abused to install a backdoor known as Hankray on targeted computers with older versions of Windows. The backdoor had been previously spotted in low-volume attacks primarily focused on targets in South Korea.

“The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts. This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration,” Microsoft says.

Designed to copy the main body of the shellcode to newly allocated memory and run it, the stage 1 shellcode is very small, the tech giant explains. The main shellcode, which runs after the copy instructions, while also small, performs a token-stealing technique, then copies the token pointer from a SYSTEM process to the target process, achieving privilege escalation.

The Windows 10 Anniversary Update can prevent the exploit because font parsing happens completely in AppContainer instead of the kernel. Because it creates an isolated sandbox, AppContainer can prevent font exploits (among other types of exploits) from achieving privilege escalation. Moreover, the platform includes additional validation for font file parsing.

According to Microsoft, the main idea behind the hardening of Windows 10 is to ensure that mitigation techniques in the platform can tackle multiple exploits instead of focusing on neutralizing a specific bug. These mitigation techniques can either break exploit methods or close entire classes of vulnerabilities, and Microsoft plans on taking this prevention to a new level in Windows 10 Creators Update, which will include generic kernel exploit detection in Windows Defender ATP, expected to deliver increased visibility into targeted attacks based on zero-day exploits.

“By delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation,” Microsoft also says.

By Ionut Arghire


Cisco, Fortinet Issue Patches Against Alleged Equation Group Malware

Customers of certain Cisco and Fortinet security gear need to patch against exploits made public this week after a purported hack of NSA malware.

Both companies have issued fixes to address exploits that were posted online and after they found the exploits represent real threats to some of their products, including versions of Cisco’s popular PIX and ASA firewalls and versions of Fortinet’s signature Fortigate firewalls.

Other exploits may affect Watchguard and TOPSEC products, but those companies did not immediately respond to inquiries. When they do, this story will be updated. The exploits were posted as proof that a group called Shadow Brokers actually had in its possession malware that it claimed it hacked from the NSA.

While the exploits date from 2013 at the latest, Cisco says it just learned about one of them when Shadow Brokers made it public. Cisco already knew about a second one and had patched for it. Fortinet’s lone security advisory is fresh.

Speculation is that Russia is behind releasing the exploits as a political move to blunt U.S. reaction to Russia’s alleged hack of the Democratic National Committee.


Cisco rates the threat level of the newly discovered vulnerability – Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability – as high because it could allow remote code execution on affected devices and give an attacker full control of them. “The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system,” the advisory says.

Here is a list of the affected Cisco devices:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco PIX Firewalls
  • Cisco Firewall Services Module (FWSM)

The other vulnerability – Cisco ASA CLI Remote Code Execution Vulnerability – is one Cisco has known about since 2011, when it issued a fix for it. The company has issued a fresh security advisory for it in order to raise awareness so customers will make sure they’ve got software versions that patch the problem.

This vulnerability is ranked medium, and if exploited “could allow an authenticated, local attacker to create a denial of service (DoS) condition or potentially execute arbitrary code. An attacker could exploit this vulnerability by invoking certain invalid commands in an affected device,” the advisory says.

Cisco has posted a blog that details its vulnerabilities and fixes.


Fortinet has issued a security advisory for what it calls the Cookie Parser Buffer Overflow Vulnerability, whose importance it rates as high because it allows remote administrative access.

It affects certain FortiGate firmware (FortiOS, or FOS) released before August 2012. The affected versions are:

  • FOS 4.3.8 and below
  • FOS 4.2.12 and below
  • FOS 4.1.10 and below

“Customers running FortiGate firmware 5.0 and above, released in August 2012 are not impacted,” according to an emailed statement from Fortigate. “We continue to investigate this exploit and are conducting an additional review of all of our Fortinet products. If we identify any new information useful to our customers, we will share it through our responsible disclosure policy.”


Source: CSO Online

Ransomware Advice Service to Tackle Extortion Gang

European police agency Europol is teaming up with cybersecurity companies in an initiative aimed at slowing an “exponential” rise in ransomware.

The scheme revolves around a website that connects victims and police, gives advice and helps with data recovery.

The number of ransomware victims tripled in the first three months of 2016, according to one estimate.

Ransomware is malware that typically demands a fee to unscramble important data on a compromised device.

The No More Ransom site will be updated as ransomware gangs are tackled, one of the project’s partners said.

Co-ordinated by Europol, the initiative also involves the Dutch national police, Intel Security and Kaspersky Labs.

“For a few years now ransomware has become a dominant concern for EU law enforcement,” said Wil van Gemert, Europol’s deputy director of operations.

“We expect to help many people to recover control over their files, while raising awareness and educating the population on how to maintain their devices clean from malware.”

No More Ransom brings together information about what ransomware is, how to avoid falling victim and what to do if a person or company is caught out.

“Right now the only option victims have is to pay the ransom or not,” said Raj Samani, European head of Intel Security. “This gives people another option.”

Often, people struggle to find out what they can do when they are hit.

With this website, victims will be able to upload scrambled files to identify which strain of ransomware has locked up their data, he said.


“We’ve seen a threefold increase in infected victims from January to March this year,” he added. “And we’re seeing a rise in new families of ransomware coming up all the time.”

In June, one site that tracks ransomware logged more than 120 separate families of the malicious code being used in different campaigns.

“It’s becoming a hugely profitable economy for the criminals,” said Mr Samani. “They know there’s real money to be made here.

“What’s particularly telling is that historically ransomware victims have been consumers and small businesses,” he said. “But we are now seeing bigger institutions, hospitals and universities, getting hit.”

The site will be kept up to date with information gleaned from international action against gangs that run ransomware campaigns, Mr Samani said.

Other police forces, security companies and researchers will be encouraged to contribute to the site and add advice or tools to help victims.

At present, the site links to decryption software for four well-known families of ransomware – Coinvault, Shade, Rannoh and Rakhni.


Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

Oracle has one-upped itself once again. The company fixed a record 276 vulnerabilities – more than half of which are remotely exploitable – as part of its July Critical Patch Update released Tuesday afternoon.

The quarterly patch update resolves vulnerabilities in 84 different products, including Oracle Database Server, Oracle Fusion Middleware, and Oracle’s E-Business Suite, to name a few. The number of fixes exceeds the previous all-time high, 248 patches, pushed by Oracle in January, and is more than double the number of vulnerabilities addressed by the company in its last CPU in April.

Like the April CPU, more than 50 percent of the vulnerabilities, 159 in total, can be exploited remotely without authentication. Oracle Fusion Middleware is the biggest culprit; 35 of the 40 vulnerabilities that affect the software are remotely exploitable.

The company’s E-Business Suite – in which 21 of the 23 vulnerabilities are remotely exploitable – and Oracle Sun Systems Products Suite – in which 21 of the 34 vulnerabilities are remotely exploitable – also merit attention.

Nineteen vulnerabilities across nine different products fetch a CVSS 3.0 rating of 9.8, the most critical vulnerability rating this quarter. While Oracle is encouraging its customers to apply the fixes as soon as possible, users will want to prioritize the update if they’re running one of the nine affected pieces of software: Oracle Fusion Middleware, Supply Chain Products, Oracle Communications Applications, Oracle Health Sciences, Oracle Retail Applications, Oracle Sun Systems Products Suite, and Oracle Virtualization.

All 19 bugs are remotely exploitable without authentication, meaning an attacker wouldn’t need a username or password to exploit them, according to Oracle’s advisory. It wouldn’t be an Oracle CPU without patches for perennial whipping boy Java. This quarter’s update includes 13 patches for Java SE, nine of which are remotely exploitable without authentication. Users running Java SE version(s) 6u115, 7u101, 8u92, or Java SE Embedded, version(s) 8u92, are affected.

Noted researcher David Litchfield, a skilled Oracle bug hunter, uncovered nearly 10 percent of the vulnerabilities, 27 bugs, including a mix of SQL injections, cross-site scripting vulnerabilities, and server-side request forgery attacks. Litchfield outlined the bugs via .PDF documents on Tuesday.

“Multiple SQLi, XSS, SSRF and more… details for 27 flaws patched in the July 2016 CPU” — David Litchfield (@dlitchfield) July 19, 2016

Among them were a slew of XSS flaws in Oracle Primavera, project management software that’s usually used in industries such as engineering, construction, aerospace and other fields.

Litchfield discovered that, using arbitrary HTML/script that contains neither parentheses nor a .write clause, an attacker could bypass an XSS filter designed to protect users against exploitation in the software. One of the scariest-sounding vulnerabilities he found exists in Agile, Oracle’s Product Lifecycle Management Database.

The vulnerability could grant a user Index privileges on SYS tables, something that could allow them to execute as SYS and enable “complete compromise of the database.” Litchfield also described a series of SQL injections in eBusiness Suite, an XSS and an SSRF flaw in Apex, and XSS vulnerabilities in Oracle Business Intelligence Enterprise Edition. Considering the sheer number of vulnerabilities, experts on Tuesday said it’s likely admins will have their plates full with this quarter’s patches.

“Oracle systems are complex and multi-component, not speaking about numerous customizations every company usually has,” said Alexander Polyakov, CTO at ERPScan, a company that helps companies secure Oracle enterprise resource planning (ERP) systems. “So, Oracle admins should be ready for difficult and time-consuming work of implementing all the patches.”



Apple Patches Remote Code Execution Flaws

Apple released patches for vulnerabilities affecting the iTunes, iOS, Safari, OS X El Capitan, tvOS, and watchOS line of products. The update includes patches for critical vulnerabilities in iOS and OS X that could allow remote code execution.

Cisco Talos senior security researcher Tyler Bohan discovered flaws in the OS X platform’s image processing format. The vulnerabilities are comparable to the Stagefright vulnerabilities in Android devices discovered a year ago by Joshua J. Drake at Zimperium zLabs. The iOS flaw allows for nearly undetectable theft of passwords from iPhones.

“When rendered by applications that use the Image I/O API, a specially crafted TIFF image file can be used to create a heap based buffer overflow and ultimately achieve remote code execution on vulnerable systems and devices,” Cisco Talos threat researcher Earl Carter wrote in a blog post. “This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images.”

An attacker could deliver a payload to launch the vulnerability using iMessages, malicious web pages, MMS messages, or other malicious file attachments, according to Talos.

Security firm Zscaler discovered a separate vulnerability affecting OS X El Capitan that grants unauthorized access of cookies stored in the Safari browser to applications that do not have appropriate privileges. “This access could result in a malicious application lifting all the persistent cookies for a given user and accessing sites posing as that user,” Zscaler senior software engineer Abhinav Bansal wrote in a company blog post.

In speaking with, Amit Sinha, CTO and EVP of engineering and cloud operations at Zscaler, said the flaw is a “major vulnerability” affecting all Mac users. “Any application that is installed on the Mac App Store has full access” to the persistent cookies stored unencrypted in Safari’s cookie store.

Sinha said it would be “trivial” for an attacker to exploit the vulnerability and access all cookies stored by affected users. A popular application could gain access to victims’ cookies in a widespread attack that requires only crafting specific malicious code. “No special permissions are needed,” he said.

Zscaler researchers found three other vulnerabilities affecting Mac OS X and iOS, he told The vulnerabilities were reported to Apple and have not yet been disclosed.

Many of the updates involved situations in which Apple discovered additional related vulnerabilities after vulnerabilities were disclosed by external researchers, according to WatchGuard Technologies information security threat analyst Marc Laliberte. “While investigating further into a reported vulnerability should be the status quo, that isn’t always the case,” he wrote in an email to



Faraday: Collaborative pen test and vulnerability management platform

Faraday is an integrated multi-user penetration testing environment that maps and leverages all the knowledge you generate in real time. It gives CISOs a better overview of their team’s job, tools and results. You can run it on Windows, Linux and OS X.


The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multi-user way. Faraday supports more than 50 tools, including Burp Suite, w3af, Maltego, Metasploit, Qualysguard, Nessus, Netsparker, and Shodan.

The tool was first presented at the EkoParty Security Conference in 2010, and included in the prestigious Black Hat USA Arsenal in 2011.

Faraday development challenges

“The challenges were many, but looking back, one of the most important was understanding and correctly assessing all the ideas we had and selecting those which were most important for us to have on the first version so we could have a realistic minimal viable product which was published as the first community version,” Faraday developers told Help Net Security.

Once it took off, this mentality of adding only essential features totally changed the developing process. Nowadays the team works on an agile development cycle, with releases being pushed out every 15 days.

Future plans

Radical changes to the tool – how it looks and behaves – are in the works. One is a brand new GTK interface, which will replace the old Qt3-based one and will make the tool more stable as well as more pleasant to use.

“Another change that will come soon is Faraday Server, which will allow the users to experience a better performance when working with the Web UI. From our perspective as developers, this change is also very exciting as it will allow us to add features and fix bugs much more quickly,” the developers added.

Once these modifications are done, the developers plan to start working on changes to the Faraday Cloud, and the way information is extracted for the plugins. “We want to improve the workflow when using Faraday Cloud – Continuous Scanning and start giving Faraday the ability to make decisions with the information it gets from the security tools it works with,” they explained.

By – Editor in Chief


Google Patches Vulnerabilities in Caja Tool


Google has patched several vulnerabilities in Caja that could have been exploited for cross-site scripting (XSS) attacks on the Google Docs and Developers domains.

Poland-based bug bounty hunter Michał Bentkowski started analyzing Google Docs at the beginning of the year. The expert noticed that users can create scripts in Google Docs using the JavaScript-based scripting language Google Apps Script.

Google Apps Script uses the search giant’s Caja tool to safely embed HTML, CSS and JavaScript in a website. Caja ensures that user-supplied code is sandboxed to prevent phishing and XSS attacks.

Before executing user code, Caja identifies variables and either replaces them with a Caja-supplied object or removes them from the global scope. This prevents, for instance, the use of the window object for XSS attacks.

Bentkowski discovered that while Caja developers had taken into account that attackers could try to bypass this protection by using obfuscation methods – such as writing window as Function("win"+"dow") – they neglected Unicode escapes. The researcher found that window can be written as \u0077indow, where the “w” character is replaced with its Unicode escape representation, \u0077.

An attacker could have used this trick to create a specially crafted Google Docs document that included an XSS payload.

Google addressed this issue after two weeks, but the researcher determined that the fix was not effective. An attacker could also have replaced the “w” character in window with \u{77}. While this method was not as straightforward as the first one, Bentkowski made it work by using HTML-like comments.
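The identifier-escape problem described in the two paragraphs above, as an added JavaScript example that is not Caja’s own code: a naive text blocklist of global names is tested against the plain spelling, the \u0077indow spelling and the \u{77} spelling, next to a filter that decodes identifier escapes before comparing. The blocklist, the regex tokenizer and the sample snippets are all constructed for illustration; a real sandbox works on a full parser’s output rather than a regex, which is what Caja does when it identifies variables before running user code. globalThis stands in for window in the engine check because window does not exist outside a browser.

```javascript
// Added example (not Caja's code): why a text-level blocklist of forbidden
// global names fails against Unicode escapes, and how matching on decoded
// identifiers closes that gap. Everything below is constructed for illustration.

const FORBIDDEN_GLOBALS = new Set(["window", "document", "eval", "Function"]);

// Naive approach: look for the literal word in the source text.
function naiveFilterBlocks(source) {
  return [...FORBIDDEN_GLOBALS].some((name) =>
    new RegExp(`\\b${name}\\b`).test(source)
  );
}

// Decode the two identifier escape forms ECMAScript allows:
//   \uXXXX  (exactly four hex digits)  and  \u{X...}  (1-6 hex digits, ES2015+).
function decodeIdentifierEscapes(ident) {
  return ident.replace(
    /\\u\{([0-9a-fA-F]{1,6})\}|\\u([0-9a-fA-F]{4})/g,
    (_, braced, fixed) => String.fromCodePoint(parseInt(braced ?? fixed, 16))
  );
}

// Tokenizer-level approach: pull out identifier-like tokens (escape sequences
// included), decode each one, then compare against the blocklist. This is a
// simplified stand-in for a real parser; it deliberately ignores strings and
// comments, so a production sandbox must do this on the AST instead.
const IDENT_TOKEN =
  /(?:[A-Za-z_$]|\\u\{[0-9a-fA-F]{1,6}\}|\\u[0-9a-fA-F]{4})(?:[A-Za-z0-9_$]|\\u\{[0-9a-fA-F]{1,6}\}|\\u[0-9a-fA-F]{4})*/g;

function findForbiddenIdentifiers(source) {
  const hits = [];
  for (const tok of source.match(IDENT_TOKEN) ?? []) {
    const decoded = decodeIdentifierEscapes(tok);
    if (FORBIDDEN_GLOBALS.has(decoded)) hits.push({ raw: tok, decoded });
  }
  return hits;
}

// Ask the JS engine itself: an identifier written with escapes names the same
// binding as the plain spelling. globalThis stands in for the page's window.
function escapesResolveToSameBinding() {
  const viaFixed = new Function("return \\u0067lobalThis")();
  const viaBraced = new Function("return \\u{67}lobalThis")();
  return viaFixed === globalThis && viaBraced === globalThis;
}

// Constructed samples: plain, the \u0077indow variant the page describes, the
// \u{77} variant used after the first fix, and a benign identifier that only
// contains the word "window".
const SAMPLES = [
  "window.location = 'https://example.invalid'",
  "\\u0077indow.location = 'https://example.invalid'",
  "\\u{77}indow.location = 'https://example.invalid'",
  "var windowCount = 3",
];

// Stand-alone run: show which filter catches which sample.
for (const src of SAMPLES) {
  console.log(
    JSON.stringify(src),
    "naive:", naiveFilterBlocks(src),
    "decoded:", findForbiddenIdentifiers(src).map((h) => h.decoded)
  );
}
console.log("escaped spellings resolve to the same binding:", escapesResolveToSameBinding());
```

The naive filter catches only the first sample; the decoding filter catches all three spellings of window and still leaves the benign windowCount alone, because it compares whole decoded identifiers rather than substrings. The engine check shows why decoding is the right layer: to the parser, \u0077indow and window are the same token, so any comparison that happens before escapes are resolved is comparing the wrong thing.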

Google later patched this vulnerability as well, but the company forgot to update the version of Caja used for demos on the domain. This oversight could have allowed attackers to launch XSS attacks on in combination with web browser clickjacking vulnerabilities.

Caja developers have made some security improvements based on Bentkowski’s findings. The researcher said Google awarded him $5,000 for the flaws affecting Google Docs and $3,133.7 for the issue on the domain.

By Eduard Kovacs


Siemens Patches Password Reconstruction Vulnerability in Sicam PAS


The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cautioned users who work in electrical substations to update certain builds of energy automation software this week.

ICS-CERT claims two vulnerabilities exist in the Siemens SICAM Power Automation System, or PAS, that could enable an attacker to reconstruct passwords and obtain sensitive information under certain conditions.

Siemens, the German industrial automation technology company that manufactures the software, released an update to address the first vulnerability this week. Users are being encouraged to update to version 8.07 of SICAM PAS to mitigate that issue.

“A new advisory has been published: ‘SSA-444217: Information Disclosure Vulnerabilities in SICAM PAS’” — Siemens ProductCERT (@ProductCERT) June 30, 2016

While the first vulnerability (CVE-2016-5848) stemmed from insufficiently protected credentials, the second (CVE-2016-5849) stemmed from an information exposure vulnerability in the database.

“An authenticated local attacker could possibly access sensitive configuration information from the SICAM PAS database file if the database is in a stopped state,” the advisory, published Thursday, warned. Ilya Karpov and Dmitry Sklyarov, two researchers with Positive Technologies, discovered both vulnerabilities. According to Siemens, the software figures into electrical substations that are deployed across the energy sector, worldwide.

The ICS-CERT warning claims that an attacker with low skill would be able to exploit the vulnerabilities, but also claims that to exploit the flaws an attacker would need local access to the system and certain database privileges, which limits the scope somewhat. Siemens claims that updating to 8.07 will fix the insufficiently protected credentials vulnerability, but to fix the information exposure vulnerability users will have to email the company directly for further guidance. ICS-CERT also warned of vulnerabilities in two other lines of programming software on Thursday.

The team, which deals with security related to industrial control systems, warned of two buffer overflow vulnerabilities in Eaton’s ELCSoft programming software and of three vulnerabilities – weak credential management, a CSRF vulnerability, and information leakage – in select AirLink gateways manufactured by Sierra Wireless.

See more at: Siemens Patches Password Reconstruction Vulnerability in SICAM PAS