Microsoft’s Tenth Anniversary Patch Tuesday is out, and, yes, Redmond’s security gurus did patch against the recent Internet Explorer zero-day that is being exploited in the wild.
More precisely, the vulnerability CVE-2013-3893 has been fixed, so even if you aren’t using (or couldn’t use) Microsoft’s temporary Fix it, you can now close off that avenue of attack altogether.
Notably the Fix it was for 32-bit platforms only, so computers running 64-bit Windows versions, such as servers and almost any recent laptop, were out of luck.
That’s a creditably quick response from Microsoft, and a great Tenth Birthday result.
By the way, there’s a reliable and easy-to-modify proof of concept exploit floating around on the web, as well as an exploit module for the DIY break-and-enter toolkit Metasploit, so CVE-2013-3893 must be considered a clear and present danger.
The proof of concept I’ve seen is packaged as a single chunk of JavaScript inside a single HTML file, and targets IE 8 and IE 9 on Windows XP, Vista and Seven.
If you view a web page that contains the JavaScript from the proof of concept, then your browser will connect to an external site, download an executable file in the background, and run it.
If you don’t have a decent anti-virus installed (or you have one that hasn’t been updated since the free trial ran out a year ago) then you won’t see anything – not a warning, a dialog box, a progress bar or even a logfile entry – to tell you what happened.
Your browser will eventually crash, but after the download has finished and the secretly installed malware has launched.
A decent anti-virus is likely to control this exploit. Sophos Anti-Virus, for example, blocks booby-trapped web pages as Exp/20133893-B. But immunising your browser altogether, by neutralising the vulnerability that makes the exploits possible in the first place, is by far the best solution.
There are nine other remotely exploitable holes fixed in the Internet Explorer patch, and although Microsoft describes the others as “privately reported,” any one of them alone would be enough to make this patch a priority.
But don’t concentrate only on the big fix for Internet Explorer.
There are six other bulletins that deal with remote code execution this month, and even though four of them are rated only at Important by Microsoft, rather than Critical, I’d still treat “important” as meaning “important enough to patch right away.”
All the Important vulnerabilities are in various components of the Office suite, and can be triggered via shellcode – that’s executable code buried invisibly in amongst data – in files you are entitled to assume that Office should open without risk.
In theory, if you put executable code in a data file, it ought to be harmless: whether you give your name as text that spells out Paul Ducklin or machine code that corresponds to PUSH-PUSH-CALL-POP should make no difference.
The machine code version of your name should be treated as data, and never get a chance to run.
Programming mistakes do happen, however, sometimes allowing deliberately mangled files to confuse Word or Excel (or other software of that sort) into executing data as if it were code.
The eighth patch this month is for an information disclosure bug in Silverlight.
Microsoft isn’t saying what might be disclosed if this bug is triggered.
But since “information disclosure” is another way of saying “potential data breach,” you probably want to patch the eighth one, too.
For the opinion of SophosLabs on the likelihood of each of the eight vulnerabilities being exploited, and for advice on alternative mitigations (if you are unwilling to patch) or additional mitigations (if you are patching anyway), please visit our Vulnerabilities page.
Updates – how to check
Readers regularly ask us to remind them where to find the option to kick off a check for updates on Windows, so here’s how.
On Windows 7, ① go to Control Panel | System and Security and, in the Windows Update entry, ② choose Check for updates:
On Windows 8, ① do a search for the word updates, ② click into the Settings section, and ③ choose Check for updates:
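If you'd rather check from the command line than click through Control Panel, the Windows Update Agent can be queried from PowerShell. This is an added example, not something from the article or from Sophos; it assumes an elevated PowerShell session on Windows 7 or 8 that can reach Windows Update (or your WSUS server), and it uses the bulletin ID MS13-080 mentioned in the comments below as the Internet Explorer update to look for.

```powershell
# Added example: ask the Windows Update Agent whether the MS13-080 Internet
# Explorer cumulative update (the one that fixes CVE-2013-3893) is installed
# or still pending, then list any other pending security updates.
# Assumes an elevated PowerShell session that can reach Windows Update/WSUS.

$bulletin = 'MS13-080'

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# One search covering everything applicable to this machine, installed or not.
$result = $searcher.Search('IsInstalled=0 or IsInstalled=1')

$match = $result.Updates | Where-Object {
    # SecurityBulletinIDs is a collection of strings such as 'MS13-080'
    @($_.SecurityBulletinIDs) -contains $bulletin
}

if (-not $match) {
    Write-Output "$bulletin is not offered to this machine (not applicable, superseded, or not yet synchronised)."
} else {
    foreach ($u in $match) {
        $state = if ($u.IsInstalled) { 'INSTALLED' } else { 'PENDING - run Check for updates and install it' }
        Write-Output ("{0}: {1} [{2}]" -f $bulletin, $u.Title, $state)
    }
}

# The article notes six further remote code execution bulletins this month,
# so also show every security-rated update that is still waiting to go on.
$pending = $result.Updates | Where-Object { -not $_.IsInstalled -and $_.MsrcSeverity }
foreach ($u in $pending) {
    Write-Output ("Pending {0}: {1}" -f $u.MsrcSeverity, $u.Title)
}
```

The search that includes installed updates can take a minute or two on a machine with a long update history.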
Sadly they still have the problem of repeating download/installs! This time it is an update for .Net Framework 3.5. Initial download as part of the group of patches appeared to install, but after the required reboot it was saying it needed to be downloaded and installed again. After a second reboot, it is still saying that patch needs to be downloaded yet again and installed yet again!
Not good, Microsoft.
But you only downloaded the update three times. It's version 3.5, so you need half a reboot more.
Bet you can't wait for the Windows 8.1 update, eh 🙂
I applied the Microsoft Fixit that was issued as a temporary fix for the IE problem. Do I need to 'uninstall' the temporary fix before applying the patch?
IIRC you do not. The theory behind the Fix it, I think, is that it's a transient patch – i.e. it adjusts the bad code in memory but leaves the file on disk intact. That way if it breaks, you remove the Fix it, reboot…and you are back where you were.
A full-on Patch Tuesday updates the affected file on disk, so the fix is permanent and the Fix it becomes superfluous.
"Notably the Fix it was for 32-bit platforms only, so servers and recent laptop installs running 64-bit Windows versions were out of luck."
That's not entirely clear. Are desktop installs running 64-bit Windows versions excluded as well, or only servers and laptop installs?
Thanks!
p.s. Typo: "boody-trapped"
Fxed the typo, thanks.
I don't know why I said "laptops." I guess I imagined them having 64-bit Windows because "it came like that in the box." I will change it to make it clearer.
And make another typo in the process lol.
64-bit Windows versions, such as servers and "amlmost" any recent laptop
The brave have also been running 64-bit OSes across their enterprise desktops for the last 4 years, yay for more than 4GB of RAM
Aaargh. Sorted, thanks.
If your CPU is good for it, 64-bit Windows has more benefits than just "exceed 4GB."
* Individual processes can have more than 2GB.
* There is more address space for ASLR (layout randomisation).
* There are more CPU registers, and they can crunch twice as much data at a time, which can speed up some programs.
On the downside:
* Compiled 64-bit code tends to be a lot bulkier than 32-bit code.
(The number 1 stored as an Intel 32-bit value is 01 00 00 00, while as a 64-bit value is, of course, 01 00 00 00 00 00 00 00.)
* You end up with 32-bit and 64-bit software, which means having 64-bit and 32-bit libraries, which means more to patch when things go wrrrogongnong.
To kick off a check under XP, use Start > Run > control panel (no quotes). If the Folders button is already pressed, click on it to depress it – so that in the See Also panel "Windows Update" is listed.
No s***, this is a security blog. The readers know how to run Windows Update
At last Microsoft got it right. No niggles or problems with the updates.
Windows Update can be also found at Start –> Windows Update.
Microsoft is the pits now. Twice my computer was affected by cycles on and on and on to infinity. Now it's affected the Automatic Updates programme, as SVCHOST.EXE is blocking the updates so the green light goes on forever trying to download. It's the kerraps. Not impressed at all with Microsoft. How do I solve this problem?
Microsoft updates do not work now as it has affected SVCHOST.EXE and this prevents updates to my computer… How do I solve this problem?
This is the entry from your threat centre regarding MS13-080
http://www.sophos.com/en-us/threat-center/threat-…
Why does the Sophos threat centre not give the same picture that Naked Security does:
SophosLabs testing result: No SophosLabs testing result found
Currently known exploits: No currently known exploits found
First sample seen: No samples found
Discovery date: 08 Oct 2013
You have shown samples, the security industry reports that the exploits have been used in east-asia since June.
How would I gain assurance that my infrastructure is protected and connect the threat to a particular AV alert?
Fixed – thanks for pointing this out. The VET-537 article and this one are now in agreement 🙂
As for the alerts you might see – Sophos detects the exploit itself as Exp/20133983-B.
But if you don't block the exploit itself, then what comes next is up to the crooks, so it's not possible to say what it might be in advance.