Latest Alerts

SANS Internet Storm Center, InfoCON: green

ISC StormCast for Friday, November 21st 2014 http://isc.sans.edu/podcastdetail.html?id=4247, (Fri, Nov 21st)

Thu, 11/20/2014 - 19:30
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Google Web "Firing Range" Available, (Thu, Nov 20th)

Thu, 11/20/2014 - 12:03

Google has released Firing Range, a test bed for assessing web application scanners, with what looks like a real focus on Cross Site Scripting. The code was co-developed by Google and Politecnico di Milano.

Targets include:

  • Address DOM XSS
  • Redirect XSS
  • Reflected XSS
  • Tag based XSS
  • Escaped XSS
  • Remote inclusion XSS
  • DOM XSS
  • CORS related vulnerabilities
  • Flash Injection
  • Mixed content
  • Reverse ClickJacking

Source code is on github at https://github.com/google/firing-range

App Engine deploy is at http://public-firing-range.appspot.com/

===============
Rob VandenBrink
Metafore


Critical WordPress XSS Update, (Thu, Nov 20th)

Thu, 11/20/2014 - 11:42

Today, WordPress 4.0.1 was released, which addresses a critical XSS vulnerability (among other vulnerabilities). [1]

The XSS vulnerability deserves a bit more attention, as it is an all too common problem, and often underestimated. First of all, why is XSS critical? It doesn't allow direct data access like SQL injection, and it doesn't allow code execution on the server. Or does it?

XSS does allow an attacker to modify the HTML of the site. With that, the attacker can easily modify form tags (think about the login form, changing the URL it submits its data to), or use XMLHttpRequest to issue requests in the victim's session from inside the site's own origin, so the same-origin policy offers no protection and the attacker can even read the responses: CSRF without its usual limits. The attacker will know what you type, and will be able to change what you type, so in short: the attacker is in full control. This is why XSS is critical.

The particular issue here was that WordPress allows some limited HTML tags in comments. This is always a very dangerous undertaking. The WordPress developers did attempt to implement the necessary safeguards: only certain tags are allowed, and even for these tags, the code checked for unsafe attributes. Sadly, this check wasn't done quite right. Remember that browsers will also parse somewhat malformed HTML just fine.

A better solution would probably have been to use a standard library instead of trying to do this themselves. HTML Purifier is one such library for PHP. Many developers shy away from using it as it is pretty bulky. But it is bulky for a reason: it does try to cover a lot of ground. It not only normalizes HTML and eliminates malformed HTML, but it also provides a rather flexible configuration. Many lightweight alternatives, like the solution WordPress came up with, rely on regular expressions. Regular expressions are typically not the right tool to parse HTML. Too much can go wrong, starting from new lines and ending somewhere around multi-byte characters. In short: don't use regular expressions to parse HTML (or XML), in particular for security.
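To make the regex-versus-parser point concrete, here is an added example (my own, not WordPress code and not HTML Purifier), in Python rather than PHP: a regex that strips event-handler attributes the way a lightweight comment filter might, beside an allowlist sanitizer built on a real HTML parser. The tag and attribute allowlist is an assumed policy for the demo. The regex handles the tidy case and misses an unquoted or upper-cased handler that a browser accepts without complaint; the parser lowercases and re-serialises everything before the policy is applied, so there is no malformed form left to sneak through.

```python
import re
from html import escape
from html.parser import HTMLParser

# Tag allowlist with the attributes each tag may keep. Assumed policy for the
# demo, not WordPress's actual comment allowlist.
ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(), "code": set(),
}

# The regex approach: strip event-handler attributes after the fact. It only
# recognises the tidy, double-quoted, lowercase form, which is exactly the
# form an attacker will not use.
_ON_HANDLER = re.compile(r'\s+on[a-z]+="[^"]*"')

def regex_sanitize(html):
    return _ON_HANDLER.sub("", html)

def _safe_href(value):
    # Only plain http(s) or site-relative links; blocks javascript:, data: etc.
    v = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
    return v.startswith(("http://", "https://", "/"))

class AllowlistSanitizer(HTMLParser):
    """Parse with a real HTML parser and re-emit only allowlisted tags and
    attributes, so malformed or oddly cased markup is normalised before the
    policy is applied instead of slipping past a pattern."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # inside <script>/<style>: drop the content too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:  # tag and attribute names arrive lowercased
            if name not in ALLOWED[tag]:
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

    # comments, <!DOCTYPE> and processing instructions fall through to the
    # default no-op handlers and are dropped

def parser_sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Feed both functions `<a href="http://x" onmouseover=alert(1)>hi</a>` and `<a href="http://x" ONMOUSEOVER="alert(1)">hi</a>`: the regex version returns them untouched, the parser version returns `<a href="http://x">hi</a>` for both. The parser route also handles what the regex never looked at, such as a `javascript:` href, a stray `<img onerror=...>` or a `<script>` block.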

[1] https://wordpress.org/news/2014/11/wordpress-4-0-1/

---
Johannes B. Ullrich, Ph.D.

ISC StormCast for Thursday, November 20th 2014 http://isc.sans.edu/podcastdetail.html?id=4245, (Thu, Nov 20th)

Wed, 11/19/2014 - 16:51

"Big Data" Needs a Trip to the Security Chiropracter!, (Wed, Nov 19th)

Wed, 11/19/2014 - 11:18

When the fine folks at PortSwigger updated Burp Suite last month to 1.6.07 (Nov 3), I was really glad to see NoSQL injection in the list of new features.

What's NoSQL, you ask? If your director is talking to you about "Big Data" or your marketing group is talking to you about customer metrics, likely what they mean is an app with a back-end database that uses NoSQL instead of real SQL.

I'm tripping over this requirement this month in the retail space. I've got clients that want to track a retail customer's visit to the store (tracking their cellphones using the store wireless access points), to see:

  • if customers visit store sections where the sale items are?
  • or, if customers visit area x, do they statistically visit area y next?
  • or, having visited the above areas, how many customers actually purchase something?
  • or, after seeing a purchase, how many feature sale purchases are net-new customers (or repeat customers)

In other words, using the wireless system to track customer movements, then correlating it back to purchase behaviour to determine how effective each feature sale might be.

So what database do folks use for applications like this? Front-runners in the NoSQL race these days include MongoDB and CouchDB. Both databases do cool things with large volumes of data. Both also come with rather blunt warnings in their own security documentation. MongoDB's says: "Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available."

CouchDB has a similar statement at http://guide.couchdb.org/draft/security.html: "it should be obvious that putting a default installation into the wild is adventurous".

So, where do I see folks deploying these databases? Why, in PUBLIC CLOUDs, that's where!

And what happens after you stand up your almost-free database and the analysis on that dataset is done? In most cases, the marketing folks who are using it simply abandon it, in a running state. What could possibly go wrong with that? Especially if they didn't tell anyone in either the IT or Security group that this database even existed?

Given that we've got hundreds of new ways to collect data that we've never had access to before, it's pretty obvious that if big data infrastructures like these aren't part of our current plans, they likely should be. All I ask is that folks do the risk assessments that they would if this server was going up in their own datacenter. Ask some questions like:

  • What data will be on this server?
  • Who is the formal custodian of that data?
  • Is the data covered under a regulatory framework such as HIPAA or PCI? Do we need to host it inside of a specific zone or vlan?
  • What happens if this server is compromised? Will we need to disclose to anyone?
  • Who owns the operation of the server?
  • Who is responsible for securing the server?
  • Does the server have a pre-determined lifetime? Should it be deleted after some point?
  • Does the developer or marketing team that's looking at the dataset understand your regulatory requirements? Do they understand that credit card numbers and patient data are likely bad candidates for an off-prem / casual treatment like this (hint - NO THEY DO NOT)?

Smartmeter applications are another big data thing I've come across lately. Laying this out end-to-end: collecting data from hundreds of thousands of embedded devices that may or may not be securable, over a public network, to be stored in an insecurable database in a public cloud. Oh, and the collected data impinges on at least 2 regulatory frameworks, PCI and NERC/FERC, and possibly also privacy legislation depending on the country. Ouch!

Back to the tools to assess these databases. Burp isn't your only option to scan NoSQL database servers; in fact, Burp is more concerned with the web front-end to NoSQL than with the database itself. NoSQLMap (http://www.nosqlmap.net/) is another tool that's seeing a lot of traction, and of course the usual suspects have NoSQL scripts, components and plugins: Nessus has a nice set of compliance checks for the database itself, and Nmap has scripts for CouchDB, MongoDB and Hadoop detection, as well as for mining database-specific information. OWASP has a good page on NoSQL injection at https://www.owasp.org/index.php/Testing_for_NoSQL_injection, and also check out http://opensecurity.in/nosql-exploitation-framework/.
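What those scanners are probing for, as an added example of my own in Python (no real MongoDB needed; the collection and its query evaluator are an in-memory stand-in that models only the $gt, $ne and $regex operators, and the user records are constructed sample data): a login handler that pastes a decoded JSON body straight into the query filter, so an object in place of the password string becomes an operator and matches any password, beside a hardened version that rejects operator keys and enforces the expected types before the query is built.

```python
import json
import re

# Constructed stand-in for a MongoDB "users" collection; no database involved.
# Passwords are stored in clear only to keep the demo short; real code
# compares a password hash.
USERS = [
    {"user": "alice", "pw": "correct horse battery staple", "role": "admin"},
    {"user": "bob", "pw": "hunter2", "role": "analyst"},
]

def _field_matches(stored, cond):
    """Mimic the slice of MongoDB query semantics the demo needs: a plain value
    is an equality test, a dict is an operator object ($gt, $ne, $regex)."""
    if not isinstance(cond, dict):
        return stored == cond
    for op, arg in cond.items():
        if op == "$gt":
            ok = stored > arg
        elif op == "$ne":
            ok = stored != arg
        elif op == "$regex":
            ok = re.search(arg, stored) is not None
        else:
            raise ValueError("operator not modelled: %s" % op)
        if not ok:
            return False
    return True

def find_one(collection, query):
    """Return the first document whose fields all satisfy the query."""
    for doc in collection:
        if all(_field_matches(doc.get(k), v) for k, v in query.items()):
            return doc
    return None

def login_vulnerable(body):
    """Typical bug: the decoded JSON body is dropped into the filter as-is, so
    a value that is an object acts as an operator instead of a string.
    {"user": "alice", "pw": {"$gt": ""}} logs in without the password."""
    data = json.loads(body)
    return find_one(USERS, {"user": data["user"], "pw": data["pw"]})

def contains_operator(value):
    """True if any key anywhere in the decoded JSON starts with '$'."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False

def login_hardened(body):
    """Refuse operator keys outright and enforce the type the query expects,
    so only string-to-string equality ever reaches the database."""
    data = json.loads(body)
    if contains_operator(data):
        raise ValueError("operator injection attempt")
    user, pw = data.get("user"), data.get("pw")
    if not isinstance(user, str) or not isinstance(pw, str):
        raise ValueError("credentials must be strings")
    return find_one(USERS, {"user": user, "pw": pw})
```

The same body that logs in as alice through `login_vulnerable` is rejected by `login_hardened`; a body such as `{"user": {"$ne": ""}, "pw": {"$regex": "^h"}}` additionally shows how an attacker enumerates accounts one character at a time through the vulnerable path.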

Shodan is also a nice place to look during the recon phase of an assessment (for instance, take a look at http://www.shodanhq.com/search?q=MongoDB+Server+Information ).

Have you used a different tool to assess a NoSQL database? Or have you had, let's say, an interesting conversation around securing data in such a database with your management or marketing group? Please add to the story in our comment form!

===============
Rob VandenBrink
Metafore


ISC StormCast for Wednesday, November 19th 2014 http://isc.sans.edu/podcastdetail.html?id=4243, (Wed, Nov 19th)

Tue, 11/18/2014 - 19:28

Microsoft November out-of-cycle patch MS14-068, (Tue, Nov 18th)

Tue, 11/18/2014 - 16:15

Note: MS14-066 was also updated today to fix some of the issues previously discussed with the introduction of the additional TLS cipher suites. Folks running Server 2008 R2 and Server 2012 are urged to reinstall the update.

Update (2014-11-18 19:45 UTC) - After reading Microsoft

ISC rating legend:

Critical: Anything that needs little to become "interesting" for the dangerous attacker.
Less Urgent: Typically a vulnerability that only affects workstations which are not normally at risk due to the best practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.

The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems.

    ---------------
    Jim Clausing, GIAC GSE #26
    jclausing --at-- isc [dot] sans (dot) edu

    Microsoft Will Release MS14-068 Later Today, (Tue, Nov 18th)

    Tue, 11/18/2014 - 08:24

    Today, Microsoft will release MS14-068. This is one of the bulletins that was skipped in November's Patch Tuesday update.

    The bulletin fixes a privilege escalation vulnerability and Microsoft rated it Critical.

    It does, however, appear that Microsoft still has process issues with releasing updates. For example, the Monthly Bulletin Summary for November now lists only this one bulletin [1]. The bulletin page itself is still blank, but will likely be released around 1:30pm ET.

    We will update/replace this diary once the full bulletin is released.

    [1] https://technet.microsoft.com/en-us/library/security/ms14-nov.aspx

    ---
    Johannes B. Ullrich, Ph.D.

    ISC StormCast for Tuesday, November 18th 2014 http://isc.sans.edu/podcastdetail.html?id=4241, (Tue, Nov 18th)

    Mon, 11/17/2014 - 18:19

    Updates for OS X , iOS and Apple TV, (Mon, Nov 17th)

    Mon, 11/17/2014 - 12:22

    Apple today released updates for iOS 8, OS X 10.10 (Yosemite) and Apple TV. Here are some of the highlights from a security point of view:

    OS X 10.10.1

    (approx. listed in order of severity; CVE / impact / ISC rating / description)

      • CVE-2014-4459 / Remote Code Execution / critical: A vulnerability in WebKit could allow a malicious site to execute arbitrary code.
      • CVE-2014-4453 / Information Leakage / important: The index Spotlight creates on a removable drive may include content from other drives. This vulnerability was recently discussed publicly in a blog whose author discovered e-mail fragments in the Spotlight index created on a USB drive.
      • CVE-2014-4460 / Information Leakage / important: Safari may not delete all cached files after leaving private browsing. If a user visits a site without private browsing after visiting the same site with private browsing enabled, the site may be able to connect the two visits.
      • CVE-2014-4458 / Information Leakage / important: The "About this Mac" feature includes unnecessary details that are reported back to Apple to determine the system model.

    iOS

      • CVE-2014-4452, CVE-2014-4462 / remote code execution / critical: WebKit issues that will lead to arbitrary code execution when visiting a malicious web page.
      • CVE-2014-4455 / unsigned code execution / important: A local user may execute unsigned code.
      • CVE-2014-4460 / information leakage / important: Safari doesn't delete all cached files when leaving private mode.
      • CVE-2014-4461 / privilege escalation / important: A malicious application may execute arbitrary code with system privileges.
      • CVE-2014-4451 / security feature bypass / important: An attacker may be able to exceed the maximum passcode attempt limit to bypass the lock screen.
      • CVE-2014-4463 / information leakage / important: The "leave message" feature in FaceTime may have allowed sending photos from the device.
      • CVE-2014-4457 / code execution / important: The debug feature would allow applications to be spawned that were not being debugged.
      • CVE-2014-4453 / information leakage / important: iOS would submit the device's location to Spotlight Suggestion servers before the user entered a query.

    Apple TV

      • CVE-2014-4462 / Code Execution / Critical: A memory corruption in WebKit may be used to terminate applications or run arbitrary code.
      • CVE-2014-4455 / Code Execution / Important: A local user may execute unsigned code.
      • CVE-2014-4461 / Privilege Elevation / Important: A malicious application may be able to execute arbitrary code with system privileges.

    ---
    Johannes B. Ullrich, Ph.D.

    ISC StormCast for Monday, November 17th 2014 http://isc.sans.edu/podcastdetail.html?id=4239, (Mon, Nov 17th)

    Sun, 11/16/2014 - 18:02

    Microsoft Updates MS14-066, (Sun, Nov 16th)

    Sun, 11/16/2014 - 12:51

    Microsoft updated MS14-066 to warn users about some problems caused by the additional ciphers added with the update [1]. It appears that clients that do not support these ciphers may fail to connect at all. The quick fix is to remove the ciphers by editing the respective registry entry (see the KB article linked below for more details).

    One user reported to us performance issues when connecting from Microsoft Access to SQL Server, which are related to these ciphers.

    Sadly, MS14-066 hasn't been Microsoft's best vulnerability announcement. The initial bulletin omitted important details (like the impact of the certificate bypass vulnerability). So far, a total of 3 vulnerabilities are being discussed in conjunction with MS14-066, while the bulletin only lists one CVE number. How the bug was disclosed has also caused confusion, with some Microsoft publications listing external discovery (but private disclosure) and others indicating internal discovery.

    [1] https://support.microsoft.com/kb/2992611

    ---
    Johannes B. Ullrich, Ph.D.

    SChannel Update and Experimental Vulnerability Scanner (MS14-066), (Fri, Nov 14th)

    Fri, 11/14/2014 - 05:19

    Just a quick update on the SChannel problem (MS14-066, CVE-2014-6321). So far, there is still no publicly available exploit for the vulnerability, and details are still sparse. But apparently there is some progress in developing a working exploit, as hinted at in a tweet by Dave Aitel.

    Overall: Keep patching, but I hope your weekend will not be disrupted by a major new exploit being released.

    Emerging Threats also released some public/free snort rules that promise to cover the various vulnerabilities patched by MS14-066. (http://emergingthreats.net/daily-ruleset-update-summary-11132014/)

    I also got a VERY experimental scanner that may be helpful for finding unpatched hosts. This scanner does not test for the vulnerability itself. Instead, it checks for support for the 4 new ciphers that were added with MS14-066, so a host that negotiates them has the update installed (note the flip side: a host where the new ciphers were removed again via the KB 2992611 registry workaround will look unpatched to this check). Maybe someone finds it helpful. Let me know if it works. It is a bash script and uses openssl on Unix. You will need at least openssl version 1.0.1h (and you need to connect directly to the test server, not through a proxy).

    See: https://isc.sans.edu/diaryimages/MSFT1466test.sh (sig: MSFT1466test.sh.asc)

    Feedback welcome.

    ---
    Johannes B. Ullrich, Ph.D.

    ISC StormCast for Friday, November 14th 2014 http://isc.sans.edu/podcastdetail.html?id=4237, (Fri, Nov 14th)

    Thu, 11/13/2014 - 20:13

    ISC StormCast for Thursday, November 13th 2014 http://isc.sans.edu/podcastdetail.html?id=4235, (Thu, Nov 13th)

    Wed, 11/12/2014 - 18:28

    PCRE for malware audits, (Thu, Nov 13th)

    Wed, 11/12/2014 - 16:12

    When auditing a company for their malware defense savvy, you are likely used to being presented with colorful pie charts of all the malware that their Anti-Virus (AV) product of choice successfully intercepted. Odds are that your auditee can show statistics for the past five years, and related trends of doom and gloom.

    The problem is, we aren't really interested in that. Counting what the AV caught is like counting the number of hits on the final drop rule of the Internet firewall: it shows scary numbers, but who cares, given that this is stuff that was STOPPED. Way more interesting is the stuff that managed to sneak by and was missed ... but how do we find it?

    One approach that I like to use involves Perl Compatible Regular Expressions (PCRE). You have likely encountered PCREs before: Perl has one of the most versatile regular expression languages around, able to match any text pattern imaginable. Snort, for example, supports PCREs in its rule language. Perl, of course, supports PCRE natively. And, lo and behold, the lowly Unix grep command, on many Unix flavors, supports grep -P, which gives it alien PCRE powers.

    What to do with them powers, you ask? Well, in an audit, obtain the last 10 days or so of proxy server logs. Most companies have them, and be prepared that they are HUGE. Plunk them onto a Unix system of your choice that supports grep -P. Then, if you are reading malware blogs like Kafeine's http://malware.dontneedcoffee.com and Brad's http://malware-traffic-analysis.net, you have an ample reservoir of URLs for currently active threats. If you speak PCRE, turning these URLs into patterns is no big deal, and provides good fresh intel. If you don't speak PCRE (well, you should learn!!), you can make use of the current events ruleset of Emerging Threats, for example http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-current_events.rules. Look for recently added rules that cover trojan activity.

    Then, for the analysis, piece the various PCREs together into one big bad*ss PCRE, and run it in a grep -P over the proxy logs. For example:

    daniel@debian$ grep -P '(http:\/\/[^\x2f]+\/[a-z0-9]{6,}_[0-9]+_[a-f0-9]{32}\.html|\/[a-f0-9]{60,66}(?:\x3b\d+){1,4}|\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}|\/[0-9a-z]{32}.php\?[a-z]{1,3}=[0-9a-z]{32})'
    Nov 10 11:43:18 local7.info squid[20791]: time=2014-11-10 11:43:18 rc=TCP_MISS/200 ip=10.17.22.91 head_type=application/x-shockwave-flash size=10751 req=GET url=214 referrer=http://tblwynx.ddns.net/nrll3fpihn5lzyvnrkk8klq88cnfyapoeivvkbieeeff

    Yes, it will take a while, but if you get any hits, like the Fiesta exploit kit hit shown above, I guarantee that it will be highly entertaining to ask the auditee whether they noticed anything amiss on the PC 10.17.22.91 on November 10. The fresher your PCRE, the better the results that you will pull out of the log. With a decently up to date PCRE, I have yet to see an auditee who doesn't have several hits in ten days' worth of proxy logs.
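The same sweep, as an added Python example of my own for when grep -P is not at hand or you want the hits parsed rather than eyeballed: the diary's four alternations are split into named groups so each hit reports which pattern family fired, the squid-style key=value fields yield the client IP and timestamp, and a counter gives the per-host list for the auditee conversation. The pattern family names are mine, the fourth pattern's .php has its dot escaped (the original leaves it unescaped), and the four log lines are constructed samples, not the diary's.

```python
import re
from collections import Counter

# The four alternatives from the diary's combined PCRE, split out and named so
# a hit also tells you which pattern family fired. Family names are mine.
PATTERNS = {
    "hashed_html": r"http:\/\/[^\x2f]+\/[a-z0-9]{6,}_[0-9]+_[a-f0-9]{32}\.html",
    "hexblob_counters": r"\/[a-f0-9]{60,66}(?:\x3b\d+){1,4}",
    "hexblob_1nnnnn": r"\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}",
    "hashed_php_param": r"\/[0-9a-z]{32}\.php\?[a-z]{1,3}=[0-9a-z]{32}",
}
COMBINED = re.compile("|".join("(?P<%s>%s)" % item for item in PATTERNS.items()))

# Squid-style key=value fields, as in the diary's log line.
FIELD = re.compile(r"(\w+)=(\S+)")
STAMP = re.compile(r"time=(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def scan(lines):
    """Run the combined pattern over proxy log lines; return one record per hit
    with the timestamp, client IP and the pattern family that matched."""
    hits = []
    for line in lines:
        m = COMBINED.search(line)
        if m is None:
            continue
        fields = dict(FIELD.findall(line))
        stamp = STAMP.search(line)
        hits.append({
            "time": stamp.group(1) if stamp else None,
            "ip": fields.get("ip"),
            "family": m.lastgroup,
            "matched": m.group(0),
        })
    return hits

def hosts_to_ask_about(hits):
    """Client IP -> number of hits: the list for the awkward conversation."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log: two benign lines and two that should fire.
HEX64 = "0123456789abcdef" * 4
SAMPLE_LOG = [
    "Nov 10 11:40:02 local7.info squid[20791]: time=2014-11-10 11:40:02 rc=TCP_MISS/200 "
    "ip=10.17.22.15 head_type=text/html size=5123 req=GET url=http://www.example.com/index.html referrer=-",
    "Nov 10 11:43:18 local7.info squid[20791]: time=2014-11-10 11:43:18 rc=TCP_MISS/200 "
    "ip=10.17.22.91 head_type=application/x-shockwave-flash size=10751 req=GET "
    "url=http://ads.example.net/0123456789abcdef0123456789abcdef.php?ab=fedcba9876543210fedcba9876543210 referrer=-",
    "Nov 10 11:43:19 local7.info squid[20791]: time=2014-11-10 11:43:19 rc=TCP_MISS/200 "
    "ip=10.17.22.91 head_type=application/octet-stream size=204800 req=GET "
    "url=http://ads.example.net/" + HEX64 + ";1234 referrer=-",
    "Nov 10 11:44:01 local7.info squid[20791]: time=2014-11-10 11:44:01 rc=TCP_HIT/200 "
    "ip=10.17.22.40 head_type=image/png size=812 req=GET url=http://www.example.com/logo.png referrer=-",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["time"], h["ip"], h["family"], h["matched"])
    print(hosts_to_ask_about(scan(SAMPLE_LOG)))
```

On the sample, the two 10.17.22.91 lines fire (the hashed .php request and the long hex blob with a trailing counter) and the two example.com lines stay quiet. Swap `SAMPLE_LOG` for the real file read line by line; the patterns themselves go stale as fast as the blogs' URLs do, which is the diary's point about keeping them fresh.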

    If you have any cool PCRE malware detection tricks up your sleeve, please share via the comments below!


    How bad is the SCHANNEL vulnerability (CVE-2014-6321) patched in MS14-066?, (Wed, Nov 12th)

    Wed, 11/12/2014 - 08:28

    We had a number of users suggesting that we should have labeled MS14-066 as "Patch Now" instead of just critical. This particular vulnerability probably has the largest potential impact among all of the vulnerabilities patched this Tuesday, and should be considered the first patch to apply, in particular on servers.

    Just like OpenSSL implements SSL/TLS on many Unix systems, SChannel is the standard SSL/TLS library that ships with Windows. Expect most Windows software that takes advantage of SSL to use SChannel.

    Microsoft stated that this vulnerability will allow remote code execution and that it can be used to exploit servers. Microsoft also assigned this vulnerability an exploitability index of 1, indicating that an exploit is likely going to be developed soon. But other than that, very little has been released publicly about the nature of the vulnerability.

    There is some conflicting information on whether the bug was found internally or by a third party. The bulletin states: "This security update resolves a privately reported vulnerability" [1]. A blog post about the vulnerability states: "Internally found during a proactive security assessment" [2]. Finally, Microsoft's Acknowledgement page does not list a source for the vulnerability [3]. It is not clear how far outside of Microsoft the vulnerability was known prior to the patch release.

    However, as soon as a patch is released, it can be used to learn more about the vulnerability. It is very hard these days to obfuscate a patch sufficiently to hide the nature of a vulnerability.

    So what does this mean for you?

    My guess is that you probably have a week, maybe less, to patch your systems before an exploit is released. You got a good inventory of your systems? Then you are in good shape to make this work. For the rest (the vast majority?): while you patch, also figure out countermeasures and alternative emergency configurations.

    The most likely targets are SSL services that are reachable from the outside: web and mail servers would be at the top of my list. But it can't hurt to check the report from your last external scan of your infrastructure to see if you have anything else. It's probably a good idea to repeat this scan if you haven't scheduled it regularly.

    Next move on to internal servers. They are a bit harder to reach, but remember that you only need one internal infected workstation to expose them.

    Third: traveling laptops and the like that leave your perimeter. They should already be locked down, and are unlikely to listen for inbound SSL connections, but it can't hurt to double check. Some odd SSL VPN? Maybe some instant messenger software? A quick portscan should tell you more.

    You are doing great if you can get these three groups out of the way by the end of the week. Internal clients are less of an issue, but just like traveling laptops, they may run some software that listens for inbound SSL connections.

    Stick with my old advice: patching is only in part about speed. Don't let speed get in the way of good operations and procedures. It is at least as important to patch in a controlled, verifiable and reproducible way. Anything else will leave you open to attack due to incomplete patching. Don't forget to reboot the system or the patch may not take effect.

    Microsoft didn't mention any workarounds. But this may change as we learn more about the issue. So make sure that you know how to disable certain ciphers or certain SSL modes of operation. And please take this as another opportunity to get your inventory of hardware and software sorted out.

    Patch Now? Maybe better: Patch first / Patch soon. This vulnerability could turn into a worm like Slapper, an OpenSSL worm exploiting Apache back in the day.

    I am not aware of any public IDS signatures for this problem so far, but it may make sense to check for SSL errors, even on non-Windows servers, to spot possible exploit attempts.

    To make things more interesting (confusing?), the Cisco Talos blog states that "[w]hile it is covered by only a single CVE, there's actually multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses" [4]. It would be really odd for Microsoft to only use a single CVE number for various vulnerabilities only related by the common library they happen to be found in. But I do give Cisco some credibility here as they are working closely with Microsoft and may have gotten more details from Microsoft than what was published in the bulletin.

    Cisco also published a number of Snort rules for MS14-066. If you have a VRT subscription, you should see these rules with an SID from 32404 through 32423.

    PLEASE SHARE ANY ATTACK DATA / EXPLOIT SIGHTINGS YOU MAY HAVE ! ( handlers -at- sans.edu or our contact form)

    [1] https://technet.microsoft.com/library/security/MS14-066
    [2] http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-november-2014-security-updates.aspx
    [3] https://technet.microsoft.com/library/security/dn820091.aspx
    [4] http://blogs.cisco.com/security/talos/ms-tuesday-nov-2014

    ---
    Johannes B. Ullrich, Ph.D.

    ISC StormCast for Wednesday, November 12th 2014 http://isc.sans.edu/podcastdetail.html?id=4233, (Wed, Nov 12th)

    Tue, 11/11/2014 - 17:10

    Adobe Flash Update, (Tue, Nov 11th)

    Tue, 11/11/2014 - 11:51

    Adobe today released a patch for Flash Player / Adobe AIR which fixes 18 different vulnerabilities [1]. The Flash update is rated with a priority of 1 for Windows and OS X, indicating that limited exploitation has been observed. Please consult the advisory for details.

    [1] http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

    ---
    Johannes B. Ullrich, Ph.D.

    Microsoft November 2014 Patch Tuesday, (Tue, Nov 11th)

    Tue, 11/11/2014 - 11:07

    Important: Please note that Microsoft released EMET 5.1 yesterday to address conflicts between EMET 5.0 / IE 11 and the patches released here (likely MS14-065).

    We are aware that bulletin numbers are skipped below. Not sure if they will come later. It is possible that I used a version of the bulletin page that wasn't complete yet.

    MS14-065 Cumulative Security Update for Internet Explorer (Replaces MS14-056)
    Affected: Microsoft Windows, Internet Explorer
    CVE-2014-4143, CVE-2014-6323, CVE-2014-6337, CVE-2014-6339, CVE-2014-6340, CVE-2014-6341, CVE-2014-6342, CVE-2014-6343, CVE-2014-6344, CVE-2014-6345, CVE-2014-6346, CVE-2014-6347, CVE-2014-6348, CVE-2014-6349, CVE-2014-6350, CVE-2014-6351, CVE-2014-6353
    KB 3003057

    MS14-066 Vulnerability in Schannel Could Allow Remote Code Execution (Replaces MS10-085, MS12-049)
    Affected: Microsoft Windows
    CVE-2014-6321
    KB 2992611

    MS14-069 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (Replaces MS14-017, MS14-061)
    Affected: Microsoft Office
    CVE-2014-6333, CVE-2014-6334, CVE-2014-6335
    KB 3009710

    MS14-071 Vulnerability in Windows Audio Service Could Allow Elevation of Privilege
    Affected: Microsoft Windows
    CVE-2014-6322
    KB 3005607

    MS14-072 Vulnerability in .NET Framework Could Allow Elevation of Privilege (Replaces MS14-026)
    Affected: Microsoft Windows, Microsoft .NET Framework
    CVE-2014-4149
    KB 3005210

    MS14-073 Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (Replaces MS13-084)
    Affected: Microsoft Server Software
    CVE-2014-4116
    KB 3000431

    MS14-074 Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (Replaces MS10-085, MS14-030)
    Affected: Microsoft Windows
    CVE-2014-6318
    KB 3003743

    MS14-076 Vulnerability in Internet Information Services
    Affected: Microsoft Windows
    CVE-2014-4078
    KB 2982998

    MS14-077 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure
    Affected: Microsoft Windows
    CVE-2014-6331
    KB 3003381

    MS14-079 Vulnerability in Kernel Mode Driver Could Allow Denial of Service (Replaces MS14-058)
    Affected: Microsoft Windows
    CVE-2014-6317
    KB 3002885

    ISC rating legend:

    Critical: Anything that needs little to become "interesting" for the dangerous attacker.
    Less Urgent: Typically a vulnerability that only affects workstations which are not normally at risk due to the best practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.

    The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems.

    ---
    Johannes B. Ullrich, Ph.D.