Archive for August, 2015

MS15-092 – Important: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3086251) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (August 24, 2015): Updated bulletin to inform customers that on August 18, 2015, a metadata change was implemented on Windows Update for the updates documented in this bulletin. This is an informational change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft .NET Framework. The vulnerabilities could allow elevation of privilege if a user runs a specially crafted .NET application. However, in all cases, an attacker would have no way to force users to run the application; an attacker would have to convince users to do so.

MS15-080 – Critical: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3078662) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (August 21, 2015): Updated bulletin to inform customers running Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows Server 2008 R2 Service Pack 1, and Windows 7 Service Pack 1 that the 3078601 update on the Microsoft Download Center was updated on August 18, 2015. Microsoft recommends that customers who installed the 3078601 update from the Microsoft Download Center before August 18 reinstall the update to be fully protected from the vulnerabilities discussed in this bulletin. If you installed update 3078601 via Windows Update, Windows Update Catalog, or WSUS, no action is required.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType fonts.

MS15-067 – Critical: Vulnerability in RDP Could Allow Remote Code Execution (3073094) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (August 21, 2015): Improved the Update FAQ section and the footnote for the Affected Software table to help customers more easily identify the correct update to apply based on the currently installed version of RDP on Windows 7 systems. These are informational changes only. Customers who have already successfully applied the update do not need to take any action. Customers who have not already installed the necessary update should do so to be protected from the vulnerability it addresses.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted sequence of packets to a targeted system with Remote Desktop Protocol (RDP) enabled. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
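
The bulletin leaves two questions to the reader: whether a given host actually has RDP enabled and listening, and which update package applies to its installed RDP version (the V1.1 revision exists precisely because Windows 7 can run more than one RDP version). The PowerShell below is an added example for the local host, not code from the bulletin or from Microsoft. It assumes that the file version of termsrv.dll is a usable indicator of the installed RDP stack version (confirm the method in the bulletin's Update FAQ), and it takes the KB numbers from the caller because they differ per OS and RDP version; no KB number is hard-coded. Run it in an elevated PowerShell session.

```powershell
# Added example (not from MS15-067). Reports whether this host exposes RDP and
# whether the caller-supplied update(s) from the bulletin's Affected Software
# table are installed. Assumption: termsrv.dll's file version stands in for
# the installed RDP stack version.

function Test-RdpExposure {
    param(
        # KB numbers copied from the MS15-067 Affected Software table for this OS/RDP version.
        [string[]]$ExpectedKB = @()
    )

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 is the default (Remote Desktop off); 0 means it is enabled.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # The listening port is configurable; 3389 is only the default.
    $port = (Get-ItemProperty -Path $tcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }
    $listening = [bool](netstat -ano -p TCP | Select-String -Pattern ":$port\s+\S+\s+LISTENING")
    $listeningPort = $null
    if ($listening) { $listeningPort = $port }

    # RDP stack version proxy (assumption, see lead-in).
    $version = 'not found'
    $termsrv = Get-Item -Path "$env:SystemRoot\System32\termsrv.dll" -ErrorAction SilentlyContinue
    if ($termsrv) { $version = $termsrv.VersionInfo.FileVersion }

    # Which of the expected updates are absent?
    $missing = @()
    foreach ($kb in $ExpectedKB) {
        $id = $kb
        if ($id -notlike 'KB*') { $id = "KB$kb" }
        if (-not (Get-HotFix -Id $id -ErrorAction SilentlyContinue)) { $missing += $id }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = $rdpEnabled
        ListeningPort  = $listeningPort
        TermsrvVersion = $version
        MissingUpdates = $missing
        # Exposed only if RDP is on, the port is listening, and a required update is absent.
        AtRisk         = ($rdpEnabled -and $listening -and ($missing.Count -gt 0))
    }
}

# Usage: pass the KB number(s) the bulletin lists for this host's OS and RDP version,
# e.g. Test-RdpExposure -ExpectedKB @('KB<from the bulletin>')
Test-RdpExposure -ExpectedKB @() | Format-List
```

AtRisk is deliberately conservative in the other direction too: a host with RDP disabled is reported as not at risk, which matches the bulletin's statement, but it still lists missing updates so they can be applied before anyone enables Remote Desktop later.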

MS15-093 – Critical: Security Update for Internet Explorer (3088903) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (August 20, 2015): Bulletin revised to announce a detection change in the 3087985 update for Internet Explorer. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Security Update Solution Further Protects Customer Devices

August 18th, 2015

On Tuesday, August 18, 2015, Microsoft released an out-of-band security update to address a vulnerability in Internet Explorer. The update applies to all supported versions of Internet Explorer.

We recommend that customers apply this update as soon as possible by following the directions in Security Bulletin MS15-093 on the TechNet.com/Security website.

More information about this bulletin can be found on Microsoft’s Bulletin Summary page.

MSRC Team

MS15-AUG – Microsoft Security Bulletin Summary for August 2015 – Version: 2.0

Revision Note: V2.0 (August 18, 2015): Bulletin Summary revised to add one out-of-band bulletin, MS15-093, to the August security bulletin release. The additional bulletin addresses a vulnerability in Internet Explorer. See MS15-093 for more information.
Summary: This bulletin summary lists security bulletins released for August 2015.

MS15-093 – Critical: Security Update for Internet Explorer (3088903) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (August 18, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

August 2015 Security Update Release Summary

August 11th, 2015

Today we released security updates to provide protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.

MSRC Team

MSRT August 2015: Vawtrak

August 11th, 2015

As part of our ongoing effort to provide better malware protection, we are adding detections for the following families to the Microsoft Malicious Software Removal Tool (MSRT) this month: Vawtrak, Critroni, and Kasidet.

Critroni is a ransomware family that can lock your files and demand payment to regain access to them. Variants in the Kasidet family can steal your sensitive information and send it to a remote attacker. The rest of this post covers the Vawtrak malware family.

Vawtrak infection chain

Vawtrak is a family of information-stealing malware that can be used to steal banking credentials. It is also known as NeverQuest and Snifula.

Vawtrak variants are typically distributed through one of three infection vectors:

  • Exploit kits (for example, Angler)
  • Spam email attachments (for example, a malicious zip attachment containing the Vawtrak binary)
  • Macro malware (for example, Bartallex)

Exploit kits such as Angler exploit vulnerabilities in common software. Keeping your software up to date reduces the chance of infection through this vector.

Macro malware such as Bartallex can install other malware, including Vawtrak, on your PC when you open a malicious spam email attachment and enable macros. You can read more about this type of threat on our macro help page.

Figure 1 shows the spam email/Bartallex infection chain.

Figure 1: Vawtrak infection chain

Vawtrak malware details

The Vawtrak dropper installs a DLL component to %ALLUSERSPROFILE%\<random folder name>\<random file name>. The "random" folder and file names are generated with a linear congruential generator (LCG) seeded with the volume serial number of the system drive, so they differ from PC to PC but are the same every time the malware runs on a given PC.

The malware uses the same trick to derive the registry location where it stores its configuration, so that it can find the configuration again after a reboot or an update.

It then injects the DLL into all running processes, including browsers. Once Vawtrak is running inside a web browser process, it steals your user names and passwords for certain websites; the set of targeted websites varies. The malware also contacts its command-and-control server to fetch configuration files and other bot commands.
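
The description above is enough to hunt for the persistence pattern without knowing the LCG itself: a DLL dropped under %ALLUSERSPROFILE% in a subfolder that is not one of the folders normally found there, and that DLL loaded into browser or other processes. The PowerShell below is an added example, not code from the MMPC post or from Microsoft. The list of expected ProgramData folders is an assumption to be tuned per environment, and the script reports rather than removes. Run it elevated.

```powershell
# Added example (not from the MMPC post). Hunts for DLLs under
# %ALLUSERSPROFILE% in unexpected subfolders and reports which running
# processes have them loaded. The LCG-derived names cannot be predicted here,
# so the hunt keys on the pattern they produce, not on specific names.

function Find-ProgramDataDlls {
    param(
        # First-level ProgramData folders treated as expected. Assumption: tune per environment.
        [string[]]$KnownFolders = @('Microsoft', 'Package Cache', 'USOShared', 'Packages')
    )
    $root = $env:ALLUSERSPROFILE      # typically C:\ProgramData
    $results = @{}                    # path -> report object (keys are case-insensitive)

    # Part 1: DLLs on disk under ProgramData subfolders that are not in the known list.
    Get-ChildItem -Path $root -Recurse -Filter '*.dll' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rel = $_.FullName.Substring($root.Length).TrimStart('\')
            $top = ($rel -split '\\')[0]
            if ($KnownFolders -notcontains $top) {
                $results[$_.FullName] = [pscustomobject]@{
                    Path      = $_.FullName
                    LoadedIn  = @()
                    Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
        }

    # Part 2: which processes have those DLLs loaded (Vawtrak injects into browsers).
    foreach ($proc in Get-Process) {
        $modules = @()
        try { $modules = @($proc.Modules) } catch { continue }   # access denied or bitness mismatch
        foreach ($m in $modules) {
            $p = $m.FileName
            if ($p -and $results.ContainsKey($p)) {
                $results[$p].LoadedIn += "$($proc.ProcessName):$($proc.Id)"
            }
        }
    }

    $results.Values | Sort-Object Path
}

Find-ProgramDataDlls | Format-Table -AutoSize
```

Unsigned DLLs under ProgramData that are loaded into a browser process are the hits to triage first. Because the names are derived from the volume serial number, a path confirmed as Vawtrak on one machine remains a valid indicator for that machine across reinfections, but it does not transfer to other hosts; treat each hit as host-specific rather than as a fleet-wide IOC.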

There are more details about the malware payload in our Win32/Vawtrak family description.

Vawtrak telemetry

Figure 2 shows the number of Vawtrak encounters we have seen during the past two months. Most infections occurred in the United States and the UK, as shown in Figure 3.

Figure 2: Vawtrak encounters

Figure 3: Top 10 countries affected by Vawtrak

Stay protected

MSRT cleanup for Vawtrak will remove executable files and registry entries related to the malware. It will also restore the default system settings. Microsoft security products, such as Windows Defender for Windows 10, also include detection for Vawtrak and other malware families.

It’s also always important to:

For enterprise users:   

MMPC
Wei Li & Zhitao Zhou
