Microsoft fixes bugs exploited to hack military and financial firms

Microsoft’s February security update includes fixes for a bug exploited by attackers targeting US defence and financial services firms

Microsoft’s February 2015 security update includes fixes for a bug exploited by attackers targeting US defence and financial services firms and a vulnerability affecting core components of Windows.

This month’s update included nine bulletins, three of which were rated “critical” and the remainder were rated “important”, which should keep system administrators busy in the coming days.

Microsoft’s update comes after a turbulent month for information security professionals, with multiple zero-day vulnerabilities in Adobe’s Flash software.

All of the known issues have been very quickly addressed by Adobe (APSB15-02, 03 and 04), but the number of flaws cyber criminals are finding in software widely used on a daily basis is worrying, wrote Wolfgang Kandek, chief technology officer at Qualys, in a blog post.

He believes the most important Microsoft bulletin – after installing Adobe’s APSB14-04 – is MS15-009, the fix for Internet Explorer (IE) that covers 41 vulnerabilities.

One of these has reportedly been used in the wild by attackers targeting financial services firms and US military and government networks.


Chinese state-sponsored hackers

The flaw was used in conjunction with an Adobe Flash vulnerability to compromise Windows PCs that visited websites reportedly compromised by Chinese state-sponsored group. The group of hackers was dubbed “Codoso” by iSight Partners and “Sunshop Group” by FireEye.

The water hole style attack was detected and blocked in November 2014 by the security systems of a US defence firm, after a user visited the website. was compromised using a software add-on – called a widget – based on a version of Adobe's Flash software that was vulnerable to an exploit believed to have been created by Codoso. This was paired with an IE zero day vulnerability to enable the attackers to take over Windows PCs.

Forbes said the booby-trapped widget was present on its website between 28 November and 1 December 2014.

John Hultquist from iSight Partners told the BBC the security firm’s researchers had been tracking Codoso since 2010 and believe the group was behind the attack.

Once the Codoso malware compromised a Windows machine, it attempted to log what software the machine ran and map networks to find other machines to compromise.

No data was stolen from official US networks using this exploit, according to security firm Invincea. But an analysis of the malware showed it had been used to reach other sites.

Adobe patched the Flash bug on 9 December 2014 and Microsoft has now closed the other flaw exploited by Codoso.

Remote code execution attack

After attending to the IE bug fixes, Kandek said the next priority should be MS15-012 which, although rated “important” rather than “critical”, addresses three vulnerabilities, including a remote code execution type that can be used to gain control over the user’s machine.

An attacker can trick the user into opening a specially formatted document, frequently aided through the use of social engineering such as sending an email with an attachment. “Since this type of attack is quite frequent, we believe this bulletin should be high on your list," said Kandek.

MS15-010 is a “critical” bulletin for the Windows Operating system addressing six vulnerabilities present in all versions of the operating system, starting with Server 2003 through Windows 8.1 and Server 2008 R2. “One of the vulnerabilities, CVE-2015-0010 has been disclosed publicly through the Project Zero from Google, because its 90-day embargo period expired, but Microsoft indicates that it is unaware of any exploitation attempts,” said Kandek.

The vulnerability is a security bypass bug in the kernel driver cng.sys, according to Karl Sigler, threat intelligence manager at Trustwave.

“This driver, in part, allows an application to encrypt memory in specific situations. When encrypting a logon session, the driver generates an encryption key based on the logon session identifier for the user,” he said.

The bug exists in the fact that the driver does not check the impersonation level of the token when capturing the logon session ID.

“This could allow a normal user to impersonate another session and encrypt or decrypt data in memory meant for a different user,” said Sigler.

“By patching this vulnerability, Microsoft has fixed all of the three zero days released by Google at the beginning of the year. We'll have to wait and see whether or not there are more hiding in the rafters,” he said.

Hacker gets admin privileges

MS15-011 is the final “critical” bulletin that deals with a vulnerability in the Microsoft Group Policy mechanism. It can allow remote code execution by granting attackers administrator-level privileges.

“The attacker has to trick a user to connect their client machine to the attacker’s malicious domain, which places the attack squarely into the enterprise realm, with the attacker controlling the domain controller or able to pose as domain controller,” said Kandek.

“Interestingly enough, Microsoft is not addressing the vulnerability in Windows Server 2003, but states that the fix would be too invasive to guarantee 2003 continued functioning. One more reason to get off the Server 2003 platform as soon as possible, in addition to the coming end-of-life of the platform in July of this year,” he said.

The flaw was dubbed the “Jasbug” after an exploit was identified by Jeff Schmidt, founder of JAS Global Advisors in 2014 while he was working on an engagement with Icann, the organisation governing internet standards.

Schmidt has been working with Microsoft for a year to create the newly released patch.

Unlike recent high-profile vulnerabilities – such as Heartbleed, Shellshock, Gotofail and Poodle – this is a design problem, not an implementation problem. This makes it an un usual type of vulnerability and much more difficult to fix.

The patch required Microsoft to re-engineer core components of the operating system and to add several new features.

Security bypass allows arbitrary code run

The remaining Microsoft bulletins for February address local problems in Office (MS15-013), Group Policy (MS15-014), Windows (MS15-015 and MS15-016) and the Virtual Machine Manager in Server 2012 (MS15-017).

MS15-013 resolves one publicly disclosed vulnerability in Microsoft Office. The vulnerability could allow security feature bypass if a user opens a specially crafted Microsoft Office file.

“The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this security feature bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, to run arbitrary code,” said Sigler.

This security update is rated "important" for all supported editions of Microsoft Office 2007, Microsoft Office 2010 and Microsoft Office 2013.

MS15-014 resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker causes the Group Policy Security Configuration Engine policy file on a targeted system to become corrupted or otherwise unreadable.

“This results in the Group Policy settings on the system to revert to their default and potentially less secure state. The attacker would need to perform a man-in-the-middle attack to exploit this vulnerability,” said Sigler.

This security update is rated "important" for all supported releases of Microsoft Windows.

Credentials let hackers elevate privileges

MS15-015 resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to use the lack of impersonation-level security checks to elevate privileges during process creation.

“An authenticated attacker who successfully exploited this vulnerability could acquire administrator credentials and use them to elevate privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights,” said Sigler.

This security update is rated "important" for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows 2012, Windows RT, Windows 8.1, Windows 2012 R2, and Windows RT 8.1.

MS15-016 resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user browses to a website containing a specially crafted tif image.

“This vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system,” said Sigler.

This security update is rated "important" for all supported releases of Microsoft Windows.

Virtual Machine Manager vulnerability

MS15-017 resolves a privately reported vulnerability in Virtual Machine Manager (VMM). The vulnerability could allow elevation of privilege if an attacker logs on an affected system.

“An attacker must have valid Active Directory logon credentials and be able to log on with those credentials to exploit the vulnerability,” said Sigler.

This security update is rated "important" for Microsoft System Center 2012 R2 Virtual Machine Manager Update Rollup 4.

Read more on Hackers and cybercrime prevention