Vulnerabilities in Lenovo System Update

(Thanks to Rich Pieri for sharing this news.)

Months after Lenovo was found to have shipped dangerous software preinstalled on its computers, major vulnerabilities were found in Lenovo’s System Update tool that could allow attackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands remotely.

What are the vulnerabilities?

1. Lenovo’s System Update software runs a service as SYSTEM and lets unprivileged local processes send it arbitrary commands to execute, a straightforward local privilege escalation.

2. Lenovo’s System Update software does not correctly validate the certificate authority that signed an update, so “updates” signed with attacker-created certificates are accepted and installed.

3. Lenovo’s System Update software downloads updates to a world-writable directory, creating a race condition between signature verification and execution of the saved file: anyone who can write to that directory can replace an already-verified update before it runs.
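To show why the third finding matters, here is an added example (my own code, not Lenovo’s updater or the researchers’ proof of concept) that models the race in Python: a verify-then-execute routine that re-opens a file in a shared directory, beside a version that stages the download in a private directory and verifies the same bytes it runs. The Authenticode check is replaced by a SHA-256 comparison against a trusted digest, and the update contents and file names are constructed stand-ins.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def verify(data: bytes, trusted_digest: str) -> bool:
    """Stand-in for the Authenticode check: is this exactly the payload we trust?
    (A real updater validates a signature chain; the race below is identical.)"""
    return hashlib.sha256(data).hexdigest() == trusted_digest


def run(data: bytes) -> str:
    """Stand-in for launching the downloaded binary: report which payload ran."""
    return data.decode()


def vulnerable_install(path: str, trusted_digest: str, attacker=None):
    """Verify-then-execute straight from the shared download directory.

    The file is opened once to verify it and opened again to run it, so anyone
    who can write to that directory can swap the file in between (TOCTOU).
    `attacker` is a hook standing in for a write that lands in that window."""
    with open(path, "rb") as f:
        if not verify(f.read(), trusted_digest):
            return None
    if attacker:
        attacker()                      # the verified file is replaced here
    with open(path, "rb") as f:         # second open: runs whatever is there now
        return run(f.read())


def hardened_install(path: str, trusted_digest: str, attacker=None):
    """Stage the download in a directory only this process can write, read it
    once, and verify and run those same bytes. A later swap in the shared
    directory cannot change what runs."""
    private = tempfile.mkdtemp()        # mkdtemp creates the directory mode 0700
    try:
        staged = os.path.join(private, "update.bin")
        shutil.copyfile(path, staged)
        with open(staged, "rb") as f:
            data = f.read()             # single read; no path is re-opened later
        if attacker:
            attacker()                  # same swap, now too late to matter
        if not verify(data, trusted_digest):
            return None
        return run(data)
    finally:
        shutil.rmtree(private, ignore_errors=True)


def is_world_writable(directory: str) -> bool:
    """The precondition for the race: other users may write to the download
    directory (POSIX mode bits here; on Windows check the directory's DACL)."""
    return bool(os.stat(directory).st_mode & stat.S_IWOTH)


def simulate_race() -> dict:
    """Constructed scenario, not a real update: a legitimate payload, and an
    attacker who overwrites it with a fake one during the verification window."""
    download_dir = tempfile.mkdtemp()
    os.chmod(download_dir, 0o777)       # model the world-writable download directory
    path = os.path.join(download_dir, "update.exe")
    legit, fake = b"legitimate-update", b"attacker-payload"
    trusted = hashlib.sha256(legit).hexdigest()

    def write(payload: bytes) -> None:
        with open(path, "wb") as f:
            f.write(payload)

    try:
        write(legit)
        vulnerable_ran = vulnerable_install(path, trusted, attacker=lambda: write(fake))
        write(legit)
        hardened_ran = hardened_install(path, trusted, attacker=lambda: write(fake))
        write(fake)
        tampered = hardened_install(path, trusted)   # fake from the start: rejected
        return {
            "download_dir_world_writable": is_world_writable(download_dir),
            "vulnerable_ran": vulnerable_ran,
            "hardened_ran": hardened_ran,
            "tampered_rejected": tampered is None,
        }
    finally:
        shutil.rmtree(download_dir, ignore_errors=True)


if __name__ == "__main__":
    print(simulate_race())
```

The point of the hardened version is not the copy itself but that the bytes verified and the bytes executed are the same object, held somewhere an unprivileged user cannot reach; a service running as SYSTEM should create that staging directory with an ACL that only it can write, rather than under a shared temporary or download folder.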

The company issued a patch last month that fixes the bugs, but users will need to download the update themselves.

Learn more in the news.

Recent Critical Vulnerability Alerts from Microsoft

Last week on Patch Tuesday, Microsoft disclosed and addressed four critical security bulletins: MS14-064, MS14-065, MS14-066 and MS14-067.

Let’s follow up on two of the more severe of these:

MS14-064: Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability

This bulletin refers to two vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS14-066: Microsoft Secure Channel (Schannel) Vulnerability

A critical vulnerability in Schannel, the security package that implements SSL and TLS on all supported versions of Microsoft Windows, could allow a remote attacker to execute arbitrary code by sending specially crafted network traffic to a vulnerable system. Microsoft’s bulletin describes the attack as sending specially crafted packets to a Windows server, so any Windows service that accepts SSL/TLS connections (a web server over HTTPS, for example) is exposed with no user interaction required; client versions of Windows are rated critical as well and must be patched too. According to the bulletin there are no known mitigations or workarounds, but the patch released last week addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets. Johannes Ullrich of the SANS Institute recommends patching as soon as possible: “My guess is that you probably have about a week, maybe less, to patch your systems before an exploit is released.”


Be sure to install the updates released last week by Microsoft on your Windows computer. Managed Windows machines and subscribers of MIT WAUS have received the patches already. You may be required to restart your computer after the installation.

Both vulnerabilities are explained in more detail in this news article.

Skype Fixes Password Reset Mechanism

Skype says it has fixed a flaw in its password reset mechanism; the vulnerability has been known for at least two months, but was not addressed until last week. The flaw allowed anyone who knew a Skype user’s email address to reset that person’s account password. Prior to fixing the problem, Skype disabled the password reset feature.

If you use Skype, you may now want to change your password.

Read the full story in the news.

Microsoft Security Updates for October 2012

Today, October 9, Microsoft will release seven security bulletins to address twenty vulnerabilities. One of the bulletins has the severity rating of critical, the other six are rated important. The updates will affect:

  • Microsoft Office
  • Microsoft Server Software
  • Microsoft Windows
  • Microsoft Lync
  • Microsoft SQL Server

None of the patches this month address vulnerabilities being exploited in the wild; all were privately reported vulnerabilities. The Office vulnerability could affect both Mac OS X and Windows users.

Microsoft will also release an update that deprecates X.509 certificates with RSA keys shorter than 1024 bits; once it is installed, Windows blocks such certificates. Organizations that still have legacy certificates with short keys in production may encounter issues.
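To find the certificates this update will block ahead of time, here is an added example (my own code, not Microsoft’s tooling) in Python that reads the RSA modulus length straight out of DER, so it can be run against certificates exported from a store or captured from a server without any third-party library. The sample “certificates” are synthetic skeletons built in the block with made-up moduli, and their names are hypothetical.

```python
# rsaEncryption OID 1.2.840.113549.1.1.1 in DER: the AlgorithmIdentifier that
# precedes every RSA public key in a certificate's SubjectPublicKeyInfo.
RSA_OID = bytes.fromhex("2a864886f70d010101")


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _find_rsa_key(buf, start, end):
    """Search for SEQUENCE { SEQUENCE { OID rsaEncryption, ... }, BIT STRING }
    (the SubjectPublicKeyInfo shape) and return the BIT STRING element."""
    for tag, vs, ve in _children(buf, start, end):
        if tag == 0x30:
            kids = list(_children(buf, vs, ve))
            if len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03:
                alg = list(_children(buf, kids[0][1], kids[0][2]))
                if alg and alg[0][0] == 0x06 and buf[alg[0][1]:alg[0][2]] == RSA_OID:
                    return kids[1]
        if tag & 0x20:                  # constructed (SEQUENCE, SET, [n]): descend
            found = _find_rsa_key(buf, vs, ve)
            if found:
                return found
    return None


def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a DER certificate or SubjectPublicKeyInfo,
    or None if no RSA key is present."""
    hit = _find_rsa_key(der, 0, len(der))
    if hit is None:
        return None
    # BIT STRING value = one unused-bits byte, then RSAPublicKey ::= SEQUENCE { n, e }
    _, seq_start, _ = _tlv(der, hit[1] + 1)
    _, n_start, n_end = _tlv(der, seq_start)
    return int.from_bytes(der[n_start:n_end], "big").bit_length()


def weak_rsa_keys(certs, minimum_bits=1024):
    """Names of certificates whose RSA modulus is shorter than minimum_bits."""
    weak = []
    for name, der in certs.items():
        bits = rsa_modulus_bits(der)
        if bits is not None and bits < minimum_bits:
            weak.append(name)
    return weak


# --- constructed sample input: synthetic moduli, not real keys or certificates ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep INTEGER positive


def make_rsa_spki(modulus, exponent=65537):
    """DER SubjectPublicKeyInfo for an RSA key with the given modulus."""
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    key = _der(0x03, b"\x00" + _der(0x30, _der_int(modulus) + _der_int(exponent)))
    return _der(0x30, alg + key)


def wrap_in_fake_cert(spki):
    """Skeleton with the nesting of an X.509 Certificate (tbsCertificate holding
    the SPKI, then signatureAlgorithm and signature) so the walker sees real shape."""
    tbs = _der(0x30, _der_int(1) + spki)
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00fake-signature"))


SAMPLES = {
    "legacy-intranet": wrap_in_fake_cert(make_rsa_spki((1 << 511) | 1)),    # 512 bits
    "current-www": wrap_in_fake_cert(make_rsa_spki((1 << 2047) | 1)),       # 2048 bits
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(name, rsa_modulus_bits(der))
    print("blocked after the update:", weak_rsa_keys(SAMPLES))
```

Feed it the DER bytes of each certificate (a .cer export of a store entry, or a PEM body base64-decoded) and anything reported by `weak_rsa_keys` will be rejected once the update is installed. The walker keys on the SubjectPublicKeyInfo shape rather than on fixed offsets, so extensions and version differences do not throw it off, and certificates with non-RSA keys return None and are left alone.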

Microsoft has also released a separate advisory alerting customers to compatibility issues affecting signed Microsoft binaries. The issue involves specific digital certificates that Microsoft generated without proper timestamp attributes. To address it, Microsoft is providing non-security updates (some of them re-releases) for supported releases of Windows; the update helps ensure compatibility between Windows and the affected software binaries.

Critical Zero-Day Bug Found in IE

Researchers uncovered active malware attacks that exploit a critical and previously unknown vulnerability in current versions of Microsoft’s Internet Explorer (IE) browser. The attacks install a backdoor Trojan when users browse a booby-trapped website with a fully patched Windows XP system running IE 7 or IE 8; the vulnerability also affects IE 9 on Windows Vista and Windows 7.

A Microsoft representative said that company engineers are investigating the reports and had no immediate comment. The article suggests that Windows users avoid IE until more is known about the vulnerability, and that Java be kept up to date, or uninstalled if no other software you use needs it.

Read the full article.

Microsoft XML Vulnerability

Attackers are actively exploiting a vulnerability in Microsoft XML Core Services (MSXML) 3.0, 4.0 and 6.0. The flaw was disclosed earlier this month with Microsoft’s scheduled security update. The company has not provided a patch, but did suggest workarounds, including a “Fix it” solution that prevents the flaw from being exploited on users’ computers.

The flaw, which is exploited through Internet Explorer (IE), is particularly dangerous because users need only visit compromised websites to become infected. At least two compromised sites have been detected: an aeronautical parts supplier and a medical company. Both are European companies.

Adobe Updates Multiple Vulnerabilities

Last week Adobe released Security Bulletin APSB11-30, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat. An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. Adobe Reader, which also installs a browser plug-in for opening PDF documents hosted on websites, is available for multiple web browsers and operating systems.

Systems affected:

  • Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
  • Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh

Risk to Macintosh and UNIX users is significantly lower than for Windows users. Windows users should update to Adobe Reader 9.4.7 and Adobe Acrobat 9.4.7.

The latest version of these products can be downloaded from the Adobe site here.

Note: Adobe Reader for Android and Adobe Flash Player are not affected by these issues.

Adobe plans to address the vulnerabilities in Reader X and Acrobat X as well as the vulnerabilities in the Macintosh and UNIX versions of Reader and Acrobat in the next quarterly security update, scheduled for January 10, 2012. Background on the release schedule for these patches is posted here.