Win XP patched to avert new outbreaks spawned by NSA-leaking Shadow Brokers

(credit: Microsoft)

On Tuesday, Microsoft took the highly unusual step of issuing security patches for XP and other unsupported versions of Windows. The company did this in a bid to protect the OSes against a series of "destructive" exploits developed by, and later stolen from, the National Security Agency.

By Ars' count, Tuesday is only the third time in Microsoft history that the company has issued free security updates for a decommissioned product. One of those came one day after last month's outbreak of the highly virulent "WCry" ransom worm, which repurposed NSA-developed exploits. The exploits were leaked by the Shadow Brokers, a mysterious group that somehow got hold of weaponized NSA hacking tools. (WCry is also known as "WannaCry" and "WannaCrypt.")

Tuesday's updates, this updated Microsoft post shows, include fixes for three other exploits that were also released by the Shadow Brokers. A Microsoft blog post announcing the move said the patches were prompted by an "elevated risk of destructive cyberattacks" by government organizations.

Read 8 remaining paragraphs | Comments

20-year-old Windows bug lets printers install malware—patch now

Enlarge (credit: Vectra Networks)

For more than two decades, Microsoft Windows has provided the means for clever attackers to surreptitiously install malware of their choice on computers that connect to booby-trapped printers, or other devices masquerading as printers, on a local area network. Microsoft finally addressed the bug on Tuesday during its monthly patch cycle.

The vulnerability resides in the Windows Print Spooler, which manages the process of connecting to available printers and printing documents. A protocol known as Point-and-Print allows people who are connecting to a network-hosted printer for the first time to automatically download the necessary driver immediately before using it. It works by storing a shared driver on the printer or print server and eliminates the hassle of the user having to manually download and install it.

Researchers with security firm Vectra Networks discovered that the Windows Print Spooler doesn't properly authenticate print drivers when installing them from remote locations. The failure makes it possible for attackers to use several different techniques that deliver maliciously modified drivers instead of the legitimate one provided by the printer maker. The exploit effectively turns printers, printer servers, or potentially any network-connected device masquerading as a printer into an internal drive-by exploit kit that infects machines whenever they connect.

Read 10 remaining paragraphs | Comments

December Patch Tuesday avalanche of patches includes leaked Xbox certificate

(credit: CyberHades)

Today, Microsoft issued three new security advisories and a dozen new patches in the company’s monthly round of security updates. And one of the advisories was apparently the result of a security fumble by Microsoft's internal IT team—the inadvertent disclosure of the private encryption keys for a wildcard SSL/TLS certificate.

The certificate, which was used for Microsoft's domain, has been revoked on Microsoft's Certificate Trust list, but it could potentially be used to attack systems that haven't been updated in man-in-the-middle attacks that "spoof" the Xbox Live network. Microsoft isn't saying how the certificate was "inadvertently disclosed", but it's likely that the "wildcard" certificate was accidentally shared with a partner. It's unlikely that the certificate will be used for an attack now that it's been revoked, but systems that don't regularly get their certificate trust lists updated might still be vulnerable.

System administrators have a bigger headache to deal with: an update issued today for Microsoft Windows DNS that patches a remote code execution vulnerability. Rated "critical" by Microsoft, the bug in DNS affects Windows Server 2008 and later. It could allow an attacker to send a "specially-crafted" Domain Name Service request to a Windows DNS server that can run commands on the server with the permissions of the Local System account—giving the attackers a wide range of access to the server that could easily be escalated.

Read 1 remaining paragraphs | Comments

Patch Tuesday patches FREAK, Universal XSS

Today's bumper crop of updates for Windows and other Microsoft products doesn't just fix a new version of the Stuxnet shortcut attack. It also provides fixes to two serious flaws, one in the operating system's handling of secure connections and the other in Internet Explorer.

First up is a fix for the FREAK attack that lets miscreants trick software into using crackable encryption. Windows was initially believed to be immune to the attack, but a couple of days after it was publicized, Microsoft announced that its software was vulnerable, though the company did not explain what it had learned or why Windows was initially believed to be safe.

Today the company issued a patch for SChannel, the Windows component that's responsible for handling the details of SSL and TLS connections. This sheds a little light on why Windows might have been overlooked at first; it suggests that Windows can be tricked into using weak encryption even after agreeing to use strong encryption. The update fixes the hole and, accordingly, software that uses SChannel. This category includes Internet Explorer and most built-in Windows features, but it excludes Chrome and Firefox, which have their own SSL and TLS code.

Read 2 remaining paragraphs | Comments