EMET, AV Disclosure Leak Plugged in IE

Microsoft patched a disclosure leak in Internet Explorer that revealed whether EMET or other antimalware protections were running on a compromised computer.

The Operation SnowMan espionage campaign, which targeted military intelligence earlier this year via an Internet Explorer zero day, exposed a weak spot in Microsoft’s vulnerability management efforts. What was unique about the SnowMan operation is that it included a check as to whether the compromised computer was running Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), and if so, the attack would not execute.

As it turns out, attackers were taking advantage of an information disclosure bug that revealed whether EMET and other antimalware protections were active. Today, Microsoft took steps to close that gap in its latest cumulative update for IE.

The critical patch is one of four released today by Microsoft as part of its monthly Patch Tuesday security bulletins. The IE update patches 37 vulnerabilities, including the publicly known disclosure bug. The three remaining bulletins, for .NET, Windows Task Scheduler and Microsoft Lync, were rated important by Microsoft and likely don’t result in remote code execution.

EMET is a free toolkit provided by Microsoft that midmarket and enterprise IT shops can deploy as a temporary stopgap for a zero-day vulnerability being exploited in the wild. The toolkit provides a host of exploit mitigations that protect against common memory corruption vulnerabilities. The vulnerability patched in IE allows resources loaded into memory to be queried, Microsoft said, giving an attacker a heads-up as to what protections are running on a machine.

The IE patch, MS14-052, is the highest priority bulletin for IT shops this month, experts said.

“This patch is Microsoft’s attempt to limit the capability of exploit kits that have been identified as using an information disclosure technique to determine if particular security software were installed,” said Craig Young, a security researcher with Tripwire. “The flaw allows a malicious website to determine if a software package is installed by querying the availability of a DLL used by that software. Information regarding active security products on a target is very useful for an attacker; it allows them to avoid raising alarms by sending detectable payloads.”

The update also patches vulnerabilities in the browser going back to IE6 running on Windows Server through current versions.

The next bulletin worth watching, experts said, is MS14-054, a privilege escalation vulnerability in Task Scheduler. To exploit the bug, an attacker would need valid credentials and local access to an affected system.

The vulnerability affects Windows 8, Windows 8.1, Windows RT and Windows RT 8.1, as well as Windows Server 2012 and Windows Server 2012 R2.

“MS14-054 should also be high on IT admins’ patch list as Microsoft expects to see reliable task scheduler exploits developed within a month,” Young said. “Successful exploitation of this vulnerability would allow any user to take complete control of the affected system.”

Microsoft also patched a denial-of-service vulnerability in its .NET framework. MS14-053 affects most versions of .NET, and also affects ASP.NET installations if it’s enabled on IIS.

“If left unpatched, remote un-authenticated attackers can send HTTP/HTTPS requests to cause resource exhaustion which will ultimately lead to a denial-of-service condition on the ASP.NET web server,” said Amol Sarwate, director of vulnerability labs at Qualys.

The final bulletin, MS14-055, patches three denial-of-service vulnerabilities in Microsoft’s messaging server, Lync.

“The security update addresses the vulnerabilities by correcting the way Lync Server sanitizes user input and by correcting the way Lync Server handles exceptions and null dereferences,” Microsoft said in its advisory.

Microsoft also updated three security advisories today:

  • Advisory 2871997 updates credential protection and domain authentication controls for Windows 7 and Windows Server 2008 R2. The update ensures credentials are cleaned up immediately rather than when a new Kerberos TGT ticket has been obtained.
  • Advisory 2905247 is an update for Microsoft ASP.NET that patches a privilege elevation vulnerability in an ASP.NET view state that was made available last December. As of today’s update, the security update is available via Microsoft Update in addition to the Download-Center-only option provided in December.
  • Advisory 2755801 is an update for Adobe Flash Player in Internet Explorer versions running on Windows 8 and Windows 8.1. Today’s update is for IE 10 on Windows 8, Windows Server 2012 and Windows RT, and IE 11 on Windows 8.1, Windows Server 2012 R2 and Windows RT 8.1.
