Posts tagged Windows

6 min Metasploit

Flipping bits in the Windows Kernel

Recently, the MS15-061 bulletin has received some attention. This security bulletin includes patches for several Windows Kernel vulnerabilities, mainly related to win32k.sys. Details of one of them, discovered by Udi Yavo, have been very well covered. First, the same Udi Yavo published details about the Use After Free on a blog entry [http://breakingmalware.com/vulnerabilities/class-dismissed-4-use-after-free-vulnerabilities-in-windows/] . Later, Dominic Wang [https://twitter.com/d0mzw] wrote a

4 min Microsoft

From Windows to Office 365: Detecting Intruder Behavior in Microsoft Infrastructures

Microsoft infrastructures have traditionally been on-premise. This is about to change as Microsoft is getting incredible traction with Office 365 deployments. As the corporate infrastructure is changing, many security professionals are concerned about security and transparency of their new strategic cloud services and need to change their incident detection and response programs. This blog post is a quick introduction to this topic. If you're interested in more info, check out our webcast Increa

4 min Microsoft

Microsoft Attack Surface Analyzer (ASA): It's for defenders too!

Attack Surface Analyzer [http://www.microsoft.com/en-us/download/details.aspx?id=24487], a tool made by Microsoft and recommended in their Security Development Lifecycle Design Phase [http://www.microsoft.com/en-us/sdl/default.aspx], is meant primarily for software developers to understand the additional attack surface their products add to Windows systems. As defenders, this tool can be very useful. The tool is meant to identify changes on a system that can have an impact on security, such as

20 min Metasploit

A debugging session in the kernel

Last week, an awesome paper [https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/] about the MS15-078 vulnerability and its exploitation was published by Cedric Halbronn [https://twitter.com/saidelike]. This vulnerability, originally found and exploited by Eugene Ching [https://twitter.com/eugeii], already has a work-in-progress module in Metasploit, which you can follow on github [https://

5 min Exploits

Revisiting an Info Leak

Today an interesting tweet [https://twitter.com/Laughing_Mantis/status/631170614720462848] from Greg Linares [https://twitter.com/Laughing_Mantis] (who has been posting awesome analysis on twitter lately!) came to our attention, concerning the MS15-080 [https://technet.microsoft.com/en-us/library/security/ms15-080.aspx] patch: This patch (included in MS15-080) may have been intended to stop one of the Windows kernel bugs exploited by Hacking Team. But, after our analysis, it appears that there is

3 min Microsoft

Update Tuesday, August 2015

This month's update includes 14 Microsoft security bulletins (52 CVEs), with three being rated as critical. One of these vulnerabilities, affecting MS Office (MS15-081), has already been detected as being exploited in the wild. As per the norm, Adobe has also released a high priority Air\Flash security patch (APSB15-19) to address 34 CVEs on multiple affected platforms (IE, Edge, Windows, Macintosh, Android and iOS). Microsoft seems to have implemented a new strategy for Windows 10, as the

9 min Windows

Reducing Windows Attack Surface with User Rights Assignment

As we know, attackers leverage legitimate credentials to move through systems, escalate privileges or get access to data. Managing privileged accounts such as administrator accounts, shared accounts and service accounts is a difficult problem to solve. Even if service account passwords are managed securely, they still remain at risk of being compromised through exploitation of services using them, lack of support for encrypted configuration files on some systems, pass-the-hash attacks, or the

2 min Microsoft

A Closer Look at February 2015's Patch Tuesday

This month's Patch Tuesday covers nine security bulletins from Microsoft, including what seems like a not-very-unusual mix of remote code execution (RCE) vulnerabilities and security feature bypasses. However, two of these bulletins – MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] – require a closer look, both because of the severity of the vulnerabilities that they address and the changes Mi

8 min Windows

12 Days of HaXmas: Does it Blend Like a Duck?

This post is the fifth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014. Writing portable software is not hard. It's just like walking through a minefield! Getting to the other side, that's the tricky part. Sure, if you target C, Unix-like systems and GCC or LLVM, you may not run into too many hassles these days. There are still a few annoying differences between BSDs and Linux, but POSIX a

6 min Haxmas

12 Days of HaXmas: MS14-068, now in Metasploit!

This post is the first in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2014. Hello everyone and Happy HaXmas! In November of 2014, a really interesting vulnerability was published on Microsoft Windows Kerberos, maybe you have already heard about it... MS14-068 [https://technet.microsoft.com/en-us/library/security/ms14-068.aspx]. Microsoft published a blog post [http://blogs.technet.com/b/srd/archive/2014/1

2 min Windows

Mitigating Service Account Credential Theft

I am excited to announce a new whitepaper, Mitigating Service Account Credential Theft [https://hdm.io/writing/Mitigating%20Service%20Account%20Credential%20Theft%20on%20Windows.pdf] on Windows. This paper was a collaboration between myself, Joe Bialek of Microsoft, and Ashwath Murthy of Palo Alto Networks. The executive summary is shown below, Over the last 15 years, the Microsoft Windows ecosystem has expanded with the meteoric rise of the internet, business technology, and computing in gene

3 min Metasploit

Federal Friday - 4.11.14 - Another Quiet Week...

Can you believe how quiet it was this week? Nothing going on, everyday slowly dragging on, the tick, tick tick of the clock getting louder and louder by the second. Reminds me of the late-night drip from your faucet but more annoying because you're stuck at work. Oh wait, totally forgot this was a cybersecurity blog and mistook it for my crochet blog. You, much like us here at R7, were probably pretty busy this week. In that case let me officially say, happy freaking Friday, Federal friends! I'

3 min Microsoft

It's the end of XP as we know it, April Patch Tuesday 2014, and, oh yeah... heartbleed.

So this is it, the last hurrah for the once beloved XP, the last kick at the can for patching up the old boat. Sure, by today's standards it's a leaky, indefensible, liability, but… hey, do you even remember Windows 98? Or (*gasp*) ME? At least we can all finally put IE 6 to rest, once and for all, the final excuse for corporate life-support has been pulled… except for legacy apps built so poorly that they depend on IE 6 and are “too costly” to replace. As everyone should know by now, ther

2 min Metasploit

Federal Friday - 3.21.14 - A Day of Reckoning

Friday at last... Hello federal friends! I'm pleased to announce that the sun is setting here in Boston at 6:58pm tonight and there is major League Baseball being played this weekend. Spring officially happened yesterday which should make those of you in DC put Monday's snow-day out of sight and out of mind. Did my ominous title catch your attention? Don't worry, this is not the end of times, or even the end of days [http://www.imdb.com/title/tt0146675/] for that matter (thank goodness) and mo

3 min Microsoft

Patch Tuesday, Sept 2013

September's Patch Tuesday is live! The 14 bulletins predicted were cut to 13, with the .NET patch landing on the cutting room floor. A patch getting pulled after the advance notice is up usually indicates that late testing revealed an undesired interaction with another product or component. The 13 remaining bulletins are split 7/6 between the MS Office family and Windows OS patches, if we are counting the Internet Explorer patch as part of the OS patching, anti-trust lawsuits notwiths