Archive | February, 2011

WatchGuard Releases Fireware XTM 11.3.3 for e-Series Appliances

WatchGuard is very pleased to announce that Fireware XTM 11.3.3, the latest operating system for our Firebox X e-Series appliances, is now available for download.

XTM 11.3.3 is a maintenance release that demonstrates WatchGuard’s commitment to quality, with a significant number of bug fixes and enhancements.

Please note, the 11.3.3 firmware is only intended for e-Series hardware. XTM appliance owners should install 11.4, or continue using 11.3.2 or lower. There is no new WatchGuard System Manager release for Fireware XTM v11.3.3. You can use either WatchGuard System Manager v11.4 or WatchGuard System Manager v11.3.2 to connect to a Firebox e-Series device that runs Fireware XTM v11.3.3, although you must use WatchGuard System Manager v11.4 if you want to configure FireCluster in drop-in mode.

XTM 11.3.3’s primary enhancements include:

  • Ability to configure proxy settings from the Fireware XTM Web UI
  • Support for active/passive FireCluster in drop-in mode (with 11.4 WSM only)

Some XTM 11.3.3 fixes of note include:

  • The OpenSSL package used on Firebox devices has been upgraded to 0.9.8o to resolve several reported vulnerabilities.
  • Server load balancing  and policy-based routing no longer stops working when your LiveSecurity subscription expires.
  • Single Sign-On accuracy and scalability has been improved.
  • You can now import the WatchGuard Products MIB without errors.
  • XTM 11.3.3 now includes CLI commands that enable you to see the number of concurrent connections through your Firebox.
  • You can now use addresses from a drop-in network as Mobile VPN (IPSec and SSL) pool addresses.
  • File transfer through the SIP proxy no longer fails in hairpin configurations.
  • You can now bridge wireless to a trusted or optional interface that is bridged to another trusted or optional interface.
  • WatchGuard log traffic, syslog traffic, and Single Sign-On authentication requests are now correctly routed through VPN tunnels.
  • …and many other fixes — please see the Release Notes for complete details.

If you’re an active e-Series LiveSecurity subscriber, you can upgrade to Fireware XTM 11.3.3 free of charge.

NOTE: Besides posting Software Update announcements to the WatchGuard Security Center, we typically also email Software Update alerts directly to our customers base. However, due to some list maintenance, we may not be able to send our typical direct announcement for awhile.

Does This Release Pertain to Me?

Fireware XTM 11.3.3 is a maintenance release that contains a significant number of bug fixes and enhancements. If you have any Firebox e-Series appliances, and wish to take advantage of any of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.3.3. However, XTM appliance owners should not install 11.3.3, but rather stick with 11.4 or earlier 11.3.x releases. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

Firebox e-Series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Software Downloads web page, which also includes clear installation instructions. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

The HBGary vs. Anonymous Saga: What can we learn?

If you follow security news, then you’ve surely heard about the recent drama between “Anonymous” and the HBGary security firm (more on who Anonymous is below), which took place over the past few weeks. While I’ve personally followed this fiasco with great interest, I’ve avoided commenting about it here, since most of our customers and readers are network administrators who are more concerned with practical business solutions than melodramatic cyber-quarrels. However, recently I read a fantastic article sharing the technical details of the HBGary breach, which I believe is a must-read for any computer security practitioner.

I’ll come back to that article in a minute, but first let me summarize the Anonymous/HBGary saga for those that may not have heard about it (if you have heard about it, feel free to skip to “Learning from Others’ Mistakes”).

I assume most of you are aware of the Wikileaks Cablegate story, since it’s made worldwide news. You know, that incident where Wikileaks — a non-profit organization that shares private or classified information with the press — publicly released some embarrassing U.S. diplomatic cables and royally peeved off the U.S. government. I don’t really want to recap the whole Wikileaks incident. I only bring it up to remind you that some camps oppose Wikileaks’ mission of “outing” sensitive information, while others camps fully endorse it.

Enter the mysterious Internet entity called “Anonymous.”

Who are Anonymous?

If you follow technology news, you’ve probably heard the “Anonymous” name in headlines before. They’re a group attributed for a wide-range of Internet incidents; from attacking Scientology to YouTube porn day (and many in between). However, in my talks with peers, I’ve found that many IT folks don’t really know who or what “Anonymous” is. Some may imagine “Anonymous” as a specific group of attackers, but that’s not really the case.  In a nutshell, Anonymous is a random group of users tied strongly with popular image forums, like 4chan.

Occasionally, this group of random anonymous users decides to take on some fight, and loosely organizes what is essentially a virtual flash mob. For example, someone might post that they dislike Scientology, and ask other users to start figuring out ways to mess with Scientology, online. From there, chaos ensues. This means, the “Anonymous” group is not a specific group of people; rather it is a random group of users that happens to rally behind one cause or another; in other words, “hacktivists.”

Over the last few weeks, Wikileaks was one of those causes. I won’t pretend to speak for Anonymous, but I think it’s pretty safe to say that most 4chan users are pro-Wikileaks. Once the U.S. government started going after Wikileaks and its founder, an “Anonymous” group formed to start “fighting back” in Operation Avenge Assange. Using some very basic attack tools (Low Orbit Ion Canon), Anonymous began launching fairly successful Distributed Denial of Service (DDoS) attacks against various high-profile targets like Visa and MasterCard.

What’s this have to do with HBGary?

That’s the background story, but you might now be wondering where HBGary comes into the situation. HBGary is a security company that provides various security services to customers. It also has an offshoot company called HBGary Federal, which provides those services to the government.

Early on in the Wikileaks battle, HBGary threw its gauntlet into the fight, going after Wikileaks donors. Furthermore, the COO of HBGary Federal, Aaron Barr, thought it would be interesting to infiltrate the Anonymous group and try to find who its leaders were (assuming it has any). He seems to have attempted this by lurking on forums and IRC. Eventually, Barr started sharing his findings with the press, and intended to present them at a security conference. This, of course, set Anonymous off. They had a new target and cause… take out HBGary.

And that they did! Not to mince words, but Anonymous pretty much decimated HBGary’s defenses one brick at a time. By leveraging some very basic security issues in a number of systems, Anonymous was able to deface HBGary’s web site, delete 1 TB of backups, and steal tens of thousands of critical and sensitive emails (including some very embarrassing ones). I’ll get into more detail on how Anonymous did this below, but suffice to say a company, especially one focused on security, couldn’t suffer a more embarrassing public breach. In fact, HBGary was so affected by this attack that they even pulled out of the RSA conference.

So now you’re up-to-date with HBGary internet soap-opera, but why should you care? Well, this incident leads to a fairly obvious question. How did a respected security firm get hacked so quickly and easily?

Learning from Others’ Mistakes

That’s brings us full circle, to the article I mentioned at the beginning of this post. Last week, Ars Technica published an article detailing exactly how Anonymous broke into HBGary’s network (which they learned by talking to those who participated in the attack). This real world incident is a perfect example of how seemingly small chinks in different parts of your defenses can add up to gaping holes that totally compromise your system. Furthermore, it illustrates how not following some of the most basic best practices could land you in a heap of trouble. If you haven’t read the article, I highly recommend you go do so now. I’ll wait…

Ok, you’re back?

As you read, HBGary surprisingly fell victim to some of the most basic security mistakes one could make. To accomplish all of the mayhem I mentioned earlier, Anonymous’ attack included the following components:

  • A SQL injection on a badly coded custom CMS
  • A cracking attack (using rainbow tables) on badly encrypted passwords
  • The discovery of some embarrassingly weak passwords used by high value targets
  • The discovery of rampant password reuse (again, by high value targets)
  • An elevation of privilege attack due to an very unpatched system
  • …and some basic social engineering

None of those attacks are new, nor particularly extraordinary or complex.  In fact, some are as old as hacking itself. All security professionals know basic security best practices to safeguard against them. That’s why this incident should wave a big red flag in the security community. How could such a well-respected security firm, who knows the right things to do, fall victim to such basic attacks? In his article, Peter Bright offers a potential answer to that question. He suggests that, “the standard advice isn’t good enough.”

I don’t think Bright means that the industry’s best practices are wrong; especially considering he also says standard advice would have protected HBGary. Rather, I believe Bright means that if our standard advice is too hard or time consuming for normal people to follow, they will ignore it. I agree with this sentiment. Few will follow technically sound best practices if they are impractical.

Let’s take the whole password reuse issue. Every security practitioner knows you should not reuse the same password at multiple sites. If you do reuse your password and an attacker gains access to it via one insecure site, then the attacker has the keys to your entire kingdom. Obviously, you should use different passwords everywhere, which is the industry best practice. However, following this best practice isn’t easy. At the very least, it takes extra time and thought. Most normal users don’t know about the password vault or keychain software that might help them manage multiple passwords, Even when they do, users don’t always use them because they adds extra steps, or roadblocks to their daily processes. As a result, many people reuse passwords.

This is the crux of the problem; the industry’s technically correct advice may not be “good enough” if normal people find it impractical. Security experts, in their white towers, often forget that security is not the core mission of most businesses. Many administrators consider security a necessary chore; something they have to do, but don’t really want to spend time on. The average user cares even less. No one like roadblocks that make doing their job harder, and users often see security controls as roadblocks.

Unfortunately, there is no easy answer to this dilemma. In order to secure things, you have to put access controls in front of them. However, I see Bright’s comment as a call to arms for the security industry. The best security mechanism in the world won’t do a thing if your users turn it off.  So we need to design our security controls with ease of use in mind, which is something WatchGuard is focused on. We need to protect networks, while still facilitating business.

My second takeaway seems obvious in its simplicity, yet many people don’t really do it. That is, “Do what you know.” Over the last few years, my cohorts and I have ended many of our security presentations sharing a statistic we learned from a study done by the Verizon RISK team. Over the years, the RISK team has researched real world security breaches to study why the breach happened, and how it could have been prevented. They found that in almost 90% of the cases, the victim organization had the proper policies and technologies to have prevented the breach; they just didn’t follow their own policies, or configure their technology properly. This is what happened with HBGary. They obviously know how to prevent the simple attacks that succeeded against them; they just didn’t.

I’m not pointing fingers at HBGary. As the Verizon RISK team found, it seems like most organizations don’t follow through with best security practice. However, if we want to avoid security incidents, this is something we need to improve. When I was a kid, I remember fondly watching the G.I. Joe cartoon that always ended by saying, “and knowing is half the battle.” We need to remember that doing what you know is the other, arguably more important, half of that battle.

Learn from HBGary, and do what you know.

Critical Oracle (Sun) Java Update Closes 21 Holes

Severity: High

16 February, 2011

Summary:

  • These vulnerabilities affect: All versions of Sun Java Runtime Environment (JRE) and Java Development Kit (JDK) released before 14 February, running on Windows, Solaris, and Linux platforms
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate JRE (or JDK) update as soon as possible

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Most operating systems today implement a Java interpreter to recognize and process Java code from websites and other sources. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

Yesterday, Oracle released a security alert warning of 21 vulnerabilities that affect all previous versions of Sun JRE (as well as Sun Java SDK) running on Windows, Solaris and Linux platforms. While the vulnerabilities differ quite a bit technically, an attacker can exploit many of them in a similar manner – by enticing your users to a malicious web page containing specially crafted Java. In the worst case, if your users visit such a site, an attacker could leverage some of these Java flaws to execute attack code on your user’s computer. If your user has local administrative privileges, the attacker could potentially leverage these flaws to gain complete control of that user’s machine. Some of the other vulnerabilities allow an attacker to launch Denial of Service attacks or to expose sensitive information on your users’ computer.

Recently, attackers have increasingly targeted new Java vulnerabilities to leverage in their drive-by download attacks. For that reason, we consider this Java update fairly critical. If you have installed Java, which most users have, we recommend you download and install Oracle’s updates as soon as you can.

Solution Path:

Sun has released various JRE and SDK updates to correct these issues. If you use Sun JRE in your network, download and deploy the appropriate updates as soon as possible:

Previous releases of Java have reached end of service life (EOSL) or end of life. For more information about these releases, see this page.

Note: Your Sun JRE client may also automatically inform you of an update. If it does, be sure to let it install this update for you.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading Java applets from websites. However, doing so also cripples legitimate websites using Java applets. If you do not want to block Java applets, download the appropriate Sun JRE updates as soon as possible. Furthermore, blocking Java applets may mitigate the risk of some of these vulnerabilities, but not all of them. Sun’s update is the best solution.

To learn how to use your Firebox’s HTTP proxy to block Java applets, see the “Deny Java Applets” section of the HTTP Proxy Advanced FAQ.

Status:

Sun has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at lsseditor@watchguard.com.

Need help with the jargon? Try the LiveSecurity Online Glossary.

Zero Day SMB Vulnerability Affects Windows Server 2003 and XP

Yesterday, a gray hat going by the alias Cupidon-3005 posted details about a zero day Windows SMB vulnerability that could potentially allow attackers to gain control of fully patched Windows Server 2003 and XP computers. Microsoft is currently investigating this surprise release, but hasn’t had time to post an early Security Advisory about the issue yet, let alone deliver a patch.

Specifically, the vulnerability involves a buffer overflow flaw within the SMB component’s mrxsmb.sys file. By sending a specially crafted browser election request packet containing an overly long server name, an attacker could exploit this flaw to either crash your computer, or execute code on it, potentially gaining complete control of your PC.

Since Microsoft just learned of this flaw on the 15th, they haven’t had time to release a patch yet. However, your WatchGuard firewall can help. By default, our appliances block SMB and broadcast traffic (the exploit leverages broadcast requests), which prevents Internet-based attackers from leveraging this flaw against you (assuming you haven’t opened SMB ports, which you should never do). That said, worms quite regularly rely on SMB vulnerabilities to help them automatically spread within networks, once they infect the first victim. So in general, I consider SMB vulnerabilities high risk. I’ll continue to monitor Microsoft’s investigation into this flaw, and will post updates when they release any workaround or patch.

[UPDATE]: In a blog post, Microsoft claims that though theoretically possible, they believe it’s impractical for attackers to leverage this flaw to execute code. As such, they believe it primarily represents a DoS risk. Other security researchers have been quick to point out that attackers have figured out way to leverage impractical vulnerabilities in the past, though. Microsoft has still not released a patch, and based on their severity analysis of this flaw, they likely will not release any rushed out-of-cycle patch either.

Corey Nachreiner, CISSP

Cupidon-3005

Adobe Drops Reader, Shockwave, and Flash Updates on Patch Day

Severity: High

10 February, 2011

Summary:

  • These vulnerabilities affects: Recent versions of Adobe Reader, Acrobat, Shockwave, Flash, and ColdFusion
  • How an attacker exploits it: In various ways, but most commonly by enticing your users into visiting a website containing malicious Flash, Reader, or Shockwave content
  • Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you use these popular Adobe products, you should download and install their various updates as soon as possible.

Exposure:

Sharing the same day as Microsoft’s Black Tuesday (the second Tuesday of the month), Adobe’s quarterly Patch Day often gets buried under the flood of Microsoft’s updates. Nonetheless, attackers have increasingly targeted flaws in 3rd party programs, which makes Adobes’ numerous patches just as important.

On Tuesday, Adobe released four security bulletins, which included updates to fix several security vulnerabilities in many of their popular applications. The affected software includes Reader, Acrobat, Shockwave Player, Flash Player, and Coldfusion. We summarize these four bulletins below.

  • APSB11-01: Shockwave Update Fixes 21 Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin warns of 21 security vulnerabilitys that affect Shockwave Player 11.5.9.615 and earlier for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail. It only describes the nature and basic impact of each flaw. For the most part, the flaws consist of unspecified memory corruption vulnerabilities. Though these flaws differ technically, most of them share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.
Adobe Severity: Critical

  • APSB11-02 : Flash Update Corrects 13 Security Flaws

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia stats that 99% of Windows computers have Adobe Flash Player installed, so you users very likely have it.

Adobe’s update fixes 13 security vulnerabilities in Flash Player (for Windows, Mac, Linux, and Solaris), which they don’t describe in much technical detail. However, they do describe the general scope and impact of these flaws. In the worst case, if an attacker can lure one of your users to a malicious website, they could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.
Adobe Severity: Critical

  • APSB11-03: Reader Update Patches 29 Security Flaws

Adobe’s Reader bulletin describes 29 security vulnerabilities (number based on CVE-IDs) that affect Adobe Reader X and Acrobat X and earlier, running on Windows, Mac, and UNIX computers. The flaws differ technically, but consist mostly of various code execution flaws, which share the same general scope and impact. In the worst case, if an attacker can entice one of your users into downloading and opening a maliciously crafted PDF document (.pdf), he can exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Last year, we predicted that attackers would increasingly target third-party applications, like Adobe Reader. This prediction has proven true, with many confirming that Adobe Reader is the most exploited application by attackers. For those reasons, we highly recommend you download and install these Reader updates immediately.
Adobe Severity: Critical

  • APSB11-04: ColdFusion Hotfix Corrects Five Vulnerabilities

Adobe ColdFusion is an application server that allows you to develop and deploy web applications.

According to Adobe, ColdFusion 9.0.1, running on all platforms (Win, Mac, and UNIX) suffers from five security vulnerabilities, the worst being a few Cross-Site Scripting (XSS) vulnerabilities that could potentially allow attackers to steal cookies or hijack sessions of users that visit your site. ColdFusion isn’t the most popular server out there, so I don’t expect many of our customers to be affected by these particular flaws.
Adobe Severity: Important

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading certain types of files via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of some of these vulnerabilities by blocking various Adobe-related files using your Firebox’s proxy services. Such files include, .PDF, .SWF, .DIR, .DCR, and .FLV. That said, many websites rely on these files to display interactive content. Blocking them could prevent some sites from working properly. Furthermore, many businesses rely on PDF files to share documents. Blocking them would affect legitimate files as well. For that reason, we recommend the updates above instead.

Nonetheless, if you choose to block some Adobe files, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block files by their file extensions:

Status:

Adobe has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

More alerts and articles: log into the LiveSecurity Archive.

Two Visio Code Execution Vulnerabilities

Severity: Medium

8 February, 2011

Summary:

  • This vulnerability affects: Visio 2002, 2003, and 2007 (not 2010)
  • How an attacker exploits it: By enticing one of your users into opening a maliciously crafted Visio document
  • Impact: An attacker can execute code, potentially gaining complete control of your users’ computers
  • What to do: Deploy the appropriate Visio patch as soon as possible, or let Windows Update do it for you

Exposure:

Microsoft Visio is a very popular diagramming application, which many administrators use to create network diagrams.

In a security bulletin released today, Microsoft describes two security vulnerabilities that affect all current versions of Visio (but not the standalone viewer application). Though technically different, both vulnerabilities share the same scope and impact: By enticing one of your users into downloading and opening a maliciously crafted Visio document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path:

Microsoft has released patches to fix these vulnerabilities. You should download, test, and deploy the appropriate Visio patch as soon as possible, or let Windows Update do it for you.

For All WatchGuard Users:

If the practice fits your business environment, you can use the HTTP, SMTP, and/or POP3 proxies to block Visio documents with the .VSD extension. However, using this method blocks all such files, both malicious and legitimate. If you would like to use our proxies to block Visio documents, follow the links below for instructions:

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

More alerts and articles: Log into the LiveSecurity Archive.

Nine Windows Bulletins Correct 15 Security Vulnerabilities

Malicious Thumbnails and Fonts Help Attackers Hack Windows

Severity: High

8 February, 2011

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files, or visiting malicious websites or file shares
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released nine security bulletins describing 15 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS11-006: Windows Shell Graphic Processor Buffer Overflow Vulnerability

The Windows Shell Graphic Processor is one of the Windows components that helps present and organize the Windows User Interface (UI) . It suffers from a buffer overflow vulnerability having to do with its inability to handle specially crafted thumbnail images. By luring one of your users into opening a file share, UNC path, or WebDAV location that contains a maliciously crafted thumbnail, an attacker could leverage this flaw to gain complete control of that user’s computer. This flaw does not affect Windows 7 or 2008 R2.
Microsoft rating: Critical

  • MS11-007: OpenType Font CFF Driver Code Execution Vulnerability

Windows ships with many fonts, including the OpenType Compact Font Format (CFF) font. Unfortunately, the driver that helps Windows display the OpenType CFF font doesn’t properly validate certain parameter values. Attackers can exploit this flaw in one of two ways, depending on whether they are targeting newer or older versions of Windows. Against older versions of Windows (XP and 2003) an attacker would need to run a specially crafted program on one of your Windows computers in order to gain complete control of that system, regardless of the attacker’s original user privileges. The attacker needs to have local access to one of your computers in order to run his malicious program. However, newer versions of Windows (Vista, 2008, 7) have an auto preview feature that will automatically preview fonts in a directory. By luring one of your users into opening a file share that contains a maliciously crafted OpenType font, an attacker could leverage this flaw to gain complete control of newer Windows computers.
Microsoft rating: Critical

  • MS11-005: Windows 2003 Active Directoy DoS Vulnerability

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with server versions of Windows. It suffers from a Denial of Service (DoS) vulnerability involving specially crafted requests to update the service principal name (SPN). By sending such malicious requests, an attacker could leverage this flaw to cause your domain controller to downgrade to NTLM authentication, or in some cases stop responding totally. However, the attacker would need valid user credentials, and local access to your network in order to leverage this vulnerability. It primarily poses an internal risk. Furthermore, the flaw only affects the 2003 Server versions of Windows.
Microsoft rating: Important

  • MS11-010: CSRSS Local Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It does not properly terminate user processes when a user logs off a system. By running a specially crafted program, an authenticated attacker could leverage this flaw run a malicious monitoring program that would continue to run even after the attacker logged off the system. This program could obtain the credentials of a privileged users, thus allowing the attacker to elevate his privileges. However, the attacker would first need to gain local access to a Windows computer using valid credentials (Guest access would work) in order to exploit this flaw. The flaw only affects Windows XP and Server 2003 computers.
Microsoft rating: Important.

  • MS11-011 & MS11-012: Multiple Kernel-related Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. The Windows kernel and this kernel-mode driver suffer from multiple elevation of privilege vulnerabilities. Though these flaws differ technically, most of them share the same scope and impact. By running a specially crafted program, an attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws.
Microsoft rating: Important

  • MS11-013: Kerberos Elevation of Privilege Vulnerabilities

Kerberos is one of the authentication protocols the server versions of Windows use. It suffers from an elevation of privilege vulnerability due to its support of weak hacking mechanisms like CRC32. By installing a specially crafted service, an attacker could leverage this flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws,. The Windows Kerberos component also suffers from a spoofing flaw which an attacker could leverage in a Man-in-the-Middle attack to impersonate another user.
Microsoft rating: Important.

  • MS11-014: LSASS Elevation of Privilege Vulnerability

The Local Security Authority Subsystem Service (LSASS) is a Windows component that handles security policy and authentication tasks for Windows. LSASS suffers from a elevation of privilege vulnerability caused by its inability to handle specially crafted authentication requests. By running a malicious application, an authenticated attacker could exploit this flaw to elevate his privileges, and gain complete control of your computer. Of course, the attacker would need valid credentials and access to your Active Directory server in order to exploit this vulnerability. It primarily poses an internal threat. Furthermore, the flaw only affects Windows XP and Server 2003.
Microsoft rating: Important.

  • MS11-009: Scripting Engines Information Disclosure Vulnerability

VBScript and JScript are both scripting languages created by Microsoft, and used by Windows and its applications. The scripting engine that processes those types of scripts suffers from a memory corruption vulnerability involving the way it decodes specially crafted script. This memory corruption flaw can result in randomly leaked information. By enticing one of your users to a malicious web page, an attacker could leverage this flaw to read data which was not intended to be disclosed. However, the random nature of that data somewhat mitigates the risk of this flaw. This flaw only affects Windows 7 and Server 2008 R2.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-006:

* Note: Server Core installations not affected.

MS11-007:

* Note: Server Core installations not affected.

MS11-005:

MS11-010:

MS11-011:

MS11-012:

MS11-013:

MS11-014:

MS11-009:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall could help mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.

IIS FTP Service Buffer Overflow Vulnerability

Severity: High

8 February, 2011

Summary:

  • This vulnerability affects: The IIS FTP service running on Windows Vista, 2008, 7, and 2008 R2
  • How an attacker exploits it: By sending a specially crafted FTP command
  • Impact: In the worst case, an attacker gains complete control of your IIS server
  • What to do: Deploy the appropriate IIS update immediately, or let Windows Automatic Update do it for you

Exposure:

Internet Information Services (IIS) is the popular web and ftp server that ships with all server versions of Windows.

In a security bulletin released today as part of Patch Day, Microsoft describes a serious vulnerability that affects the optional FTP server that comes with the latest versions of IIS. Specifically, the IIS FTP service suffers from a buffer overflow vulnerability involving the way it handles a specially crafted FTP commands (or more specifically, specially encoded characters in an FTP response). By sending such a malformed FTP command, an attacker could exploit this vulnerability to either put your FTP server into a Denial of Service (DoS) state, or to gain complete control of it. An attacker does not have to authenticate to your FTP server to launch this attack.

However, IIS does not install or start the IIS FTP service by default. You are only vulnerable to this attack if you have specifically installed and started this service. That said, many administrators do enable IIS’s FTP service in order to give web administrators an easy way to update their web sites. If you are one of those administrators, you should consider this flaw a serious risk.

Researchers have already publicly released Proof-of-Concept (PoC) exploit code demonstrating the DoS version of this flaw. Whether or not you are using the IIS FTP service, we still recommend you download, test and install this update as soon as you can. Being a critical server update, we highly recommend you test it on non-production servers before pushing it to your real web site.

Solution Path:

Download, test, and deploy the appropriate IIS patches immediately, or let Windows Automatic Update do it for you.

For All WatchGuard Users:

This attack leverages seemingly normal FTP response traffic. You should apply the updates above.

Status:

Microsoft has released patches to fix this vulnerability

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

More alerts and articles: Log into the LiveSecurity Archive.

Cumulative IE Update Fixes Four Code Execution Flaws

Severity: High

8 February, 2011

Summary:

  • This vulnerability affects: All current versions of Internet Explorer, running on all current versions of Windows
  • How an attacker exploits it: Typically, by enticing one of your users to visit a malicious web page
  • Impact: In the worst case an attacker can execute code on your user’s computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes four new vulnerabilities in Internet Explorer (IE) 8.0 and earlier versions, running on all current versions of Windows (including Windows 7 and Windows Server 2008). Researchers reported two of the new vulnerabilities privately to Microsoft, while the other two were disclosed publicly. They rate the aggregate severity of these new flaws as Critical.

The four vulnerabilities differ technically, but all of them share the same general scope and impact. The majority of them involve memory corruption issues having to do with how IE handles various HTML  objects, including Cascading Style Sheets (CSS). If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these four vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker gains complete control of the victim’s computer. Attackers often leverage these type of code execution vulnerabilities to launch Drive-by Download attacks.

Keep in mind, today’s attackers commonly hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and XSS attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

More alerts and articles: Log into the LiveSecurity Archive.



Microsoft Black Tuesday: A dozen bulletins fix 22 vulnerabilities (but not the zero day MHTML flaw)

As expected, Microsoft posted their first big patch day of 2011 today (the last one was small). Unfortunately, the dozen security updates they released do not fix the unpatched MHTML flaw, which I mentioned in last week’s early notification. Even so, the released updates fix many serious flaws. You should start upgrading as soon as you can.

According to their Bulletin Summary for February, Microsoft released 12 security updates, which fix 22 vulnerabilities in Windows, Internet Explorer (IE), Visio, and Internet Information Services (IIS). The highlights include:

  • A Critical, cumulative IE update
  • An Important IIS patch, which fixes a FTP-related code execution flaw
  • Nine updates for Windows and components that ship with it; two Critical and the rest Important
  • And an Important Visio update

As usual, you should install the Critical updates first, as they tend to fix vulnerabilities that remote attackers can leverage to execute code on affected machines. That said, Important updates often fix serious vulnerabilities too; though ones that typically require more user-interaction or affect services not installed by default. I recommend you take the Important updates just as seriously as you do the Critical ones.

As usual, Microsoft has arranged their Bulletin Summary in order of severity, so you could certainly install them in that order. Personally, though, I would install the IE update first, as the web is currently the biggest vector of attack. Next, I would consider installing the FTP-related IIS update. Microsoft only rates this update as Important, but I suspect they do so only because IIS doesn’t start the FTP service by default. However, if you do use the IIS FTP service, this update fixes a pretty significant flaw. After that, make your way through the Windows updates, starting with the Critical ones. Finally, finish off with the Visio patches, if you use that popular diagramming tool. As always, I recommend you test Microsoft’s patches on non-production machines before deploying them throughout your network – mostly when updating servers, such as IIS.

We will post more detailed information about these flaws, and how to fix them, in alerts posted to the WatchGuard Security Center, shortly. However, due to internal scheduling and travel, we will post these alerts later in the day than normal. Until then, I recommend you expand the “Affected Software and Download Location” section of the Summary to find solution information and get a head start with your patching. Corey Nachreiner, CISSP

Follow

Get every new post delivered to your Inbox.

Join 7,560 other followers

%d bloggers like this: