Archive | September, 2011

Reader and Acrobat Updates Correct 13 Security Flaws

Summary:

  • This vulnerability affects: Adobe Reader and Acrobat X 10.1 and earlier, on Windows, Mac, as well as Reader 9.4.2 for  UNIX
  • How an attacker exploits it: Typically, by enticing your users into viewing a maliciously crafted PDF document
  • Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
  • What to do: Install Adobe’s Reader and Acrobat X 10.1.1 update as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

As part of their quarterly patch day cycle (which shares the same date as Microsoft Patch Day), Adobe released a security bulletin describing 13 security vulnerabilities (number based on CVE-IDs) that affect Adobe Reader and Acrobat X 10.1 and earlier, running on Windows and Mac, as well as Reader 9.4.2 for UNIX. The flaws differ technically, but consist primarily of buffer overflow and  memory corruption vulnerabilities, and share the same general scope and impact.

In the worst case, if an attacker can entice one of your users into downloading and opening a maliciously crafted PDF document (.pdf), he can exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. Keep in mind, Reader installs helpers in your browser to help it view PDF documents. Simply visiting a web site with a malicious embedded PDF document could trigger this type of attack.

Lately, attackers have leveraged Reader vulnerabilities in many of their email and web-based malware campaigns. We highly recommend you patch these Reader flaws as soon as possible.

Solution Path

Adobe has released Reader and Acrobat X 10.1.1 to fix these vulnerabilities. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you. Adobe plans to release Reader 9.4.6 for UNIX on November 7, 2011. So you UNIX users will have to wait for their patch.

For All WatchGuard Users:

Many WatchGuard Firebox models can block incoming PDF files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PDF files are not absolutely necessary to your business, you may consider blocking them using the Firebox’s proxies until the patch has been installed.

If you would like to use our proxies to block PDF documents, follow the links below for instructions:

Status:

Adobe has released patches that correct these vulnerabilities.

References:

Windows Updates Fix WINS Issues & Insecure DLL Loading Vulnerability

Severity: Medium

12 July, 2011

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted WINS messages and enticing users to open malicious documents
  • Impact: Various. In the worst case, an attacker can gain control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing a couple of vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity (according to Microsoft’s summary).

  • MS11-070: WINS Elevation of Privilege Vulnerability

Windows Internet Name Service (WINS) is essentially Microsoft’s version of the NetBIOS Name Service (NBNS) — a service that allows you to give computers human friendly names (kind of like a DNS for your local network computers). According to Microsoft, the WINS service suffers from a elevation of privilege flaw due to its inability to properly handle specially crafted WINS messages on the loopback interface. By sending such WINS packets, an attacker can leverage this flaw to force your WINS server to execute code with SYSTEM privileges, thus gaining full control of the server. However, certain factors significantly mitigate the scope of this flaw:

  1. The attacker needs valid Windows credentials to exploit this flaw
  2. The attack only works locally (not over a network), since it involves the loopback interface.

  Microsoft rating: Important

  • MS11-071  Another Insecure DLL Loading Vulnerability

Over the past year, Microsoft has contended with various “insecure Dynamic Link Library (DLL) loading” vulnerabilities affecting many of their products. This class of flaw is also sometimes referred to as a binary planting flaw. We first described this issue in a September Wire post, which describes this Microsoft security advisory. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of malicious file from the same location as a specially crafted DLL file. If you do open the malicious file, it will execute code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. This new bulletin fixes yet another insecure DLL loading issue. This time, an attacker can trigger the latest issue by enticing you to open, .rtf, .txt, or .doc documents.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-070:

MS11-071:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Furthermore, the Firebox cannot protect you from local attacks. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.

Office Document Parsing Problems Cause a Predicament

Severity: High

13 September, 2011

Summary:

  • These vulnerabilities affect: Most current versions of Microsoft Office and its components, as well as Office SharePoint and Groove servers and products.
  • How an attacker exploits it: Typically by enticing one of your users to open a malicious Office document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft Office updates as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released three security bulletins describing flaws in Office and it’s components, as well as vulnerabilities in the Office SharePoint and Groove servers and products.

Two of the three bulletins describe seven document handling vulnerabilities found in Office and Excel for Windows or Mac. Though technically different, all of these document handling vulnerabilities share the same general scope and impact.  If an attacker can entice one of your users into downloading and opening a maliciously crafted Office document, he can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

According to Microsoft’s bulletins, an attacker can exploit these flaws using many different types of Office documents, including Excel, Word, and PowerPoint files. Also, some of these issues involve the insecure DLL loading vulnerability that Microsoft has contended with the past year. In those cases, an attacker would have to entice your user to open a document in the same location as a malicious DLL file; somewhat mitigating the risk of the attack.

If you’d like to learn more about the individual document handling flaws, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS11-072: Five Excel Code Execution Vulnerabilities, rated Important
  • MS11-073: Two Office Code Execution Vulnerabilities, rated Important

Microsoft also released a security bulletin detailing six vulnerabilities affecting their SharePoint, Groove, and Forms products. Most of the six flaws are Cross-Site Scripting (XSS) vulnerabilities, which allow attackers to elevate their privileges. More specifically, the attacker might leverage these flaws to execute scripts, launch commands, or perform operations under the context of an authenticated SharePoint victim. Of course, the attacker would have to entice his victim into clicking a specially crafted link or URL for this sort of attack to succeed.

Solution Path

Microsoft has released patches for Office, and the SharePoint and Groove products, to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you. For simplicity sake, we highly recommend letting Windows update select the updates you need if possible.

MS11-072:

Updates for:

MS11-073:

MS11-074:

Due to the complex selection of  update, we recommend you see the “Affected Software” section of Microsoft’s SharePoint and Groove bulletin to find the appropriate set of patches you need to apply. Better yet, Microsoft’s automatic update can apply the correct set of updates for you.

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Office documents, most organizations need to allow them in order to conduct business. Therefore, the patches above are your best recourse.

That said, if you want to block Office documents, you can use the HTTP, SMTP, and/or POP3 proxies to block documents by extension (such as .xls, .doc, .ppt, etc…). However, doing so blocks both malicious and legitimate file.

If you would like to use our proxies to block Office documents, follow the links below for instructions:

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: Updates for Mangled Office Documents and Malicious WINS Messages

Unless you’re one of the eagle-eyed viewers that caught Microsoft’s slip last Friday, today is the first day you get to see this month’s batch of MS product patches. As expected, Microsoft only released five Important updates for Windows and Office products this month. While none of the updates fix overly critical issues, I’d still recommend you try to install them at your earliest convenience.

I suspect the two Office bulletins (which fix flaws in the way Office parses documents, like Excel files) pose the greatest risk. Unfortunately, users often seem to fall for the “good old”  malicious Office document trick. That’s why, you should probably install these two Office related updates first — assuming you use Office applications. I’d then follow up with the two Windows updates, one of which fixes another one of those insecure DLL loading vulnerabilities that Microsoft has contended with the past year or so. Finally, if you use SharePoint, be sure to install its patch as well.

You can learn more about today’s updates in Microsoft’s September summary bulletin. As is normally the case with Microsoft updates, you should probably test the patches before deploying them in your production network — especially the ones that affect server software.

We’ll post more detailed alerts about  Microsoft’s, and how to fix them, very shortly.  – Corey Nachreiner, CISSP

Five Microsoft Bulletins Expected for September Patch Day

Tomorrow, Microsoft plans to launch Patch Day for the month of September. It appears relatively minor, especially when compared to last month.

According to their Advanced Notification post for September, Microsoft will only release five bulletins, fixing vulnerabilities in Windows and Office. None of the bulletins are Critical; Microsoft rates them all as Important.

Though Important bulletins fix less dangerous vulnerabilities than Critical bulletins do, the different between these severity ratings tends to have less to do with how much access an attacker gains, but rather more to do with how much user interaction the attack requires. In other words, Important updates still often fix flaws that could allow remote attackers to gain access to your system, only they typically rely on more user interaction to do so. My point is, you’ll still probably will want to install these Important updates as soon as Microsoft releases them.

I’ll know more about these bulletins on Tuesday, September 13. Be sure to return here tomorrow to hear more. — Corey Nachreiner, CISSP (@SecAdept)

More Fraudulent Digital Certificates Leak Online

Back in March, a trusted Root Certification Authority (CA), Comodo, accidentally issued nine fraudulent digital certificates for some very popular domains. Unfortunately, the past has repeated itself,  this time with a CA called DigiNotar.

If you’ve followed security news over the last few weeks, you’ve likely heard that a Dutch CA called DigiNotar has mistakenly issued over 200 fraudulent certificates to Iran (the certs were for Google, Mozilla, Yahoo, and Tor domains). DigiNotar claims the false certificates issuance was due to an intrusion into their CA infrastructure, and they claim to have since revoked the false certificates. However, experts have learned that DigiNotar issued many more fraudulent certificates than they first admitted.

As mentioned in our Comodo post, when you visit sites, digital certificates help ensure that the site you visit really is the one you think it is. Phishers often try to spoof popular sites in order to steal your credentials. Digital signatures can help prevent this by informing you when a site has an improper certificate, which doesn’t match the domain. However, these falsely issued certificates can allow attackers to leverage them to either create very convincing spoofed sites for the affected domains, or to help them carry out Man-in-the-Middle (MitM) attacks, even when valid certificates are required.

Though DigiNotar claims to have revoked the fraudulent certificates, OS vendors have released patches that either ensure these certificates are revoked, or removes DigiNotar from the list of trusted root CAs. Depending on your OS, I recommend you install the corresponding updates below, to protect yourself from these false certs:

Also, if your web browser supports Online Certificate Status Protocol (OCSP), you can enable it so your browser protects you from sites leveraging these false certificates.

Finally, if you use on of WatchGuard’s appliances, you can also enable OCSP in our HTTP-proxy. Simply enable the setting,  “Use OCSP to confirm the validity of certificates.” Our appliances also trust the same root authorities that most web browsers do; so we include DigiNotar in our list of trusted CAs. If you do not want to trust DigiNotar any longer (despite them revoking the false certs), go to Firebox System Manager and click View => Certificates. Then delete the DigiNotar certificate from your trusted list.

If you follow these workarounds, the fraudulent DigiNotar certificates shouldn’t affect you or your network.

For more information about this issue, see the resources below:

Corey Nachreiner, CISSP (@SecAdept)


Follow

Get every new post delivered to your Inbox.

Join 7,671 other followers

%d bloggers like this: