Archive | February, 2012

WatchGuard Security Week in Review: Episode 6

Government Cyber Privacy Policy, Web Breaches, RSA Key Flaw Updates, and More

Are you sick of Anonymous-related news? Well, I am. In this week’s WatchGuard Security Week in Review, I purposely ignore Anonymous stories to talk about other security news. If you are interested in new government cyber policies, major web breaches, or FBI controlled malware networks, watch this week’s episode below.

If you’d rather read, the Episode Reference section contains links for this week’s stories. I’ve even thrown in links for this week’s Anonymous stories, even though I ignore them in the video.

As usual, we’d love to hear from you in the comment section, and feel free to share this video podcast with your friends if you like it. (Video Runtime: 9:23)

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 5

Lots of Patches, Big Nortel Breach, and More Anonymous Shenanigans

Are you ready for another week of software updates, Enterprise breaches, and hacktivist cyber-riots? If so, this week’s episode of WatchGuard Security Week in Review is hot off the NLE system. Watch it below, and tell us what you think in the comments section.

As usual, if you’d rather read then look at my ugly mug, see the Reference section below for links to all these stories. (Video Runtime: 8:50)

NOTE: Due to a rendering problem, the intro music is missing from this video. We will upload a corrected version shortly.

 

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Flash Update Plugs Zero Day XSS Hole and Others

Summary:

  • This vulnerability affects: Adobe Flash Player 11.1.102.55 and earlier, running on all platforms. This also affects the Android version of Flash.
  • How an attacker exploits it: By enticing your users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Though Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including some mobiles like Android.

In a security bulletin released yesterday, Adobe warned of seven vulnerabilities (based on CVE numbers) that affect Adobe Flash Player 11.1.102.55 and earlier running on all platforms (including Android). Adobe’s bulletin doesn’t describe the flaws in much detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit many of these unspecified vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

Adobe also warns that attackers are exploiting one of these flaws, a zero day XSS vulnerability, in the wild. If you use Adobe Flash Player in your network, we recommend you download and deploy the latest version throughout your network immediately to mitigate the risk of this current attack.

Solution Path

Adobe has released new versions of Flash Player (11.1.102.62 for computers and 11.1.11x.x for Androids) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately:

  • Download Flash Player for your computer [any platform]:

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify various Flash files:

File Extension:

  • .flv –  Adobe Flash file  (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio  file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

  • Hex FLV: 46 4C 56 01
  • ASCII FLV: FLV
  • Hex FLA:  D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives) 

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Grab Adobe’s Shockwave Update to Avoid Web-based Attacks

Summary:

  • This vulnerability affects: Adobe Shockwave Player 11.6.3.633 and earlier, running on Windows and Macintosh computers
  • How an attacker exploits it: By enticing your users into visiting a website containing a malicious Shockwave content
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (11.6.4.634) of Adobe Shockwave Player as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on hundreds of millions of PCs.

In a security bulletin released late Tuesday, Adobe warned of nine critical vulnerabilities that affect Adobe Shockwave Player 11.6.3.633 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail. For the most part, the flaws consist of memory related vulnerabilities, including heap buffer overflows and other memory corruption flaws. Though the flaws differ technically, they all share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version as soon as you can.

Solution Path

Adobe has released Shockwave Player version 11.6.4.634 to fix these security flaws. If you use Adobe Shockwave in your network, we recommend you download and deploy the updated player as soon as possible. You can get it from the link below.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Shockwave content. Keep in mind, doing so blocks all Shockwave content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Shockwave files:

File Extension:

  • .swf –  Adobe Shockwave files

MIME types:

  • application/x-shockwave-flash
  • application/x-shockwave-flash2-preview
  • application/futuresplash
  • image/vnd.rn-realflash

FILExt.com reported Magic Byte Pattern:

  • Hex: 46 57 53

(We believe this pattern is too short, thus prone to false positives. We don’t recommend you use it) 

If you decide you want to block Shockwave files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

Oracle Shores Up 14 Major Java Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: All versions of Sun Java Runtime Environment (JRE) and Java Development Kit (JDK) released before today
  • How an attacker exploits them: Typically by luring your users to a malicious web page containing specially crafted Java
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate JRE (or JDK) update as soon as possible

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters used today.

Yesterday, Oracle released a security alert warning of 14 vulnerabilities that affect all previous versions of Sun JRE (as well as Sun Java SDK) running on Windows, Solaris and Linux platforms. While the vulnerabilities differ technically, an attacker can exploit many of them in a similar manner – by enticing your users to a malicious web page containing specially crafted Java. In the worst case, if your users visit such a site, an attacker could leverage some of these Java flaws to execute code on those users’ computers, with their privileges. If your users have local administrative or root privileges, the attacker could potentially leverage these flaws to gain complete control of their machines.

Attackers are increasingly targeting Java vulnerabilities in drive-by download attacks — even more so than web browser flaws. For that reason, we consider this Java update as critical. If you have installed Java, which most users have, we recommend you download and install Oracle’s updates as soon as you can.

Solution Path:

Sun has released various JRE and SDK updates to correct these issues. If you use Sun JRE in your network, download and deploy the appropriate updates as soon as possible. You can find the updates in the “Patch Availability Table” within Oracle’s alert.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading Java applets from websites. However, doing so also cripples legitimate websites using Java applets. If you do not want to block Java applets, download the appropriate Sun JRE updates as soon as possible. Furthermore, blocking Java applets may mitigate the risk of some of these vulnerabilities, but not all of them. Oracle’s update is the best solution.

To learn how your Firebox’s HTTP proxy can block Java bytecode, see this help page.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at lsseditor@watchguard.com.

Need help with the jargon? Try the LiveSecurity Online Glossary.

Microsoft Office Updates Correct Sharepoint and Visio Flaws

Summary:

  • These vulnerabilities affect: SharePoint, SharePoint Foundation, and Visio Viewer 2010, which are all part of Microsoft’s Office suite of products
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web site or link, and enticing them to open malicious Visio files
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate SharePoint and Visio patches as soon as you can, or let Windows Update do it for you.

Exposure:

Yesterday, Microsoft released two Office-related  security bulletins describing eight vulnerabilities found in SharePoint, SharePoint Foundation, and Visio Viewer 2010 — all part of Microsoft’s Office suite of products. Microsoft rates both bulletins as Important. We summarize the bulletins below:

  • MS12-011: Three SharePoint XSS Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They both suffer from three  Cross-Site Scripting vulnerabilities (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to visit a malicious web page or into clicking a specially crafted link, an attacker could exploit any of these flaws to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Important.

  • MS12-015: Five Visio Viewer Memory Corruption Vulnerabilities

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams.  Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from five code execution vulnerabilities, all involving the way it handles specially crafted Visio documents. Though the flaws differ technically, they share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. These flaws only affect Visio Viewer 2010, not the commercial Visio product.

Microsoft rating: Important

Solution Path

Microsoft has released SharePoint and SharePoint Foundation patches that correct these vulnerabilities. You should download, test, and deploy the appropriate SharePoint patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

If you choose, you can configure the HTTP, SMTP, and FTP proxies on your XTM appliance to block Microsoft Visio documents from entering your network. Keep in mind, doing so blocks both legitimate and malicious Visio files. If your business regularly transfers Visio files outside your network, you may not want to block them with our appliance. However, if you can block them, it will help mitigate the risk of the Visio Viewer vulnerabilities until you are able to patch.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Visio files:

File Extensions:

  • .vsd – Visio Drawing files
  • .vst – Visio Template files
  • .vss – Visio Stencil files
  • .vdx – Visio XML Drawing files
  • .vtx  – Visio XML Template files
  • .vsx – Visio XML Stencil files

MIME types:

  • application/visio
  • application/x-visio
  • application/vnd.visio
  • application/visio.drawing
  • application/vsd
  • application/x-vsd
  • image/x-vsd
  • zz-application/zz-winassoc-vsd
  • application/x-visiotech

FILExt.com reported Magic Byte Pattern:

  • Hex: D0 CF 11 E0 A1 B1 1A E1 00

If you do decide you want to block Visio files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Microsoft has released SharePoint and Visio updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Six Windows Updates Fix Nine Security Vulnerabilities

Bulletins Affect .NET Framework, Kernel-Mode Drivers, Indeo Codec, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it. Also affects the .NET Framework and Silverlight
  • How an attacker exploits them: Multiple vectors of attack, including  luring your users to a malicious web site or enticing them to open malicious media or files.
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released six security bulletins describing nine vulnerabilities affecting Windows and components that ship with it. One of the bulletins also describes flaws in the .NET Framework and Silverlight, two optional yet popular Windows development frameworks.

Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-008: Two Kernel-Mode Driver Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers from two vulnerabilities. The worst is a serious code execution flaw, stemming from the kernel-mode driver’s lack of input validation when handling inputs passed from the Windows GDI. By enticing one of your users to either visit a malicious web site, open a specially crafted email, or run an evil program, an attacker could exploit this flaw to gain complete control of your Windows computer. This is a very serious flaw, which you should patch as quickly as possible.

Microsoft rating: Critical

  • MS12-013: Msvcrt.dll Buffer Overflow Vulnerability

Msvcrt.dll is a Dynamic Link Library (DLL) that many of Windows’ system level components call on to perform routine tasks. It suffers from an unspecified buffer overflow vulnerability. By enticing you to open a specially crafted media file (either via email or the web), an attacker can exploit this flaw to execute code on your computer with your privileges. If you are a local administrator, the attacker gains full control of your PC.

Microsoft rating: Critical

  • MS12-016: Two .NET Framework Code Execution Flaws

The .NET Framework is software framework used by developers to create new Windows and web applications. The .NET Framework and SilverLight suffers from two code execution vulnerabilities. Though the two issues differ technically, they share the same scope and impact. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage this to gain full control of their computers. This flaw can also affect Web servers and sites that use .NET Framework or Silverlight elements, as well as any custom .NET-based programs, which you might develop and run in house. In short, if you’ve installed the .NET framework on your servers or clients, you should update them.

Microsoft rating: Critical

  • MS12-009: Two Ancillary Function Driver EoP Vulnerabilities

The Ancillary Function Driver (AFD) is a Windows component that helps manage Winsock TCP/IP communications. It suffers from two local elevation of privilege (EoP) issues. By running a specially crafted application, an attacker can leverage either flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important.

  • MS12-012: Color Control Panel Insecure Library Loading Vulnerability 

Windows 7 ships with various “Desktop Experience” features, including the Color Control Panel. Windows Server 2008 and Server 2008 R2 do not install these Desktop Experience features by default, but  they do offer them as options. Unfortunately, the Server 2008 version of the Color Control Panel suffers from a Dynamic Link Library (DLL) loading class of vulnerability that we’ve described in many previous Microsoft alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location as a specially crafted, malicious DLL file. If you do open the booby-trapped file, it will execute code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. In this particular case, the vulnerability is triggered by files types associated with the Color Control Panel–specifically .ICM and .ICC files.  This flaw only affects  Windows Server 2008 and Server 2008 R2 users who have installed the optional Color Control Panel feature.

Microsoft rating: Important.

  • MS12-014Windows XP Indeo Codec Insecure Library Loading Vulnerability 

The Indeo codec is a legacy video codec that Windows uses to play specifically compressed and formatted videos. The Indeo codec that ships with Windows XP suffers from an insecure library loading vulnerability exactly like the one described above. The only difference is that an attacker would have to entice you to download an .AVI file from the same location as a malicious DLL. This flaw only affects Windows XP.

Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below should take you directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. Furthermore, WatchGuard’s proxy policies can block some of the content necessary to exploit some of these flaws. That said, our appliances cannot protect you from local attacks. You should install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Patch IE To Avoid Drive-by Downloads

Severity: High

Summary:

  • This vulnerability affects: All current versions of Internet Explorer, running on all current versions of Windows (to varying extents)
  • How an attacker exploits it: By enticing one of your users to visit a malicious web page
  • Impact: Various; in the worst case an attacker can execute code on your user’s computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes four new vulnerabilities in Internet Explorer (IE) 9.0 and earlier versions, running on all current versions of Windows. Microsoft rates the aggregate severity of these new flaws as Critical.

The four vulnerabilities differ technically, but two of them share the same general scope and impact. These two issues involve memory corruption flaws related to the way IE mishandles various HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit either of these vulnerabilities to execute code on that user’s computer by inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker gains complete control of your users’ computers.

This update also fixes two less severe information disclosure vulnerabilities, which you can read more about in Microsoft’s bulletin.

Today’s attackers commonly hijack legitimate web pages and booby-trap them with malicious code. Often, even recognizable and authentic websites get hijacked in this way, and are forced to deliver drive-by download attacks. To avoid these types of attacks, we recommend that you install Microsoft’s IE updates as quickly as you can.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.

This link takes you directly to the “Affected and Non-Affected Software” section of Microsoft’s IE bulletin, where you can find links for the various IE updates.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the internet. Therefore, the patches above are your best solution.

Generally, our IPS, AV, and Reputation Enabled Defense (RED) services can help protect you against this class of attack.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Updates Prevent Drive-by Downloads and Malicious Media

Happy Valentine’s Day and happy Microsoft Patch Day. Microsoft has posted their bulletins for February, so drop those chocolates and start patching.

Microsoft delivered on our expectations and released nine security bulletins today, covering flaws in Windows, Internet Explorer (IE), Office, and the .NET framework. They rate four of the bulletins as Critical.

Microsoft’s updates fix a wide range of security issues, from web browser flaws that could allow attackers to launch drive-by download (DbD) attacks (see this DbD video), to media handling vulnerabilities that could allow movies to install malware. I’d recommend that you apply today’s updates as quickly as you can.

In general, the severity order Microsoft lists in their summary bulletin is good. The only change I might make is to install the IE update first. Right now attackers love to target our web browsers and the third party plug-ins they use. If I were to prioritize all patches, I’d focus first on my browser and Adobe additions, like Flash and Reader. After you’ve installed the IE patch, follow with the Windows updates by severity, and finish with the .NET and Office patches.

As usual, don’t forget to test the updates before deploying them; especially ones you apply to critical production servers.

I’ll post more detailed alerts about these flaws, and how to fix them, shortly. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 4

FBI Call Eavesdropping, Stolen Source Code, and Windows Patches

Phew! This was one busy week for security. There were at least four big breaches, many software security updates, and quite a few other security stories I didn’t have time to cover. Check out this week’s episode of WatchGuard Security Week in Review for the highlights.

If you’d rather read about these big security stories, see the Reference section below the video.

Finally, I’d love to hear from you. Let me know if there are stories I should have covered, if there are ways I can make these weekly highlights more useful, and also feel free to share this video and blog with your friends. (Video Runtime: 7:25)


Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Follow

Get every new post delivered to your Inbox.

Join 7,580 other followers

%d bloggers like this: