Archive | May, 2012

What is the “Flame” Worm and Should I Worry About It?

If you’ve followed security or technical news over the last few days, you’ve probably heard about the “Flame” worm. This interesting new piece of malware belongs to a class of attack called an Advanced Persistent Threat (APT), and it’s making headlines worldwide. As a result, many of you may be wondering whether or not this nasty-sounding malware will affect your organization. My short answer is, “probably not,” but read on to learn more.

Let’s start with the basics. Kaspersky Labs — one of WatchGuard’s Antivirus (AV) partners — was one of the first to discover and analyze the “Flame” worm (Worm.Win32.Flame). According to their analysis so far, Flame is one of the largest and most complex malware samples they have ever seen. As such, they haven’t finished their full investigation of this malware, but here’s a quick summary of what they know so far:

  • Flame is primarily an information stealing toolkit and backdoor trojan, but it also has worm-like capabilities that allow it to spread over local networks and USB storage.
  • Its information stealing capabilities include network sniffing, keystroke logging, screenshot snapping, and even audio recording. It also can collect data about Bluetooth devices in the vicinity. It shares all this stolen data over an encrypted Command and Control (C&C) channel.
  • It is one of the largest pieces of malware Kaspersky has seen, at around 20MB, and it contains over 20 different modules. Its author also created it using a scripting language (Lua) that malware writers don’t typically use.
  • Rather than running as an executable file like typical malware, Flame loads itself as a number of malicious DLL files at boot.
  • Kaspersky believes the author originally created the malware in 2010.
  • Flame is targeted. Its infections seem limited to various organizations in Middle Eastern countries, with a primary focus on Iran. It also does not appear to have spread widely (under 400 known infections).

All that said, one thing we don’t know yet is how Flame initially infects its victim. Since this is a very targeted attack, I doubt Flame’s initial infection vector is automated in any way, nor launched on a massive scale. Rather, the attackers probably directly target specific organizations, and may even leverage different infection vectors for each target. If you add up all these facts, you can probably see why many experts consider Flame an APT attack similar to Stuxnet and Duqu. While none of the researchers analyzing this malware can prove it yet, most suspect that a nation-state actor created the Flame malware for cyber-espionage.

This brings us back to our original question, “Should I worry about the Flame malware?” Unless you’re an administrator at a state- or education-related organization in the Middle East, Flame will probably never directly affect you. So, no. I don’t think typical organizations have anything to worry about from Flame. Furthermore, now that AV organizations have identified Flame, they have released signatures to detect and remove its known variants. If you use any of the top AV products, and keep those products up-to-date, you are protected from Flame infections. More specifically, if you’re a WatchGuard customer, our XCS and XTM appliances will protect you from the Flame worm. We partner with both Kaspersky and AVG to deliver Gateway Antivirus to these appliances, and both our partners have signatures to detect Flame.

From a security industry perspective, Flame is a very interesting malware sample. It leverages more advanced attack techniques than typical malware and likely comes from a nation-state attacker, which is why it has garnered so much media attention. However, Flame is probably not going to directly affect normal organizations. If you’ve been worried about this headline-grabbing worm, you can probably stop. Even if this targeted attack started affecting organizations outside the Middle East, WatchGuard and Antivirus products have you covered.  — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 19

Facebook Malware, SecurID Hack, and DoJ Breach

Another week, another security summary video… This week, I clue you in on two new Facebook-related malware attacks, some new research that allows local attackers to clone SecurID tokens, and a major Anonymous-related breach that has put 1.7 gigabytes of Department of Justice data into the hands of the public. Watch the video below for details on these stories and more.

If you have no time for video, you’ll also find links to all this week’s stories in the Reference section below, where you can pick and choose whichever topics interest you. Leave your comments if you have any, and I’ll see you again next week.

(Episode Runtime: 9:27)

Direct YouTube Link: http://www.youtube.com/watch?v=MIdAGH4p0hk

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Announces Fireware XTM 11.5.3 Update 1

Available for All XTM Appliances

WatchGuard has released Fireware XTM OS v11.5.3 Update 1. This update is for appliance software only, and is intended to improve stability and provide additional key bug fixes for all XTM customers. For a list of issues resolved in Update 1, see the Resolved Issues section of our Release Notes. We recommend that administrators of XTM appliances running v11.5.3 update to v11.5.3 Update 1 to take advantage of these fixes.

There are no updates to WatchGuard System Manager or any auxiliary software (such as Mobile VPN client software, Single Sign-On software, etc.). You can find more information about this update, and the issues it corrects, in the Release Notes.

Does This Release Pertain to Me?

Fireware XTM 11.5.3 Update 1 is designed to increase the stability of your XTM appliance, and to improve our product based on customer feedback. If you manage an XTM appliance running Fireware XTM OS v11.5.3 or earlier, we recommend you download and install v11.5.3 Update 1. Please read the Release Notes before you upgrade to understand what’s involved.

How Do I Get the Release?

XTM appliance owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. Fireware XTM OS v11.5.3 Update 1 only updates the appliance software. You do not have to update WatchGuard System Manager, or any auxiliary software.

As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

WatchGuard Security Week in Review: Episode 18

AusCERT 2012, QuickTime Updates, and a New Zeus Variant

This week’s “on the road” edition of WatchGuard Security Week in Review comes to you from the sunny Gold Coast of Australia, where I’ve spent the week learning about the latest mobile attacks, cloud threats, and SCADA security issues with the vibrant Australian security community. In this week’s video podcast, I quickly summarize a few of the presentations I saw at AusCERT this year.

Of course, normal security news continued marching along despite my little jaunt to the land down under. So I also cover this week’s important software updates, some new malware variants, and a potentially catastrophic antivirus update mistake. If you’re ready to catch up on the week’s most interesting security stories, check out the video below.

If you’d like to read the original sources for many of these stories, be sure to check out the Reference section. Also, make sure to post any feedback or questions in the comments section below, and share this podcast with your friends if you like it. Cheers!

(Episode Runtime: 5:35)

Direct YouTube Link: http://www.youtube.com/watch?v=KI9astTaRjU

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 17

Twitter Hacks, Gas Pipeline Cyber Attacks, and FBI Wiretaps

Though the primary theme for this week was, “patch, patch, patch,” I saw many other interesting, non-update related security stories in the news as well. This week’s vlog packs all those stories into a brisk eight and a half minutes. Topics include:

  • Highlights on Microsoft, Adobe, and Apple security updates
  • FBI lobbying for online wiretaps
  • Warnings of Gas Pipeline Cyber Attacks
  • Some new Geo-aware malware
  • A seemingly big Twitter breach
  • Some hacker arrests

For details on all these stories, and a few security tips along the way, check out the latest WatchGuard Security Week in Review video below.

As always, if you don’t have time for a video but want to check out individual stories later, you can find links to all the issues I cover in the “Reference” section at the end of this post. You can also let us know what you think about this video series in the comments section.

Finally, I’m attending AusCERT, a security conference in Australia, next week. Though I plan to release an episode next week, I will either post it significantly earlier or later than normal, due to the time zone difference. So keep your eyes peeled for next week’s episode, but don’t expect it at the regular time.

(Episode Runtime: 8:31)

Direct YouTube Link: http://www.youtube.com/watch?v=guqTuUatEwc

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Apple OS X Patch Corrects Clear Text Password Issue

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.6.x (Snow Leopard) and OS X 10.7.x (Lion).
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into visiting a malicious web site, or into downloading and viewing various image or media files.
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer. Attackers could combine these issues to gain full control of your Mac.
  • What to do: OS X administrators should download, test and install OS X 10.7.4 or Security Update 2012-002 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Late yesterday, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 36 (number based on CVE-IDs) security issues in 19 components that ship as part of OS X or OS X Server, including QuickTime, the Kernel, Time Machine, and many others. Some of the corrected vulnerabilities include:

  • Local FileVault Password Disclosure Vulnerability. FileVault is the OS X component that encrypts files on a Mac, while Login Window is the component that allows you to log in to your Mac. Earlier this week, researchers disclosed a flaw in Apple’s FileVault that potentially exposes your password locally. The researcher found that when you upgrade OS X Snow Leopard to OS X Lion, the upgrade process sets a debug flag, which results in your passwords being stored in a local log file, in clear text. This means anyone with local access to that Mac can see the passwords for everyone who has logged into that system. Today’s Login Window update corrects this issue, preventing your passwords from being stored in this file. However, it does not clear out any existing passwords already in the log. To learn how to manually clear these logs, see this article.
  • Multiple ImageIO Buffer Overflow Vulnerabilities. ImageIO is one of the components that helps OS X handle and display various images. It suffers from four security vulnerabilities (two being buffer overflow vulnerabilities) involving the way it handles TIFF image files. Though these vulnerabilities differ technically, most of them share the same general scope and impact. If an attacker can trick you into viewing a specially crafted image file (perhaps hosted on a malicious website), he could exploit the worst of these flaws to either crash an image application or to execute attack code on your Mac, with your privileges. The attacker could also exploit other vulnerabilities described in Apple’s alert to gain full control of your Mac.
  • Several QuickTime Vulnerabilities. QuickTime is the popular video and media player that ships with OS X (and iTunes). QuickTime suffers from four security issues (number based on CVE-IDs) involving how it handles certain video files and streaming media. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing maliciously crafted content in QuickTime, she could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, attackers could then leverage other flaws described in Apple’s alert to gain complete control of your Mac.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, elevation of privilege vulnerabilities, and information disclosure flaws. Components patched by this security update include:

  • Login Window
  • Bluetooth
  • curl
  • Directory Service
  • HFS
  • ImageIO
  • Kernel
  • libarchive
  • libsecurity
  • libxml
  • LoginUIFramework
  • PHP
  • Quartz Composer
  • QuickTime
  • Ruby
  • Samba
  • Security Framework
  • Time Machine
  • X11

Please refer to Apple’s OS X 10.6.x and 10.7.x alert for more details.

Note: Apple also released a Safari alert and update, which fixes four vulnerabilities in the Mac and Windows versions of Apple’s web browser. Attackers could leverage at least one of these flaws in a drive-by download attack. If you use Safari on a Mac or PC, you should update it to version 5.1.7, or let Apple’s automatic updater do it for you.

Solution Path:

Apple has released OS X Security Update 2012-002 and OS X 10.7.4 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can, or let Apple’s automatic Software Update utility do it for them.

Mac or PC Safari users should also update Safari to version 5.1.7.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack. Therefore, installing these updates is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Adobe Patch Day: Shockwave, Flash Professional, Photoshop, and Illustrator Updates

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Shockwave Player, Flash Professional, Photoshop, and Illustrator
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released four security bulletins describing vulnerabilities in many of their popular software packages, including Shockwave Player, Flash Professional, Photoshop, and Illustrator.

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

  • APSB12-13: Five Shockwave Code Execution Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin warns of five security vulnerabilities that affect Shockwave Player 11.6.4.634 and earlier for Windows and Macintosh. Adobe’s bulletin doesn’t describe the flaws in technical detail, only characterizing them as memory corruption vulnerabilities. All five flaws share the same impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

Adobe Priority Rating: 2 (Patch within 30 days)

  • APSB12-12: Flash Professional Buffer Overflow Vulnerability

Adobe Flash is a platform for creating interactive or animated web content and video. Flash Professional is the Adobe authoring environment used to create Flash content.

Flash Professional 11.5.1.348 and earlier for Windows and Mac suffers from a buffer overflow vulnerability. Adobe does not share any relevant detail about this flaw, nor how an attacker might exploit it. However, we assume that if you open specially crafted Flash content in Flash Professional, an attacker can leverage this flaw to execute code on your computer, with your privileges. As usual, if you have administrative or root privileges, the attacker would gain complete control of your machine.

Adobe Priority Rating: (Patch at your discretion)

  • APSB12-11: Photoshop TIFF Handling Vulnerability

Photoshop is a popular image editing program. Photoshop CS5.5 (for Windows and Mac) suffers from two vulnerabilities: one involving its inability to properly handle specially crafted TIFF images, and an unspecified buffer overflow vulnerability. By tricking you into downloading and opening a malicious image in Photoshop, an attacker can exploit the TIFF flaw to execute code on your machine, with your privileges. If you have local admin privileges, the attacker gains complete control of your computer. Adobe doesn’t describe how an attacker might leverage the second buffer overflow vulnerability.
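Both the ImageIO flaws in the Apple alert above and this Photoshop flaw come down to a decoder trusting counts and offsets read out of a TIFF file. The following is an added example, not code from Apple, Adobe, or WatchGuard, and it does not reproduce either vendor's actual bug: it is a minimal TIFF directory walker that validates every file-supplied count and offset against the buffer length before using it, with constructed sample files (the names GOOD_TIFF, HUGE_COUNT_TIFF, BAD_OFFSET_TIFF and BAD_STRIP_TIFF are mine) showing the kinds of malformed input a safe parser must reject.

```python
import struct

# Byte sizes of the twelve TIFF 6.0 field types (BYTE, ASCII, SHORT, LONG, RATIONAL, ...).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
STRIP_OFFSETS, STRIP_BYTE_COUNTS = 273, 279


class TiffError(ValueError):
    """Raised for any field that would send a naive decoder outside the file buffer."""


def parse_tiff(data, max_ifds=16):
    """Walk every IFD and return [[(tag, type, count), ...], ...].

    Every count and offset comes from the file and is therefore attacker-controlled,
    so each one is checked against len(data) before anything is read through it.
    """
    if len(data) < 8:
        raise TiffError("shorter than the 8-byte TIFF header")
    if data[:2] == b"II":
        end = "<"
    elif data[:2] == b"MM":
        end = ">"
    else:
        raise TiffError("bad byte-order mark")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad magic number")

    ifds, seen = [], set()
    while ifd_off != 0:
        if ifd_off in seen or len(ifds) >= max_ifds:
            raise TiffError("IFD chain loops or is too long")
        seen.add(ifd_off)
        if ifd_off + 2 > len(data):
            raise TiffError("IFD offset outside file")
        (n,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
        # Validate the whole directory (n entries + next-IFD pointer) before reading any entry.
        dir_end = ifd_off + 2 + 12 * n + 4
        if dir_end > len(data):
            raise TiffError(f"IFD claims {n} entries but only {len(data) - ifd_off} bytes remain")

        entries, inline = [], {}
        for i in range(n):
            pos = ifd_off + 2 + 12 * i
            tag, typ, count, value = struct.unpack(end + "HHII", data[pos:pos + 12])
            size = TYPE_SIZES.get(typ)
            if size is None:
                raise TiffError(f"tag {tag}: unknown field type {typ}")
            total = count * size  # in C this multiply must itself be overflow-checked
            if total > 4 and value + total > len(data):
                raise TiffError(f"tag {tag}: {total} bytes at offset {value} lie outside the file")
            if count == 1 and typ in (3, 4):
                # Single SHORT/LONG values live inside the 4-byte field (left-justified on "MM").
                fmt = "H" if typ == 3 else "I"
                inline[tag] = struct.unpack(end + fmt, data[pos + 8:pos + 8 + size])[0]
            entries.append((tag, typ, count))

        # Pixel data: a single strip's offset + byte count must also stay inside the file.
        if STRIP_OFFSETS in inline and STRIP_BYTE_COUNTS in inline:
            if inline[STRIP_OFFSETS] + inline[STRIP_BYTE_COUNTS] > len(data):
                raise TiffError("strip data extends past end of file")
        ifds.append(entries)
        (ifd_off,) = struct.unpack(end + "I", data[dir_end - 4:dir_end])

    if not ifds:
        raise TiffError("no IFD")
    return ifds


def is_safe_tiff(data):
    """True if every directory, field and strip lies within the buffer."""
    try:
        parse_tiff(data)
        return True
    except TiffError:
        return False


def build_tiff(entries, trailing=b""):
    """Constructed little-endian single-IFD TIFF; entries are (tag, type, count, value)."""
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHII", tag, typ, count, value)
    ifd += struct.pack("<I", 0)  # no further IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd + trailing


# Constructed samples. A well-formed 8x8 image whose single strip sits right after the IFD:
_STRIP_AT = 8 + 2 + 4 * 12 + 4  # = 62
GOOD_TIFF = build_tiff([(256, 3, 1, 8), (257, 3, 1, 8),
                        (STRIP_OFFSETS, 4, 1, _STRIP_AT), (STRIP_BYTE_COUNTS, 4, 1, 64)],
                       trailing=b"\x00" * 64)
# Entry count far larger than the file: a naive decoder would walk off the end of its buffer.
HUGE_COUNT_TIFF = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 60000)
# ASCII tag whose 200-byte value is supposedly stored at an offset past the end of the file.
BAD_OFFSET_TIFF = build_tiff([(256, 3, 1, 8), (270, 2, 200, 0xFFFFFF00)])
# Strip byte count that overruns the file even though the strip offset itself is in range.
BAD_STRIP_TIFF = build_tiff([(STRIP_OFFSETS, 4, 1, 38), (STRIP_BYTE_COUNTS, 4, 1, 4096)],
                            trailing=b"\x00" * 8)

if __name__ == "__main__":
    for name, blob in [("good", GOOD_TIFF), ("huge-count", HUGE_COUNT_TIFF),
                       ("bad-offset", BAD_OFFSET_TIFF), ("bad-strip", BAD_STRIP_TIFF)]:
        print(name, "accepted" if is_safe_tiff(blob) else "rejected")
```

The point of the checks is their order: the directory size is validated before any entry is read, and each entry's offset plus its total length is compared with the buffer before the data behind it is touched. Python integers cannot overflow, but a C decoder doing the same `count * size` multiply on 32-bit values must guard that product as well, or a huge count can wrap to a small length and pass the bounds check.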

Adobe Priority Rating: (Patch at your discretion)

  • APSB12-10: Five Illustrator Code Execution Vulnerabilities

Illustrator is Adobe’s vector drawing software. It suffers from five unspecified memory corruption vulnerabilities. Adobe doesn’t describe these flaws in any other detail, other than calling them code execution vulnerabilities. If forced to guess, we assume that if you handle specially crafted, Illustrator-compatible files (perhaps an image), an attacker could exploit this flaw to execute code on your computer with your privileges. Again, if you are an administrator, the attacker gains full control.

Adobe Priority Rating: (Patch at your discretion)

While we’re on Adobe updates, if you haven’t installed the early Flash Player update that Adobe released last week, we recommend you do so immediately. That update is much more severe than the ones released today.

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

NOTE: Adobe has chosen to only release some of these fixes as paid updates (CS6). If you didn’t already plan to pay for these updates, you will have to decide if these security issues change your mind. On a positive note, attackers don’t often target the products in question (Photoshop, Illustrator, Flash Professional). Nonetheless, it’s difficult for us not to recommend the latest security updates, and we wish that Adobe had extended these security updates to previous versions as well.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM device may mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Windows Security Updates Also Fix Flaws in .NET Framework and Office

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and its optional .NET Framework component. One bulletin also affects Office and Silverlight
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into running specially crafted documents or into visiting web sites with malicious content
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing 15 vulnerabilities that primarily affect Windows and its optional .NET Framework component. However, one of the bulletins also affects Office and Silverlight. Each vulnerability affects different versions of these products to varying degrees. However, a remote attacker could exploit the worst of them to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates — especially the critical ones — as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-034: Various Vulnerabilities in Windows, Office, .NET Framework, and Silverlight

This unusual Microsoft bulletin fixes ten seemingly dissimilar vulnerabilities in four different Microsoft products: Windows, Office, the .NET Framework, and Silverlight. Microsoft combined them into one bulletin since the flaws affect related files found in all of these products.

The ten vulnerabilities differ quite widely, and include various code execution vulnerabilities, drive-by download type issues, local privilege elevation flaws, and even a Denial of Service (DoS) vulnerability. According to the bulletin, researchers or attackers have publicly disclosed three of these vulnerabilities before they were patched, and attackers have leveraged at least one in limited targeted attacks.

We suspect the font and image handling vulnerabilities pose the most risk to typical users. The components Windows uses to handle TrueType fonts and EMF images both suffer from multiple code execution flaws. If an attacker can lure one of your users into interacting with a specially crafted image or TrueType font, he can exploit these flaws to gain access to that user’s computer, with that user’s privileges. If your user has local administrator privileges, the attacker gains full control of the user’s computer. Attackers could embed these malicious fonts and images in web sites, documents, or emails, but some of these attack vectors require more user interaction than others to succeed. Since this bulletin fixes many serious vulnerabilities in many products — one of which attackers have already started exploiting in the wild — we recommend you download, test, and deploy the updates as quickly as possible. Note: this update fixes flaws related to the advanced Duqu attack we’ve talked about in previous posts.

Microsoft rating: Critical

  • MS12-035: Two .NET Framework Remote Code Execution Vulnerabilities

The .NET Framework is a software framework used by developers to create new Windows and web applications. In computing, serialization is the process of converting a data structure or object to a state that allows for digital storage or transmission. Unfortunately, the .NET Framework suffers from two code execution vulnerabilities involving its serialization process. If an attacker can entice a user who has installed the .NET Framework into visiting a specially crafted web site, he can exploit these flaws to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage these flaws to gain full control of their computers. These flaws can also affect custom .NET Framework-based programs, which you might develop and run in-house. If you use the .NET Framework in your network, you should apply this update as quickly as you can.

Microsoft rating: Critical

  • MS12-032: TCP/IP Elevation of Privilege Flaw and Firewall Bypass

Two of Windows’ networking components suffer from security flaws. The Windows TCP/IP stack suffers from a local elevation of privilege flaw involving the way it binds IPv6 addresses to local network interfaces. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials.

Also, the Windows host-based Firewall suffers from a firewall bypass vulnerability. Apparently, the Windows firewall doesn’t properly apply outbound firewall policies to broadcast packets. Attackers with access to your Windows computers could exploit this issue to get past outbound firewall policies you may have applied to your Windows computer. While this flaw doesn’t allow external attackers to gain access to your system, it could make it easier for malware that infects your system to make its command and control (C&C) connection back to the attacker.

Microsoft rating: Important

  • MS12-033: Partition Manager Elevation of Privilege Flaw

In computing, disk partitioning is the act of dividing your hard drive into more than one logical storage unit. Windows ships with the Partition Manager component to allow you to partition your hard drive. Unfortunately, the Partition Manager suffers from an elevation of privilege vulnerability having to do with how it interacts with another Windows component (specifically, the Plug and Play Configuration Manager). By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly lowers the severity of this issue.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run an executable file locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, WatchGuard’s firewalls and XTM security appliances can mitigate the risk of many of these flaws. For instance, though attackers may leverage the Windows Firewall flaw to bypass host-based firewall policies, that attack will not trick our gateway firewall. Furthermore, if you use our Gateway Antivirus our appliance may block the malware attackers try to deliver to your computer when leveraging these vulnerabilities.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Word, Visio, and Excel Suffer from Document Handling Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Microsoft Office for Windows and Mac, and related products like Visio Viewer and the Office Compatibility Packs
  • How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches as soon as possible, or let Windows Update do it for you.

Exposure:

Today, Microsoft released three security bulletins describing eight vulnerabilities specifically affecting Microsoft Office and its related components. Some of these issues affect Office running on either Windows or Mac computers, while others also affect components like the Office Compatibility Pack and Visio Viewer.

Microsoft also released a fourth Office-related bulletin (MS12-034), which affects many other Microsoft products as well. Since this fourth bulletin also affects Windows users, we will detail it in our upcoming Windows alert. If you use Office, you should also refer to this Windows bulletin, and apply its update as well.

Microsoft’s three Office-specific bulletins describe eight code execution vulnerabilities, all of which involve the way Office (and its related applications) handle different types of documents. These document-handling flaws differ technically, but share the same general scope and impact. If an attacker can entice one of your users to download and open a maliciously crafted Office document, she can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

The only difference of note between these flaws is which type of Office document attackers use to trigger them. The affected Office documents include Rich Text Files (RTF) opened in Word, Excel (XLS) documents, and Visio (VSD, VSS, etc.) files.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS12-029: Word RTF Code Execution Vulnerability, rated Critical
  • MS12-030: Multiple Excel Code Execution Vulnerabilities, rated Important
  • MS12-031: Visio Viewer Code Execution Vulnerability, rated Important

Solution Path

Microsoft has released many updates to correct these vulnerabilities. If you use Office or any of the Office-related components mentioned in this alert, you should download, test, and deploy the appropriate patches as quickly as possible, or let Windows Update automatically install them for you.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find the various updates:

For All WatchGuard Users:

Many WatchGuard appliances can block incoming Office documents. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if Office documents are not absolutely necessary to your business, you may consider blocking them using our proxies, at least until you install these patches.
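A practical caveat for the temporary blocking described above: a rule keyed on file extension is defeated by renaming the document, so a gateway filter should identify Office documents by their content. The following is an added example, not WatchGuard's proxy code or configuration, showing how the three container formats behind this month's bulletins (RTF for MS12-029, the legacy OLE2 compound file used by .xls/.vsd/.vss, and the ZIP-based Office Open XML packages) can be recognised from their leading bytes. The function names, the `proxy_decision` hook, and all sample files are constructed for the example.

```python
import io
import zipfile

# Magic bytes of the three container formats the Office bulletins above cover.
RTF_MAGIC = b"{\\rtf"                            # Word RTF (MS12-029)
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls/.vsd/.vss (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                        # .docx/.xlsx/.vsdx are ZIP containers


def classify_document(data):
    """Return 'rtf', 'ole2', 'ooxml' or None from the bytes alone; the file name is ignored."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except (zipfile.BadZipFile, ValueError, OSError):
            return None  # truncated or corrupt archive; a real gateway would log this
        # Every Office Open XML package carries this part; an ordinary .zip does not.
        if "[Content_Types].xml" in names:
            return "ooxml"
    return None


BLOCKED_KINDS = frozenset({"rtf", "ole2", "ooxml"})


def proxy_decision(filename, data, blocked=BLOCKED_KINDS):
    """Hypothetical proxy hook returning ('block' | 'allow', detected_kind).

    The verdict depends only on content, so renaming report.doc to report.txt
    does not get it past the rule; filename is accepted only for logging.
    """
    kind = classify_document(data)
    return ("block" if kind in blocked else "allow", kind)


def _zip_with(names):
    """Build a small in-memory ZIP containing the given entry names (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "<x/>")
    return buf.getvalue()


# Constructed samples, not real documents.
RTF_SAMPLE = b"{\\rtf1\\ansi Hello}"
OLE2_SAMPLE = OLE2_MAGIC + b"\x00" * 504            # 512-byte CFB header, rest zeroed
OOXML_SAMPLE = _zip_with(["[Content_Types].xml", "word/document.xml"])
PLAIN_ZIP_SAMPLE = _zip_with(["readme.txt"])
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("memo.txt", OLE2_SAMPLE), ("notes.rtf", RTF_SAMPLE),
                       ("q1.xlsx", OOXML_SAMPLE), ("archive.zip", PLAIN_ZIP_SAMPLE),
                       ("logo.png", PNG_SAMPLE)]:
        print(name, proxy_decision(name, blob))
```

The OLE2 sample is deliberately delivered as `memo.txt` and is still blocked, which is the property an extension-based rule lacks. A production filter would add limits that this sketch omits, such as a cap on archive size and entry count before listing a ZIP, and would treat a content type that contradicts the declared extension as a signal in its own right.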

If you would like to use our XTM and Firebox appliance’s proxy policies to block the affected documents, follow the links below for general proxy instructions:

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: May Brings Windows, Office and .NET Patches

Microsoft has offered its May security updates to the masses. As expected, the theme this month seems to revolve around Office document parsing vulnerabilities. If you use Office in your network, you will want to apply these updates as soon as possible.

In their May security bulletin summary, Microsoft highlights seven security bulletins that fix 23 vulnerabilities in four primary products, including:

  • Windows
  • Office
  • .NET Framework
  • Silverlight

They rate three of these bulletins as Critical, which typically means remote attackers can exploit them to gain control of affected computers.

The two most serious flaws appear to be a vulnerability in Word (MS12-029) involving the way it handles Rich Text Files (RTF), and ten flaws that affect Office, Windows, the .NET Framework, and Silverlight (MS12-034), many of which also have to do with how these products handle documents or fonts. I would apply these updates in the same order Microsoft recommends in their summary post.

I’ll share more details about these issues, and how to fix them, in consolidated alerts I’ll post here shortly.

[UPDATE] I mistakenly published an unfinished version of this post as I was writing it. This may have resulted in you receiving an email containing the incomplete post. I apologize for the confusion this may have caused, and the extra email.  — Corey Nachreiner, CISSP (@SecAdept)
