WatchGuard Security Center | Category Archive

WatchGuard Security Week in Review: Episode 63 – Patch Bonanza

May 17, 2013 by Corey Nachreiner 0 Comments

Zero Day Patches, Nasty New Malware, and Jailed Hackers

Ready for a dose of InfoSec news? Your weekly security highlights reel is spooled up and ready to go.

This week was all about software updates. Not only did Microsoft and Adobe’s monthly Patch Day bring us patches for critical zero day vulnerabilities, but we saw security updates for Firefox and iTunes as well. In today’s video, I talk about all those updates, as well as two new interesting malware variants, and the sentencing and jailing of a team of well-known hackers. View the video for all the details.

A quick note… Next week I’ll be attending the AusCERT security conference in Australia. Though I still expect to bring you a weekly video, I may post it earlier or later than normal due to travel and the time zone differences. Keep safe out there and see you next week.

(Episode Runtime: 7:17)

Direct YouTube Link: http://www.youtube.com/watch?v=gjAx6PdFY0k

Episode References:

Microsoft Patch Day, May 2013
- Microsoft May Patch Day Summary - WGSC
- Microsoft Patches 0day IE vulnerability and more - WGSC
- Microsoft’s Windows updates for May - WGSC
- Microsoft’s Office updates for May - WGSC
- Minor Microsoft Essentials update - WGSC
Adobe fixes Reader, Flash, and ColdFusion flaws - WGSC
Mozilla releases Firefox 21 to fix eight vulnerabilities – Mozilla
Latest version of Apple iTunes fixes 41 vulnerabilities - Apple
New Mac malware leverages valid developer ID – The Register
New Dorkbot variant spreads via Facebook chat and MediaFire - PC Magazine
Four members of Lulzsec sentenced and Jailed – Wired

Extras:

Linux kernal exploit in circulation - The H Open
Breaking: Syrian Electronic Army hijacks The Financial Times web site and Twitter - The Register
Auto regulators thinking about car hacking (one of my predictions last year) - Bloomberg
Cyber fraud campaign discovered targeting Australian banks - ComputerWorld
Software vulnerabilities found in Skyrim and Fallout 3 (fairly benign, but interesting) - The Inquirer

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates

Adobe Patch Day: Update for ColdFusion Zero Day and More

May 15, 2013 by Corey Nachreiner 1 Comment

Severity: High

Summary:

These vulnerabilities affect: Adobe Reader and Acrobat, Flash Player, and ColdFusion
How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
Impact: Various results; in the worst case, an attacker can gain complete control of your computer
What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Yesterday, Adobe released three security bulletins describing vulnerabilities in Reader and Acrobat, Flash Player, and ColdFusion. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. Attackers have been exploiting one of the ColdFusion issues in the wild, so we recommend you patch quickly.

The summary below details some of the vulnerabilities in these popular software packages.

APSB13-15: Multiple Reader and Acrobat Memory Corruption Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 27 vulnerabilities that affect Adobe Reader and Acrobat X 11.0.2 and earlier, running on any platform (Windows, Mac, Linux). Adobe’s alert only describes the flaws in minimal detail, but the majority of them involve memory corruption-related vulnerabilities, such as buffer overflows, integer overflows, use-after-free issues, and so on. For the most part, they share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit many of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 2 (Patch within 30 days) for most, though 1 for Windows systems with 9.x and below

APSB13-14: Multiple Flash Player Memory Corruption Flaws

Adobe’s bulletin describes 13 vulnerabilities in Flash Player running on all platforms (including Linux and Android). More specifically, the flaws consist of various memory corruption flaws. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe rates these flaws with their highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

APSB13-13: Critical Zero Day ColdFusion Vulnerability Patched

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. This bulletin fixes two serious vulnerabilities; one of which attackers are currently exploiting in the wild. We mentioned this zero day flaw in passing during last week’s security news video. Adobe’s bulletin doesn’t share many details, but the primary flaw is a remote code execution vulnerability. If you expose certain default ColdFusion directories, an attacker could exploit this flaw to execute code on you web server simply by sending specially crafted HTTP packets. Though not quite as bad, the second vulnerability allows attackers to remotely retrieve sensitive files from your server. Adobe rates these flaws Priority 1, so we highly recommend ColdFusion administrators update immediately–especially if you have public facing servers.

You can find a bit more detail about the zero day ColdFusion flaw in a security advisory Adobe released earlier this month.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

APSB13-15:
- Adobe Reader X 11.0.3
  - For Windows
  - For Mac
- Adobe Acrobat X 11.0.2
- Adobe Reader 9.5.4 for Linux
APSB13-14: Upgrade to the latest Flash Player (11.7.700.202 for Windows)
- Note: Android users should update via Google Play. Both Chrome and Internet Explorer (IE) 10 have Flash built in. You need to update these browsers separately. Find more details about the IE10 update here.
APSB13-13: Apply the corresponding ColdFusion hotfix. More details in this Adobe technote.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Reader files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Reader or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block this Flash or Reader via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe has released patches correcting these issues.

References:

Adobe Security Update APSB13-13
Adobe Security Update APSB13-14
Adobe Security Update APSB13-15

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Security Updates

adobe, Flash Player, patch, shockwave, updates

Windows Essentials: Free Programs Need Patches Too

May 14, 2013 by Corey Nachreiner 3 Comments

Do you use Windows Essentials? If so, let the Windows Automatic Updater do its job, but no hurry.

Along with their nine other Patch Day bulletins, Microsoft released a less significant software update for Windows Essentials; a suite of free and optional productivity applications for Windows. Essentials consists of a menagerie of applications, including basic photo gallery, blogging, email, instant messenger, and movie editing software. Many of the applications are cloud-based.

In any case, according to one of today’s bulletins, Windows Essentials suffers from a relatively minor information disclosure vulnerability. If an attacker can get a Windows Live Writer (the blogging app) user to click a specially crafted link, he can leverage this flaw to overwrite some of that user’s files. Certainly not a good thing, but also not the worst flaw in the world.

I personally doubt many business user leverage the Essentials suite, so I don’t think this particular issue poses a huge risk to our readers. That said, if you do use the Windows Essentials Live Writer program, then you certainly wouldn’t want to lose content based on this sort of attack. So I would definitely apply Microsoft’s patch, though there’s no rush. You can find more details about the update in the “Affected and Non-Affected Software” section of Microsoft’s bulletin. — Corey Nachreiner, CISSP (@SecAdept)

Security Updates

Office Patches Mend Word, Visio, Publisher, and Lync

May 14, 2013 by Corey Nachreiner 1 Comment

Severity: High

Summary:

These vulnerabilities affect: Microsoft Office related products, including Word, Visio, Publisher, and Lync
How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents
Impact: In the worst case, an attacker can gain complete control of your Windows computer
What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix 14 vulnerabilities in a range of Microsoft Office products, including Word, Visio, Publisher, and Lync. We summarize these four security bulletins below, in order from highest to lowest severity.

MS13-041: Lync Remote Code Execution (RCE) Vulnerability

Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from an unspecified memory corruption vulnerability that attackers could leverage to execute arbitrary code on your computer. If an attacker can convince one of your users to join a Lync or Communicator session containing specially crafted content, they could execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could gain complete control of affected computers. This flaw only affects certain versions of Lync and Communicator. See the “Affected and Non-Affected Software” section of Microsoft’s bulletin for more details.

Microsoft rating: Critical

MS13-042: Multiple Publisher Memory Corruption Vulnerabilities

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from eleven memory corruption vulnerabilities. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Publisher except 2013.

Microsoft rating: Important

MS13-043 : Word RCE Vulnerability

Word is the popular word processor that ships with Office. It suffers from a remote code execution (RCE) vulnerability having to do with how it handles Word or RTF documents containing maliciously crafted shape data. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word and Word Viewer 2003.

Microsoft rating: Important

MS13-044 : Visio Information Disclosure Vulnerability

Microsoft Visio is a popular diagramming program often used to create network diagrams. Visio suffers from a complex information disclosure vulnerability, involving the way it parses specially crafted XML content. At a high level, XTM documents can contain “external entities;” essentially text or binary data from an external location. If an attacker can entice one of your users into downloading and opening a malicious Visio document (containing XTM content), he can exploit this flaw to read data from files on the victim’s computer. This flaw affects all versions of Visio except 2013.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed a signature that can detect and block the Visio Information Disclosure issue:

EXPLOIT Microsoft Visio XML External Entities Resolution Vulnerability (CVE-2013-1301)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

Microsoft Security Bulletin MS13-041
Microsoft Security Bulletin MS13-042
Microsoft Security Bulletin MS13-043
Microsoft Security Bulletin MS13-044

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Security Updates

Lync, memory corruption, microsoft patch day, office, Patches, publisher, RCE, remote code execution, updates, visio, word

Trio of Windows Bulletins Correct Moderate Vulnerabilities

May 14, 2013 by Corey Nachreiner 1 Comment

Severity: Medium

Summary:

These vulnerabilities affect: All current versions of Windows or components often packaged with it (like the .NET Framework)
How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or running malicious programs locally
Impact: Varies, ranging from a remote Denial of Service (DoS) attack to local attackers gaining complete control of your Windows computer
What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that describe six vulnerabilities affecting Windows or components related to it (like the .NET Framework). They only rate these bulletins as Important, due to limited impact or mitigating factors. Each of these vulnerabilities affects different versions of Windows to varying degrees. In the worst case, a local attacker could exploit one of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates at your earliest convenience.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

MS13-039: HTTP.sys DoS Vulnerability

The HTTP Protocol Stack (HTTP.sys) is a Windows component that listens for and handles HTTP requests before passing them to a web server like IIS. It suffers from a Denial of Service (DoS) vulnerability having to do with its inability to properly handle HTTP requests with specially malformed headers. By sending a specially crafted HTTP request, a remote attacker can leverage this flaw to cause your system to stop responding. While this sort of DoS attack doesn’t result in any breach or data loss, attackers can leverage it to knock your public web server offline, which could have significant business implications. You should download, test, and deploy Microsoft’s HTTP.sys update as soon as possible.

Microsoft rating: Important

MS13-040: Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. The .NET Framework component suffers from two new security vulnerabilities.

The first issue is an XML digital signature spoofing vulnerability. XML files can contain digital signatures, which .NET applications can use to verify the integrity of XML files (ensuring they haven’t been improperly modified). However, the .NET Framework component (CLR) responsible for validating these signatures doesn’t do it right. As a result, attackers can modify the contents of an XML file without invalidating the signature. The impact of this flaw depends on if and how your custom .NET applications leverage this functionality.

The second issue is an authentication bypass vulnerability. The Windows Communication Foundation (WCF) is essentially a set of .NET APIs that developers can use to make applications that communicate securely with one another. However, WCF suffers from an authentication bypass flaw. By sending specially crafted packets, an attacker could gain unauthenticated access to computers that run WCF services. The impact of this bypass depends on your custom .NET application. If you custom application gives your users access to sensitive data, then in can pose a significant risk. If you install the .NET framework, you should download, test, and install Microsoft’s update as soon as you can.

Microsoft rating: Important

MS13-046: Kernel-Mode Driver Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from three new local elevation of privilege flaws. They all differ technically, but share the same basic scope and impact. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers (or cause it to become unstable). However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows and .NET Framework patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

WEB Microsoft Windows 2012 Server HTTP.sys Denial of Service Vulnerability (CVE-2013-1305)
EXPLOIT Microsoft XML Digital Signature Spoofing Vulnerability (CVE-2013-1336)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

Microsoft Security Bulletin MS13-039
Microsoft Security Bulletin MS13-040
Microsoft Security Bulletin MS13-046

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Security Updates

.NET Framework, buffer overflow, elevation of Privilege, HTTP.sys, IPS, Kernel-mode drivers, microsoft patch day, updates, windows

Two Critical IE Bulletins Fix Zero Day Vulnerability and More

May 14, 2013 by Corey Nachreiner 1 Comment

Severity: High

Summary:

These vulnerabilities affect: Internet Explorer (IE) versions 6 – 10
How an attacker exploits them: Typically, by enticing one of your users to visit a web page with malicious content
Impact: In the worst case, an attacker can execute code on your user’s computer, often gaining complete control of it
What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released two security bulletins (MS13-037/MS13-038) describing a dozen new security vulnerabilities that affect all current versions of Internet Explorer (IE). They rate both updates as Critical.

Over the last few months, most of the new flaws affecting IE are what developers call “use after free” vulnerabilities – a type of memory corruption flaw that attackers can leverage to execute arbitrary code. May’s duo of IE bulletins continues this theme, with all but one of the vulnerabilities falling under this class of flaw.

Though these dozen vulnerabilities differ technically, they share the same general scope and impact (with one small exception). If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer. Keep in mind, attackers often hijack legitimate web pages and booby trap them with this sort of malicious code, in what the industry refers to as a “watering hole” attack.

Typically, Microsoft only releases one IE cumulative update a month. However, over the last few weeks attackers have exploited a zero day IE8 vulnerability in the wild—most notably against the Department of Labor (DoL) web site. We talked about this exploit in last week’s security video. Although Microsoft had released a temporary “FixIt” to mitigate this serious vulnerability, today’s second IE bulletin (MS13-038) rectifies the issue more completely. Attackers are still exploiting this flaw in the wild. They’ve worked it into their underground exploit toolkits, and even the popular Metasploit framework contains a public version of the exploit. We highly recommend you install both of Microsoft’s IE updates immediately (after testing, of course).

If you’d like more technical detail about any of these flaws, see the “Vulnerability Information” section in both of Microsoft’s bulletins (MS13-037/MS13-038).

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletins:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the “use after free” vulnerabilities described in Microsoft’s alert:

WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-2551)
WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1309)
WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1311)
WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1312)
WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1307)
WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1308)
WEB-CLIENT Microsoft Internet Explorer JSON Array Information Disclosure Vulnerability (CVE-2013-1297)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Security Updates

0day, DoL, drive-by download, ie, IE8, internet explorer, microsoft, remote code execution, use after free, zero day

WatchGuard Security Week in Review: Episode 62 – Major Cyber Heist

May 10, 2013 by Corey Nachreiner 4 Comments

The Onion Hack, IE8 0day, and ATM Cyber Heist

Are you an over-worked IT administrator with no time to learn about the latest internet threats? Do you want to keep your network safe, but don’t know what the bad guys are up to? If that’s you, then our weekly information security highlights video is just the thing for you. For just three easy payments of… well, nothing… you can have all that and more!

Today’s episode covers Syrian cyber attackers hijacking The Onion’s twitter feed, a serious zero day vulnerability affecting Internet Explorer 8 (IE8), a major cyber bank heist, and more. For all the details, and some tips to protect yourself, watch the video below or check out the stories in the Reference section.

Have a great weekend.

(Episode Runtime: 7:46)

Direct YouTube Link: http://www.youtube.com/watch?v=hdN9YMjKTXM

Episode References:

Microsoft releases FixIT for IE8 0day - Microsoft
Patch day advanced notification for May - Microsoft
The Onion’s twitter feed hacked – NYTimes
Darkleech attack now affects nginx and lighthttpd - The Register
Crime gang steals 45mil in huge cyber bank heist – NYTimes

Extras:

Hacking group gains access to .edu domains - The H Security
Suspect SpyEye author extradited to US - Naked Security
Anonymous’ so called OpUSA project an epic fail - eWeek
“Honeywords” may help protect password databases - Ars Technica
Name.com discovers a security breach - The Next Web
Researchers find security flaws in Google’s “smart building” system - Cylance blog
Critical 0day Cold Fusion exploit in the wild - InfoWorld

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates

WatchGuard Security Week in Review: Text Edition

May 3, 2013 by Corey Nachreiner 1 Comment

Welcome to our weekly network and information security (Infosec) news highlights. Typically, I deliver these security highlights as a short video. However, I’m traveling this week for both business and personal reasons, and was unable to produce the video version during my hectic travel schedule. The video will return next week from the Interop IT conference in Vegas. Until then, enjoy this text summary of the biggest Infosec stories from the week.

This week’s stories includes a big credential leak, the hijacking of a government web site, and news of a flaw in Google’s latest wearable computer. Read below for more details, and join us next week when the video version returns:

Living Social breach leaks 50mil user credentials - Attackers breached Living Social’s network and made off with the personal info of 50 million users. The stolen information included things like your email address, date of birth, and your hashed password. Though the passwords were hashed, attackers can still leverage brute force attacks to figure out the weaker ones of the bunch. If you use Living Social, you need to change your password immediately. More importantly, if you use the same password at other sites, stop doing that and change your passwords there too.
Latest on the mysterious Apache web site mass hijackings - Over the past few months, we’ve pointing out multiple incidents where thousands of Apache web servers were hijacked with a very sneaking backdoor. While researchers understood the complex backdoor attackers were injecting, no one really knew how attackers were initially gaining access to vulnerable sites (though many suspected Cpanel or WordPress vulnerabilities). In any case, ESET and Sucuri have released new research on the complex backdoor used in this attack campaign. It’s a very interesting read for the security conscious and a must-read for web administrators. Thanks to our friend and reader, Ryan, for pointing out this new research.
Hackers pwn Google Glass - You’ve probably seen Google Glass; the latest wearable computer. It’s not really out yet, but a group of select developers with cash to spare have gotten their hands on preview copies of this interesting new product. This week, one of those developers have learned how to jailbreak or root the device. Jailbreaking or rooting are terms used to describe when a user gains full administrative control of a device that was somehow locked down by the manufacturer. Usually, the devices owner is the one that wants to root a device, in order to do things that the manufacturer didn’t originally intend. However, the techniques used to root devices often leverage software vulnerabilities, which attackers could also leverage to take full control of your device. Obviously, you don’t want that. In any case, Google Glass is really still in beta, and not available to consumers. I wouldn’t be overly worried about this supposed flaw, as I’m sure Google will correct it before the official release. Still, an interesting read.
Reader vulnerabilities allows attackers to track PDF documents - Mcafee discovered an Adobe Reader flaw that attackers could leverage to find out when users open a particular Reader document, and what IP there are opening it from. This is not a critical issue, in that attackers can’t leverage it to execute code, but it does pose a privacy risk. There is no fix for the flaw yet, but you should expect one in an upcoming release.
Chinese attackers force Department of Labor site to serve malware - According to Alienvault, the Department of Labor web site was hijacked by China-based attackers, and then forced to serve malicious code, which then tries to infect anyone that visits the site. The Department of Labor has since cleaned their site, but if you happen to have visited it lately you should definitely scan your computer for malware.
Serious Flaw in IBM Notes - It’s hard for me to imagine anyone still using the Notes email client, but I have learned there are still some of you out there. This week, researchers reported a serious security flaw in this client, involving how it handles Java applets and javascript. IBM plans to fix the flaw soon, but until then you should disable javascript and Java applets in the Notes client.
State-sponsered attackers breach US government defense contractor - Investigators find evidence of a long term breach of a US defense contracter that makes some pretty interesting defense and spy gear.

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates

adobe, Apache, China, Darkleech, Department of Labor, Google Glass, hacking, Living Social, malware, Notes, Patches, Reader, updates, vlog, WatchGuard Security Week in Review

WatchGuard Security Week in Review: Episode 61 – InfoSec UK 2013

April 26, 2013 by Corey Nachreiner 1 Comment

AP Twitter Hack, Serial Offenders, and InfoSec UK

This week’s security highlights video comes a bit early due to my travels in London to attend InfoSec UK.

If you’re looking for a quick summary of the week’s top security news, this is the vlog for you. In today’s video, I share a few themes from the biggest security conferences in Europe, news of the AP twitter feed hijack, warnings of a new Java exploit, and information about industry-wide flaws affecting serial port servers. Watch for all the details, and check the Reference section below for other interesting stories from the week.

(Episode Runtime: 7:35)

Direct YouTube Link: http://www.youtube.com/watch?v=pWAMN7j0yyg

Episode References:

AP Twitter feed hijacked - The Age
Newly patch Java flaw exploited in the Wild - Ars Technica
HD Moore uncovers serial port service vulnerabilities – Rapid7 blog
Moore’s Serial Offenders presentation - Speaker Deck
InfoSec UK 2013 News
- Security Policy must align with business goals – Tech World
- All businesses at risk of cyber attack - ITPro
- Cyber Intelligence sharing helps security – Computer Weekly

Extras:

Hacking laws used to convict someone who didn’t hack - The Verge
FBI legally denied Strickback capability (installing malware to spy on criminal) - Ars Technica
My article on why Strickback will strick out - Network World
Major Lulzsec hacker arrested in Australia - ReadWrite
World of Tanks servers breached - Kotaku
CISPA dies again in Senate - ZDNet

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates

WatchGuard Security Week in Review: Episode 60 – Oracle CPU

April 19, 2013 by Corey Nachreiner 1 Comment

Router Hacks, WordPress Attack, and Huge Oracle Update

During a week of such tragedy, it’s hard to give much thought to network and information security (InfoSec). Yet, we must stay vigilant, lest abhorrent cyber criminals leverage such tragedies against us in social networking campaigns.

In this week’s InfoSec news summary, I cover Oracle’s quarterly Critical Patch Update (CPU), a research project that uncovered vulnerabilities in consumer routers, a WordPress password cracking botnet, and how scammers are exploiting this week’s tragedies in their spam campaigns. Watch the video below for the highlights and some defensive tips.

As an aside, I will be traveling next week so I may not post the weekly video at its normal time.

(Episode Runtime: 7:38)

Direct YouTube Link: http://www.youtube.com/watch?v=Mvikhwg12k8

Episode References:

WordPress password cracking campaign - Softpedia
One of Microsoft’s April patches broken - CRN
Oracle Critical Patch Update April 2013
- Oracle April 2013 CPU alert – Oracle
- Oracle April 2013 Java SE update - Oracle
- Apple Java update associated with Oracle CPU - Apple
- Article on Oracle CPU for April - ZDNet
Research on exploiting SOHO routers - Security Evaluators
Spammers exploit news of Boston Bombing – Information Week
Spammers exploit news of accidental fertilizer plant explosion - Naked Security blog

Extras:

House passes the latest version of CISPA – InfoWorld
“Badnews” android botnet found on Google Play - TechWorld
Reddit suffers DDoS attack - Express
Syrian Electronic Army hacks NPR - Huffington Post
Password security hits primetime (on Ellen Degeneres Show) - Softpedia
New “magic code” trojan - Seculert
US and China create cyber security working group - IT News
LulzSec hacker gets a year in prison - The Inquirer

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates

Zero Day Patches, Nasty New Malware, and Jailed Hackers

Episode References:

Share this:

Like this:

Severity: High

Summary:

Exposure:

Solution Path:

For All WatchGuard Users:

Status:

References:

Share this:

Like this:

Share this:

Like this:

Severity: High

Summary:

Exposure:

Solution Path:

For All WatchGuard Users:

Status:

References:

Share this:

Like this:

Severity: Medium

Summary:

Exposure:

Solution Path:

For All WatchGuard Users:

References:

Share this:

Like this:

Severity: High

Summary:

Exposure:

Solution Path:

For All WatchGuard Users:

Status:

References:

Share this:

Like this:

The Onion Hack, IE8 0day, and ATM Cyber Heist

Episode References:

Share this:

Like this:

Share this:

Like this:

AP Twitter Hack, Serial Offenders, and InfoSec UK

Episode References:

Share this:

Like this:

Router Hacks, WordPress Attack, and Huge Oracle Update

Episode References:

Share this:

Like this:

Email Subscription

Links

Tags

Top Posts

Archives

Follow “WatchGuard Security Center”