Archive | Security Updates RSS feed for this section

Forbes Forces Malware – Daily Security Byte EP.22

Did you know the Forbes website was serving up targeted malware last December, by exploiting two zero day vulnerabilities? If not, watch the video to learn more.

(Episode Runtime: 2:14)

Direct YouTube Link: https://www.youtube.com/watch?v=nj-S6ss8-dw

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

February Patch Day – Daily Security Byte EP.21

If you’re a Microsoft admin, you know the drill. The second Tuesday of the month means lots of security updates. Watch the video for a quick summary.

(Episode Runtime: 1:27)

Direct YouTube Link: https://www.youtube.com/watch?v=AbCinysV2tQ

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Delivers Nine Security Bulletins for February

As the second Tuesday of the month, it’s time for Microsoft administrators to get patchin’. You can find this month’s Patch Day details at Microsoft’s February Patch Day Summary page, but I’ll summarize some of the highlights below.

By the Numbers:

February Microsoft Patch DayToday, Microsoft released nine security bulletins, fixing a total of 60 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • and Microsoft System Center Virtual Machine Manager (VMM).

They rate three bulletins as Critical, six as Important.

Patch Day Highlights:

The most interesting vulnerability this month is probably Microsoft’s Group Policy remote code execution flaw. This is a rather complex flaw that requires an attacker successfully pull off a man-in-the-middle (MitM) attack on a computer that is configured to connect to an Active Directory domain. Once the attacker can intercept your traffic, he can trick it into running a malicious login script, which allows him to run anything he wants. Since the flaw relies on a domain login, it primarily affects corporate Windows users. Check out this article to learn more.

Internet Explorer (IE) also got a rather beefy patch, which fixes 41 security flaws. The update mostly fixes memory corruption vulnerabilities that bad guys can leverage in drive-by download attacks. However, this update also includes updates to IE’s SSLv3 handling to mitigate the POODLE flaw. Finally, this update does NOT fix the recent IE11 cross-site scripting (XSS) flaw that Google disclosed. That said, I’d recommend you install the IE update first, as web drive-by download attacks are much more popular and targeted than the Group Policy attack mentioned above.

Quick Bulletin Summary:

We summarize February’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS15-009 – Critical – Cumulative Internet Explorer update fixes 41 vulnerabilities – The Internet Explorer (IE) update primarily fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC.
  • MS15-010 – Critical- Kernel-mode Driver RCE flaw – The kernel-mode driver that ships with Windows suffers from various elevation of privilege flaws that could allow unprivileged users to execute code with full privileges. However, the attacker needs local system access and credentials to carry out the attack.
  • MS15-011 – Critical – Group Policy Remote Code Execution Flaw – The Windows Active Directory Group Policy Component suffers from complex code execution vulnerability. If an attacker can successfully intercept all the traffic of a Windows computer that connects to a domain, she can exploit this flaw to run arbitrary code on that computer. However, the attacker would most likely have to be on the same network as the victim in order for such a man-in-the-middle attack to succeed.
  • MS15-012 – Important – Office Code Execution Flaws – Various Office components, like Word and Excel, suffer from document handling code execution flaws. If an attacker can get you to open a maliciously crafted document, he could exploit these to gain control of your computer.
  • MS15-013 – Important – Office Security Bypass Flaw - Office doesn’t properly leverage Windows’ Address Space Layout Randomization (ASLR) feature. Since ASLR makes it harder for bad guys to exploit memory corruption issues, this bypass flaw makes it easier for attackers.
  • MS15-014 – Important – Group Policy Security Bypass Flaw - Using a man-in-the-middle attack, an attacker can trick Group Policy into reverting to its less secure, default state. This attack only works against Windows machines that connect to a domain. This flaw can be used in conjunction with MS15-011 to execute code.
  • MS15-015 – Important – Windows Elevation of Privilege Flaw - In short, if a unprivileged user can run code on a Windows machine, he can leverage this flaw to gain system privileges. However, he needs valid credentials and enough access to log in to the computer in the first place.
  • MS15-016 – Important – Windows Graphic Component Information Disclosure Flaw - The Graphics component of Windows suffers from a minor flaw that attackers could leverage to learn about the current memory state of your computer. This flaw serves little purpose alone, but could help attackers exploit other memory corruption vulnerabilities easier. Also, the attacker would have to entice you into viewing a TIFF image in order to exploit this flaw.
  • MS15-017 – Important – VMM Elevation of Privilege Flaw - If an attacker has credentials to login to your Microsoft Virtual Machine Manager (VMM), even as an under-privileged role, that attacker could leverage this flaw to gain full access to VMM and all your virtual machines.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as a soon as possible, and leave the moderate ones for last.

IMPORTANT NOTE: We have already read rumors about problems with some of today’s Microsoft updates. We highly recommend you test the patches before applying them to production servers.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download February’s full Security Update ISO –  Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8967)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0017)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0018)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0019)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0020)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0021)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0022)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0023)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0025)
  •  WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0026)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0029)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0030)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0031)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0035)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0036)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0037)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0038)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0039)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0040)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0041)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0042)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0043)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0071)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0070)
  • WEB-CLIENT Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-0069)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0068)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0067)
  • FILE Microsoft Office Word OneTableDocumentStream Remote Code Execution Vulnerability (CVE-2015-0065)
  • FILE Microsoft Office Word Remote Code Execution Vulnerability (CVE-2015-0064)
  • FILE Microsoft Office Excel Remote Code Execution Vulnerability (CVE-2015-0063)
  • FILE Microsoft Office TTF TrueType Font Parsing Remote Code Execution Vulnerability (CVE-2015-0059)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0053)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0052)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0051)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0050)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0049)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0048)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0046)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0045)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0044)
  • FILE Adobe Flash Player BitmapFilter Invalid Object Corruption Remote Code Execution (CVE-2015-0314)
  • FILE Adobe Flash Player Video Event Dispatch Use After Free (CVE-2015-0315)
  • FILE Adobe Flash Player OP_ANYBYTE PCRE Library Memory Corruption (CVE-2015-0316)
  • FILE Adobe Flash Player XMLSocket.connect Type Confusion (CVE-2015-0317)
  • FILE Adobe Flash Player PCRE Regex Compilation Memory Corruption (CVE-2015-0318)
  • FILE Adobe Flash Player Multiple Type Confusion (CVE-2015-0319
  • FILE Adobe Flash Player MessageChannel.send() Use After Free (CVE-2015-0320)
  • FILE Adobe Flash Player Parsing Malformed mp4 Video Memory Corruption (CVE-2015-0321)
  • FILE Adobe Flash Player ActionScript Pushscope Opcode Memory Corruption (CVE-2015-0322)
  • FILE Adobe Flash Player Special Regex Character Sets Heap Overflow (CVE-2015-0323)
  • FILE Adobe Flash Player JSON.stringify Integer Heap Overflow (CVE-2015-0324)
  • FILE Adobe Flash Player RemoveFromDeviceGroup() Use After Free (CVE-2015-0325)
  • FILE Adobe Flash Player ActionScript URLRequest.requestHeaders Type Confusion (CVE-2015-0326)
  • FILE Adobe Flash Player Stringifying Proxy Objects Heap Overflow (CVE-2015-0327)
  • FILE Adobe Flash Player NetConnection Request Null Dereference (CVE-2015-0328)
  • FILE Adobe Flash Player Multibyte UTF-8 Characters Regular Expressions Memory Corruption (CVE-2015-0329)
  • FILE Adobe Flash Player PCRE Regex Heap Overflow (CVE-2015-0330)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

 

Who Cares About Lovely Horse? – Daily Security Byte EP.20

Oh no… The NSA and GCHQ are following security experts on Twitter! The Sky is falling, the sky is falling! Watch today’s video to learn why I don’t think the latest “Snowden leak” qualifies as news.

(Episode Runtime: 1:29)

Direct YouTube Link: https://www.youtube.com/watch?v=vz3v3m2w07w

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Huge Healthcare Breach – Daily Security Byte EP.19

If you’re an Anthem health insurance customer, it’s time to monitor your credit. Anthem warns external hackers stole 80 million records. Learn what this means to you by clicking play below.

(Episode Runtime: 2:03)

Direct YouTube Link: https://www.youtube.com/watch?v=rICT_H76lqs

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

New eBook Explores Unlocking the Promise of UTM-Enabled Network Protection

Combatting enterprise-grade threats, without the resources to deploy enterprise-grade solutions, is a key security challenge for today’s midsize businesses. It often results in a piecemeal approach to network security and a complex, disjointed strategy that leaves significant gaps in protection.

To help overcome these challenges, we’ve teamed up with Frost & Sullivan to release a new eBook titled, “Fulfilling the Promise of Unified Threat Management (UTM): Unlocking Full UTM-Enabled Network Protection.”

Get the eBook now.

UTM

The eBook is broken into four main sections and explores: the challenges facing midsized enterprises; UTM adoption fears for business; WatchGuard’s approach to delivering UTM protection; and three simple steps to future-proof your UTM strategy.

To quote Chris Rodriguez, senior industry analyst for network security at Frost & Sullivan and author of the executive brief that the eBook is based on, “While businesses claim that security considerations drive network planning, the reality is that any security technology that hampers network performance is simply switched off.” This underscores the importance of properly evaluating UTM technologies to ensure these security appliances can deliver the performance you need today, coupled with the flexibility you’ll need tomorrow.

To get you started, here’s a sampling of the three steps that can help future-proof your network security strategy, but for complete tips, checklist and more, download the eBook today:

1. Focus on UTM performance instead of firewall performance. Most vendors promote the performance of the product when used as a stateful firewall. Look for performance with UTM features enabled.
2. Carefully analyze third-party testing data. These tests often compare UTM capabilities when deployed as IPS or in other dedicated security roles, even though UTM products are not designed for a single-function capacity.
3. Consider UTM features for maximum security. These solutions are designed for modularity so that new security features can be added with minimal impact on network performance. Look at features like clustering, which can help future-proof your investment.

Malicious Google Play Apps – Daily Security Byte EP.18

Think you can only get Android malware from third-party sources? Think again! Seemingly legitimate apps on the Google Play market may have infected millions of Android users. Watch today’s Daily Security Byte for details.

(Episode Runtime: 2:16)

Direct YouTube Link: https://www.youtube.com/watch?v=nXgDM6is08g

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Don’t Be ‘fraid of No GHOST; Glibc Vulnerability

GHOST VulnerabilityDuring the blog downtime, observant security practitioners probably read about a serious new vulnerabilities called GHOST, which affects all Linux-based systems to some extent. I actually covered GHOST already, in one of my Daily Security Bytes, but you may have missed it during the downtime. Let me recap the issue here.

GHOST is the name Qualys gave to a newly reported security vulnerability in the very common glibc component that ships with almost all Linux-based software and hardware. If you haven’t heard of glibc, it’s the common GNU C library which contains functions that many Linux program rely on to do common task (such as looking up IP addresses). In a routine audit, Qualys researchers found that part of the gethostbyname() function suffers from a buffer overflow flaw that attackers can use to execute code on your Linux systems.

Because many different Linux application may (or may not) use this glibc function to look up IP addresses, this flaw might get exposed through almost any network service or package. Qualys specifically designed a Proof-of-Concept (PoC) exploit against the Exim email server, which attackers can exploit just by sending email, but they warn that many other Linux packages use the vulnerable function. Some potentially affected packages include:

  • apache
  • cups
  • dovecot
  • gnupg
  • isc-dhcp
  • lighttpd
  • mariadb/mysql
  • nfs-utils
  • nginx
  • nodejs
  • openldap
  • openssh
  • postfix
  • proftpd
  • pure-ftpd
  • rsyslog
  • samba
  • sendmail
  • sysklogd
  • syslog-ng
  • tcp_wrappers
  • vsftpd
  • xinetd
  • WordPress

That said, the  size of the buffer being overwritten is very limited; at only four to eight bytes. This makes it very challenging to actually exploit this flaw in many cases. So while quite a few packages may use the vulnerable function, not all of them actually pose a real-world risk.

It turns out that this particular glibc flaw was discovered and patched over two years ago. If you have glibc 2.18 or higher, you’re not affected. However, at the time it was patched the flaw was considered a bug rather than a security vulnerability, so many Linux distributions didn’t port the glibc update to their distro.

A quick way to check the glibc version on your Linux systems is to type the following command:

ldd --version

If that reports a version lower than 2.18, you need to upgrade. If you’re interested, this blog post has a lot more good information about testing for the flaw. The good news is every major Linux distribution has since updated. If you run Linux systems (especially public servers), I recommend you get your distro’s latest updates to fix this vulnerability.

Also, keep in mind that many hardware devices (often known as the Internet of Things) are actually embedded linux systems, which may need updates as well. Not to mention, some administrators may run Linux software ports on Windows and OS X systems as well. In these cases, it’s possible you might have vulnerable versions of glibc on those non-Linux systems.

Does GHOST Affect WatchGuard Products?

You may know that many WatchGuard product are Linux-based systems, and wonder how this flaw affects them. For the most part, this flaw has little to no impact to most of our products, with a few exceptions. Here are the details:

  • WatchGuard XCS appliances – Not Affected.
  • WatchGuard Wireless Access Points – Not Affected.
  • Dimension v1.3 and higher – Not Affected.
  • Dimension v1.2 and lower – Affected, but Dimension should have already auto-updated. The version of Ubuntu shipping with Dimension v1.2 does use a vulnerable glibc package. However, Dimension auto-updates, and downloads Ubuntu’s latest patches. Since Ubuntu released a patch long ago, your Dimension server should already be patched (as long as you didn’t disable auto-updates).
  • WatchGuard XTM appliances – Affected, but not likely exploitable. XTM Fireware does contain the vulnerable version of glibc. HOWEVER, you are only vulnerable to this issue if a Linux service uses the gethostbyname() funtion. For better security, and IPv6 interoperability, our engineers use the newer getaddrinfo() to resolve hostnames, which is not affected by this vulnerability. We have not found any packages using the vulnerable function, so we believe this flaw has little to no real-world impact on our XTM devices. That said, we have already patched our glibc library, and XTM owners will receive this update in the next scheduled Fireware release. If you’d like to know more about the difference between these functions, I recommend you read this post.
  • WatchGuard SSL VPN appliances - AffectedOur SSL VPN appliance does use the vulnerable library, and is affected by this flaw. We have already patched the flaw internally, and are currently scheduling a release vehicle for the update. I’ll update this post when we know a solid date.

So to summarize. If you use Linux systems, be sure to patch them as soon as you can. Most WatchGuard products aren’t really impacted by this flaw, but we recommend you install firmware updates when we release them. If you want to know more about this interesting and wide-spread issue, I’ve included a few references below. — Corey Nachreiner, CISSP (@SecAdept)

GHOST Vulnerability References:

Microsoft’s Last Patch Day Until 2015; Three Critical Patches

It’s that time of the month again; Microsoft Patch Day. Yesterday, Microsoft posted their regular batch of security updates, so it’s time you patch your Windows systems. I’ll summarize some Patch Day highlights below, but you should visit Microsoft’s December Patch Day Summary page for more details

By the Numbers:

On Tuesday, Microsoft released seven security bulletins, fixing a total of 25 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • and Exchange Server.

They rate three bulletins as Critical, four as Important.

Patch Day Highlights:

The Exchange update is the most interesting one, but lets start with what you should patch first. I’d start with the Internet Explorer (IE) update, as it closes a bunch of holes bad guys can use for drive-by download attacks. Next, even though Microsoft doesn’t rate it as Critical, the Exchange update fixes a few flaws attackers could leverage to access your users’ email (if they can get those users to click links). Since email is so important, I’d take care of that next. Then move on to the various Office updates, to make sure your users aren’t affected by malicious Office documents. Finally, even though it poses minimal risk, finish with the Graphics component update.

Quick Bulletin Summary:

We summarize December’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS14-080 – Critical – Cumulative Internet Explorer update fixes 14 vulnerabilities – The Internet Explorer (IE) update primarily fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC.
  • MS14-075 – Important- Four Exchange Server Vulnerabilities – Microsoft’s email server, Exchange, suffers from four security flaws. The worst are a pair of cross-site scripting (XSS) flaws. If an attacker can trick you into clicking a specially crafted link on a system you use for OWA, he could exploit these flaws to gain access to your email as you. The remaining flaws allow attackers to spoof emails to appear to come from someone else, or to spoof links that appear to link to somewhere else.
  • MS14-081 – Critical – Two Word Remote Code Execution Flaws – Word suffers from two flaws involving how it handles specially crafted Office files. In short, if an attacker can get you to open a malicious Office file, she can exploit these flaws to execute code on your computer.
  • MS14-082 – Important – Office Code Execution Flaw – Word, an Office component, suffers from yet another code execution vulnerability, similar to the two described above. I’m not sure why Microsoft included this is a separate bulletin, with a lower severity, since it seems to have a similar impact and mitigating factors as the flaws above.
  • MS14-083 – Important – Two Excel Code Execution Flaws - Excel suffers from a pair of code execution vulnerabilities attackers could exploit by getting you to interact with malicious spreadsheets.
  • MS14-084 – Important – Windows VBScript Memory Corruption Flaw - The Windows VBScript component suffers from a memory corruption flaw that attackers could leverage through your browser. If an attacker can lure you to a website with malicious code, he could exploit this flaw to execute code with your privileges.
  • MS14-085 – Important – Windows Graphic Component Information Disclosure Flaw - The Graphics component of Windows suffers from a minor flaw that attackers could leverage to learn about the current memory state of your computer. This flaw serves little purpose alone, but could help attackers exploit other memory corruption vulnerabilities easier.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as a soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download December’s full Security Update ISO –  Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8966)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6376)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6375)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6374)
  • WEB Microsoft Graphics Component Information Disclosure Vulnerability (CVE-2014-6355)
  • FILE Microsoft Word Remote Code Execution Vulnerability (CVE-2014-6357)
  • FILE Microsoft Excel Global Free Remote Code Execution Vulnerability (CVE-2014-6360)
  • WEB-CLIENT Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6368)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6369)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6373)
  • EXPLOIT Adobe Flash Player Memory Corruption (CVE-2014-0574)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6327)
  • WEB MIcrosoft Internet Explorer XSS Filter Bypass Vulnerability (CVE-2014-6328)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6329)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6330)
  • FILE Microsoft Excel Invalid Pointer Remote Code Execution Vulnerability  (CVE-2014-6361)
  • WEB-CLIENT Microsoft VBScript Memory Corruption Vulnerability (CVE-2014-6363)
  • WEB-CLIENT Microsoft VBScript Memory Corruption Vulnerability (CVE-2014-6366)
  • FILE Adobe Flash Player opcode pushwith Memory Corruption Vulnerability (CVE-2014-0586)
  • FILE Adobe Flash Player opcode pushscope Memory Corruption Vulnerability (CVE-2014-0585)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

 

Follow

Get every new post delivered to your Inbox.

Join 7,839 other followers

%d bloggers like this: