Another week, another WatchGuard Security Week in Review. While this week wasn’t quite as action packed as last, there’s plenty of security stories to cover in this episode. I summarize them in the  brisk video below (runtime: 6:03 minutes).

If you prefer text to moving pictures, you can also find a quick descriptions of these stories, as well as reference links, underneath the video. Let us know what you think in the comments.

Episode References:

• Anonymous continues their online riot, taking down more recording industry sites, and defacing a US government internet security site:
  • Anonymous takes out CBS.com – PC World
  • Anonymous defaces US government site – TechSpot
  • US-CERT Anonymous DDoS Advisory
• TSA claims Pacific Northwest railways fell victim to a cyberattack:
  • US railway signals disrupted by cyberattack - InfoSecurity
  • DHS later denies the attack - eWeek
• HD Moore discloses security risk with videoconferencing systems:
  • Cameras open boardroom to hackers - New York Times
• Microsoft accuses ex-antivirus employee of creating Kelihos botnet:
  • Botnet maker worked for security companies – Computer World
• Symantec warns customers to stop using PC Anywhere due to vulnerability:
  • Disable PC Anywhere – ZDNet
  • Symantec Advisory
• Google Releases a Chrome security update:
  • Google patches serious Chrome bugs – ComputerWorld
• EXTRA:  Attackers are exploiting recent Windows Media vulnerability (MS12-004). This late breaking story didn’t make the video, but I felt I should include it here:
  • Hackers pounce on Media Flaw – ZDNet

— Corey Nachreiner, CISSP (@SecAdept)

The WatchGuard SSL appliances are easy-to-use, all-in-one, secure, remote access solutions for small to medium-sized businesses. WatchGuard SSL 100 supports up to 100 concurrent users to make secure connections. The SSL 560 appliance supports up to 500 concurrent users. The WatchGuard SSL appliances deliver applications directly to the desktop of your remote employees to provide increased productivity—from anywhere, at anytime.

Highlights of the WatchGuard SSL OS v3.1.2 release include:

• Internet Explorer (IE) 9 support. You can now use IE9 to both configure the appliance’s WebUI and to access resources with the Access Client
• The WebUI performs faster on SSL 100 devices
• The Access Client has been improved to provide greater stability
• Corrected various potential security vulnerabilities
• Remote Desktop single sign-on now works with Windows Server 2008
• The Web UI is now more stable, with improved error and exception handling
•  … and many other fixes — please see the Release Notes for complete details.

If you’re an SSL 100 or 560 appliance owner with an active LiveSecurity subscription, you can upgrade to SSL OS v3.1.2 free of charge.

Does This Release Pertain to Me?

SSL OS v3.1.2 is a scheduled maintenance release. If you have an SSL 100 or 560 appliance, and wish to take advantage of any of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to v3.1.2. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

WatchGuard SSL 100 and 560 owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center, which also includes clear installation instructions. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

• U.S. End Users: 877.232.3531
• International End Users: +1.206.613.0456
• Authorized WatchGuard Resellers: +1.206.521.8375

Fireware XTM v11.3.5 is the newest operating system software release for Firebox X Peak, Core, and Edge e-Series appliances. Fireware XTM v11.3.5 demonstrates a continuing commitment to WatchGuard Firebox X e-Series customers, with a significant number of bug fixes and enhancements. It is primarily a sustaining release that resolves many known issues.

NOTE: There is no new WatchGuard System Manager release to accompany Fireware XTM v11.3.5. You can either use WatchGuard System Manager v11.4.x-v11.5.x or WatchGuard System Manager v11.3.2 to connect to a Firebox e-Series device that runs Fireware XTM v11.3.5, although you must use WatchGuard System Manager v11.4.1 or higher if you want to use the Mobile VPN with IPSec Shrew Soft VPN client.

Some of XTM v11.3.5′s fixes and enhancements include:

• Various authentication enhancements, which improve Active Directory and Radius authentication support.
• Improved PPPOE support in multi-WAN situations
• Blocked Site entries can now accept a /32 subnet mask
• Various FireCluster Improvements
• Fixed a problem that prevented Gateway AV from scanning passive FTP connections
• Various Mobile VPN with SSL improvements which improve the client’s overall interoperability
•  … and many other fixes — please see the Release Notes for complete details.

If you’re an active e-Series LiveSecurity subscriber, you can upgrade to Fireware XTM 11.3.5 free of charge.

Does This Release Pertain to Me?

Fireware XTM 11.3.5 is a sustaining release that contains a significant number of bug fixes and enhancements. If you have any Firebox e-Series appliances, and wish to take advantage of any of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.3.5. XTM appliance owners should not install 11.3.5, but rather stick with 11.5.x. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM series or Firebox e-Series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center, which also includes clear installation instructions. Keep in mind, Fireware XTM 11.3.5 is an e-Series only release, and does not work on more recent XTM appliances. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

• U.S. End Users: 877.232.3531
• International End Users: +1.206.613.0456
• Authorized WatchGuard Resellers: +1.206.521.8375

Welcome to my first ever episode of WatchGuard Security Week in Review. This vlog — which I hope to bring you weekly — is dedicated to quickly summarizing the biggest network and information security stories from each week. When appropriate, I’ll also share quick tips on how you can protect yourself from some of the threats I talk about.

Normally, I plan to post this weekly vlog late Friday. However, I posted last week’s episode a bit late, due to unexpected production issues with my first attempt at making this. I believe I have my production wrinkles ironed out for next time. So expect the next episode this Friday.

You’ll find the first episode below. Let me know what you think by leaving a comment.

Episode References:

• Zappos Breach
  • Zappos Email
  • Sans ISC Diary Post
  • Techspot Article
• Oracle Patch Day
  • Oracle Patch Summary
  • InfoWorld Article
• Middle Eastern Cyberwar
  • Great The Next Web Article on Middle Eastern Cyberwar
• Anonymous Returns (Megaupload Raid)
  • Gizmodo Article
• Koobface Gang Unveiled
  • Zdnet Article
  • DailyMail Article
  • Sophos Blog Post

.  — Corey Nachreiner, CISSP (@SecAdept)

Zappos hasn’t released any technical details about the attack, and I don’t expect them to. If forced to guess, I’d assume it probably originated from some web application flaw, which is a pretty common vector these days. That’s why I often suggest that IT and web administrators focus their security resources on their web applications; both by encouraging secure web coding practices, and by leveraging security controls with application-layer inspection capabilities (such as the HTTP and HTTPS proxies that WatchGuard’s XTM appliances offer). However, that’s not what I’m here to talk about today. Today, I want to talk about passwords.

I’ve talked about passwords many times before, but as a core principle of security (technically part of Authentication), the advice bears repeating. Here are some password-related tips; both general and related to password security breaches:

• Change your password(s) after a security breach – If a site you use ever has a security breach where attackers gain access to passwords (hashed or not), change your password immediately. In Zappos case, they are forcing this advice by terminating old passwords. If you use Zappos, be sure to change your password now, before a bad guy does it for you.
• Use strong passwords – I believe passwords should be greater than 10 characters. One easy way you can create long passwords, with enough entropy, is by using passphrases, or more specifically something I call pass-sentences. WatchGuard’s Bud Logs In video talks about these concepts in more detail (and is good for basic endusers).
• Use different passphrases on different web sites – This is crucial aspect of password security, especially when considering these types of web breaches. If you, like most people, use the same password for many different web sites, the attacker that has Zappos’ password archive now may have your password for all web sites. If you have been using the same password everywhere, not only should you change your Zappos password, but you should change your password on every site (and make it different this time). This breach situation is exactly why experts recommend you use different passwords everywhere. That said, many people find this advice hard to implement in practice; which brings me to the next tip…
• Leverage password vault software – Password vaults make it easier for you to manage multiple passwords securely. They are not perfect. If you use multiple machines and OSs, you may have trouble finding password management software that meets all your needs. Plus, password vaults become a single point of potential failure, as they almost literally store all the keys to your kingdom. It’s extremely important to use secure password vaults, and protect them. That said, they offer the only practical solution to managing multiple passwords today. This article suggests a few good ones to use (I have used 1password myself).

• This vulnerability affects: Adobe Reader and Acrobat X 10.1.1 and earlier, on Windows, Mac, and UNIX computers
• How an attacker exploits it: By enticing your users into viewing maliciously crafted PDF documents
• Impact: An attacker can execute code on your computer, potentially gaining control of it
• What to do: Windows users should install Adobe’s Reader and Acrobat X 10.1.2 or 9.5 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

During yesterday’s Patch Day, Adobe released one security bulletin describing six vulnerabilities in Adobe Reader and Acrobat X 10.1.1 and earlier, running on all supported platforms.  Adobe doesn’t describe these flaws in much technically detail, but most of them involve memory corruption issues within Reader and Acrobat components. If an attacker can entice you into opening a specially crafted PDF file, he can exploit these types of issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of you machine.

In a previous post, we described an out-of-cycle Adobe update that fixed two zero day vulnerabilities in Reader and Acrobat 9.4.6 and earlier. Those zero day flaws also affect Reader and Acrobat X. However, Adobe decided not to releases the X updates at the time, since they believe that X’s built-in protection mechanisms would prevent attackers from exploiting the flaws in the real world. Today’s Reader update also corrects those two outstanding issues in Reader and Acrobat X.

UPDATE: Now that Adobe has released their official bulletin, independent researchers and organizations are sharing their details about these Adobe flaws, which often include more technical depth about the issues.  If you’re a technically-minded security professional who likes to know more specifics, I’d recommend you follow some of the security mailing lists (such as FullDisclosure or Security Focus), where you may find more detailed alerts about the individual vulnerabilities like this one.

Solution Path

Adobe has released Reader and Acrobat X 10.1.2 (and 9.5 for legacy users) to fix these vulnerabilities. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

• Adobe Reader X 10.1.2
  • For Windows
  • For Mac
• Adobe Acrobat X 10.1.2
  • Standard and Pro for Windows
  • Pro Extended for Windows
  • Pro for Mac

For All WatchGuard Users:

Many WatchGuard Firebox models can block incoming PDF files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PDF files are not absolutely necessary to your business, you may consider blocking them using the Firebox’s HTTP and SMTP proxy until the patch has been installed.

Keep in mind, our Gateway Antivirus (GAV) service does scan PDF files for malware. In many cases, simply enabling our GAV service will protect you from these well known, public threats.

If you decide you want to block PDF documents, follow the links below for instructions on using your Firebox proxy’s content blocking features to block .pdf files by their file extension:

• XTM Appliance with WSM 11.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP Proxy?

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy

• Firebox X Core and X Peak running Fireware 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy?

Status:

Adobe has released patches to correct these vulnerabilities.

References:

• Adobe January 2012 Reader and Acrobat Security Bulletin

This alert was researched and written by Corey Nachreiner, CISSP.

Severity: High

Summary:

• These vulnerabilities affect: All current versions of Windows and components that ship with it
• How an attacker exploits them: Multiple vectors of attack, including  enticing your users to download and open malicious media, documents, or other files.
• Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released six security bulletins describing seven vulnerabilities affecting Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS12-004: Two Windows Media Code Execution Flaws
  

Windows ships with media rendering components, such as Windows Media Player and DirectShow, to allow users to play various types of multimedia. Unfortunately, these two Windows Media components suffer from code execution vulnerabilities. Though the flaws differ technically, and affect separate components, they share a similar scope and impact. By enticing you to open a specially crafted media file, an attacker can exploit these flaws to execute code on your user’s computer, with that user’s privileges. Since typical Windows users tend to have local administrative privileges, attackers can often exploit these types of flaws to gain complete control of your machine.

Microsoft rating: Critical

• MS12-001: Windows Kernel SafeSEH Bypass Vulnerability

Over the years. Microsoft has introduced various Data Execution Prevention (DEP) mechanisms into Windows, which are designed to make it more difficult for attackers to leverage memory corruptions vulnerabilities, such as buffer overflow attacks. Without going into too much technical depth, these DEP mechanisms generally make it more difficult for attackers to inject and execute shellcode from memory locations typically reserved for non-executable data. SafeSEH is just another DEP-related mechanisms that tries to prevent attackers from hijacking Windows’ Structured Exception Handler (SEH) during a buffer overflow attack. Unfortunately, an external researcher discovered a way to bypass Windows’ SafeSEH security mechanism. In itself, this security bypass flaw is not a direct vulnerability in Windows. In other words, an attacker can’t directly leverage it to gain control of your computer. However, if an attacker were to discover a new buffer overflow vulnerability in Windows, this SafeSEH flaw would make it easier for the attacker to bypass Windows’ DEP protections, and exploit the buffer overflow attack.

Microsoft rating: Important

• MS12-002: Code Execution Vulnerability in Windows Object Packager
  

According to Microsoft, the Windows Object Packager is “a tool that can be used to create a package that can be inserted into a file.” As that definition is quite vague, we prefer the one found in PC Magazine’s glossary, which relates the Object Packager to Object Linking and Embedding (OLE); a Microsoft technology which allows you to embed one Microsoft document within another. In any case, the Windows Object Packager suffers from an unspecified implementation flaw, which attackers can leverage to trick users into accidentally running potentially malicious executable files. By enticing you to open a seemingly legitimate file containing a specially packaged object from the same share or network location as a malicious executable file, an attacker can force you to run that executable file even though you didn’t specifically interact with it. This Object Packager flaw only affects Windows XP and Server 2003.

Microsoft rating: Important

• MS12-003: CSRSS Elevation of Privilege Vulnerability
  

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from a local privilege elevation issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important.

• MS12-005: Microsoft ClickOnce Code Execution Flaw
  

Microsoft ClickOnce is a deployment technology that makes it easy for developers to create self-updating windows applications that are easy to install. Unfortunately, it turns out ClickOnce applications are much to easy to install. Microsoft has not included ClickOnce files in the Windows Packager’s unsafe file type list. As a result, if you open a specially crafted Office documents containing a ClickOnce application, the application runs automatically. Attackers can leverage this flaw to trick your users into accidentally installing malware by simply opening innocuous looking documents.

Microsoft rating: Important.

• MS12-006: SSL/TLS Protocol Vulnerability (BEAST Attack)
  

Last September, researchers at the Ekoparty Security Conference demonstrated the BEAST SSL/TLS attack. BEAST stands for Browser Exploit Against SSL/TLS and takes advantage of vulnerabilities in the  SSL/TLS protocol to intercept and decrypt HTTPS requests. This The Register article contains a fairly good high-level summary of the BEAST tool and this attack. Microsoft’s MS12-006 update mitigates this SSL/TLS protocol vulnerability.

Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

In the past, we’ve shared individual links for all the updates from Microsoft’s security bulletins in our own alert. However, Microsoft does an excellent job of providing and organizing these update links in their own bulletins. In the future, rather than providing these update links individually, we will refer you to the “Affected and Non-Affected Software” section of the individual Microsoft’s bulletins. Feel free to let us know if you don’t like this change in the comments section of this post.

The links below should take you directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links for the various updates:

• MS12-004
• MS12-001
• MS12-002
• MS12-003
• MS12-005
• MS12-006

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. Furthermore, WatchGuard’s proxy policies can block some of the content necessary to exploit some of these flaws. That said, our appliances cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS12-001
• Microsoft Security Bulletin MS12-002
• Microsoft Security Bulletin MS12-003
• Microsoft Security Bulletin MS12-004
• Microsoft Security Bulletin MS12-005
• Microsoft Security Bulletin MS12-006

This alert was researched and written by Corey Nachreiner, CISSP.

As they forewarned in their advanced notification last week, Microsoft released seven security bulletins today, which include six updates for Windows and one update for a Microsoft development tool (specifically an AntiXSS library). They only rate one of the Windows bulletins as Critical, but some of the Important bulletins also fix significant flaws that could allow attackers to execute code (though with more user interaction or difficulty).

One noteworthy aspect of today’s Patch Day is that two of the bulletins fix flaws within some Microsoft security mechanisms. One update fixes a flaw in SafeSEH, a Windows security mechanism that makes it more difficult for attackers to leverage buffer overflow or memory corruption flaws. Another bulletin fixes an information disclosure flaw in AntiXSS, a developer library that Microsoft offers to ASP.NET coders. AntiXSS is essentially an encoding library that helps web developers sanitize user input in their web applications. Sanitizing such input helps prevent your web application from suffering from cross-site scripting (XSS) vulnerabilities.

Though I find the security mechanism issues more interesting, the most severe bulletin in today’s batch corrects two serious issues in Windows’ media handling components. By enticing you to play maliciously crafted media, and attacker could exploit these issues to execute code on your computer, potentially gaining full control of it.

You can learn more about today’s updates in Microsoft’s January summary bulletin, which lists the bulletins from the most to least severe. Microsoft’s severity ratings seem right on to me, this month, so I recommend you apply the updates in that order. As is normally the case with Microsoft updates, you should probably test the patches before deploying them in your production network — especially ones that affect your production servers.

I’ll post a more detail, consolidated Windows alert here, shortly. However, I’ll probably not post a detailed alert about the AntiXSS update,  since I suspect few of our readers and customers use it. That said, if you are a security minded ASP.NET developer that does leverage this library, you should definitely refer to Microsoft’s bulletin for its patch.

NOTE: Today is technically Adobe Patch Day as well, and they have released a security bulletin concerning Reader and Acrobat. We’ll post a more detailed alert about this Reader update too, but concerned Adobe users can download and install it now. Just refer to the Solution section of this bulletin. – Corey Nachreiner, CISSP

According to their advanced notification post, Microsoft plans to release seven security bulletins on Tuesday, January 10. Six of the bulletins fix flaws in Windows or its components, while the remaining bulletin corrects vulnerabilities in one of Microsoft’s developer tools. Microsoft only rates one of the Windows bulletins as Critical, while the rest are Important.

Microsoft Patch Day has become a bit routine over the years (which is a good thing for a patch cycle), but this one does have a slightly noteworthy addition. One of the Important Windows bulletins fixes a “Security Feature Bypass” vulnerability. These types of vulnerabilities don’t really let attackers gain control of your systems, they just bypass security features that might make it easier for attackers to exploit other flaws. As a security professional, I tend to find flaws in security systems interesting as we can learn from them as an industry (similar to the way that mathematicians hammering public crypto algorithms can result in stronger encryption systems).

As usually, I’d apply Microsoft’s Critical patches first. Lately, the order of severity Microsoft has reported in their summaries has matched mine. So I recommend following their order. As usual, we do recommend testing production server updates before applying them, though you can probably get away with allowing clients to auto-update (the quicker the better, as long as it doesn’t break anything).

I’ll be able to share more details about Microsoft’s bulletins next Tuesday. Make sure to check back here then.

UPDATE:

Today, Adobe also released a pre-notification alert for their upcoming patch day. You can read it here. In short, they too plan to release updates next Tuesday, for Reader and Acrobat . Among other things, the updates will include outstanding fixes related to the zero day Reader issue we talked about last month. — Corey Nachreiner, CISSP (@SecAdept)

Over the years, legitimate web sites have increasingly been hijacked, and booby-trapped with malicious code. If you visit such a site with an unpatched system, your computer may automatically and silently download and install some nasty malware. Lately, attackers have often hijacked thousands of web sites at once. What’s to blame for these mass web hijacks? More often than not; automated SQL Injection (SQLi).

According to researchers at SANS, an automated SQL injection (SQLi) attack dubbed Lilupophilupop has infected over one million websites (the strange name is based on a malicious domain the attack references). This latest bout of automated SQLi attacks targets Microsoft web frameworks (IIS servers using ASP.NET, with a MSSQL backend), and first surfaced in early December. Back then, the attack had only affected a handful of sites. However,  SANS’ latest research shows that it has spread to just over a million web sites today.

If you’d like to know more about this attack, you can find details about it, including the malicious SQL string it uses, in SANS’ early December post. That post also shares tips to help IIS administrators and web developers identify vulnerable pages on their site. It’s well worth a read.

In general, the best way to protect yourself from these sorts of web application attacks (whether automated or not)  is to have your developers learn how to follow secure coding practices for web applications. The Open Web Application Security Project (OWASP) is a fantastic resources for web developers to learn these practices. That said, sometimes the web frameworks you rely on will have their own vulnerabilities, which you can’t avoid (until you can patch). That’s why having a security appliance that can do application-layer security inspection, and has strong IPS, doesn’t hurt either.

As an aside, SQLi is a class of attack that many IT professionals have heard of conceptually, but some may not really get technically. Below, I’ve posted a demo video I created for one of my security presentations. It illustrates a very simple, manual SQLi attack. I use this simple SQLi example to help illustrate the concept behind them. You should check it out if you want a better idea how they can work.  Do know, however, today’s modern websites don’t suffer from such obvious examples of SQLi vulnerability as the one I demonstrate in this video. Modern websites still often suffer from SQLi flaws,they are just found in more complex places within today’s web applications. — Corey Nachreiner, CISSP (@SecAdept)