Windows Updates Fix GDI+, RDP, and TCP Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like XML Core Services)
  • How an attacker exploits them: Multiple vectors of attack, including enticing you to malicious web sites, or into interacting with malicious documents or images.
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as XML Core Services. An attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-036: Two GDI+ Code Execution Vulnerabilities

The Graphics Device Interface (GDI+) is one of the Windows components that helps applications output graphics, to your display or printer. GDI+ suffers from two security flaws. Though they differ technically, the flaws share the same scope and impact, and have to do with how GDI+ handles specially crafted documents or images. If an attack can entice one of your users into viewing a malicious image or document, perhaps embedded in an email or web site, he can exploit either flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer.

Microsoft rating: Critical

  • MS14-033:  MSXML Information Disclosure Vulnerability

Microsoft XML Core Services (MSXML)  is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It often ships with various versions of Windows, and other Microsoft products like Office, SharePoint Server, Groove Server, and Expressions. If you have a Windows computer, you very likely have MSXML.

According to today’s bulletin, MSXML suffers from an information disclosure vulnerability. If an attacker can entice one of your users to a specially crafted web site, or into opening a malicious document, she could invoke MSXML and leverage this flaw to obtain sensitive information from your user’s system. Specifically, the attacker can gain access to some local path information, and your user’s username.

Microsoft rating: Important

  • MS14-031:  TCP Protocol Denial of Service Flaw

As you would expect, the Windows TCP/IP stack is a set of networking protocols that allows your computer to get on the Internet and participate in modern networking. Unfortunately, the Windows TCP/IP stack suffers from an unspecified Denial of Server (DoS) vulnerability involving its inability to properly parse a specially crafted sequence of TCP packets. By sending a sequence of packets, an attacker could leverage this flaw to cause you computer to stop responding, causing a DoS situation. However, the attacker would have to initiate a large number of connections, and have control over the TCP options field of each packet.

Microsoft rating: Important

  • MS14-030:  RDP traffic tampering vulnerability

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network to directly control your desktop. Unfortunately, the RDP component that ships with Windows doesn’t use very robust encryption by default. If an attacker can intercept your RDP traffic in a Man-in-the-Middle (MitM) attack, he could tamper with the RDP session in a way that allowed him to read session information or modify the RDP session. You can enable Network Level Authentication (NLA) to mitigate the risk of this flaw

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking TCP traffic), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Humongous IE Patch Fixes 59 Security Issues

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: Mostly by enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes an update that fixes a whooping 59 new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

The biggest story about today’s IE update is the sheer number of vulnerabilities it corrects. I don’t think I remember a Microsoft update that fixed more flaws than this one. While all 59 of these flaws are technically different, most of them share the same general scope and impact, and involve memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit many of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

The update also includes fixes some information disclosure and elevation of privileges flaws as well, but the memory corruption issues pose the most risk. Technical differences aside, this is a very important IE update that plugs many serious holes in IE. Furthermore, this update also fixes a zero day IE flaw that the Zero Day Initiative (ZDI) disclosed a few weeks ago. You should download and install the IE cumulative patch immediately.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1802)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1800)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1766)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1805)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Seven Security Bulletins Include a Huge IE Update

If there is one day of the month you should really focus on software patching, this is the day. The second Tuesday of the month is both Microsoft and Adobe patch day. If you run a Windows shop, or you use Adobe products on any platform, it’s time for you to get patching!

As they promised, Microsoft released seven bulletins today to fix a wide range of security vulnerabilities in a number of their products, including:

  • Windows and its components,
  • Office (Word),
  • Internet Explorer (IE),
  • and Lync Server.

Microsoft rates two of the bulletins as Critical.

The big news here is the major Internet Explorer (IE) update. Not only does it fix a zero day vulnerability I discussed a few weeks ago, but it corrects a whooping total of 59 security flaws in the popular web browser. If you have Windows computers in your network, you need to patch IE immediately. The second Critical update fixes a Windows graphics component (GDI+) flaw, which attackers can leverage simply by tricking your users into viewing maliciously crafted images.

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can or you can also let Windows’ Automatic Update do it for you. You can find more information about these bulletins and updates in Microsoft’s June Summary advisory.

Adobe’s Patch Day, on the other hand, seems a bit lighter than Microsoft’s. They only released one security update fixing six security flaws in Flash Player. That said, the update fixes some pretty serious vulnerabilities that attackers could exploit just by enticing you to the wrong web site. Be sure to update Flash as well.

I’ll share more details about today’s patches on the blog throughout the day, so stay tuned.  — Corey Nachreiner, CISSP (@SecAdept).

GOZeus Down – WSWiR Episode 110

NSA Facial Recognition, OpenSSL Patch, and Zeus Takedown

It’s that time again. If you have a hankering for the latest InfoSec news, this is the place to get it. You can watch me summarize all of the week’s biggest security stories in one short video.

Today I talk about the NSA scanning the Internet for our pictures, a big OpenSSL security update, and the latest botnet takedown that puts a damper on GOZeus and Cryptolocker. Watch the video for the scoop, and check out the Extras below for other news.

Hope you have a great weekend, and stay safe out there.

(Episode Runtime: 8:33)

Direct YouTube Link: https://www.youtube.com/watch?v=gp46hzT6G1E

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

OpenSSL Patches Six Vulnerabilities, Including a MitM Flaw

OpenSSL CCS InjectionToday, the OpenSSL team released a critical update for their popular SSL/TLS package, which fixes six security vulnerabilities in their product, including a relatively serious Man-in-the-Middle (MitM) flaw. If you use OpenSSL, you should read up on these issues and update OpenSSL immediately. WatchGuard products, like many others that use OpenSSL, are affected by these issues to different extents. Our engineers are diligently working to release patches for these flaws as soon as possible.

OpenSSL is a very popular implementation of the SSL/TLS cryptography protocols, used to encrypt many network communications, including secure web communications. This week, the OpenSSL team released an update that fixes six vulnerabilities, including some publicly reported ones. Combined, the flaws affect all current versions of OpenSSL to some extent.

The flaws differ technically, and in scope and impact. For instance, one is a buffer overflow flaw that could allow attackers to execute code, assuming you use a particular OpenSSL feature (DTLS), while another allows attackers to crash OpenSSL, resulting in a Denial of Service (DoS) situation. However, the flaw recieving the most attention is a MitM vulnerability involving OpenSSL’s ChangeCipherSpec functionality. In short, if an attacker can get between a client and server, both of which have vulnerable versions of OpenSSL, he can exploit this flaw to decrypt SSL communications.

While this sounds fairly serious, there are a number of mitigating factor that lessen the severity of the MitM flaw. While all versions of the OpenSSL client are vulnerable to this issue, only two server versions are vulnerable. Also, very few client programs or devices use OpenSSL to make client connections. For instance, the popular browsers aren’t vulnerable to this issue. Finally, the attacker needs to intercept traffic between the client and server for this attack to succeed. Based on these factors, Android devices running on wireless networks pose the most risk, since Android is one of the platforms that uses the OpenSSL client, and wireless networks make it easier to intercept other’s traffic.

In the end, these flaws are not as severe as the previous Heartbleed vulnerability (attackers could exploit that from anywhere, without intercepting traffic). Nonetheless, we highly recommend OpenSSL administrators install the patch immediately, and start looking for updates from other vendors who use OpenSSL in their own products.

WatchGuard Products – (Updated on Jun-17)

Finally, WatchGuard appliances are affected by some of these vulnerabilities (to varying degrees). Although they do not have the same level of impact as Heartbleed, a broader range of OpenSSL versions are vulnerable. WatchGuard products impacted are:

  • Fireware XTM version 11.3 to 11.9 and associated WSM management software
  • SSL VPN clients for XTM
  • XCS
  • SSL VPN appliance

The level of risk is relatively low, but WatchGuard will release updated versions for all affected software for devices that are under support. Unlike Heartbleed, certificates do NOT need to be updated. Our IPS signature team has also released signatures to address one of the vulnerabilities (CVE-2014-3466) in signature set 4.422. Estimated release dates and version numbers for patched firmware, including SSL VPN clients, are:

  • XCS Hotfix – June 10th for version 10, June 11th for version 9. Posted!
  • 11.3.8 – June 12th (for e-Series devices) – Posted
  • 11.6.8 – June 13th (for XTM 21/22/23 devices) - Posted
  • 11.7.5 – June 12th – Posted
  • 11.8.4 – June 23rd – Posted
  • 11.9.1 – June 24th - Posted

These dates are subject to change depending on outcome of Quality Assurance process. WatchGuard will continue to provide latest information about these vulnerabilities and latest status on release dates in this blog post.

— Corey Nachreiner, CISSP (@SecAdept),  Brendan Patterson, CISSP

 

iPhone Ransom Message – WSWiR Episode 109

Iranian Social Hackers, XP Patch Hack, and iPhone Ransom Notes

Did you have time to follow security mailings lists, check out infosec news sites, or find that latest patches this week? If not, don’t worry. This weekly video blog will cover the top three computer security news items each Friday for you. Subscribe to this blog or the YouTube channel to stay informed.

This episode covers an Iranian hacking campaign where attackers pose journalists on social media sites, shares a tip about a Windows XP registry hack that could give you security updates until 2019, and highlights a recent iCloud attack that attackers are using to hold iPhones for ransom. Click play for the details, and check out the reference section for other stories.

(Episode Runtime: 7:38)

Direct YouTube Link: https://www.youtube.com/watch?v=sa-2RLe_sr4

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

New Releases: Fireware XTM 11.9 and Dimension 1.2

WatchGuard has posted major new software releases this month. We are pleased to announce that Fireware 11.9, WSM 11.9, and Dimension 1.2 are now available to download. WatchGuard’s newest releases give WatchGuard NGFW and UTM appliances – including XTM Series and Firebox T10 models – a host of new features. Highlights include:

APT Blocker – WatchGuard’s newest security module. Networks are vulnerable to advanced malware that relies on highly sophisticated detection evasion to hide their attacks. APT Blocker uses a cloud-based sandbox with full system emulation (CPU and memory) to detect and block advanced malware and zero day attacks that signature-only solutions miss.

WatchGuard Dimension™ is the award-winning security intelligence and visibility solution that is included at no charge with all WatchGuard network security solutions. Dimension 1.2 includes new reports for APT Blocker, performance enhancements, and translation into local languages.

Traffic Management: Fireware 11.9 enables administrators to preserve expensive Internet bandwidth connections for those business-critical applications that truly need it, with the ability to control and limit bandwidth use for applications, application categories, IP addresses, and VLANs.

Gateway Wireless Controller:  A new interactive, graphical wireless coverage map helps administrators to quickly achieve the optimal arrangement and configuration of wireless access points in their buildings.

Plus many, many more enhancements including IPv6 dynamic routing, custom DLP rules, Q-Radar SIEM integration, and custom network zones. Full details including screenshots are provided in the presentations: What’s New in 11.9 and What’s New in Dimension 1.2.

Does This Release Pertain to Me?

This release applies to the Firebox® T10 and all XTM appliances, except XTM 21/21-W, 22/22-W, and 23/23-W appliances. Please read the Fireware 11.9 Release Notes and Dimension 1.2 Release Notes before you upgrade, to understand what’s involved and to see the complete list of all resolved issues and new enhancements in the software.

How Do I Get the Release?

XTM and Firebox T10 appliance owners who have a current LiveSecurity® Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller

Ebay Pwned – WSWiR Episode 108

Ebay Data Breach, IE8 0Day, and Alleged Chinese Hackers

With all the information security (InfoSec) news coming out each week, it’s hard to believe anyone can keep up with it; let alone an already busy IT professional with other things on his plate. If that sounds like you, rather than worrying about finding the most important security news you can let my weekly summary video fill you in.

Today’s episode covers the 145M record Ebay breach, and new zero day Internet Explorer (IE) 8 vulnerability released early by the supposedly good guys, and the Department of Justice’s official charges against five alleged Chinese government hackers. Check out the video below for the details, and peruse the Reference section for links to other InfoSec stories.

If you’re in the USA, enjoy your extended holiday weekend. See you next time…

(Episode Runtime: 8:00)

Direct YouTube Link: https://www.youtube.com/watch?v=Ib7nI1H13P8

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

This Month’s Apple Updates Fix Mavericks and iTunes Security Flaws

As much as Apple would like you to think otherwise, their products are not immune to security vulnerabilities. If you use OS X Mavericks or iTunes, you’d best update.

This week, Apple released two security updates to fix vulnerabilities in OS X Mavericks and iTunes. The updates fix a wide range of vulnerabilities, including memory corruption flaws attackers could use to execute code. If you use OS X Mavericks or iTunes, you should download and install Apple’s updates immediately, or let their automatic Software Updater do it for your.

See the links below for more information about each update:

If you’d like to keep up with Apple’s latest security updates, be sure to bookmark their Security page, and you can find links to all their patches on the Download page.— Corey Nachreiner, CISSP (@SecAdept)

TAO Hijack Routers – WSWiR Episode 107

Tons of Patches, NSA Booby-Trapped Routers, and Alleged Iranian Hackers

If you don’t have time to follow all the information security stories popping up each week, you can let our weekly video and blog post summarize the important stuff for you.

In today’s show, I recite the big list of security patches you need to get this week, talk about how the NSA is intercepting and hacking routers to foreigners, and weigh in on whether or not the security industry is blaming advanced attacks on “nation-state” actors a bit too freely. Press play on YouTube for all the details, and don’t forget to check out the Reference section for links to other interesting InfoSec stories.

Hope you have a great weekend, and be careful shopping online!

(Episode Runtime: 8:25)

Direct YouTube Link: https://www.youtube.com/watch?v=LdOHsV88z4Y

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Follow

Get every new post delivered to your Inbox.

Join 7,524 other followers