Only Four Microsoft Security Bulletins in April

Yesterday, Microsoft released their advanced notification, warning that they plan to release four security bulletins next Tuesday. The bulletins will include patches for Windows, Office, and Internet Explorer, and two have received Microsoft’s Critical severity rating. I suspect the Office updates will include a fix for the recent zero day Word flaw I mentioned in an earlier post.

Also note, April’s Patch Day marks the last time Microsoft will release Windows XP updates. They’ve been warning about XP’s End-of-Life for awhile now, and it’s finally upon us. Though some people think Microsoft’s using the opportunity to force people to upgrade, I believe XP has hung around longer than any operating system before it (13 years), and frankly it’s about time you update. I suspect hackers are holding onto an XP zero day or two, so it may be dangerous to keep it around much longer. That said, WatchGuard will continue to release IPS signatures for any future XP network flaws and AV signatures for XP malware.

In any case, I’ll post details about Microsoft bulletins next week, and if Adobe releases any updates you’ll hear about them here too. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Releases SSL VPN 3.2 Update 1

A critical update has been released for WatchGuard SSL VPN appliances.

The SSL VPN 3.2 Update 1 release includes an updated Java certificate that will prevent certificate expiration warnings each time you use a Java-based access client. The SSL certificate used by the software to sign Java applications expires on 8 April 2014. This release also resolves a compatibility issue with Java version 7u51 and later. It includes many bug fixes which were previously only provided in Cumulative Service Packs (CSPs). The Release Notes list all resolved issues in the software.

Does This Release Pertain to Me?

This release applies to all WatchGuard SSL VPN 100 and 560 appliances. WatchGuard recommends that all SSL VPN customers should deploy this upgrade to avoid unnecessary java warnings.

How Do I Get the Release?

SSL appliance owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. Please read the Release Notes before you upgrade, to understand what’s involved.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Paranoia 2014 – WSWiR Episode 100

Word 0day, Cisco DoS, and Bricked Androids

My weekly InfoSec summary arrives bit late this time due to business travel. Last week, I spoke at Watchcom’s Paranoia conference in Oslo Norway, so I couldn’t post my security news summary until the weekend. Nonetheless, why not start your week off by quickly catching up on last week’s news.

This week’s episode includes a quick summary of the Paranoia show, news of a new Word zero day flaw, information about Cisco IOS updates, and a story about a new android vulnerability attackers can use to brick phones. Check out the video for the details, and scroll down to the Reference section for a few extra stories.

As an aside, I’ll be traveling the next two weeks as well, so my weekly video may show up either earlier or later than normal, due to travel.

(Episode Runtime: 5:27)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Out-of-Cycle Word FixIt Corrects Zero Day Vulnerability

If you’re worried about spear phishing attacks (and if you’re not, you should be), grab Microsoft’s emergency FixIt to mitigate a zero day vulnerability attackers are exploiting in the wild.

In a security advisory released yesterday, Microsoft warned of a zero day vulnerability in Word, which attackers are exploiting in what Microsoft describes as limited, targeted attacks. Apparently, the exploit in the wild targets Word 2010, but the flaw affects other versions of Word as well. Since this is an early advisory, it doesn’t describe the flaw in much technical detail. However, it does mention attackers can trigger the flaw with specially crafted rich text format (RTF) files. If an attacker can entice you to view a malicious RTF in Word, he could exploit this vulnerability to execute code on you computer, with your privileges. If you are an administrator, the attacker gains complete control of your PC.

By default, most current version of Office use Word as Outlook’s email viewer. This mean attackers can trigger this flaw just by getting you to open an RTF attached to an email. According to some on Twitter, simply previewing an email with a malicious RTF triggers the flaw.

While Microsoft hasn’t had time to release a full patch yet, they have posted a FixIt that mitigates the risk of this vulnerability. If you use Office, I highly recommend you install the FixIt as soon as you can. Also, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) can mitigate the risk of any type of memory corruption flaw. In general, I recommend you install EMET on Windows machines to protect them from any zero day, memory-related issues.

I’ll post more details about this flaw during an upcoming Patch Day, when Microsoft releases the final update. In the meantime, if you’d like more information about it you can check out Microsoft’s security blog post— Corey Nachreiner, CISSP (@SecAdept


Operation Windigo – WSWiR Episode 99

MH370 Scams, Google Play DDoSed, and Operation Windigo

Each week I summarize the biggest information security news in a short video, so you don’t have to go searching for it yourself. If you’re interested in the latest infosec updates, be sure to watch each Friday. 

Today’s late episode covers a few cyber security stories around the disappeared MH370 flight, news about a penetration tester downing Google Play, and a report about a cyber attack campaign that hijacked 25,000 Linux servers. Watch the video for the full scoops, and check the Reference section below for more info.

Have a great weekend.

(Episode Runtime: 8:41)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

You Got Your Walking Dead in My Cyber Security

Keep Calm and Eat Pudding

Sometimes two things that don’t seem to go together, make the most magical combinations; things like peanut butter and chocolate, maple and bacon, and even Jon Snow and Ygritte. In hopes of adding to such delightful duos, I have started a new series of security articles trying to uncover another unexpected pairing—information security and pop culture.

What can popular movies, TV shows, books, or video games teach us about cyber security? Maybe nothing, maybe everything. In my new Help Net Security series, I plan to see if your favorite guilty pleasures can uncover any cyber security insights you’d never have expected. Join me for my first article at Help Net Security, where I share eight information security tips I learned from The Walking Dead (TWD).

By the way, if you like the article, or you love The Walking Dead, feel to share some TWD cyber security tips of your own? Come back here and add your own interesting infosec parallels to the comments section below. Feel free to draw parallels to other pop culture media too! — Corey Nachreiner, CISSP (@SecAdept)

NSA’s Turbine – WSWiR Episode 98

Patch Day, Missed Logs, and Snowden’s Latest

What to learn about the latest information security (infosec) news in under eight minutes? You’ve found the right place. Check out my weekly security news summary video below.

This week’s episode covers all the big updates from this month’s Adobe & Microsoft Patch Day, the latest news suggesting Target’s breach could have been averted, and another top secret document leak, detailing how the NSA hacks its targets. Check out the video below for the details, and don’t forget the Reference section for links to other stories. 

Enjoy your weekend, and stay safe!

(Episode Runtime: 8:21)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Shockwave Update Misses Adobe Patch Day

A few days ago, I posted an alert mentioning how Adobe Patch Day was particularly light, and pointing out the one minor Flash Player update. Turns out Adobe had other updates in store for us, they just missed their self-appointed patch day.

Today, Adobe released a Shockwave Player update fixing a single critical Shockwave Player vulnerability. They share almost no technical detail about the flaw, other than it is a memory corruption issue that remote attackers could leverage to execute code on a victim’s computer; presumably by getting them to view or interact with malicious Shockwave content. Though it doesn’t look like attackers are exploiting it in the wild yet, this flaw is quite a bit more severe than the Flash flaws mentioned earlier in the week. Nonetheless, Adobe only assigns them a priority (severity) rating of 2, which means you should update in the next 30 days. I think this is a slightly bigger deal than that, and recommend you update Shockwave as soon as you can. If you are using Adobe’s automatic updater, it should be relatively easy to do so.  — Corey Nachreiner, CISSP (@SecAdept

Fireware XTM 11.8.3 Update Corrects XSS Flaw

Overall Severity: Medium


  • This vulnerability affects: WatchGuard Fireware XTM 11.8.1 and earlier
  • How an attacker exploits it: Either by enticing an XTM administrator into clicking a specially crafted link or by directly interacting with the appliance’s web management UI (requires authentication)
  • Impact: An attacker can execute script in the context of the XTM management web UI, which could allow him to attempt to phish your credentials or gain access to your cookies or session information
  • What to do: Install Fireware XTM 11.8.3 (and limit access to the XTM web management interface)


Recently, we released WSM and Fireware XTM 11.8.3, which delivers many customer requested fixes and enhancements to XTM administrators. It also corrects a web application vulnerability reported to us by William Costa (a security researcher and consultant) via US-CERT’s coordinated disclosure process.

Fireware XTM includes a Web UI, which you can use to manage your XTM appliance through a web browser. One of the parameters in the firewall policy management pages (pol_name) suffers from a reflective cross-site scripting (XSS) vulnerability (CVE-2014-0338), due to it’s lack on input validation. If an attacker can trick your XTM administrator into clicking a specially crafted link, he could exploit this vulnerability to execute script in that user’s browser under the context of the XTM Web UI. Among other things, this could mean the attacker might do anything in the Web UI that your user could do.

However, it takes significant interaction for this attack to succeed. It is a reflected XSS attack, which means the attacker must trick an XTM administrator into clicking a link before the attack can take place (unless the attacker has direct access to the Web UI, and valid credentials of his own). Furthermore, the link does not bypass the Web UI authentication. This means that unless the victim is already logged into the Web UI, she would also have to enter her XTM credentials before this malicious link would work. Despite these mitigating factors, we still recommend you install 11.8.3 to fix this XSS flaw quickly.

We’d like to thank William Costa for discovering and responsibly disclosing this flaw, and thank the US-CERT team for coordinating the disclosure and response. You can find more information about this vulnerability in US-CERT’s vulnerability note

Solution Path:

WatchGuard Fireware XTM 11.8.3 corrects this security issue. We recommend you download and install 11.8.3 to fix this vulnerability. You can find more details about 11.8.3 in our release notes.

If, for some reason, you are unable to update your XTM appliances immediately, a few simple workarounds can significantly mitigate these vulnerabilities.

  • Restrict access to your appliance’s web management UI using the WatchGuard Web UI policy.  By default, our physical appliances do not allow external access to the web management UI; meaning Internet-based attackers can’t directly exploit this XSS flaw. If you like, you can fine-tune our policy even more, further limiting access. For instance, you can restrict access to very specific IP addresses or subnets,  use our user authentication capabilities to restrict access to certain users, or use our mobile VPN options to restrict access to VPN users. The more you limit access to the web interface, the less likely an attacker could directly exploit this flaw. Furthermore, this XSS attack does not bypass authentication. So even if an external attacker had access to your Web UI they’d need valid credentials to directly exploit this issue (making it a moot issue since they’d already have access to the web management interface).
  • Train administrators against clicking unsolicited links. In order to exploit this flaw, and attacker would have to trick one of your administrators into clicking a maliciously crafted link, and then entering his valid XTM management credentials. We recommend you train your XTM administrators about the dangers of clicking unsolicited links, especially ones that connect you to security appliances, and ask for additional authentication.


Are any of WatchGuard’s other products affected?

No. These flaws only affect Fireware 11.8.1 and below running on our XTM appliances.

What exactly is the vulnerability?

A reflective cross-site scripting (XSS) vulnerability (CVE-2014-0338) that could allow an attacker to run malicious script, and possibly gaining unauthorized access to your Web UI, assuming he can trick an administrator into clicking a malicious link.

Do these give attackers access to my XTM security appliance?

Potentially. The XSS vulnerability allows attackers to execute script in the context of your XTM appliance’s web UI. Attackers could leverage this to do many things, including stealing your session cookie, or designing a pop-up window designed to phish your credentials. It is possible the attacker might gain enough information to hijack your web session, or login to the web UI.

How serious is the vulnerability?

The XSS flaws poses a medium to low risk. Though attackers can use reflective XSS flaws to gain access to sensitive information, they require significant user interaction; in this case, both clicking a link and entering your credentials. This mitigating factors lessen the severity of this flaw. However, we still recommend you apply this update to fix it.

How was this vulnerability discovered?

These flaws were discovered by an external security researcher, William Costa, who reported them responsibly through US-CERT‘s coordinated disclosure process. We thank them both for working with us to keep our customers secure.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.

New Release: Fireware XTM 11.8.3 and WSM 11.8.3

WatchGuard is pleased to announce that Fireware XTM OS 11.8.3 and WSM 11.8.3 are now available. The Release Notes list all resolved issues and new enhancements in the software.

Highlights include:

  • An updated Gateway Wireless Controller dashboard in the WebUI now gives you connection information for your AP devices and the clients connected to your AP devices, including manufacturer details.
  • Support for the new Firebox T10
  • A fix for a cross-site scripting vulnerability (CERT VU#807134) in the Web UI
  • Support for  Netgear 341U 3G/4G modem.

Full details including screenshots are provided in the What’s New in 11.8.3 presentation.

Does This Release Pertain to Me?

This release applies to all XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances. If you or your customers need one of the bugfixes or new enhancements we recommend upgrading to the 11.8.3 release. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM appliances owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article”, “Support Alerts”, and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller ?


Get every new post delivered to your Inbox.

Join 7,384 other followers