Tag Archives: apple

Make Sure to Update Your Apple Devices

If you follow my weekly security video, WatchGuard Security Week in Review, you probably already know that Apple released both an OS X and a Safari security update last week. Hopefully, you’ve already applied those two updates, but if not I highly recommend you do so immediately. Among other things, the OS X update includes a Java-related security fix. Lately, cyber criminals have heavily targeted Java in attacks against both Macs and PCs, so it’s important that you apply all Java-related updates as quickly as you can.

This week, Apple also released iOS and Apple TV security updates. These updates fix a number of security issues in these popular products. High on the list of fixed issues was a widely publicized lock screen bypass flaw in iOS, which an attacker with physical access to a lost or stolen phone could exploit to reach the data on it. iOS 6.1.3 fixes that particular lock screen issue, along with a few other vulnerabilities. However, later in the week news emerged of another lock screen flaw that affects the iPhone 4S. So it looks like Apple will have more lock screen related updates in its future.

In any case, if you use Apple devices, you’re probably affected by at least one of these issues. So I recommend you go get the corresponding updates, or let Apple’s automatic update mechanisms do their job. — Corey Nachreiner, CISSP (@SecAdept)

Four Office-related Updates Fix Productivity Software Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Visio Viewer 2010, SharePoint Server 2010, OneNote 2010, and Outlook for Mac
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting malicious URLs
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing vulnerabilities in some of their Office-related productivity packages, including Visio Viewer, SharePoint, OneNote, and Outlook for Mac. We summarize the four security bulletins below, in order of severity:

  • MS13-023: Visio Viewer Code Execution Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from a memory-related code execution vulnerability, having to do with the way it handles specially crafted Visio diagrams. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit this vulnerability to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects the 2010 version of Visio Viewer.

Microsoft rating: Critical

  • MS13-024: Various SharePoint Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They suffer from four different security issues, including a few elevation of privilege flaws, a Cross-Site Scripting vulnerability (XSS), and a Denial of Service (DoS) issue. By either enticing one of your users into clicking a malicious URL, or by inputting a specially crafted URL into a vulnerable SharePoint server, an attacker could exploit the worst of these flaws to gain elevated access to your SharePoint server, allowing him to view or change the documents your user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Critical

  • MS13-025: OneNote 2010 Information Disclosure Flaw

Microsoft OneNote is a digital notebook that provides you a place to easily take notes on your digital device. It ships with most recent versions of Office. OneNote suffers from an information disclosure flaw. If an attacker can entice one of your users into downloading and opening a maliciously crafted OneNote (.ONE) file, she can leverage this flaw to read arbitrary data from your computer’s memory. Depending on what you are doing on your computer at the time, this flaw could allow the attacker to gain access to some of your sensitive information, including usernames and passwords. The issue only affects the 2010 version of OneNote.

Microsoft rating: Important

  • MS13-026: Outlook for Mac Information Disclosure Flaw

Outlook for Mac (the Apple OS X version of Microsoft’s email client) suffers from a relatively minor information disclosure vulnerability having to do with how it previews certain HTML email messages. If an attacker can lure you into opening a specially crafted HTML email, they can verify that your email address is valid and confirm that you previewed the message. At most, this vulnerability may help attackers enumerate valid email addresses for later use in their spam and phishing attacks. However, it does not give attackers any further access to your email messages or computer. For that reason, we believe it poses a fairly low risk.
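Microsoft’s bulletin does not say how the preview pane leaks this information, so the following Python is an added example (not Microsoft’s or WatchGuard’s code, and not a description of the MS13-026 bug itself) of the general mechanism behind every “did they open it?” trick: an HTML message that references a remote resource keyed to the recipient, which a preview pane fetches the moment it renders the message. The sample message, the tracker.example host and the tracking token are constructed for the example. A preview that refuses to fetch remote resources, or fetches them only on explicit request, has nothing to leak.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample message. tracker.example and the rcpt/id values are invented.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Quarterly numbers attached, let me know if you have questions.</p>
<img src="cid:logo@local" alt="company logo">
<img src="http://tracker.example/open.gif?rcpt=alice%40example.com&amp;id=7731" width="1" height="1">
<link rel="stylesheet" href="https://cdn.example/mail.css">
<a href="https://example.com/report">Open the report</a>
</body></html>
"""

# Elements a renderer fetches automatically, and the attribute that carries the URL.
# Anchors are deliberately absent: a link only leaks when the user clicks it.
AUTO_FETCHED = {
    "img": "src", "link": "href", "script": "src", "iframe": "src",
    "video": "src", "audio": "src", "source": "src",
}
REMOTE_SCHEMES = {"http", "https"}


class RemoteResourceFinder(HTMLParser):
    """Collect every remotely hosted resource a preview pane would load."""

    def __init__(self):
        super().__init__()
        self.remote = []  # list of (tag, url, attr_map)

    def handle_starttag(self, tag, attrs):
        url_attr = AUTO_FETCHED.get(tag)
        if url_attr is None:
            return
        attr_map = {name.lower(): (value or "") for name, value in attrs}
        url = attr_map.get(url_attr, "")
        # "cid:" URLs point at MIME parts inside the message; only http(s) leaves the box.
        if urlsplit(url).scheme.lower() in REMOTE_SCHEMES:
            self.remote.append((tag, url, attr_map))


def _collect(html: str) -> list:
    parser = RemoteResourceFinder()
    parser.feed(html)
    parser.close()
    return parser.remote


def find_remote_resources(html: str) -> list:
    """Return [(tag, url)] for every resource that would be fetched from the network."""
    return [(tag, url) for tag, url, _ in _collect(html)]


def find_beacons(html: str) -> list:
    """Narrow the remote list to likely tracking beacons: a URL carrying a query
    string (a per-recipient identifier) or an image sized 1x1."""
    beacons = []
    for tag, url, attr_map in _collect(html):
        has_token = bool(parse_qs(urlsplit(url).query))
        tiny = tag == "img" and attr_map.get("width") == "1" and attr_map.get("height") == "1"
        if has_token or tiny:
            beacons.append(url)
    return beacons


def preview_is_silent(html: str) -> bool:
    """True when rendering the message fetches nothing from the network,
    i.e. the sender cannot learn that it was previewed."""
    return not find_remote_resources(html)


if __name__ == "__main__":
    for tag, url in find_remote_resources(SAMPLE_EMAIL_HTML):
        print(f"remote <{tag}>: {url}")
    print("beacons:", find_beacons(SAMPLE_EMAIL_HTML))
```

The stylesheet is also fetched (and so also confirms the open), which is why a safe preview blocks all remote content rather than only images with suspicious query strings; the beacon heuristic is only there to show which reference carries the recipient-specific token.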

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these vulnerabilities using diverse methods. Though you can configure WatchGuard appliances to block some of the Office documents related to a few of these attacks, and you can leverage our security services to mitigate the risk of malware delivered via these attacks, we cannot protect you against all of them; especially the local ones. We recommend you apply Microsoft’s patches to best protect your network.

That said, our IPS signature team has developed new signatures that can detect and block some of the SharePoint attacks:

  • WEB Microsoft SharePoint Server Callback Function Vulnerability (CVE-2013-0080)
  • WEB Microsoft SharePoint XSS Vulnerability (CVE-2013-0083)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -1 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -2 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -3 (CVE-2013-0084)
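As an added illustration (not WatchGuard’s signature logic, and not a reconstruction of the CVE-2013-0084 or CVE-2013-0083 exploit vectors, which the bulletin does not detail), the following Python scans web server access log lines for the two classes of attack the signatures above are named for: directory traversal in the path or query string, including single- and double-percent-encoded forms, and reflected script injection. The log lines, hosts and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (combined-log style). The hosts, paths and
# payloads are invented for this example and are not real SharePoint requests.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2013:10:01:02 -0700] "GET /sites/team/Shared%20Documents/report.docx HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2013:10:01:07 -0700] "GET /docs/view?path=../../web.config HTTP/1.1" 200 812
10.0.0.9 - - [12/Mar/2013:10:01:09 -0700] "GET /docs/view?path=..%2F..%2Fweb.config HTTP/1.1" 200 812
10.0.0.9 - - [12/Mar/2013:10:01:11 -0700] "GET /docs/view?path=%252e%252e%252fweb.config HTTP/1.1" 200 812
10.0.0.7 - - [12/Mar/2013:10:02:00 -0700] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
10.0.0.8 - - [12/Mar/2013:10:02:30 -0700] "GET /sites/team/Lists/Tasks/AllItems.aspx HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# ".." as a whole segment: preceded by start-of-string, "/", "=", "&" or "?"
# and followed by a separator or the end, so "?path=../x" is caught as well as "/a/../x".
TRAVERSAL_RE = re.compile(r'(?:^|[/=&?])\.\.(?:[/?&#]|$)')
# Crude reflected-XSS markers; enough for a demonstration, not a full XSS filter.
XSS_RE = re.compile(r'<\s*script|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e%252f normalise to '../'."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    # IIS-hosted applications accept "\" as a path separator too.
    return current.replace("\\", "/")


def classify_request(uri: str) -> set:
    """Return the set of attack classes ('traversal', 'xss') seen in one request URI."""
    decoded = decode_fully(uri)
    tags = set()
    if TRAVERSAL_RE.search(decoded):
        tags.add("traversal")
    if XSS_RE.search(decoded):
        tags.add("xss")
    return tags


def scan_log(log_text: str) -> list:
    """Parse each log line and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        tags = classify_request(match.group("uri"))
        if tags:
            findings.append({
                "ip": match.group("ip"),
                "tags": sorted(tags),
                "uri": match.group("uri"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']:<10} {','.join(finding['tags']):<10} {finding['uri']}")
```

The bounded re-decoding loop is the part that matters: a signature that decodes once sees `%2e%2e%2f` in the third request and misses it, while the server behind the proxy may well decode a second time. Run this over a real log only after adjusting LOG_RE to that server’s format.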

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Another Emergency Java Update Fixes Two New Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 15 and earlier, on all platforms
  • How an attacker exploits them: Typically by luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install JRE and JDK 7 Update 17 (or Apple’s OS X update)

Exposure:

Java is a general-purpose programming language, originally developed by Sun Microsystems and now maintained by Oracle, that most users encounter on the web through the Java browser plugin, which runs applets embedded in web pages. Oracle’s Java Runtime Environment (JRE) is the most widely deployed Java runtime.

I’ll keep this short since Oracle has been releasing many Java updates lately. Yesterday, Oracle released yet another emergency Java update to fix two critical vulnerabilities in the popular web plugin. By enticing you to a web site with malicious content, attackers can leverage these flaws to execute code on your computer, with your privileges. If you are an administrator, it’s game over.

Java is very dangerous right now. Attackers are currently leveraging these vulnerabilities in the wild. Other research organizations have also found additional Java vulnerabilities. Cyber criminals are even selling a Java exploit kit on the underground market. In short, this is an extremely important update for Java users. We highly recommend you apply Oracle’s emergency update immediately. In fact, if you can do without Java, I suggest you remove it from your computer.

In related news, Apple has also released a Java update for OS X. Mac users should update Java as well.

Solution Path:

Oracle has released JRE and JDK 7 Update 17 to correct these issues (as well as updates for some legacy versions). If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Remember, attackers have heavily targeted Java lately. If you do not need Java in your organization, I suggest you remove it.
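To find out where you stand before deciding whether to patch or remove Java, the following Python (an added example, not Oracle’s tooling) parses the banner that `java -version` prints and compares the update number against the 7 Update 17 level named in this alert. Two things a practitioner should know: `java -version` writes its banner to stderr, not stdout, and the alert gives no update number for Oracle’s legacy 6 line, so any 6.x install is reported as needing a manual check against Oracle’s patch table rather than compared against an invented number. The banner text in the test is constructed.

```python
import re
import subprocess

# Oracle's banner looks like:  java version "1.7.0_15"   (family 7, update 15)
BANNER_RE = re.compile(
    r'version "(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:_(?P<update>\d+))?'
)

# Minimum update level per Java family as stated in this alert (7 Update 17).
# Legacy families are deliberately left out; they get "check-vendor" below.
MINIMUM_UPDATE = {7: 17}


def parse_java_version(banner: str):
    """Turn the text of `java -version` into (family, update), or None."""
    match = BANNER_RE.search(banner)
    if not match:
        return None
    major, minor = int(match["major"]), int(match["minor"])
    # Pre-9 Java reports "1.<family>.0_<update>"; later releases report "<family>.x.y".
    family = minor if major == 1 else major
    update = int(match["update"] or 0)
    return family, update


def assess(version, minimums=MINIMUM_UPDATE) -> str:
    """'ok', 'outdated', 'check-vendor' or 'not-installed' for a (family, update) pair."""
    if version is None:
        return "not-installed"
    family, update = version
    required = minimums.get(family)
    if required is None:
        return "check-vendor"
    return "ok" if update >= required else "outdated"


def installed_java_version():
    """Run the local `java -version` (which prints to stderr) and parse it."""
    try:
        result = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, timeout=15
        )
    except (OSError, subprocess.TimeoutExpired):
        return None  # no java on PATH, or it hung
    return parse_java_version(result.stderr + result.stdout)


if __name__ == "__main__":
    version = installed_java_version()
    print(f"installed: {version}  status: {assess(version)}")
```

A machine with several JREs (per-user installs, a bundled copy inside an application) will only report the one first on PATH, so treat "not-installed" as "not on PATH" and confirm with the OS package inventory before concluding Java is gone.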

For All WatchGuard Users:

WatchGuard XTM appliances can often help protect you from these sorts of Java vulnerabilities in a number of ways:

  • If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well.
  • WatchGuard constantly develops AV signatures to catch in-the-wild Java exploits. If you use our Gateway AntiVirus (GAV) service, it can protect you from some of these attacks.
  • WatchGuard’s IPS signature writers also develop generic Java signatures, which can block some variants of this attack.
  • WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service can both prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.
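What a proxy’s “block Java applets” rule has to look for, as an added example (not WatchGuard’s proxy code or policy format): the HTML elements and MIME types that cause a browser to start the Java plug-in, plus the Content-Types under which Java code is delivered directly. The sample page is constructed; the CLSID prefixes are the Java plug-in ActiveX identifiers as commonly published, included as an assumption rather than taken from this alert. As the first bullet above warns, such a rule blocks legitimate applets too.

```python
from html.parser import HTMLParser

# MIME types whose presence means the Java plug-in or Java Web Start will be invoked.
JAVA_MIME_PREFIXES = (
    "application/x-java-applet",
    "application/x-java-vm",
    "application/x-java-jnlp-file",
    "application/java-archive",
)
# ActiveX class ids the Java plug-in registers on Windows (assumed values).
JAVA_CLSID_PREFIXES = ("clsid:8ad9c840", "clsid:cafeefac")
JAVA_FILE_SUFFIXES = (".jar", ".class", ".jnlp")

# Constructed sample response body: two Java applets, one Web Start launch,
# one Flash object and one image.
SAMPLE_PAGE = """\
<html><body>
<applet code="Viewer.class" archive="viewer.jar" width="300" height="200"></applet>
<object type="application/x-java-applet" width="1" height="1">
  <param name="code" value="Loader.class">
  <param name="archive" value="loader.jar">
</object>
<embed src="launch.jnlp" type="application/x-java-jnlp-file">
<object type="application/x-shockwave-flash" data="movie.swf"></object>
<img src="banner.png">
</body></html>
"""


class JavaContentDetector(HTMLParser):
    """Record every element that would start the Java plug-in."""

    def __init__(self):
        super().__init__()
        self.hits = []  # list of (tag, reason)

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "").lower() for name, value in attrs}
        if tag == "applet":
            self.hits.append((tag, "applet element"))
        elif tag in ("object", "embed"):
            if a.get("type", "").startswith(JAVA_MIME_PREFIXES):
                self.hits.append((tag, "java mime type"))
            elif a.get("classid", "").startswith(JAVA_CLSID_PREFIXES):
                self.hits.append((tag, "java plug-in classid"))
            elif any(a.get(k, "").endswith(JAVA_FILE_SUFFIXES) for k in ("data", "src", "archive")):
                self.hits.append((tag, "java file reference"))


def find_java_content(html: str) -> list:
    """Return [(tag, reason)] for each Java-launching element in an HTML body."""
    detector = JavaContentDetector()
    detector.feed(html)
    detector.close()
    return detector.hits


def should_block_response(content_type: str, body: str) -> bool:
    """Proxy decision: block Java delivered directly (jar/jnlp responses)
    or embedded in an HTML page."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype.startswith(JAVA_MIME_PREFIXES):
        return True
    if ctype == "text/html":
        return bool(find_java_content(body))
    return False


if __name__ == "__main__":
    for tag, reason in find_java_content(SAMPLE_PAGE):
        print(f"<{tag}> blocked: {reason}")
```

Checking the response Content-Type as well as the page markup matters because an exploit page can hand the browser a JAR or JNLP file without any `<applet>` tag in sight; a filter that only inspects HTML misses that delivery path.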

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


What did you think of this alert? Let us know at lsseditor@watchguard.com.

Need help with the jargon? Try the LiveSecurity Online Glossary.

Apple and Facebook Breaches Result in Multi-Platform Java Updates

If you’re still using Java, you need to patch it yet again—even if you’re using a Mac.

Over the last few days both Facebook and Apple have reported network breaches. In both cases, employees at those companies visited a particular web site that was infected with a zero day Java exploit, which then infected the victims with malware. Though Facebook and Apple admit that they found malware on their systems, both claim that there is no evidence suggesting the attackers stole any sensitive customer data.

With all the zero day Java vulnerabilities we’ve reported recently, this probably doesn’t come as a huge surprise. Attackers are obviously targeting this popular web plugin. Yet, this incident is a very significant admission from Apple. Not only does it prove what security professionals have been arguing for years—that Macs aren’t immune from malware—but it demonstrates that even large enterprises, like Apple, are suffering from cyber attacks.

Attack disclosures aside, both Oracle and Apple have released Java security updates as a result of these attacks. Despite just releasing an earlier Java update this month, Oracle released yet another emergency update on February 19th, fixing five more security vulnerabilities in Java. If you use Java on Windows, Linux, or Solaris computers, you should go get that update immediately. Apple also released their own Java update for OS X today. If you’re a Mac user,  you should also install either Java for OS X 2013-001 or Mac OS X v10.6 Update 13 immediately.

After repeated cases of zero day exploits over the past few months, you’ve probably discerned that Java is very dangerous right now. Apparently, it is rife with security holes, and there is no doubt that attackers have focused their efforts on finding them before Oracle does. I’ve said this before, but if there is any way you can live without Java on your computer, you should remove it. Frankly, this advice is easier said than done. Unfortunately, many business applications (even some security ones) rely on Java to function. These applications may prevent you from removing Java immediately. That said, with the current prevalence of Java attacks, perhaps it’s time to re-evaluate any application that forces Java upon you. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 43 – Tumblr Worm

Tumblr Worm, Spoofed Tweets, and Madcap McAfee

Wow. I knew information security news was picking up over the past few years, but lately it seems like our own little industry reality show, complete with mysterious murders, border-crossing heists, and random heart attacks (not to mention, colorful personalities).

This week’s security news episode covers updates on the John McAfee melodrama, news of a fast-spreading Tumblr worm, and a Twitter SMS spoofing issue that can allow attackers to hijack your tweets. It also informs you about the latest important software vulnerabilities and updates. If you’d like a short video to quickly fill you in on the biggest security headlines from the week, click play below.

Of course if video isn’t your thing, you can also read about these stories using the helpful reference links I’ve provided. I’ve even thrown in a few extra news items for your enjoyment.

Let us know what you think in the comments, and see you next week.

(Episode Runtime: 12:41)

Direct YouTube Link: http://www.youtube.com/watch?v=9Cwvuz_TpXM

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 42 – Vulnerability Markets

Vuln Market 0day, Printer Backdoors, and Downed Internet

We’re back from hiatus. After a two week break, our weekly security news podcast has returned.

This week’s episode covers interesting new malware that leverages new command & control channels or targets specific victims, lots of zero day exploits being sold on vulnerability markets, a security industry murder mystery, and much more. If you’d like the latest information security updates, watch below.

As always, I’ve also included a Reference section, which contains links to all the stories mentioned in the video, as well as a few extra ones. Don’t forget to leave your feedback in our comments section.

Enjoy the show, and see you next week.

(Episode Runtime: 11:41)

Direct YouTube Link: http://www.youtube.com/watch?v=_DW3EcXbFlM

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 41 – Coke Cracked

Coca-Cola Cracked, Fawkes Day Fail, and Lots of Updates

This week’s security news round-up includes a story about an old Coca-Cola network breach, the results of Anonymous’ Fawkes Day fiasco, a little Twitter password hiccup, and lots of software security updates. If you have a little extra time on Fridays to catch up on the latest information security news, watch the video below.

Of course, if you have no time for videos, and would prefer to pick and choose your news items, see the Reference section below for links to all this week’s security headlines.

Show Note: I will be out for vacation starting the middle of next week, so will not be posting any WatchGuard Security Week in Review videos for the next couple of weeks. See you again at the end of November, and stay frosty out there.

(Episode Runtime: 10:42)

Direct YouTube Link: http://www.youtube.com/watch?v=S3LyJUK3MLw

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 38 – miniFlame

Oracle Updates, miniFlame, and Steam Hack

There was once a time when I had to subscribe to many obscure mailing lists, lurk on underground forums and channels, and visit a ton of buried pages at vendor sites to learn about the latest vulnerabilities, exploits, and breaches. That’s no longer the case.

Today, mainstream media reports on more information and network security news every week than most IT administrators can keep up with. Thus, this weekly security news round-up video. We consolidate and concentrate all the most important security stories into one digestible video each week—throwing in some practical security tips along the way.

This week’s episode includes security updates from Oracle and Apple, a new advanced nation-state threat called miniFlame, and a few fun security stories involving popular gaming platforms and zombie apocalypses. Watch the video below for quick highlights, and check out the Reference section for more details.

Thanks for watching, and keep frosty out there.

(Episode Runtime: 11:11)

Direct YouTube Link: http://www.youtube.com/watch?v=hCYaXy5oUnY

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Oracle Issues October CPU and Apple Updates Java

This week, Oracle released their quarterly Critical Patch Update (CPU) for October 2012, as well as a separate Java SE security patch. Apple also released OS X Java updates, in relation to Oracle’s Java patch. I describe all these updates below.

Oracle CPU for October 2012:

Oracle CPUs are collections of security updates, which fix vulnerabilities in a wide range of Oracle products. According to their October CPU advisory, this quarter’s updates fix 109 vulnerabilities in many different Oracle products and suites.

Refer to the table below for more details about the affected products and severity of the flaws:

Product or Suite              Flaws Fixed (CVEs)   Max CVSS
Database Server                5                   10.0
Fusion Middleware             26                   10.0
MySQL                          2                    9.0
Sun Product Suite             18                    7.8
E-Business Suite               9                    6.4
Supply Chain Product Suite     9                    5.5
Financial Service Software    13                    5.5
PeopleSoft Products            9                    4.3
Siebel CRM                     2                    4.3
Industry Applications          2                    4.3
Virtualization Products        2                    4.3

Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 109 vulnerabilities differs greatly, some of them pose a pretty critical risk.

For instance, the updates for Oracle Database Server and Fusion Middleware both fix vulnerabilities with a CVSS score of 10—the highest possible severity rating. One of these flaws allows unauthenticated, remote attackers to potentially gain complete control of your Oracle database server. If you manage any of the affected Oracle products, you’ll want to install the corresponding updates as soon as you can. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert.

Oracle Java SE CPU:

Oracle also released a separate CPU advisory for Java SE, announcing a security update that fixes 30 vulnerabilities in the popular runtime used to run Java applications. Again, Oracle doesn’t describe these flaws in technical detail. They only share their severity. However, they’ve assigned ten of the vulnerabilities the maximum CVSS severity score (10), which typically means that remote attackers can leverage them to gain complete control of your computer. In the case of Java attacks, this typically means enticing you to a web site containing malicious Java code.

Personally, I think this Java update is more important than all the patches in Oracle’s primary CPU, simply because almost everybody has Java installed. Right now, Java is one of the most targeted applications for drive-by download attacks, and every major underground web exploit framework has many Java exploits built-in. If you haven’t already, you should patch Java immediately. You can find more information on where to get the update in the Patch Availability Table of Oracle’s advisory.

In a related note, a while back a researcher found a serious “sandbox escape” vulnerability in Java. This update still does not fix that particular flaw. The good news is that the researcher has not disclosed the technical details of the flaw to the public, so attackers aren’t exploiting it in the wild. Nonetheless, I would still keep an eye out for a patch, since I’m sure blackhat hackers are now searching for it.

Apple Releases Java Updates for OS X:

Finally, yesterday Apple also released Java updates for all current versions of OS X. Apple packages their own version of Java for OS X, probably to make it easier for users to run Java apps. This means when Oracle updates Java, Apple has to update their version separately.

Yesterday’s OS X Java updates fix the same vulnerabilities mentioned in the official Oracle update above, but OS X users need to install Apple’s version of the updates. If you use OS X, download and install Java for Mac OS X 10.6 Update 11 or Java for OS X 2012-006 immediately, or let Apple’s Software Update program do it for you.

As an aside, this update also removes the Java applet plugin from all OS X web browsers. This means when you visit a web page containing a Java applet, the browser will direct you to download Oracle’s Java plugin. While this may cause more work for users, it will also ensure OS X users can get the latest version of Java. In the past, Apple has received flak for updating their version of Java much later than the original Oracle update. This change takes the pressure off Apple. — Corey Nachreiner, CISSP (@SecAdept)

Apple Posts Security Updates for OS X, iOS, and Safari

Severity: High

Summary:

  • These vulnerabilities affect: Apple OS X 10.6.x-10.8.x, Safari 6.0 and below, and iOS 5.1.1 and below.
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files, or visiting malicious websites
  • Impact: Various results; in the worst case, an attacker can execute code with your privileges, and leverage other flaws to elevate to root
  • What to do: Install the appropriate OS X, Safari, and iOS update as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Yesterday, Apple released three security updates to fix many vulnerabilities in OS X, iOS, and Safari (Mac version only). Like the iTunes patch from last week, these updates fix an unusually large number of vulnerabilities. For instance, the iOS update fixes around 197 flaws, many of them in the WebKit component. If you use Mac computers or iOS devices, you should apply these significant updates quickly. I quickly summarize Apple’s three alerts below:

If you paid attention to Apple’s iPhone 5 announcement last week, you may also have been excited about iOS 6, which they posted yesterday. If iOS 6’s new features weren’t enough to sell you on the new firmware, Apple’s iOS 6 security alert should close the deal. According to Apple’s alert, iOS 6 fixes around 197 security vulnerabilities. The flaws differ widely, but attackers can exploit the worst of them to execute arbitrary code on your iOS devices. The attacker only has to lure you to a site containing malicious content, or entice you to interact with some sort of file (whether it be an image, movie, or config file). If you have an iPhone, iPod, or iPad, you should update it to iOS 6 as quickly as possible. See Apple’s security update if you want more details on the individual flaws, including their CVE numbers.
WatchGuard rating: Critical

Apple also released a huge OS X security update to fix vulnerabilities in all current versions of OS X. The almost 700MB patch fixes about 35 (number based on CVE-IDs) security issues in many components that ship as part of OS X or OS X Server, including QuickTime, the Kernel, and BIND. Again, the flaws differ in scope and impact, but the worst allow attackers to execute code with your privileges simply by enticing you into viewing a malicious file or web content. Furthermore, some of the Kernel flaws allow attackers to elevate their privilege, gaining complete control of your computer. If you use a Mac, you should install the update as quickly as you can. See Apple’s alert for more detail on each flaw.
WatchGuard rating: Critical

Finally, Apple also released an update to fix about 60 security flaws in Safari for Mac (Apple seems to have discontinued support for Safari for Windows). Many of these flaws are the same WebKit component issues that Apple recently patched in iTunes. Like those flaws, by enticing you to a web site containing malicious code, attackers can execute code with your privileges. Many of the vulnerabilities are ideal for drive-by download attacks. Again, if you have a Mac, I recommend you patch Safari, even if you don’t use it as your primary browser.
WatchGuard rating: Critical

Solution Path:

Apple has released updates for all these products. If you use Mac computers or iOS devices, you should download and install the updates as soon as you can, or let Apple’s Software Updater do it for you. That said, the OS X update is rather large, and will require a reboot, so plan that update accordingly. Personally, I have had few issues with Apple’s Automatic Updater. I recommend you use the Automatic Updater to download and remind you of patches regularly, at least on your client machines (you may need to plan your OS X server updates more carefully).

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM appliance can help mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Apple’s updates is your best solution.

Status:

Apple has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.
