Tag Archives: buffer overflow

Trio of Windows Bulletins Correct Moderate Vulnerabilities

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows or components often packaged with it (like the .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or running malicious programs locally
  • Impact:  Varies, ranging from a remote Denial of Service (DoS) attack to local attackers gaining complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that describe six vulnerabilities affecting Windows or components related to it (like the .NET Framework). They only rate these bulletins as Important, due to limited impact or mitigating factors. Each of these vulnerabilities affects different versions of Windows to varying degrees. In the worst case, a local attacker could exploit one of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates at your earliest convenience.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

The HTTP Protocol Stack (HTTP.sys) is a Windows component that listens for and handles HTTP requests before passing them to a web server like IIS. It suffers from a Denial of Service (DoS) vulnerability having to do with its inability to properly handle HTTP requests with specially malformed headers. By sending a specially crafted HTTP request, a remote attacker can leverage this flaw to cause your system to stop responding. While this sort of DoS attack doesn’t result in any breach or data loss, attackers can leverage it to knock your public web server offline, which could have significant business implications. You should download, test, and deploy Microsoft’s HTTP.sys update as soon as possible.

Microsoft rating: Important

  • MS13-040: Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. The .NET Framework component suffers from two new security vulnerabilities.

The first issue is an XML digital signature spoofing vulnerability. XML files can contain digital signatures, which .NET applications can use to verify the integrity of XML files (ensuring they haven’t been improperly modified). However, the .NET Framework component (CLR) responsible for validating these signatures doesn’t do it right. As a result, attackers can modify the contents of an XML file without invalidating the signature. The impact of this flaw depends on if and how your custom .NET applications leverage this functionality.

The second issue is an authentication bypass vulnerability. The Windows Communication Foundation (WCF) is essentially a set of .NET APIs that developers can use to make applications that communicate securely with one another. However, WCF suffers from an authentication bypass flaw. By sending specially crafted packets, an attacker could gain unauthenticated access to computers that run WCF services. The impact of this bypass depends on your custom .NET application. If your custom application gives your users access to sensitive data, then it can pose a significant risk. If you install the .NET Framework, you should download, test, and install Microsoft’s update as soon as you can.

Microsoft rating: Important

  • MS13-046: Kernel-Mode Driver Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from three new local elevation of privilege flaws. They all differ technically, but share the same basic scope and impact. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computer (or cause it to become unstable). However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of these vulnerabilities.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows and .NET Framework patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

  • WEB Microsoft Windows 2012 Server HTTP.sys Denial of Service Vulnerability (CVE-2013-1305)
  • EXPLOIT Microsoft XML Digital Signature Spoofing Vulnerability (CVE-2013-1336)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Windows Updates Fix a Wide Range of Security Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and some of the components that ship with it (such as DirectShow and the .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets, luring users to view malicious media or email, and so on
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released eight security bulletins that describe around 39 vulnerabilities affecting Windows or components related to it, such as the .NET Framework and DirectShow. Each of these vulnerabilities affects different versions of Windows to varying degrees.

A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-011: DirectShow Media Decompression Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams and files. It suffers from an unspecified vulnerability having to do with how it handles specially crafted media. By getting your users to interact with malicious media, an attacker could leverage this flaw to execute code on that user’s computer, with the user’s privileges. Attackers might lure users to their booby-trapped media by linking it as a direct download, embedding it in a document, or by hosting it as a malicious media stream.

Microsoft rating: Critical

  • MS13-020: Windows XP OLE Automation Vulnerability

Object Linking and Embedding (OLE) Automation is a Microsoft protocol which allows one application to share data with, or control, another application. It suffers from an unspecified remote code execution flaw having to do with how it parses maliciously crafted RTF files. If an attacker can convince you to open or preview a specially crafted RTF file in Windows, he could exploit this flaw to execute code on your machine, with your privileges. If you have administrative rights, the attacker would gain complete control of your computer. This flaw only affects Windows XP.

Microsoft rating: Critical

  • MS13-014: NFS Server DoS Vulnerability

Network File System (NFS) is an industry-wide protocol for sharing files and directories over a network. Windows Server software ships with NFS support to share files in mixed Unix and Windows environments.

Windows’ NFS service suffers from something called a null dereference vulnerability, which attackers can leverage to cause a Denial of Service (DoS) condition on Windows servers. By attempting to rename a file or folder on a read-only share, an attacker could exploit this flaw to cause the server to stop responding or crash. However, a few factors mitigate the severity of this issue. Specifically, the flaw only affects servers with the NFS role enabled; the attacker needs access to an NFS share and legitimate credentials; and finally, most administrators don’t allow NFS access through their firewall.

Microsoft rating: Important

  • MS13-015: .NET Framework EoP Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.

The .NET Framework suffers from a technically complex elevation of privilege (EoP) vulnerability, where it unnecessarily elevates the permissions of a callback function when a .NET application creates a particular object. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit this flaw to execute code on that user’s computer with full system privileges. This flaw can also affect non-web .NET applications, which an attacker runs directly on a system. The good news is most versions of IE will either block or warn you about the particular web content (XBAP) attackers use to leverage this flaw, which significantly mitigates its risk.

Microsoft rating: Important

  • MS13-016: Multiple Kernel-Mode Driver Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from 30 race condition vulnerabilities. The vulnerabilities differ technically but share the same scope and impact. By running a specially crafted program, a local attacker can leverage any of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of these issues.

Microsoft rating: Important

  • MS13-017: Kernel Elevation of Privilege Vulnerability

As mentioned above, the kernel is the core component of any computer operating system. The Windows kernel suffers from three vulnerabilities (two race conditions), which attackers can leverage to elevate their privilege. By running a specially crafted program, a local attacker could exploit this flaw to gain complete control of your PC. However, the attacker would first need to gain local access to your Windows computer using valid credentials.

Microsoft rating: Important

  • MS13-018: Windows TCP/IP Stack DoS Vulnerability

As you would expect, the Windows TCP/IP stack is a set of networking protocols that allows your computer to get on the Internet and participate in modern networking. Unfortunately, the Windows TCP/IP stack suffers from a DoS vulnerability involving the way it parses specially crafted packets. In short, an attacker can lock or crash a Windows computer simply by sending it a sequence of specially crafted packets. Though Microsoft only rates this update as Important, attackers could repeatedly exploit it against your public Windows servers, essentially knocking them offline. This could have serious implications for essential production servers. We recommend you test and apply this update immediately.

Microsoft rating: Important

  • MS13-019: CSRSS Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from a local privilege elevation issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows, DirectShow (quartz.dll), and .NET Framework patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed new signatures that can detect and block the DirectShow Media Decompression and OLE Automation vulnerabilities. Your XTM appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Windows Updates Include .NET and MSXML Fixes

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that often ship with it (like XML Core Services and the .NET Framework). Some vulnerable components also affect Office and Server Software products.
  • How an attacker exploits them: Multiple vectors of attack, ranging from sending malicious print jobs to luring victims to malicious web pages.
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released six security bulletins that describe 11 vulnerabilities affecting Windows or components related to it, such as the .NET Framework and XML Core Services (MSXML). Each of these vulnerabilities affects different versions of Windows to varying degrees. One of the component vulnerabilities (MSXML) also affects other Microsoft products, including Office, SharePoint Server, and Microsoft Expression.

A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-001: Print Spooler Remote Code Execution Vulnerability

The print spooler is a Windows service that manages printing. It suffers from an unspecified vulnerability having to do with its inability to handle specially crafted print jobs. By sending a specially crafted print request, an attacker can exploit this flaw to execute code on a Windows computer with full system privileges. That said, most administrators do not allow the ports necessary for Windows printing through their firewall. By default, a WatchGuard XTM appliance will block Internet-based attackers from leveraging this flaw, so it primarily poses an internal threat.

Microsoft rating: Critical

  • MS13-002: Two MSXML Remote Code Execution Flaws

Microsoft XML Core Services (MSXML) is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It often ships with various versions of Windows, and with other Microsoft products like Office, SharePoint Server, Groove Server, and Expression. If you have a Windows computer, you very likely have MSXML, and you need to update if you use any of the aforementioned products.

According to today’s bulletin, MSXML suffers from two vulnerabilities – likely memory corruption flaws, but Microsoft doesn’t specify – which remote attackers could leverage to execute code on vulnerable computers with the privileges of the currently logged-in user. An attacker would only have to lure you to a web site containing malicious XML content for his attack to succeed. Since most Windows users have local administrative privileges, this sort of attack often gives the attacker complete control of their computers.

Don’t forget, attackers often booby-trap legitimate web sites with drive-by download code. So it’s possible you could encounter attacks leveraging this sort of vulnerability when visiting perfectly legitimate web sites. We recommend you patch quickly to avoid these sorts of attacks.

Microsoft rating: Critical

  • MS13-004: Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.

The .NET Framework component suffers from four new security vulnerabilities. The flaws differ in scope and impact, and include an information disclosure issue and three elevation of privilege vulnerabilities, two of which are due to buffer overflow flaws. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit the worst of these flaws to execute code on that user’s computer with full system privileges. These flaws can also affect non-web .NET applications, including custom ones you may have developed in-house. In short, if you’ve installed the .NET Framework on any of your servers or clients, you should update them as quickly as possible.

Microsoft rating: Important

  • MS13-005: Kernel-Mode Driver Elevation of Privilege Flaw

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from a new local elevation of privilege flaw having to do with how it improperly handles window broadcast messages. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

  • MS13-006: Windows SSLv3/TLS Degradation Attack

The Secure Socket Layer and Transport Layer Security (SSL/TLS) protocols are responsible for helping computers establish secure connections over networks. For instance, SSL/TLS is what you use when connecting to secure web sites. Like all operating systems, Windows ships with the components necessary to handle SSL/TLS connections.

According to Microsoft’s bulletin, the SSL/TLS implementation that ships with most versions of Windows suffers from what they call a “Security Feature Bypass vulnerability.” Windows supports SSLv3, which includes the latest encryption ciphers. However, if an attacker can perform a Man-in-the-Middle attack on your SSL traffic, he can inject maliciously crafted traffic that forces Windows to downgrade to SSLv2. This doesn’t give the attacker immediate access to the SSL encrypted traffic, but it theoretically makes it easier to crack the SSL encryption, since SSLv2 supports weaker ciphers. Since this attack is relatively difficult to carry out, and doesn’t result in any true decryption of the SSL communication, we believe it poses a relatively low risk in the real world. Of course, we still recommend you patch it.

Microsoft rating: Important

At the highest level, the Open Data (OData) protocol is a standard that web applications can use to query and update data. In short, it’s like the many other protocols developers might use to get a web application to interact with a database. The OData component that ships with the .NET Framework suffers from a Denial of Service (DoS) vulnerability. By sending specially crafted HTTP requests, an attacker can leverage this flaw to disrupt your web server, preventing visitors from accessing it. Any IIS web server that includes the .NET Framework and has the Windows Communication Foundation (WCF) services installed is vulnerable to this DoS flaw, as is any Windows Server 2012 with IIS and the Management OData IIS Extension installed.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows, .NET Framework, and XML Core Services patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a new signature that can detect and block the OData DoS vulnerability against IIS servers with the .NET Framework. Your XTM appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Shockwave Update Corrects Five Buffer Overflows

Summary:

  • This vulnerability affects: Adobe Shockwave Player 11.6.7.637 and earlier, running on Windows and Macintosh computers
  • How an attacker exploits it: By enticing your users into visiting a website containing malicious Shockwave content
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (11.6.8.638) of Adobe Shockwave Player as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on hundreds of millions of PCs.

In a security bulletin released this week, Adobe warned of six vulnerabilities that affect Adobe Shockwave Player 11.6.7.637 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail, though it does say that five of them are buffer overflow vulnerabilities, and the last is another memory related flaw. All six of the security flaws have the same impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version at your earliest convenience.

Solution Path

Adobe has released Shockwave Player version 11.6.8.638 to fix these security flaws. If you use Adobe Shockwave in your network, we recommend you download and deploy the updated player as soon as possible. You can get it from the link below.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Shockwave content. Keep in mind, doing so blocks all Shockwave content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Shockwave files:

File Extension:

  • .swf – Adobe Shockwave files

MIME types:

  • application/x-shockwave-flash
  • application/x-shockwave-flash2-preview
  • application/futuresplash
  • image/vnd.rn-realflash

FILExt.com reported Magic Byte Pattern:

  • Hex: 46 57 53

(We believe this pattern is too short, and thus prone to false positives. We don’t recommend you use it.)

If you decide you want to block Shockwave files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.
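To make the three identification methods concrete, here is an added example (not WatchGuard’s code, and not how the XTM proxy is configured) that classifies a downloaded object by the extension, MIME types and 46 57 53 magic pattern listed above. It also goes one step beyond the alert: because the bare three-byte pattern matches any body that happens to start with “FWS”, the stricter check additionally validates the SWF header layout (3-byte signature, 1-byte version, 4-byte little-endian file length), which an ordinary text file will not satisfy. The sample inputs are constructed here for the demonstration.

```python
"""Classify HTTP objects as Shockwave content using extension, MIME type
and magic bytes, and show why the bare 3-byte pattern over-matches."""
import struct
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Identifiers as listed in the alert.
SHOCKWAVE_EXTENSIONS = {".swf"}
SHOCKWAVE_MIME_TYPES = {
    "application/x-shockwave-flash",
    "application/x-shockwave-flash2-preview",
    "application/futuresplash",
    "image/vnd.rn-realflash",
}
# The FILExt.com pattern: hex 46 57 53 is the ASCII string "FWS".
FWS_MAGIC = bytes.fromhex("465753")


@dataclass
class Verdict:
    block: bool
    reasons: list = field(default_factory=list)  # which checks matched


def ext_matches(url: str) -> bool:
    """Match on the URL path's extension, ignoring query strings and case."""
    path = urlsplit(url).path.lower()
    return any(path.endswith(ext) for ext in SHOCKWAVE_EXTENSIONS)


def mime_matches(content_type: str) -> bool:
    """Match on the media type, dropping parameters such as '; charset=...'."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime in SHOCKWAVE_MIME_TYPES


def magic_matches_naive(body: bytes) -> bool:
    """The bare 3-byte pattern: any body starting with 'FWS' matches."""
    return body.startswith(FWS_MAGIC)


def magic_matches_strict(body: bytes) -> bool:
    """Require the SWF header shape, not just the signature.

    Not from the alert: an uncompressed SWF starts with 'FWS', then a
    one-byte version, then a uint32 little-endian file length that equals
    the file's real size. Random text beginning with 'FWS' fails this.
    Note that compressed SWFs start with 'CWS' or 'ZWS', so neither this
    check nor the bare pattern will ever match them.
    """
    if len(body) < 8 or not body.startswith(FWS_MAGIC):
        return False
    (declared_len,) = struct.unpack_from("<I", body, 4)
    return body[3] != 0 and declared_len == len(body)


def classify(url: str, content_type: str, body: bytes,
             strict_magic: bool = True) -> Verdict:
    """Combine all three identifiers; block if any of them fires."""
    reasons = []
    if ext_matches(url):
        reasons.append("extension")
    if mime_matches(content_type):
        reasons.append("mime-type")
    magic = magic_matches_strict if strict_magic else magic_matches_naive
    if magic(body):
        reasons.append("magic-bytes")
    return Verdict(block=bool(reasons), reasons=reasons)


def make_swf(version: int = 10, payload: bytes = b"\x00" * 20) -> bytes:
    """Constructed minimal uncompressed SWF: header plus an opaque payload."""
    total = 8 + len(payload)
    return FWS_MAGIC + bytes([version]) + struct.pack("<I", total) + payload


# Constructed sample objects (url, Content-Type header, body).
SAMPLES = {
    "real_swf": ("http://example.test/movie.swf",
                 "application/x-shockwave-flash", make_swf()),
    # Same SWF served under a misleading name and type: only magic catches it.
    "renamed_swf": ("http://example.test/banner.gif", "image/gif", make_swf()),
    # Plain text that happens to begin with "FWS": the false positive the alert warns about.
    "text_fws": ("http://example.test/notes.txt", "text/plain",
                 b"FWS is an abbreviation used in this memo."),
}

if __name__ == "__main__":
    for name, (url, ctype, body) in SAMPLES.items():
        print(name, classify(url, ctype, body), "naive:",
              classify(url, ctype, body, strict_magic=False))
```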

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

Four Updates Repair Office and Server Software Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word, Works, Sharepoint, InfoPath, Communicator, Lync, Groove, and more
  • How an attacker exploits them: Multiple vectors of attack, including enticing users to click specially crafted links, or to open specially crafted documents
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix around 20 vulnerabilities in a wide range of Microsoft Office and Server Software products. The affected products include:

  • Word and Word Viewer
  • Works 9
  • Sharepoint Server
  • InfoPath
  • Communicator and the new Lync
  • Groove
  • FAST Search Server
  • and the Office Web Apps

I summarize these four security bulletins below, in order from highest to lowest severity.

  • MS12-064: Two Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles maliciously crafted Word or RTF documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage either of these flaws to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could leverage these vulnerabilities to gain complete control of their machines. These flaws affect all current versions of Word, including Word Viewer, the Office Compatibility Pack, and the Office Web Apps.

Microsoft rating: Critical

  • MS12-065: Works 9 Heap Buffer Overflow Vulnerability

Works is a light-weight word processor, which is less expensive than Word but lacking in features. It suffers from a buffer overflow vulnerability having to do with how it handles malformed Word documents. By luring one of your users into downloading and opening a malicious Word document, an attacker can exploit this buffer overflow to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. The flaw only affects Works 9.

Microsoft rating: Important

  • MS12-066: Microsoft Server Software XSS Vulnerability

Many of Microsoft’s Server Software products (including Sharepoint Server, Communicator and Lync, InfoPath, and Groove) suffer from a Cross-site Scripting (XSS) vulnerability having to do with the servers’ inability to properly sanitize HTML inputs. The bulletin doesn’t describe exactly what element of these web-based servers suffers from the XSS vulnerability; only that they do. In any case, if an attacker can trick you into clicking a specially crafted link, he could leverage this flaw to steal your web cookie, hijack your web session, or essentially take any action you could on the vulnerable server. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer.

Microsoft rating: Important

  • MS12-067: FAST Search Server Oracle Outside In Vulnerabilities

Microsoft’s FAST Search Server improves the searchability of your SharePoint infrastructure. In previous alerts and videos, we warned you that Microsoft Exchange leveraged Oracle’s Outside In technology to parse various types of file attachments, and that Outside In suffered from a number of remote code execution vulnerabilities. FAST Search Server implements Outside In, and also suffers from these vulnerabilities. If an attacker can upload a specially crafted file to a share that FAST Search Server indexes, he could leverage these vulnerabilities to execute arbitrary code on the FAST Search Server. However, two factors significantly mitigate the severity of these issues. First, most administrators only use this server to index internal file shares, which means the attacker needs local access and privilege to upload his malicious file. Furthermore, the attacker could only execute code with the limited privileges of a “user account with a restricted token.”

Microsoft rating: Important

Solution Path:

Microsoft has released Office and Server Software patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you. That said, we highly recommend you test server updates before deploying them, so you may not want to turn on automatic updates for your servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

Our XTM security appliances can mitigate the risk of many of these flaws. One of our generic XSS detection signatures already detects and prevents the XSS flaw described in MS12-066. Furthermore, with information from Microsoft’s Active Protections Program (MAPP), we have already developed a signature for the RTF exploit described in MS12-064, which we will include in a new signature set your appliance should get shortly.

Furthermore, WatchGuard’s Gateway Antivirus (GAV) service detects most of the common malware attackers try to deliver when exploiting these flaws. In short, if you have our UTM bundle and enable IPS and GAV, we can protect you from many attacks that try to leverage these flaws.

Nonetheless, attackers can exploit these flaws in other ways as well, including uploading malicious files locally. We still recommend you install Microsoft’s updates as quickly as possible to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Grab Adobe’s Shockwave Update to Avoid Web-based Attacks

Summary:

  • This vulnerability affects: Adobe Shockwave Player 11.6.3.633 and earlier, running on Windows and Macintosh computers
  • How an attacker exploits it: By enticing your users into visiting a website containing malicious Shockwave content
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (11.6.4.634) of Adobe Shockwave Player as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on hundreds of millions of PCs.

In a security bulletin released late Tuesday, Adobe warned of nine critical vulnerabilities that affect Adobe Shockwave Player 11.6.3.633 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail. For the most part, the flaws consist of memory related vulnerabilities, including heap buffer overflows and other memory corruption flaws. Though the flaws differ technically, they all share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version as soon as you can.

Solution Path

Adobe has released Shockwave Player version 11.6.4.634 to fix these security flaws. If you use Adobe Shockwave in your network, we recommend you download and deploy the updated player as soon as possible. You can get it from the link below.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Shockwave content. Keep in mind, doing so blocks all Shockwave content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Shockwave files:

File Extension:

  • .swf – Adobe Shockwave files

MIME types:

  • application/x-shockwave-flash
  • application/x-shockwave-flash2-preview
  • application/futuresplash
  • image/vnd.rn-realflash

FILExt.com reported Magic Byte Pattern:

  • Hex: 46 57 53

(We believe this pattern is too short, and thus prone to false positives. We don’t recommend you use it.)

If you decide you want to block Shockwave files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.
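The identifiers listed above can be combined into a single check, and doing so also shows why the alert distrusts the three-byte pattern. The following is an added example written for this page, not WatchGuard’s or Adobe’s code; it compares the page’s own extension, MIME type and 46 57 53 ("FWS") signature against a stricter header check. The stricter check goes beyond the page: it assumes the standard SWF header layout (3-byte signature, 1-byte version, 4-byte little-endian file length) and the "CWS" and "ZWS" compressed signatures, which are not listed in the alert. All sample files are constructed inline.

```python
import os
import struct

# Identifiers exactly as listed in the alert above
SHOCKWAVE_EXTENSIONS = {".swf"}
SHOCKWAVE_MIME_TYPES = {
    "application/x-shockwave-flash",
    "application/x-shockwave-flash2-preview",
    "application/futuresplash",
    "image/vnd.rn-realflash",
}
# FILExt's reported pattern: hex 46 57 53, i.e. the ASCII bytes "FWS"
FILEXT_MAGIC = bytes.fromhex("465753")

# Assumption beyond the page: SWF files use one of three signatures
# ("FWS" uncompressed, "CWS" zlib, "ZWS" LZMA) followed by a version byte
# and a little-endian 32-bit file length, for an 8-byte header in total.
SWF_SIGNATURES = {b"FWS", b"CWS", b"ZWS"}
SWF_HEADER_LEN = 8


def matches_filext_magic(data: bytes) -> bool:
    """The alert's 3-byte pattern, applied literally: only bytes 0..2 are compared."""
    return data[:3] == FILEXT_MAGIC


def matches_swf_header(data: bytes) -> bool:
    """Stricter check: known signature, non-zero version, plausible length field."""
    if len(data) < SWF_HEADER_LEN or data[:3] not in SWF_SIGNATURES:
        return False
    version = data[3]
    (declared_len,) = struct.unpack_from("<I", data, 4)
    if version == 0 or declared_len < SWF_HEADER_LEN:
        return False
    if data[:3] == b"FWS":
        # Uncompressed: the length field counts the whole file, header included,
        # so it must equal the actual size. Random text starting with "FWS"
        # will almost never satisfy this.
        return declared_len == len(data)
    # Compressed variants declare the uncompressed size, so only sanity-check it.
    return True


def classify(filename: str, mime: str, data: bytes) -> dict:
    """Report which of the page's identifiers (plus the stricter header check) match."""
    ext = os.path.splitext(filename)[1].lower()
    return {
        "extension": ext in SHOCKWAVE_EXTENSIONS,
        "mime": mime.lower() in SHOCKWAVE_MIME_TYPES,
        "filext_magic": matches_filext_magic(data),
        "swf_header": matches_swf_header(data),
    }


# --- constructed sample inputs (not real files) ---
_body = b"\x00\x00\x00\x00\x00"
# A minimal uncompressed SWF: "FWS", version 10, correct total length (13 bytes)
SAMPLE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", SWF_HEADER_LEN + len(_body)) + _body
# A plain-text file that happens to start with "FWS": trips the 3-byte pattern only
FWS_TEXT = b"FWS Industries quarterly report\n"
# A compressed-style header with a plausible declared uncompressed size
SAMPLE_CWS = b"CWS" + bytes([9]) + struct.pack("<I", 100) + b"\x78\x9c\x00\x00"


if __name__ == "__main__":
    for name, mime, data in [
        ("movie.swf", "application/x-shockwave-flash", SAMPLE_SWF),
        ("report.txt", "text/plain", FWS_TEXT),
        ("photo.jpg", "image/jpeg", SAMPLE_SWF),  # renamed SWF: only the body gives it away
        ("anim.swf", "application/x-shockwave-flash", SAMPLE_CWS),
    ]:
        print(name, classify(name, mime, data))
```

The third sample is the case that makes body inspection worthwhile: a renamed SWF served with an image MIME type matches neither the extension nor the MIME rule, and only the header check catches it. The second sample is the false positive the alert warns about, which the length-field comparison removes.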

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

Apple OSX: Take Your Leopards In For a Checkup

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various documents or images
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer
  • What to do: OS X administrators should download, test and install OS X 10.6.8 or Security Update 2011-004 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 39 (number based on CVE-IDs) security issues in 22 components that ship as part of OS X or OS X Server, including AirPort, QuickTime, and MobileMe. Some of the fixed vulnerabilities include:

  • Two ImageIO Code Execution Flaws. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from two security vulnerabilities involving the way it handles certain types of image files (such as buffer overflow vulnerabilities). Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include JPEG2000 and TIFF.
  • ATS Buffer Overflow Vulnerability. The Apple Type Service (ATS) helps OS X machines handle fonts. ATS suffers from a buffer overflow vulnerability having to do with the way it handles embedded TrueType fonts. By tricking one of your users into downloading and viewing a malicious document containing a specially crafted font, an attacker can exploit this flaw to execute code on that user’s computer. By default, the attacker would only execute code with that user’s privileges.
  • Five QuickTime Vulnerabilities. QuickTime is the popular video and media player that ships with OS X (and iTunes). QuickTime suffers from five security issues involving how it handles certain image, audio, and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing maliciously crafted media in QuickTime, he could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, privilege escalation vulnerabilities, and information disclosure flaws. Components patched by this security update include:

  • AirPort
  • App Store
  • ATS
  • Certificate Trust Policy
  • ColorSync
  • CoreFoundation
  • CoreGraphics
  • FTP Server
  • ImageIO
  • International Components for Unicode
  • Kernel
  • Libsystem
  • libxslt
  • MobileMe
  • MySQL
  • OpenSSL
  • patch
  • QuickLook
  • QuickTime
  • Samba
  • servermgrd
  • subversion

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

Solution Path:

Apple has released OS X Security Update 2011-004 and OS X 10.6.8 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)

2011′s First OS X Update Patches 57 Vulnerabilities

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various documents or images
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer
  • What to do: OS X administrators should download, test and install OS X 10.6.7 or Security Update 2011-001 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 57 (number based on CVE-IDs) security issues in 26 components that ship as part of OS X or OS X Server, including Apache, QuickTime, and ClamAV. Some of the fixed vulnerabilities include:

  • Multiple ImageIO Buffer Overflow Vulnerabilities. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from various security vulnerabilities involving the way it handles certain types of image files (such as buffer overflow vulnerabilities). Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include JPEG, TIFF, and XBM.
  • Many ATS Vulnerabilities. The Apple Type Service (ATS) helps OS X machines handle fonts. ATS suffers from various memory related vulnerabilities having to do with the way it handles certain types of embedded fonts. By tricking one of your users into downloading and viewing a malicious document containing a specially crafted font, an attacker can exploit these flaws to execute code on that user’s computer. By default, the attacker would only execute code with that user’s privileges.
  • Five QuickTime Vulnerabilities. QuickTime is the popular video and media player that ships with OS X (and iTunes). QuickTime suffers from five security issues (number based on CVE-IDs) involving how it handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, he could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, cross-site scripting (XSS) vulnerabilities, and information disclosure flaws. Components patched by this security update include:

  • AirPort
  • Apache
  • AppleScript
  • ATS
  • bzip2
  • CarbonCore
  • ClamAV
  • CoreText
  • File Quarantine
  • HFS
  • ImageIO
  • Image RAW
  • Installer
  • Kerberos
  • Kernel
  • Libinfo
  • libxml
  • Mailman
  • PHP
  • QuickLook
  • QuickTime
  • Ruby
  • Samba
  • Subversion
  • Terminal
  • X11

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

On a related note, Apple has released many security updates in the last few weeks. Besides the Java update we alerted about early this month, Apple has also posted the following security-related product updates:

If you use any of those products, we recommend you update them as well, or let Apple’s automatic Software Updater do it for you.

Solution Path:

Apple has released OS X Security Update 2011-001 and OS X 10.6.7 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)

Mozilla’s Delayed Firefox 3.6.14 Update Corrects 11 Vulnerabilities

Summary:

  • These vulnerabilities affect: Firefox 3.6.x and 3.5.x for Windows, Linux, and Macintosh
  • How an attacker exploits it: Typically by enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.14 (or 3.5.17), or let Firefox’s automatic update do it for you

Exposure:

Yesterday, Mozilla released a Firefox update fixing 11 (count based on CVE numbers) vulnerabilities in their popular multi-platform web browser. Mozilla rates most of these vulnerabilities as critical, meaning an attacker can leverage them to execute code and install software without user interaction beyond normal browsing. We summarize three of the most critical Firefox 3.6.13 vulnerabilities below:

  • JPEG-related Code Execution Vulnerability (2011-009). Firefox suffers a code execution flaw involving the way it decodes JPEG images. By enticing one of your users to a web page containing a maliciously crafted JPEG image, an attacker can leverage this buffer overflow to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Two JavaScript Engine Buffer Overflow Vulnerabilities (2011-04, 2011-05). According to Mozilla, Firefox’s JavaScript Engine suffers from two buffer overflow vulnerabilities. By enticing one of your users to a web page containing specially crafted JavaScript, an attacker can leverage either of these buffer overflows to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. As usual, an attacker may gain full control of your users’ computers if they have administrative privileges.
    Mozilla Impact rating: Critical
  • Two Memory Corruption Vulnerabilities (2011-01). Mozilla’s update fixes two unspecified memory “safety” related vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser engine. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical

Mozilla’s alert describes other critical vulnerabilities, many of which allow attackers to execute code simply by enticing you to a malicious web page. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.14 fixes. On a related note, some of these vulnerabilities also affect Firefox 3.5.x. If you use 3.5.x, we recommend you move to 3.6.14. However, if you must stay with 3.5.x, Mozilla has also released an update (3.5.17) for that legacy version.

As an aside, Mozilla originally intended to release this update earlier in February. However, they had to delay the release due to some hard-to-fix issues. Since this update contains fixes for outstanding issues, we recommend you download and install it as soon as you can.

Solution Path:

Mozilla has released Firefox 3.6.14 and 3.5.17, to correct these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.14 as soon as possible. If, for some reason, you must remain with Firefox 3.5.x, make sure to upgrade to 3.5.17.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.14 to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Zero Day SMB Vulnerability Affects Windows Server 2003 and XP

Yesterday, a gray hat going by the alias Cupidon-3005 posted details about a zero day Windows SMB vulnerability that could potentially allow attackers to gain control of fully patched Windows Server 2003 and XP computers. Microsoft is currently investigating this surprise release, but hasn’t had time to post an early Security Advisory about the issue yet, let alone deliver a patch.

Specifically, the vulnerability involves a buffer overflow flaw within the SMB component’s mrxsmb.sys file. By sending a specially crafted browser election request packet containing an overly long server name, an attacker could exploit this flaw to either crash your computer, or execute code on it, potentially gaining complete control of your PC.

Since Microsoft just learned of this flaw on the 15th, they haven’t had time to release a patch yet. However, your WatchGuard firewall can help. By default, our appliances block SMB and broadcast traffic (the exploit leverages broadcast requests), which prevents Internet-based attackers from leveraging this flaw against you (assuming you haven’t opened SMB ports, which you should never do). That said, worms quite regularly rely on SMB vulnerabilities to help them automatically spread within networks, once they infect the first victim. So in general, I consider SMB vulnerabilities high risk. I’ll continue to monitor Microsoft’s investigation into this flaw, and will post updates when they release any workaround or patch.

[UPDATE]: In a blog post, Microsoft claims that though theoretically possible, they believe it’s impractical for attackers to leverage this flaw to execute code. As such, they believe it primarily represents a DoS risk. Other security researchers have been quick to point out that attackers have figured out ways to leverage “impractical” vulnerabilities in the past, though. Microsoft has still not released a patch, and based on their severity analysis of this flaw, they likely will not release any rushed out-of-cycle patch either.

Corey Nachreiner, CISSP
