Tag Archives: drive-by download

IE Patch Squashes Six Memory Corruption Flaws

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes six new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Though these vulnerabilities differ technically, they share the same general scope and impact, and involve various memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1755)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1753)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1751)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1752)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Out-of-Cycle Word FixIt Corrects Zero Day Vulnerability

If you’re worried about spear phishing attacks (and if you’re not, you should be), grab Microsoft’s emergency FixIt to mitigate a zero day vulnerability attackers are exploiting in the wild.

In a security advisory released yesterday, Microsoft warned of a zero day vulnerability in Word, which attackers are exploiting in what Microsoft describes as limited, targeted attacks. Apparently, the exploit in the wild targets Word 2010, but the flaw affects other versions of Word as well. Since this is an early advisory, it doesn’t describe the flaw in much technical detail. However, it does mention that attackers can trigger the flaw with specially crafted Rich Text Format (RTF) files. If an attacker can entice you to view a malicious RTF in Word, he could exploit this vulnerability to execute code on your computer, with your privileges. If you are an administrator, the attacker gains complete control of your PC.

By default, most current versions of Office use Word as Outlook’s email viewer. This means attackers can trigger this flaw just by getting you to open an RTF attached to an email. According to some on Twitter, simply previewing an email with a malicious RTF triggers the flaw.

While Microsoft hasn’t had time to release a full patch yet, they have posted a FixIt that mitigates the risk of this vulnerability. If you use Office, I highly recommend you install the FixIt as soon as you can. Also, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) can mitigate the risk of any type of memory corruption flaw. In general, I recommend you install EMET on Windows machines to protect them from any zero day, memory-related issues.

I’ll post more details about this flaw during an upcoming Patch Day, when Microsoft releases the final update. In the meantime, if you’d like more information about it, you can check out Microsoft’s security blog post. — Corey Nachreiner, CISSP (@SecAdept)


Broken Apple SSL – WSWiR Text Edition

RSA 2014, EMET Bypass, and Broken SSL

This week I attended the 2014 RSA Security Conference, one of the biggest information security (and cryptography) conferences of the year. This was the busiest RSA Conference in the show’s history, which suggests that more and more businesses, governments, and organizations are becoming increasingly concerned about cyber security. As a side effect, the show also kept me too busy to produce my normal infosec news video. Instead, I offer a written summary of this week’s major security news and RSA stories below.

  • Apple fixes serious SSL vulnerability in their OSs – This week, Apple released security updates for iOS 6.x and 7.x, OS X, QuickTime, Safari, and Apple TV. Though these updates fix a wide swath of vulnerabilities in the aforementioned products, the most astonishing fix corrects a very serious SSL/TLS vulnerability that affects the iOS and OS X operating systems (OS). SSL/TLS is designed to protect and encrypt your network communications, but this flaw allows anyone on the same network as you to intercept and read your communications in a Man-in-the-Middle attack. In short, if you use Apple products, your SSL communications have been open to interception for the last few months, which is especially scary if you joined any open Wi-Fi networks. Apple’s updates fix the issue, and many more, so be sure to go get them. See Apple’s security update summary page for more details.
  • EMET suffers from a bypass vulnerability – EMET—short for Enhanced Mitigation Experience Toolkit—is a free Microsoft tool designed to make it harder for cyber attackers to actually exploit memory corruption type vulnerabilities. It doesn’t prevent a product from having a memory corruption flaw; rather, it adds various memory protection mechanisms (like stronger Address Space Layout Randomization, or ASLR) to make it harder for attackers to inject their malicious shell code into certain memory locations. It’s a tool I often recommend users install to help mitigate the risk of many vulnerabilities. Well, this week, researchers at Bromium Labs proved that EMET is not bulletproof. They released a paper [PDF] showing how attackers could bypass some of EMET’s protections. Microsoft has acknowledged the flaws, and also has a new version in beta (EMET v5.0) that plugs some of the holes.
  • Academic researchers disclose the first AP virus – Researchers from a number of universities in Europe released a paper describing the first ever wireless access point (WAP) virus, which they dub Chameleon. Chameleon first tries to find unsecured wireless APs (for instance, ones using weak WEP encryption, or no encryption). Once it can access the victim AP’s wireless network, it then leverages flaws in the AP firmware to try to infect the AP with its virus. Then it continues scanning for new victim APs. As a research project, this attack was only done in a lab environment, and has never been seen in the wild. However, now that it’s out, I suspect criminal hackers might copy this technique in the real world one day.
  • RSA Security Conference Summary – Here are a few of the big themes and news from this year’s RSA Conference.
    • Government and the NSA have broken our trust – In general, the buzz on the show floor was how governments around the world, especially the U.S. and the NSA, have broken our trust with their spying campaigns. While many agree that some sort of international spy agency should exist, most think the NSA has crossed the line with the amount of data they are collecting, which includes data from normal private citizens. The lack of transparency in these government cyber espionage operations has poisoned the industry’s confidence in all online security and communications, making it difficult to know what to trust. Many speakers at the conference criticized these government operations, especially when the governments in question designed malware which they released into the wild.
    • Destructive attacks get more real – In one session, researchers from CrowdStrike demonstrated a vulnerability in Apple computers that they could exploit to actually cause your device to overheat, potentially catching on fire. One of my predictions this year was to expect more destructive malware, and this example may unfortunately help that prediction come true. As an aside, other researchers at the show also demonstrated an attack against Apple iOS devices that allows malicious programs to log touch input—kind of like a keylogger for finger swipes.
    • Lots of vulnerabilities in RSA mobile app – A few weeks before the show, researchers at IOActive checked out the RSA mobile app for the 2014 conference. Turns out it suffered from six vulnerabilities that attackers could leverage to do many things, including disclose the personal information of some of the attendees, or to inject additional code into the app to phish credentials, and other bad things. Check out IOActive’s blog for more details, but it’s ironic that a security conference’s app suffers from the flaws the conference is supposed to educate against.

Well that’s all I have time for this week. However, if you’d like links to other security stories from the week, check out the extra below. I’ll return with my normal video updates next Friday.

Extra Stories:

— Corey Nachreiner, CISSP (@SecAdept)

0day Watering Holes – WSWiR Episode 96

Flash and IE 0day, Watering Holes, and Router Worms

It’s Friday, Friday, gotta get your InfoSec on Friday….

Seriously though. If you are looking for a quick round-up of this week’s biggest security news, this is your show. In it, I cover what I think are the top three information and network security stories of the week, vlog style. If that sounds good, keep reading.

This week’s episode covers an advanced watering hole attack that leverages two zero day vulnerabilities, a worm that’s infecting a popular brand of consumer router, and new vulnerabilities that affect devices that fall into the “Internet of Things” category. If you’d like all the details, including how to protect yourself, watch the video below. Or, if you prefer to read, check out the Reference section for links to those stories and more.

Quick show note. Next week I’ll be attending the annual RSA Security Conference. Though I still hope to produce a video on the road, I may have to settle for a text version of our weekly Infosec news if I get too busy. Keep an eye on the blog for the latest, and have a great weekend.

(Episode Runtime: 8:57)

Direct YouTube Link: http://www.youtube.com/watch?v=NbxXXLov6Ek

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Grab Adobe and Microsoft’s Emergency Flash and IE Fixes

Let’s start with the short version. Yesterday, both Microsoft and Adobe released out-of-cycle updates to fix zero day security vulnerabilities that advanced attackers are exploiting in the wild via “watering hole” campaigns. If you use these products and haven’t installed the updates, go get the Flash and Internet Explorer (IE) fixes now!

The slightly longer story is that early this week (during the U.S. President’s Day holiday) two security companies, FireEye and Websense, independently reported discovering two different legitimate web sites serving malware via a drive-by download attack. The web sites included a U.S. veterans’ site (VFW.org) and a French aeronautical company’s web site. The malicious code on these sites exploited two previously undiscovered, zero day vulnerabilities affecting Adobe Flash, and IE 9 and 10. They also delivered some relatively advanced trojan malware (in one case, Gh0strat), which has been used before in attacks that seem to come from China-based hackers. Since these sites have very specific user bases (military and ex-military, or aeronautical engineers), these attack campaigns fall into the category of watering hole attacks, where smart attackers purposely hijack web sites they know their target visits in hopes of poisoning the target’s watering hole. If you’d like to learn more about these types of attacks, and other web threats, you can check out a presentation I recently gave on the subject on BrightTALK. You can also learn more about these specific attacks in this week’s upcoming security video.

In any case, yesterday both Microsoft and Adobe released advisories that include updates or FixIts that patch these zero day flaws. While you probably haven’t run into these exploits yet, unless you happen to fall into the two victim bases for these attacks, I expect criminal attackers to quickly start leveraging these new flaws. Now that they are public, you can expect criminal hackers to quickly incorporate the new attacks into the exploit kits they sell on the underground. Once they do, you’ll start to see these exploits popping up everywhere, serving ordinary criminal malware. In other words, if you use IE or Flash, you should go get the updates immediately. You can find links to them in Microsoft and Adobe’s advisories. — Corey Nachreiner, CISSP (@SecAdept)


The Mask APT Campaign – WSWiR Episode 95

400Gb DDoS, More Bitcoin Attacks, and The Mask APT

If you’re looking for a quick synopsis of the latest information security news and advisories, our quick weekly video can provide it for you. This week’s episode was shot literally right before I had to run out to catch a plane, so please excuse the low-quality webcam footage.

Today’s episode includes a quick rundown of the week’s Microsoft and Adobe patches, news about the latest world record-breaking DDoS attack, some Bitcoin hijinks, and the details around a new cross-platform advanced attack campaign discovered by Kaspersky. Check out the video for all the details, and give the Reference section a peek for links to other infosec stories, including last minute news of a new Internet Explorer (IE) zero day attack.

Have a great weekend (and President’s Day for US readers), and be careful online.

(Episode Runtime: 8:20)

Direct YouTube Link: http://www.youtube.com/watch?v=W4JItAGJynY

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Target Chain of Trust Attack – WSWiR Episode 94

Flash 0day, DailyMotion Watering Hole, and New POS Malware

With Seattle celebrating our Super Bowl victory (Sea-Hawks!), it’s hard for locals to keep their minds on Information Security (Infosec), but criminal hackers don’t stop for American football. If you’ve been too busy to follow security news this week, let WatchGuard’s Friday video fill you in on the details, and help you with your defenses.

In today’s video, I cover an Adobe Flash 0day exploit that advanced attackers are leveraging in the wild, warn about a popular video site that has been turned into a FakeAV watering hole, give you the latest breaking update on the Target breach, and more. Watch the video below to learn the latest security news, and check out the Reference section if you’d like links to other security stories from the week.

Quick show note: I’ll be traveling in the UK next week, so I will have to produce the next episode from the road. This also means the video may go live either earlier or later in the week than it normally does.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 10:04)

Direct YouTube Link: https://www.youtube.com/watch?v=aJMAyKpTaYI

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Cyber Tradecraft; Defending Against Drive-by Downloads

Imagine this… You’re perusing the ancient and colorful Grand Bazaar in Istanbul, feeling overwhelmed by all the interesting sights, sounds, and smells. An excited and charismatic shop owner waves you over to his wares, enticing you to contemplate the colorful baubles he has on display. As you’re thus distracted, a quiet, inconspicuous character jostles you lightly from behind, whispering an apology as she hurries past. You walk away from the ordinary encounter perfectly unaware that she also planted a powerful bug on your person, and can now track your every move, and monitor whatever you do, potentially using this newfound power to swipe the confidential documents you have holed up in your hotel safe.

You’re probably thinking, the description above sounds a lot like the fantastical tales you’ve read about in pulpy spy novels. Yet, it is surprisingly close to what the average user risks every day while browsing web sites online—the risk of the drive-by download.

Right now, drive-by downloads are one of the most common ways cyber attackers lure victims into unknowingly infecting themselves with malware. Today, smart attackers combine drive-by download attacks with something called a “watering hole” attack, where they exploit web application flaws to hijack legitimate web sites and force them into serving malware to their visitors. Yesterday, Help Net Security posted an article I wrote describing how drive-by downloads and watering holes work, and how to defend yourself against them. If you’d like to learn more about either of these common cyber attacks, check out Defending Against Drive-by Downloads on Help Net Security. — Corey Nachreiner, CISSP (@SecAdept)

Oracle Fixes 133 Vulnerabilities with Massive CPU & Java Updates

Yesterday, Oracle released their quarterly Critical Patch Update (CPU) for October 2013. If you haven’t heard of them, CPUs are Oracle’s quarterly collections of security updates, which fix vulnerabilities in a wide range of their products. Oracle publishes their quarterly updates on the Tuesday closest to the 17th of the month (in this case, October 15th). Previously, Oracle decoupled their Java updates from their quarterly CPU cycle. However, that changes as of this release. From now on, Oracle plans to release Java updates quarterly, so this quarter’s Oracle CPU includes a Java security update as well.

Overall, the CPU and Java updates fix around 133 security vulnerabilities in many different Oracle products and suites. The table below outlines the affected products, and the severity of the fixed flaws. The flaws with the highest CVSS rating are the most risky, meaning you should handle them first:

| Product or Suite | Flaws Fixed (CVE) | Max CVSS |
|---|---|---|
| Java SE | 51 | 10 |
| Database Server | 4 | 6.4 |
| MySQL | 12 | 8.5 |
| Fusion Middleware | 17 | 7.5 |
| Enterprise Manager Grid Control | 4 | 4.3 |
| Siebel CRM | 9 | 6.8 |
| E-Business Suite | 1 | 5.0 |
| Supply Chain Product Suite | 2 | 5.0 |
| Industry Applications | 6 | 5.5 |
| PeopleSoft Products | 8 | 5.0 |
| iLearning | 2 | 6.8 |
| Financial Services Software | 1 | 6.0 |
| Primavera Products Suite | 2 | 5.0 |
| Sun Systems Products Suite | 12 | 6.1 |
| Virtualization | 2 | 5.0 |

Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 133 vulnerabilities differs greatly, some of them pose a pretty critical risk, especially the Java SE ones.

Almost everyone has Java installed. If you do, I recommend you install the Java update immediately, or perhaps consider uninstalling Java or restricting it in some way using its security controls. With a CVSS rating of 10, the Java exploits allow remote attackers to install malware on your computer via web-based drive-by download attacks; and right now attackers really like targeting Java flaws.

Of course, if you use any of the other affected Oracle software, you should update it as well. I recommend scheduling the updates based on the max CVSS rating for the products. For instance, if you use MySQL, update it quickly, but you can allow yourself more time to fix the Grid Control issues. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert. — Corey Nachreiner, CISSP (@SecAdept)

IE Update Fixes Two Zero Day Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a web page containing malicious content
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing ten vulnerabilities affecting Internet Explorer (IE); including two that attackers have been exploiting in the wild.

On its surface, this bulletin looks very similar to many of Microsoft’s past IE bulletins. It describes ten “memory corruption” vulnerabilities, which share the same scope and impact. If an attacker can lure one of your users to a web page containing maliciously crafted content, he can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Since Windows users often have local administrative privileges, attackers can leverage these issues to gain complete control of their machines.

However, today’s IE update differs slightly in that it fixes two zero day vulnerabilities that attackers are exploiting in the wild. We’ve warned you about the first in a previous post, and just learned about a second one today.

These remote code execution flaws pose significant risk to IE users, especially the two zero day ones. Attackers can exploit them to launch drive-by download attacks, and we’ve already seen them doing so with two of these vulnerabilities. If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s September IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3897)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3875)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3871)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3886)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3885)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3874)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3873)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
