Tag Archives: ie

Two Critical IE Bulletins Fix Zero Day Vulnerability and More

May 14, 2013 by Corey Nachreiner 1 Comment

Severity: High

Summary:

  • These vulnerabilities affect: Internet Explorer (IE) versions 6 – 10
  • How an attacker exploits them: Typically, by enticing one of your users to visit a web page with malicious content
  • Impact: In the worst case, an attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released two security bulletins (MS13-037/MS13-038) describing a dozen new security vulnerabilities that affect all current versions of Internet Explorer (IE). They rate both updates as Critical.

Over the last few months, most of the new flaws affecting IE are what developers call “use after free” vulnerabilities – a type of memory corruption flaw that attackers can leverage to execute arbitrary code. May’s duo of IE bulletins continues this theme, with all but one of the vulnerabilities falling under this class of flaw.

Though these dozen vulnerabilities differ technically, they share the same general scope and impact (with one small exception). If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer. Keep in mind, attackers often hijack legitimate web pages and booby trap them with this sort of malicious code, in what the industry refers to as a “watering hole” attack.

Typically, Microsoft only releases one IE cumulative update a month. However, over the last few weeks attackers have exploited a zero day IE8 vulnerability in the wild—most notably against the Department of Labor (DoL) web site. We talked about this exploit in last week’s security video. Although Microsoft had released a temporary “FixIt” to mitigate this serious vulnerability, today’s second IE bulletin (MS13-038) rectifies the issue more completely. Attackers are still exploiting this flaw in the wild. They’ve worked it into their underground exploit toolkits, and even the popular Metasploit framework contains a public version of the exploit. We highly recommend you install both of Microsoft’s IE updates immediately (after testing, of course).

If you’d like more technical detail about any of these flaws, see the “Vulnerability Information” section in both of Microsoft’s bulletins (MS13-037/MS13-038).

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletins:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the “use after free” vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-2551)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1309)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1311)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1312)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1307)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1308)
  • WEB-CLIENT Microsoft Internet Explorer JSON Array Information Disclosure Vulnerability (CVE-2013-1297)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Security Updates
, , , , , , , , ,

Microsoft Black Tuesday: Fix for IE8 Zero Day and More

May 14, 2013 by Corey Nachreiner 5 Comments

Calling all Microsoft administrators. It’s time to spin up your virtual test machines and download, test, and deploy May’s batch of Microsoft security updates. This month’s theme is IE updates; with a focus on a recent IE zero day vulnerability, as well as a continuation of the “use after free” vulnerability theme I commented on last month.

According to their summary post, Microsoft released ten security bulletins today, fixing around 33 security vulnerabilities in many of their popular products. The affected software includes Internet Explorer (IE), Windows and related components, products from the Office suite (Word, Visio, and Publisher), Lync, and Windows Essentials. Microsoft rates the IE updates as Critical, and the rest as Important.

As I mentioned earlier, today’s theme definitely centers around IE. Last week’s security video covered how attackers have recently been exploiting a zero day IE8 vulnerability in the wild—most notably against the Department of Labor web site. One of today’s updates completely fixes this serious flaw. The other IE update continues to fix more “use after free” vulnerabilities, a class of memory corruption flaws that researchers and attackers have focused on lately. I highly recommend you install today’s IE updates immediately, then follow with the Windows and Office updates.

As an aside, Microsoft also released or updated four security advisories today. One of the updates has to do with one of today’s bulletins, but the other three are new. Once you’re finished handling today’s patches, you should check out Microsoft’s security advisory page as well.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s May bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles
, , , , , , , , , , , , , , , , ,

“Use After Free” Flaws: A New Theme for IE Vulnerability

April 9, 2013 by Corey Nachreiner 2 Comments

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing two new security vulnerabilities affecting Internet Explorer (IE). Similar to the flaws in last month’s update, both of these vulnerabilities are what developers call “use after free” vulnerabilities – a type of memory corruption flaw that attackers can leverage to execute arbitrary code. This class of vulnerability seems to be a theme for IE lately, since Microsoft has been fixing IE use after free flaws quite a bit over the last few months.

In any case, if an attacker can lure one of your users to a web page containing maliciously crafted HTML, she could exploit either of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like more technical detail about either of these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technicalities aside, both of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws may affect you even when visiting legitimate, trusted web sites.

If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus services can often prevent the malware that drive-by download attacks try to force onto your computer. Furthermore, our Reputation Enabled Defense (RED) and WebBlocker service can often prevent your users from accidentally visiting malicious sites. Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Security Updates
, , , , ,

Remote Desktop and IE Updates Top April’s Patch Day List

April 9, 2013 by Corey Nachreiner 0 Comments

Unless you’re new to IT, you’re probably aware that todaythe second Tuesday of the monthis Microsoft Patch Day.

As expected, Microsoft released nine security bulletins today, fixing 13 vulnerabilities across products like Internet Explorer (IE), Windows and its components, Sharepoint Server, and a few other Office server products. The worst two, Critical-rated updates fix security problems in IE and the Remote Desktop Client (RDC) that ships with Windows (specifically, its ActiveX control). The vulnerabilities in both these products could help remote attackers launch drive-by download attacks. If an attacker can get your IE or RDC users to visit a specially crafted web site (or a legitimate, hijacked web site), they could leverage these flaws to execute arbitrary code with those users’ privileges. You should download, test, and apply these Critical updates as soon as you can, or let Windows’ automatic updater do it for you.

As an aside, some experts had expected today’s IE update to fix some publicly disclosed vulnerabilities from the recent Pwn2Own contest at a Canadian security conference. In their IE alert, Microsoft credits two Google security researchers for discovering the flaws they fixed today. However, the Pwn2Own IE 10 flaws were disclosed by different researchers from VUPEN. So it appears the Pwn2Own IE flaws are still open issues.

Microsoft also released seven other updates, which they rate as Important. While not as serious as the ones mentioned above, they all fix some relatively risky issues too. In general, I recommend you always install all of Microsoft’s monthly patches as quickly as you can. That said, be sure to at least try and test the server updates before deploying them to your production network.

I’ll post more detailed alerts about these security bulletins as the day progresses. Stay tuned. — Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , ,

Microsoft Kicks Off Spring with Nine Security Bulletins

April 4, 2013 by Corey Nachreiner 4 Comments

The advanced notification results are in, and it’s looking good for Patch Day.

Next Tuesday, Microsoft will release nine security bulletins, two of which the Redmond-based software company rates as Critical. The bulletins will fix flaws in Windows, Internet Explorer (IE), Office, and some of Microsoft’s server and security software. As usual, they haven’t shared many details yet, but some experts expect the critical IE update to fix the zero day vulnerabilities disclosed at CanSecWest’s recent Pwn2Own contest. Either way, I expect the IE flaws to pose the greatest risk to most users, so you should plan on applying that patch as quickly as possible.

While nine bulletins may sound like a lot, it’s pretty average for Patch Day lately. Nonetheless, you should prepare your IT staff for a busy day of testing and patching next Tuesday. We’ll know more about these bulletins next week, and will publish alerts about them here. — Corey Nachreiner, CISSP (@SecAdept)

Screen Shot 2013-04-04 at 10.01.09 PM

Editorial Articles
, , , , , , ,

WatchGuard Security Week in Review: Episode 55 – SSL/TLS Weakness

March 15, 2013 by Corey Nachreiner 6 Comments

Lots of Patches, Celebrity Hacks, and a SSL/TLS Weakness

If you’re anything like the average IT professional, you’re probably too busy putting out proverbial IT helpdesk fires, and installing new business IT solutions to spend much time each week staying on top of the latest security news and threats. That’s where we come in! For a quick recap of the biggest information and network security news from the week, check out the YouTube video below.

In this episode, I cover a ton of software updates from the week (it was Patch Day after all), the latest celebrity hack incident, an ironic breach of a security organization’s web site, and yet another weakness in the SSL/TLS encryption protocol. I even share a tip on how webmasters can learn to recover from web site hacks.

Enjoy the episode, and share your thoughts, suggestions, and questions in the comment section below. You can also find more details about these stories in the Reference section. Thanks for watching, and enjoy your St. Patty’s Day weekend.

(Episode Runtime: 11:00)

Direct YouTube Link: http://www.youtube.com/watch?v=yD6wNDXVsHE

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , , , , , , , , , , , , , , , , , , , , , ,

IE Update Fixes Multiple “Use After Free” Vulnerabilities

March 12, 2013 by Corey Nachreiner 4 Comments

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing nine new security vulnerabilities affecting Internet Explorer (IE). Similar to the last  few IE updates, all nine of these security flaws are what developers call “use after free” vulnerabilities, which are types of memory corruption flaws that attackers can leverage to execute arbitrary code. They all have to do with how IE handles various HTML objects and elements. If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like more technical detail about these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Details aside, all of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws may affect you even when visiting legitimate, trusted web sites.

If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed new signatures, which can detect and block a number of these new IE vulnerabilities:

  • WEB-CLIENT Microsoft Internet Explorer GetMarkupPtr Use After Free Vulnerability (CVE-2013-0092)
  • WEB-CLIENT Microsoft Internet Explorer CTreeNode Use After Free Vulnerability (CVE-2013-1288)
  • WEB-CLIENT Microsoft Internet Explorer CElement Use After Free Vulnerability (CVE-2013-0091)
  • WEB-CLIENT Microsoft Internet Explorer OnResize Use After Free Vulnerability (CVE-2013-0087)
  • WEB-CLIENT Microsoft Internet Explorer saveHistory Use After Free Vulnerability (CVE-2013-0088)
  • WEB-CLIENT Microsoft Internet Explorer CMarkupBehaviorContext Use After Free Vulnerability (CVE-2013-0089)
  • WEB-CLIENT Microsoft Internet Explorer CCaret Use After Free Vulnerability (CVE-2013-0090)
  • WEB-CLIENT Microsoft Internet Explorer removeChild Use After Free Vulnerability (CVE-2013-0094)

Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Security Updates
, , , , ,

Microsoft Black Tuesday: Security Flaws in a Menagerie of Products

March 12, 2013 by Corey Nachreiner 3 Comments

Though today’s Patch Day might seem pretty average as far as the number of security bulletins released, it does cover a rather eclectic range of Microsoft products. In fact, a few of the updates affect Mac users as well, and one is even exclusive to Mac.

During today’s Patch Day, Microsoft released seven security bulletins fixing  20 vulnerabilities in the following products:

  •  Windows (all versions)
  • Internet Explorer (IE)
  • Office Suite updates
    • Visio Viewer 2010
    • SharePoint Server 2010
    • OneNote 2010
    • Office Outlook for Mac
  • Silverlight 5 (For PC and Mac)

They rate four of the bulletins as Critical, and three as Important. Many of the Critical issues can allow remote attackers to execute code on affected systems. So we highly recommend you patch them quickly.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s March bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles
, , , , , , , , , , , ,

WatchGuard Security Week in Review: Episode 54 – Nuke Hackers

March 8, 2013 by Corey Nachreiner 2 Comments

Pwn2Own, Evernote Breach, and Nuke Cyber Attackers

Want a quick way to catch up on weekly information and network security (InfoSec) highlights? Well you’ve found the right place. In this episode of our InfoSec summary video, I talk about Evernote’s 50 million user data leak, web browsers falling to the Pwn2Own contest, and a U.S. government document that talks about nuclear retaliation against cyber attackers. Click play below for all the details, and check the Reference section for stories and links associated with the video.

If you have any suggestions, comments, or questions, leave them in the comment section. Meanwhile, stay safe out there.

(Episode Runtime: 7:27)

Direct YouTube Link: http://www.youtube.com/watch?v=ROG2LDBZZ9E

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , , , , , , , , , , , , , , , , , , , , , ,

Microsoft Leprechaun Leaves a Pot Full of Patches

March 8, 2013 by Corey Nachreiner 0 Comments

We’re coming upon that time of the month again for Microsoft administrators; patch time.

According to the latest Advanced Notification page, our Microsoft friends plan on releasing seven security bulletins next Tuesday. The bulletins will including updates to fix security vulnerabilities in Windows, Office, Internet Explorer (IE), Silverlight, and some of their Server Software. They rate more than half (4/7) of the bulletins as Critical, which typically means remote attackers can likely exploit them to gain control of vulnerable computers.

MS Notification 3/13At this point you’re probably quite familiar with the monthly update routine, and know you should prepare your IT team for Patch Day so that they can apply Microsoft’s fixes as soon as possible; especially the Critical ones.

As always, I highly recommend you take some extra time to test the updates before applying them. Lately, there have been a few more reported incidents of Microsoft patches causing issues. You should at least take the time to test the server related updates before deploying them to production machines.

I’ll know more about these bulletins next Tuesday, and will publish alerts about them then.

In an unrelated aside, some business travel has delay production of my weekly security news video. For those waiting, it will come out today, but it may be later in the afternoon. — Corey Nachreiner, CISSP

Editorial Articles
, , , , , ,
Older Entries

Follow

Get every new post delivered to your Inbox.

Join 7,114 other followers

%d bloggers like this: