Tag Archives: internet explorer

Tax Time Security Woes – WSWiR Episode 139

There’s tons of security news each week. If you can’t keep up, I try to summarize the most important stuff for you in my weekly video.

This week’s show covers a researcher leaking 10M credentials, Forbes’ website getting hacked, a TurboTax security scare, and much more. Watch the video for all the details, or check out the Reference section for other interesting stories.

(Episode Runtime: 9:50)

Direct YouTube Link: https://www.youtube.com/watch?v=mTycl-zSbVA

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Delivers Nine Security Bulletins for February

As the second Tuesday of the month, it’s time for Microsoft administrators to get patchin’. You can find this month’s Patch Day details at Microsoft’s February Patch Day Summary page, but I’ll summarize some of the highlights below.

By the Numbers:

February Microsoft Patch DayToday, Microsoft released nine security bulletins, fixing a total of 60 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • and Microsoft System Center Virtual Machine Manager (VMM).

They rate three bulletins as Critical, six as Important.

Patch Day Highlights:

The most interesting vulnerability this month is probably Microsoft’s Group Policy remote code execution flaw. This is a rather complex flaw that requires an attacker successfully pull off a man-in-the-middle (MitM) attack on a computer that is configured to connect to an Active Directory domain. Once the attacker can intercept your traffic, he can trick it into running a malicious login script, which allows him to run anything he wants. Since the flaw relies on a domain login, it primarily affects corporate Windows users. Check out this article to learn more.

Internet Explorer (IE) also got a rather beefy patch, which fixes 41 security flaws. The update mostly fixes memory corruption vulnerabilities that bad guys can leverage in drive-by download attacks. However, this update also includes updates to IE’s SSLv3 handling to mitigate the POODLE flaw. Finally, this update does NOT fix the recent IE11 cross-site scripting (XSS) flaw that Google disclosed. That said, I’d recommend you install the IE update first, as web drive-by download attacks are much more popular and targeted than the Group Policy attack mentioned above.

Quick Bulletin Summary:

We summarize February’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS15-009 – Critical – Cumulative Internet Explorer update fixes 41 vulnerabilities – The Internet Explorer (IE) update primarily fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC.
  • MS15-010 – Critical- Kernel-mode Driver RCE flaw – The kernel-mode driver that ships with Windows suffers from various elevation of privilege flaws that could allow unprivileged users to execute code with full privileges. However, the attacker needs local system access and credentials to carry out the attack.
  • MS15-011 – Critical – Group Policy Remote Code Execution Flaw – The Windows Active Directory Group Policy Component suffers from complex code execution vulnerability. If an attacker can successfully intercept all the traffic of a Windows computer that connects to a domain, she can exploit this flaw to run arbitrary code on that computer. However, the attacker would most likely have to be on the same network as the victim in order for such a man-in-the-middle attack to succeed.
  • MS15-012 – Important – Office Code Execution Flaws – Various Office components, like Word and Excel, suffer from document handling code execution flaws. If an attacker can get you to open a maliciously crafted document, he could exploit these to gain control of your computer.
  • MS15-013 – Important – Office Security Bypass Flaw - Office doesn’t properly leverage Windows’ Address Space Layout Randomization (ASLR) feature. Since ASLR makes it harder for bad guys to exploit memory corruption issues, this bypass flaw makes it easier for attackers.
  • MS15-014 – Important – Group Policy Security Bypass Flaw - Using a man-in-the-middle attack, an attacker can trick Group Policy into reverting to its less secure, default state. This attack only works against Windows machines that connect to a domain. This flaw can be used in conjunction with MS15-011 to execute code.
  • MS15-015 – Important – Windows Elevation of Privilege Flaw - In short, if a unprivileged user can run code on a Windows machine, he can leverage this flaw to gain system privileges. However, he needs valid credentials and enough access to log in to the computer in the first place.
  • MS15-016 – Important – Windows Graphic Component Information Disclosure Flaw - The Graphics component of Windows suffers from a minor flaw that attackers could leverage to learn about the current memory state of your computer. This flaw serves little purpose alone, but could help attackers exploit other memory corruption vulnerabilities easier. Also, the attacker would have to entice you into viewing a TIFF image in order to exploit this flaw.
  • MS15-017 – Important – VMM Elevation of Privilege Flaw - If an attacker has credentials to login to your Microsoft Virtual Machine Manager (VMM), even as an under-privileged role, that attacker could leverage this flaw to gain full access to VMM and all your virtual machines.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as a soon as possible, and leave the moderate ones for last.

IMPORTANT NOTE: We have already read rumors about problems with some of today’s Microsoft updates. We highly recommend you test the patches before applying them to production servers.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download February’s full Security Update ISO –  Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8967)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0017)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0018)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0019)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0020)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0021)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0022)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0023)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0025)
  •  WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0026)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0029)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0030)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0031)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0035)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0036)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0037)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0038)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0039)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0040)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0041)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0042)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0043)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0071)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0070)
  • WEB-CLIENT Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-0069)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0068)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0067)
  • FILE Microsoft Office Word OneTableDocumentStream Remote Code Execution Vulnerability (CVE-2015-0065)
  • FILE Microsoft Office Word Remote Code Execution Vulnerability (CVE-2015-0064)
  • FILE Microsoft Office Excel Remote Code Execution Vulnerability (CVE-2015-0063)
  • FILE Microsoft Office TTF TrueType Font Parsing Remote Code Execution Vulnerability (CVE-2015-0059)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0053)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0052)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0051)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0050)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0049)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0048)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0046)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0045)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0044)
  • FILE Adobe Flash Player BitmapFilter Invalid Object Corruption Remote Code Execution (CVE-2015-0314)
  • FILE Adobe Flash Player Video Event Dispatch Use After Free (CVE-2015-0315)
  • FILE Adobe Flash Player OP_ANYBYTE PCRE Library Memory Corruption (CVE-2015-0316)
  • FILE Adobe Flash Player XMLSocket.connect Type Confusion (CVE-2015-0317)
  • FILE Adobe Flash Player PCRE Regex Compilation Memory Corruption (CVE-2015-0318)
  • FILE Adobe Flash Player Multiple Type Confusion (CVE-2015-0319
  • FILE Adobe Flash Player MessageChannel.send() Use After Free (CVE-2015-0320)
  • FILE Adobe Flash Player Parsing Malformed mp4 Video Memory Corruption (CVE-2015-0321)
  • FILE Adobe Flash Player ActionScript Pushscope Opcode Memory Corruption (CVE-2015-0322)
  • FILE Adobe Flash Player Special Regex Character Sets Heap Overflow (CVE-2015-0323)
  • FILE Adobe Flash Player JSON.stringify Integer Heap Overflow (CVE-2015-0324)
  • FILE Adobe Flash Player RemoveFromDeviceGroup() Use After Free (CVE-2015-0325)
  • FILE Adobe Flash Player ActionScript URLRequest.requestHeaders Type Confusion (CVE-2015-0326)
  • FILE Adobe Flash Player Stringifying Proxy Objects Heap Overflow (CVE-2015-0327)
  • FILE Adobe Flash Player NetConnection Request Null Dereference (CVE-2015-0328)
  • FILE Adobe Flash Player Multibyte UTF-8 Characters Regular Expressions Memory Corruption (CVE-2015-0329)
  • FILE Adobe Flash Player PCRE Regex Heap Overflow (CVE-2015-0330)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

 

Hot Girls Help Hackers – WSWiR Episode 138

The information security (infosec) industry is fast paced, and attackers change tactics every week. Do you have trouble following the latest attacks and security news? Well, our regular infosec video is here to help.

Today’s episode covers attackers masquerading as hot girls, a zero day IE11 flaw, malicious Google Play apps, an one of the largest healthcare data breaches. Watch the video for details on all that an more, and visit the Reference section for links to other stories.

(Episode Runtime: 10:50)

Direct YouTube Link: https://www.youtube.com/watch?v=EjDCoG7RxsY

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Poodle’s Back – WSWiR Episode 132

Another week, another batch of information security (infosec) news. Would you like a quick summary, rather than hunting it down yourself? No problem! Just check out our weekly video every Friday.

Today’s episode covers the Patch Day bonanza, lots of updates on the Sony Pictures breach, and a new twist on the “Poodle” SSL/TLS vulnerability. Press play for the scoop, and check our the References and Extras section for more stories and details.

(Episode Runtime: 7:13)

Direct YouTube Link: https://www.youtube.com/watch?v=WbbZjRtyODA

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft’s Last Patch Day Until 2015; Three Critical Patches

It’s that time of the month again; Microsoft Patch Day. Yesterday, Microsoft posted their regular batch of security updates, so it’s time you patch your Windows systems. I’ll summarize some Patch Day highlights below, but you should visit Microsoft’s December Patch Day Summary page for more details

By the Numbers:

On Tuesday, Microsoft released seven security bulletins, fixing a total of 25 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • and Exchange Server.

They rate three bulletins as Critical, four as Important.

Patch Day Highlights:

The Exchange update is the most interesting one, but lets start with what you should patch first. I’d start with the Internet Explorer (IE) update, as it closes a bunch of holes bad guys can use for drive-by download attacks. Next, even though Microsoft doesn’t rate it as Critical, the Exchange update fixes a few flaws attackers could leverage to access your users’ email (if they can get those users to click links). Since email is so important, I’d take care of that next. Then move on to the various Office updates, to make sure your users aren’t affected by malicious Office documents. Finally, even though it poses minimal risk, finish with the Graphics component update.

Quick Bulletin Summary:

We summarize December’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS14-080 – Critical – Cumulative Internet Explorer update fixes 14 vulnerabilities – The Internet Explorer (IE) update primarily fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC.
  • MS14-075 – Important- Four Exchange Server Vulnerabilities – Microsoft’s email server, Exchange, suffers from four security flaws. The worst are a pair of cross-site scripting (XSS) flaws. If an attacker can trick you into clicking a specially crafted link on a system you use for OWA, he could exploit these flaws to gain access to your email as you. The remaining flaws allow attackers to spoof emails to appear to come from someone else, or to spoof links that appear to link to somewhere else.
  • MS14-081 – Critical – Two Word Remote Code Execution Flaws – Word suffers from two flaws involving how it handles specially crafted Office files. In short, if an attacker can get you to open a malicious Office file, she can exploit these flaws to execute code on your computer.
  • MS14-082 – Important – Office Code Execution Flaw – Word, an Office component, suffers from yet another code execution vulnerability, similar to the two described above. I’m not sure why Microsoft included this is a separate bulletin, with a lower severity, since it seems to have a similar impact and mitigating factors as the flaws above.
  • MS14-083 – Important – Two Excel Code Execution Flaws - Excel suffers from a pair of code execution vulnerabilities attackers could exploit by getting you to interact with malicious spreadsheets.
  • MS14-084 – Important – Windows VBScript Memory Corruption Flaw - The Windows VBScript component suffers from a memory corruption flaw that attackers could leverage through your browser. If an attacker can lure you to a website with malicious code, he could exploit this flaw to execute code with your privileges.
  • MS14-085 – Important – Windows Graphic Component Information Disclosure Flaw - The Graphics component of Windows suffers from a minor flaw that attackers could leverage to learn about the current memory state of your computer. This flaw serves little purpose alone, but could help attackers exploit other memory corruption vulnerabilities easier.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as a soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download December’s full Security Update ISO –  Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8966)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6376)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6375)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6374)
  • WEB Microsoft Graphics Component Information Disclosure Vulnerability (CVE-2014-6355)
  • FILE Microsoft Word Remote Code Execution Vulnerability (CVE-2014-6357)
  • FILE Microsoft Excel Global Free Remote Code Execution Vulnerability (CVE-2014-6360)
  • WEB-CLIENT Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6368)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6369)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6373)
  • EXPLOIT Adobe Flash Player Memory Corruption (CVE-2014-0574)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6327)
  • WEB MIcrosoft Internet Explorer XSS Filter Bypass Vulnerability (CVE-2014-6328)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6329)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6330)
  • FILE Microsoft Excel Invalid Pointer Remote Code Execution Vulnerability  (CVE-2014-6361)
  • WEB-CLIENT Microsoft VBScript Memory Corruption Vulnerability (CVE-2014-6363)
  • WEB-CLIENT Microsoft VBScript Memory Corruption Vulnerability (CVE-2014-6366)
  • FILE Adobe Flash Player opcode pushwith Memory Corruption Vulnerability (CVE-2014-0586)
  • FILE Adobe Flash Player opcode pushscope Memory Corruption Vulnerability (CVE-2014-0585)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

 

Microsoft Delivers a Pile of Security Updates – Patch Day Nov. 2014

Microsoft’s monthly Patch Day went live on Tuesday, delivering a substantial pile of security updates to Microsoft administrators. As mentioned in last week’s video, we expected 16 security bulletins. However, Microsoft held back two for unspecified reasons. Even without those missing bulletins, this is a pretty big Patch Day. If you manage Microsoft networks, you’ll want to apply these updates as soon as you can. I’ll summarize some Patch Day highlights below, but you should visit Microsoft’s November Patch Day Summary page for more details

By the Numbers:

On Tuesday, Microsoft released 14 security bulletins, fixing a total of 33 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • the .NET Framework,
  • and SharePoint Server.

They rate four bulletins as Critical, eight as Important, and two as Moderate.

Patch Day Highlights:

You should definitely patch the critical flaws first. The OLE, IE, SChannel, and XML vulnerabilities are all pretty serious; you should install the updates immediately if you can. The overall theme here seems to be web-based threats. Though many of these vulnerabilities affect components you may not relate to web browsing, attackers can leverage many of them by enticing you to a web page hosting malicious code. Drive-by downloads have become one of the primary ways attackers silently deliver malware to your endusers, so you should patch any flaws that help support drive-by downloads as quickly as you can. Also note, the OLE update poses a particularly high risk as attackers have already been exploiting it in the wild (related to SandWorm). The SChannel vulnerability, which some are calling “WinShock,” is also pretty concerning, and might expose any Microsoft servers you expose to the internet (primarily web and email servers). Patch the OLE and SChannel flaws first, and follow quickly with the IE one.

As an aside, Enhanced Mitigation Experience Toolkit (EMET) is a package that makes it much harder for bad guys to exploit memory-based vulnerabilities. Microsoft released a new version (5.1) of EMET in Monday. If you don’t use EMET yet, consider it; and if you do, update.

Quick Bulletin Summary:

We summarize November’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS14-064 – Critical – Windows OLE Remote Code Execution Flaw – Windows’ Object Linking and Embedding (OLE) suffers from two flaws that attackers could exploit to execute code on user’s computers, if those user’s interact with malicious documents, or visit websites containing embedded malicious documents. Attackers have been exploiting these zero day flaws in the wild.
  • MS14-066 – Critical – Schannel Remote Code Execution Vulnerability – Secure Channel (Schannel), a security package that ships with Windows, suffers from a remote code execution flaw that attackers can exploit simply by sending specially crafted packets to your computer.
  • MS14-065 – Critical – Cumulative Internet Explorer update fixes 17 vulnerabilities – This update fixes remote code execution (RCE), elevation of privilege (EoP), information disclosure, and security bypass vulnerabilities. The RCE flaws pose the most risk as attackers often leverage them in drive-by download attacks, where simply visiting the wrong website could result in malware silently downloading and installing on your computer.
  • MS14-067 – Critical – XML Core Service Remote Code Execution Flaw – If attackers can entice you to a malicious website, or to a booby-trapped legitimate website, they can exploit this Microsoft XML Core Services (MSXML) vulnerability to silently install malware on your computer.
  • MS14-069 – Important – Pair of Office Code Execution Flaws - Office, specifically Word, suffers from a pair of code execution vulnerabilities attackers could exploit by getting you to interact with malicious documents.
  • MS14-070 – Important – Windows TCP/IP Elevation of Privilege Flaw - The Windows TCP/IP stack suffers from an EoP vulnerability. Despite the fact the flaw affects a network component, attackers can only exploit it locally by running a malicious program, which significantly lessens its severity.
  • MS14-071 – Important – Windows Audio Service Elevation of Privilege Flaw - This flaw has the same scope and impact as the local EoP flaw above, only it affects Windows’ Audio Service.
  • MS14-072 – Important – .NET Framework Elevation of Privilege Flaw - The .NET Remoting functionality of the .NET Framework suffers from a remote EoP vulnerability. By sending specially crafted data to a server that uses the .NET Remoting feature, and attacker could gain full control of that server. The good news is, according to Microsoft, .NET Remoting is not widely used.
  • MS14-073 – Important – SharePoint Foundation Elevation of Privilege Flaw - Though Microsoft doesn’t describe it this way, this vulnerability sounds like a cross-site scripting (XSS) flaw. If an attacker can lure you to a website with malicious code, or get you to click a link, he do things on your SharePoint server as though he were you.
  • MS14-076 – Important – IIS Security Bypass - Microsoft’s web server, IIS, has a feature that allows administrators to restrict access to web resources by IP address. Unfortunately, it suffers a flaw that attackers can leverage to bypass this access restriction. The flaw only affects you if you use this feature.
  • MS14-074 – Important – Remote Desktop Protocol Security Bypass - In short, the Remote Desktop Protocol (RDP) doesn’t properly log failed login attempts, meaning you may not notice when attackers repeatedly guess passwords.
  • MS14-077 – Important – ADFS Information Disclosure Flaw Active Directory Federation Services (AD FS) doesn’t fully log off users. If a new users logs on, she might have access to application info from the previous user.
  • MS14-078 – Moderate – Japanese IME Elevation of Privilege Flaw - If you use a Windows system that supports Japanese character input, and an attacker can get you to open a malicious file, the attacker can run code with your privileges. This flaw only affects systems with the Japanese character support install, but it has been exploited in the wild in limited attacks.
  • MS14-079 – Moderate – Kernel-mode Drive DoS flaw - The Kernel-mode driver suffers from a Denial of Server (DoS) having to do with how it handles Truetype fonts. If an attacker can get you to view a malicious font, perhaps by getting you to visit a website, he can exploit this to cause your system to crash or stop responding.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as a soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download November’s full Security Update ISO –  Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6353)
  • EXPLOIT Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6351)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6348)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6347)
  • WEB-CLIENT Microsoft Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6346)
  • WEB-CLIENT Microsoft Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6345)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6342)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6341)
  • WEB-ACTIVEX Microsoft Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6340)
  • WEB-CLIENT Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6339)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6337)
  • WEB Exchange URL Redirection Vulnerability (CVE-2014-6336)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4143)
  • WEB-CLIENT Microsoft Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2014-6323)
  • WEB-CLIENT Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332)
  • FILE Microsoft Office Double Delete Remote Code Execution Vulnerability (CVE-2014-6333)
  • FILE Microsoft Office Bad Index Remote Code Execution Vulnerability (CVE-2014-6334)
  • FILE Microsoft Office Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6335)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

 

Mega IE Update Corrects 37 Vulnerabilities; Including Zero Day

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft posted an update that fixes a 37 new vulnerabilities in all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

All but one of the vulnerabilities described in this alert are memory corruption vulnerabilities, which share the same general scope and impact. If an attacker can lure you to a web page containing malicious web code, he can exploit these flaws to execute code on your computer, inheriting your privileges. If you have local administrative privileges, which most Windows users do, the attack could potentially gain full control of your computer.

These types of memory corruption vulnerabilities are ideal for attackers launching drive-by download attacks—a class of attack where malicious code hidden on a web page can silently install malware on your computer. Today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way. In fact, one of today’s fixes closes a zero day vulnerability that attackers have exploited in the wild. I highly recommend you install this update immediately

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4095)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4094)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability -1 (CVE-2014-4092)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability -2 (CVE-2014-4092)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4089)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4082)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4081)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4086)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4087)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4088)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4084)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4065)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4080)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Windows, IE, Lync, and .NET Patches

As you may know, today was Microsoft Patch Day. If you manage a Windows-based network, it’s time to get the latest updates.

According to Microsoft’s summary post, the Redmond-based software company released four security bulletins fixing 41 vulnerabilities in many of their popular products. The affected software includes, Windows, Internet Explorer (IE), Lync Server, and the .NET Framework. Microsoft rates the IE update as Critical, and the rest as Important.

As you might guess from the severity ratings, the IE update is the most important. It fixes over 37 security flaws in the popular browser, many of which attackers could use in drive-by download attacks (where just visiting a web site results in malware on your computer). Furthermore, one of the fixes closes a zero day vulnerability that attackers have exploited in the wild. If you use IE, I recommend you apply its update as quickly as your can. You should also install the other updates as well, however, their mitigating factors lessen their risk, so you can install them at your convenience.

In summary, if you use any of the affected products, download, test, and deploy these updates as quickly as you can or let Windows’ Automatic Update do it for you. For the server related updates, I highly recommend you test them before installing them on production servers, as Microsoft has released a few problem causing updates recently. You can find more information about these bulletins and updates in Microsoft’s September Summary advisory.

Also note today is Adobe’s Patch Day as well, and they released one security update fixing 12 vulnerabilities in Flash Player. If you use Flash, you should update it quickly. Adobe also pre-announced a Reader update earlier this month. However, it appears they have had to delay the update for some reason.

I’ll share more details about today’s patches on the blog throughout the day. However, I am traveling internationally, so the updates may not arrive as regularly as usual. If you are in a hurry to patch, I recommend you visit the links above, and start now.  — Corey Nachreiner, CISSP (@SecAdept).

Latest IE Patch Corrects 26 Vulnerabilities

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft released an update that fixes a 26 new vulnerabilities in all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Most of the vulnerabilities described in this alert (24 of the 26) are memory corruption vulnerabilities, which share the same general scope and impact. If an attacker can lure you to a web page containing malicious web code, he can exploit these flaws to execute code on your computer, inheriting your privileges. If you have local administrative privileges, which most Windows users do, the attack could potentially gain full control of your computer

The patch also fixes a pair of privilege escalation vulnerabilities, but the memory corruption flaws alone should convince you to update IE as soon as you can.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4063)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4057)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4050)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2824)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2823)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2820)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Nine Microsoft Security Bulletins Coming Tomorrow; Two Critical

Is it just me, or are the months flying by this year? It’s already time for yet another Microsoft Patch Day. According to their advanced notification post for August, Microsoft will release nine security bulletins tomorrow, two with a Critical severity rating. The bulletins will include updates to fix flaws in Windows, Internet Explorer, Office, the .NET Framework, SQL server, and other Microsoft Server Software. You can find a little more color about the upcoming patches at Microsoft’s Security Response Center blog.

In short, if you are a Microsoft administrator, you should prepare yourself for a busy day of patching. I’ll post more details about these updates tomorrow, as they come out. However, I am traveling this week to attend a show, so my posts may not go live as quickly as normal. Be sure to keep you eye on their summary post tomorrow, if you’d like to get the details early. — Corey Nachreiner, CISSP (@SecAdept)

Follow

Get every new post delivered to your Inbox.

Join 7,838 other followers

%d bloggers like this: