Tag Archives: internet explorer

Two IE Bulletins Double the Browser Updates

Severity: High

Summary:

  • These vulnerabilities affect: Internet Explorer (IE) 10 and earlier
  • How an attacker exploits them: Typically, by enticing one of your users to visit a web page with malicious content
  • Impact: Various; in the worst case, an attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s Internet Explorer updates immediately, or let Windows Automatic Update do it for you

Exposure:

In a relatively unusual move, Microsoft released two Internet Explorer (IE) security bulletins today, rather than their typical single cumulative update. Combined, the two bulletins fix 14 vulnerabilities in the popular web browser, many of which allow attackers to execute code on vulnerable Windows systems.

We summarize the two bulletins below:

  • MS13-009: February IE Cumulative Update

This update fixes 13 vulnerabilities in IE, most of them “use after free” vulnerabilities similar to the ones Microsoft fixed with last month’s out-of-cycle IE bulletin. By luring one of your users to a web site containing malicious code, a remote attacker can exploit most of these vulnerabilities to execute code on your computer, with your privileges. As always, if you have local administrator privileges, the attacker could exploit this issue to gain complete control of your computer.

Microsoft rating: Critical

  • MS13-010: VML Memory Corruption Vulnerability

Vector Markup Language (VML) is a graphics standard for creating 2D vector illustrations with XML files. The VML component in IE suffers from a memory corruption vulnerability having to do with how it allocates buffers. By enticing your users to a web site with specially crafted content, a remote attacker could exploit this flaw to execute code on that user’s computer, with the user’s privileges. Since most Windows users have local administrative privileges, this sort of attack often gives the attacker complete control of their computers.

Microsoft rating: Critical

Malicious hackers often leverage these types of vulnerabilities in drive-by download attacks, and they also target legitimate web sites and booby-trap them with malicious code. In other words, you can sometimes encounter these sorts of “drive-by download” attacks even while visiting trusted, legitimate web sites. We recommend you update your IE users immediately.

Solution Path:

These updates fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

That said, WatchGuard’s Gateway Antivirus and Intrusion Prevention Service can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS team has created signatures for the following:

  • Various “use after free” vulnerabilities - CVE-2013-0018, CVE-2013-0019, CVE-2013-0020, CVE-2013-0021, CVE-2013-0022, CVE-2013-0023, CVE-2013-0024, CVE-2013-0025, CVE-2013-0026, CVE-2013-0027, CVE-2013-0028, CVE-2013-0029
  • JIS character encoding vulnerability - CVE-2013-0015
  • VML memory corruption vulnerability - CVE-2013-0030

These signatures will be available in our next IPS update, which should come out shortly. We highly recommend you enable our security services on your WatchGuard XTM and XCS appliances, and keep IPS and AV up to date.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

MS Black Tuesday: 12 Bulletins, 57 Flaws, and Lots of Work

Though not the biggest on record, today’s Patch Day is no slouch.

As expected, Microsoft released a dozen security bulletins, fixing 57 vulnerabilities that affect a range of their software, including:

  • Windows (and its components)
  • .NET Framework
  • Internet Explorer (IE)
  • Exchange Server
  • Fast Search Server 2010

According to the summary alert, Microsoft rates five of the bulletins as Critical, which typically means remote attackers can exploit them to gain control of affected computers (usually with little to no user interaction). In general, I recommend you apply these Critical updates first.

In particular, I’d start with the two IE updates since attackers often target users with drive-by download attacks. Also, jump on the Exchange server update immediately, as it fixes an issue attackers could easily exploit with a specially crafted email and attachment—not to mention, your email server is a pretty critical asset.

Though not as serious as other issues, one of Microsoft’s alerts describes a Windows TCP/IP Denial of Service vulnerability, which it sounds like attackers could exploit with a single malicious packet. I haven’t seen this sort of “Ping of Death”-like DoS vulnerability in a while.

As always, I recommend you test the updates before deploying them to a production environment. If you don’t have time or resources to test all of them, at least try to test the server-related updates.

As an aside, WatchGuard’s IPS signature team gets early warning about Patch Day, and will shortly release a new signature update that detects some of the described issues. They have developed signatures for the following Patch Day-related issues:

  • CVE-2013-0015
  • CVE-2013-0018
  • CVE-2013-0019
  • CVE-2013-0020
  • CVE-2013-0021
  • CVE-2013-0022
  • CVE-2013-0023
  • CVE-2013-0024
  • CVE-2013-0025
  • CVE-2013-0026
  • CVE-2013-0027
  • CVE-2013-0028
  • CVE-2013-0029
  • CVE-2013-0030
  • CVE-2013-0077
  • CVE-2013-1313

We’ll post consolidated alerts throughout the day, sharing more details about these bulletins and updates. Stay tuned.  — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day: Feb. 2013

Microsoft Piles on Patches Next Tuesday

February looks to be a busy month for Microsoft administrators. According to the latest advanced patch notification, the Redmond-based software company plans to release a dozen security bulletins next Tuesday. The bulletins will fix security flaws in Windows, Internet Explorer (IE), Office, the .NET Framework, and Exchange server. Microsoft rates five of the bulletins as Critical, and the rest as Important.

In the middle of last month, Microsoft released an out-of-cycle IE update to fix a flaw attackers were leveraging in the wild. It appears that update didn’t fix everything in IE since at least two of the upcoming bulletins affect the popular web browser.

As always, we’ll share more about these updates, and the vulnerabilities they correct, next week. You can also expect our IPS signature team to have signatures prepared for any known exploits that Microsoft shares with us. In the meantime, prepare your IT team for a pretty full plate of patches. — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day: Feb. 2013

Out-of-Cycle IE Patch Mends Zero Day Vulnerability

Summary:

  • This vulnerability affects: Internet Explorer 6 through 8 (9 and 10 are not affected)
  • How an attacker exploits it: Usually, by enticing one of your users to visit a malicious web page
  • Impact: Various; in the worst case, an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patch immediately, or let Windows Automatic Update do it for you

Exposure:

In a previous post, we warned you of a zero day “use after free” vulnerability that affected Internet Explorer (IE) 6 through 8. By luring one of your users to a web site containing malicious code, a remote attacker could exploit the vulnerability to execute code on your computer, with your privileges. As always, if you have local administrator privileges, the attacker could exploit this issue to gain complete control of your computer. At the time, Microsoft hadn’t fixed this newly discovered flaw, but had released a FixIt that could mitigate its risk.

This week, Microsoft released an out-of-cycle security bulletin containing a full patch for this issue. Attackers are still exploiting this flaw in the wild, so it poses a significant risk. If you use IE 6, 7, or 8, you should patch IE immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from this flaw.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

WatchGuard Security Week in Review: Episode 46 – IE 0day

IE 0day, Fraudulent Certs, and Damaged Drivers

Happy New Year everyone, and welcome back to 2013’s first episode of WatchGuard Security Week in Review (WSWiR).

If you are new to our blog, the WSWiR vlog is a weekly video podcast designed to keep busy IT admins up-to-date with the latest security news and events every week. I cover big breaches, zero day flaws, software updates, and many other security stories, and also share some practical defense tips along the way. If you want a quick recap of the week’s InfoSec news, give our show a try.

This week’s episode has a strong Microsoft theme. I cover a zero day IE exploit found in the wild, some fraudulent digital certificates found by Microsoft, and their upcoming Patch Day. I also throw in a few non-Microsoft news items, and an update about the Samsung phone vulnerability mentioned in a previous episode. If you want the skinny on the latest security news, click play below (or check out the Reference section if you’d rather read up on these issues).

One aside; I had planned a new, shorter intro to these episodes to launch with the new year (as per request), but simply ran out of time. I will shorten it soon.

(Episode Runtime: 9:52)

Direct YouTube Link: http://www.youtube.com/watch?v=0B3pd4gX8KY

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

IE FixIt Corrects Zero Day Drive-by Download Exploit

I can think of better ways to end the year than with a last-minute zero day Internet Explorer (IE) exploit found in the wild. Yet that is exactly what happened last week. The good news is Microsoft has a quick fix.

Late last week, FireEye reported that attackers had infected the Council of Foreign Relations’ (CFR) web site with malicious code that leveraged a previously undiscovered vulnerability in IE. If you visited this site while it was booby-trapped, the drive-by download code would exploit the zero day flaw to install malware onto your computer. The attack code also checks your browser version to confirm you’re vulnerable, and only targets victims with English, Russian, Chinese, Korean, and Japanese operating systems. The code seems to contain Chinese characters, leading some to believe this is a China-based attack.

Over the weekend, Microsoft released an early advisory confirming this vulnerability. They also updated the advisory on Monday to add a FixIt workaround. According to their post, the vulnerability only affects IE 6 through 8. So if you use the latest versions of IE (9 and 10), you’re immune to the exploit. Though Microsoft hasn’t released the full details yet, the vulnerability seems to involve a “use after free” problem, which attackers can leverage to corrupt memory and force a computer to execute code of their choosing. If you use IE 6-8, I highly recommend you apply Microsoft’s IE FixIt immediately.

That said, I expect the FixIt only provides a temporary solution, and you should expect a more complete patch during one of Microsoft’s upcoming Patch Days. — Corey Nachreiner, CISSP (@SecAdept)

Avoid Drive-by Downloads; Patch IE

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing three new security vulnerabilities affecting Internet Explorer (IE). Technically, the new vulnerabilities seem only to affect IE 9 and 10, yet Microsoft has released the cumulative update for all versions. They rate this update as Critical.

Similar to last month, all three of these security flaws are “use after free” vulnerabilities, which are types of memory corruption flaws that attackers can leverage to execute arbitrary code. They all have to do with how IE handles various HTML objects. If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like more technical detail about these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Details aside, all of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws may affect you even when visiting legitimate, trusted web sites.  If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a new signature, which can detect and block at least one of these new IE vulnerabilities:

  • WEB-CLIENT Microsoft Internet Explorer Improper Ref Counting Use After Free (CVE-2012-4787)

Your appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: Patch Before the Holidays

If you’re anything like me, your late December schedule is quickly filling with holiday parties, family activities, and seasonal days off. This means if you want to secure your Microsoft environment before the end of the year, you better get started earlier rather than later.

Today, Microsoft released seven security bulletins fixing at least 11 vulnerabilities in many of their products, including:

  • Windows (all versions)
  • Internet Explorer (IE)
  • Word (part of Office)
  • and Exchange Server

They rate five of the bulletins as Critical, and the rest as Important. For more details, check out their December bulletin summary, or wait for our detailed alerts.

If I were to pick the order you patched, I’d start with the Exchange update since you need to protect your public servers, follow with the IE patch since attackers like drive-by downloads, fix the Word flaw to avoid targeted phishing attacks, and end with the Windows updates in order of severity… but that’s just me.

In any case, you should download, test, and deploy Microsoft’s updates as soon as possible. If you don’t have time to test everything, at least take the time to test the Exchange update, as you don’t want your production email server suffering any downtime.

I’ll post more detailed alerts throughout the day, but until then feel free to refer to Microsoft’s December bulletin matrix below.  — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day: December 2012

Three Critical Vulnerabilities Only Affect IE 9

Severity: High

Summary:

  • These vulnerabilities affect: Internet Explorer (IE) 9 only
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s Internet Explorer 9 updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing three new security vulnerabilities that affect Internet Explorer (IE) 9.0, running on Windows Vista, 7, and Server 2008. These vulnerabilities do not affect any other versions of IE. Microsoft rates the aggregate severity of these new flaws as Critical.

The three security flaws are all “use after free” vulnerabilities, which are types of memory corruption flaws that attackers can leverage to execute arbitrary code. They all have to do with how IE handles various specially crafted HTML objects.  If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Details aside, all of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws may affect you even when visiting legitimate, trusted web sites.  If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware these attacks try to distribute.

More specifically, our IPS signature team has developed three new signatures, which can detect and block these new IE vulnerabilities:

  • WEB-CLIENT Microsoft IE CTreeNode Use After Free Vulnerability (CVE-2012-4775)
  • EXPLOIT Microsoft IE CFormElement Use After Free Vulnerability (CVE-2012-1538)
  • EXPLOIT Microsoft IE CTreePos Use After Free Vulnerability (CVE-2012-1539)

Your appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: Critical Updates Affect Windows 8 and More

It’s Microsoft Patch Day and I have a question for you. How quick are you at applying software updates? Do you jump on them within the day or a week, or are you months behind?

If you are one of the many who fall behind, know that patching is one of the practices that can most improve your security posture. I recommend you take this opportunity to improve your patching practices with a small challenge. Try to test and deploy all of today’s patches before Turkey Day (Thanksgiving, Nov. 22). That way you can enjoy a guilt-free feast, knowing your network is relatively safe and secure. If you accept this challenge, here’s what you are in for…

Today, Microsoft released six security bulletins fixing 19 vulnerabilities in many of their popular products, including:

  • Windows (all versions)
  • Internet Explorer (IE)
  • Excel (part of Office)
  • .NET Framework
  • IIS Server

They rate four of the bulletins as Critical, one as Important, and one as Moderate. For more details, check out this November bulletin summary, or wait for our detailed alerts.

With so many critically rated issues, it’s hard to recommend a patch order. I would personally apply the IE update first, since attackers often exploit web browser issues in drive-by download attacks. Follow that with the Critical Windows updates, but don’t forget the Important Excel vulnerability. While this sort of document handling vulnerability requires a little user interaction to succeed, spear-phishers often leverage it in their email-based attacks. Whatever order you choose, I recommend you apply all of today’s updates as quickly as you can.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft’s update matrix below, for your convenience. — Corey Nachreiner, CISSP (@SecAdept)
