Tag Archives: internet explorer

World Password Day – WSWiR Episode 106

MS Patch Day, 4chan Hacked, and Password Security

If you’re too busy helping your users and maintaining your network to read the latest information security news, you might miss out on new tip that could save your network. No worries. Let my short, weekly Infosec video summarize the week’s biggest news for you.

Today, I warn you about all the upcoming patches next Tuesday, talk about a popular web site hack and what administrators can learn from it, and share my three primary password tips for World Password Day. Click play below for all the details, and take a peek at the Reference section for links to other stories.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 7:32)

Direct YouTube Link: https://www.youtube.com/watch?v=fKU3Qoaj_Dw

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

IE & Flash 0day – WSWiR Episode 105

White House Cyber Disclosure, Traffic Light Hacking, and Zero Day Exploits

There was a ton of Information Security news this week. More than most people can keep up with; especially busy IT administrators who are already putting out other fires. If you have little time to read the latest news, but want a quick recap of the most important infosec stories each week, this is the vlog for you.

In this episode, I react to the White House talking about their zero day disclosure policy, I share news about a researcher hijacking traffic lights across the US, and I warn you about two critical zero day flaws in very popular software products. If you want to stay informed and get the latest security advice, watch the video below. You can also explore the Reference section for links to more stories.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 8:04)

Direct YouTube Link: https://www.youtube.com/watch?v=UxQoInvMBcw

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

UPDATE TO: Advanced Attackers Exploit IE 0day in the Wild

Severity: High

Summary:

  • This vulnerability affects: All versions of Internet Explorer (IE)
  • How an attacker exploits it: By enticing a user to visit web site containing malicious content
  • Impact: An attacker can execute code with your privileges, potentially gaining complete control of your computer
  • What to do: Install Microsoft’s emergency IE patch immediately, or let Windows Update do it for you

Exposure:

On Monday, we released an alert warning about a zero day vulnerability affecting all version of Internet Explorer. Researchers discovered attackers exploiting this critical flaw in the wild, and Microsoft had not yet released a patch at that time.

Today, Microsoft released an out-of-cycle security bulletin containing an update to fix this serious vulnerability. As mentioned in our original alert, IE suffers from something called a “use after free” memory corruption vulnerability. By enticing one of your users to a web site containing malicious content, an attacker can exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker gains full control of your machine.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks. Furthermore, attackers are already exploiting this particular flaw in targeted attacks. We highly recommend you install Microsoft’s IE update immediately

We have included the original alert below for your convenience.

Solution Path:

Microsoft has released IE updates to correct this vulnerability. You should download, test, and deploy the updates immediately, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s IE bulletin. Also note, Microsoft has included updates for Windows XP customers, despite their End-of-Life date last month.

If for some reason you cannot patch immediately, there are also some workarounds than can mitigate the issue. We detail those workarounds in our original alert, which we’ve included below for your convenience.

For All WatchGuard Users:

As mentioned in our original alert, there are a number of things WatchGuard XTM customers can do to protect themselves. For instance, you can use our proxy policies to block Flash content by extension (.SWF) or by MIME type (application/x-shockwave-flash). Furthermore, our IPS service includes signatures that block this IE exploit (update to signature set 4.410). Nonetheless, we still highly recommend you install Microsoft’s IE update to completely protect yourself from this attack.

Status:

Microsoft has released patches to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


Over the weekend, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability in Internet Explorer (IE), which attackers are exploiting in the wild. Around the same time, Kaspersky also noted an attack campaign leveraging a new Adobe Flash zero day flaw, which Adobe patched today. I’ll discuss both issues below, starting with the IE issue.

IE Zero Day in the Wild

According to this blog post, researchers at FireEye discovered advanced attackers exploiting this zero day IE flaw as part of a persistent attack campaign they are calling “Operation Clandestine Fox.” The attack targets IE 9-11 and also leverages a Flash flaw to help bypass some of Windows’ security features.

Shortly after FireEye’s post, Microsoft released a security advisory confirming the previously undiscovered flaw in IE. The advisory warns that the flaw affects all versions of IE (though the attack seems to target IE 9-11). While Microsoft is still researching the issue, the vulnerability seems to be a “use after free” class of memory corruption vulnerability. In short, if an attacker can entice you to a web page containing maliciously crafted content, he could exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker would gain full control of your machine. It’s interesting to note, the attackers also leverage a known Adobe Flash issue to help defeat some of Microsoft’s Windows memory protection features.

Zero day IE vulnerabilities are relatively rare, and very dangerous. Attackers are already exploiting this IE one in the wild, so it poses a significant risk. Unfortunately, Microsoft just learned of the flaw, so they haven’t had time to patch it yet. I suspect Microsoft will release an out-of-cycle patch for this flaw very shortly since this is a high-profile issue. In the meantime here a few workarounds to help mitigate the flaw:

  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue.  So you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMETEMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. Installing EMET could help protect your computer from many types of memory corruption flaws, including this one. This Microsoft blog post shares more details on how it can help with this issue.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to many browser-based attacks.
  • Disable VML in IE – This exploit seems to rely on VML to work. Microsoft released a blog post detailing how disabling VML in IE, or running IE in “Enhanced Protection Mode” can help.
  • Make sure your AV and IPS is up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. In fact, WatchGuard’s IPS engineers have already created signatures to catch this attack. We are QA testing the signatures now, but they should be available to XTM devices shortly. Whatever IPS system you use, be sure to keep your AV and IPS systems updating regularly, to get the latest protections.
  • WatchGuard XTM customers can block Flash with proxies - If you own a WatchGuard XTM security appliance, you can use our proxy policies to block certain content, including Flash content. For instance, you can use our SMTP or HTTP proxies to block SWF files by extensions (.SWF) or by MIME type (application/x-shockwave-flash). Keep in mind, blocking Flash blocks both legitimate and malicious content. So only implement this workaround if you are ok with your users not accessing normal Flash pages.

Adobe Patches Flash Zero Day

Coincidentally, Adobe also released an emergency Flash update today fixing a zero day exploit that other advanced attackers are also exploiting in a targeted watering hole campaign. The patch fixes a single vulnerability in the popular Flash media player, which attackers could exploit to run arbitrary code on your system; simply by enticing you to a web site containing specially crafted Flash content. This exploit was discovered in the wild by Kaspersky researchers (one of our security partners). According to Kaspersky’s research, the exploit was discovered on a Syrian website, and seems to be designed to target potential Syrian dissidents.

The good news is there is a patch for this flaw. So if you use Adobe Flash, go get the latest update now. By the way, some browsers like Chrome and IE 11 embed Flash directly, so you will also have to update those browsers individually. Finally, though the IE zero day I mentioned earlier does rely on a Flash issue, this particular zero day Flash flaw is totally unrelated. One additional note; WatchGuard’s IPS engineers have also created a signature for this exploit as well. It will be available shortly, once testing is complete.

So to summarize, if you use IE, disable VML, install EMET, and watch for an upcoming patch. If you use Flash, updates as soon as you can. I will be sure to inform you here, as soon as Microsoft releases their real patch or FixIt. — Corey Nachreiner, CISSP (@SecAdept)

Advanced Attackers Exploit IE & Flash 0days in the Wild

Over the weekend, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability in Internet Explorer (IE), which attackers are exploiting in the wild. Around the same time, Kaspersky also noted an attack campaign leveraging a new Adobe Flash zero day flaw, which Adobe patched today. I’ll discuss both issues below, starting with the IE issue.

IE Zero Day in the Wild

According to this blog post, researchers at FireEye discovered advanced attackers exploiting this zero day IE flaw as part of a persistent attack campaign they are calling “Operation Clandestine Fox.” The attack targets IE 9-11 and also leverages a Flash flaw to help bypass some of Windows’ security features.

Shortly after FireEye’s post, Microsoft released a security advisory confirming the previously undiscovered flaw in IE. The advisory warns that the flaw affects all versions of IE (though the attack seems to target IE 9-11). While Microsoft is still researching the issue, the vulnerability seems to be a “use after free” class of memory corruption vulnerability. In short, if an attacker can entice you to a web page containing maliciously crafted content, he could exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker would gain full control of your machine. It’s interesting to note, the attackers also leverage a known Adobe Flash issue to help defeat some of Microsoft’s Windows memory protection features.

Zero day IE vulnerabilities are relatively rare, and very dangerous. Attackers are already exploiting this IE one in the wild, so it poses a significant risk. Unfortunately, Microsoft just learned of the flaw, so they haven’t had time to patch it yet. I suspect Microsoft will release an out-of-cycle patch for this flaw very shortly since this is a high-profile issue. In the meantime here a few workarounds to help mitigate the flaw:

  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue.  So you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMETEMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. Installing EMET could help protect your computer from many types of memory corruption flaws, including this one. This Microsoft blog post shares more details on how it can help with this issue.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to many browser-based attacks.
  • Disable VML in IE – This exploit seems to rely on VML to work. Microsoft released a blog post detailing how disabling VML in IE, or running IE in “Enhanced Protection Mode” can help.
  • Make sure your AV and IPS is up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. In fact, WatchGuard’s IPS engineers have already created signatures to catch this attack. We are QA testing the signatures now, but they should be available to XTM devices shortly. Whatever IPS system you use, be sure to keep your AV and IPS systems updating regularly, to get the latest protections.
  • WatchGuard XTM customers can block Flash with proxies - If you own a WatchGuard XTM security appliance, you can use our proxy policies to block certain content, including Flash content. For instance, you can use our SMTP or HTTP proxies to block SWF files by extensions (.SWF) or by MIME type (application/x-shockwave-flash). Keep in mind, blocking Flash blocks both legitimate and malicious content. So only implement this workaround if you are ok with your users not accessing normal Flash pages.

Adobe Patches Flash Zero Day

Coincidentally, Adobe also released an emergency Flash update today fixing a zero day exploit that other advanced attackers are also exploiting in a targeted watering hole campaign. The patch fixes a single vulnerability in the popular Flash media player, which attackers could exploit to run arbitrary code on your system; simply by enticing you to a web site containing specially crafted Flash content. This exploit was discovered in the wild by Kaspersky researchers (one of our security partners). According to Kaspersky’s research, the exploit was discovered on a Syrian website, and seems to be designed to target potential Syrian dissidents.

The good news is there is a patch for this flaw. So if you use Adobe Flash, go get the latest update now. By the way, some browsers like Chrome and IE 11 embed Flash directly, so you will also have to update those browsers individually. Finally, though the IE zero day I mentioned earlier does rely on a Flash issue, this particular zero day Flash flaw is totally unrelated. One additional note; WatchGuard’s IPS engineers have also created a signature for this exploit as well. It will be available shortly, once testing is complete.

So to summarize, if you use IE, disable VML, install EMET, and watch for an upcoming patch. If you use Flash, updates as soon as you can. I will be sure to inform you here, as soon as Microsoft releases their real patch or FixIt. — Corey Nachreiner, CISSP (@SecAdept)

Heartbleed Bug- WSWiR Episode 102

April Patch Day, Raided Pen-Tester, and OpenSSL Heartbleed

Information security news never stops, even if I have to post it from a Changi Airport lounge. If you need to learn the latest cyber security news, including what to do about the biggest vulnerability of the year (so far), you’ve found the right weekly video blog.

This week’s “on-the-road” episode covers Adobe and Microsoft’s Patch Day, an allegory on why you should avoid greyhat pen-testing, but most important of all, information and advice about the major OpenSSL Heartbleed vulnerability. If you use the Internet, you need to know about the Heartbleed flaw, so click play below to watch this week’s video. Finally, make sure to check the Reference section for links to the stories and some extras; especially if you are interested in all the WatchGuard Heartbleed information.

(Episode Runtime: 8:05)

Direct YouTube Link: http://www.youtube.com/watch?v=gEw-o2GQd1U

Episode References:

Extras:

Heartbleed described by XKCD

— Corey Nachreiner, CISSP (@SecAdept)

IE Patch Squashes Six Memory Corruption Flaws

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes six new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Though these vulnerabilities differ technically, they share the same general scope and impact, and involve various memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1755)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1753)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1751)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1752)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Word 0day Fix & More

Microsoft’s monthly Patch Day went live earlier today. As expected they released four security bulletins, fixing flaws in Windows, Internet Explorer (IE), and Office. Microsoft rates two of the bulletins as critical, one that fixes Word vulnerabilities (including a zero day one I warned about earlier) and another that fixes IE flaws.

If you use the affected Microsoft products, you should apply these patches as soon as you can. I’d apply the updates in the order Microsoft recommends; the Word update first, the IE one second, and the Windows and Publisher updates last.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day.  However, I am currently traveling in Asia, so my blog posts may be late due to timezone issues and travel. So I recommend you check out the April bulletin summary in the meantime, if you’d like an early peek. Also, keep in mind that Adobe released a Flash update today as well. — Corey Nachreiner, CISSP (@SecAdept).

APT Blocker – WSWiR Episode 101

April Patch Day, NSA Encryption Backdoors, and APT Blocker

Ready for your weekly summary of InfoSec news? Well here it is.

This week’s episode covers what you need to know about next week’s Microsoft patch day, shares details about the latest NSA/RSA encryption scandal, and unveils WatchGuard’s latest security service, which can protect you from zero day malware. Watch the video for the whole scoop, and scope out the references for links to other news.

I continue my travels in Asia next week, so the video may continue to post at unusual times. We’ll be back to our normal scheduling soon.

(Episode Runtime: 5:23)

Direct YouTube Link: https://www.youtube.com/watch?v=JkFmxEVveRY

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Out-of-Cycle Word FixIt Corrects Zero Day Vulnerability

If you’re worried about spear phishing attacks (and if you’re not, you should be), grab Microsoft’s emergency FixIt to mitigate a zero day vulnerability attackers are exploiting in the wild.

In a security advisory released yesterday, Microsoft warned of a zero day vulnerability in Word, which attackers are exploiting in what Microsoft describes as limited, targeted attacks. Apparently, the exploit in the wild targets Word 2010, but the flaw affects other versions of Word as well. Since this is an early advisory, it doesn’t describe the flaw in much technical detail. However, it does mention attackers can trigger the flaw with specially crafted rich text format (RTF) files. If an attacker can entice you to view a malicious RTF in Word, he could exploit this vulnerability to execute code on you computer, with your privileges. If you are an administrator, the attacker gains complete control of your PC.

By default, most current version of Office use Word as Outlook’s email viewer. This mean attackers can trigger this flaw just by getting you to open an RTF attached to an email. According to some on Twitter, simply previewing an email with a malicious RTF triggers the flaw.

While Microsoft hasn’t had time to release a full patch yet, they have posted a FixIt that mitigates the risk of this vulnerability. If you use Office, I highly recommend you install the FixIt as soon as you can. Also, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) can mitigate the risk of any type of memory corruption flaw. In general, I recommend you install EMET on Windows machines to protect them from any zero day, memory-related issues.

I’ll post more details about this flaw during an upcoming Patch Day, when Microsoft releases the final update. In the meantime, if you’d like more information about it you can check out Microsoft’s security blog post— Corey Nachreiner, CISSP (@SecAdept

 

Latest IE Update Patches Zero Day Hole and 17 Others

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes 18 new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Though many of these vulnerabilities differ technically, the majority of them share the same general scope and impact, and involve various memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

Most importantly, attackers have been exploiting one of these memory corruption corruption flaws in the wild. Recently, security researchers have discovered attackers exploiting this particular IE flaw in two watering hole attacks, where they hijack legitimate websites and inject them with malicious code, hoping to infect the people who visit those sites. Since attackers are already exploiting at least one of these issues in the wild, we highly recommend you apply this IE update immediately

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s December IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0297)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0298)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0299)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0302)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0303)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0304)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0305)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0306)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0309)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0311)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0312)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0313)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0322)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0314)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Follow

Get every new post delivered to your Inbox.

Join 7,524 other followers

%d bloggers like this: