Tag Archives: mac

Time to Polish Your Apple: OS X & Safari Updates

Severity: High

Summary:

  • These vulnerabilities affect: Apple OS X 10.6.x-10.8.x and Safari 6.0.4 and below
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files (often multimedia files), or visiting malicious websites
  • Impact: Various results; in the worst case, an attacker can execute code with your privileges
  • What to do: Install the appropriate OS X and Safari, or let Apple’s Software updater do it for you.

Exposure:

Yesterday, Apple released two security updates to fix many vulnerabilities in OS X and Safari (Mac version only). If you use Mac computers, you should apply these significant updates quickly. I summarize Apple’s alerts below:

Apple released an update to fix vulnerabilities in all current versions of OS X. The update patches about 33 (number based on CVE-IDs) security issues in 11 of the components that ship as part of OS X, including QuickTime, OpenSSL, and Ruby. The flaws differ in scope and impact, but the worst allow attackers to execute code with your privileges simply by enticing you into viewing a malicious file. Most of these file handling issue involve multimedia files, such as movies and pictures. If you use a Mac, you should install the update as quickly as you can. See Apple’s alert for more detail on each flaw.

WatchGuard rating: Critical

Apple also released an update to fix about 26 security flaws in Safari for Mac (Apple seems to have discontinued supporting Safari for Windows). The majority of these are memory corruption issues that attackers could exploit to run arbitrary code on your Mac, with your privileges. Of course, they’d have to lure you to a web site with malicious code in order to trigger the attack. Many of these vulnerabilities are ideal for drive-by download attacks. Again, if you have a Mac, I recommend you patch Safari, even if you don’t use it as your primary browser. See Apple’s alert for more detail.

WatchGuard rating: Critical

Solution Path:

Apple has released update for all these products. If you use Mac computers, you should download and install the updates as soon as you can, or let Apple’s Software Updater do it for you. That said, the OS X update is rather large, and will require a reboot, so plan that update accordingly.

Personally, I have not had any problems with Apple’s automatic updates, so I recommend you use the Automatic Updater to download and remind you of patches regularly, at least on your client machines (you may need to plan your OS X server updates more carefully).

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM appliance can help mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Apple’s updates are your best solution.

Status:

Apple has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.

Four Office-related Updates Fix Productivity Software Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Visio Viewer 2010, SharePoint Server 2010, OneNote 2010, and Outlook for Mac
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting malicious URLs
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing vulnerabilities in some of their Office-related productivity packages,  including Visio Viewer, SharePoint, OneNote, and Outlook for Mac. We summarize the four security bulletins below, in order of severity:

  • MS13-023: Visio Viewer Code Execution Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from a memory-related code execution vulnerability, having to do with the way it handles specially crafted Visio diagrams. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit this vulnerability to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects the 2010 version of Visio Viewer.

Microsoft rating: Critical

  • MS13-024: Various SharePoint Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They suffer from four different security issues, including a few elevation of privilege flaws, a Cross-Site Scripting vulnerability (XSS), and a Denial of Service (DoS) issue. By either enticing one of your users into clicking a malicious URL, or by inputting a specially crafted URL into a vulnerable SharePoint server, an attacker could exploit the worst of these flaws to gain elevated access to your SharePoint server, allowing him to view or change the documents your user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Critical.

  • MS13-025: OneNote 2010 Information Disclosure Flaw

Microsoft OneNote is a digital notebook that provides you a place to easily take notes on your digital device. It ships with most recent versions of Office. OneNote suffers from an information disclosure flaw. If an attacker can entice one of your users into downloading and opening a maliciously crafted OneNote (.ONE) file, she can leverage this flaw to read arbitrary data from your computer’s memory. Depending on what you are doing on your computer at the time, this flaw could allow the attacker to gain access to some of your sensitive information, including usernames and passwords. The issue only affects the 2010 version of OneNote.

Microsoft rating: Important

  • MS13-026: Outlook for Mac Information Disclosure Flaw

Outlook for Mac (the Apple OS X version of Microsoft’s email client) suffers from a relatively minor information disclosure vulnerability having to do with how it previews certain HTML email messages. If an attacker can lure you into opening a specially crafted HTML email, they can verify your email address is accurate and confirm you previewed the message. At best, this vulnerability may help attackers enumerate valid email addresses for later use in their spam and phishing attacks. However, it does not give attackers any further access to your email messages or computer. For that reason, we believe it poses a fairly low risk.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these vulnerabilities using diverse methods. Though you can configure WatchGuard appliances to block some of the Office documents related to a few of these attacks, and you can leverage our security services to mitigate the risk of malware delivered via these attacks, we cannot protect you against all of them; especially the local ones. We recommend you apply Microsoft’s patches to best protect your network.

That said, our IPS signature team has developed new signatures that can detect and block some of the SharePoint attacks:

  • WEB Microsoft SharePoint Server Callback Function Vulnerability (CVE-2013-0080)
  • WEB Microsoft SharePoint XSS Vulnerability (CVE-2013-0083)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -1 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -2 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -3 (CVE-2013-0084)

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Apple and Facebook Breaches Result in Multi-Platform Java Updates

If you’re still using Java, you need to patch it yet again—even if you’re using a Mac.

Over the last few days both Facebook and Apple have reported network breaches. In both cases, employees at those companies visited a particular web site that was infected with a zero day Java exploit, which then infected the victims with malware. Though Facebook and Apple admit that they found malware on their systems, both claim that there is no evidence suggesting the attackers stole any sensitive customer data.

With all the zero day Java vulnerabilities we’ve reported recently, this probably doesn’t come as a huge surprise. Attackers are obviously targeting this popular web plugin. Yet, this incident is a very significant admission from Apple. Not only does it prove what security professionals have been arguing for years—that Macs aren’t immune from malware—but it demonstrates that even large enterprises, like Apple are suffering from cyber attacks.

Attack disclosures aside, both Oracle and Apple have released Java security updates as a result of these attacks. Despite just releasing an earlier Java update this month, Oracle released yet another emergency update on February 19th, fixing five more security vulnerabilities in Java. If you use Java on Windows, Linux, or Solaris computers, you should go get that update immediately. Apple also released their own Java update for OS X today. If you’re a Mac user,  you should also install either Java for OS X 2013-001 or Mac OS X v10.6 Update 13 immediately.

After repeated cases of zero day exploits over the past fews months, you’ve probably discerned that Java is very dangerous right now. Apparently, it is rife with security holes and there is no doubt that attackers have focused their efforts on finding them before Oracle does. I’ve said this before, but if there is any way you can live without Java on your computer, you should remove it. Frankly, this advice is easier said than done. Unfortunately, many business applications (even some security ones) rely on Java to function. These applications may prevent you from removing Java immediately. That said, with the current prevalence of Java attacks, perhaps it’s time to re-evaluate any applications that forces Java upon you.— Corey Nachreiner, CISSP (@SecAdept)

Nasty RTFs Nudge Word Into Submission

Severity: High

Summary:

  • These vulnerabilities affect: Word (and Office) 2003 through 2010 for Windows (and related components)
  • How an attacker exploits it: By enticing one of your users to open a malicious RTF document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft’s Word update as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing a serious security vulnerability in the Windows version of Word — part of Microsoft Office package. The flaw doesn’t affect the Mac versions, but does affect the Word viewer and Office Compatibility Packs.

The vulnerability stems from an unspecified memory corruption fkaw having to do with how Word handles rich text format (RTF) documents. If an attacker can entice one of your users into downloading and opening a maliciously crafted RTF document, he can exploit the flaw to execute code on that user’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path

Microsoft has released Word and Office updates to correct these vulnerabilities. If you use Office or Word, download, test, and deploy the appropriate updates as quickly as possible, or let Windows Update do it for you.

You’ll find links to these updates in the “Affected and Non-Affected Software” section for of Microsoft’s Word bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a signature, which detects and blocks this Word RTF vulnerability:

  • EXPLOIT Microsoft Word RTF listoverridecount Remote Code Execution Vulnerability (CVE-2012-2539)

Your appliance should get this new IPS update shortly.

You can also configure WatchGuard devices to block RTF documents. However, this will block all RTFs, whether legitimate or malicious. If you decide you want to block them, the links below contain instructions that will help you configure proxy’s content blocking features for your device:

Status:

Microsoft has released Word updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Four Critical Spreadsheet Handling Flaws in Excel

Severity: Medium

Summary:

  • These vulnerabilities affect: Excel (and Office) 2003 through 2010 for Mac and PC (and related components)
  • How an attacker exploits it: By enticing one of your users to open a malicious Excel document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft’s Excel updates as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing four vulnerabilities found in Excel — part of Microsoft Office for Windows and Mac. The flaws also affect the Excel viewer and Office Compatibility Package.

Though the four vulnerabilities differ technically, they are all memory corruption issues which share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Excel document, he can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path

Microsoft has released Excel and Office updates to correct these vulnerabilities. If you use Office or Excel on a PC or Mac, download, test, and deploy the appropriate updates as quickly as possible, or let Windows Update do it for you.

You’ll find links to these updates in the “Affected and Non-Affected Software” section for of Microsoft’s Excel security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed four signatures, which can detect and block these new Excel file handling vulnerabilities:

  • EXPLOIT Microsoft Excel SST Invalid Length Use After Free Vulnerability (CVE-2012-1887)
  • EXPLOIT Microsoft Excel Memory Corruption Vulnerability (CVE-2012-1886)
  • EXPLOIT Microsoft Excel SerAuxErrBar Heap Overflow Vulnerability (CVE-2012-1885)
  • EXPLOIT Microsoft Excel Stack Overflow Vulnerability (CVE-2012-2543)

Your appliance should get this new IPS update shortly.

You can also configure certain WatchGuard devices to block Microsoft Excel documents. However, this will block all Excel documents, whether legitimate or malicious. If you decide you want to block Excel files, the links below contain instructions that will help you configure proxy’s content blocking features for your device:

Status:

Microsoft has released Excel updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Apple Posts Security Updates for OS X, iOS, and Safari

Severity: High

Summary:

  • These vulnerabilities affect: Apple OS X 10.6.x-10.8.x, Safari 6.0 and below, and iOS 5.1.1 and below.
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files, or visiting malicious websites
  • Impact: Various results; in the worst case, an attacker can execute code with your privileges, and leverage other flaws to elevate to root
  • What to do: Install the appropriate OS X, Safari, and iOS update as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Yesterday, Apple released three security updates to fix many vulnerabilities in OS X, iOS, and Safari (Mac version only). Like the iTunes patch from last week, these updates fix an unusually large number of vulnerabilities. For instance, the iOS update fixes around 197 flaws, many of them affecting the Webkit component.  If you use Mac computers, or iOS devices, you should apply these significant updates quickly. I quickly summarize Apple’s three alerts below:

If you paid attention to Apple’s iPhone 5 announcement last week, you may also have been excited about iOS 6, which they posted yesterday. If iOS 6′s new features weren’t enough to sell you on the new firmware, Apple’s iOS 6 security alert should close the deal. According to Apple’s alert, iOS 6 fixes around 197 security vulnerabilities. The flaws differ widely, but attackers can exploit the worst of them to execute arbitrary code on your iOS devices. The attacker only has to lure you to a site containing malicious content, or entice you to interact which some sort of file (whether it be an image, movie, or config file). If you have an iPhone, iPod, or iPad, you should update it to iOS 6 as quickly as possible. See Apple’s security update if you want more details on the individual flaws, including their CVE numbers.
WatchGuard rating: Critical

Apple also released a huge OS X security update to fix vulnerabilities in all current versions of OS X. The almost 700MB patch fixes about 35 (number based on CVE-IDs) security issues in many components that ship as part of OS X or OS X Server, including QuickTime, the Kernel, and BIND. Again, the flaws differ in scope and impact, but the worst allow attackers to execute code with your privileges simply by enticing you into viewing malicious file or web content. Furthermore, some of the Kernel flaws allow attackers to elevate their privilege, gaining complete control of your computer. If you use a Mac, you should install the update as quickly as you can. See Apple’s alert for more detail on each flaw.
WatchGuard rating: Critical

Finally, Apple also released an update to fix about 60 security flaws in Safari for Mac (Apple seems to have discontinued supporting Safari for Windows). Many of these flaws are the same Webkit component issues that Apple recently patched in iTunes. Like those flaw, by enticing you to a web site containing malicious code, attackers can execute code with your privileges. Many of the vulnerabilities are ideal for drive-by download attacks. Again, if you have a Mac, I recommend you patch Safari, even if you don’t use it as your primary browser.
WatchGuard rating: Critical

Solution Path:

Apple has released update for all these products. If you use Mac computers, or iOS devices, you should download and install the updates as soon as you can, or let Apple’s Software Updater do it for you. That said, the OS X update is rather large, and will require a reboot, so plan that update accordingly.  Personally, I have had few issues with Apple’s Automatic Updater. I recommend you use the Automatic Updater to download and remind you of patches regularly, at least on your client machines (you may need to plan your OS X server updates more carefully).

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM appliance can help mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Apple’s updates are your best solution.

Status:

Apple has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.

WatchGuard Security Week in Review: Episode 18

AusCERT 2012, QuickTime Updates, and a New Zeus Variant

This week’s “on the road” edition of WatchGuard Security Week in Review comes to you from the sunny Gold Coast of Australia, where I’ve spent the week learning about the latest mobile attacks, cloud threats, and SCADA security issues with the vibrant Australian security community. In this week’s video podcast, I quickly summarize a few of the presentations I saw at AusCERT this year.

Of course, normal security news continued marching along despite my little jaunt to the land down under. So I also cover this week’s important software updates, some new malware variants, and a potentially catastrophic antivirus update mistake. If you’re ready to catch up on the week’s most interesting security stories, check out the video below.

If you’d like to read the original sources for many of these stories, be sure to check out the Reference section. Also, make sure to post any feedback or questions in the comments section below, and share this podcast with your friends if you like it. Cheers!

(Episode Runtime: 5:35)

Direct YouTube Link: http://www.youtube.com/watch?v=KI9astTaRjU

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 17

Twitter Hacks, Gas Pipeline Cyber Attacks, and FBI Wiretaps

Though the primary theme for this week was, “patch, patch, patch,” I saw many other interesting, non-update related security stories in the news as well. This week’s vlog packs all those stories into a brisk eight and a half minutes. Topics include:

  • Highlights on Microsoft, Adobe, and Apple security updates
  • FBI lobbying for online wiretaps
  • Warnings of Gas Pipeline Cyber Attacks
  • Some new Geo-aware malware
  • A seemingly big Twitter breach
  • Some hacker arrests

For details on all these stories, and a few security tips along the way, check out the latest WatchGuard Security Week in Review video below.

As always, if you don’t have time for a video but want to check out individual stories later, you can find links to all the issues I cover in the “Reference” section at the end of this post. You can also let us know what you think about this video series in the comments section.

Finally, I’m attending AusCERT next week; a security conference in Australia. Though I plan to release an episode next week, I will either post it significantly earlier or later than normal, due to the time zone difference. So keep your eyes peeled for next week’s episode, but don’t expect it at the regular time.

(Episode Runtime: 8:31)

Direct YouTube Link: http://www.youtube.com/watch?v=guqTuUatEwc

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 16

Lots of New Malware, Microsoft Patch Day, and Oracle Updates

This week’s security summary podcast includes information about Microsoft’s upcoming Patch Day, stories about three interesting new malware variants, and updates to a few stories from previous episodes. Watch the video below for the details.

If you’d prefer to read, see the “Reference” section for links to all these security stories. I’ve seen a few late-breaking stories since I shot this week’s video, so be sure to check out those updates below. Also, don’t forget to share your thoughts or feedback in the comments section. (Episode Runtime: 8:37)

Direct YouTube Link: http://www.youtube.com/watch?v=guqTuUatEwc

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 15

Major US Cyber Legislation, VMware Source Code Leak, and Hotmail Hacks

This week’s security news round-up video is full of scary Cyber legislation, major network and organization breaches, and a couple of important security updates. If you’re too busy to follow the barrage of security news every day, let WatchGuard’s Security Week in review video summarize it for you.

Would you rather read? No problem. You’ll find links to all these stories in the reference section.

By the way, this week’s stories continued to develop as I produced this episode. Unfortunately, I had to sneak in a quick video update about the CISPA bill during production. I won’t give it all away, but I can say CISPA is one step closer to reality. Watch below for details. (Episode Runtime: 6:54)

Direct YouTube Link: http://www.youtube.com/watch?v=euZUKfEvZvY

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Follow

Get every new post delivered to your Inbox.

Join 7,380 other followers

%d bloggers like this: