Tag Archives: Metasploit

Install IE FixIT to Avoid Zero Day Attack

Summary:

  • This vulnerability affects: Probably all current versions of Internet Explorer (IE), but the targeted exploit only affects IE 8 and 9
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: In the worst case, an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Apply Microsoft’s IE FixIt, or consider the other workarounds below

Exposure:

Today, Microsoft released a critical out-of-cycle security advisory warning customers of a serious new zero day vulnerability affecting Internet Explorer (IE), which attackers are currently exploiting in the wild. The flaw likely affects all current versions of IE (6-11), but Microsoft claims the targeted attack only goes after IE 8 and 9 users.

The early advisory doesn’t describe the vulnerability in much technical detail, but what it does describe sounds very much like a “use after free” vulnerability involving the way IE handles certain HTML objects. Regardless of the technical details, the scope and impact are the same. If an attacker can lure you to a web site containing malicious code (including a legitimate web site which may have been hijacked and booby-trapped), he could exploit this vulnerability to execute code on your computer, with your privileges. As always, if you have local administrator privileges, the attacker could exploit this issue to gain complete control of your computer.

A remote code execution vulnerability is bad enough in theory, but knowing attackers found this one first, and are already exploiting it in the wild makes this flaw a pretty critical issue. The good news is Microsoft has released a FixIt to mitigate the risk of this flaw. We highly recommend you apply that FixIt, and also consider the other protective workarounds mentioned below.

Solution Path:

Since this vulnerability was first discovered in the wild, Microsoft has not yet had time to release a patch. However, they have released a FixIt workaround to temporarily mitigate the attack. If you use IE, I recommend you apply the FixIt immediately.

It’s important to note FixIts are temporary workarounds. They don’t replace full patches. We expect Microsoft to release a full patch for this flaw in the future, perhaps even in an out-of-cycle IE bulletin this month.

Finally, though the FixIt prevents attackers from exploiting this issue, we also offer a few other workarounds below. Some of these tips can help mitigate many web-based, memory-related vulnerabilities, so you might consider making them your regular practice:

  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue, so you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMET – EMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. EMET is a fairly complex tool, so I only recommend it to more advanced administrators. Nonetheless, installing it could help protect your computer from many types of memory corruption flaws, including this one.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers running IE in Enhanced Security Configuration mode (the default on server editions) mitigate this attack, since that mode disables script and other active content for untrusted sites.
  • Make sure your AV and IPS are up to date – While not all IPS and AV systems have signatures for this attack yet, they will in the coming days. Be sure to keep your AV and IPS systems updating regularly, to get the latest protections.

For All WatchGuard Users:

Our IPS signature team belongs to the Microsoft Active Protections Program (MAPP). According to their advisory, Microsoft is sharing information about this attack with MAPP partners now. Due to this partnership, we’ll likely have a signature for this attack shortly. Regardless, we still highly recommend you apply Microsoft’s FixIt to protect your users.

Status:

Microsoft has released a FixIt to mitigate the issue. They plan on releasing a full patch in the future.

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

WatchGuard Security Week in Review: Episode 64 – AusCERT 2013

AusCERT, Aurora Updates, and FPS Hacks

Do you know the latest information security (infosec) buzz? If not, you’ve found the right weekly vlog. Every Friday we post a short video sharing the latest network and information security highlights for your consideration. Today’s episode comes to you from the beautiful Australian Gold Coast, which is why I’ve had to post it a bit late due to travel.

In this episode I share a few highlights from the AusCERT security conference, update you on the old Google Aurora attack, warn about new vulnerabilities affecting many FPS engines, and much more. If you want to stay abreast of the latest network security news, in eight minutes or less, watch the video below.

As always, you can find more detail about the stories from this week’s episode in the Reference section, as well as a few extras.

(Episode Runtime: 7:41)

Direct YouTube Link: http://www.youtube.com/watch?v=JLbzY_i8TIc

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 63 – Patch Bonanza

Zero Day Patches, Nasty New Malware, and Jailed Hackers

Ready for a dose of InfoSec news? Your weekly security highlights reel is spooled up and ready to go.

This week was all about software updates. Not only did Microsoft and Adobe’s monthly Patch Day bring us patches for critical zero day vulnerabilities, but we saw security updates for Firefox and iTunes as well. In today’s video, I talk about all those updates, as well as two new interesting malware variants, and the sentencing and jailing of a team of well-known hackers. View the video for all the details.

A quick note… Next week I’ll be attending the AusCERT security conference in Australia. Though I still expect to bring you a weekly video, I may post it earlier or later than normal due to travel and the time zone differences. Keep safe out there and see you next week.

(Episode Runtime: 7:17)

Direct YouTube Link: http://www.youtube.com/watch?v=gjAx6PdFY0k

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 62 – Major Cyber Heist

The Onion Hack, IE8 0day, and ATM Cyber Heist

Are you an over-worked IT administrator with no time to learn about the latest internet threats? Do you want to keep your network safe, but don’t know what the bad guys are up to? If that’s you, then our weekly information security highlights video is just the thing for you. For just three easy payments of… well, nothing… you can have all that and more!

Today’s episode covers Syrian cyber attackers hijacking The Onion’s twitter feed, a serious zero day vulnerability affecting Internet Explorer 8 (IE8), a major cyber bank heist, and more. For all the details, and some tips to protect yourself, watch the video below or check out the stories in the Reference section.

Have a great weekend.

(Episode Runtime: 7:46)

Direct YouTube Link: http://www.youtube.com/watch?v=hdN9YMjKTXM

— Corey Nachreiner, CISSP (@SecAdept)

H.D. Moore Unveils Major UPnP Security Vulnerabilities

This week, H.D. Moore, the creator of Metasploit, and now CSO of Rapid7, released a detailed report unveiling his team’s months-long research into the security of the Universal Plug and Play (UPnP) protocol.

If you haven’t heard of it, Universal Plug and Play (UPnP) is a set of networking protocols intended to allow network devices to automatically find one another and then communicate and share data. The protocol was designed primarily for consumers, with the intention of making it easier for non-techie people to connect network products at home. Many network devices including home routers, media servers, game consoles, and printers leverage UPnP, and most operating systems enable it by default. In Moore’s own words, it is pervasive.

Moore’s report highlights just how exposed UPnP devices are on the Internet. For over five months, the Rapid7 researchers scanned the IPv4 address space, looking for devices that responded to UPnP discovery queries (SSDP, on UDP port 1900). To their surprise, they found over 81 million devices (2.2% of the IPv4 addresses) that responded to their queries. They also learned that the majority of these devices use four common UPnP development kits, and that many of these development kits suffer from a variety of critical software vulnerabilities.

One of the worst software vulnerabilities they found lies in the Portable UPnP SDK development kit. This UPnP framework suffers from a serious remote code execution vulnerability that an attacker can exploit with a single, spoofed UDP packet. Moore’s team found 23 million devices exposed to this particular flaw alone.

So what should you do to protect yourself from these potential UPnP issues?

Well, if you work for a business or large organization, there’s some good news. These issues probably don’t affect your organization on the same level as they affect consumers. Business or enterprise class routers and network gear don’t enable UPnP services as often as consumer equipment does. It’s unlikely that your company’s router enables UPnP on its external interface. Furthermore, if you have an enterprise class firewall or security appliance, like any of WatchGuard’s XTM appliances, it will block the UPnP port (UDP 1900) by default. Unless you’ve specifically created a policy to allow UPnP traffic, you’re protected from these sorts of UPnP scans and attacks. Of course, even businesses may have UPnP-enabled devices on their internal networks. Even if you are protected from external attacks, you may still want to consider updating or disabling your internal UPnP devices, if you don’t actually use the UPnP features.

Consumers, on the other hand, will need to do more to protect themselves. Unlike enterprise equipment, consumer devices often enable UPnP. In fact, consumer routers, including ones your ISP may have provided, sometimes enable UPnP on the WAN interface. The first thing you need to do at home is find out whether your Internet router has UPnP enabled on its external interface, and then disable it. You may also need to upgrade the router’s firmware to get the latest UPnP components to fix the vulnerabilities Moore’s report describes.

Consumers should also scan their network to try and find all the devices that use UPnP. Rapid7 has provided a free tool called ScanNow UPnP to help with this task. Once you find all your UPnP devices, you should decide whether or not you are really using the UPnP services. If not, disable it. If you are using UPnP, then you may need to update the associated device’s software or firmware. However, this issue unfortunately affects thousands of devices, and some are outdated devices that may never receive future updates. It may take a while for all the affected vendors to provide the updated software.
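As an added example (this is not Rapid7’s ScanNow UPnP tool and not WatchGuard code), the Python below does on a single LAN what the Rapid7 scan did across IPv4 and what the paragraph above asks you to do at home: it sends the SSDP M-SEARCH query on UDP port 1900, parses the HTTP-style replies, and flags any responder whose SERVER header reports the Portable SDK for UPnP devices (libupnp) at a version below the fixed release. The 1.6.18 threshold is taken from Rapid7’s report rather than from this post, so treat it as an assumption to verify there; the sample replies embedded in the block are constructed, not captured from real devices, so the triage logic can be run offline.

```python
"""SSDP (UPnP discovery, UDP/1900) probe with offline triage of the replies.

Added example for this post, not Rapid7 or WatchGuard code. Assumption:
libupnp 1.6.18 is the release Rapid7's report cites as fixed.
"""
import re
import socket
from typing import Dict, List, Optional, Tuple

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
LIBUPNP_FIXED: Tuple[int, int, int] = (1, 6, 18)  # assumption, see docstring
LIBUPNP_RE = re.compile(r"Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)", re.I)


def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build the multicast M-SEARCH datagram a UPnP control point sends."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse one SSDP reply into a dict of lowercase header names.

    Returns None for anything that is not an 'HTTP/1.1 200' reply, so stray
    multicast NOTIFY traffic arriving on the same socket is ignored.
    """
    text = raw.decode("latin-1", errors="replace")
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def triage(headers: Dict[str, str]) -> str:
    """Classify a responder from the SDK version advertised in SERVER."""
    match = LIBUPNP_RE.search(headers.get("server", ""))
    if match is None:
        return "exposed: UPnP responder, SDK not identified (check firmware)"
    version = tuple(int(x) for x in match.groups())
    label = ".".join(map(str, version))
    fixed_label = ".".join(map(str, LIBUPNP_FIXED))
    if version < LIBUPNP_FIXED:
        return f"vulnerable: libupnp {label} predates {fixed_label}"
    return f"ok: libupnp {label} at or above fixed release"


def discover(timeout: float = 3.0, iface_ip: str = "0.0.0.0") -> List[Dict[str, str]]:
    """Multicast one M-SEARCH to the local segment and collect the replies (needs a LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.bind((iface_ip, 0))
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    found: List[Dict[str, str]] = []
    try:
        while True:
            data, addr = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers is not None:
                headers["_from"] = addr[0]
                found.append(headers)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample replies (not captured from real devices) for offline runs.
SAMPLE_REPLIES = [
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6.30, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"ST: upnp:rootdevice\r\nUSN: uuid:00000000-0000-0000-0000-000000000001\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.11:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/3.4, UPnP/1.0, Portable SDK for UPnP devices/1.6.18\r\n"
    b"ST: upnp:rootdevice\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.12:5000/rootDesc.xml\r\n"
    b"SERVER: Custom/1.0 UPnP/1.0 Proc/Ver\r\nST: upnp:rootdevice\r\n\r\n",
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n\r\n",
]


def triage_samples() -> List[str]:
    """Parse and triage the constructed replies; the NOTIFY is dropped by the parser."""
    results: List[str] = []
    for raw in SAMPLE_REPLIES:
        headers = parse_ssdp_response(raw)
        if headers is not None:
            results.append(triage(headers))
    return results


if __name__ == "__main__":
    for verdict in triage_samples():
        print(verdict)
    # On a real LAN you are authorized to scan:
    # for h in discover(): print(h.get("_from"), triage(h))
```

The M-SEARCH is multicast, so `discover()` only finds UPnP devices on the segment you run it from; it does not tell you whether your router also answers on its WAN interface, which is the exposure Rapid7 measured. For that, probe the router’s public address from outside your network, and only scan networks you are authorized to scan. A responder that is not libupnp is not therefore safe: the report covers other SDKs, so treat any unexpected responder as something to update or disable.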

UPnP is a perfect example of how convenience and security don’t always mix. The protocol was created to make it easier for devices to connect, but unfortunately easy often translates to insecure. In this case, UPnP made it too easy for users to accidentally expose a critical network service to the public.

For more technical details on these UPnP issues and how to fix them, I highly recommend you read Rapid7’s report [PDF]. In the meantime, if you don’t specifically use UPnP, turn it off. — Corey Nachreiner, CISSP (@SecAdept)

Final IE 0day Update: Microsoft Out-of-Cycle Patch Available

If you’ve read my two posts [ 1 / 2 ], and watched this week’s video, you already know all about the zero day vulnerability plaguing Internet Explorer (IE) this week. In my last update, I mentioned Microsoft promised to release a full, out-of-cycle patch for this serious vulnerability today. True to their word, they did just that.

Since you know all about this flaw already, I won’t bore you with the details again. However, I highly recommend you go download, test, and install this update immediately. The patch is your best protection against the attacks in the wild.  — Corey Nachreiner, CISSP (@SecAdept)

IE 0day Update: Microsoft Releases a FixIt Patch

A few days ago, I posted an alert about a zero day Internet Explorer (IE) vulnerability that attackers were exploiting in the wild. By luring you to a web site containing malicious code, a remote attacker can exploit this flaw to execute code on your computer, with your privileges. To most Windows users, this means the attacker gains complete control of your computer.

Today, Microsoft released a FixIt workaround to temporarily mitigate this attack. If you use IE, I recommend you apply this FixIt immediately. It’s important to note, the FixIt doesn’t replace a full patch. Microsoft says they plan on releasing a more complete patch for this flaw on Friday. You’ll still want to apply that too, once it comes out. In the meantime, however, this FixIt offers the best protection to IE users.

For your convenience, I’ve included the original IE alert below. Be sure to check with Microsoft on Friday, for their full patch. Though I plan on alerting you when Microsoft posts their update, I will be on international flights on Friday, and may not be able to post the update till later. — Corey Nachreiner, CISSP (@SecAdept)


Attackers Exploit Serious Zero Day Internet Explorer Vulnerability

Yesterday, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability in Internet Explorer (IE), which attackers are exploiting in the wild.

According to a blog post, a security researcher named Eric Romang first discovered the zero day IE exploit as he was poking around a web server hijacked by the Nitro gang. Romang found four malicious files (.html x2, .swf, .exe) on the server, which acted together to infect his fully patched Windows XP machine.

Shortly after Romang’s release, Microsoft posted their security advisory confirming the previously undiscovered flaw in IE. The advisory warns that the flaw affects IE 7, 8, and 9, but not 10. Though Microsoft is still researching the issue, the vulnerability seems to be a “use after free” class of memory corruption vulnerability. In short, if an attacker can entice you to a web page containing maliciously crafted content, he could exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker would gain full control of your machine.

Zero day IE vulnerabilities are relatively rare, and very dangerous. Attackers are already exploiting this one in the wild, so it poses a significant risk. Furthermore, researchers have already added an exploit for this issue to the popular Metasploit framework, making it even easier for novices to leverage.

Unfortunately, Microsoft just learned of this flaw, so they haven’t had time to patch it yet. I suspect Microsoft may release an out-of-cycle patch for this flaw, but in the meantime here a few workarounds to help mitigate the issue:

  • Use IE 10 – IE 10 is not vulnerable to this issue. However, IE 10 is still only a preview build, and the latest versions only run on Windows 8 and Server 2012. So this workaround may not help everyone.
  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue, so you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMET – EMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. EMET is a fairly complex tool, so I only recommend it to more advanced administrators. Nonetheless, installing it could help protect your computer from many types of memory corruption flaws, including this one.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers running IE in Enhanced Security Configuration mode (the default on server editions) mitigate this attack, since that mode disables script and other active content for untrusted sites.
  • Make sure your AV and IPS are up to date – While not all IPS and AV systems have signatures for this attack yet, they will in the coming days. In fact, if you use an XTM appliance with the IPS service, we can already detect and block the Metasploit variant of this attack. Whatever you use, be sure to keep your AV and IPS systems updating regularly, to get the latest protections.

I’ll continue to follow this issue as it evolves, and will post here as soon as Microsoft releases a patch.

As an aside, I apologize for the slight delay to this post. Unfortunately, I was on an international flight when this news first broke. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 2

Railway Hacks, VideoConferencing Espionage, and Security Professionals Gone Bad

Another week, another WatchGuard Security Week in Review. While this week wasn’t quite as action packed as last, there are plenty of security stories to cover in this episode. I summarize them in the brisk video below (runtime: 6:03 minutes).

If you prefer text to moving pictures, you can also find quick descriptions of these stories, as well as reference links, underneath the video. Let us know what you think in the comments.

— Corey Nachreiner, CISSP (@SecAdept)
