Tag Archives: microsoft

July Patch Avalanche – Daily Security Byte EP.114

This Patch Tuesday, Adobe and Oracle shared the spotlight with Microsoft, releasing updates for well over 200 vulnerabilities. Furthermore, the patches included fixes for flaws leaked during The Hacking Team fiasco. Watch today’s video for details, and be sure to update as soon as you can.

Show Note: Due to continued travel, there will likely be no video on Thursday, though I will return with one on Friday. I’ll probably skip the weekly video this time due to the light week.

(Episode Runtime: 2:21)

Direct YouTube Link: https://www.youtube.com/watch?v=aoLhMVu4zzI

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Posts Critical Patches – Daily Security Byte EP.95

It happens every month… Microsoft released their June patches on Tuesday, fixing 45 vulnerabilities in a range of popular products. If you manage a Windows network, you should watch this video to get the Patch Day highlights, and to learn which products to update first. As an aside, I recorded this video Wednesday, but was not able to edit and post it until today due to travel.

 

(Episode Runtime: 2:07)

Direct YouTube Link: https://www.youtube.com/watch?v=1dUGG1eP3A8

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

US Federal Sites Use HTTPS – Daily Security Byte EP.94

HTTPS usage has skyrocketed over the last few years, largely due to the “Snowden effect.” Today, the US government mandated that federal web sites must use HTTPS. Ultimately, this is a good thing. However, malicious actors can hide in HTTPS too. Watch today’s video to learn what you should do to secure HTTPS.

 

(Episode Runtime: 2:48)

Direct YouTube Link: https://www.youtube.com/watch?v=sceDGVyyQXw

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

VM Venom, MS Patches, & GTA V Malware – WSWiR Episode 152

Last week was full of a wide range of information security news; from the latest critical Microsoft updates, to a new virtualization system vulnerability, and finishing off with malware targeting a popular video game. If you find yourself falling behind with the latest security intelligence, you’re not alone. Don’t worry though, we’re here to pick up the slack.

Press play below to hear the highlights from last week, and subscribe to our YouTube Channel to get regular updates. If you’re hungry for more security news, also check out our References section for links to other stories.

(Episode Runtime: 8:37)

Direct YouTube Link: https://www.youtube.com/watch?v=sLIL0Yxnkn8

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day is NOT Dead Yet – Daily Security Byte EP.81

Though Microsoft announced they plan to kill off Patch Day for Windows 10, it’s still alive and kicking in May. Today’s video shares the Patch Day highlights and recommends which updates you should prioritize.

 

(Episode Runtime: 1:50)

Direct YouTube Link: https://www.youtube.com/watch?v=h9TyHbitbeM

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

May Day! Microsoft’s Patch Day is Not Dead… Yet

Despite Microsoft’s recent Ignite Conference announcement—that they’d no longer follow a monthly patch cycle for Windows 10—Patch Tuesday is in full effect for May. Today, Microsoft released 13 security bulletins, including three Critical ones. If you’re a Microsoft administrator, you should get to these updates quickly.

By the Numbers:

Today, Microsoft released 13 security bulletins, fixing a total of 48 security vulnerabilities in many of their products. The affected products include:

  • current versions of Windows (and its components),
  • Internet Explorer (IE),
  • Office,
  • SharePoint Server,
  • the .NET Framework,
  • and Silverlight.

They rate three bulletins as Critical and the rest as Important. As an aside, Microsoft’s main summary post contains a wealth of useful information, including their vulnerability exploitability index, which helps you prioritize the updates based on how dangerous each vulnerability is in the real world.

Patch Day Highlights:

Today’s Patch Day highlights revolve around the Critical rated issues. Most organizations will want to apply the IE update first. Not only does it fix 22 vulnerabilities, but they are also ones that attackers can leverage in drive-by download attacks, which are among the most common attacks today.

You should also prioritize the various document related vulnerabilities, since threat actors are increasingly using malicious documents in their spear phishing emails. I recommend you prioritize the Windows Font Driver, Journal, and Office updates as well.

In short, if you apply the updates quickly, in the order Microsoft lists, you’ll do well.

Quick Bulletin Summary:

We summarize the April security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS15-043 – Critical – IE Update Corrects 22 Vulnerabilities – You can normally count on Microsoft releasing a cumulative Internet Explorer (IE) update each month, often fixing many memory corruption vulnerabilities. This month’s IE update fixes a slightly more diverse set of flaws, including some privilege elevation issues, and Address Space Layout Randomization (ASLR) bypass vulnerabilities. However, the memory corruption issues still probably pose the highest risk. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC. The other IE flaws also make it easier for attackers to bypass Windows’ security mechanisms, and even gain more privilege on your system. Combined, these are perfect vulnerabilities for attackers to exploit in drive-by download attacks. I’d make this IE update a top priority.
  • MS15-044 – Critical – Windows Font Driver Code Execution Flaw – The Font Driver Windows uses to display OpenType and TrueType fonts suffers from two security flaws; one worse than the other. In essence, if an attacker can get you to view a document or web page that contains a maliciously crafted font, he can exploit the more critical flaw to execute arbitrary code on your computer with your privileges.
  • MS15-045 – Critical – Six Journal Code Execution Flaws – Journal is the basic word processing or note taking program that ships with Windows. It suffers from six flaws that share the same scope and impact. If an attacker can get you to view a specially crafted Journal document, she can exploit any of these flaws to execute code on your computer, with your privileges.
  • MS15-046 – Important – Two Office Code Execution Flaws – Office suffers from two memory corruption flaws with the same scope and impact. If you open a maliciously crafted Office document, an attacker could exploit either flaw to execute code on your computer.
  • MS15-047 – Important – SharePoint Code Execution Flaw – SharePoint Server suffers from a somewhat unspecified code execution vulnerability having to do with its inability to properly sanitize uploaded page content. If an attacker can upload specially crafted content to your SharePoint Server, they could execute code with the server’s W3WP service account (which has less privilege than the full SYSTEM account).
  • MS15-048 – Important – Two .NET Framework Vulnerabilities – The Windows Task Scheduler suffers from an elevation of privilege flaw. If an attacker can log onto your Windows system with valid credentials (even underprivileged ones), she can run a program that exploits this flaw to gain complete control of the computer.
  • MS15-049 – Important – Silverlight EoP Flaw – Silverlight suffers from an “out of browser” elevation of privilege vulnerability. While most Silverlight applications are supposed to run with limited permissions, attackers could exploit this vulnerability to escape that “privilege sandbox” and run with your user privileges, or higher. However, an attacker would either have to log into your system with valid credentials and run a malicious Silverlight application, or entice you to run such an application yourself.
  • MS15-050 – Important – Local SCM EoP Vulnerability – The Windows Service Control Manager (SCM) suffers from a local privilege escalation vulnerability. By running a specially crafted program, an attacker could leverage this flaw to gain elevated privileges on your Windows systems. However, they’d need valid credentials on your systems to do so, which somewhat limits the severity of this flaw.
  • MS15-051 – Important – Six Kernel-Mode Driver flaws – Windows’ Kernel-Mode driver suffers from six vulnerabilities. The worst is a local elevation of privilege flaw. If a local attacker can run a malicious application, she can exploit this flaw to gain complete control of your Windows computer, regardless of the malicious user’s original privileges. The five remaining flaws are information disclosure issues that could help an attacker learn more about your system, and potentially bypass some of Windows’ security features (like ASLR).
  • MS15-052 – Important – Windows Kernel Security Bypass Flaw – Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Kernel ASLR (KASLR) is essentially the same thing, in regards to kernel memory. The Windows kernel suffers from an information disclosure vulnerability which could help attackers bypass this protection. While it doesn’t allow them to execute code alone, it does make it easier for them to exploit other memory based vulnerabilities.
  • MS15-053 – Important – VBScript and JScript ASLR Bypass Flaws – Windows’ JScript and VBScript components suffer from ASLR bypass flaws similar to the ones above. Again, these flaws don’t allow an attacker to execute code by themselves, but they do make it easier for them to exploit other memory corruption vulnerabilities.
  • MS15-054 – Important – MMC DoS Vulnerability – The Windows Microsoft Management Console (MMC) suffers from a flaw in the way it handles icon information in a .MSC file. If an attacker can lure you into running a maliciously crafted .MSC file, they could cause your system to stop responding.
  • MS15-055 – Important – Schannel Information Disclosure Flaw – Secure Channel (Schannel) is Microsoft’s SSL/TLS implementation. Schannel still allows the use of a weaker cryptographic key length (specifically a 512-byte DHE key), which is susceptible to known attacks. This update increases the minimum key length, making it harder to crack.
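
A defender-side check related to the Schannel item above, as an added example that is not from the original post or from Microsoft: it parses a TLS ServerKeyExchange handshake message carrying ephemeral Diffie-Hellman parameters and reports the prime's true bit length, so short keys stand out in a captured handshake. The 1024-bit floor, the function names and the sample messages are assumptions constructed for illustration.

```python
import struct

SERVER_KEY_EXCHANGE = 12   # TLS handshake message type for ServerKeyExchange
MIN_DH_BITS = 1024         # assumed policy floor, adjust to your own standard


class ParseError(ValueError):
    """Raised when the message is not a well-formed DHE ServerKeyExchange."""


def _read_vec16(buf, off, name):
    """Read one <1..2^16-1> vector: 2-byte big-endian length, then the bytes."""
    if off + 2 > len(buf):
        raise ParseError(f"{name}: missing length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ParseError(f"{name}: bad length {n}")
    return buf[off:off + n], off + n


def parse_dhe_params(msg):
    """Parse handshake header + ServerDHParams (dh_p, dh_g, dh_Ys)."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ParseError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ParseError("truncated handshake body")
    p, off = _read_vec16(body, 0, "dh_p")
    g, off = _read_vec16(body, off, "dh_g")
    ys, off = _read_vec16(body, off, "dh_Ys")
    return {
        "p": int.from_bytes(p, "big"),
        "g": int.from_bytes(g, "big"),
        "ys": int.from_bytes(ys, "big"),
        "sig_len": len(body) - off,   # signature bytes that follow the params
    }


def audit(msg, min_bits=MIN_DH_BITS):
    """Return (prime_bits, findings) for one ServerKeyExchange message."""
    params = parse_dhe_params(msg)
    p, g, ys = params["p"], params["g"], params["ys"]
    # Measure the integer, not the wire length: leading zero bytes add no strength.
    bits = p.bit_length()
    findings = []
    if bits < min_bits:
        findings.append(f"weak-prime:{bits}")
    if g < 2 or g >= p - 1:
        findings.append("bad-generator")
    if not 1 < ys < p - 1:
        findings.append("bad-public-value")
    return bits, findings


def build_ske(p_bytes, g_bytes, ys_bytes, sig=b"\x00" * 8):
    """Build a constructed test message (placeholder signature, not a real one)."""
    def vec(b):
        return struct.pack("!H", len(b)) + b
    body = vec(p_bytes) + vec(g_bytes) + vec(ys_bytes) + sig
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed sample values: correct sizes only, these are NOT real DH primes.
_YS = ((1 << 500) + 12345).to_bytes(63, "big")
_P512 = ((1 << 511) | 1).to_bytes(64, "big")
_P2048 = ((1 << 2047) | 1).to_bytes(256, "big")
WEAK = build_ske(_P512, b"\x02", _YS)
OK = build_ske(_P2048, b"\x02", _YS)
PADDED = build_ske(b"\x00" * 192 + _P512, b"\x02", _YS)  # 256 bytes on the wire

if __name__ == "__main__":
    for label, msg in (("weak", WEAK), ("ok", OK), ("padded", PADDED)):
        print(label, audit(msg))
```

The padded sample shows why the check uses the integer's bit length: a 256-byte field can still carry a short prime.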

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, and try to get to the Important ones as soon as possible.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download May’s full Security Update ISO – Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day.

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1658)
  • FILE Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1675)
  • FILE Microsoft Windows Journal Remote Code Execution Vulnerability
  • FILE Microsoft Office Memory Corruption Vulnerability (CVE-2015-1682)
  • WEB-CLIENT Microsoft Internet Explorer ASLR Bypass (CVE-2015-1685)
  • WEB-CLIENT Microsoft Internet Explorer VBScript and JScript ASLR Bypass (CVE-2015-1686)
  • FILE Microsoft Internet Explorer Elevation of Privilege Vulnerability (CVE-2015-1688)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1689)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1691)
  • WEB-CLIENT Microsoft Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2015-1692)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1705)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1706)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1708)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1718)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1717)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1714)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1712)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1711)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1710)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1709)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

As an aside, Microsoft also released two new security advisories today. If you are interested in how Microsoft is improving their cipher suite priority and Flash security, be sure to check their advisory page for those new updates. — Corey Nachreiner, CISSP (@SecAdept)

 

Evasive Malware & No More Patch Day – WSWiR Episode 151

In one short week there have been two new variants of evasive malware, a zero day flaw in a popular blogging framework, some proof-of-concept GPU malware, and a major change to the biggest OS vendor’s patching cycle. How is one poor IT guy to keep up with this ever-changing Information Security (InfoSec) news? Don’t worry. We got you covered in our weekly InfoSec news round up!

Last week’s episode details that evasive malware and how WatchGuard helps, informs you of the important changes in Microsoft Patch Day, and warns you about the latest Lenovo security flaws. Watch the video for all the details, and check out the Reference section if you’re curious what else happened last week.

As an aside, I’m experimenting with the timing of this weekly blog post. While I will continue to post the weekly video on Friday, I will schedule this blog post the Monday after. If you’d rather see the video on Friday, be sure to subscribe to the YouTube channel.

(Episode Runtime: 14:03)

Direct YouTube Link: https://www.youtube.com/watch?v=hGEPKUqR1mU

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Bye Bye Patch Day – Daily Security Byte EP.77

In October 2003, almost twelve years ago, Microsoft launched their monthly Patch Day. This week, at their Ignite Conference, they announced that they plan to stop doing monthly patches with Windows 10. If you’re a Microsoft administrator, watch our vlog to learn what this means to you.

 

(Episode Runtime: 2:26)

Direct YouTube Link: https://youtu.be/I1fOZeyFYI0

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Patches, Patches Everywhere – Daily Security Byte EP.66

I thought I’d only have to cover Microsoft Patch Day today, but Adobe, Oracle, and Google also came along for the ride. Patching is one of the easiest and most practical ways you can improve your network’s security. Watch today’s video to learn of all the products you should update.

 

(Episode Runtime: 2:18)

Direct YouTube Link: https://www.youtube.com/watch?v=8mWnk6OKDl0

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Rains April Patch Showers

While not quite as bad as last month’s 14 security bulletins, April’s Patch Day is bursting with updates. According to their summary, Microsoft released 11 security bulletins, some fixing serious issues. Windows administrators should put their heads down, dive in, and get patching.

By the Numbers:

Today, Microsoft released 11 security bulletins, fixing a total of 26 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • SharePoint Server,
  • the .NET Framework,
  • XML Core Services,
  • and Hyper-V.

They rate four bulletins as Critical and the rest as Important.

Patch Day Highlights:

In my opinion, the HTTP.sys vulnerability is the biggest deal this month. While it doesn’t say so directly, this flaw affects all Microsoft’s IIS web servers. Simply by sending a specially crafted web request, an attacker can take over your web server. I would patch all your public Windows-based IIS servers immediately. WatchGuard’s IPS service has a signature for this attack, which should help mitigate its risk until then.

Besides that, you should also apply all of Microsoft’s Critical updates as quickly as you can. The Internet Explorer vulnerabilities also pose a high risk since attackers can use them in drive-by download attacks, which are quite popular today.

Quick Bulletin Summary:

We summarize the April security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS15-032 – Critical – IE Memory Corruptions Flaws – You can pretty much count on Microsoft releasing a cumulative Internet Explorer (IE) update that fixes a bunch of memory corruption flaws every month, and this month is no different. These are the types of flaws remote attackers use to execute code, and that are typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC. As an aside, the update also fixes an Address Space Layout Randomization (ASLR) bypass flaw that makes it easier for bad guys to exploit memory corruption issues.
  • MS15-033 – Critical – Multiple Office Flaws – Office, and the components that ship with it (such as Word, Excel, etc.), suffer from five vulnerabilities. The worst are four memory-related code execution flaws that black hats can exploit by luring you into opening malicious office documents. If you open such a document, the attacker can execute code on your computer, with your privileges. Finally, the Mac version of Outlook also suffers from a cross-site scripting (XSS) vulnerability.
  • MS15-034 – Critical – Windows HTTP Stack Code Execution – HTTP.sys is Windows’ HTTP stack; the component it uses to process HTTP protocol requests. It suffers from an unspecified remote code execution vulnerability. By sending a specially crafted HTTP request, an attacker could exploit this flaw to gain complete control of your computer (code executes with SYSTEM privileges). However, you must be running some web service that uses HTTP.sys (such as IIS) to be vulnerable to the flaw. This is a serious flaw that affects IIS servers.
  • MS15-035 – Critical – EMF Image Code Execution Flaw – The graphics component Windows uses to handle images suffers from a flaw involving the way it parses Enhanced MetaFile (EMF) images. In short, if a bad guy can get you to view such an image—whether on a web site, in an email, and so forth—he can exploit this flaw to run code on your computer with your privileges.
  • MS15-036 – Critical – SharePoint Server XSS flaws – SharePoint suffers from two cross-site scripting vulnerabilities (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to click a specially crafted link, an attacker could exploit this flaw to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could.
  • MS15-037 – Important – Task Scheduler EoP Vulnerability – The Windows Task Scheduler suffers from an elevation of privilege flaw. If an attacker can log onto your Windows system with valid credentials (even underprivileged ones), she can run a program that exploits this flaw to gain complete control of the computer.
  • MS15-038 – Important – Two Windows EoP Vulnerabilities – Two other Windows components suffer from flaws like the Task Scheduler one above. Though they differ technically, an attack exploiting them has the same scope and impact. If an attacker can login and run a program, they can gain full SYSTEM privileges in Windows.
  • MS15-040 – Important – AD FS Information Disclosure – Active Directory Federation Services (AD FS) doesn’t fully log off users. If a new user logs on, she might have access to application info from the previous user (similar to a flaw last year).
  • MS15-041 – Important – .NET Framework Information Disclosure Flaw – The .NET Framework suffers from a flaw that could unintentionally allow attackers to view some of your web application’s configuration information. However, you’re only exposed if you configure detailed error messages on your web application (which you shouldn’t do on publicly exposed web applications).
  • MS15-042 – Important – Hyper-V DDoS Flaw – Hyper-V, Microsoft’s virtualization component, suffers from a denial of service (DoS) vulnerability. If an attacker can log into one of your virtual machines (VM) using legitimate credentials, he can run a malicious program that will cause all the VMs on the server to stop responding. Of course the attacker needs valid credentials, and access to the VM, in order to launch the attack.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download February’s full Security Update ISO – Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day.

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB Microsoft IIS HTTP.sys Remote Code Execution Vulnerability (CVE-2015-1635)
  • FILE Microsoft Windows Graphics EMF Processing Remote Code Execution Vulnerability (CVE-2015-1645)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1652)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1668)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1667)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1666)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1665)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1662)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1661)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1660)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1659)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1657)
  • FILE Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641)
  • FILE Microsoft Office Memory Corruption Vulnerability (CVE-2015-1650)
  • WEB Microsoft ASP.NET Information Disclosure Vulnerability (CVE-2015-1648)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

As an aside, Microsoft also released two new security advisories today. If you are interested in how Microsoft is improving their Public Key cryptography, or in learning about an SSL 3.0 issue, be sure to check their advisory page for those new updates. — Corey Nachreiner, CISSP (@SecAdept)

 
