Tag Archives: .NET Framework

Microsoft Corrects Lync Server and .NET Framework DoS Flaws

Severity: Medium

Summary:

  • These vulnerabilities affect: Lync Server and .NET Framework
  • How an attacker exploits them: Various, including by sending maliciously crafted packets or launching specially crafted calls
  • Impact: An attacker could slow down or disrupt connections to the server, or stop it from responding at all.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins that fix a pair of Denial of Service (DoS) vulnerabilities in two of their products; Lync Server and the .NET Framework. If you used either of these products, you should update them as soon as you can. We summarize the two DoS bulletins below:

  • MS13-053: .NET Framework DoS Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. It suffers from a DoS vulnerability involving the way it handles communications that are hashed. In short, if a remote attacker sends a small amount of specially crafted packets to a server that uses .NET Framework ASP applications, he can cause the server to slow down, and eventually stop responding. If you have any public servers or web applications that use .NET, you should download and install the update as soon as possible.

Microsoft rating: Important

 Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from three vulnerabilities, including a DoS flaw involving the way it handles specially crafted calls. By sending a malicious call to your Lync server, a remote attacker can exploit the DoS flaw to cause the Lync Server to stop responding. If you rely on Lync for communications, you should patch your servers as soon as you can.

Microsoft rating: Important

Solution Path:

Microsoft has released patches that correct both these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

Though you can use your XTM appliance to block the ports necessary for Lync, or use application control to restrict it, this would prevent you from using it externally at all. Right now, Microsoft’s patch are your best solution to these issues.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Windows, IE, Lync, and .NET Patches

As you may know, today was Microsoft Patch Day. If you manage a Windows-based network, it’s time to get the latest updates.

According to Microsoft’s summary post, the Redmond-based software company released four security bulletins fixing 41 vulnerabilities in many of their popular products. The affected software includes, Windows, Internet Explorer (IE), Lync Server, and the .NET Framework. Microsoft rates the IE update as Critical, and the rest as Important.

As you might guess from the severity ratings, the IE update is the most important. It fixes over 37 security flaws in the popular browser, many of which attackers could use in drive-by download attacks (where just visiting a web site results in malware on your computer). Furthermore, one of the fixes closes a zero day vulnerability that attackers have exploited in the wild. If you use IE, I recommend you apply its update as quickly as your can. You should also install the other updates as well, however, their mitigating factors lessen their risk, so you can install them at your convenience.

In summary, if you use any of the affected products, download, test, and deploy these updates as quickly as you can or let Windows’ Automatic Update do it for you. For the server related updates, I highly recommend you test them before installing them on production servers, as Microsoft has released a few problem causing updates recently. You can find more information about these bulletins and updates in Microsoft’s September Summary advisory.

Also note today is Adobe’s Patch Day as well, and they released one security update fixing 12 vulnerabilities in Flash Player. If you use Flash, you should update it quickly. Adobe also pre-announced a Reader update earlier this month. However, it appears they have had to delay the update for some reason.

I’ll share more details about today’s patches on the blog throughout the day. However, I am traveling internationally, so the updates may not arrive as regularly as usual. If you are in a hurry to patch, I recommend you visit the links above, and start now.  — Corey Nachreiner, CISSP (@SecAdept).

Windows Updates for Media Center, .NET, and LRPC

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, such as enticing you into opening maliciously crafted Office file.
  • Impact: In the worst case, an remote attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing seven vulnerabilities in Windows and related components, such as the .NET Framework. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-043:  Windows Media Center Code Execution Flaw

Windows Media Center is the media player and Digital Video Recording (DVR) application that ships with the popular operating system. MCplayer.dll, a component Media Center uses for audio and video playback, suffers from a “use after free” vulnerability. By tricking you into running a specially crafted Office file, a remote attacker could leverage this flaw to execute code on your computer, with your privileges. If you’re a local adminstrator, the attacker could gain complete control of your machine. Note, this flaw mostly affects the latest versions of Windows.

Microsoft rating: Critical

  • MS14-045:  Multiple Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from three local code execution flaws. The flaws differ technically, but most have to do with the kernel-mode driver improperly handling certain objects, which can result in memory corruptions. Smart attackers can leverage memory corruption flaws to execute code. In a nutshell, if a local attacker can run a specially crafted application, he could leverage most of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability.

Microsoft rating: Important

  • MS14-046:  .NET Framework ASLR Bypass Flaw

The .NET Framework is software framework used by developers to create new Windows and web applications. Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. In short, the .NET framework doesn’t use ASLR protection. This means attackers can leverage .NET to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Local Remote Procedure Call (LRPC) is a protocol Microsoft Windows uses to allow processes to communicate with each other and execute tasks, whether on the same computer or another computer over the network. It suffers from a ASLR bypass vulnerability that has the same scope and impact as the .NET one described above.

Microsoft rating: Important

  • MS14-049:  Windows Installer Service Elevation of Privilege Flaw

As its name suggests, the Windows Installer services is a component that helps you install and configure stuff in Windows. It suffers from a privilege escalation vulnerability involving the way it improperly handles the repair of a previous application. If a local attacker can log into one of your Windows systems and run a specially crafted application, he could exploit this flaw to gain complete control of the system (even if he started out with only Guest privileges). Of course, the attacker would need valid login credentials, which significantly lowers the severity of this issue.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking Office files), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Nine Microsoft Security Bulletins Coming Tomorrow; Two Critical

Is it just me, or are the months flying by this year? It’s already time for yet another Microsoft Patch Day. According to their advanced notification post for August, Microsoft will release nine security bulletins tomorrow, two with a Critical severity rating. The bulletins will include updates to fix flaws in Windows, Internet Explorer, Office, the .NET Framework, SQL server, and other Microsoft Server Software. You can find a little more color about the upcoming patches at Microsoft’s Security Response Center blog.

In short, if you are a Microsoft administrator, you should prepare yourself for a busy day of patching. I’ll post more details about these updates tomorrow, as they come out. However, I am traveling this week to attend a show, so my posts may not go live as quickly as normal. Be sure to keep you eye on their summary post tomorrow, if you’d like to get the details early. — Corey Nachreiner, CISSP (@SecAdept)

Four Windows Bulletins Fix Group Policy, .NET, and iSCSI Flaws

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, though most require authenticated attackers to do things locally
  • Impact: In the worst case, an authenticated attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as the .NET Framework. An authenticated attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-025: Group Policy Preferences Password Elevation of Privilege Flaw

Group Policy is the Windows feature that allows administrators to push configuration and settings to other Windows computers throughout their network. Group Policy Preferences are simply an extension of settings you can push via Group Policy. Microsoft’s alert describes a vulnerability in the way Active Directory sends password information with certain Group Policy Preferences. If you use Group Policy to set system administrator accounts, map drives, or run scheduled tasks—all things that require privileges—Group Policy stores an encrypted version of the password or credential needed for this task on the local computer. Local, authenticated attackers can then use that information to crack the password, and perhaps elevate their privileges. For instance, if you use your domain administrator account to run a particular scheduled task on every Windows computer network when it boots, local Windows users may have the information they need to crack your domain administrator account. That said, attackers would need valid credentials to log into one of your windows computers in order to exploit this flaw. So this primarily poses an insider risk.

Microsoft rating: Important

  • MS14-026:  .NET Framework Elevation of Privilege Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.

The .NET Framework suffers from an unspecified elevation of privilege vulnerability. If an authenticated attacker can send specially crafted data to an app that uses .NET Remoting, he can exploit this flaw to execute code on that system with full system privileges.

Microsoft rating: Important

  • MS14-027:  Windows Shell Elevation of Privilege Vulnerability

The Windows Shell is the primary GUI component for Windows. It suffers from a vulnerability having to do with its ShellExecute Application Programming Interface (API). If a local attacker can log in to one of your Windows systems and run a specially crafted program, he can exploit this flaw to execute code with local administrator privileges, thus gaining full control of the computer.

Microsoft rating: Important

  • MS14-028:  Two iSCSI DoS Vulnerabilities

iSCSI is a standard that supports network based storage devices. The Windows iSCSI component suffers from two Denial of Service (DoS) vulnerabilities. By sending a large amount of specially crafted packets to the iSCSI service (TCP 3260), an attacker could exploit this flaw to cause the iSCSI service to stop responding. Of course, the attacker needs access to the iSCSI service, which most administrator might block with their firewall.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. I especially recommend you test the Group Policy Preference update before deploy it, as it may slightly change the way Group Policy Preferences work.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking TCP port 3260), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Patches for IE, Sharepoint, Office, and Windows

Calling all Microsoft administrators! It’s Microsoft Patch Day, and their security updates are available for download.

You know the drill by now. As they do every second Tuesday of the month, Microsoft has released May’s important security updates. You can find this month’s Patch Day highlights in Microsoft’s summary post, but here’s what you really need to know:

  • Microsoft released eight bulletins, two rated Critical and the rest Important.
  • The affected products include
    • Windows
    • Office
    • Internet Explorer (IE)
    • and Sharepoint Server.
  • Attackers are apparently exploiting some of the Windows and IE vulnerabilities in the wild already, in what Microsoft calls “limited, targeted attacks.
  • As expected, Windows XP users aren’t getting patches this month (or from hereafter).

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can. You can also let Windows’ Automatic Update do it for you. While I don’t recommend Automatic Update on servers (due to potential patch bugs), I do think you should enable it on your clients computers. As always, concentrate on installing the Critical updates as soon as you can (especially the IE one this month), and handle the others later.

I’ll share more details about today’s patches on the blog throughout the day, though these posts may be slightly delayed due to my participation in WatchGuard’s US Partner Summit.  — Corey Nachreiner, CISSP (@SecAdept).

Windows Updates Fix Code Execution, DoS, and Privilege Elevation Flaws

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like the .NET Framework and VBScript Engine)
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites or into viewing malicious vector graphics
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing seven vulnerabilities in Windows and its components. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-011VBScript Code Execution Vulnerability

VBScript is a scripting language created by Microsoft, and used by Windows and its applications. The VBScript Scripting Engine, which ships with Windows, suffers from an unspecified memory corruption vulnerability having to do with its inability to properly handle certain objects in memory when rendering script for Internet Explorer (IE). By enticing you to a specially crafted web page, an attacker could leverage this flaw to execute code on your computer with your privileges. If you have admin rights, then The attacker gains computer control of your computer.

Microsoft rating: Critical

  • MS14-007:  Direct2D Memory Corruption Vulnerability

DirectX is a multimedia development API, primarily used by programmers to make games for Windows and to handle multimedia. It includes Direct2D, a component Windows uses to render two dimensional vector graphics. Direct2D suffers from a memory corruption vulnerability having to do with how it improperly handles specially crafted vector figures. By enticing you to open a malicious vector graphic, an attacker can exploit this flaw to execute code on your system, with your privileges. Of course, if you have administrative privileges, as most Windows users do, the attacker gains complete control of your computer. Since this vulnerability requires some user interaction to succeed, Microsoft assigns it an Important severity rating.

Microsoft rating: Important

  • MS14-009Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. The .NET Framework suffers from three new security vulnerabilities, including an elevation of privilege flaw, a denial of service (DoS) vulnerability, and an issue that allows attackers to bypass one of Windows’ security features (Address Space Layout Randomization or ASLR). The worst of the three is the elevation of privilege flaws. Without going into technical detail, if an attacker can entice one of your users to visit a malicious .NET web page or run an .NET application locally, she can exploit this flaw to gain full control of that user’s system.

Microsoft rating: Important

  • MS14-005:  MSXML Information Disclosure Flaw

Microsoft XML Core Services (MSXML)  is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It ships with various versions of Windows, and other Microsoft products. If you have a Windows computer, you very likely have MSXML. MSXML suffers from an information disclosure vulnerability due to a flaw in the way it handles cross-domain policies. By luring your users to a malicious web site or specially crafted link, an attacker could exploit this flaw to gain access to some of the files on that user’s computer.

Microsoft rating: Important

Windows ships with a TCP/IP stack used to handle network traffic, and this stack now supports  IPv6. Unfortunately, the Windows IPv6 TCP/IP stack suffers from a denial of service vulnerability involving the way it handles large amounts of specially crafted router advertisement messages.  If an attacker on your local network sends a large amount of such packets, he can cause your Windows computer to stop responding. Of course, the attackers needs to be on the same subnet as the victim, with relegates this primarily to an insider threat. 

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

  • WEB Microsoft ASP.NET POST Request DoS Vulnerability (CVE-2014-0253)
  • WEB-CLIENT Microsoft Graphics Component Memory Corruption Vulnerability (CVE-2014-0263)
  • WEB-CLIENT Microsoft MSXML Information Disclosure Vulnerability (CVE-2014-0266)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Patch Windows Kernel-mode Driver and .NET First

Microsoft’s July Patch Day is live and ready for download, so go grab those updates. I recommend you work on the Windows Kernel-mode driver and .NET one’s first.

According to their summary post, Microsoft released seven security bulletins today, six of which they rate as Critical. The bulletins include updates to fix 36 vulnerabilities in many popular Microsoft products, including Windows, Internet Explorer (IE), Office, the .NET Framework, Silverlight, and Defender. Attackers are exploiting at least one of these flaws in the wild.

I always recommend you apply Microsoft’s Critical updates as soon as possible, but there are two in particular that you should jump on immediately. The first fixes vulnerabilities in Windows’ kernel-mode driver (MS13-053), which was disclosed awhile ago by a Google researcher. The researcher has already released proof of concept (PoC) code for this flaw, and Microsoft is aware of attackers leveraging it in targeted attacks. Next, you should also apply Microsoft’s .NET Framework and Silverlight patch quickly, since at least two of its flaws were disclosed in detail before today’s updates came out.

That’s not to say you should lax-off on the other updates. I think the IE patch is pretty important too; as are any updates Microsoft rates Critical. So I’d recommend you apply all six of the Critical updates today if you can. Of course, I still recommend you test Microsoft’s updates in a non-production  environment before pushing them to any critical production server. It may be ok to quickly patch client machines without testing, but you don’t want any surprises with your critical servers.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft update matrix below, for your convenience.  — Corey Nachreiner, CISSP (@SecAdept)

Summary of July 2013 Microsoft Updates

Summary of July 2013 Microsoft Updates

Trio of Windows Bulletins Correct Moderate Vulnerabilities

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows or components often packaged with it (like the .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or running malicious programs locally
  • Impact:  Varies, ranging from a remote Denial of Service (DoS) attack to local attackers gaining complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that describe six vulnerabilities affecting Windows or components related to it (like the .NET Framework). They only rate these bulletins as Important, due to limited impact or mitigating factors. Each of these vulnerabilities affects different versions of Windows to varying degrees. In the worst case, a local attacker could exploit one of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates at your earliest convenience.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

The HTTP Protocol Stack (HTTP.sys) is a Windows component that listens for and handles HTTP requests before passing them to a web server like IIS. It suffers from a Denial of Service (DoS) vulnerability having to do with its inability to properly handle HTTP requests with specially malformed headers. By sending a specially crafted HTTP request, a remote attacker can leverage this flaw to cause your system to stop responding. While this sort of DoS attack doesn’t result in any breach or data loss, attackers can leverage it to knock your public web server offline, which could have significant business implications. You should download, test, and deploy Microsoft’s HTTP.sys update as soon as possible.

Microsoft rating: Important

  • MS13-040Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. The .NET Framework component suffers from two new security vulnerabilities.

The first issue is an XML digital signature spoofing vulnerability. XML files can contain digital signatures, which .NET applications can use to verify the integrity of XML files (ensuring they haven’t been improperly modified). However, the .NET Framework component (CLR) responsible for validating these signatures doesn’t do it right. As a result, attackers can modify the contents of an XML file without invalidating the signature. The impact of this flaw depends on if and how your custom .NET applications leverage this functionality.

The second issue is an authentication bypass vulnerability. The Windows Communication Foundation (WCF) is essentially a set of .NET APIs that developers can use to make applications that communicate securely with one another. However, WCF suffers from an authentication bypass flaw. By sending specially crafted packets, an attacker could gain unauthenticated access to computers that run WCF services. The impact of this bypass depends on your custom .NET application. If you custom application gives your users access to sensitive data, then in can pose a significant risk. If you install the .NET framework, you should download, test, and install Microsoft’s update as soon as you can.

Microsoft rating: Important

  • MS13-046Kernel-Mode Driver Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from three new local elevation of privilege flaws. They all differ technically, but share the same basic scope and impact. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers (or cause it to become unstable). However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows and .NET Framework patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

  • WEB Microsoft Windows 2012 Server HTTP.sys Denial of Service Vulnerability (CVE-2013-1305)
  • EXPLOIT Microsoft XML Digital Signature Spoofing Vulnerability (CVE-2013-1336)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Fix for IE8 Zero Day and More

Calling all Microsoft administrators. It’s time to spin up your virtual test machines and download, test, and deploy May’s batch of Microsoft security updates. This month’s theme is IE updates; with a focus on a recent IE zero day vulnerability, as well as a continuation of the “use after free” vulnerability theme I commented on last month.

According to their summary post, Microsoft released ten security bulletins today, fixing around 33 security vulnerabilities in many of their popular products. The affected software includes Internet Explorer (IE), Windows and related components, products from the Office suite (Word, Visio, and Publisher), Lync, and Windows Essentials. Microsoft rates the IE updates as Critical, and the rest as Important.

As I mentioned earlier, today’s theme definitely centers around IE. Last week’s security video covered how attackers have recently been exploiting a zero day IE8 vulnerability in the wild—most notably against the Department of Labor web site. One of today’s updates completely fixes this serious flaw. The other IE update continues to fix more “use after free” vulnerabilities, a class of memory corruption flaws that researchers and attackers have focused on lately. I highly recommend you install today’s IE updates immediately, then follow with the Windows and Office updates.

As an aside, Microsoft also released or updated four security advisories today. One of the updates has to do with one of today’s bulletins, but the other three are new. Once you’re finished handling today’s patches, you should check out Microsoft’s security advisory page as well.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s May bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Follow

Get every new post delivered to your Inbox.

Join 7,581 other followers

%d bloggers like this: