
WatchGuard Security Week in Review: Episode 63 – Patch Bonanza

Zero Day Patches, Nasty New Malware, and Jailed Hackers

Ready for a dose of InfoSec news? Your weekly security highlights reel is spooled up and ready to go.

This week was all about software updates. Not only did Microsoft and Adobe’s monthly Patch Day bring us patches for critical zero day vulnerabilities, but we saw security updates for Firefox and iTunes as well. In today’s video, I talk about all those updates, as well as two new interesting malware variants, and the sentencing and jailing of a team of well-known hackers. View the video for all the details.

A quick note… Next week I’ll be attending the AusCERT security conference in Australia. Though I still expect to bring you a weekly video, I may post it earlier or later than normal due to travel and the time zone differences. Keep safe out there and see you next week.

(Episode Runtime: 7:17)

Direct YouTube Link: http://www.youtube.com/watch?v=gjAx6PdFY0k

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Update for ColdFusion Zero Day and More

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Reader and Acrobat, Flash Player, and ColdFusion
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Yesterday, Adobe released three security bulletins describing vulnerabilities in Reader and Acrobat, Flash Player, and ColdFusion. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. Attackers have been exploiting one of the ColdFusion issues in the wild, so we recommend you patch quickly.

The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day May 2013

  • APSB13-15: Multiple Reader and Acrobat Memory Corruption Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 27 vulnerabilities that affect Adobe Reader and Acrobat X 11.0.2 and earlier, running on any platform (Windows, Mac, Linux). Adobe’s alert only describes the flaws in minimal detail, but the majority of them involve memory corruption-related vulnerabilities, such as buffer overflows, integer overflows, use-after-free issues, and so on. For the most part, they share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit many of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 2 (Patch within 30 days) for most, though 1 for Windows systems with 9.x and below

  • APSB13-14: Multiple Flash Player Memory Corruption Flaws

Adobe’s bulletin describes 13 vulnerabilities in Flash Player running on all platforms (including Linux and Android). More specifically, the flaws consist of various memory corruption flaws. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe rates these flaws with their highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

  • APSB13-13: Critical Zero Day ColdFusion Vulnerability Patched

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. This bulletin fixes two serious vulnerabilities, one of which attackers are currently exploiting in the wild. We mentioned this zero day flaw in passing during last week’s security news video. Adobe’s bulletin doesn’t share many details, but the primary flaw is a remote code execution vulnerability. If you expose certain default ColdFusion directories, an attacker could exploit this flaw to execute code on your web server simply by sending specially crafted HTTP packets. Though not quite as bad, the second vulnerability allows attackers to remotely retrieve sensitive files from your server. Adobe rates these flaws Priority 1, so we highly recommend ColdFusion administrators update immediately, especially if you have public facing servers.

You can find a bit more detail about the zero day ColdFusion flaw in a security advisory Adobe released earlier this month.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

  • Download Adobe Reader
  • Download Adobe Flash Player

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Reader files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Reader or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block Flash or Reader content via the Web or email, see our manual for more details on how to configure our proxy policies’ content filtering.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 62 – Major Cyber Heist

The Onion Hack, IE8 0day, and ATM Cyber Heist

Are you an over-worked IT administrator with no time to learn about the latest internet threats? Do you want to keep your network safe, but don’t know what the bad guys are up to? If that’s you, then our weekly information security highlights video is just the thing for you. For just three easy payments of… well, nothing… you can have all that and more!

Today’s episode covers Syrian cyber attackers hijacking The Onion’s twitter feed, a serious zero day vulnerability affecting Internet Explorer 8 (IE8), a major cyber bank heist, and more. For all the details, and some tips to protect yourself, watch the video below or check out the stories in the Reference section.

Have a great weekend.

(Episode Runtime: 7:46)

Direct YouTube Link: http://www.youtube.com/watch?v=hdN9YMjKTXM

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Patches for Flash, Shockwave, and ColdFusion

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Flash Player, Shockwave Player, and ColdFusion
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released three security bulletins describing vulnerabilities in Flash Player, Shockwave Player, and ColdFusion. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day: April 2013

  • APSB13-11: Four Flash Player Memory Corruption Flaws

Adobe’s bulletin describes four vulnerabilities in Flash Player running on all platforms. More specifically, the flaws consist of various memory corruption and integer overflow flaws. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe assigns these flaws their highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

  • APSB13-12: Four Shockwave Player Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin describes four security vulnerabilities that affect Shockwave Player running on Windows and Macintosh computers. All of the flaws consist of memory corruption issues (one being a buffer overflow) that share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB13-10: Two Unspecified ColdFusion Vulnerabilities

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from two security vulnerabilities that Adobe does not describe in much technical detail. They describe one flaw as a vulnerability that allows an attacker to impersonate an authenticated user (CVE-2013-1387), and the other as a flaw that could allow an unauthenticated attacker to gain access to the administrative console. Other than that, the bulletin shares very little about the scope or impact of these flaws, so we’re unsure how easy or hard it is for attackers to leverage them. They rate both vulnerabilities as Priority 2 issues, which is essentially their medium severity rating.

Adobe Priority Rating: 2 (Patch within 30 days)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Shockwave files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block Flash or Shockwave content via the Web or email, see our manual for more details on how to configure our proxy policies’ content filtering.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 58 – Darkleech Apache Attack

Telephony DoS, OpFreeKorea, and Darkleech

What do zombie video games, North Korea, and emergency telephone systems have in common? They’ve all been compromised by cyber attackers this week.

If you’re too busy dousing IT fires to keep up with InfoSec news on your own, give our weekly security news summary a try. In this short video, I quickly highlight the biggest security stories from the week, and give some practical defense tips along the way.

This week’s episode covers a new telephony denial of service (TDoS) extortion scheme, a serious flaw in a common database system, the latest Anonymous operation, and a mysterious Apache hijacking campaign that has affected over 20,000 web servers. Watch the video below for the full scoop, and check out the Reference section for additional stories.

(Episode Runtime: 9:03)

Direct YouTube Link: http://www.youtube.com/watch?v=K18Snt0Lrm0

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 57 – 300Gb DDoS

POS Trojans, Android Spear Phishing, and Record DDoS

Extra, Extra, the Internet almost broke (no it didn’t). Read… View all about it!

Too much security news, and too little time? Let me summarize the highlights for you in my weekly InfoSec recap video. This week I cover two trojans targeting point-of-sale (POS) computers, a few software updates, a targeted spear phishing campaign spreading Android malware, and the record-breaking SpamHaus DDoS attack, which didn’t really break the Internet despite some reports. Click play for the details.

There were also a ton of other interesting Infosec tidbits this week, beyond what’s in the video. If you’re interested, check out the Reference section below. Stay frosty out there, and have a Happy Easter weekend.

(Episode Runtime: 9:47)

Direct YouTube Link: http://www.youtube.com/watch?v=sC1zLvbjzI4

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Make Sure to Update Your Apple Devices

If you follow my weekly security video, WatchGuard Security Week in Review, you probably already know that Apple released both an OS X and Safari security update last week. Hopefully, you’ve already applied those two updates, but if not I highly recommend you do so immediately. Among other things, the OS X update includes a Java related security fix. Lately, cyber criminals have really targeted Java in attacks against both Macs and PCs, so it’s important you apply all Java related updates as quickly as you can.

This week, Apple also released iOS and Apple TV security updates. These updates fix a number of security issues in these popular products. High on the list of fixed issues was a highly publicized lock screen bypass flaw in iOS, which an attacker could exploit to gain access to the data on a lost or stolen phone. iOS 6.1.3 fixes that particular lock screen issue, and a few other vulnerabilities. However, later in the week news emerged of another lock screen flaw that affects the iPhone 4s. So it looks like Apple will have some more lock screen related updates in their future.

In any case, if you use Apple devices, you’re probably affected by at least one of these issues. So I recommend you go get the corresponding updates, or let Apple’s automatic update mechanisms do their job. — Corey Nachreiner, CISSP (@SecAdept)

Adobe Plugs Four Flash Security Holes on Patch Day

Summary:

  • This vulnerability affects: Adobe Flash Player 11.6.602.171 and earlier, running on all platforms
  • How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player (version 11.6.602.180 for PC and Mac)

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

In a security bulletin released yesterday, Adobe announced a patch that fixes four critical vulnerabilities in their popular Flash Player. Though the flaws differ technically, they all consist of memory corruption issues, including a buffer overflow flaw, a use-after-free issue, an integer overflow, and so on. The issues share the same general impact. If an attacker can entice one of your users to visit a malicious website, or into handling specially crafted Flash (SWF or FLV) content, he could exploit these flaws to execute code on that user’s computer, with that user’s privileges. If your users have administrator privileges, the attacker could gain full control of their computers.

The good news is, unlike the emergency Flash update two weeks ago, attackers don’t seem to be exploiting these flaws in the wild right now. Nonetheless, Adobe rates the update as a “Priority 1” for Windows users, and recommends you apply it as soon as possible (within 72 hours). We have noticed that attackers and researchers seem to be finding holes in Flash as often as they are in Java. Whatever platform you run it on, we highly recommend you keep Flash up to date.

Solution Path

Adobe has released new versions of Flash Player (11.6.602.180 for PC and Mac) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

  • Download Flash Player for your computer:

Also, we believe attackers and researchers have been focusing on exploiting Flash lately (like they have focused on Java). Flash is used on many web sites, so it may be difficult to make your users remove it. However, there are script-limiting plugins, such as NoScript and NotScripts, which prevent Flash and other scripted content from running by default on web sites. This allows your users to create a whitelist of trusted sites, and only run Flash when absolutely necessary. In doing so, you can prevent many drive-by download attacks that might leverage these sorts of Flash flaws.

NOTE: Chrome ships with its own version of Flash, built in. If you use Chrome as your web browser, you will also have to update it separately, though Chrome often receives its updates automatically.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, by MIME type, or by using very specific hexadecimal patterns found in the body of a message, a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Flash files:

File Extension:

  • .swf – Shockwave
  • .flv – Adobe Flash file (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • application/x-shockwave-flash
  • application/x-shockwave-flash2-preview
  • application/futuresplash
  • image/vnd.rn-realflash

FILExt.com reported Magic Byte Pattern:

  • Hex SWF: 46 57 53
  • ASCII SWF: FWS

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives.)

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Another Emergency Java Update Fixes Two New Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 15 and earlier, on all platforms
  • How an attacker exploits them: Typically by luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install JRE and JDK 7 Update 17 (or Apple’s OS X update)

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

I’ll keep this short since Oracle has been releasing many Java updates lately. Yesterday, Oracle released yet another emergency Java update to fix two critical vulnerabilities in the popular web plugin. By enticing you to a web site with malicious content, attackers can leverage these flaws to execute code on your computer, with your privileges. If you are an administrator, it’s game over.

Java is very dangerous right now. Attackers are currently leveraging these vulnerabilities in the wild. Other research organizations have also found additional Java vulnerabilities. Cyber criminals are even selling a Java exploit kit on the underground market. In short, this is an extremely important update for Java users. We highly recommend you apply Oracle’s emergency update immediately. In fact, if you can do without Java, I suggest you remove it from your computer.

In related news, Apple has also released a Java update for OS X. Mac users should update Java as well.

Solution Path:

Oracle has released JRE and JDK Update 17 to correct these issues (as well as some legacy version updates). If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Remember, attackers have heavily targeted Java lately. If you do not need Java in your organization, I suggest you remove it.

For All WatchGuard Users:

WatchGuard XTM appliances can often help protect you from these sorts of Java vulnerabilities in a number of ways:

  • If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well.
  • WatchGuard constantly develops AV signatures to catch wild Java exploits. If you use our Gateway AntiVirus (GAV) service, it can protect you from some of these attacks.
  • WatchGuard’s IPS signature writers also develop generic Java signatures, which can block some variants of this attack.
  • WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


What did you think of this alert? Let us know at lsseditor@watchguard.com.

Need help with the jargon? Try the LiveSecurity Online Glossary.

Another Adobe Zero Day: Patch Flash

Summary:

  • This vulnerability affects: Adobe Flash Player 11.6.602.168 and earlier, running on all platforms
  • How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player (version 11.6.602.171 for PC and Mac)

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

In a security bulletin released yesterday, Adobe announced a patch that fixes three critical zero day vulnerabilities in their popular Flash Player; two of which attackers are currently exploiting in the wild.

The three vulnerabilities differ technically. For instance, one is a buffer overflow flaw and another is a sandbox bypass vulnerability. However, combined they share the same general impact. If an attacker can entice one of your users to visit a malicious website, or into handling specially crafted Flash (SWF or FLV) content, he could exploit these flaws to execute code on that user’s computer, with that user’s privileges. If your users have administrator privileges, the attacker could gain full control of their computers.

According to Adobe’s alert, the exploits for these vulnerabilities target the Firefox web browser running on Windows systems, which is why they rate this a “Priority 1” issue for Windows, and recommend you apply the updates as soon as possible (within 72 hours). However, the vulnerability technically affects other platforms as well, so I recommend you update any Flash capable device as soon as you can.

Solution Path

Adobe has released new versions of Flash Player (11.6.602.171 for PC and Mac) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

  • Download Flash Player for your computer:

NOTE: Chrome ships with its own version of Flash, built in. If you use Chrome as your web browser, you will also have to update it separately, though Chrome often receives its updates automatically.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, by MIME type, or by using very specific hexadecimal patterns found in the body of a message, a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Flash files:

File Extension:

  • .swf – Shockwave
  • .flv – Adobe Flash file (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • application/x-shockwave-flash
  • application/x-shockwave-flash2-preview
  • application/futuresplash
  • image/vnd.rn-realflash

FILExt.com reported Magic Byte Pattern:

  • Hex SWF: 46 57 53
  • ASCII SWF: FWS

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives.)

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.
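The three identification methods listed above (and in the identical section of the earlier Flash alert on this page) can be combined into one check, as in this added example, which is not WatchGuard’s or Adobe’s code. It goes beyond the text in two ways: it also recognises the compressed SWF signatures CWS and ZWS and the FLV container signature, and it validates the rest of the SWF header so the short three-byte FWS pattern does not fire on unrelated data, which is the false positive problem the note above warns about. The version-byte range and the sample files are constructed assumptions for this example.

```python
"""Identify Flash content by extension, MIME type and magic bytes.

Added example, not WatchGuard's or Adobe's code.  The extension and MIME
lists are the ones from the alert; the signature handling and header
sanity check are this example's own additions (see comments).
"""
import struct
import zlib

# Extensions and MIME types exactly as listed in the alert.
FLASH_EXTENSIONS = {".swf", ".flv", ".fla", ".f4v", ".f4p", ".f4a", ".f4b"}
FLASH_MIME_TYPES = {
    "video/x-flv",
    "application/x-shockwave-flash",
    "application/x-shockwave-flash2-preview",
    "application/futuresplash",
    "image/vnd.rn-realflash",
}

# "FWS" is the pattern from the alert.  "CWS" (zlib) and "ZWS" (LZMA) are
# the compressed SWF variants and "FLV" is the FLV container signature;
# these three go beyond what the page lists.
SWF_SIGNATURES = {b"FWS", b"CWS", b"ZWS"}
FLV_SIGNATURE = b"FLV"


def swf_header_is_plausible(data: bytes) -> bool:
    """True only if the first 8 bytes look like a real SWF header.

    The SWF header is: 3-byte signature, 1-byte version, 4-byte little-endian
    file length.  A bare 3-byte match is too short to block on safely, so we
    also require a sane version byte and, for uncompressed files, that the
    declared length equals the actual size.  The 1..60 version window is an
    assumption chosen for this example.
    """
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return False
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if not 1 <= version <= 60:
        return False
    if data[:3] == b"FWS":
        return declared_len == len(data)
    return declared_len >= 8  # compressed: field holds the uncompressed size


def classify(filename: str, mime_type: str, body: bytes) -> dict:
    """Report which of the three indicators say this object is Flash."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    by_ext = ext in FLASH_EXTENSIONS
    by_mime = mime_type.lower().split(";")[0].strip() in FLASH_MIME_TYPES
    by_magic = swf_header_is_plausible(body) or body[:3] == FLV_SIGNATURE
    return {
        "extension": by_ext,
        "mime": by_mime,
        "magic": by_magic,
        "is_flash": by_ext or by_mime or by_magic,
        # Flash body behind a harmless-looking name and MIME type: the case a
        # proxy rule keyed on extension or MIME type alone would let through.
        "disguised": by_magic and not (by_ext or by_mime),
    }


def build_sample_swf(compressed: bool = False) -> bytes:
    """Constructed sample: a minimal, structurally valid SWF header plus padding."""
    payload = b"\x00" * 24  # stand-in for the real tag stream
    total = 8 + len(payload)
    if compressed:
        return b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(payload)
    return b"FWS" + bytes([10]) + struct.pack("<I", total) + payload


if __name__ == "__main__":
    print(classify("movie.swf", "application/x-shockwave-flash", build_sample_swf()))
    print(classify("holiday.jpg", "image/jpeg", build_sample_swf(compressed=True)))
    print(classify("notes.txt", "text/plain", b"FWS means something else here"))
```

The third call shows why the header check matters: the text file begins with the bytes "FWS" yet is not reported as Flash, because its length field does not match.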

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)
