Tag Archives: Patches

Tax Time Security Woes – WSWiR Episode 139

There’s tons of security news each week. If you can’t keep up, I try to summarize the most important stuff for you in my weekly video.

This week’s show covers a researcher leaking 10M credentials, Forbes’ website getting hacked, a TurboTax security scare, and much more. Watch the video for all the details, or check out the Reference section for other interesting stories.

(Episode Runtime: 9:50)

Direct YouTube Link: https://www.youtube.com/watch?v=mTycl-zSbVA



— Corey Nachreiner, CISSP (@SecAdept)

IE11 0day XSS Flaw – Daily Security Byte EP.17

Beware of phishers leveraging a new zero day Internet Explorer (IE) 11 flaw that affects the latest, fully-patched version of Windows. Click play for details.

(Episode Runtime: 1:35)

Direct YouTube Link: https://www.youtube.com/watch?v=AIKDoTGBaTU


— Corey Nachreiner, CISSP (@SecAdept)

Syrian Honey Trap – Daily Security Byte EP.16

Bad actors have always tried to lure us into doing things we shouldn’t by appealing to our base, carnal instincts. Today’s daily infosec video shares why you might want to avoid “hot girls” in general online.

(Episode Runtime: 1:38)

Direct YouTube Link: https://www.youtube.com/watch?v=TyivxEiCuKM


— Corey Nachreiner, CISSP (@SecAdept)

Don’t Be ‘fraid of No Ghost – WSWiR Episode 137

If you want the best network defenses, you need to stay abreast of the latest information security news; but I realize most IT folks don’t have the time to stay informed on their own. Let our weekly video do the heavy lifting, and quickly share the biggest infosec news.

This episode, from last week, covers the latest evidence of a nation state malware campaign, a warning about an adult site spreading malware, news of a critical Linux vulnerability, and more. Watch the video for the scoop, and see the links below.

(Episode Runtime: 4:18)

Direct YouTube Link: https://www.youtube.com/watch?v=waS8JjyTjks



— Corey Nachreiner, CISSP (@SecAdept)

Lots of 0day – WSWiR Episode 136

Every network admin I know is buried under a list of tasks, and has little time to spend learning about the latest information security news. If that sounds like you, check out our weekly news recap video.

This episode, from the third week of January, covers rumors the NSA hacked North Korea, a warning about attackers exploiting an zero day Flash flaw, Oracle’s quarterly critical patch day, and more. Watch the video for more details, and check out the References section below for all the links.

(Episode Runtime: 4:45)

Direct YouTube Link: https://www.youtube.com/watch?v=_4i6zGmXyRg



— Corey Nachreiner, CISSP (@SecAdept)

DarkHotel & iOS Masque – WSWiR Episode 129

MS Patch Day, DarkHotel, and iOS Masque

Too much Information Security (InfoSec) news, too little time? I sometimes feel the same way. If you don’t have time to keep up yourself, why not watch our weekly InfoSec video to catch the highlights.

This week, I share the highlights from Microsoft Patch Day, talk about a targeted attack preying on executives in hotels, and warn of a new vulnerability that affects anyone with an iPhone or iPad. Click play below to learn all about it, and check out other stories from the week in the Extras section below.

Stay vigilant online and enjoy your weekend!

(Episode Runtime: 12:39)

Direct YouTube Link: https://www.youtube.com/watch?v=MwxEksw3j-Q



— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Delivers a Pile of Security Updates – Patch Day Nov. 2014

Microsoft’s monthly Patch Day went live on Tuesday, delivering a substantial pile of security updates to Microsoft administrators. As mentioned in last week’s video, we expected 16 security bulletins. However, Microsoft held back two for unspecified reasons. Even without those missing bulletins, this is a pretty big Patch Day. If you manage Microsoft networks, you’ll want to apply these updates as soon as you can. I’ll summarize some Patch Day highlights below, but you should visit Microsoft’s November Patch Day Summary page for more details

By the Numbers:

On Tuesday, Microsoft released 14 security bulletins, fixing a total of 33 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • the .NET Framework,
  • and SharePoint Server.

They rate four bulletins as Critical, eight as Important, and two as Moderate.

Patch Day Highlights:

You should definitely patch the critical flaws first. The OLE, IE, SChannel, and XML vulnerabilities are all pretty serious; you should install the updates immediately if you can. The overall theme here seems to be web-based threats. Though many of these vulnerabilities affect components you may not relate to web browsing, attackers can leverage many of them by enticing you to a web page hosting malicious code. Drive-by downloads have become one of the primary ways attackers silently deliver malware to your endusers, so you should patch any flaws that help support drive-by downloads as quickly as you can. Also note, the OLE update poses a particularly high risk as attackers have already been exploiting it in the wild (related to SandWorm). The SChannel vulnerability, which some are calling “WinShock,” is also pretty concerning, and might expose any Microsoft servers you expose to the internet (primarily web and email servers). Patch the OLE and SChannel flaws first, and follow quickly with the IE one.

As an aside, Enhanced Mitigation Experience Toolkit (EMET) is a package that makes it much harder for bad guys to exploit memory-based vulnerabilities. Microsoft released a new version (5.1) of EMET in Monday. If you don’t use EMET yet, consider it; and if you do, update.

Quick Bulletin Summary:

We summarize November’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS14-064 – Critical – Windows OLE Remote Code Execution Flaw – Windows’ Object Linking and Embedding (OLE) suffers from two flaws that attackers could exploit to execute code on user’s computers, if those user’s interact with malicious documents, or visit websites containing embedded malicious documents. Attackers have been exploiting these zero day flaws in the wild.
  • MS14-066 – Critical – Schannel Remote Code Execution Vulnerability – Secure Channel (Schannel), a security package that ships with Windows, suffers from a remote code execution flaw that attackers can exploit simply by sending specially crafted packets to your computer.
  • MS14-065 – Critical – Cumulative Internet Explorer update fixes 17 vulnerabilities – This update fixes remote code execution (RCE), elevation of privilege (EoP), information disclosure, and security bypass vulnerabilities. The RCE flaws pose the most risk as attackers often leverage them in drive-by download attacks, where simply visiting the wrong website could result in malware silently downloading and installing on your computer.
  • MS14-067 – Critical – XML Core Service Remote Code Execution Flaw – If attackers can entice you to a malicious website, or to a booby-trapped legitimate website, they can exploit this Microsoft XML Core Services (MSXML) vulnerability to silently install malware on your computer.
  • MS14-069 – Important – Pair of Office Code Execution Flaws - Office, specifically Word, suffers from a pair of code execution vulnerabilities attackers could exploit by getting you to interact with malicious documents.
  • MS14-070 – Important – Windows TCP/IP Elevation of Privilege Flaw - The Windows TCP/IP stack suffers from an EoP vulnerability. Despite the fact the flaw affects a network component, attackers can only exploit it locally by running a malicious program, which significantly lessens its severity.
  • MS14-071 – Important – Windows Audio Service Elevation of Privilege Flaw - This flaw has the same scope and impact as the local EoP flaw above, only it affects Windows’ Audio Service.
  • MS14-072 – Important – .NET Framework Elevation of Privilege Flaw - The .NET Remoting functionality of the .NET Framework suffers from a remote EoP vulnerability. By sending specially crafted data to a server that uses the .NET Remoting feature, and attacker could gain full control of that server. The good news is, according to Microsoft, .NET Remoting is not widely used.
  • MS14-073 – Important – SharePoint Foundation Elevation of Privilege Flaw - Though Microsoft doesn’t describe it this way, this vulnerability sounds like a cross-site scripting (XSS) flaw. If an attacker can lure you to a website with malicious code, or get you to click a link, he do things on your SharePoint server as though he were you.
  • MS14-076 – Important – IIS Security Bypass - Microsoft’s web server, IIS, has a feature that allows administrators to restrict access to web resources by IP address. Unfortunately, it suffers a flaw that attackers can leverage to bypass this access restriction. The flaw only affects you if you use this feature.
  • MS14-074 – Important – Remote Desktop Protocol Security Bypass - In short, the Remote Desktop Protocol (RDP) doesn’t properly log failed login attempts, meaning you may not notice when attackers repeatedly guess passwords.
  • MS14-077 – Important – ADFS Information Disclosure Flaw Active Directory Federation Services (AD FS) doesn’t fully log off users. If a new users logs on, she might have access to application info from the previous user.
  • MS14-078 – Moderate – Japanese IME Elevation of Privilege Flaw - If you use a Windows system that supports Japanese character input, and an attacker can get you to open a malicious file, the attacker can run code with your privileges. This flaw only affects systems with the Japanese character support install, but it has been exploited in the wild in limited attacks.
  • MS14-079 – Moderate – Kernel-mode Drive DoS flaw - The Kernel-mode driver suffers from a Denial of Server (DoS) having to do with how it handles Truetype fonts. If an attacker can get you to view a malicious font, perhaps by getting you to visit a website, he can exploit this to cause your system to crash or stop responding.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as a soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download November’s full Security Update ISO –  Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6353)
  • EXPLOIT Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6351)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6348)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6347)
  • WEB-CLIENT Microsoft Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6346)
  • WEB-CLIENT Microsoft Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6345)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6342)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6341)
  • WEB-ACTIVEX Microsoft Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6340)
  • WEB-CLIENT Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6339)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6337)
  • WEB Exchange URL Redirection Vulnerability (CVE-2014-6336)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4143)
  • WEB-CLIENT Microsoft Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2014-6323)
  • WEB-CLIENT Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332)
  • FILE Microsoft Office Double Delete Remote Code Execution Vulnerability (CVE-2014-6333)
  • FILE Microsoft Office Bad Index Remote Code Execution Vulnerability (CVE-2014-6334)
  • FILE Microsoft Office Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6335)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)


Printer Doom Hack – WSWiR Episode 122

Apple Patches, Kindle XSS, and Doom Printer Hack

If you want to stay current with the Internet “threatscape,” our weekly video can help. It summarizes each week’s top information and network security news in one convenient place. Subscribe today!

Today’s episode covers, Apple and Adobe security updates, a cross-site scripting flaw that affects Kindle users, and an interesting printer hack that allowed an attacker to run doom on a printer. Watch the video for details and see the Reference section below for more info.

Enjoy your weekend!

(Episode Runtime: 5:39

Direct YouTube Link: https://www.youtube.com/watch?v=aZ7-LdlMYHc

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Old Gmail Leak – WSWiR Episode 121

Patch Day, Home Depot Update, and Gmail Leak

Why go searching for all the week’s information security (infosec) news when you can find it in one convenient place. This weekly vlog summarizes the important security updates, hacks, and threats so you can protect yourself.

This week’s episode arrives a bit late due to my business travel in Europe. Today’s show covers the week’s Microsoft and Adobe patches, the latest news on the Home Depot breach, and a story about a potentially new (but likely old) Gmail credential leak. Watch the video for the details, and check the references below for more info and some extra stories.

I will be continuing my business travel next week as well. So my weekly post may arrive earlier or later than normal. Have a great day!

(Episode Runtime: 4:53)

Direct YouTube Link: https://www.youtube.com/watch?v=I1GZpvQV6dQ

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Corrects Lync Server and .NET Framework DoS Flaws

Severity: Medium


  • These vulnerabilities affect: Lync Server and .NET Framework
  • How an attacker exploits them: Various, including by sending maliciously crafted packets or launching specially crafted calls
  • Impact: An attacker could slow down or disrupt connections to the server, or stop it from responding at all.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.


Today, Microsoft released two security bulletins that fix a pair of Denial of Service (DoS) vulnerabilities in two of their products; Lync Server and the .NET Framework. If you used either of these products, you should update them as soon as you can. We summarize the two DoS bulletins below:

  • MS13-053: .NET Framework DoS Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. It suffers from a DoS vulnerability involving the way it handles communications that are hashed. In short, if a remote attacker sends a small amount of specially crafted packets to a server that uses .NET Framework ASP applications, he can cause the server to slow down, and eventually stop responding. If you have any public servers or web applications that use .NET, you should download and install the update as soon as possible.

Microsoft rating: Important

 Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from three vulnerabilities, including a DoS flaw involving the way it handles specially crafted calls. By sending a malicious call to your Lync server, a remote attacker can exploit the DoS flaw to cause the Lync Server to stop responding. If you rely on Lync for communications, you should patch your servers as soon as you can.

Microsoft rating: Important

Solution Path:

Microsoft has released patches that correct both these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

Though you can use your XTM appliance to block the ports necessary for Lync, or use application control to restrict it, this would prevent you from using it externally at all. Right now, Microsoft’s patch are your best solution to these issues.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.


Get every new post delivered to your Inbox.

Join 7,848 other followers

%d bloggers like this: