Tag Archives: Patches

Office 2003 Document Handling Code Execution Vulnerability

June 11, 2013 by Corey Nachreiner 1 Comment

Severity: Medium

Summary:

  • These vulnerabilities affect: Office 2003 and Office for Mac 2011
  • How an attacker exploits them: By enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches as soon as possible, or let Windows Update do it for you.

Exposure:

As part of part of Patch Day, Microsoft released a security bulletin describing a vulnerability in Office 2003 and Office for Mac 2011. Specifically, the Office components used to parse PNG image files suffer from a buffer overflow vulnerability involving the way they handle specially crafted images. By embedding a malicious PNG image into an Office document, and tricking one of your users into downloading and opening or previewing it, an attacker can exploit this vulnerability to execute code on that user’s computer, inheriting that user’s privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Though Microsoft only rates this security update as Important, since the attack requires user interaction to succeed, we believe it poses a significant risk because many normal users trust Microsoft Office documents. You should patch this flaw as soon as you can.

Solution Path

Microsoft has released an update for Office to fix this flaw. If you use Office 2003 or Office for Mac 2011 you should download, test, and deploy the update as soon as possible, or let Windows Update do it for you. See the “Affected and Non-Affected Software” section of Microsoft’s bulletin for more details on where to find the updates.

For All WatchGuard Users:

Though you can use WatchGuard’s XTM and XCS appliances to block certain files and content, such as Office documents, most organizations share these types of documents as part of normal business. Instead, we recommend you install Microsoft’s updates to completely protect yourself from this flaw.

Status:

Microsoft has released an Office update to fix this flaw.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Security Updates
, , ,

Microsoft Black Tuesday: Big IE Update Trumps Windows & Office Patches

June 11, 2013 by Corey Nachreiner 2 Comments

If you manage Windows networks, you know what time it is… time for Microsoft’s monthly list of security updates.

Microsoft Patch day has gone live, and you can find a listing of today’s security bulletins in their June Patch Day summary page. As expected, they released five security bulletins, one for Internet Explorer (IE), three for Windows and its components, and one for Office. They only rate the IE bulletin as Critical.

I recommend you focus most your attention to the IE update. It corrects 19 vulnerabilities—the bulk of today’s flaw—and most of them could allow remote attackers to gain control of your users’ computers via drive-by download attacks. You should definitely patch it first. That said, the Windows and Office updates are still important. Even though the Windows flaws require local access, and the Office flaw requires a bit of user interaction, they still pose some risk. So patch them too, just start with IE.

We’ll share more details about Microsoft’s bulletins in three upcoming alerts, posted throughout the day. Stay tuned.  — Corey Nachreiner, CISSP (@SecAdept)MS Patch Day June 2013

Editorial Articles
, , , , , , , , , , ,

Next Week’s Patch Tuesday Focuses on IE

June 7, 2013 by Corey Nachreiner 1 Comment

I’m sure you’re used to the Microsoft Patch drill by now, so let’s jump right in…

According to their advanced notification post, Microsoft plans to release five security bulletins next Tuesday, which is a rather small number compared to Patch Days of recent past. Their notice warns that the bulletins will include security updates for Windows, Office, and Internet Explorer (IE), and will fix a total of 23 vulnerabilities. The IE patch alone  fixes 19 of those 23 issues, and it’s the only update Microsoft rates as Critical (the rest are rated Important).

Based on past experience, I’d bet that the majority of the IE fixes correct memory related vulnerabilities that attackers could leverage in drive-by download attacks.So when Patch Day comes around next week, I recommend you get your IT staff to put precedence on the IE update, then take care of the other four.

As an aside, there is no word whether or not Microsoft’s upcoming Windows updates will fix the zero day kernel-mode driver vulnerability that I mentioned the Google researcher disclosed last week. I’ll let you know once I know this flaw is patched and I’ll share more details about Patch Day next Tuesday.  — Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles
, , , , , , , , , ,

WatchGuard Security Week in Review: Ruby on Rails Botnet

May 31, 2013 by Corey Nachreiner 2 Comments

Welcome to our weekly network and information security (Infosec) highlights. While I normally deliver these highlights in a short video, I’m currently attending WatchGuard’s 2013 Global Partner Conference, and couldn’t find the time to shoot this week’s episode. I’ll return to my regular programming cycle next week. Until then, here’s a written summary of the week’s security news.

Today’s stories includes a Ruby on Rail exploit plaguing web servers, a new Windows zero day flaw, a Drupal.org user account leak, and much more. Read below for more details, and join us next week when the regular video returns:

  • Ruby on Rails exploit in the wild - During the past week, attackers have exploited a vulnerability in a popular web framework called Ruby on Rails to hijack web servers and force them to join a botnet. The flaw responsible for the hijackings was first discussed and patched back in January, but apparently many web administrators haven’t applied it yet. If you run a server with Ruby on Rail, make sure it’s up to date.
  • Google researcher discloses zero day Windows kernel-mode driver flaw - A Google security researcher named Tavis Ormandy disclosed a zero day vulnerability in the kernel-mode driver that could allow local attackers to gain full system privileges on Windows 7 and 8 computers (and perhaps earlier versions too). In his normal style, Ormandy released details and proof of concept (PoC) code for this flaw before giving Microsoft time to patch the issue. I’ve never personally liked Ormandy’s disclosure strategy, but he does find many security flaws. The good news is attackers can only exploit this flaw if they can run a program locally or the victim’s computer, or can trick one of your users into doing it for them. We’ll let you know when Microsoft patches.
  • Drupal.org breached and user accounts leaked - Like the many sites before them, Drupal.org was breached by an unidentified hacker who stole the user credentials, email addresses, and hashed passwords of millions of their users. They claim no financial information was stolen. If you have a Drupal account, change your Drupal password immediately (and hopefully you don’t use that password anywhere else).
  • Suspected game company hacker charged in Perth -  A  teenaged, Perth-based hacker who calls himself SuperDaE was charged  this week in Australia with various computer related offenses. SuperDaE claims to have breached many game companies, including Microsoft, Sony, Epic, and Blizzard. He also claims to have stolen game engine code, SDK, and early information and details about Sony and Microsoft’s upcoming new consoles. Before his arrest, he threatened to release all this stolen information publicly if he wasn’t released at a certain time. The authorities haven’t shared much detail about the charges yet, but apparently SuperDaE is out on bail.
  • Chinese attackers alleged to steal U.S. weapon system designs - According to a report to the Pentagon from the Defense Science Board, alleged Chinese attackers breached private government networks and accessed the designs of two dozen weapon systems. The report doesn’t blame China outright, but contains language that suggests the attacks were part of a long-term Chinese cyber attack campaign. Other articles correctly point out that many of these reports lack evidence, and we should avoid knee-jerk reactionscblaming China for every attack.
  • Financial service targeted with another huge DDoS attack - According to a DDoS vendor, hackers targeted an unnamed financial service with a 167Gbps DDoS attack. While not quite as large as the recent 300Gbps DDoS attack against Spamhaus, it’s further proof that DDoS attackers are getting bigger every day.
  • Anonymous related twitter feeds hijacked - In an ironic turn of events, a few twitter feeds that promote the Anonymous hacktivist group have been hijacked by rivals.

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , , , , , , , , ,

Office Patches Mend Word, Visio, Publisher, and Lync

May 14, 2013 by Corey Nachreiner 1 Comment

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word, Visio, Publisher, and Lync
  • How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix 14 vulnerabilities in a range of Microsoft Office products, including Word, Visio, Publisher, and Lync. We summarize these four security bulletins below, in order from highest to lowest severity.

  • MS13-041: Lync Remote Code Execution (RCE) Vulnerability

 Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from an unspecified memory corruption vulnerability that attackers could leverage to execute arbitrary code on your computer. If an attacker can convince one of your users to join a Lync or Communicator session containing specially crafted content, they could execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could gain complete control of affected computers. This flaw only affects certain versions of Lync and Communicator. See the “Affected and Non-Affected Software” section of Microsoft’s bulletin for more details.

Microsoft rating: Critical

  • MS13-042: Multiple Publisher Memory Corruption Vulnerabilities

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from eleven memory corruption vulnerabilities. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Publisher except 2013.

Microsoft rating: Important

Word is the popular word processor that ships with Office. It suffers from a remote code execution (RCE) vulnerability having to do with how it handles Word or RTF documents containing maliciously crafted shape data. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word and Word Viewer 2003.

Microsoft rating: Important

  • MS13-044 : Visio Information Disclosure Vulnerability

Microsoft Visio is a popular diagramming program often used to create network diagrams.  Visio suffers from a complex information disclosure vulnerability, involving the way it parses specially crafted XML content. At a high level, XTM documents can contain “external entities;” essentially text or binary data from an external location. If an attacker can entice one of your users into downloading and opening a malicious Visio document (containing XTM content), he can exploit this flaw to read data from files on the victim’s computer. This flaw affects all versions of Visio except 2013.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed a signature that can detect and block the Visio Information Disclosure issue:

  • EXPLOIT Microsoft Visio XML External Entities Resolution Vulnerability (CVE-2013-1301)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Security Updates
, , , , , , , , , ,

Microsoft Black Tuesday: Fix for IE8 Zero Day and More

May 14, 2013 by Corey Nachreiner 5 Comments

Calling all Microsoft administrators. It’s time to spin up your virtual test machines and download, test, and deploy May’s batch of Microsoft security updates. This month’s theme is IE updates; with a focus on a recent IE zero day vulnerability, as well as a continuation of the “use after free” vulnerability theme I commented on last month.

According to their summary post, Microsoft released ten security bulletins today, fixing around 33 security vulnerabilities in many of their popular products. The affected software includes Internet Explorer (IE), Windows and related components, products from the Office suite (Word, Visio, and Publisher), Lync, and Windows Essentials. Microsoft rates the IE updates as Critical, and the rest as Important.

As I mentioned earlier, today’s theme definitely centers around IE. Last week’s security video covered how attackers have recently been exploiting a zero day IE8 vulnerability in the wild—most notably against the Department of Labor web site. One of today’s updates completely fixes this serious flaw. The other IE update continues to fix more “use after free” vulnerabilities, a class of memory corruption flaws that researchers and attackers have focused on lately. I highly recommend you install today’s IE updates immediately, then follow with the Windows and Office updates.

As an aside, Microsoft also released or updated four security advisories today. One of the updates has to do with one of today’s bulletins, but the other three are new. Once you’re finished handling today’s patches, you should check out Microsoft’s security advisory page as well.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s May bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles
, , , , , , , , , , , , , , , , ,

WatchGuard Security Week in Review: Text Edition

May 3, 2013 by Corey Nachreiner 1 Comment

Welcome to our weekly network and information security (Infosec) news highlights. Typically, I deliver these security highlights as a short video. However, I’m traveling this week for both business and personal reasons, and was unable to produce the video version during my hectic travel schedule. The video will return next  week from the Interop IT conference in Vegas. Until then, enjoy this text summary of the biggest Infosec stories from the week.

This week’s stories includes a big credential leak, the hijacking of a government web site, and news of a flaw in Google’s latest wearable computer. Read below for more details, and join us next week when the video version returns:

  • Living Social breach leaks 50mil user credentials - Attackers breached Living Social’s network and made off with the personal info of 50 million users. The stolen information included things like your email address, date of birth, and your hashed password. Though the passwords were hashed, attackers can still leverage brute force attacks to figure out the weaker ones of the bunch. If you use Living Social, you need to change your password immediately. More importantly, if you use the same password at other sites, stop doing that and change your passwords there too.
  • Latest on the mysterious Apache web site mass hijackings - Over the past few months, we’ve pointing out multiple incidents where thousands of Apache web servers were hijacked with a very sneaking backdoor. While researchers understood the complex backdoor attackers were injecting, no one really knew how attackers were initially gaining access to vulnerable sites (though many suspected Cpanel or WordPress vulnerabilities). In any case, ESET and Sucuri have released new research on the complex backdoor used in this attack campaign. It’s a very interesting read for the security conscious and a must-read for web administrators. Thanks to our friend and reader, Ryan, for pointing out this new research.
  • Hackers pwn Google Glass - You’ve probably seen Google Glass; the latest wearable computer. It’s not really out yet, but a group of select developers with cash to spare have gotten their hands on preview copies of this interesting new product. This week, one of those developers have learned how to jailbreak or root the device. Jailbreaking or rooting are terms used to describe when a user gains full administrative control of a device that was somehow locked down by the manufacturer. Usually, the devices owner is the one that wants to root a device, in order to do things that the manufacturer didn’t originally intend. However, the techniques used to root devices often leverage software vulnerabilities, which attackers could also leverage to take full control of your device. Obviously, you don’t want that. In any case, Google Glass is really still in beta, and not available to consumers. I wouldn’t be overly worried about this supposed flaw, as I’m sure Google will correct it before the official release.  Still, an interesting read.
  • Reader vulnerabilities allows attackers to track PDF documents - Mcafee discovered an Adobe Reader flaw that attackers could leverage to find out when users open a particular Reader document, and what IP there are opening it from. This is not a critical issue, in that attackers can’t leverage it to execute code, but it does pose a privacy risk. There is no fix for the flaw yet, but you should expect one in an upcoming release.
  • Chinese attackers force Department of Labor site to serve malware - According to Alienvault, the Department of Labor web site was hijacked by China-based attackers,  and then forced to serve malicious code, which then tries to infect anyone that visits the site.  The Department of Labor has since cleaned their site, but if you happen to have visited it lately you should definitely scan your computer for malware.
  • Serious Flaw in IBM Notes - It’s hard for me to imagine anyone still using the Notes email client, but I have learned there are still some of you out there. This week, researchers reported a serious security flaw in this client, involving how it handles Java applets and javascript. IBM plans to fix the flaw soon, but until then you should disable javascript and Java applets in the Notes client.
  • State-sponsered attackers breach US government defense contractor - Investigators find evidence of a long term breach of a US defense contracter that makes some pretty interesting defense and spy gear.

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , , , , , , , , , ,

Microsoft Black Tuesday: Security Flaws in a Menagerie of Products

March 12, 2013 by Corey Nachreiner 3 Comments

Though today’s Patch Day might seem pretty average as far as the number of security bulletins released, it does cover a rather eclectic range of Microsoft products. In fact, a few of the updates affect Mac users as well, and one is even exclusive to Mac.

During today’s Patch Day, Microsoft released seven security bulletins fixing  20 vulnerabilities in the following products:

  •  Windows (all versions)
  • Internet Explorer (IE)
  • Office Suite updates
    • Visio Viewer 2010
    • SharePoint Server 2010
    • OneNote 2010
    • Office Outlook for Mac
  • Silverlight 5 (For PC and Mac)

They rate four of the bulletins as Critical, and three as Important. Many of the Critical issues can allow remote attackers to execute code on affected systems. So we highly recommend you patch them quickly.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s March bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles
, , , , , , , , , , , ,

WatchGuard Security Week in Review: Reader 0day

February 15, 2013 by Corey Nachreiner 4 Comments

Reader 0Day, Zombie Broadcast, and Bit9 Breach

Due to a busy work week, I was unable to create a fully produced InfoSec news summary video this week. I did post a very brief video (which you can find below), mostly to warn our YouTube subscribers about the missing episode. It contains very minimal detail about this week’s top security stories.

However, I won’t leave you hanging for your weekly security news fix. Below, you’ll find a bullet-list, which quickly summarizes many of this week’s most interesting Infosec news. See you next week.

  • Zero day Adobe Reader vulnerability - A security company, FireEye, discovered attackers exploiting a previously unknown vulnerability in Adobe Reader to install malware. Adobe hasn’t had time to fix it yet, but recommends you use “Protected View” mode to mitigate the issue. We’ll post more details when they patch.
  • President Obama signs cyber security executive order  - As many expected, President Obama signed a cyber security executive order this week that allows government organizations to share security intelligence with some private organizations  and asks critical infrastructure providers to up their security.
  • Bit9 breached and digital certificates stolen - A security company, Bit9, confirmed they were breached this week, and that attackers had stolen their digital certificates and used them to sign malware. Their excuse for the breach? They didn’t use their own product enough.
  • Hacked emergency broadcast system warns of zombie attack  - Folks in some Montana counties were surprise when their television emergency broadcast system warned of a zombie attack. Unsurprisingly, it turns out the system was hacked.
  • More Ruby on Rail vulnerabilities - Researchers have found more vulnerabilities, like SQL injections, in Ruby on Rails. If you are a web developer who uses this package, go patch.
  • Microsoft’s February Patch Day- As always, Microsoft released a bunch of security updates this week. They fixed flaws in Windows, Exchange, Internet Explorer, and a few lesser known products. I released details about the updates here, so hopefully you’ve already patched.
  • Adobe Flash and Shockwave updates – Adobe also released important Shockwave and Flash Player updates during Microsoft’s Patch Day. I talked about those earlier, too. Make sure to patch!
  • The dangers of losing your master password - A well-known security researcher, Jeremiah Grossman, shares a great anecdote on how very strong security practices can come back and bite you due to user error.

Direct YouTube Link: 

 (Runtime: 2:08)

Extra Stories:

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , , , , , , , , , , , ,

MS Black Tuesday: 12 Bulletins, 57 Flaws, and Lots of Work

February 12, 2013 by Corey Nachreiner 3 Comments

Though not the biggest on record, today’s Patch Day is no slouch.

As expected, Microsoft released a dozen security bulletins, fixing 57 vulnerabilities that affect a range of their software, including:

  • Windows (and its components)
  • .NET Framework
  • Internet Explorer (IE)
  • Exchange Server
  • Fast Search Server 2010

According to the summary alert, Microsoft rates five of the bulletins as Critical, which typically means remote attackers can exploit them to gain control of affected computers (usually with little to no user interaction). In general, I recommend you apply these Critical updates first.

In particular, I’d start with the two IE updates since attackers often target users with drive-by download attacks. Also, jump on the Exchange server update immediately, as it fixes an issue attackers could easily exploit with a specially crafted email and attachment—not to mention, your email server is a pretty critical asset.

Though not as serious as other issues, one of Microsoft’s alerts describes a Windows TCP/IP Denial of Service vulnerability, which it sounds like attackers could exploit with a single malicious packet. I haven’t seen this sort of “Ping of Death”-like DoS vulnerability in a while.

As always, I recommend you test the updates before deploying them to a production environment. If you don’t have time or resources to test all of them, at least try to test the server-related updates.

As an aside, WatchGuard’s IPS signature team gets early warning about Patch Day, and will release a new signature update that detects some of the described issues shortly. The have developed signatures for the following Patch Day-related issues:

  • CVE-2013-0015
  • CVE-2013-0018
  • CVE-2013-0019
  • CVE-2013-0020
  • CVE-2013-0021
  • CVE-2013-0022
  • CVE-2013-0023
  • CVE-2013-0024
  • CVE-2013-0025
  • CVE-2013-0026
  • CVE-2013-0027
  • CVE-2013-0028
  • CVE-2013-0029
  • CVE-2013-0030
  • CVE-2013-0077
  • CVE-2013-1313

We’ll post consolidated alerts throughout the day, sharing more details about these bulletins and updates. Stay tuned.  — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day: Feb. 2013

Editorial Articles
, , , , , , , , , , , , , ,
Older Entries

Follow

Get every new post delivered to your Inbox.

Join 7,132 other followers

%d bloggers like this: