Tag Archives: updates

Oracle CPU – WSWiR Episode 103

Oracle Patches, Heartbleed Update, and Cool Gaming Hacks

Information security has become a hot topic, with tens of new infosec articles and issues showing up each week. Perhaps you’re concerned with the latest security news, but don’t have to time to keep up with it among your other administrative tasks. If that sounds like you, check out my weekly infosec news video for a quick summary of the week’s most interesting stories.

Today’s episode is quite simple. I quickly cover Oracle’s April Critical Patch Update (CPU), share some interesting Heartbleed vulnerability updates, and end with a fun, gaming-related hack to cap off the week. Watch the video below, and browse the Reference section for links to more stories and details.

Have a great Easter weekend.

(Episode Runtime: 6:42)

Direct YouTube Link: https://www.youtube.com/watch?v=NtwbM82vVF0

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Windows File Handling Remote Code Execution Flaw

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: By tricking your users into running a .bat or .cmd file from a network location
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

As part of Patch Day, Microsoft released a Windows security bulletin describing a code execution vulnerability involving the way it handles .bat and .cmd files, otherwise known as Windows batch files. Windows batch files allow you to write multiple, scripted commands which will run together (as a batch) when you run the file. Window’s suffers from a vulnerability in they way they process these files, which attackers could exploit to execute arbitrary code. If an attacker can trick one of your users into running a .bat or .cmd file from a network location, they could exploit this issue to execute any code with that user’s privileged. In most Windows environments, users have local administrator privileges, so this attack could give hackers full control of your machine.

That said, this flaw takes significant user interaction to succeed, and most savvy Windows users know batch files could be dangerous, and don’t run them randomly. Nonetheless, we recommend you patch Windows as soon as you can.

Also note, this will be the last security update for Windows XP. If you haven’t figured out your Windows XP migration path yet, you really should start thinking about it. That said, security companies like WatchGuard will continue to develop IPS and anti-malware signatures to detect and block threats against Windows XP systems. If you absolutely cannot upgrade XP, be sure to at least implement IPS, AV, and UTM systems to protect your vulnerable computers.

Solution Path:

Microsoft has released updates that correct this vulnerability. You should download, test, and deploy the appropriate update throughout your network as soon as you can. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate some of the risk of this flaw (such as allowing you to block .bat and cmd files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit it over the local network too. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Word 0day Fix & More

Microsoft’s monthly Patch Day went live earlier today. As expected they released four security bulletins, fixing flaws in Windows, Internet Explorer (IE), and Office. Microsoft rates two of the bulletins as critical, one that fixes Word vulnerabilities (including a zero day one I warned about earlier) and another that fixes IE flaws.

If you use the affected Microsoft products, you should apply these patches as soon as you can. I’d apply the updates in the order Microsoft recommends; the Word update first, the IE one second, and the Windows and Publisher updates last.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day.  However, I am currently traveling in Asia, so my blog posts may be late due to timezone issues and travel. So I recommend you check out the April bulletin summary in the meantime, if you’d like an early peek. Also, keep in mind that Adobe released a Flash update today as well. — Corey Nachreiner, CISSP (@SecAdept).

Only Four Microsoft Security Bulletins in April

Yesterday, Microsoft released their advanced notification, warning that they plan to release four security bulletins next Tuesday. The bulletins will include patches for Windows, Office, and Internet Explorer, and two have received Microsoft’s Critical severity rating. I suspect the Office updates will include a fix for the recent zero day Word flaw I mentioned in an earlier post.

Also note, April’s Patch Day marks the last time Microsoft will release Windows XP updates. They’ve been warning about XP’s End-of-Life for awhile now, and it’s finally upon us. Though some people think Microsoft’s using the opportunity to force people to upgrade, I believe XP has hung around longer than any operating system before it (13 years), and frankly it’s about time you update. I suspect hackers are holding onto an XP zero day or two, so it may be dangerous to keep it around much longer. That said, WatchGuard will continue to release IPS signatures for any future XP network flaws and AV signatures for XP malware.

In any case, I’ll post details about Microsoft bulletins next week, and if Adobe releases any updates you’ll hear about them here too. — Corey Nachreiner, CISSP (@SecAdept)

Four Windows Updates: Hijack Windows with Malicious Images

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like Silverlight)
  • How an attacker exploits them: Multiple vectors of attack, including luring users into viewing malicious images
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as Silverlight. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-013DirectShow JPEG Handling Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams, images, and files. It suffers from an unspecified memory corruption vulnerability having to do with how it handles specially crafted JPEG (JPG) images. By getting your users to view such a malicious image, perhaps via a web site or email, an attacker could leverage this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, the attacker gains full control of the users’ machines.

Microsoft rating: Critical

  • MS14-015:  Multiple Kernel-Mode Driver Code Execution Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from two security vulnerabilities. The worst is an elevation of privilege flaw having to do with it handles memory. In a nutshell, if a local attacker can run a specially crafted application, he could leverage this flaw to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability. The second issue could allow attackers to gain access to information in restricted sections of your computer’s memory, but doesn’t pose as high a risk as the first.

Microsoft rating: Important

  • MS14-016:  SAMR Lockout Bypass Vulnerability

The Security Account Manager or SAM file is a database file on Windows computers that contains all the hashed user credentials. The Security Account Manager Remote (SAMR) protocol is a client-to-server communication protocol Windows uses to check credentials against a SAM database. SAMR suffers from a flaw that allows attackers to bypass its user lockout feature. Windows allows you to lockout a user who has entered the wrong password a certain number of times. This makes it harder for attackers to launch “brute-force” password cracking attacks, since it limits the amount of failed password attempts. However, by sending specially crafted SAMR messages, an attacker can bypass this lockout feature, and try unlimited passwords against your Windows system. While this doesn’t directly give the attacker access to your computer, it does allow attackers on your local network to try and brute-force your passwords.

Microsoft rating: Important

  • MS14-014:  Silverlight DEP/ASLR Bypass Flaw

Silverlight is a cross-platform and cross-browser software framework used by developers to create rich media web applications. Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems (OS) use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Data Execution Prevention (DEP) is another such feature that makes it hard for attackers to execute code from memory. Unfortunately, Silverlight does not implement Windows’ DEP and ASLR protection properly. This means that it’s relatively easy for attackers to exploit any memory corruption flaws in Silverlight. By itself, this bypass flaw is worthless. It doesn’t give an attacker access to your computer. However, assuming attackers find memory corruption flaws in Silverlight, this bypass flaw would make it easier for them to exploit those flaws to execute code. You should apply this update simply to improve the general security of Silverlight.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as allowing you to block .jpg files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Patch IE Zero Day & Windows Vulnerabilities

Microsoft’s March Patch Day is live, and looks to be by the numbers. As expected, they released five bulletins, including one that contains a fix for a zero day vulnerability in Internet Explorer. Their Patch Day summary highlights five security bulletins that fix 23 vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows and its various components, such as Silverlight. They rate two of these bulletins as Critical, and the rest as Important.

MS Patch Day: March 2014As I mentioned in my notification post, the most important update this month is the IE cumulative patch. Besides fixing 23 memory corruption flaws, many of which attackers could exploit to execute code, one specifically fixes a critical zero day flaw which attackers have been leveraging in watering hole attacks. Though Microsoft released a Fix-it for this vulnerability a few weeks ago, this update completely corrects the underlying issue. Make sure to install the IE update on all your clients as soon as possible. Hopefully, you already have Automatic Updates set to do it for you. Of course, you should also install the Windows updates too, especially the DirectShow one. If an attacker can trick one of your users into viewing a malicious JPEG image, he could exploit it to gain control of that user’s computer, with their privileges. You don’t want that.

While we are talking about Windows updates, let me take this time to continue to remind you that these updates are among the last that Windows XP will receive. XP users will likely see a few more updates next month, but after than it goes End-of-Life. Hopefully, most of you are saying, “Why do I care? I’ve been using Windows 7 or above for years.” But for the stragglers out there, you might want to consider upgrading to a more recent version of Windows. While I don’t want to come off as promoting Microsofts “upgrade” sales message, I do believe XP will likely pose more risk once the official updates stop. It seems very likely that some cyber attacker (or nation-state groups) out there are sitting on a zero day XP exploit or two; saving them until after Microsoft’s fixes run out. You might want to get away from XP before that happens.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day. Meanwhile, check out the March  bulletin summary now, if you’d like an early peek. — Corey Nachreiner, CISSP (@SecAdept).

March’s Patch Day Includes an IE Zero Day Fix

It’s almost that time of the month again. Next week is Microsoft Patch day, and here’s what you can expect.

MS Patch Notification: March 2014According to Microsoft’s advanced notification, next week’s Patch Day should be fairly light, and relatively simple. The Redmond-based software company plans to release five security bulletins, fixing flaws in Windows, Internet Explorer (IE), and Silverlight. They rate two updates as Critical and the rest as Important. The biggest news about these updates is that the IE one will completely fix the zero day flaw that attackers have been exploiting in the wild, in watering hole attacks. So at the very least, you should prepare to install the IE update as soon as you can next week.

In related news, Adobe also shares Microsoft’s Patch Day. They haven’t announced if they will release any updates yet (they just recently released that emergency Flash one), but I would keep an eye on their security page next Tuesday. In any case, I’ll post details about Microsoft bulletins next week, and if Adobe releases any updates you’ll hear about them here. — Corey Nachreiner, CISSP (@SecAdept)

Windows Updates Fix Code Execution, DoS, and Privilege Elevation Flaws

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like the .NET Framework and VBScript Engine)
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites or into viewing malicious vector graphics
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing seven vulnerabilities in Windows and its components. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-011VBScript Code Execution Vulnerability

VBScript is a scripting language created by Microsoft, and used by Windows and its applications. The VBScript Scripting Engine, which ships with Windows, suffers from an unspecified memory corruption vulnerability having to do with its inability to properly handle certain objects in memory when rendering script for Internet Explorer (IE). By enticing you to a specially crafted web page, an attacker could leverage this flaw to execute code on your computer with your privileges. If you have admin rights, then The attacker gains computer control of your computer.

Microsoft rating: Critical

  • MS14-007:  Direct2D Memory Corruption Vulnerability

DirectX is a multimedia development API, primarily used by programmers to make games for Windows and to handle multimedia. It includes Direct2D, a component Windows uses to render two dimensional vector graphics. Direct2D suffers from a memory corruption vulnerability having to do with how it improperly handles specially crafted vector figures. By enticing you to open a malicious vector graphic, an attacker can exploit this flaw to execute code on your system, with your privileges. Of course, if you have administrative privileges, as most Windows users do, the attacker gains complete control of your computer. Since this vulnerability requires some user interaction to succeed, Microsoft assigns it an Important severity rating.

Microsoft rating: Important

  • MS14-009Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. The .NET Framework suffers from three new security vulnerabilities, including an elevation of privilege flaw, a denial of service (DoS) vulnerability, and an issue that allows attackers to bypass one of Windows’ security features (Address Space Layout Randomization or ASLR). The worst of the three is the elevation of privilege flaws. Without going into technical detail, if an attacker can entice one of your users to visit a malicious .NET web page or run an .NET application locally, she can exploit this flaw to gain full control of that user’s system.

Microsoft rating: Important

  • MS14-005:  MSXML Information Disclosure Flaw

Microsoft XML Core Services (MSXML)  is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It ships with various versions of Windows, and other Microsoft products. If you have a Windows computer, you very likely have MSXML. MSXML suffers from an information disclosure vulnerability due to a flaw in the way it handles cross-domain policies. By luring your users to a malicious web site or specially crafted link, an attacker could exploit this flaw to gain access to some of the files on that user’s computer.

Microsoft rating: Important

Windows ships with a TCP/IP stack used to handle network traffic, and this stack now supports  IPv6. Unfortunately, the Windows IPv6 TCP/IP stack suffers from a denial of service vulnerability involving the way it handles large amounts of specially crafted router advertisement messages.  If an attacker on your local network sends a large amount of such packets, he can cause your Windows computer to stop responding. Of course, the attackers needs to be on the same subnet as the victim, with relegates this primarily to an insider threat. 

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

  • WEB Microsoft ASP.NET POST Request DoS Vulnerability (CVE-2014-0253)
  • WEB-CLIENT Microsoft Graphics Component Memory Corruption Vulnerability (CVE-2014-0263)
  • WEB-CLIENT Microsoft MSXML Information Disclosure Vulnerability (CVE-2014-0266)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: IE Fix Leads the List of Critical Updates

Today’s Microsoft Patch Day will probably be a bit busier than expected. It looks like Microsoft called a last minute audible, releasing seven security bulletins rather than the five I mention in last week’s security video. The good news is this last minute play change might help your security team win the game by providing your users with a more protected web browser.

Microsoft Patch Day: Feb, 2014

Microsoft Patch Day: Feb, 2014

February’s Patch Day summary highlights seven security bulletins that fix 32 vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows and its various components, and Forefront Protection for Exchange. They rate four of these bulletins as Critical, and the rest as Important.

This month, the most important updates are probably the most unexpected ones. Microsoft’s original advisory suggested they planned on releasing updates for Windows and one of their security products (which we now know is Forefront Protection), but they had not mentioned the IE or VBScript updates they released today. However, both these unexpected updates make great additions to this month’s Patch Day. The IE cumulative patch fixes 24 serious vulnerabilities, including one disclosed publicly; many of which attackers can leverage to execute code in drive-by download attacks. Though Microsoft hasn’t seen anyone exploiting these flaws in the wild yet, I expect attackers will surely reverse this update and start exploiting these flaws soon. The VBscript update is no slouch either, as it too fixes a code execution flaw. If bad guys can entice you to a web page with malicious code, they can use these flaws to”pwn” your computer.

Of course, you shouldn’t ignore the expected updates either. Two of them—the critical flaws in Direct2D and Forefront Protection for Exchange—also allow remote attackers to execute code on your systems. In short if you are a Microsoft administrator, you should apply today’s critical updates as soon as you can, and take care of the Important while you’re at it. In general, I recommend you test Microsoft updates before deploying them throughout your production network, especially server related updates that affect critical production servers. This is probably especially this month, for the two surprise updates. Since the IE and VBScript updates came out a bit earlier than expected, they may not have gone through as rigorous a QA process as usual. You might want to give them a whirl on non-production machines, or your virtual testing environment before sharing them with your users.

For more details on today’s Patch Day, check out the February bulletin summary now, or wait for our detailed, consolidated alerts which I’ll post on the blog through the day. — Corey Nachreiner, CISSP (@SecAdept).

Adobe Patch Day: Flash and Reader Updates Fix Five Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Flash Player, Reader XI, and Acrobat XI (and Adobe Air)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released or updated two security bulletins that describe vulnerabilities in two of their popular software packages; Flash Player and Reader/Acrobat X.

Adobe Patch Day, Jan 2014

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:

  • APSB14-01: Trio of Reader and Acrobat Memory Corruption Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes three vulnerabilities that affect Adobe Reader and Acrobat XI 11.0.05 and earlier, running on Windows and Macintosh.  Adobe doesn’t describe the flaws in much technical detail, but does note that they involve integer overflow and memory corruption issues. They all share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB14-02: Flash Player Code Execution Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe’s bulletin describes two serious flaws in Flash Player 11.9.900.170 and earlier for all platforms. They don’t describe the  vulnerabilities in much technical detail, just mentioning that one allows you to “bypass security protections” and the other allows you to defeat Address Space Layout Randomization (ASLR), which is a memory obfuscation technique that some software uses to make it harder for attackers to exploit memory corruption flaws. They do, however, describe the flaws’ impacts. In the worst case, if an attacker can lure you to a web site, or get you to open documents containing specially crafted Flash content, he could exploit a combination of these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Follow

Get every new post delivered to your Inbox.

Join 7,384 other followers

%d bloggers like this: