Tag Archives: updates

Adobe Patch Day: Update for ColdFusion Zero Day and More

May 15, 2013 by Corey Nachreiner 1 Comment

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Reader and Acrobat, Flash Player, and ColdFusion
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Yesterday, Adobe released three security bulletins describing vulnerabilities in Reader and Acrobat, Flash Player, and ColdFusion. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. Attackers have been exploiting one of the ColdFusion issues in the wild, so we recommend you patch quickly.

The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day May 2013

  • APSB13-15: Multiple Reader and Acrobat  Memory Corruption Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 27 vulnerabilities that affect Adobe Reader and Acrobat X 11.0.2 and earlier, running on any platform (Windows, Mac, Linux).  Adobe’s alert only describes the flaws in minimal detail, but the majority of them involve memory corruption-related vulnerabilities, such as buffer overflows,  integer overflowsuse-after-free issues, and so on. For the most part, they share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit many of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 2 (Patch within 30 days) for most, though 1 for Windows systems with 9.x and below

  • APSB13-14: Multiple Flash Player Memory Corruption Flaws

Adobe’s bulletin describes 13 vulnerabilities in Flash Player running on all platforms (including Linux and Android). More specifically, the flaws consist of various memory corruption flaws. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe rates these flaws with their highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

  • APSB13-13: Critical Zero Day ColdFusion Vulnerability Patched

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. This bulletin fixes two serious vulnerabilities; one of which attackers are currently exploiting in the wild. We mentioned this zero day flaw in passing during last week’s security news video. Adobe’s bulletin doesn’t share many details, but the primary flaw is a remote code execution vulnerability. If you expose certain default ColdFusion directories, an attacker could exploit this flaw to execute code on you web server simply by sending specially crafted HTTP packets. Though not quite as bad, the second vulnerability allows attackers to remotely retrieve sensitive files from your server. Adobe rates these flaws Priority 1, so we highly recommend ColdFusion administrators update immediately–especially if you have public facing servers.

You can find a bit more detail about the zero day ColdFusion flaw in a security advisory Adobe released earlier this month.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

 

Download Adobe Reader

 

 

Download Adobe Flash Player

 

 

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Reader files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Reader or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block this Flash or Reader via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe  has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Security Updates
, , , ,

Office Patches Mend Word, Visio, Publisher, and Lync

May 14, 2013 by Corey Nachreiner 1 Comment

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word, Visio, Publisher, and Lync
  • How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix 14 vulnerabilities in a range of Microsoft Office products, including Word, Visio, Publisher, and Lync. We summarize these four security bulletins below, in order from highest to lowest severity.

  • MS13-041: Lync Remote Code Execution (RCE) Vulnerability

 Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from an unspecified memory corruption vulnerability that attackers could leverage to execute arbitrary code on your computer. If an attacker can convince one of your users to join a Lync or Communicator session containing specially crafted content, they could execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could gain complete control of affected computers. This flaw only affects certain versions of Lync and Communicator. See the “Affected and Non-Affected Software” section of Microsoft’s bulletin for more details.

Microsoft rating: Critical

  • MS13-042: Multiple Publisher Memory Corruption Vulnerabilities

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from eleven memory corruption vulnerabilities. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Publisher except 2013.

Microsoft rating: Important

Word is the popular word processor that ships with Office. It suffers from a remote code execution (RCE) vulnerability having to do with how it handles Word or RTF documents containing maliciously crafted shape data. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word and Word Viewer 2003.

Microsoft rating: Important

  • MS13-044 : Visio Information Disclosure Vulnerability

Microsoft Visio is a popular diagramming program often used to create network diagrams.  Visio suffers from a complex information disclosure vulnerability, involving the way it parses specially crafted XML content. At a high level, XTM documents can contain “external entities;” essentially text or binary data from an external location. If an attacker can entice one of your users into downloading and opening a malicious Visio document (containing XTM content), he can exploit this flaw to read data from files on the victim’s computer. This flaw affects all versions of Visio except 2013.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed a signature that can detect and block the Visio Information Disclosure issue:

  • EXPLOIT Microsoft Visio XML External Entities Resolution Vulnerability (CVE-2013-1301)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Security Updates
, , , , , , , , , ,

Trio of Windows Bulletins Correct Moderate Vulnerabilities

May 14, 2013 by Corey Nachreiner 1 Comment

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows or components often packaged with it (like the .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or running malicious programs locally
  • Impact:  Varies, ranging from a remote Denial of Service (DoS) attack to local attackers gaining complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that describe six vulnerabilities affecting Windows or components related to it (like the .NET Framework). They only rate these bulletins as Important, due to limited impact or mitigating factors. Each of these vulnerabilities affects different versions of Windows to varying degrees. In the worst case, a local attacker could exploit one of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates at your earliest convenience.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

The HTTP Protocol Stack (HTTP.sys) is a Windows component that listens for and handles HTTP requests before passing them to a web server like IIS. It suffers from a Denial of Service (DoS) vulnerability having to do with its inability to properly handle HTTP requests with specially malformed headers. By sending a specially crafted HTTP request, a remote attacker can leverage this flaw to cause your system to stop responding. While this sort of DoS attack doesn’t result in any breach or data loss, attackers can leverage it to knock your public web server offline, which could have significant business implications. You should download, test, and deploy Microsoft’s HTTP.sys update as soon as possible.

Microsoft rating: Important

  • MS13-040Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. The .NET Framework component suffers from two new security vulnerabilities.

The first issue is an XML digital signature spoofing vulnerability. XML files can contain digital signatures, which .NET applications can use to verify the integrity of XML files (ensuring they haven’t been improperly modified). However, the .NET Framework component (CLR) responsible for validating these signatures doesn’t do it right. As a result, attackers can modify the contents of an XML file without invalidating the signature. The impact of this flaw depends on if and how your custom .NET applications leverage this functionality.

The second issue is an authentication bypass vulnerability. The Windows Communication Foundation (WCF) is essentially a set of .NET APIs that developers can use to make applications that communicate securely with one another. However, WCF suffers from an authentication bypass flaw. By sending specially crafted packets, an attacker could gain unauthenticated access to computers that run WCF services. The impact of this bypass depends on your custom .NET application. If you custom application gives your users access to sensitive data, then in can pose a significant risk. If you install the .NET framework, you should download, test, and install Microsoft’s update as soon as you can.

Microsoft rating: Important

  • MS13-046Kernel-Mode Driver Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from three new local elevation of privilege flaws. They all differ technically, but share the same basic scope and impact. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers (or cause it to become unstable). However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows and .NET Framework patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

  • WEB Microsoft Windows 2012 Server HTTP.sys Denial of Service Vulnerability (CVE-2013-1305)
  • EXPLOIT Microsoft XML Digital Signature Spoofing Vulnerability (CVE-2013-1336)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Security Updates
, , , , , , , ,

Microsoft Black Tuesday: Fix for IE8 Zero Day and More

May 14, 2013 by Corey Nachreiner 5 Comments

Calling all Microsoft administrators. It’s time to spin up your virtual test machines and download, test, and deploy May’s batch of Microsoft security updates. This month’s theme is IE updates; with a focus on a recent IE zero day vulnerability, as well as a continuation of the “use after free” vulnerability theme I commented on last month.

According to their summary post, Microsoft released ten security bulletins today, fixing around 33 security vulnerabilities in many of their popular products. The affected software includes Internet Explorer (IE), Windows and related components, products from the Office suite (Word, Visio, and Publisher), Lync, and Windows Essentials. Microsoft rates the IE updates as Critical, and the rest as Important.

As I mentioned earlier, today’s theme definitely centers around IE. Last week’s security video covered how attackers have recently been exploiting a zero day IE8 vulnerability in the wild—most notably against the Department of Labor web site. One of today’s updates completely fixes this serious flaw. The other IE update continues to fix more “use after free” vulnerabilities, a class of memory corruption flaws that researchers and attackers have focused on lately. I highly recommend you install today’s IE updates immediately, then follow with the Windows and Office updates.

As an aside, Microsoft also released or updated four security advisories today. One of the updates has to do with one of today’s bulletins, but the other three are new. Once you’re finished handling today’s patches, you should check out Microsoft’s security advisory page as well.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s May bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles
, , , , , , , , , , , , , , , , ,

WatchGuard Security Week in Review: Text Edition

May 3, 2013 by Corey Nachreiner 1 Comment

Welcome to our weekly network and information security (Infosec) news highlights. Typically, I deliver these security highlights as a short video. However, I’m traveling this week for both business and personal reasons, and was unable to produce the video version during my hectic travel schedule. The video will return next  week from the Interop IT conference in Vegas. Until then, enjoy this text summary of the biggest Infosec stories from the week.

This week’s stories includes a big credential leak, the hijacking of a government web site, and news of a flaw in Google’s latest wearable computer. Read below for more details, and join us next week when the video version returns:

  • Living Social breach leaks 50mil user credentials - Attackers breached Living Social’s network and made off with the personal info of 50 million users. The stolen information included things like your email address, date of birth, and your hashed password. Though the passwords were hashed, attackers can still leverage brute force attacks to figure out the weaker ones of the bunch. If you use Living Social, you need to change your password immediately. More importantly, if you use the same password at other sites, stop doing that and change your passwords there too.
  • Latest on the mysterious Apache web site mass hijackings - Over the past few months, we’ve pointing out multiple incidents where thousands of Apache web servers were hijacked with a very sneaking backdoor. While researchers understood the complex backdoor attackers were injecting, no one really knew how attackers were initially gaining access to vulnerable sites (though many suspected Cpanel or WordPress vulnerabilities). In any case, ESET and Sucuri have released new research on the complex backdoor used in this attack campaign. It’s a very interesting read for the security conscious and a must-read for web administrators. Thanks to our friend and reader, Ryan, for pointing out this new research.
  • Hackers pwn Google Glass - You’ve probably seen Google Glass; the latest wearable computer. It’s not really out yet, but a group of select developers with cash to spare have gotten their hands on preview copies of this interesting new product. This week, one of those developers have learned how to jailbreak or root the device. Jailbreaking or rooting are terms used to describe when a user gains full administrative control of a device that was somehow locked down by the manufacturer. Usually, the devices owner is the one that wants to root a device, in order to do things that the manufacturer didn’t originally intend. However, the techniques used to root devices often leverage software vulnerabilities, which attackers could also leverage to take full control of your device. Obviously, you don’t want that. In any case, Google Glass is really still in beta, and not available to consumers. I wouldn’t be overly worried about this supposed flaw, as I’m sure Google will correct it before the official release.  Still, an interesting read.
  • Reader vulnerabilities allows attackers to track PDF documents - Mcafee discovered an Adobe Reader flaw that attackers could leverage to find out when users open a particular Reader document, and what IP there are opening it from. This is not a critical issue, in that attackers can’t leverage it to execute code, but it does pose a privacy risk. There is no fix for the flaw yet, but you should expect one in an upcoming release.
  • Chinese attackers force Department of Labor site to serve malware - According to Alienvault, the Department of Labor web site was hijacked by China-based attackers,  and then forced to serve malicious code, which then tries to infect anyone that visits the site.  The Department of Labor has since cleaned their site, but if you happen to have visited it lately you should definitely scan your computer for malware.
  • Serious Flaw in IBM Notes - It’s hard for me to imagine anyone still using the Notes email client, but I have learned there are still some of you out there. This week, researchers reported a serious security flaw in this client, involving how it handles Java applets and javascript. IBM plans to fix the flaw soon, but until then you should disable javascript and Java applets in the Notes client.
  • State-sponsered attackers breach US government defense contractor - Investigators find evidence of a long term breach of a US defense contracter that makes some pretty interesting defense and spy gear.

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , , , , , , , , , ,

Adobe Patch Day: Patches for Flash, Shockwave, and ColdFusion

April 9, 2013 by Corey Nachreiner 0 Comments

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Flash Player, Shockwave Player, and ColdFusion
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released three security bulletins describing vulnerabilities in Flash Player, Shockwave Player, and ColdFusion. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day: April 2013

  • APSB13-11: Four Flash Player Memory Corruption Flaws

Adobe’s bulletin describes four vulnerabilities in Flash Player running on all platforms. More specifically, the flaws consist of various memory corruption and integer overflow flaws. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

They assign these flaws their highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

  • APSB13-12: Four Shockwave Player Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin describes four security vulnerabilities that affect Shockwave Player running on Windows and Macintosh computers. All of the flaws consist of memory corruption issues (one being a buffer overflow) that share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB13-10: Two Unspecified ColdFusion Vulnerabilities

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from two security vulnerabilities that Adobe does not describe in much technical detail. They describe one flaw as a vulnerability that allows an attacker to impersonate an authenticated user (CVE-2013-1387), and the other as a flaw that could allow an unauthenticated attacker to gain access to the administrative console. Other than that, the bulletin shares very little about the scope or impact of these flaws, so we’re unsure how easy or hard it is for attackers to leverage them. They rate both vulnerabilities as Priority 2 issues, which is essentially their medium severity rating.

Adobe Priority Rating(Patch within 30 days)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Shockwave files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block this Flash or Shockwave via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe  has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Security Updates
, , , ,

Windows Updates Fix Critical RDC Flaw, and More

April 9, 2013 by Corey Nachreiner 1 Comment

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and some of the components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including luring users to web sites with malicious code or sending specially crafted network packets
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Update do it for you.

Exposure:

Today, Microsoft released six security bulletins that describe around ten vulnerabilities affecting Windows or components related to it, such as Remote Desktop Client, Active Directory, and the Antimalware client (part of Windows Defender in Windows 8). Each of these vulnerabilities affect different versions of Windows to varying degrees. A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-029: Remote Desktop Client Code Execution Vulnerability

Remote Desktop Protocol (RDP) is a Microsoft networking protocol that allows you to view and control the desktop of one Windows computer from another networked computer. Windows ships with the Remote Desktop Client to support this functionality. According to Microsoft, an ActiveX control the Remote Desktop Client uses suffers from a “use after free” vulnerability, which remote attackers can exploit to execute arbitrary code on your system. The attacker would simply have to entice you to a web site containing malicious code to trigger the flaw. As is typical with Windows vulnerabilities, the attacker would gain your privileges, and if you’re a local administrator that means full control of your system.

Microsoft rating: Critical

  • MS13-031: Two Kernel Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. The Windows kernel suffers from two race condition vulnerabilities, which attackers can leverage to  elevate their privilege. Though the flaws differ technically, the share the same scope and impact. By running a specially crafted program, a local attacker could exploit this flaw to gain complete control of your PC. However, the attacker would first need to gain local access to your Windows computer using valid credentials. This factor significantly reduces the severity of the issue

Microsoft rating: Important

  • MS13-032: Active Directory Memory Consumption Flaw

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with server versions of Windows. AD suffers from a memory consumption vulnerability having to do with it’s inability to properly handle specially crafted LDAP queries. By sending a malicious LDAP query to an AD server, an attacker can exploit this flaw to force the server’s LDAP service to stop responding, putting it into a Denial of Service (DoS) state. However, administrators typically limit LDAP access to their local network, so this vulnerability primarily poses an internal threat.

Microsoft rating: Important

  • MS13-033CSRSS Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from a local privilege elevation issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

  • MS13-034: Antimalware Client Elevation of Privilege Vulnerability

The Antimalware Client is a free host-based security program that does just what you’d expect; protects Windows systems from malicious software (viruses, worms, trojans, etc.) loosely known as malware. It ships with Windows Defender, which comes with Windows 8. It also suffers from a local privilege elevation issue having to do with its inability to handle improper pathnames. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the risk of this flaw. This issue primarily affects Windows 8 computers.

Microsoft rating: Important

  • MS13-036Multiple Kernel-Mode Driver Vulnerabilities

As mentioned above, the kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers five different privilege elevation vulnerabilities. The vulnerabilities differ technically  but share the same scope and impact. By running a specially crafted program, a local attacker can leverage any of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of these issues.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed a new signature that can detect and block the Remote Desktop Client vulnerability described above:

  • WEB-ACTIVEX Microsoft RDC ActiveX Control Remote Code Execution Vulnerability (CVE-2013-1296)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Security Updates
, , , , , , , , , , ,

WatchGuard Security Week in Review: Episode 55 – SSL/TLS Weakness

March 15, 2013 by Corey Nachreiner 6 Comments

Lots of Patches, Celebrity Hacks, and a SSL/TLS Weakness

If you’re anything like the average IT professional, you’re probably too busy putting out proverbial IT helpdesk fires, and installing new business IT solutions to spend much time each week staying on top of the latest security news and threats. That’s where we come in! For a quick recap of the biggest information and network security news from the week, check out the YouTube video below.

In this episode, I cover a ton of software updates from the week (it was Patch Day after all), the latest celebrity hack incident, an ironic breach of a security organization’s web site, and yet another weakness in the SSL/TLS encryption protocol. I even share a tip on how webmasters can learn to recover from web site hacks.

Enjoy the episode, and share your thoughts, suggestions, and questions in the comment section below. You can also find more details about these stories in the Reference section. Thanks for watching, and enjoy your St. Patty’s Day weekend.

(Episode Runtime: 11:00)

Direct YouTube Link: http://www.youtube.com/watch?v=yD6wNDXVsHE

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , , , , , , , , , , , , , , , , , , , , , ,

Silverlight and Windows Kernel-Mode Driver Patches

March 12, 2013 by Corey Nachreiner 3 Comments

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Windows and Silverlight 5 (For PC and Mac)
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web content or running specially crafted programs
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins that describe four vulnerabilities in Windows and the Silverlight component, which is commonly installed with it. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical one – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-022.NET Framework and Silverlight Code Execution Flaw

Silverlight is a cross-platform and cross-browser software framework used by developers to create rich media web applications. It suffers from something experts call a double dereference vulnerability involving how Silverlight handles specially crafted HTML objects. If an attacker can lure one of your Silverlight users to a malicious web site (or a legitimate site booby-trapped with malicious code), he can exploit this flaw to execute code on that user’s computer, with the user’s privileges. As usual, if you are a  local administrator, the attacker could exploit this to gain full control of your machine.

Microsoft rating: Critical

  • MS13-027 :  Three Kernel-Mode Driver Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from three local elevation of privilege flaws having to do with how it improperly handles objects in memory. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your Windows computer or trick you into running it yourself, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows and Silverlight patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Attackers can exploit some of these flaws locally. Since your gateway XTM appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Security Updates
, , , , ,

Microsoft Black Tuesday: Security Flaws in a Menagerie of Products

March 12, 2013 by Corey Nachreiner 3 Comments

Though today’s Patch Day might seem pretty average as far as the number of security bulletins released, it does cover a rather eclectic range of Microsoft products. In fact, a few of the updates affect Mac users as well, and one is even exclusive to Mac.

During today’s Patch Day, Microsoft released seven security bulletins fixing  20 vulnerabilities in the following products:

  •  Windows (all versions)
  • Internet Explorer (IE)
  • Office Suite updates
    • Visio Viewer 2010
    • SharePoint Server 2010
    • OneNote 2010
    • Office Outlook for Mac
  • Silverlight 5 (For PC and Mac)

They rate four of the bulletins as Critical, and three as Important. Many of the Critical issues can allow remote attackers to execute code on affected systems. So we highly recommend you patch them quickly.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s March bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles
, , , , , , , , , , , ,
Older Entries

Follow

Get every new post delivered to your Inbox.

Join 7,118 other followers

%d bloggers like this: