
MS Black Tuesday: 12 Bulletins, 57 Flaws, and Lots of Work

Though not the biggest on record, today’s Patch Day is no slouch.

As expected, Microsoft released a dozen security bulletins, fixing 57 vulnerabilities that affect a range of their software, including:

  • Windows (and its components)
  • .NET Framework
  • Internet Explorer (IE)
  • Exchange Server
  • Fast Search Server 2010

According to the summary alert, Microsoft rates five of the bulletins as Critical, which typically means remote attackers can exploit them to gain control of affected computers (usually with little to no user interaction). In general, I recommend you apply these Critical updates first.

In particular, I’d start with the two IE updates since attackers often target users with drive-by download attacks. Also, jump on the Exchange server update immediately, as it fixes an issue attackers could easily exploit with a specially crafted email and attachment—not to mention, your email server is a pretty critical asset.

Though not as serious as other issues, one of Microsoft’s alerts describes a Windows TCP/IP Denial of Service vulnerability, which it sounds like attackers could exploit with a single malicious packet. I haven’t seen this sort of “Ping of Death”-like DoS vulnerability in a while.

As always, I recommend you test the updates before deploying them to a production environment. If you don’t have time or resources to test all of them, at least try to test the server-related updates.

As an aside, WatchGuard’s IPS signature team gets early warning about Patch Day, and will release a new signature update that detects some of the described issues shortly. They have developed signatures for the following Patch Day-related issues:

  • CVE-2013-0015
  • CVE-2013-0018
  • CVE-2013-0019
  • CVE-2013-0020
  • CVE-2013-0021
  • CVE-2013-0022
  • CVE-2013-0023
  • CVE-2013-0024
  • CVE-2013-0025
  • CVE-2013-0026
  • CVE-2013-0027
  • CVE-2013-0028
  • CVE-2013-0029
  • CVE-2013-0030
  • CVE-2013-0077
  • CVE-2013-1313

We’ll post consolidated alerts throughout the day, sharing more details about these bulletins and updates. Stay tuned.  — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day: Feb. 2013

Microsoft Piles on Patches Next Tuesday

February looks to be a busy month for Microsoft administrators. According to the latest Advance Notification, the Redmond-based software company plans to release a dozen security bulletins next Tuesday. The bulletins will fix security flaws in Windows, Internet Explorer (IE), Office, the .NET Framework, and Exchange Server. Microsoft rates five of the bulletins as Critical, and the rest as Important.

In the middle of last month, Microsoft released an out-of-cycle IE update to fix a flaw attackers were leveraging in the wild. It appears that update didn’t fix everything in IE since at least two of the upcoming bulletins affect the popular web browser.

As always, we’ll share more about these updates, and the vulnerabilities they correct, next week. You can also expect our IPS signature team to have signatures prepared for any known exploits that Microsoft shares with us. In the meantime, prepare your IT team for a pretty full plate of patches. — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day: Feb. 2013

WatchGuard Security Week in Review: Episode 49 – Expelled Hacker

Red October, Cisco WLAN Updates, and Expelled Hacker

Welcome to another “on the road” edition of WatchGuard Security Week in Review, the video podcast dedicated to summarizing the biggest InfoSec stories each week. This week’s episode covers a Cisco wireless controller security update, Kaspersky’s investigation into the Red October cyber-espionage campaign, and the controversy surrounding an expelled “white hat” hacker. For more details on those stories and others, watch the short video below. You can also check out the Reference section for more details on any of these topics.

(Episode Runtime: 6:48)

Direct YouTube Link: http://www.youtube.com/watch?v=Q08Gcu_7EXo

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 48 – 0day Updates

0Day Updates, Oracle Patches, and Mobile Botnets

Better late than never, right?

This week’s security video summary comes a tad late due to my travel schedule this week. It covers updates on the two latest zero day exploits, Oracle’s critical patch update, and stories about a mobile phone botnet and a US power plant breach. Click play below to watch the short episode, or check out the References for more details.

Next week’s episode may also post at a weird time due to continued travel.

(Episode Runtime: 5:11)

Direct YouTube Link: http://www.youtube.com/watch?v=d1xVktaX_1o

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Out-of-Cycle IE Patch Mends Zero Day Vulnerability

Summary:

  • This vulnerability affects: Internet Explorer 6 through 8 (9 and 10 are not affected)
  • How an attacker exploits it: Usually, by enticing one of your users to visit a malicious web page
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patch immediately, or let Windows Automatic Update do it for you

Exposure:

In a previous post, we warned you of a zero day “use after free” vulnerability that affected Internet Explorer (IE) 6 through 8. By luring one of your users to a web site containing malicious code, a remote attacker could exploit the vulnerability to execute code on that user’s computer, with that user’s privileges. As always, if the user has local administrator privileges, the attacker could exploit this issue to gain complete control of the computer. At the time, Microsoft hadn’t fixed this newly discovered flaw, but had released a FixIt that could mitigate its risk.

This week, Microsoft released an out-of-cycle security bulletin containing a full patch for this issue. Attackers are still exploiting this flaw in the wild, so it poses a significant risk. If you use IE 6, 7, or 8, you should patch IE immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from this flaw.

Status:

Microsoft has released a patch to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

WatchGuard Security Week in Review: Episode 47 – Piles of Patches

Critical Java 0Day, Piles of Patches, and More

Ready for a weekly dose of InfoSec? This episode has a strong “patch” theme, with many vendors releasing some big security updates this week. Besides the patches, I also cover a few new 0day exploits, including a serious Java one getting leveraged quite a bit in the wild, and a couple of crazy-sounding security-related news items. If you want all the details, click play below, or check out the Reference section.

Note: I will be traveling the next few weeks. I still plan on trying to post the weekly video, but it may be shorter, less produced, and arrive at odd hours due to travel.

(Episode Runtime: 9:17)

Direct YouTube Link: http://www.youtube.com/watch?v=AkNqamIAPs8

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Minor Microsoft System Center Operations Manager XSS Vulnerabilities

Besides all the Windows and Windows component-related bulletins from today, Microsoft also released a relatively minor bulletin about two cross-site scripting (XSS) vulnerabilities that affect Microsoft System Center Operations Manager (SCOM) 2007.

For those unaware of this specialized product, SCOM is a centralized, cross-platform management system for operating systems and hypervisors, targeted to data centers. It basically helps network operators monitor the health of all their systems, and offers these management capabilities via a web interface.

According to today’s security bulletin, SCOM’s web console suffers from two XSS vulnerabilities. If an attacker knows you use Microsoft SCOM, and can entice you to click on a specially crafted URL, she could exploit this flaw to execute script in your browser with your privileges. Among other things, this could allow the attacker to do anything on your SCOM server that you could do.

I don’t suspect the majority of WatchGuard’s customers use SCOM, and even if you do, it’s relatively difficult for an attacker to know whether you use it or not. So I doubt many attackers will leverage this vulnerability in the wild. That said, if you do use SCOM, you should apply Microsoft’s update. Furthermore, if you use one of our XTM appliances with the IPS service, we have a signature (EXPLOIT Microsoft SCOM Web Console XSS Vulnerability) that detects this XSS attack. — Corey Nachreiner, CISSP (@SecAdept)
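Microsoft’s bulletin gives no detail of the SCOM flaw itself, so here is an added example (not SCOM code, and not from the original post) of the pattern it describes, written in Python. A toy web console echoes a query-string parameter into its page twice, once as body text and once inside an attribute value, and a crafted link carries script in that parameter. render_unsafe() interpolates the raw term, render_safe() HTML-encodes it, and dangerous() parses the result the way a browser would to see whether a script tag or an on* event handler came out of the link. The page template, the console host name and the two attack links are constructed for the example.

```python
"""Reflected XSS via a crafted URL: vulnerable rendering beside the fix.

Added example; not SCOM code and not from the original post. TEMPLATE,
the host name and the attack links are constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed page template: the term lands in body text and in an attribute.
TEMPLATE = ('<h1>Results for: {body}</h1>\n'
            '<input name="q" value="{attr}">')


def term_from_url(url):
    """The q= parameter of the link the victim clicked, as the console reads it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_unsafe(url):
    """Interpolates the raw term: whatever the link carries becomes markup."""
    term = term_from_url(url)
    return TEMPLATE.format(body=term, attr=term)


def render_safe(url):
    """escape() turns < > & " ' into entities, so the term can neither open a
    tag in the body nor close the quoted attribute value."""
    enc = escape(term_from_url(url), quote=True)
    return TEMPLATE.format(body=enc, attr=enc)


class _StartTags(HTMLParser):
    """Collects (tag, attributes) pairs the way a browser would tokenize them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def dangerous(html):
    """True if the rendered page contains a script element or any on* handler."""
    parser = _StartTags()
    parser.feed(html)
    return any(tag == "script" or any(a.startswith("on") for a in attrs)
               for tag, attrs in parser.tags)


# Constructed attack links an attacker might send to a console operator.
# TAG_LINK injects a script element into the body context;
# ATTR_LINK closes the value="" quote and adds an autofocus/onfocus handler.
TAG_LINK = ("https://console.example/search?"
            "q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E")
ATTR_LINK = ("https://console.example/search?"
             "q=%22%20autofocus%20onfocus%3Dalert(1)%20x%3D%22")

if __name__ == "__main__":
    for link in (TAG_LINK, ATTR_LINK):
        print("unsafe rendering executes script:", dangerous(render_unsafe(link)))
        print("safe rendering executes script:  ", dangerous(render_safe(link)))
```

The attribute case is why encoding has to cover quotes as well as angle brackets: a payload that never contains `<` still breaks out of `value="..."` and gains an event handler if only `<` and `>` are encoded. Real consoles also need a Content-Security-Policy and, ideally, framework templating that encodes by default, but per-context encoding of untrusted input is the fix the bulletin’s update amounts to.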

Windows Updates Include .NET and MSXML Fixes

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that often ship with it (like XML Core Services and the .NET Framework). Some vulnerable components also affect Office and Server Software products.
  • How an attacker exploits them: Multiple vectors of attack, from sending malicious print jobs to luring victims to malicious web pages.
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released six security bulletins that describe 11 vulnerabilities affecting Windows or components related to it, such as the .NET Framework and XML Core Services (MSXML). Each of these vulnerabilities affects different versions of Windows to varying degrees. One of the component vulnerabilities (MSXML) also affects other Microsoft products, including Office, SharePoint Server, and Microsoft Expression.

A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-001: Print Spooler Remote Code Execution Vulnerability

The print spooler is a Windows service that manages printing. It suffers from an unspecified vulnerability having to do with its inability to handle specially crafted print jobs. By sending a specially crafted print request, an attacker can exploit this flaw to execute code on a Windows computer with full system privileges.  That said, most administrators do not allow the ports necessary for Windows printing through their firewall. By default, a WatchGuard XTM appliance will block Internet-based attackers from leveraging this flaw, so it primarily poses an internal threat.

Microsoft rating: Critical

  • MS13-002: Two MSXML Remote Code Execution Flaws

Microsoft XML Core Services (MSXML) is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It ships with various versions of Windows, and with other Microsoft products like Office, SharePoint Server, Groove Server, and Expression. If you have a Windows computer, you very likely have MSXML, and you need to update if you use any of the aforementioned products.

According to today’s bulletin, MSXML suffers from two vulnerabilities – likely memory corruption flaws, but Microsoft doesn’t specify – which remote attackers could leverage to execute code on vulnerable computers with the privileges of the currently logged-in user. An attacker would only have to lure you to a web site containing malicious XML content for his attack to succeed. Since most Windows users have local administrative privileges, this sort of attack often gives the attacker complete control of their computers.

Don’t forget, attackers often booby-trap legitimate web sites with drive-by download code. So it’s possible you could encounter attacks leveraging this sort of vulnerability when visiting perfectly legitimate web sites. We recommend you patch quickly to avoid these sorts of attacks.

Microsoft rating: Critical

  • MS13-004: Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. It ships by default with Windows Vista and later, and you’ll find it installed on many older Windows computers as well.

The .NET Framework component suffers from four new security vulnerabilities. The flaws differ in scope and impact, and include an information disclosure issue and three elevation of privilege vulnerabilities, two of them due to buffer overflow flaws. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit the worst of these flaws to execute code on that user’s computer with full system privileges. These flaws can also affect non-web .NET applications, including custom ones you may have developed in-house. In short, if you’ve installed the .NET Framework on any of your servers or clients, you should update them as quickly as possible.

Microsoft rating: Important

  • MS13-005: Kernel-Mode Driver Elevation of Privilege Flaw

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode driver (win32k.sys) that implements the window manager and GDI graphics subsystem in kernel mode. This driver suffers from a new local elevation of privilege flaw having to do with how it improperly handles window broadcast messages. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computer. However, in order to run his malicious program, the attacker would first need local access to your computer, or would have to trick you into running the program yourself, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

  • MS13-006: Windows SSLv3/TLS Degradation Attack

The Secure Sockets Layer and Transport Layer Security (SSL/TLS) protocols are responsible for helping computers establish secure connections over networks. For instance, SSL/TLS is what you use when connecting to secure web sites. Like all operating systems, Windows ships with components necessary to handle SSL/TLS connections.

According to Microsoft’s bulletin, the SSL/TLS implementation that ships with most versions of Windows suffers from what they call a “Security Feature Bypass vulnerability.” Windows supports SSLv3 and TLS, which negotiate reasonably strong cipher suites. However, if an attacker can perform a Man-in-the-Middle attack on your SSL traffic, he can inject maliciously crafted handshake traffic that forces Windows to fall back to SSLv2. This doesn’t give the attacker immediate access to the SSL encrypted traffic, but it makes the session easier to attack, since SSLv2 has well-known design weaknesses, including weak ciphers and a handshake an attacker can tamper with. Since this attack requires a Man-in-the-Middle position, and doesn’t by itself decrypt the SSL communication, we believe it poses a relatively low risk in the real world. Of course, we still recommend you patch it. If nothing in your environment needs SSLv2 for compatibility (and almost nothing does), disabling it on your systems removes the downgrade target entirely.

Microsoft rating: Important
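To make the downgrade concrete, here is an added example (not code from the original post, from Microsoft or from WatchGuard) that simulates the negotiation in Python. The protocol is a toy: the version numbers, the ClientHello/ServerHello pair and the transcript MAC stand in for real SSL/TLS, and SESSION_KEY is a constructed secret standing in for the keys a real handshake derives, which the attacker does not know. A naive client accepts whatever version the server names, so an attacker who rewrites the ClientHello pushes it down to SSLv2. The hardened client enforces a version floor and also checks that the server’s view of the ClientHello matches what it actually sent, which catches a downgrade even to a version above the floor.

```python
"""Simulated SSL/TLS version negotiation under a man-in-the-middle downgrade.

Added example; not code from the original post, Microsoft or WatchGuard.
Versions, messages and the transcript MAC are a toy stand-in for SSL/TLS.
"""
import hashlib
import hmac

# Version numbers in SSL/TLS order; higher is newer.
SSL2, SSL3, TLS10 = 0x0200, 0x0300, 0x0301
NAMES = {SSL2: "SSLv2", SSL3: "SSLv3", TLS10: "TLS1.0"}

# Constructed secret standing in for keys a real handshake derives;
# the attacker does not know it, so it cannot forge the transcript MAC.
SESSION_KEY = b"constructed-demo-key"


def client_hello(offered):
    return {"type": "ClientHello", "versions": sorted(offered, reverse=True)}


def finished_mac(offered_versions, chosen):
    """MAC over the ClientHello the server saw plus the version it chose:
    the analogue of a TLS Finished message covering the transcript."""
    transcript = ",".join(f"{v:04x}" for v in offered_versions) + f"|{chosen:04x}"
    return hmac.new(SESSION_KEY, transcript.encode(), hashlib.sha256).hexdigest()


def server_hello(hello, supported):
    """Pick the newest version both sides support and MAC the transcript."""
    common = [v for v in hello["versions"] if v in supported]
    if not common:
        raise ValueError("no common protocol version")
    chosen = max(common)
    return {"type": "ServerHello", "version": chosen,
            "finished": finished_mac(hello["versions"], chosen)}


def mitm_force(version):
    """Attacker on the path who rewrites ClientHello so only `version` is offered."""
    def rewrite(hello):
        return {"type": "ClientHello", "versions": [version]}
    return rewrite


def naive_client(offered, supported, attacker=None):
    """Accepts whatever the server chose: the behaviour the bulletin fixes."""
    hello = client_hello(offered)
    seen = attacker(hello) if attacker else hello
    return server_hello(seen, supported)["version"]


def hardened_client(offered, supported, attacker=None, min_version=SSL3):
    """Refuses versions below the floor and verifies the transcript MAC
    against the ClientHello it really sent, not the one the server saw."""
    hello = client_hello(offered)
    seen = attacker(hello) if attacker else hello
    reply = server_hello(seen, supported)
    if reply["version"] < min_version:
        raise ConnectionError(
            f"refused {NAMES[reply['version']]}: below floor {NAMES[min_version]}")
    expected = finished_mac(hello["versions"], reply["version"])
    if not hmac.compare_digest(expected, reply["finished"]):
        raise ConnectionError("handshake transcript mismatch: ClientHello was altered")
    return reply["version"]


def attempt(client, attacker=None, offered=(TLS10, SSL3, SSL2),
            supported=frozenset((TLS10, SSL3, SSL2))):
    """Run one handshake and describe the outcome as a string."""
    try:
        return "negotiated " + NAMES[client(list(offered), supported, attacker)]
    except ConnectionError as err:
        return "aborted: " + str(err)


if __name__ == "__main__":
    for label, client in (("naive", naive_client), ("hardened", hardened_client)):
        print(label, "no attacker  ->", attempt(client))
        print(label, "forced SSLv2 ->", attempt(client, mitm_force(SSL2)))
        print(label, "forced SSLv3 ->", attempt(client, mitm_force(SSL3)))
```

The version floor is what disabling SSL 2.0 on a real system buys you: even a tampered handshake cannot land on a version the client refuses to speak. The transcript check is the analogue of the TLS Finished message, which SSLv2 lacks; that missing integrity check is exactly why ending up in SSLv2 at all is the problem.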

  • MS13-007: Open Data Protocol Denial of Service Vulnerability

At the highest level, the Open Data (OData) protocol is a standard that web applications can use to query and update data. In short, it’s like the many other protocols developers might use to get a web application to interact with a database. The OData component that ships with the .NET Framework suffers from a Denial of Service (DoS) vulnerability. By sending specially crafted HTTP requests, an attacker can leverage this flaw to disrupt your web server, preventing visitors from accessing it. Any IIS web server that includes the .NET Framework and has the Windows Communication Foundation (WCF) services installed is vulnerable to this DoS flaw, as is any Windows Server 2012 with IIS and the Management OData IIS Extension installed.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows, .NET Framework, and XML Core Services patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a new signature that can detect and block attacks on the OData DoS vulnerability against IIS servers with the .NET Framework. Your XTM appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Updates Correct .NET and MSXML Flaws

Are you ready for the first Patch Day of 2013? If you run a Microsoft shop (Mac users need not apply this month), get ready as you’ll want to install some of today’s updates as soon as you can.

As promised, Microsoft released seven security bulletins and software updates today, two of which they rate as Critical. The seven updates fix 12 vulnerabilities in products like Windows, XML Core Services, the .NET Framework, and their System Center Operations Manager. The impact of these vulnerabilities ranges widely from allowing a remote user to execute arbitrary code, to basic Denial of Service (DoS) issues. If you manage any of the affected products, I recommend you apply the updates quickly—particularly the Critical ones.

As I mentioned in last week’s notification, Microsoft is not releasing a fix for the recent Internet Explorer (IE) zero day vulnerability today. They simply haven’t had time to fully craft the patch since the exploit’s first discovery. However, Microsoft has released a FixIt, which partially mitigates the issue. While I recommend you apply the FixIt, do know a security research organization has found it doesn’t prevent all forms of this particular attack. So you’ll still want to jump on Microsoft’s real patch once they release it. In the meantime, if you use one of WatchGuard’s XTM appliances with the IPS service, we have a signature that protects you from the known exploits for this IE zero day flaw.

I’ll post more detailed alerts throughout the day, but until then feel free to refer to Microsoft’s January bulletin matrix below (click the image for more detail).  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: January 2013

Ring in the New Year with Seven Microsoft Patches

If you, like me, are still basking in the afterglow of a relaxing holiday respite, the relentless re-introduction of Microsoft Patch Day may seem like a harsh reminder of some of the drudgery suffered by an InfoSec professional. Don’t get me wrong! Patching is one of the most effective ways of keeping your systems safe. Yet, its ceaseless nature can’t help but put me into a Sisyphean mood.

That said, here comes another round of Microsoft patches, so get ready to push that security boulder back up another hill next Tuesday.

According to their first Advance Notification post for the year, Microsoft plans to release seven new security bulletins next Tuesday, as part of their January Patch Day. The bulletins will include updates to fix security vulnerabilities in Windows, Office, the .NET Framework, and some of Microsoft’s Server Software. Microsoft rates two of the bulletins as Critical, and the rest as Important.

Microsoft Patch Day: January 2013

Regular followers might notice that a fix for the recent Internet Explorer (IE) zero day vulnerability is missing from Microsoft’s expected updates. Researchers discovered this issue very recently, so I frankly wasn’t expecting a fix yet. It wouldn’t surprise me though if Microsoft releases an “out-of-cycle” update later in the month. In any case, if you applied the FixIt workaround I recommended previously, you should be fine. As an aside, WatchGuard’s signature writers developed a signature for the known exploit, so if you use our IPS service you are further protected.

I’ll post more information about Microsoft’s updates next week, so keep posted. — Corey Nachreiner, CISSP (@SecAdept)
