Tag Archives: windows

Ebay Pwned – WSWiR Episode 108

Ebay Data Breach, IE8 0Day, and Alleged Chinese Hackers

With all the information security (InfoSec) news coming out each week, it’s hard to believe anyone can keep up with it; let alone an already busy IT professional with other things on his plate. If that sounds like you, rather than worrying about finding the most important security news you can let my weekly summary video fill you in.

Today’s episode covers the 145M record Ebay breach, and new zero day Internet Explorer (IE) 8 vulnerability released early by the supposedly good guys, and the Department of Justice’s official charges against five alleged Chinese government hackers. Check out the video below for the details, and peruse the Reference section for links to other InfoSec stories.

If you’re in the USA, enjoy your extended holiday weekend. See you next time…

(Episode Runtime: 8:00)

Direct YouTube Link: https://www.youtube.com/watch?v=Ib7nI1H13P8

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

TAO Hijack Routers – WSWiR Episode 107

Tons of Patches, NSA Booby-Trapped Routers, and Alleged Iranian Hackers

If you don’t have time to follow all the information security stories popping up each week, you can let our weekly video and blog post summarize the important stuff for you.

In today’s show, I recite the big list of security patches you need to get this week, talk about how the NSA is intercepting and hacking routers to foreigners, and weigh in on whether or not the security industry is blaming advanced attacks on “nation-state” actors a bit too freely. Press play on YouTube for all the details, and don’t forget to check out the Reference section for links to other interesting InfoSec stories.

Hope you have a great weekend, and be careful shopping online!

(Episode Runtime: 8:25)

Direct YouTube Link: https://www.youtube.com/watch?v=LdOHsV88z4Y

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Four Windows Bulletins Fix Group Policy, .NET, and iSCSI Flaws

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, though most require authenticated attackers to do things locally
  • Impact: In the worst case, an authenticated attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as the .NET Framework. An authenticated attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-025: Group Policy Preferences Password Elevation of Privilege Flaw

Group Policy is the Windows feature that allows administrators to push configuration and settings to other Windows computers throughout their network. Group Policy Preferences are simply an extension of settings you can push via Group Policy. Microsoft’s alert describes a vulnerability in the way Active Directory sends password information with certain Group Policy Preferences. If you use Group Policy to set system administrator accounts, map drives, or run scheduled tasks—all things that require privileges—Group Policy stores an encrypted version of the password or credential needed for this task on the local computer. Local, authenticated attackers can then use that information to crack the password, and perhaps elevate their privileges. For instance, if you use your domain administrator account to run a particular scheduled task on every Windows computer network when it boots, local Windows users may have the information they need to crack your domain administrator account. That said, attackers would need valid credentials to log into one of your windows computers in order to exploit this flaw. So this primarily poses an insider risk.

Microsoft rating: Important

  • MS14-026:  .NET Framework Elevation of Privilege Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.

The .NET Framework suffers from an unspecified elevation of privilege vulnerability. If an authenticated attacker can send specially crafted data to an app that uses .NET Remoting, he can exploit this flaw to execute code on that system with full system privileges.

Microsoft rating: Important

  • MS14-027:  Windows Shell Elevation of Privilege Vulnerability

The Windows Shell is the primary GUI component for Windows. It suffers from a vulnerability having to do with its ShellExecute Application Programming Interface (API). If a local attacker can log in to one of your Windows systems and run a specially crafted program, he can exploit this flaw to execute code with local administrator privileges, thus gaining full control of the computer.

Microsoft rating: Important

  • MS14-028:  Two iSCSI DoS Vulnerabilities

iSCSI is a standard that supports network based storage devices. The Windows iSCSI component suffers from two Denial of Service (DoS) vulnerabilities. By sending a large amount of specially crafted packets to the iSCSI service (TCP 3260), an attacker could exploit this flaw to cause the iSCSI service to stop responding. Of course, the attacker needs access to the iSCSI service, which most administrator might block with their firewall.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. I especially recommend you test the Group Policy Preference update before deploy it, as it may slightly change the way Group Policy Preferences work.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking TCP port 3260), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

May’s IE Update Corrects Two New Memory Corruptions

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes two new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Though the two vulnerabilities differ technically, they share the same general scope and impact, and involve memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit either of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately. Also note, this IE cumulative patch also includes a fix for the zero day IE flaw Microsoft fixed earlier, in an out-of-cycle update. If, for some reason, you haven’t applied that update yet, this is a good time to fix that serious zero day flaw.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0310)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815)

Your XTM appliance should get this new IPS 4.414 signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Patches for IE, Sharepoint, Office, and Windows

Calling all Microsoft administrators! It’s Microsoft Patch Day, and their security updates are available for download.

You know the drill by now. As they do every second Tuesday of the month, Microsoft has released May’s important security updates. You can find this month’s Patch Day highlights in Microsoft’s summary post, but here’s what you really need to know:

  • Microsoft released eight bulletins, two rated Critical and the rest Important.
  • The affected products include
    • Windows
    • Office
    • Internet Explorer (IE)
    • and Sharepoint Server.
  • Attackers are apparently exploiting some of the Windows and IE vulnerabilities in the wild already, in what Microsoft calls “limited, targeted attacks.
  • As expected, Windows XP users aren’t getting patches this month (or from hereafter).

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can. You can also let Windows’ Automatic Update do it for you. While I don’t recommend Automatic Update on servers (due to potential patch bugs), I do think you should enable it on your clients computers. As always, concentrate on installing the Critical updates as soon as you can (especially the IE one this month), and handle the others later.

I’ll share more details about today’s patches on the blog throughout the day, though these posts may be slightly delayed due to my participation in WatchGuard’s US Partner Summit.  — Corey Nachreiner, CISSP (@SecAdept).

World Password Day – WSWiR Episode 106

MS Patch Day, 4chan Hacked, and Password Security

If you’re too busy helping your users and maintaining your network to read the latest information security news, you might miss out on new tip that could save your network. No worries. Let my short, weekly Infosec video summarize the week’s biggest news for you.

Today, I warn you about all the upcoming patches next Tuesday, talk about a popular web site hack and what administrators can learn from it, and share my three primary password tips for World Password Day. Click play below for all the details, and take a peek at the Reference section for links to other stories.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 7:32)

Direct YouTube Link: https://www.youtube.com/watch?v=fKU3Qoaj_Dw

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

May Brings Eight Microsoft Bulletins and One Adobe Update

Patch Day is coming, Patch Day is coming.

In their advanced notification yesterday, Microsoft announced they’d release eight security bulletins next Tuesday to fix security vulnerabilities in a number of their products. The bulletins will include updates for Internet Explorer (IE), Windows, Office, and a yet unnamed Microsoft Server product. They give two of the bulletins a Critical rating, and the rest listed as Important. See the chart below for complete details.

As usual, Adobe shares the same Patch Day and plans to released one update as well. According to their prenotification post, Adobe plans to released a patch for Adobe Reader and Acrobat, which will fix a serious vulnerabilities in the popular PDF reader. They’ve assigned it a priority of 1 (their highest), so you should plan to apply the patch quickly if you use Reader.

In short, if you’re a Microsoft administrator, or you use Adobe products, be ready to test and deploy a number of updates next week. As always, you should start with the critical updates, and work your way down through the less severe ones. I’ll post details about all these bulletins next week, so stay tuned. — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day, May 2014

Heartbleed Bug- WSWiR Episode 102

April Patch Day, Raided Pen-Tester, and OpenSSL Heartbleed

Information security news never stops, even if I have to post it from a Changi Airport lounge. If you need to learn the latest cyber security news, including what to do about the biggest vulnerability of the year (so far), you’ve found the right weekly video blog.

This week’s “on-the-road” episode covers Adobe and Microsoft’s Patch Day, an allegory on why you should avoid greyhat pen-testing, but most important of all, information and advice about the major OpenSSL Heartbleed vulnerability. If you use the Internet, you need to know about the Heartbleed flaw, so click play below to watch this week’s video. Finally, make sure to check the Reference section for links to the stories and some extras; especially if you are interested in all the WatchGuard Heartbleed information.

(Episode Runtime: 8:05)

Direct YouTube Link: http://www.youtube.com/watch?v=gEw-o2GQd1U

Episode References:

Extras:

Heartbleed described by XKCD

— Corey Nachreiner, CISSP (@SecAdept)

Windows File Handling Remote Code Execution Flaw

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: By tricking your users into running a .bat or .cmd file from a network location
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

As part of Patch Day, Microsoft released a Windows security bulletin describing a code execution vulnerability involving the way it handles .bat and .cmd files, otherwise known as Windows batch files. Windows batch files allow you to write multiple, scripted commands which will run together (as a batch) when you run the file. Window’s suffers from a vulnerability in they way they process these files, which attackers could exploit to execute arbitrary code. If an attacker can trick one of your users into running a .bat or .cmd file from a network location, they could exploit this issue to execute any code with that user’s privileged. In most Windows environments, users have local administrator privileges, so this attack could give hackers full control of your machine.

That said, this flaw takes significant user interaction to succeed, and most savvy Windows users know batch files could be dangerous, and don’t run them randomly. Nonetheless, we recommend you patch Windows as soon as you can.

Also note, this will be the last security update for Windows XP. If you haven’t figured out your Windows XP migration path yet, you really should start thinking about it. That said, security companies like WatchGuard will continue to develop IPS and anti-malware signatures to detect and block threats against Windows XP systems. If you absolutely cannot upgrade XP, be sure to at least implement IPS, AV, and UTM systems to protect your vulnerable computers.

Solution Path:

Microsoft has released updates that correct this vulnerability. You should download, test, and deploy the appropriate update throughout your network as soon as you can. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate some of the risk of this flaw (such as allowing you to block .bat and cmd files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit it over the local network too. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

IE Patch Squashes Six Memory Corruption Flaws

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes six new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Though these vulnerabilities differ technically, they share the same general scope and impact, and involve various memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1755)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1753)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1751)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1752)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Follow

Get every new post delivered to your Inbox.

Join 7,520 other followers

%d bloggers like this: