Tag Archives: word

Hardware Malware – WSWiR Episode 112

Tons of Patches, Facebook Botnets, and Infected Hand Scanners

After a couple weeks of hiatus, we’re finally back with our weekly security news summary video. If you want to learn about all the week’s important security news from one convenience resource, this is the place to get it.

This episode covers the latest popular software security updates from the last two weeks, and interesting Litecoin mining botnet that Facebook helped eradicate, and an advanced attack campaign that leverages pre-infected hardware products. Watch the video for the details, and check out the Reference’s for more information, and links to many other interesting InfoSec stories.

Enjoy your summer weekend, and stay safe!

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=oAHYUW1KkM0

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Service Bus DoS Mostly Affects Enterprise Web Developers.

Among this week’s Microsoft security bulletins is one that likely only affects a small subset of Microsoft customers, and thus not worth a full security alert.

Microsoft Service Bus is a messaging component that ships with server versions of Windows, providing enterprise developers with the means to create message-driven applications. According to Microsoft’s bulletin, Service Bus suffers from a denial of service (DoS) vulnerability involving it’s inability to properly handle a sequence of specially crafted messages. If you have created an application that uses Service Bus, an attacker who could send specially crafted messages to your application could exploit this flaw to prevent the application from responding to further messages. You’d have to restart the service to regain functionality.

Windows itself doesn’t really use Service Bus for anything, but if you have internal applications that do, this vulnerability may be significant to you. If you use Service Bus, be sure to check out the bulletin to get your updates. — Corey Nachreiner, CISSP (@SecAdept)

TweetDeck XSS – WSWiR Episode 111

Patch Day, P.F. Changs Hack, and TweetDeck XSS

This week delivered a lot of infosec news and a ton of software security updates. If you didn’t have time to follow it all, check out our weekly computer security video to fill in the blanks.

During today’s episode, I cover the critical patches from Microsoft, Adobe and Mozilla, mention the latest credit card breach against a U.S. restaurant chain, and talk about the cross-site scripting worm spreading via TweetDeck. Click play below to learn more, and check out the References for other interesting infosec stories.

Before wishing you a great weekend, here are a couple of quick show notes. First, I’m starting a vacation during the middle of next week, so I won’t be publishing this weekly video for the next two weeks. It will return in July.

Second, if you are a WatchGuard customer curious about our OpenSSL updates, we are in the process of posting new versions of software for many of our products. Keep your eye on this blog, as those will likely start coming out early next week.

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=hbGqdrxvOyA

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Word 2007 Patch Fixes Embedded Font Vulnerability

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Word 2007 (and related components)
  • How an attacker exploits them: By enticing users to open or interact with a maliciously crafted Word document
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing a vulnerability affecting Word 2007, and related software like the Office compatibility pack.

Word is the popular word processor that ships with Office.  It suffers from A memory corruption vulnerabilities having to do with how it handles embedded fonts in documents. By luring one of your users into downloading and opening a malicious Word document, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs.

Microsoft only rates this update as Important (their medium severity), since it requires user interaction to succeed. However, we’ve seen many attackers successfully use malicious Office documents in emails, as part of their advanced spear-phishing campaigns. For that reason, we recommend you install Microsoft’s Word updates as soon as you can.

Solution Path:

Microsoft has released a Word (and related product) update to correct these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

See the “Affected and Non-Affected Software” section of Microsoft’s Word bulletin for links to the updates.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus service can often prevent the most common malicious documents from reaching your users. You can also leverage our XTM appliance’s proxies policies to block all Word documents if you like; though most administrators prefer not to since Office documents are often shared as part of business. To fully protect yourself, we recommend you install Microsoft’s updates.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Seven Security Bulletins Include a Huge IE Update

If there is one day of the month you should really focus on software patching, this is the day. The second Tuesday of the month is both Microsoft and Adobe patch day. If you run a Windows shop, or you use Adobe products on any platform, it’s time for you to get patching!

As they promised, Microsoft released seven bulletins today to fix a wide range of security vulnerabilities in a number of their products, including:

  • Windows and its components,
  • Office (Word),
  • Internet Explorer (IE),
  • and Lync Server.

Microsoft rates two of the bulletins as Critical.

The big news here is the major Internet Explorer (IE) update. Not only does it fix a zero day vulnerability I discussed a few weeks ago, but it corrects a whooping total of 59 security flaws in the popular web browser. If you have Windows computers in your network, you need to patch IE immediately. The second Critical update fixes a Windows graphics component (GDI+) flaw, which attackers can leverage simply by tricking your users into viewing maliciously crafted images.

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can or you can also let Windows’ Automatic Update do it for you. You can find more information about these bulletins and updates in Microsoft’s June Summary advisory.

Adobe’s Patch Day, on the other hand, seems a bit lighter than Microsoft’s. They only released one security update fixing six security flaws in Flash Player. That said, the update fixes some pretty serious vulnerabilities that attackers could exploit just by enticing you to the wrong web site. Be sure to update Flash as well.

I’ll share more details about today’s patches on the blog throughout the day, so stay tuned.  — Corey Nachreiner, CISSP (@SecAdept).

Office Updates Include Patches for SharePoint Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products like SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents, or interacting with web resources
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a number of vulnerabilities in Office, SharePoint, and related components. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-022: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both multiple remote code execution vulnerabilities and a cross-site scripting (XSS) flaw. The remote code execution flaws pose the most risk, and involve several unspecified input sanitation vulnerabilities in a number of SharePoint pages. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges. Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. If you run SharePoint servers, you should patch this as quickly as you can.

Microsoft rating: Critical

  • MS14-023: Office Remote Code Execution Flaw

Various Office components suffer from two publicly reported vulnerabilities. The worst is a remote code execution flaw involving the way Office’s “Grammar Checker” feature loads Dynamic Link Libraries (DLL). However, the flaw only affects Grammar Checker when the language is set to Chinese (Simplified). If a remote attacker can convince you to open an Office document that resides in the same directory (local or over a network) as a malicious DLL, she could exploit this flaw to execute code with your privileges. If you have local administrative access, the attacker gains complete control of your computer. However, this flaw will likely primarily affect Chinese Office users, which somewhat limits its impact. Office also suffers from something call a “token reuse” flaw, but it poses a lesser risk that the remote code execution one.

Microsoft rating: Important

  • MS13-086 MCCOMCTL ASLR Bypass Vulnerabilities

Office (and many other Microsoft products) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Office’s MSCOMCTL component doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Heartbleed Bug- WSWiR Episode 102

April Patch Day, Raided Pen-Tester, and OpenSSL Heartbleed

Information security news never stops, even if I have to post it from a Changi Airport lounge. If you need to learn the latest cyber security news, including what to do about the biggest vulnerability of the year (so far), you’ve found the right weekly video blog.

This week’s “on-the-road” episode covers Adobe and Microsoft’s Patch Day, an allegory on why you should avoid greyhat pen-testing, but most important of all, information and advice about the major OpenSSL Heartbleed vulnerability. If you use the Internet, you need to know about the Heartbleed flaw, so click play below to watch this week’s video. Finally, make sure to check the Reference section for links to the stories and some extras; especially if you are interested in all the WatchGuard Heartbleed information.

(Episode Runtime: 8:05)

Direct YouTube Link: http://www.youtube.com/watch?v=gEw-o2GQd1U

Episode References:

Extras:

Heartbleed described by XKCD

— Corey Nachreiner, CISSP (@SecAdept)

Office Updates Fix Word 0day and Publisher Flaw

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Word, Publisher, and Office Web Apps
  • How an attacker exploits them: Typically by luring your users into opening malicious Office documents
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two Office-related security bulletins describing four vulnerabilities found in various Office and Office-related packages including the Word (for Windows and Mac), Publisher, and Office Web Apps. We summarize the bulletins below:

  • MS14-017: Multiple Word Code Execution Vulnerabilities

Word is the popular word processor that ships with Office.  It suffers from three remote code execution vulnerabilities having to do with how it handles malformed Word and RTF files. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs. This update includes the final fix for a zero day Word RTF vulnerability we mentioned in a previous alert. Since attackers have been exploiting that vulnerability in the wild, Microsoft assigns this a critical severity rating.

Microsoft rating: Critical

  • MS14-020: Multiple SharePoint Vulnerabilities

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from a memory corruption vulnerability that attackers can leverage to execute code. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. However, the flaw only affects Publisher 2003 and 2007 (not 2010 or 2013)

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. You can also leverage WatchGuard’s proxy policies to block certain types of documents, such as Publisher files or RTF documents. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

APT Blocker – WSWiR Episode 101

April Patch Day, NSA Encryption Backdoors, and APT Blocker

Ready for your weekly summary of InfoSec news? Well here it is.

This week’s episode covers what you need to know about next week’s Microsoft patch day, shares details about the latest NSA/RSA encryption scandal, and unveils WatchGuard’s latest security service, which can protect you from zero day malware. Watch the video for the whole scoop, and scope out the references for links to other news.

I continue my travels in Asia next week, so the video may continue to post at unusual times. We’ll be back to our normal scheduling soon.

(Episode Runtime: 5:23)

Direct YouTube Link: https://www.youtube.com/watch?v=JkFmxEVveRY

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Paranoia 2014 – WSWiR Episode 100

Word 0day, Cisco DoS, and Bricked Androids

My weekly InfoSec summary arrives bit late this time due to business travel. Last week, I spoke at Watchcom’s Paranoia conference in Oslo Norway, so I couldn’t post my security news summary until the weekend. Nonetheless, why not start your week off by quickly catching up on last week’s news.

This week’s episode includes a quick summary of the Paranoia show, news of a new Word zero day flaw, information about Cisco IOS updates, and a story about a new android vulnerability attackers can use to brick phones. Check out the video for the details, and scroll down to the Reference section for a few extra stories.

As an aside, I’ll be traveling the next two weeks as well, so my weekly video may show up either earlier or later than normal, due to travel.

(Episode Runtime: 5:27)

Direct YouTube Link: https://www.youtube.com/watch?v=BNiCOytV5sg

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Follow

Get every new post delivered to your Inbox.

Join 7,561 other followers

%d bloggers like this: