Tag Archives: zero day

Heartbleed Bug- WSWiR Episode 102

April Patch Day, Raided Pen-Tester, and OpenSSL Heartbleed

Information security news never stops, even if I have to post it from a Changi Airport lounge. If you need to learn the latest cyber security news, including what to do about the biggest vulnerability of the year (so far), you’ve found the right weekly video blog.

This week’s “on-the-road” episode covers Adobe and Microsoft’s Patch Day, an allegory on why you should avoid greyhat pen-testing, but most important of all, information and advice about the major OpenSSL Heartbleed vulnerability. If you use the Internet, you need to know about the Heartbleed flaw, so click play below to watch this week’s video. Finally, make sure to check the Reference section for links to the stories and some extras; especially if you are interested in all the WatchGuard Heartbleed information.

(Episode Runtime: 8:05)

Direct YouTube Link: http://www.youtube.com/watch?v=gEw-o2GQd1U

Episode References:

Extras:

Heartbleed described by XKCD

— Corey Nachreiner, CISSP (@SecAdept)

Office Updates Fix Word 0day and Publisher Flaw

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Word, Publisher, and Office Web Apps
  • How an attacker exploits them: Typically by luring your users into opening malicious Office documents
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two Office-related security bulletins describing four vulnerabilities found in various Office and Office-related packages including the Word (for Windows and Mac), Publisher, and Office Web Apps. We summarize the bulletins below:

  • MS14-017: Multiple Word Code Execution Vulnerabilities

Word is the popular word processor that ships with Office.  It suffers from three remote code execution vulnerabilities having to do with how it handles malformed Word and RTF files. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs. This update includes the final fix for a zero day Word RTF vulnerability we mentioned in a previous alert. Since attackers have been exploiting that vulnerability in the wild, Microsoft assigns this a critical severity rating.

Microsoft rating: Critical

  • MS14-020: Multiple SharePoint Vulnerabilities

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from a memory corruption vulnerability that attackers can leverage to execute code. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. However, the flaw only affects Publisher 2003 and 2007 (not 2010 or 2013)

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. You can also leverage WatchGuard’s proxy policies to block certain types of documents, such as Publisher files or RTF documents. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

APT Blocker – WSWiR Episode 101

April Patch Day, NSA Encryption Backdoors, and APT Blocker

Ready for your weekly summary of InfoSec news? Well here it is.

This week’s episode covers what you need to know about next week’s Microsoft patch day, shares details about the latest NSA/RSA encryption scandal, and unveils WatchGuard’s latest security service, which can protect you from zero day malware. Watch the video for the whole scoop, and scope out the references for links to other news.

I continue my travels in Asia next week, so the video may continue to post at unusual times. We’ll be back to our normal scheduling soon.

(Episode Runtime: 5:23)

Direct YouTube Link: https://www.youtube.com/watch?v=JkFmxEVveRY

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Only Four Microsoft Security Bulletins in April

Yesterday, Microsoft released their advanced notification, warning that they plan to release four security bulletins next Tuesday. The bulletins will include patches for Windows, Office, and Internet Explorer, and two have received Microsoft’s Critical severity rating. I suspect the Office updates will include a fix for the recent zero day Word flaw I mentioned in an earlier post.

Also note, April’s Patch Day marks the last time Microsoft will release Windows XP updates. They’ve been warning about XP’s End-of-Life for awhile now, and it’s finally upon us. Though some people think Microsoft’s using the opportunity to force people to upgrade, I believe XP has hung around longer than any operating system before it (13 years), and frankly it’s about time you update. I suspect hackers are holding onto an XP zero day or two, so it may be dangerous to keep it around much longer. That said, WatchGuard will continue to release IPS signatures for any future XP network flaws and AV signatures for XP malware.

In any case, I’ll post details about Microsoft bulletins next week, and if Adobe releases any updates you’ll hear about them here too. — Corey Nachreiner, CISSP (@SecAdept)

Paranoia 2014 – WSWiR Episode 100

Word 0day, Cisco DoS, and Bricked Androids

My weekly InfoSec summary arrives bit late this time due to business travel. Last week, I spoke at Watchcom’s Paranoia conference in Oslo Norway, so I couldn’t post my security news summary until the weekend. Nonetheless, why not start your week off by quickly catching up on last week’s news.

This week’s episode includes a quick summary of the Paranoia show, news of a new Word zero day flaw, information about Cisco IOS updates, and a story about a new android vulnerability attackers can use to brick phones. Check out the video for the details, and scroll down to the Reference section for a few extra stories.

As an aside, I’ll be traveling the next two weeks as well, so my weekly video may show up either earlier or later than normal, due to travel.

(Episode Runtime: 5:27)

Direct YouTube Link: https://www.youtube.com/watch?v=BNiCOytV5sg

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Operation Windigo – WSWiR Episode 99

MH370 Scams, Google Play DDoSed, and Operation Windigo

Each week I summarize the biggest information security news in a short video, so you don’t have to go searching for it yourself. If you’re interested in the latest infosec updates, be sure to watch each Friday. 

Today’s late episode covers a few cyber security stories around the disappeared MH370 flight, news about a penetration tester downing Google Play, and a report about a cyber attack campaign that hijacked 25,000 Linux servers. Watch the video for the full scoops, and check the Reference section below for more info.

Have a great weekend.

(Episode Runtime: 8:41)

Direct YouTube Link: http://www.youtube.com/watch?v=YJ3Ei1WDyIY

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

NSA’s Turbine – WSWiR Episode 98

Patch Day, Missed Logs, and Snowden’s Latest

What to learn about the latest information security (infosec) news in under eight minutes? You’ve found the right place. Check out my weekly security news summary video below.

This week’s episode covers all the big updates from this month’s Adobe & Microsoft Patch Day, the latest news suggesting Target’s breach could have been averted, and another top secret document leak, detailing how the NSA hacks its targets. Check out the video below for the details, and don’t forget the Reference section for links to other stories. 

Enjoy your weekend, and stay safe!

(Episode Runtime: 8:21)

Direct YouTube Link: http://www.youtube.com/watch?v=h87aqWmaCtQ

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Latest IE Update Patches Zero Day Hole and 17 Others

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes 18 new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Though many of these vulnerabilities differ technically, the majority of them share the same general scope and impact, and involve various memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

Most importantly, attackers have been exploiting one of these memory corruption corruption flaws in the wild. Recently, security researchers have discovered attackers exploiting this particular IE flaw in two watering hole attacks, where they hijack legitimate websites and inject them with malicious code, hoping to infect the people who visit those sites. Since attackers are already exploiting at least one of these issues in the wild, we highly recommend you apply this IE update immediately

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s December IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0297)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0298)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0299)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0302)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0303)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0304)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0305)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0306)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0309)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0311)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0312)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0313)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0322)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0314)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Uroburos APT- WSWiR Episode 97

SOHO Pharming, Trio of Data Breaches, and Russian APT

I still remember ten years ago, when I used to wish more people would realize the dangers of the Internet and the sad state of cyber security. Back then, it seemed like I had to work to convince someone that there was any computer security problem at all. Boy has that changed… Now I feel overwhelmed by the amount of information security news that breaks each week. If you’re interested in computer security news, but feel overwhelmed yourself, let my short video summarize the important news for you.

Today’s episode covers a SOHO pharming campaign that’s hijacking routers in Europe and Asia, another trio of big network and data breaches, and a new advanced, nataion-state level attack that allegedly comes from Russia. Watch the video for my quick summary, and/or check out the links below for more details, and some extra security stories to boot.

Enjoy your weekend, and keep safe out there.

(Episode Runtime: 11:24)

Direct YouTube Link: http://www.youtube.com/watch?v=IQch3fdbzAk

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

March’s Patch Day Includes an IE Zero Day Fix

It’s almost that time of the month again. Next week is Microsoft Patch day, and here’s what you can expect.

MS Patch Notification: March 2014According to Microsoft’s advanced notification, next week’s Patch Day should be fairly light, and relatively simple. The Redmond-based software company plans to release five security bulletins, fixing flaws in Windows, Internet Explorer (IE), and Silverlight. They rate two updates as Critical and the rest as Important. The biggest news about these updates is that the IE one will completely fix the zero day flaw that attackers have been exploiting in the wild, in watering hole attacks. So at the very least, you should prepare to install the IE update as soon as you can next week.

In related news, Adobe also shares Microsoft’s Patch Day. They haven’t announced if they will release any updates yet (they just recently released that emergency Flash one), but I would keep an eye on their security page next Tuesday. In any case, I’ll post details about Microsoft bulletins next week, and if Adobe releases any updates you’ll hear about them here. — Corey Nachreiner, CISSP (@SecAdept)

Follow

Get every new post delivered to your Inbox.

Join 7,938 other followers

%d bloggers like this: