WatchGuard Security Center | Tag Archive

WatchGuard Security Week in Review: Episode 51 – Flash 0day

February 8, 2013 by Corey Nachreiner 3 Comments

Flash Exploit, ICS Hacks, and Federal Reserve Bank Breach

We’ve had another busy week of security news, with more stories than I can cover in a short video. So I’ll stick to the highlights. Today’s episode talks about a couple Adobe Flash zero day vulnerabilities, the latest Anonymous hijinks, some cross-platform mobile malware, and more. If you missed this week’s InfoSec news, and want to learn about the biggest stories (including how to defend against the latest attacks), click the play button below. Also, check out the Reference section for links to some other interesting security stories I skipped.

Enjoy your weekend, and stay frosty out there.

(Episode Runtime: 8:03)

Direct YouTube Link: http://www.youtube.com/watch?v=B6YdI3NGwlg

Episode References:

February Microsoft Patch Day brings a dozen bulletins – WGSC
Zero day Adobe Flash vulnerabilities in the wild - WGSC
Anonymous breaches Federal Reserve site and leaks Banker PII - ZDNet
Radio Free Security episode including Aaron Swartz/Anonymous story – WGSC
Lucky 13 SSL and TLS crypto weakness - Ars Technica
DroidCleaner cross-platform android malware - Gizmodo
Building ICS software vulnerabilities can affect elevators, boilers, and more - Wired
EXTRAS
- US Department of Energy breached - Help Net Security
- Beebus: New advanced malware (APT?) - Computer Weekly
- Citadel authors re-focusing on cyber espionage - McAfee
- EU releases Cyber Security Strategy - Tech World
- US President can order pre-emptive cyber attacks - Computer World
- Microsoft legal team takes down another botnet - Naked Security
- Iran releases hacked US drone footage - Rinf.com
- List of vulnerable routers from last week’s UPnP vulnerabilities - DefenseCode Blog
- BREAKING: Bit9 breached, and Certs stolen for malware – The Register

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates

Emergency Flash Update Fixes “In the Wild” Vulnerabilities

February 7, 2013 by Corey Nachreiner 5 Comments

Summary:

These vulnerabilities affect: Adobe Flash Player running on all platforms
How an attacker exploits it: By opening any malicious Flash (SWF) content; whether from a web site, within a Word document, and so on
Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Today, Adobe released an emergency security bulletin to fix two Flash Player vulnerabilities, which attackers are actively exploiting in the wild. Both flaws are memory corruption-related issues; one being a buffer overflow vulnerability. If an attacker can entice one of your users into opening any Flash content, he could exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

As mentioned earlier, attackers are actively exploiting both these vulnerabilities in the wild. Currently, the attackers try to deliver the malicious Flash either via a booby-trapped web site, or by embedding it within malicious Word documents.

Besides patching, we recommend you educate your users about the dangers of interacting with unsolicited Word (or PDF) documents. Many of the more advanced breaches over the last few years have begun as very targeted spear-phishing emails which included malicious Word or PDF documents. Although security appliances, like WatchGuard’s, can detect some of these malicious documents using AV and IPS, you should still inform your employees to remain vigilant against these sorts of attacks.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content (and Word documents). Keep in mind, doing so blocks all such content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify these various files:

File Extension:

.flv – Adobe Flash file (file typically used on websites)
.fla – Flash movie file
.f4v – Flash video file
.f4p - Protected Flash video file
.f4a – Flash audio file
.f4b – Flash audiobook file

MIME types:

video/x-flv
video/mp4 (used for more than just Flash)
audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

FLV Hex: 46 4C 56 01
FLV ASCII: FLV
FLA Hex: D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives.)

If you decide you want to block these files, the links below contain instructions that will help you configure your XTM proxy’s content blocking features using the file and MIME information listed above.

XTM Appliance with WSM 11.x

Firebox X Edge running 10.x

Firebox X Core and X Peak running Fireware 10.x

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

February 2013 Adobe Flash Security Bulletin

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Security Updates

0day, adobe, flash, Flash Player, patch, remote code execution, Update, zero day

Oracle Releases Emergency Java Update for February

February 4, 2013 by Corey Nachreiner 3 Comments

Severity: High

Summary:

These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 11 and earlier, on all platforms
How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
Impact: In the worst case, an attacker can gain complete control of your computer
What to do: Install JRE and JDK 7 Update 13

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Today, many operating systems (OS) implement a Java interpreter to recognize and process Java code from websites and other sources, although some operating systems are beginning to depreciate their Java support for security reasons. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

This week, Oracle released an out-of-cycle security update that fixes 50 different security vulnerabilities in Java. Though the flaws differ technically, many of them share the same scope and impact. If an attacker can entice you into running specially crafted Java code, either directly or from a booby-trapped web site, he can leverage many of these flaws to execute code on your computer, with your privileges. For Windows users, this typically means the attacker gains full control of your machine.

Oracle rates 26 these Java vulnerabilities with a base CVSS score of 10.0; the most severe rating. Furthermore, attackers are currently leveraging some of these vulnerabilities in the wild. In short, this is an extremely important update for Java users. We highly recommend you apply Oracle’s emergency update immediately. In fact, if you can do without Java, I suggest you remove it from your computer.

In related news, Apple has also released a Java update for OS X. However, Apple’s update also disables or blocks older versions of Java (6) in your browser. OS X users should also update Java, but be aware the update may prevent you from using some Java content.

Solution Path:

Oracle has released JRE and JDK Update 13 to correct these issues (as well as some legacy version updates). If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Furthermore, attackers have heavily targeted Java lately in their exploit frameworks. If you do not need Java in your organization, I suggest you remove it.

For All WatchGuard Users:

WatchGuard XTM appliances can help protect you from this Java vulnerability in a number of ways:

If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well.
WatchGuard’s AV partner, AVG, has developed signatures to catch some Java exploits. If you use our Gateway AntiViris (GAV) service, it will protect you from some of these attacks.
WatchGuard’s signature writers have developed a generic Java signature, which should block some variants of this attack.
WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

Oracle’s Out-of-Cycle February Java Security Advisory

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

What did you think of this alert? Let us know at lsseditor@watchguard.com.

Need help with the jargon? Try the LiveSecurity Online Glossary.

Security Updates

0day, drive-by download, java, Oracle, patch, sun, Update, zero day

WatchGuard Security Week in Review: Episode 50 – UPnP Pwnage

February 1, 2013 by Corey Nachreiner 2 Comments

UPnP Pwnage and Hacked Journalists

This week is rife with security news. If you want the quick highlights, you’ve come to the right place. Today’s video covers a few Yahoo XSS vulnerabilities, some serious UPnP security flaws, and the alleged China-based hack of the New York Times. Watch the video below for details.

Also, if you are interested in some other stories I didn’t have time to cover in the video, make sure to check out the Reference section for links to these extras.

Thanks for watching, and see you next week.

(Episode Runtime: 10:00)

Direct YouTube Link: https://www.youtube.com/watch?v=azjZ0dFxnR4