Archive | April, 2010

Microsoft's Windows 2000 Media Services update doesn't really fix the security flaw

Last week, the Microsoft Security Response Center released a blog post warning that they had pulled the MS10-025 security update because, essentially, it didn't work.

MS10-025 was supposed to fix a critical buffer overflow vulnerability in Windows Media Services, the on-demand streaming service that ships with Windows 2000. By sending a specially crafted packet to your Windows 2000 Media Server, an attacker could exploit this vulnerability to gain complete control of the machine. Of course, this flaw only affects Windows 2000 servers, and only if you have specifically enabled Windows Media Services.

According to Microsoft’s blog post, the update they released a few Tuesdays ago, “does not address the underlying issue effectively.” On a positive note, Microsoft is not aware of anyone actively exploiting this flaw in the wild. That could change though. Now that the bad guys know that Microsoft’s fix is broken, they could put more effort into reverse engineering the original update to find the underlying vulnerability.

Microsoft does say they plan on re-releasing this update, probably sometime this week. Until they do, you should check out the Workarounds section of their security bulletin to see how to mitigate the risk of this now unpatched issue.

Apple's OS X Update Fixes One Serious "Pwn2Own" Flaw

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: By enticing one of your users to a malicious website
  • Impact: An attacker executes code on your user’s computer, with that user’s privileges
  • What to do: OS X administrators should download, test and install Security Update 2010-003 as soon as possible, or let Apple’s Software updater do it for you

Exposure:

Late yesterday, Apple released a security update to fix a single security flaw that affects OS X 10.5.x and 10.6.x. The flaw resides in Apple Font Services (ATF), an OS X component used to handle and display embedded fonts. In short, ATF doesn't properly handle specially malformed embedded fonts. If an attacker can lure one of your users into downloading or viewing a malicious document, perhaps embedded on a malicious website, the vulnerability can be exploited to execute code on that user's computer with that user's privileges. Since OS X separates the root user's privileges from your basic user account's privileges, an attacker can't immediately exploit this to gain complete control of your Mac. However, he could leverage it to do anything on your computer that you can, so this still gives him significant access to and control of your computer.

While this flaw lies within a font handling component, attackers will most likely exploit it through your web browser. In fact, that is exactly how the researcher who discovered this flaw, Charlie Miller, exploited it during this year's Pwn2Own contest at the CanSecWest security conference. Miller lured his Safari victim to a malicious website containing an embedded font, which triggered this ATF vulnerability, and won Miller $10,000. As part of the contest, participants have to agree not to publicly disclose the flaws they use. Rather, they turn them over to TippingPoint, who doesn't disclose them until the affected vendor fixes the issue. That means attackers in the wild probably do not know how to exploit this flaw yet. That said, its high publicity will surely bring it to the attention of attackers, so you should download and install Apple's security update as soon as you can.

Solution Path:

Apple has released OS X Security Update 2010-003 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

This attack can arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Apple has released updates to fix this flaw.

References:

Adobe's Patch Day Update Corrects 15 Reader Flaws

Summary:

  • This vulnerability affects: Adobe Reader and Acrobat 9.3.1 and earlier, on Windows, Mac, and UNIX computers
  • How an attacker exploits it: By enticing your users into viewing a maliciously crafted PDF document
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: Install Adobe’s Reader and Acrobat 9.3.2 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

As part of their quarterly patch day cycle (which shares the same date as Microsoft Patch Day), Adobe released a security bulletin describing 15 security vulnerabilities (number based on CVE-IDs) that affect Adobe Reader and Acrobat 9.3.1 and earlier, running on Windows, Mac, and UNIX computers. The flaws differ technically, but consist primarily of buffer overflow and memory corruption vulnerabilities, and share the same general scope and impact.

In the worst case, if an attacker can entice one of your users into downloading and opening a maliciously crafted PDF document (.pdf), he can exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Early this year, we predicted that attackers would increasingly target third-party applications, like Adobe Reader, in 2010. Recently, another security company proved this prediction true, showing that Adobe Reader is the most exploited application by attackers. For those reasons, we highly recommend you download and install these Reader updates immediately.

Solution Path

Adobe has released Reader and Acrobat 9.3.2 to fix these vulnerabilities on all platforms. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

For All WatchGuard Users:

Many WatchGuard Firebox models can block incoming PDF files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PDF files are not absolutely necessary to your business, you may consider blocking them using the Firebox’s HTTP and SMTP proxy until the patch has been installed.

If you decide you want to block PDF documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .pdf files by their file extension:

Status:

Adobe has released patches that correct these vulnerabilities.

References:

Beware Malicious Publisher and Visio Documents

Summary:

  • These vulnerabilities affect: All current versions of Microsoft Office Publisher and Visio
  • How an attacker exploits them: By enticing you to open maliciously crafted Publisher or Visio documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office Publisher and Visio patches immediately, or let Microsoft’s Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing three vulnerabilities found in Microsoft Office Publisher and Microsoft Visio, two applications that belong to Microsoft's Office line of products.

While the vulnerabilities differ technically, and affect two different applications from the Office line, they share the same general scope and impact. By enticing one of your users into downloading and opening a maliciously crafted document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

The notable difference between these flaws lies in which document types can trigger the flaws. According to Microsoft, the vulnerable document types include Publisher documents (.PUB) and Visio files (.VSD, .VST, .VSS, .VDX).

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS10-023: Microsoft Office Publisher Code Execution Vulnerability, rated Important
  • MS10-028: Microsoft Visio Code Execution Vulnerabilities, rated Important

Solution Path

Microsoft has released patches for Publisher and Visio to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you.

MS10-023:

MS10-028:

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Publisher and Visio documents, some organizations need to allow them in order to conduct business. Therefore, these patches are your best recourse.

If you want to block Office documents, follow the links below for video instructions on using your Firebox proxy's content blocking features to block files by extension. Some of the file extensions you'd want to block include .PUB, .VSD, and .VDX. Keep in mind that blocking files by extension blocks both malicious and legitimate documents.
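As an added example of the extension-based blocking that this post and the Adobe Reader post above recommend (illustrative Python written for this page, not WatchGuard's Firebox proxy code): a filter decision that blocks the listed extensions and, as a second opinion, also classifies the file's leading bytes, since an extension-only rule never looks at content. The extension list, the signatures and the sample inputs are constructed for the example.

```python
import os

# Extensions the two posts above suggest blocking while patches are pending (constructed list).
BLOCKED_EXTENSIONS = {".pdf", ".pub", ".vsd", ".vss", ".vst", ".vdx"}

# Leading-byte signatures used as a second opinion on the content.
# PDF files start with "%PDF-"; Publisher and binary Visio files are OLE2 compound
# documents, which share the D0 CF 11 E0 header with legacy Word and Excel files,
# so the OLE2 rule is deliberately coarse (it blocks legitimate documents too).
MAGIC = {
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
}


def detected_type(data: bytes) -> str:
    """Classify content by its first bytes; .VDX (Visio XML) shows up as plain XML."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    if data.lstrip().startswith(b"<?xml"):
        return "xml"
    return "unknown"


def should_block(filename: str, data: bytes):
    """Return (block, reason).

    The extension rule mirrors what the posts describe: a listed extension is
    blocked outright, legitimate or not.  The content rule then catches a PDF or
    OLE2 document whose name carries some other extension, which the extension
    rule alone would let through.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return True, f"extension {ext} is on the block list"
    kind = detected_type(data)
    if kind in ("pdf", "ole2"):
        return True, f"content is {kind} although the extension is {ext or '(none)'}"
    return False, "allowed"


if __name__ == "__main__":
    # Constructed sample attachments: name and first bytes only.
    samples = [
        ("invoice.pdf", b"%PDF-1.4\n%..."),
        ("Newsletter.PUB", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
        ("diagram.vdx", b"<?xml version='1.0'?><VisioDocument/>"),
        ("report.dat", b"%PDF-1.4\n"),
        ("notes.txt", b"just text"),
    ]
    for name, head in samples:
        print(name, should_block(name, head))
```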

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

Microsoft Exchange and Windows SMTP Service DoS Vulnerability

Summary:

  • This vulnerability affects: All current versions of Exchange Server and many versions of Windows
  • How an attacker exploits it: By sending specially crafted network traffic (malicious DNS MX record responses)
  • Impact: Multiple impacts, in the worst case an attacker can crash your mail server, preventing you from receiving email
  • What to do: Deploy the appropriate Exchange Server or Windows patch as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Microsoft Exchange is one of the most popular email servers used today. Exchange is a stand-alone program, separate from Windows; however, many versions of Windows also ship with a basic SMTP service to receive email.

In a security bulletin released today, Microsoft describes two security vulnerabilities that affect all current versions of Exchange, as well as the SMTP service that ships with many versions of Windows. The worst of these flaws has to do with how Exchange handles specially crafted DNS Mail Exchanger (MX) records. Basically, the SMTP service will hang indefinitely when it attempts to parse a specially crafted MX record. In order to exploit this vulnerability, an attacker would have to set up a malicious DNS server for a domain they controlled. Then the attacker would have to send you an email containing addresses from that domain. When your mail server tries to request the MX record associated with this domain, it encounters the attacker's specially crafted MX record, and will hang until you manually reboot it. This results in a Denial of Service (DoS) situation for email.

Microsoft's bulletin also describes a lower risk information disclosure vulnerability in Exchange. By sending specially crafted SMTP commands, an attacker may be able to retrieve random email fragments from your server's memory. We recommend you download and install the Exchange and Windows updates as soon as possible, in order to fix both of these issues.

Solution Path:

Microsoft has released patches to fix these vulnerabilities. You should download, test, and deploy the appropriate Exchange and Windows patches as soon as possible.

For All WatchGuard Users:

An attacker can exploit the worst of these vulnerabilities by sending normal emails, which you must allow through your firewall if you have an internal email server. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

Eight Microsoft Windows Bulletins Close Over 20 Security Holes

Bulletins Affect SMB Client, WMP, the Kernel, and More

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, or enticing your users to open malicious media
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released eight security bulletins describing over 20 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-020: SMB Client Code Execution Vulnerabilities

Microsoft Server Message Block (SMB) is the protocol Windows uses for file and print sharing. According to Microsoft, the Windows SMB client suffers from five security vulnerabilities, four of which could allow attackers to execute malicious code. Though the flaws differ technically, an attacker could exploit them all in the same way. By enticing one of your users to connect to a malicious SMB server, an attacker can exploit one of the flaws to gain complete control of a vulnerable Windows computer.
Microsoft rating: Critical.

  • MS10-019: Two Authenticode Code Execution Vulnerabilities

Microsoft has built a mechanism into Windows called Authenticode, which allows developers to sign their executable programs using Public-Key Cryptography standards. This mechanism allows you (or the operating system) to make sure the programs you run really come from the vendors you expect them from. If you've ever installed a driver in Windows and received a message saying it wasn't signed, the Authenticode Signature Verification system provided that message. According to today's bulletin, various components involved with the Authenticode system suffer from two security vulnerabilities. The flaws differ technically, but share the same general impact. By tricking one of your users into downloading and opening a specially crafted .EXE or .CAB file, an attacker could leverage either flaw to gain complete control of that user's computer.
Microsoft rating: Critical.

  • MS10-025: Win2K Media Services Buffer Overflow Vulnerability

Windows 2000 (Win2k) ships with Windows Media Services to allow you to create a server for on-demand, streaming audio and video. Unfortunately, one of the Windows Media Services (the Unicast Service, nsum.exe) suffers from a buffer overflow vulnerability involving the way it handles specially malformed network packets. By sending a specially crafted packet to your Windows 2000 Media Server, an attacker could exploit this vulnerability to gain complete control of the machine. That said, Windows 2000 doesn’t enable the Windows Media Services by default. You are only vulnerable to this flaw if you’ve specifically enabled them.
Microsoft rating: Critical.

  • MS10-026: MP3 Codecs Buffer Overflow Vulnerability

MPEG Layer-3, otherwise known as MP3, is an audio encoding format used to compress audio for playback on digital devices, like computers. Windows ships with special codecs used to decode and playback MP3 audio within music files or videos. Windows’ MP3 codecs suffer from a buffer overflow vulnerability, involving their inability to handle specially crafted AVI movies with MP3 audio. By luring one of your users into downloading and playing a specially crafted AVI file, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical.

  • MS10-027: WMP Code Execution Vulnerability

Windows Media Player (WMP) is the audio and video player that ships with Windows. WMP also includes an ActiveX control that allows it to play back media hosted on websites. The WMP ActiveX control suffers from an unspecified code execution vulnerability having to do with how it handles specially crafted media hosted on a malicious website. By enticing one of your users to visit a website with an embedded video, an attacker can exploit this flaw to execute code on that user's computer, with that user's privileges. If your user has administrative privileges, the attacker gains complete control of that user's PC. This vulnerability only affects WMP 9, which ships with Windows 2000 and XP.
Microsoft rating: Critical.

  • MS10-021: Multiple Windows Kernel Elevation of Privilege and DoS Vulnerabilities

The kernel is the core component of any computer operating system. The Windows kernel suffers from multiple Denial of Service (DoS) and elevation of privilege vulnerabilities. By running a specially crafted program, an attacker could leverage these flaws to either crash or lock up your computer, or to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws.
Microsoft rating: Important

  • MS10-022: VBScript F1 Code Execution Vulnerability

VBScript, or Visual Basic Scripting, is a scripting language created by Microsoft, and used by Windows and its applications. VBScript suffers from a complex security flaw, involving the way it interacts with Windows Help files via Internet Explorer. The vulnerability only crops up when a victim presses the "F1" key while visiting a specially crafted web page. You can learn more about this previously unpatched vulnerability in a Wire post we released in early March. In short, if an attacker can lure one of your users to a malicious web page and trick them into pressing the "F1" key on that web page (perhaps by using a pop-up dialog that instructs the user to press that key for some trumped-up reason), he can exploit this flaw to execute code on that user's computer, with that user's privileges. As usual, if your user has administrative privileges, the attacker gains complete control of that user's PC.
Microsoft rating: Important.

  • MS10-029: IPv6 ISATAP Source Spoofing Vulnerability

The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an IPv6 transition mechanism designed to allow you to send IPv6 packets over an IPv4 network. The Windows ISATAP component suffers from a potential spoofing vulnerability. Essentially, the Windows TCP/IP stack doesn’t properly validate the source address for tunneled ISATAP packets. By sending specially crafted IPv6 packets, an attacker could leverage this flaw to impersonate or spoof another address on your network, potentially bypassing any address-based filters you employ on a firewall. However, this vulnerability only affects systems with the ISATAP interface configured, which significantly lowers risk.
Microsoft rating: Moderate.
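As an added example (illustrative Python written for this page, not Microsoft's code and not a description of what the MS10-029 fix changes), the source-address consistency check that RFC 5214 expects an ISATAP decapsulator to perform: the outer IPv4 source address must equal the IPv4 address embedded in the inner IPv6 source's ISATAP interface identifier (the 0:5efe:w.x.y.z or 200:5efe:w.x.y.z suffix). The packet builder, header layouts and addresses below are constructed samples, with checksums and payload left out.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41      # IPv4 protocol number carrying a tunneled IPv6 packet
ISATAP_TAG = b"\x5e\xfe"     # middle of the ISATAP interface identifier 0[02]00:5EFE:<IPv4>


def build_tunneled_packet(outer_src, outer_dst, inner_src, inner_dst) -> bytes:
    """Constructed sample: a minimal 20-byte IPv4 header (protocol 41) followed by a
    minimal 40-byte IPv6 header. Only the fields the validator reads are meaningful."""
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, PROTO_IPV6_IN_IPV4, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    v6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,   # next header 59: none
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed)
    return v4 + v6


def embedded_ipv4(v6: ipaddress.IPv6Address):
    """Return the IPv4 address embedded in an ISATAP interface id, or None if the
    low 64 bits are not of the form 0000:5EFE:<IPv4> or 0200:5EFE:<IPv4>."""
    b = v6.packed
    if b[8:10] not in (b"\x00\x00", b"\x02\x00") or b[10:12] != ISATAP_TAG:
        return None
    return ipaddress.IPv4Address(b[12:16])


def validate_isatap(packet: bytes):
    """Return (accepted, reason). Accept only when the outer IPv4 source matches the
    IPv4 embedded in the inner IPv6 source; anything else is treated as spoofed."""
    if len(packet) < 60:
        return False, "truncated"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_IPV6_IN_IPV4:
        return False, "not a tunneled IPv6 packet"
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner = packet[ihl:ihl + 40]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "bad inner IPv6 header"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    embedded = embedded_ipv4(inner_src)
    if embedded is None:
        return False, "inner source is not an ISATAP address"
    if embedded != outer_src:
        return False, f"embedded {embedded} does not match outer {outer_src}"
    return True, "ok"


if __name__ == "__main__":
    honest = build_tunneled_packet("192.0.2.10", "192.0.2.1",
                                   "fe80::5efe:192.0.2.10", "fe80::5efe:192.0.2.1")
    mismatch = build_tunneled_packet("192.0.2.99", "192.0.2.1",
                                     "fe80::5efe:192.0.2.10", "fe80::5efe:192.0.2.1")
    print(validate_isatap(honest))    # accepted
    print(validate_isatap(mismatch))  # rejected: outer and embedded sources differ
```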

Microsoft also released an Exchange security bulletin today that describes vulnerabilities which also affect Windows itself. We will release details about those Windows and Exchange vulnerabilities in another alert to be published today.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-020:

MS10-019:

MS10-025:

Note: This vulnerability does not affect any other versions of Windows

MS10-026:

Note: This vulnerability does not affect any other versions of Windows

MS10-027:

Note: This vulnerability does not affect any other versions of Windows

MS10-021:

MS10-022: