Archive | May, 2010

As predicted, social networking continues to be a target

Over the last week a handful of issues have cropped up with social networks like Twitter and Facebook. We predicted that social networking would become more of a battle ground in 2010 than ever before and it looks like that prediction is holding true:

Twitter malware campaign with a banking Trojan and keylogger combo

New Facebook clickjacking attacks

More Facebook users hit by “distracting beach babes”

Adobe Corrects 18 Shockwave Security Flaws

Summary:

  • This vulnerability affects: Adobe Shockwave Player 11.5.6.606 and earlier, running on Windows and Macintosh computers
  • How an attacker exploits it: By enticing your users into visiting a website containing a malicious Shockwave or Director file
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (11.5.7.609) of Adobe Shockwave Player as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

In a security bulletin released late Tuesday, Adobe warned of eighteen critical vulnerabilities that affect Adobe Shockwave Player 11.5.6.606 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail; it only gives the nature of each flaw and its basic impact. For the most part, the flaws are memory-related vulnerabilities, including buffer overflows, integer overflows, and various other memory corruption flaws. Though these flaws differ technically, they all share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit these flaws to gain full control of their PCs. Adobe’s alert doesn’t describe what type of Shockwave content triggers these various flaws. However, other researchers’ alerts have disclosed that malicious Director (.DCR) and Flash (.SWF) files, both of which Shockwave Player can render, can trigger these vulnerabilities.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version as soon as you can.

As an aside, Adobe also released a security bulletin to fix three less severe vulnerabilities in their web application server, ColdFusion. We suspect few of our customers use this less popular application server. However, if you do, we recommend you follow the instructions in this Adobe TechNote to fix these vulnerabilities.

Solution Path

Adobe has released a new version of Shockwave Player, version 11.5.7.609. If you use Adobe Shockwave in your network, we recommend you download and deploy this updated player as soon as possible.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading Shockwave content (.DCR and .SWF files) via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of these vulnerabilities by blocking .SWF and .DCR files using your Firebox’s proxy services. That said, many websites rely on Shockwave and Flash for interactive content, and blocking these files will prevent those sites from working properly.

If you choose to block Shockwave content, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .SWF and .DCR files by their file extensions:

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

VBA Vulnerability Makes Office Documents Dangerous

Summary:

  • This vulnerability affects: Microsoft Visual Basic for Applications (VBA), which ships with all current versions of Office
  • How an attacker exploits it: By tricking one of your users into opening a malicious Office document
  • Impact: An attacker can execute code and potentially gain complete control of your Windows computers (depending on the privileges of the user)
  • What to do: Download, test, and install Microsoft’s update as soon as possible, or let Windows Automatic Update do it for you

Exposure:

According to Microsoft, Visual Basic for Applications (VBA) is “a development technology for developing client desktop packaged applications and integrating them with existing data and systems.” In more understandable terms, it’s a programming language that allows developers to make customized applications based on the Office applications. All current versions of Office ship with VBA, and the Office applications make use of it to perform certain functions.

According to this Microsoft security bulletin, VBA suffers from a memory corruption vulnerability in the way it searches for ActiveX controls in a document that supports VBA. Without getting too deep into the technical details, if an attacker can lure one of your users into opening a specially crafted Office document that supports VBA, he can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If the user has local administrator privileges, the attacker gains full control of the PC. An attacker can trigger this flaw using just about any Office document, including Word, PowerPoint, and Excel documents.

Solution Path:

Microsoft has released patches to fix this vulnerability. You should download, test, and deploy the appropriate Office and VBA patches as soon as possible, or let Windows Automatic Update do it for you.

For All WatchGuard Users:

You can configure certain WatchGuard Firebox models to block Microsoft Office documents, such as Word, PowerPoint, and Excel documents. However, most organizations need to allow Office documents in order to conduct business. Therefore, Microsoft patches are your best recourse.

Nonetheless, if you do want to block Office documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block files by extension. Some of the file extensions you’d want to block include:

  • .doc
  • .docx
  • .ppt
  • .pptx
  • .xls
  • .xlsx

Keep in mind, blocking files by extension blocks both malicious and legitimate documents.

Status:

Microsoft has released patches to fix this vulnerability.

Code Execution Vulnerability in Outlook Express and Windows Mail

Summary:

  • This vulnerability affects: The email client shipping with any current version of Windows (Outlook Express or Windows Mail), as well as Windows Live Mail
  • How an attacker exploits it: By enticing one of your users to connect to a malicious POP3 or IMAP email server (or by performing a man-in-the-middle attack against a legitimate one)
  • Impact: An attacker can execute malicious code, potentially gaining full control of your user’s computer
  • What to do: Download, test, and install Microsoft’s email client updates as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Windows has long shipped with a free email client that retrieves your email from a mail server. Older versions of Windows came with Outlook Express, Windows Vista comes with Windows Mail, and Windows 7 users typically install Windows Live Mail, which Microsoft offers as a free download.

In a security bulletin released during patch day, Microsoft describes a new integer overflow vulnerability that affects Outlook Express and Windows Mail. By sending a specially crafted POP3 or IMAP response to one of your user’s email clients, an attacker can trigger this integer overflow flaw to execute code on that user’s computer, with that user’s privileges. As is typical with Windows vulnerabilities, if your users have local administrative privileges, the attacker could leverage this flaw to gain complete control of their PC.

However, in order to send a malicious POP3 or IMAP response to an email client, an attacker has to somehow convince the victim to configure their mail client to connect to a malicious email server. That is a lot easier said than done. An attacker might also leverage this flaw using a man-in-the-middle attack. If the attacker could place himself between the victim and the victim’s email server and intercept the victim’s email traffic, he could alter the real mail server’s responses in a way that triggers this vulnerability. Note that this only works against unencrypted POP3 and IMAP sessions; a client connecting over SSL/TLS and checking the server’s certificate would reject the tampered responses. This sort of attack is also somewhat difficult to pull off in the real world. These factors lessen the risk of this vulnerability to some degree.

Solution Path:

Microsoft has released Outlook Express and Windows Mail updates to fix this vulnerability. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Automatic Update do it for you.

For All WatchGuard Users:

Some WatchGuard appliances include a POP3 proxy. It is often possible to configure WatchGuard’s proxies to block certain application layer attacks. However, to do this you usually need to know the vulnerability’s underlying technical details. Unfortunately, Microsoft’s bulletin doesn’t share any specific details about how an attacker might alter the POP3 and IMAP responses. Without these technical details, it’s hard to say whether or not our POP3 proxy can help. For that reason, Microsoft’s patches are your best solution.
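As an added example of the kind of generic application-layer check a POP3 proxy can apply even without vendor details, the following Python (written for this article; it is not WatchGuard’s proxy implementation, and it is not a signature for the Microsoft flaw, whose trigger is not public) enforces the limits RFC 1939 places on server responses: a +OK or -ERR status line, a 512-byte line limit including CRLF, printable ASCII only, and CRLF.CRLF termination with dot-stuffing for multi-line replies. The sample responses are constructed, not captured traffic.

```python
import re

# RFC 1939, section 3: a server response line may be at most 512 characters
# including the terminating CRLF, and multi-line responses end with CRLF.CRLF.
MAX_RESPONSE_LINE = 512
STATUS_RE = re.compile(rb"^(\+OK|-ERR)( [\x20-\x7e]*)?$")


def check_pop3_response(raw, multiline=False):
    """Return a list of RFC 1939 violations found in one server response.

    raw:       the bytes the server sent back for a single command
    multiline: True if the command (LIST, RETR, TOP, UIDL, CAPA) expects a
               multi-line reply terminated by CRLF.CRLF
    """
    problems = []
    if not raw.endswith(b"\r\n"):
        return ["response is not CRLF-terminated"]
    lines = raw.split(b"\r\n")[:-1]          # drop the empty tail after the last CRLF
    status = lines[0]
    if not STATUS_RE.match(status):
        problems.append("status line is not +OK/-ERR followed by printable text")
    for n, line in enumerate(lines):
        if len(line) + 2 > MAX_RESPONSE_LINE:
            problems.append(f"line {n} is {len(line) + 2} bytes, limit is {MAX_RESPONSE_LINE}")
        if any(b < 0x20 or b == 0x7F for b in line):
            problems.append(f"line {n} contains control characters")
    if multiline and status.startswith(b"+OK"):
        if lines[-1] != b".":
            problems.append("multi-line response lacks the CRLF.CRLF terminator")
        # Body lines that begin with a dot must be byte-stuffed with a second dot.
        for n, line in enumerate(lines[1:-1], start=1):
            if line.startswith(b".") and not line.startswith(b".."):
                problems.append(f"line {n} has an unstuffed leading dot")
    return problems


# Constructed sample responses (not captured traffic).
SAMPLE_STAT = b"+OK 2 320\r\n"
SAMPLE_LIST = b"+OK 2 messages (320 octets)\r\n1 120\r\n2 200\r\n.\r\n"
SAMPLE_OVERLONG = b"+OK " + b"A" * 2000 + b"\r\n"          # far beyond the 512-byte limit
SAMPLE_BAD_STATUS = b"+OKAY 1 100\r\n"
SAMPLE_UNSTUFFED = b"+OK 1 message\r\n.hidden\r\n.\r\n"

if __name__ == "__main__":
    for name, raw, multi in [("STAT", SAMPLE_STAT, False), ("LIST", SAMPLE_LIST, True),
                             ("OVERLONG", SAMPLE_OVERLONG, False),
                             ("BAD_STATUS", SAMPLE_BAD_STATUS, False),
                             ("UNSTUFFED", SAMPLE_UNSTUFFED, True)]:
        print(name, check_pop3_response(raw, multi) or "ok")
```

A proxy that drops or truncates a session on any violation blocks a whole class of malformed responses (over-long lines, non-printable bytes, broken framing) regardless of which parser bug they target; it cannot tell you whether the particular overflow Microsoft fixed is reachable within those limits.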

Status:

Microsoft has released patches to fix this vulnerability.

WatchGuard’s DNS Proxy Supports DNSSEC

On Wednesday May 5, the Internet Corporation for Assigned Names and Numbers (ICANN) and its partners plan to complete the first phase of DNSSEC introduction by rolling DNSSEC out to all thirteen of the Internet’s root DNS servers. DNSSEC makes some significant changes to the way typical DNS traffic “looks” to networking devices. As a result, some experts worry that certain networks and devices may not handle DNSSEC traffic properly after this change, potentially preventing you from resolving domain names and thus from reaching the Internet. Below, we list a few of the DNSSEC changes that could affect some of your networking gear. However, the main point of this alert is to inform you that WatchGuard’s Firebox and XTM appliances should handle the DNSSEC changes without problem, whether you use our packet-filter or proxy DNS policies.

As you probably know, the Domain Name System (DNS) is an Internet protocol that makes it possible for computers to learn the IP address associated with a human readable name, called a domain name. While DNS works well, over the years experts have realized that the protocol isn’t entirely secure. In fact, in the middle of 2008, a well-known security researcher named Dan Kaminsky warned the world of some underlying flaws in the DNS protocol that could allow attackers to perform DNS cache poisoning attacks. You can learn more about these flaws in this alert, or this Radio Free Security episode. Some of Kaminsky’s flaws were fixable. However, at least one flaw was a core vulnerability in the underlying DNS protocol itself. Kaminsky’s attack illustrated to the world that we simply needed a more secure DNS standard.

DNSSEC is that new standard. Specifically, it is a set of extensions to the DNS protocol that add origin authentication and integrity protection to DNS data. In a nutshell, each zone operator signs its DNS records with a private key and publishes the matching public key in DNS, so a validating resolver can check the signature (an RRSIG record) that accompanies a response and confirm that the records really came from the zone’s authoritative source and weren’t altered in transit; each zone’s key is in turn vouched for by its parent, up to the signed root. Without getting too deep into the technical details, DNSSEC changes the way DNS traffic looks in the following ways:

  • DNS responses will be significantly larger, to make room for signatures and keys, and will regularly exceed the traditional 512-byte limit for DNS over UDP
  • Large UDP responses may arrive as multiple IP fragments, which rarely happened with the small packets used by traditional DNS
  • DNS will fall back to TCP more often; when a response won’t fit in the buffer size the client advertised, the server sets the truncated (TC) flag and the client retries the query over TCP port 53
  • DNS queries and responses will carry an EDNS0 OPT record (with the DNSSEC OK, or DO, bit set), which is how a client advertises that it accepts larger responses and wants signatures included

If you have any network devices, like routers or firewalls, that parse DNS traffic to look for anomalies, they may have trouble with these changes. For instance, a device may drop DNS responses larger than 512 bytes, block fragmented IP traffic, refuse DNS over TCP, or fail to parse the EDNS0 OPT record. In those cases, the device may prevent your DNS clients or DNS server from communicating with the root DNS servers after May 5th. If you use any network devices that parse or filter DNS traffic, we highly recommend you check those devices’ compatibility with DNSSEC.
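To make the wire-level changes above concrete, here is a small added example, written for this article (it is not WatchGuard code and not taken from any RFC), using only Python’s standard library. It builds a query carrying an EDNS0 OPT record with the DO bit, parses a response to report the OPT record, any RRSIG records and the TC flag, and shows the 2-byte length framing a client uses when it retries over TCP. The response it parses is constructed inline; the RRSIG signature bytes are placeholder zeros, not a real signature, and the AD flag is set only for illustration.

```python
import struct

# Wire-format constants from RFC 1035 (DNS), RFC 6891 (EDNS0) and RFC 4034 (RRSIG).
QTYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
FLAG_QR = 0x8000
FLAG_TC = 0x0200   # truncated: the answer did not fit, client should retry over TCP
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # authenticated data (set by a validating resolver)
EDNS_DO = 0x8000   # DNSSEC OK bit, in the low 16 bits of the OPT record's TTL field


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def opt_record(udp_size=4096, do=True):
    """EDNS0 OPT pseudo-RR: root name, TYPE=41, CLASS=advertised UDP payload size,
    TTL=extended RCODE | version | flags (DO bit), empty RDATA."""
    ttl = EDNS_DO if do else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)


def build_query(txid, name, qtype=QTYPE_A, udp_size=4096, do=True):
    """A DNS query that asks for DNSSEC records and allows a large UDP reply."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # ARCOUNT=1 for the OPT
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt_record(udp_size, do)


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_response(data):
    """Summarise the DNSSEC-relevant features of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": txid, "size": len(data), "tc": bool(flags & FLAG_TC),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF, "rrsig": 0, "edns": None}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4             # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            info["edns"] = {"udp_size": rclass, "do": bool(ttl & EDNS_DO), "version": (ttl >> 16) & 0xFF}
        elif rtype == TYPE_RRSIG:
            info["rrsig"] += 1
        off += rdlen
    return info


def next_transport(info):
    """A client retries over TCP when the server set TC; otherwise the UDP answer stands."""
    return "tcp" if info["tc"] else "udp"


def build_sample_response(txid, name, truncated=False):
    """Constructed response for illustration: an A record plus its RRSIG and an OPT record.
    The 128 zero bytes stand in for a signature; nothing here is cryptographically valid."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD | (FLAG_TC if truncated else 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    owner = b"\xc0\x0c"                                  # pointer to the QNAME at offset 12
    a_rr = owner + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    # RRSIG RDATA: type covered, algorithm (8 = RSA/SHA-256), labels, original TTL,
    # expiration, inception, key tag, signer's name, signature.
    rdata = (struct.pack("!HBBIIIH", QTYPE_A, 8, 2, 300, 1276000000, 1275000000, 12345)
             + encode_name("example.com") + bytes(128))
    rrsig_rr = owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    answer = b"" if truncated else a_rr + rrsig_rr      # a truncated reply carries no answer
    header = struct.pack("!HHHHHH", txid, flags, 1, 0 if truncated else 2, 0, 1)
    return header + question + answer + opt_record(4096, True)


if __name__ == "__main__":
    query = build_query(0x1234, "example.com")
    print("query bytes:", len(query), "tcp-framed:", len(tcp_frame(query)))
    print("full reply :", parse_response(build_sample_response(0x1234, "example.com")))
    print("truncated  :", parse_response(build_sample_response(0x1234, "example.com", truncated=True)))
```

Even this toy signed answer for a single A record is 227 bytes with a 128-byte placeholder signature; a real 2048-bit RSA signature, plus the DNSKEY and DS records a validator fetches, is what pushes production responses past 512 bytes. A device that cannot pass the OPT record, a response of that size, its IP fragments, or the TCP retry that follows a TC flag is exactly the kind of gear the paragraph above warns about.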

In that respect, WatchGuard’s Firebox and XTM appliances should NOT have any issues with these new DNSSEC packets. WatchGuard has verified that DNSSEC queries work through our XTM appliances running the latest firmware, and further verified the queries work fine through both our DNS proxy and DNS packet filter policies. We tested both incoming and outgoing DNSSEC queries, with our DNS server on both the trusted and external networks. In all cases, our appliance had no problems passing DNSSEC queries. Your WatchGuard Firebox should not have any issues with the DNSSEC changes coming this Wednesday.

If you are interested in all the gory technical details about DNSSEC, see this RFC. Also, if you want to learn more about how these DNSSEC changes might affect your other networking devices, we recommend these informational links [ 1 / 2 ].

As always, if you have any Firebox or XTM related issues, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375
