Archive | August, 2010

QuickTime Movie Handling Vulnerability Only Affects Windows Users

Severity: Medium

13 August, 2010

Summary:

  • These vulnerabilities affect: QuickTime 7.6.6 and earlier for Windows (Mac version is unaffected)
  • How an attacker exploits them: By enticing your user into viewing a maliciously crafted movie
  • Impact: An attacker could execute code on your user’s computer, potentially gaining control of it
  • What to do: Download and install QuickTime 7.6.7 for Windows or let Apple’s Software Update tool do it for you at your earliest convenience

Exposure:

Late yesterday, Apple released a security update to fix a single vulnerability in the Windows version of QuickTime, its popular media player. According to Apple, the error logging component in QuickTime suffers from a buffer overflow vulnerability. By luring one of your users into viewing a maliciously crafted movie, an attacker can exploit this buffer overflow to execute code on that user’s computer, with that user’s privileges. Since most Windows users have local administrative privileges, attackers could often leverage this flaw to gain complete control of Windows machines.

Though Apple’s QuickTime update only fixes one security flaw, it is a fairly risky one. If you use QuickTime in your network, we recommend you update it at your earliest convenience.

Solution Path:

Apple has released QuickTime 7.6.7 to fix this security issue. Windows administrators who allow QuickTime in their network should download, test, and deploy the updated version at their earliest convenience. By default, Apple’s download bundles iTunes with QuickTime, but because iTunes often has security issues of its own, we recommend that you select the option of downloading QuickTime alone.

For WatchGuard Users:

You can mitigate the risk of this flaw by blocking .mov files with your WatchGuard appliance. QuickTime is primarily used to play .mov files, which is likely the type of movie file an attacker would leverage to exploit this flaw. You can use the HTTP, SMTP, and FTP proxy on some WatchGuard appliances to block files by their extension. If you want to block QuickTime movie files, the links below contain video instructions showing how to block them by extension (.mov). Keep in mind, this technique also blocks legitimate movies as well.

Status:

Apple has released an update to fix this issue.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Eleven Windows Bulletins Patch 23 Security Vulnerabilities

Bulletins Affect SMB Server, XML Core Services, the Kernel, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (one flaw also affects Microsoft Silverlight)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, or enticing your users to open malicious media
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

(Editor’s note: Due to an unforeseen technical difficulty, we were unable to post and email the LiveSecurity alerts that were written for Microsoft Patch Day. Please see yesterday’s Wire post)

Today, Microsoft released eleven security bulletins describing 23 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-054: Three SMB Server Vulnerabilities

Microsoft Server Message Block (SMB) is the protocol Windows uses for file and print sharing. According to Microsoft, the Windows SMB Server suffers from three security vulnerabilities, one of which could allow attackers to execute malicious code. Though the flaws differ technically, an attacker could exploit them all in the same way. By sending a specially crafted SMB message, an attacker can exploit the worst of these flaws to gain complete control of a vulnerable Windows computer. The remaining two SMB Server flaws only result in Denial of Service (DoS) situations. Attackers often leverage this type of SMB Server vulnerability to help their malware propagate automatically within local networks. We recommend you apply this update immediately.
Microsoft rating: Critical.

  • MS10-049: SChannel Code Execution Vulnerability

The Secure Channel (SChannel) is a Windows security package that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication protocols. According to today’s bulletin, SChannel suffers from two security vulnerabilities. By luring one of your users to a specially crafted website, an attacker could leverage the worst of these two flaws to execute code with full system privileges, gaining complete control of that user’s computer. This update also fixes the TLS/SSL renegotiation vulnerability that attackers could leverage for a Man-in-the-Middle (MitM) attack on secured connections.
Microsoft rating: Critical.
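The renegotiation fix in MS10-049 implements RFC 5746, and the practical question for an administrator is whether a given server now advertises it. The following Python script is an added example, not part of the original alert and not a Microsoft tool: it sends a minimal TLS 1.2 ClientHello carrying both RFC 5746 signals (the 0x00FF SCSV cipher suite and an empty renegotiation_info extension) and parses the ServerHello for the renegotiation_info extension. The sample ServerHello used for the offline check is constructed, not a real capture. The hello deliberately omits extensions (signature_algorithms, supported_groups) that some modern servers require, so a rejection shows up as an alert record, which the parser reports as an error rather than as a missing extension.

```python
"""Check whether a TLS server advertises RFC 5746 secure renegotiation.

Added example, not from the original alert. Only probe() touches the network;
everything else works on bytes so it can be exercised offline.
"""
import os
import socket
import struct
import sys
from typing import Dict

HANDSHAKE = 0x16                      # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
SERVER_NAME = 0x0000                  # SNI extension type
RENEGOTIATION_INFO = 0xFF01           # extension type, RFC 5746
RENEGOTIATION_SCSV = 0x00FF           # TLS_EMPTY_RENEGOTIATION_INFO_SCSV


def build_client_hello(host: str) -> bytes:
    """Minimal TLS 1.2 ClientHello that signals RFC 5746 support both ways:
    the SCSV in the cipher-suite list and an empty renegotiation_info extension."""
    suites = [0x003C, 0x002F, 0x0035, RENEGOTIATION_SCSV]   # RSA/AES suites + SCSV
    cipher_suites = b"".join(struct.pack("!H", s) for s in suites)
    hostname = host.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname
    sni = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = (struct.pack("!HH", SERVER_NAME, len(sni)) + sni
            + struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00")
    body = (b"\x03\x03" + os.urandom(32)            # client_version, client_random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                           # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello_extensions(record: bytes) -> Dict[int, bytes]:
    """Map extension type -> data for the ServerHello in a handshake record.

    Layout (TLS 1.0-1.2): 5-byte record header, 4-byte handshake header, then
    version(2) random(32) session_id(1+n) cipher_suite(2) compression(1)
    and an optional extensions block (2-byte length + entries)."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record (alert or garbage?)")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("first handshake message is not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32
    pos += 1 + hello[pos]                 # session_id
    pos += 2 + 1                          # cipher_suite, compression_method
    exts: Dict[int, bytes] = {}
    if pos >= len(hello):                 # pre-extension server: nothing advertised
        return exts
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    return exts


def supports_secure_renegotiation(record: bytes) -> bool:
    """True when the ServerHello carries renegotiation_info. On an initial
    handshake its body must be exactly one zero byte (empty renegotiated_connection)."""
    return parse_server_hello_extensions(record).get(RENEGOTIATION_INFO) == b"\x00"


def _recv_exactly(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Send the ClientHello and inspect the first record the server returns."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        header = _recv_exactly(sock, 5)
        body = _recv_exactly(sock, struct.unpack("!H", header[3:5])[0])
    return supports_secure_renegotiation(header + body)


def sample_server_hello(with_reneg: bool) -> bytes:
    """Constructed ServerHello (not a capture) for offline checks."""
    exts = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00" if with_reneg else b""
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 0x002F) + b"\x00"
            + (struct.pack("!H", len(exts)) + exts if exts else b""))
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(target, "secure renegotiation:", probe(target))
```

Run it as a script with a host name to probe a live server; a server that still only implements the old, insecure renegotiation answers without the extension, and a patched one returns the single zero byte the check looks for.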

  • MS10-051: XML Core Services Code Execution Vulnerability

Microsoft XML (MSXML) Core Services is a Windows component that handles XML content. Unfortunately, it suffers from a memory corruption vulnerability involving the way it handles specially malformed HTTP responses. By enticing one of your users to visit a malicious website, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical.

  • MS10-052: MP3 Codecs Buffer Overflow Vulnerability

MPEG Layer-3, otherwise known as MP3, is an audio encoding format used to compress audio for playback on digital devices, like computers. Windows ships with codecs used to decode and play back MP3 audio within music files or videos. Windows’ MP3 codecs suffer from a buffer overflow vulnerability, involving their inability to handle specially crafted audio files. By luring one of your users into downloading and playing a specially crafted audio file, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. This flaw only affects Windows XP and Server 2003.
Microsoft rating: Critical.

  • MS10-055: Cinepak Codec Code Execution Vulnerability

Cinepak is another media encoding and decoding codec used to compress video for playback on digital devices, like computers. Windows ships with the Cinepak codec to handle video files encoded using this codec. Unfortunately, the Windows Cinepak codec suffers from an unspecified vulnerability involving its inability to handle specially crafted video files. By luring one of your users into downloading and playing a specially crafted video file, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. This flaw only affects the client versions of Windows (XP, Vista, and 7).
Microsoft rating: Critical.

  • MS10-060: Code Execution Vulnerabilities in Microsoft .NET Framework and Silverlight

Microsoft Silverlight and the .NET Framework are two optional Windows components used to help developers create rich web applications. Windows doesn’t ship with these components by default, but many users install them. Both components suffer from two code execution vulnerabilities. Though the flaws differ technically, an attacker can exploit them in the same way, with generally the same result. By enticing your user to a website containing a specially crafted web application, an attacker could exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. As usual, attackers could gain complete control of the computer if the user has local administrative privileges.
Microsoft rating: Critical

  • MS10-047 & MS10-048: Multiple Windows Kernel Elevation of Privilege and DoS Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode driver (win32k.sys) that implements the Windows GUI subsystem (window management and GDI). The Windows kernel and this kernel-mode driver suffer from multiple Denial of Service (DoS) and elevation of privilege vulnerabilities. Though these flaws differ technically, most of them share the same scope and impact. By running a specially crafted program, an attacker could leverage these flaws to either crash or lock up your computer, or to gain complete control of it. However, the attacker would first need to log into your Windows computer using valid credentials. This requirement significantly reduces the risk of these flaws.
Microsoft rating: Important

  • MS10-050: Windows Movie Maker Memory Corruption Vulnerability

Windows Movie Maker is a video capturing and editing application that ships free with Windows XP and Windows Vista. Windows 7 does not include it; instead, you have the option to download Windows Live Movie Maker for free as part of the Windows Live Essentials package. Movie Maker suffers from a memory corruption vulnerability involving its inability to properly parse specially crafted project files. If an attacker can entice you to download a specially crafted project file, then open that file in Movie Maker or Microsoft Producer, he can exploit this flaw to execute code on your computer, with your privileges. If you have local administrative privileges, the attacker gains full control of your computer. This flaw does not affect the Windows Live Movie Maker version used on Windows 7.
Microsoft rating: Important.

  • MS10-058: Multiple Windows TCP/IP Vulnerabilities

The TCP/IP stack that ships with many versions of Windows suffers from an Elevation of Privilege (EoP) vulnerability and a Denial of Service (DoS) vulnerability. By sending specially crafted IPv6 packets, an attacker could leverage the DoS flaw to cause your Windows systems to become unresponsive. Exploiting the EoP vulnerability is a little more difficult. In order to exploit this flaw, an attacker would need to log into an affected system using valid Windows credentials, and then execute a specially crafted program on the local computer. However, doing so gives the attacker complete control of that computer, regardless of the privileges of the user account he logged in with.
Microsoft rating: Important.

  • MS10-059: Tracing Feature for Services Elevation of Privilege Vulnerabilities

Windows ships with a component called the Tracing Feature for Services. This component suffers from two technically different vulnerabilities that share the same scope and impact. If an attacker can log into an affected Windows system using valid Windows credentials, he can execute a specially crafted program that gives him complete control of that computer, regardless of the privileges of the user account he logged in with.
Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-054:

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

MS10-049:

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

MS10-051:

Microsoft XML Core Services 3.0 for:

MS10-052:

Note: Other versions of Windows are not affected.

MS10-055:

Note: Other versions of Windows are not affected.

MS10-060:

MS10-047:

Note: Other versions of Windows are not affected.

MS10-048:

MS10-050:

Updates for Movie Maker:

MS10-058:

Note: Other versions of Windows are not affected.

MS10-059:

Note: Other versions of Windows are not affected.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. In fact, by default your Firebox will block the inbound network access required by most of the Microsoft flaws that need it, specifically the SMB-related vulnerabilities. You can also configure your Firebox to block the file types necessary to carry out some of these attacks (.AVI, .MP3 files, etc.). That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Vulnerabilities in Word and Excel Document Parsing

Severity: High

10 August, 2010

Summary:

  • These vulnerabilities affect: All current versions of Microsoft Office for Windows and Mac (specifically Word and Excel)
  • How an attacker exploits them: By enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches immediately

Exposure:

(Editor’s note: Due to an unforeseen technical difficulty, we were unable to post and email the LiveSecurity alerts that were written for Microsoft Patch Day. Please see yesterday’s Wire post)

Today, Microsoft released two security bulletins describing five vulnerabilities found in components or programs that ship with Microsoft Office for Windows and Mac. Some of the vulnerabilities also affect Word Viewer, the Office Compatibility Packs, and the Open XML File Format Converter for Mac. Each vulnerability affects different versions of Office to a different extent. The five flaws affect different components and applications within Office, but the end result is always the same – by enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

According to Microsoft’s bulletins, an attacker can exploit these flaws using two types of Office documents: Word (.doc) and Excel (.xls). So beware of all unexpected documents you receive with these file extensions.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS10-056: Multiple Word Code Execution Vulnerabilities, rated Critical
  • MS10-057: Excel Code Execution Vulnerability, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

Word update for:

Excel update for:

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Word and Excel documents, some organizations need to allow them in order to conduct business. Therefore, these patches are your best recourse. Temporarily though, you may still want to block these Office documents until you are able to install Microsoft’s patches.

If you want to block Word and Excel documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .doc and .xls files by their file extensions:

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Adobe Patch Day Delivers Flash and ColdFusion Security Updates

Emergency Reader Update Expected Later this Month

11 August, 2010

Summary:

  • These vulnerabilities affect: Adobe Flash Player, Adobe AIR, Flash Media Server, and ColdFusion for Windows, Mac, and UNIX computers
  • How an attacker exploits them: Multiple vectors, such as enticing your users to a malicious website or sending malicious requests to your web server
  • Impact: Various; in the worst case an attacker can execute code on your computer or server, potentially gaining control of it
  • What to do: Install Adobe’s updates as soon as possible or let Adobe’s Updater do it for you

Exposure:

Yesterday, Adobe released three security bulletins describing 11 vulnerabilities (based on CVE numbers) that affect various Adobe Products, including Flash Player, Flash Media Server, and ColdFusion running on all platforms; many of them critical. We summarize these bulletins below.

  • APSB10-16: Adobe Flash Player Security Update

Affects: Adobe Flash Player 10.1.53.64 and Adobe AIR 2.0.2.12610 and earlier, running on all platforms (Win, Mac, Linux, and Solaris)

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia states that 99% of Windows computers have Adobe Flash Player installed, so your users very likely have it. Adobe’s update fixes six security vulnerabilities in Flash Player, which they don’t describe in much technical detail. However, they do describe the general scope and impact of these flaws. In the worst case, if an attacker can lure one of your users to a malicious website, he could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged-in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.
Adobe rating: Critical.

  • APSB10-19: Adobe Flash Media Server Security Update

Affects: Adobe Flash Media Server (FMS) 3.5.3 and 3.0.5 and earlier, running on Windows and Linux platforms

Adobe Flash Media Server is a product specifically designed to help you stream Flash media over the web. According to Adobe, it suffers from four unspecified security vulnerabilities. Three of the vulnerabilities can lead to Denial of Service (DoS) situations, while the fourth could allow a remote attacker to execute code on your Flash Media Server. Unfortunately, Adobe doesn’t describe exactly how an attacker might exploit these vulnerabilities. We assume they’d have to send some sort of specially crafted request to the Flash Media Server. Adobe also doesn’t explicitly state what level of privilege an attacker’s code would execute with. However, they do assign a Critical rating to this flaw. Without these details we can only assume that an attacker could leverage it to gain full control of a Flash Media Server.
Adobe rating: Critical.

  • APSB10-18: Adobe ColdFusion Security Hotfix

Affects: Adobe ColdFusion 9.0.1 and earlier, running on all platforms (Win, Mac, and UNIX)

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from an unspecified directory traversal vulnerability. Directory traversal is a class of vulnerability in which an attacker supplies a path (typically containing “../” sequences) that a web application passes to the filesystem without proper validation, letting him read files from directories on the server that he should not have access to, and potentially exposing sensitive information. Adobe’s bulletin shares very little about the scope of this flaw, so we’re unsure how easy or hard it is for attackers to leverage.
Adobe rating: Important.
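Directory traversal is generic enough to show in any language. The following Python is an added example, not ColdFusion code and not derived from Adobe’s hotfix: it puts a naive path join beside a hardened resolver, and scans web-server access-log lines for the raw and URL-encoded forms of the traversal sequence so you can spot probing against a server you have not yet patched. WEB_ROOT, the request paths and the log lines are all constructed for the demonstration.

```python
"""Path traversal: a naive join beside a hardened resolver, plus a scan of
access-log lines for traversal sequences. Added example, not ColdFusion code;
WEB_ROOT and the log lines are constructed for the demonstration."""
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"        # hypothetical document root


def vulnerable_resolve(user_path: str) -> str:
    """Naive join: '../' segments walk straight out of the document root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def safe_resolve(user_path: str, root: str = WEB_ROOT) -> str:
    """Return an absolute path under `root`, or raise ValueError.

    Decodes twice to catch double-encoded '%252e%252e', rejects NUL bytes
    (used to truncate paths in C-backed runtimes), treats backslashes as
    separators, refuses any '..' segment outright, and re-checks the final
    path as defence in depth. On a live filesystem also apply os.path.realpath
    to the result so a symlink under root cannot point outside it.
    """
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    segments = [s for s in decoded.replace("\\", "/").split("/") if s not in ("", ".")]
    if ".." in segments:
        raise ValueError("parent-directory reference in path")
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes root")
    return candidate


# Raw and URL-encoded forms of '../' and '..\' as they appear in access logs.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e|%252e%252e)(?:/|\\|%2f|%5c|%252f|%255c)", re.I)
# Common log format: ip ident user [timestamp] "METHOD target HTTP/x" status size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')


def traversal_attempts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, request_target) for each line carrying a traversal sequence."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        if TRAVERSAL_RE.search(target) or TRAVERSAL_RE.search(unquote(target)):
            hits.append((ip, target))
    return hits


# Constructed sample log (not a real capture).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Aug/2010:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Aug/2010:14:02:13 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1043',
    '203.0.113.5 - - [10/Aug/2010:14:02:15 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    print("naive:", vulnerable_resolve("../../etc/passwd"))   # lands in /srv/etc/passwd
    print("safe: ", safe_resolve("css/site.css"))
    for ip, target in traversal_attempts(SAMPLE_LOG):
        print("traversal attempt from", ip, "->", target)
```

The resolver rejects rather than silently normalises, because a request that contains “..” after decoding has no legitimate purpose and is worth logging; the second log line above shows why the scanner has to look at the target both raw and decoded.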

Besides the three full security bulletins, Adobe also released an early bulletin announcing an upcoming Adobe Reader update that they plan to release later this month. Among other things, this update will include a fix for a PDF-related vulnerability that researcher Charlie Miller disclosed at the Black Hat 2010 security conference. We expect Adobe to release that update on or around August 16, and will publish another alert when they do.

Solution Path

Adobe has released updates to correct the issues in all these products. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods, many of which leverage normal HTTP traffic that most administrators must allow. Therefore, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches that correct these vulnerabilities.

References:

  • APSB10-16: Adobe Flash Player Security Updates
  • APSB10-19: Adobe Flash Media Server Security Updates
  • APSB10-18: Adobe ColdFusion Security Hotfix

This alert was researched and written by Corey Nachreiner, CISSP.

Cumulative IE Patch Corrects Multiple Memory Corruption Flaws

Severity: High

10 August, 2010

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer, running on all current versions of Windows
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: Various; in the worst case an attacker can execute code on your user’s computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes six new vulnerabilities in Internet Explorer (IE) 8.0 and earlier versions, running on all current versions of Windows (including Windows 7 and Windows Server 2008). Microsoft rates the aggregate severity of these new flaws as Critical.

The six vulnerabilities differ technically, but five of them share the same general scope and impact. These five issues involve various memory corruption flaws having to do with how IE handles various HTML elements and objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

The remaining vulnerability is a cross-site or cross-domain scripting (XSS) flaw. Among other things, an attacker might leverage this type of vulnerability to view information (such as cookies) from another domain or site, which he shouldn’t have access to, or to execute scripts with another domain or site’s privileges.

Keep in mind, today’s attackers commonly hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and XSS attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you. By the way, Microsoft no longer supports Windows 2000 and IE 5.x. If you still run a legacy version of IE or Windows, we highly recommend you update in order to get the latest security updates.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Out-of-Cycle Update Fixes Shortcut Icon Vulnerability

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: Various ways, including enticing you into downloading a specially crafted shortcut and browsing the directory containing it
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install Microsoft’s out-of-band Windows update immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released an out-of-cycle security bulletin to fix a significant Windows vulnerability that has gotten a lot of media attention, and which attackers have exploited in the wild via a worm and other malware. Microsoft rates this update as Critical.

The vulnerability has to do with how the Windows Shell handles shortcut icons (.lnk files). Essentially, if an attacker can somehow get a specially crafted shortcut file (.lnk) onto one of your user’s computers, and then entice that user to browse to the directory containing the malicious shortcut from within Windows Explorer, the attacker can exploit this flaw to execute malicious code on that user’s computer with that user’s privileges. As with most Windows vulnerabilities, if your users have local administrator privileges, attackers could leverage this flaw to gain complete control of their computers.

On the surface, this vulnerability doesn’t seem overly critical. At first, it seems like a local vulnerability, not a remote one. For instance, it requires that an attacker get a malicious shortcut file onto a user’s local computer, and then that the user interact with the folder containing the file. In order to get such a malicious .lnk file onto one of your user’s computers, an attacker would either have to entice your user to download a shortcut, leverage some other flaw (assuming one exists) that gives him remote access to your user’s file system, or leverage existing Windows file shares to copy the malicious file (assuming the attacker has access to your local network and file shares). All of these factors should mitigate the risk of this particular flaw, and lessen its severity. However, Microsoft has also learned that in some cases attackers can exploit this flaw in drive-by download attacks. If an attacker creates a malicious web page with a specially embedded shortcut, simply visiting the page in Internet Explorer can trigger this flaw. Attackers could even embed a malicious .lnk in an Office document. Finally, real-world malware has proven that this particular flaw has fangs.

According to researchers, a worm spreading in the wild called Stuxnet leverages this shortcut vulnerability to help it spread within local networks once it has infected some victim. If Stuxnet somehow infects one of your user’s computers (for instance, a roving laptop that a user walks into your local network), that computer will do two things: it will search for Windows network shares and try to copy its malicious .lnk file to those shares, and it will also add its malicious .lnk file to any USB storage device plugged into the infected machine. This causes anyone who browses the affected share directory or USB drive to become infected with Stuxnet. With the USB vector, if your users have Windows Autorun or Autoplay enabled, they can become infected simply by plugging in an infected USB storage device, since Windows then opens the drive in Explorer for them. Keep in mind, Stuxnet does not leverage the shortcut vulnerability to infect its first victim. It needs to exploit some other flaw or social engineering trick to infect its first victim. However, once it gets onto one computer in your network, the shortcut flaw helps it spread quickly throughout your local network, as the German engineering company Siemens AG regrettably found out recently.

According to Microsoft, other malware authors have already caught on to this .lnk file trick and have incorporated similar spreading techniques into other worms, like Sality. Despite the fact that, on the surface, this vulnerability shouldn’t pose a huge threat, attackers have found novel ways to leverage it that have proven very effective in the real world. Large organizations have already fallen victim to malware leveraging this flaw, and the vulnerability poses a very serious risk. For that reason, we highly recommend you download, test, and deploy Microsoft’s update immediately.

Solution Path:

Microsoft has released an out-of-cycle patch for Windows that corrects this vulnerability. You should download, test, and deploy it immediately, or let Windows Automatic Update do it for you.

MS10-046:

For All WatchGuard Users:

You can somewhat mitigate the risk of this flaw by blocking .lnk files with your WatchGuard appliance. You can use the HTTP, SMTP, and FTP proxy on some WatchGuard appliances to block files by their extension. However, there are many ways that an attacker might sneak a malicious .lnk file into your network. Therefore, the patches above are still your best recourse.

Nonetheless, if you want to block Windows shortcuts, the links below contain video instructions showing how to block them by extension (.lnk). Keep in mind, this technique also blocks legitimate shortcuts as well. That said, there really is no legitimate reason for your users to download shortcuts from the Internet.
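Extension blocking, as recommended here for .lnk files and in the QuickTime alert earlier on this page for .mov files, stops only files whose names are honest; nothing prevents an attacker from renaming a shortcut to invoice.pdf before it crosses the proxy. The following Python is an added example, not WatchGuard code and not part of the original alert: it identifies Shell Link files by their fixed header (HeaderSize 0x4C followed by the ShellLink CLSID) and QuickTime files by their leading atom, so a renamed .lnk is still flagged and a share or USB mount can be swept after the fact. The sample byte strings are constructed, not real files; scan_directory is the one function that reads a real filesystem.

```python
"""Identify Windows shortcut (.lnk) and QuickTime (.mov) files by content
rather than by file extension. Added example, not WatchGuard code; the sample
byte strings are constructed, not real files."""
import os
from typing import Iterable, List, Optional, Tuple

# Shell Link header: HeaderSize 0x0000004C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (mixed-endian) layout.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# QuickTime / ISO base media files start with a 4-byte size then a 4-char atom type.
QT_TOP_LEVEL_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip", b"pnot"}

BLOCKED_TYPES = {"lnk", "mov"}


def identify(data: bytes) -> Optional[str]:
    """Return 'lnk', 'mov', 'isobmff' or None from the first bytes of a file."""
    if len(data) >= 20 and data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID:
        return "lnk"
    if len(data) >= 8 and data[4:8] in QT_TOP_LEVEL_ATOMS:
        if data[4:8] == b"ftyp":
            # Major brand 'qt  ' is QuickTime proper; other brands (mp42, M4V, ...)
            # are the ISO family that QuickTime Player also opens.
            return "mov" if data[8:12] == b"qt  " else "isobmff"
        return "mov"          # legacy .mov files carry no ftyp atom
    return None


def _extension(name: str) -> str:
    return os.path.splitext(name)[1].lower().lstrip(".")


def should_block(name: str, data: bytes, blocked=BLOCKED_TYPES) -> bool:
    """Block on content type first, then fall back to the extension: a .lnk
    renamed to invoice.pdf is caught by content, an empty or unrecognised
    file named x.lnk is caught by the extension rule."""
    return identify(data) in blocked or _extension(name) in blocked


def scan(files: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every file the policy would block."""
    findings = []
    for name, data in files:
        kind, ext = identify(data), _extension(name)
        if kind in BLOCKED_TYPES and ext != kind:
            findings.append((name, f"content is {kind} but extension is .{ext or '(none)'}"))
        elif kind in BLOCKED_TYPES or ext in BLOCKED_TYPES:
            findings.append((name, f"blocked type {kind or ext}"))
    return findings


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Walk a real directory (a file share or USB mount), reading only headers."""
    def headers():
        for root, _, names in os.walk(path):
            for n in names:
                full = os.path.join(root, n)
                try:
                    with open(full, "rb") as fh:
                        yield full, fh.read(64)
                except OSError:
                    continue
    return scan(headers())


# Constructed samples: a minimal 76-byte Shell Link header renamed to look like
# a PDF, a QuickTime file with an ftyp atom, a legacy-style .mov under a .avi
# name, and a plain text file.
SAMPLES = [
    ("invoice.pdf", LNK_MAGIC + LNK_CLSID + bytes(56)),
    ("clip.mov", b"\x00\x00\x00\x14ftypqt  \x00\x00\x00\x00qt  "),
    ("old.avi", b"\x00\x00\x00\x08wide" + b"\x00\x00\x00\x10mdat"),
    ("readme.txt", b"just text\n"),
]

if __name__ == "__main__":
    for name, reason in scan(SAMPLES):
        print(f"{name}: {reason}")
```

Run scan_directory against the root of a share or a mounted USB stick after an incident; a shortcut whose content does not match its name is exactly the artifact an extension filter would have waved through.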

Status:

Microsoft has released an update to correct this serious vulnerability.

References:

