Archive | September, 2010

Out-of-Cycle Bulletin Fixes Serious ASP.NET Padding Oracle Vulnerability

Summary:

  • This vulnerability affects: All current versions of Microsoft’s .NET Framework
  • How an attacker exploits it: By sending a large number of web requests containing cipher text (and interpreting error responses)
  • Impact: In the worst case, an attacker can gain enough information to read and/or tamper with encrypted data from your web server
  • What to do: Install the proper .NET Framework update immediately (Windows Update will not push this update immediately, so you should download it manually)

Exposure:

At a cryptography conference in 2002, a researcher introduced a cryptographic “side-channel” attack called a padding oracle attack, which attackers can leverage to decrypt Cipher Block Chaining (CBC) mode encryption without knowing the encryption key. Without getting into too much technical detail, block ciphers used in CBC mode require that every message be an exact number of blocks long (a multiple of eight bytes). However, the plaintext messages you encrypt come in varying lengths that do not necessarily fit those block boundaries, so cryptographic implementations use padding to fill the unused portion of the final block. The component that checks whether a decrypted value is padded correctly, and reveals the result, is called a padding oracle. The researcher from 2002 found that by sending many incorrectly padded messages to a server, he could interpret the error messages the padding oracle returned to eventually learn enough to decrypt the server’s encrypted content without knowing the encryption key. The researcher even released a tool called Padding Oracle Exploit Tool (POET), which can be used to leverage this class of vulnerability.
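To make the mechanism concrete from the defender's side, here is an added example (constructed for this alert, not code from Microsoft or from the researchers) contrasting a decrypt routine that fails differently on bad padding and on bad data, which is exactly the oracle described above, with one that verifies a MAC over the ciphertext before decrypting and fails with a single error class. The block cipher is a toy Feistel construction on HMAC-SHA256 standing in for a real cipher; the padding and error-handling logic is the part that matters.

```python
"""Constructed CBC demo (toy Feistel cipher on HMAC-SHA256, not a real cipher):
leaky padding-then-checksum decryption beside MAC-first decryption."""
import hashlib
import hmac
import os

BLOCK = 8  # 8-byte blocks, the multiple the text above describes

class PaddingError(Exception): pass   # leaky routine: padding check failed
class MacError(Exception): pass       # leaky routine: inner checksum failed
class DecryptError(Exception): pass   # hardened routine: the only failure

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # toy Feistel round function, keyed via HMAC
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def pad(msg):  # PKCS#5/#7 style: n bytes of value n, 1 <= n <= BLOCK
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, msg):
    out, prev = b"", iv
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):  # returns the still-padded plaintext
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

# Leaky scheme: token = iv || CBC(msg || sha256(msg)[:4]), checked after decrypt.
def leaky_seal(key, msg):
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, msg + hashlib.sha256(msg).digest()[:4])

def leaky_open(key, token):
    data = unpad(cbc_decrypt(key, token[:BLOCK], token[BLOCK:]))  # PaddingError
    msg, tag = data[:-4], data[-4:]
    if tag != hashlib.sha256(msg).digest()[:4]:
        raise MacError("bad checksum")  # a second, distinguishable error class
    return msg

# Hardened scheme: token = iv || ct || HMAC(mac_key, iv || ct), checked first.
def hardened_seal(enc_key, mac_key, msg):
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, msg)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def hardened_open(enc_key, mac_key, token):
    body, tag = token[:-32], token[-32:]
    expect = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise DecryptError("invalid token")  # rejected before any decryption
    try:
        return unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
    except PaddingError:
        raise DecryptError("invalid token") from None  # same class either way

def error_classes(open_fn, token):
    """Flip one bit in each byte of a token and collect the error types the
    routine reveals; more than one class is exactly the oracle described above."""
    seen = set()
    for i in range(len(token)):
        tampered = token[:i] + bytes([token[i] ^ 0x01]) + token[i + 1:]
        try:
            open_fn(tampered)
        except Exception as exc:
            seen.add(type(exc).__name__)
    return seen
```

Run `error_classes` against each scheme: the leaky one reveals both `PaddingError` and `MacError`, the hardened one only `DecryptError`. A real implementation must also keep the response time uniform, which this toy does not address.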

More recently, at the Ekoparty security conference in Argentina, two security researchers reported that Microsoft ASP.NET suffers from this classic padding oracle attack. More specifically, they found a universal padding oracle vulnerability that supposedly affects every ASP.NET web application. They claimed attackers can leverage this flaw to decrypt cookies, view states, forms authentication tickets, membership passwords, user data, and anything else encrypted using the ASP.NET framework’s API. As a result of these researchers’ findings, Microsoft has decided to release an out-of-band security update to correct this issue.

According to Microsoft’s out-of-band security bulletin, the ASP.NET components that ship with the .NET Framework suffer from an information disclosure vulnerability due to a padding oracle flaw like the one described above. By repeatedly sending web requests containing ciphertext to a vulnerable ASP.NET web server, an attacker could interpret the error messages returned by the web server to eventually gain enough information to read or tamper with encrypted data. This would allow the attacker to gain access to significant amounts of sensitive information from your web server, and in one example, attackers even demonstrated how this leak could be leveraged to attack and potentially gain full access to the server.

Researchers have already released tools and shared examples showing how you can leverage this vulnerability. Furthermore, Microsoft has also seen evidence of attackers leveraging this flaw in the wild. If you have a web server using the .NET Framework, we highly recommend you update it immediately.

For more technical detail about this flaw, check out the articles in the References section below.

Solution Path:

Microsoft has released .NET Framework updates to fix this vulnerability. If you have web servers that use the .NET Framework, you should download, test and deploy the corresponding update immediately:

** Note: Server Core installations are not affected.

For All Users:

This attack leverages normal-looking HTTP requests, which you must allow for your users to reach the web. Therefore, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Cisco Biannual Patch Day: IOS Teeming with DoS Vulnerabilities

Summary:

  • These vulnerabilities affect: Many devices running Cisco IOS
  • How an attacker exploits them: Multiple vectors of attack; in the most common, the attacker sends specially crafted network packets
  • Impact: An attacker can cause your IOS device to reload and can repeatedly exploit these flaws to cause a Denial of Service (DoS) situation
  • What to do: Administrators who manage Cisco IOS devices should download, test, and deploy the appropriate Cisco updates as soon as possible

Exposure:

Over a year ago, Cisco implemented a twice-yearly patch cycle that falls on the fourth Wednesday of March and September. Yesterday marked another Cisco biannual patch day, for which they released six security advisories. Five of these advisories cover security vulnerabilities that affect devices running Cisco’s Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers and switches. The remaining advisory covers a flaw in Unified Communications Manager.

While Cisco’s IOS advisories differ in technical ways, all of them cover vulnerabilities that attackers could exploit in Denial of Service (DoS) attacks. For a complete list of the IOS alerts, check out Cisco’s Bundled Advisory for September 22nd. However, we summarize three of the IOS advisories below:

Cisco Document ID 112028: Three NAT-related DoS vulnerabilities.

Cisco’s Network Address Translation (NAT) component suffers from three different DoS vulnerabilities. More specifically, the three DoS vulnerabilities have to do with how IOS NAT translates SIP, H.323, and H.225.0 traffic. Though these flaws differ technically, they essentially share the same scope and impact. By sending specially crafted packets, an unauthenticated attacker can exploit any of these flaws to cause your IOS device to reload. Furthermore, if you use a Cisco IOS router as your Internet gateway, an attacker could repeatedly exploit these vulnerabilities to knock your network offline.
Base CVSS Score: 7.8 (10 being the most severe)

Cisco Document ID 112022: IOS SIP DoS vulnerabilities.

The Session Initiation Protocol (SIP) is a popular signaling standard used by many Voice over IP (VoIP) products. Unfortunately, IOS’s SIP handling implementation suffers from three unspecified DoS vulnerabilities. By sending a specially crafted SIP message to your IOS device, an attacker could exploit these vulnerabilities to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline. These vulnerabilities only affect IOS devices with SIP voice services enabled. This issue may sound similar to the flaws described above. However, these flaws actually lie within IOS’s SIP component, while the flaws above lie within IOS’s NAT component.
Average CVSS Score: 7.8

Cisco Document ID 112021: IOS H.323 DoS vulnerability.

H.323 is a standard that defines various protocols used to pass audio-visual communications across packet networks. Similar to the SIP issue above, IOS’s H.323 component suffers from two unspecified DoS vulnerabilities. By sending specially crafted H.323 packets to your IOS device, an attacker can remotely cause a DoS condition on your IOS device.
Average CVSS Score: 7.8

The remaining two IOS advisories also fix DoS flaws just as severe as the ones described above. For greater detail on all of Cisco’s September vulnerabilities, check out the individual advisories in the References section of this alert, or refer to Cisco’s bundled security advisory for September 2010. Also, if you happen to use Cisco’s Unified Communications Manager, you should check out Cisco’s advisory describing a DoS flaw in it as well.

Solution Path:

Cisco has released patches to fix these vulnerabilities. If you use any Cisco device running IOS software, you should immediately consult the “Software Versions and Fixes” and “Obtaining Fixed Software” sections of Cisco’s bundled security advisory for September 2010 to learn which fixes apply to your devices, and how to obtain them. You can also refer to the “Software Versions and Fixes” and “Obtaining Fixed Software” sections of each of the individual alerts linked below.

For All Users:

Since these vulnerabilities can affect your router, which is typically in front of your firewall, the solutions above are your primary recourse.

Status:

Cisco has made fixes available.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Early Adobe Flash Update Plugs Zero Day Vulnerability: Reader Update Due Week of October 4

Summary:

  • This vulnerability affects: Adobe Flash Player 10.1.82.76 and earlier for Windows, Mac, Linux, and Solaris. Also affects Flash Player 10.1.92.10 for Android.
  • How an attacker exploits it: By enticing your users to a malicious website
  • Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
  • What to do: Install Flash Player 10.1.85.3 (or 10.1.95.1 for Android) immediately, or let Adobe’s Updater do it for you

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia claims that 99% of Windows computers have Adobe Flash Player installed, so your users very likely have it.

Yesterday, Adobe released a security bulletin describing an update that fixes a serious zero day vulnerability in Flash Player, which attackers are exploiting in the wild. We first warned you of this zero day vulnerability in an early Wire post last week. The vulnerability affects Flash Player 10.1.82.76 and earlier for Windows, Mac, Linux, and Solaris, as well as Flash Player 10.1.92.10 for Android. Originally, Adobe planned to release a patch for this vulnerability on September 27 (as mentioned in our Wire post). However, they have released the update early, likely due to the flaw’s severity.

Adobe’s bulletin doesn’t describe the critical vulnerability (CVE-2010-2884) in any technical detail. They only say that an attacker can exploit it to cause a crash and execute code on a victim’s computer, potentially gaining full control of it. Like most Flash vulnerabilities, an attacker would first have to entice you to a web page containing malicious Flash content to leverage this flaw. Attackers are currently exploiting this Flash vulnerability in the wild, so you will want to patch it immediately.

Adobe also warns that this flaw affects Reader as well. However, they do not plan to release the Reader patch until the week of October 4. They claim attackers haven’t begun leveraging the Reader version of the vulnerability in the wild yet. Nonetheless, we will alert you as soon as they release the Reader update.

Solution Path:

To correct this vulnerability, Adobe has released Flash Player 10.1.85.3 for Windows, Mac, Linux and Solaris, as well as Flash Player 10.1.95.1 for Android (link points to Android Marketplace). You should download and deploy the corresponding update immediately, or let the Adobe Software Updater program do it for you.

Note to Google Chrome users: Chrome comes with the Flash Player built into the browser, so simply upgrading Flash is not enough to fix this vulnerability. If you use Google Chrome, you should download and install Chrome 6.0.472.62 to fix this issue.

For All Users:

Attackers exploit these flaws via normal looking HTTP traffic, which most administrators must allow. Therefore, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches that correct these vulnerabilities.

References:

  • APSB10-22: Adobe Flash Player Security Update

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Office Update Plugs Critical Outlook Hole

Summary:

  • These vulnerabilities affect: The versions of Outlook that ship with Microsoft Office 2002, 2003, and 2007
  • How an attacker exploits them: By enticing your users into opening or previewing a maliciously crafted email message
  • Impact: The attacker can execute code, potentially gaining complete control of your Windows computers
  • What to do: Install the appropriate Office patches immediately, or let Windows Automatic Update do it for you.

Exposure:

As part of today’s Patch Day, Microsoft released an Office security bulletin describing a critical buffer overflow vulnerability that affects the versions of Outlook that ship with Microsoft Office 2002, 2003, and 2007. Specifically, Outlook suffers from a heap buffer overflow vulnerability due to its inability to handle specially crafted email. If an attacker can get one of your Outlook users to open or preview a malicious email message, she can execute code on that user’s computer with that user’s privileges. If your users have local administrator privileges, as most Windows users do, the attacker can leverage this flaw to gain complete control of your users’ computers.

Luckily, one factor significantly mitigates the risk of this serious vulnerability for Outlook 2003 and 2007 clients. Specifically, this flaw only affects Outlook clients that connect to an Exchange server in Online Mode. It does not affect Outlook clients that connect to an Exchange server in Cached Exchange Mode. By default, Outlook 2003 and 2007 clients connect to Exchange servers with the unaffected Cached Exchange Mode. However, Outlook 2002 clients don’t support Cached Exchange Mode, and thus suffer the greatest risk from this flaw.

We recommend you upgrade all your Outlook clients as soon as possible to avoid this serious vulnerability. Furthermore, if you have Outlook 2002 clients, update them immediately.

Solution Path:

Microsoft has released patches that correct this serious Outlook flaw. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

Outlook Update for:

For All WatchGuard Users:

Attackers can exploit this flaw with seemingly normal email messages. The patches above are your best solution. Theoretically, WatchGuard’s incoming SMTP proxy might be able to help prevent emails that target this vulnerability. However, neither Microsoft nor any third-party researcher has disclosed specifically how an attacker would have to craft an email in order to trigger this flaw. Without this information, we can’t say for sure whether or not our proxy might help. However, if we do learn such details, we will update this alert.

Status:

Microsoft has released patches correcting this issue.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Seven Windows Updates for an Equal Number of Vulnerabilities: Bulletins Affect Print Spooler, MPEG-4 Codec, RPC, and More

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (one flaw also affects Office to some extent)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, or enticing your users to open malicious media or documents
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released seven security bulletins describing seven vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-061: Print Spooler Code Execution Vulnerability

The print spooler is a Windows service that manages printing. According to Microsoft, the print spooler does not properly validate whether a remote user has adequate permissions to send it print jobs. By sending a specially crafted print request, an attacker can exploit this print spooler vulnerability to save a malicious file on your computer. Windows automatically executes files saved to certain locations. By placing a malicious executable in the right place, the attacker could exploit this flaw to gain complete control of your Windows machine. However, only computers with shared printers are vulnerable to this issue. Furthermore, most administrators do not allow the traffic necessary for print sharing (UDP and TCP ports 135, 137, 138, 445, and TCP port 593) through their firewall. So this flaw primarily poses an internal threat.
Microsoft rating: Critical.

  • MS10-062: MPEG-4 Codec Code Execution Vulnerability

MPEG Layer-4 is an audio and video encoding format used to compress media for playback on digital devices, like computers. Windows ships with a special codec used to decode and play back MPEG-4 within music files or videos. Windows’ MPEG-4 codec suffers from an unspecified code execution vulnerability, involving its inability to handle specially crafted media files. By luring one of your users into downloading and playing a specially crafted media file, perhaps embedded on a website, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical.

  • MS10-063: Unicode Script Processor Memory Corruption Vulnerability

According to Microsoft, the Unicode Script Processor (USP10.DLL) is a collection of APIs that enables a text layout client to format complex scripts. Unfortunately, it suffers from a memory corruption vulnerability involving the way it handles specially crafted documents containing OpenType fonts. By enticing one of your users to download a malicious document, and then open it within an application that uses the Unicode Script Processor APIs, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. Keep in mind, third-party, non-Microsoft applications can also use the Unicode Script Processor. Note: Unicode Script Processor also ships with Office, so you will have to patch Office as well.
Microsoft rating: Critical.

  • MS10-066: RPC Memory Corruption Vulnerability

Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and then receive the results of that task. The Windows RPC client suffers from an unspecified memory corruption vulnerability involving its inability to handle specially crafted RPC requests. By sending a specially crafted response to an RPC request, an attacker could exploit this vulnerability to gain complete control of your Windows machines. That said, the attacker would have to find a way to lure the victim into making an RPC request to his malicious computer in the first place. Furthermore, most administrators do not allow RPC traffic through their firewall. Therefore, this flaw primarily poses an internal threat. Finally, this flaw only affects XP and Server 2003.
Microsoft rating: Important.

  • MS10-067: Wordpad Text Converter Memory Corruption Vulnerability

Wordpad is a very basic word processing program and text editor that ships with Windows. It also includes some text converter components that allow you to open various Word documents, even if you do not have Office or Word. Unfortunately, the Wordpad text converter suffers from an unspecified memory corruption vulnerability involving its inability to handle specially crafted Word 97 documents. By luring one of your users into downloading a malicious document, and opening it in Wordpad, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. This flaw only affects XP and Server 2003.
Microsoft rating: Important.

  • MS10-068: LSASS Buffer Overflow Vulnerability

The Local Security Authority Subsystem Service (LSASS) is a Windows component that handles security policy and authentication tasks for Windows. LSASS suffers from a heap buffer overflow vulnerability caused when handling specially malformed LDAP messages. By sending a maliciously crafted LDAP message, an authenticated attacker could exploit this flaw to elevate his privileges, and gain complete control of your computer. Of course, the attacker would need valid credentials and access to your Active Directory server in order to exploit this vulnerability. It primarily poses an internal threat.
Microsoft rating: Important.

  • MS10-069: CSRSS Local Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It does not properly allocate memory when handling specific user transactions on Windows systems configured with Chinese, Japanese, or Korean system locales. By running a specially crafted program, an authenticated attacker could leverage this flaw to elevate privileges, gaining complete control of a Windows computer. However, the attacker would first need to gain local access to a Windows computer using valid credentials (Guest access would work) in order to exploit this flaw. Furthermore, this flaw only affects Windows systems with Chinese, Japanese, and Korean system locales installed. It also only affects XP and Server 2003.
Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-061:

MS10-062:

* Note: These flaws do not affect Windows Server 2008 installations that use the Server Core installation option.

MS10-063:

MS10-066:

Note: Other versions of Windows are not affected.

MS10-067:

Note: Other versions of Windows are not affected.

MS10-068:

MS10-069:

Note: Other versions of Windows are not affected.

Does My Firewall Help?

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. You can configure your firewall to block the file types necessary to carry out some of these attacks (.DOC, .MP4, etc.). That said, your firewall cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Three IIS Flaws Allow Authentication Bypass, DoS, or Code Execution

Summary:

  • This vulnerability affects: IIS 5.1, 6.0, 7.0 and 7.5
  • How an attacker exploits it: By sending specially crafted HTTP requests or URLs
  • Impact: In the worst case, an attacker can gain complete control of your IIS server
  • What to do: Install Microsoft’s IIS update immediately, or let Windows Update do it for you

Exposure:

Microsoft’s Internet Information Services (IIS) is one of the most popular web servers used on the Internet. All server versions of Windows come with IIS, though some of its services may not start by default.

In a security bulletin released as part of Patch Day, Microsoft describes three vulnerabilities affecting IIS. The worst is a buffer overflow vulnerability involving the way IIS handles FastCGI-enabled requests. By sending your IIS server a specially crafted HTTP request, an attacker could exploit this vulnerability to gain complete control of your IIS server. This flaw sounds quite bad; however, a key mitigating factor limits its severity. FastCGI is not enabled by default on IIS. You are only vulnerable to this flaw if you’ve specifically enabled it.

The two remaining flaws include a Denial of Service flaw that an attacker could leverage to crash your IIS server and an authentication bypass vulnerability that attackers could leverage to gain access to web resources that require authentication.

Though Microsoft only rates these flaws as Important, we recommend IIS administrators download, test and install the IIS update immediately.

Solution Path:

Microsoft has released IIS updates to fix this vulnerability. IIS administrators should download, test and deploy the corresponding update as soon as possible, or let Windows Update do it for you:

For All WatchGuard Users:

WatchGuard’s HTTP-Server proxy action allows you to control many aspects pertaining to the HTTP requests you accept to your web server. In some cases, this control can allow you to configure your proxies in ways that prevent certain types of attacks from succeeding. However, neither Microsoft nor this flaw’s original discoverer has disclosed enough technical detail about this flaw for us to say whether or not our proxy can help. If we do learn technical details that suggest our proxies do help, we’ll update this alert. However, for now, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

  • Microsoft Security Bulletin MS10-065

This alert was researched and written by Corey Nachreiner, CISSP.

Supposedly Wide-Spread Email Worm Making Headlines: “Here You Have” email contains fake and malicious PDF or WMV links

Virus/Worm Summary:

  • Subject lines to avoid: “Here you have,” “Just for you,” and “This is the Free Dowload (sic) Sex Movies, you can find it Here”
  • Malicious email attachment: contains supposed links to PDF or WMV files, which actually link to malicious .SCR files
  • Impact: Spreads via your email contacts and through network shares. Infects your computer with various malware, and potentially steals information
  • What to do: Make sure you are using updated antivirus software, and block .SCR files at your gateway (see below for details)

About the Virus:

Late yesterday, various antivirus (AV) vendors began receiving reports of a new mass-mailing email worm, generally called VBMania, which arrives with various subjects including “Here you have.” Today, others in the press have jumped on the bandwagon and published many shrill reports [ 1 / 2 / 3 ] that describe this worm as an outbreak and suggest it has flooded inboxes worldwide. While we don’t doubt that attackers have aggressively seeded this malicious email using spamming techniques (and likely a botnet), we haven’t yet seen the worm in our own inbox. There are reports of it affecting some well-known companies. However, it doesn’t seem to be as widespread as the big worms of the past (Nimda, etc.). In fact, most antivirus (AV) companies still rate this worm as only a medium risk. While you should make yourself, and your users, aware of this new worm, it doesn’t offer reason for panic.

Unfortunately, the lack of coordination among AV vendors’ naming conventions makes it difficult to track these worms. While the media generally refers to this as the “Here you have” worm, AV vendors have given this worm a variety of names including:

For simplicity’s sake, we will refer to this worm as VBMania.

Distinguishing Characteristics

Despite the media hype surrounding this new worm, it doesn’t seem to use any new techniques that would allow it to spread any more quickly than a typical email worm. In fact, it seems to call back to older malicious email techniques, with some saying it shares similarities with the older ILoveYou and Anna Kournikova worms from 2000 and 2001. We describe some of VBMania’s distinguishing characteristics below.

VBMania arrives as an email with the following Subject lines:

  • Here you have
  • Just for you
  • This is The Free Dowload Sex Movies,you can find it Here.

The body of the worm contains some text describing either a document or a movie. It also includes a link to what appears to be a PDF document or WMV movie file. However, if you actually click the link, it attempts to get you to download a malicious .SCR screensaver file. An example of a malicious SCR file name:

  • PDF_Document21_025542010_pdf.scr

If you run the malicious .SCR file it:

  • Copies itself to the Windows directory as CSRSS.EXE (not to be confused with the real CSRSS.EXE in your Windows system directory) and adds registry entries to make sure it can restart after your next reboot
  • Sends itself to your email contacts and IM buddies
  • Copies itself to mapped drives and removable USB media (uses AUTORUN tricks as well)
  • Tries to lower your computer’s security by disabling many popular security applications
  • Downloads and installs various malware (likely including a botnet trojan)
  • Steals sensitive information (including passwords from web browsers)

VBMania doesn’t really use any tricks that you haven’t seen before. You should have no problems distinguishing this worm in your inbox, and avoiding it. However, attackers seem to have spammed this worm very aggressively. If one of your users does accidentally run its malicious file, they could cause a lot of damage to your network. Make sure to inform your users of this new email worm so they know to avoid it. However, you don’t need to panic over this new threat, despite what the media may suggest.
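As an added illustration (not part of the alert and not a WatchGuard product feature), here is a small Python mail filter that applies the indicators listed above: it flags the known subject lines and any link whose target fetches a .SCR file, which is how this worm disguises its download as a PDF or WMV. The two messages it runs over are constructed for the demo.

```python
"""Constructed mail-gateway check for the VBMania indicators quoted in the alert:
known subject lines, and links whose target is a .scr screensaver file."""
import re
from email import message_from_string

# Subject lines quoted in the alert, compared case-insensitively.
KNOWN_SUBJECTS = {
    "here you have",
    "just for you",
    "this is the free dowload sex movies,you can find it here.",
}
# Captures the href target and the visible link text of each anchor.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def scr_links(html):
    """Return (target, visible_text) for every link whose target path ends in .scr,
    whatever the visible text claims (e.g. a '.pdf' or '.wmv' file name)."""
    hits = []
    for target, text in LINK_RE.findall(html):
        path = target.split("?", 1)[0].split("#", 1)[0].lower()
        if path.endswith(".scr"):
            hits.append((target, re.sub(r"<[^>]+>", "", text).strip()))
    return hits

def classify(raw_message):
    """Return the reasons to quarantine a message; an empty list means it passes."""
    msg = message_from_string(raw_message)
    subject = (msg["Subject"] or "").strip().lower()
    reasons = []
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known VBMania subject line: {subject!r}")
    for part in msg.walk():
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for target, text in scr_links(body):
            reasons.append(f"link shown as {text!r} fetches a .scr file: {target}")
    return reasons

# Constructed samples; the file name mirrors the pattern quoted in the alert and
# the host name is a placeholder, not a real indicator.
WORM_MAIL = """\
From: friend@example.com
Subject: Here you have
Content-Type: text/html

<p>Hello: This is The Document I told you about, you can find it Here.</p>
<a href="http://host.invalid/PDF_Document21_025542010_pdf.scr">PDF_Document21_025542010_pdf.pdf</a>
"""

CLEAN_MAIL = """\
From: hr@example.com
Subject: Q3 handbook
Content-Type: text/html

<p>The updated handbook is linked below.</p>
<a href="https://intranet.example/handbook.pdf">handbook.pdf</a>
"""

if __name__ == "__main__":
    for name, raw in (("worm", WORM_MAIL), ("clean", CLEAN_MAIL)):
        print(name, classify(raw))
```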

What you can do

  • As always, remind your users never to open unexpected attachments or click on unexpected web links from any source. Inform them that most modern viruses falsify the “From” field and can appear to come from friends, co-workers, or other trusted parties.
  • Most major antivirus vendors already have signatures that detect this worm. Check with your vendor for the latest update.
  • Educate your users by downloading and presenting the new SecurityWise module, “E-mail Safety in the Age of Cybercrime.” This resource is available free of charge, exclusively to LiveSecurity Service subscribers.
  • XTM appliance owners should follow the steps below. The SMTP or POP3 proxy can help.

For all XTM users:

If you manage a WatchGuard XTM appliance, it can protect your network in many ways:

  • If you have spamBlocker (part of the UTM security bundle), it will likely block the emails this worm sends
  • Gateway Antivirus (part of the UTM security bundle) will block this virus with a signature
  • If you have RED (part of the UTM security bundle), it will block the VBMania URLs serving the malicious .SCR files
  • You can also configure an HTTP proxy policy to prevent your users from downloading .SCR files

For all XCS users:

If you manage a WatchGuard XCS appliance, it can protect your network in many ways:

References:

This alert was researched and written by Corey Nachreiner, CISSP.