Archive | October, 2010

Mozilla Plugs Zero Day Hole With Firefox 3.6.12

Summary:

  • This vulnerability affects: Firefox 3.6.x and 3.5.x for Windows, Linux, and Macintosh
  • How an attacker exploits it: By enticing one of your users to visit a malicious web page
  • Impact: An attacker executes code on your user’s computer, potentially gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.12 (or 3.5.15), or let Firefox’s automatic update do it for you

Exposure:

In a WatchGuard Wire post yesterday, we warned you of a new zero day Firefox exploit that attackers had planted onto the Nobel Peace Prize web site. If you visited the infected site with Firefox 3.5 or 3.6 running on an XP computer, the exploit would silently download and install the Belmoo trojan onto your computer. At the time of the Wire post, Mozilla was aware of the zero day flaw but had not yet had time to fix it.

Luckily, Mozilla works fast. In an impressive display of development speed, Mozilla has already released Firefox 3.6.12 to fix this critical zero day vulnerability. According to their Known Vulnerabilities page, the zero day vulnerability was due to a heap buffer overflow flaw within Firefox’s DOM component. By enticing one of your users to a specially crafted web page, or by sneaking malicious code onto a legitimate web page that your user visits, an attacker can leverage this vulnerability to execute malicious code on that user’s machine, with that user’s privileges. If the user happens to be a local administrator or have root privileges, the attacker gains total control of the victim’s computer.

This is a very critical update for Firefox users. The bad guys found this serious vulnerability first, and are already exploiting it in the wild (like with the Nobel Peace Prize web site). As such, we consider it a very serious risk. If you use Firefox, we highly recommend you install the latest update immediately.

Solution Path:

Mozilla has released Firefox 3.6.12 and 3.5.15, to correct this zero day flaw. If you use Firefox in your network, we recommend that you download and deploy version 3.6.12 immediately, or let Firefox’s automatic updater do it for you. If, for some reason, you must remain with Firefox 3.5.x, make sure to upgrade to 3.5.15.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

As an aside, attackers cannot leverage this vulnerability, nor many other web-based flaws, without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based attacks in general. If you use Firefox, we highly recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.12 to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 

Researcher releases zero day Shockwave vulnerability and exploit

Yesterday, Adobe released a Security Advisory in response to a grey hat researcher who published details about a zero day vulnerability in Adobe Shockwave. The researcher from Abysssec described a critical memory corruption vulnerability in the popular multimedia rendering application — and he describes the flaw in great technical detail. He even posted Proof-of-Concept (PoC) exploit code that can leverage the flaw against Windows XP SP3 computers. In short, if an attacker can entice you to a web site containing specially crafted Flash content, he can leverage this flaw to execute code on your machine with your privileges. Since most Windows users have Local Administrator privileges, attackers can often leverage this sort of flaw to gain complete control of their computers.

Since the Abysssec researcher released details about this flaw without first informing Adobe, Adobe hasn’t had time to release a patch yet. In its advisory, Adobe verifies that this is a critical vulnerability, but does not share any workaround that might help. Adobe is working with antivirus vendors to make sure they have signatures for this flaw. In the meantime, I highly recommend you use Firefox with the NoScript extension to help protect yourself from this and many other web-based flaws. While NoScript won’t always block every web attack, its script blocking capability does help mitigate most of them.

Happily, no one has reported attackers exploiting this flaw in the wild yet. However, the researcher’s PoC is easily weaponizable. So I expect malicious versions in the wild soon. If you use Shockwave, I recommend you use caution browsing. I’ll update you as soon as I know more about Adobe’s fix via the Wire or the LiveSecurity Service. — Corey Nachreiner, CISSP

Apple Posts OS X Java Updates for Tiger and Leopard

Summary:

  • This vulnerability affects: OS X 10.5.x (Leopard) and 10.6.x (Snow Leopard)
  • How an attacker exploits it: By enticing your users to a malicious website containing specially crafted Java applets
  • Impact: In the worst case, an attacker executes code on your user’s computer, with that user’s privileges
  • What to do: Install Java for OS X 10.5 Update 8 or Java for OS X 10.6 Update 3 as soon as possible, or let Apple’s updater do it for you.

Exposure:

Yesterday, Apple issued two advisories [ 1 / 2 ] describing Java security updates for OS X 10.5.x and OS X 10.6.x. The advisories warn of multiple vulnerabilities in OS X’s Java components; specifically, six Java vulnerabilities in 10.5.x and four in 10.6.x (number based on CVE-IDs). Though the updates only fix a few flaws, many of them pose a serious risk.

For the most part, Apple only describes the impact of these vulnerabilities, leaving out technical details. In general, the flaws share the same potential impact: By luring one of your users to a malicious website containing a specially crafted Java applet, an attacker can exploit these Java flaws to either execute code or elevate privileges on your users’ OS X computers. In most cases, the attacker would only gain the privileges of the currently logged in user, which doesn’t include root or administrator access in OS X. Nonetheless, we recommend you install Apple’s OS X Java update as soon as possible.

As an aside, Microsoft recently pointed out that malware exploiting Java flaws has exploded during 2010. Though no one has reported Mac-based Java threats in the wild yet, I would recommend keeping Java up to date.

Solution Path:

Apple has issued Java for OS X 10.5 Update 8 [dmg file] and Java for OS X 10.6 Update 3 [dmg file] to correct these flaws. If you manage OS X 10.5.x or 10.6.x computers, we recommend you download and deploy these updates as soon as possible, or let OS X’s automatic Software Update utility install the proper update for you.

For All WatchGuard Users:

Some of these attacks rely on one of your users visiting a web page containing malicious Java bytecode. The HTTP-Proxy policy that ships with most Firebox models automatically blocks Java bytecode by default, which somewhat mitigates the risk posed by some of these vulnerabilities.

Status:

Apple has released Java updates to fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 

Firefox 3.6.11 Delivers 13 Security Fixes

Summary:

  • These vulnerabilities affect: Firefox 3.6.x and 3.5.x for Windows, Linux, and Macintosh
  • How an attacker exploits it: Typically by enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.11 (or 3.5.14), or let Firefox’s automatic update do it for you

Exposure:

Late Tuesday, Mozilla released a Firefox update fixing around 13 (count based on CVE numbers) vulnerabilities in their popular multi-platform web browser. Mozilla rates half of these vulnerabilities as critical; meaning an attacker can leverage them to execute code and install software without user interaction beyond normal browsing. We summarize three of the most critical Firefox 3.6.10 vulnerabilities below:

  • Multiple Dangling Pointer Vulnerabilities (2010-67). A function within Firefox (LookupGetterOrSetter) suffers from a software flaw called a dangling pointer vulnerability. In the past, programmers considered dangling pointer flaws relatively benign, since attackers couldn’t easily exploit them. More recently, researchers have proven this class of flaw quite exploitable. By enticing one of your users to a web page, an attacker can leverage these vulnerabilities to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Buffer Overflow Vulnerability in Document.write (2010-65). According to Mozilla, the latest Firefox update fixes a buffer overflow vulnerability in the code responsible for text rendering (document.write). By enticing one of your users to a maliciously crafted web page, an attacker can leverage this buffer overflow to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. As usual, an attacker may gain full control of your users’ computers if they have administrative privileges.
    Mozilla Impact rating: Critical
  • Typical Memory Corruption Vulnerabilities (2010-64). Mozilla’s update fixes three mostly unspecified memory “safety” or corruption vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser engine. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical

Mozilla’s alert describes many more vulnerabilities, including more code execution flaws, a few Cross-Site Scripting (XSS) vulnerabilities, and a few certificate and encryption issues. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.11 fixes. On a related note, some of these vulnerabilities also affect Firefox 3.5.x. If you use 3.5.x, we recommend you move to 3.6.11. However, if you must stay with 3.5.x, Mozilla has also released an update for that legacy version as well.

Solution Path:

Mozilla has released Firefox 3.6.11 and 3.5.14 to correct these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.11 as soon as possible, or let Firefox’s automatic updater do it for you. If, for some reason, you must remain with Firefox 3.5.x, make sure to upgrade to 3.5.14.
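The upgrade advice in this alert and in the Firefox 3.6.12 zero day alert above both come down to one question per workstation: is the installed build at or past the fixed release for its branch? The following is an added example (not Mozilla’s or WatchGuard’s code) that answers it for a version inventory, using the newer thresholds from the 3.6.12 alert (3.6.12 / 3.5.15), which supersede 3.6.11 / 3.5.14. It treats pre-release strings such as “3.6.12pre” as older than the real 3.6.12; the inventory itself is constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed release per supported Firefox branch, taken from the alerts on
# this page: 3.6.12 / 3.5.15 (the zero day fix) supersede 3.6.11 / 3.5.14.
# The trailing 1 marks a final release (see parse_version).
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (3, 6): (3, 6, 12, 1),
    (3, 5): (3, 5, 15, 1),
}

# major.minor[.patch][suffix], e.g. "3.6.10", "3.5", "3.6.12pre", "4.0b6"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a Firefox version string into (major, minor, patch, final).

    final is 1 for a release build and 0 for a pre-release ("pre", "b6", ...),
    so "3.6.12pre" sorts below the real 3.6.12 and is still reported vulnerable.
    Returns None for strings that do not look like a version at all.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def firefox_status(text: str) -> str:
    """Classify one installed Firefox version against FIXED_RELEASES.

    Returns "patched", "vulnerable", "unsupported-branch" (no fixed release
    known for that branch, e.g. a 4.0 beta or an old 3.0.x) or "unparsable".
    """
    version = parse_version(text)
    if version is None:
        return "unparsable"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unsupported-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status so the vulnerable ones can be patched first."""
    report: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        report.setdefault(firefox_status(version), []).append(host)
    return report


# Constructed sample inventory (hostname -> reported Firefox version); not real hosts.
SAMPLE_INVENTORY = {
    "ws-01": "3.6.12",
    "ws-02": "3.6.10",
    "ws-03": "3.5.14",
    "ws-04": "3.6.12pre",
    "ws-05": "4.0b6",
    "ws-06": "unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:20s} {', '.join(hosts)}")
```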

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.11 to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 

More Security Vulnerabilities Affect Word and Excel

Summary:

  • These vulnerabilities affect: All current versions of Microsoft Office for Windows and Mac (specifically Word and Excel)
  • How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches immediately, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing 24 vulnerabilities found in components or programs that ship with Microsoft Office for Windows and Mac — more specifically, Word and Excel. Some of the vulnerabilities also affect the viewers, Office Compatibility Packs, and File Format Converters that ship with each program. Each vulnerability affects different versions of Office to a different extent.

The 24 flaws may affect different components and applications within Office, but the end result is always the same. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

According to Microsoft’s bulletins, an attacker can exploit these flaws using two types of Office documents: Word (.doc) and Excel (.xls). So beware of all unexpected documents you receive with these file extensions.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS10-079: Multiple Word Code Execution Vulnerabilities, rated Important
  • MS10-080: Multiple Excel Code Execution Vulnerabilities, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

Word update for:

Excel update for:

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Word and Excel documents, some organizations need to allow them in order to conduct business. Therefore, these patches are your best recourse. Temporarily though, you may still want to block these Office documents until you are able to install Microsoft’s patches.

If you want to block Word, Excel, and Works documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .doc and .xls files by their file extensions:
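The extension-based blocking described here, together with the Java bytecode blocking mentioned in the Apple Java alert above, as an added illustration (not WatchGuard’s Firebox proxy code): a Python decision function that blocks responses by .doc, .xls and .class extension and, going one step beyond the extension rule, also by the files’ magic bytes so a document served under a harmless-looking name is still caught. The URLs and responses are constructed samples.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Extensions blocked by the policy described on this page: Word/Excel documents
# plus Java class files (the Firebox HTTP-Proxy blocks Java bytecode by default).
BLOCKED_EXTENSIONS = {".doc", ".xls", ".class"}

# Magic numbers for the same file types. Checking the first bytes of the body
# catches a document served under a different name or URL.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 container: .doc, .xls (also .ppt, .msi)
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"           # Java class file (also Mach-O universal binaries)


def filename_from_disposition(header: str) -> str:
    """Return the filename= value of a Content-Disposition header, or ""."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "filename":
            return value.strip().strip('"')
    return ""


def extension_of(url: str, content_disposition: str = "") -> str:
    """Lower-cased extension from Content-Disposition (preferred) or the URL path."""
    name = filename_from_disposition(content_disposition) or posixpath.basename(urlsplit(url).path)
    return posixpath.splitext(name)[1].lower()


def block_reason(url: str, body_prefix: bytes, content_disposition: str = "") -> Optional[str]:
    """Decide whether an HTTP response should be blocked.

    Returns a short reason string, or None to let the response through.
    body_prefix is the first bytes of the response body (8 are enough here).
    """
    ext = extension_of(url, content_disposition)
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    if body_prefix.startswith(OLE2_MAGIC):
        return "OLE2 magic (Word/Excel document with a different extension)"
    if body_prefix.startswith(JAVA_CLASS_MAGIC):
        return "Java class magic (bytecode with a different extension)"
    return None


# Constructed sample responses: (url, Content-Disposition, first body bytes).
SAMPLE_RESPONSES: List[Tuple[str, str, bytes]] = [
    ("http://example.test/report.doc", "", OLE2_MAGIC + b"\x00" * 8),
    ("http://example.test/download?id=7", 'attachment; filename="q3.xls"', OLE2_MAGIC),
    ("http://example.test/images/chart.gif", "", OLE2_MAGIC + b"\x00" * 8),
    ("http://example.test/applet/Viewer.class", "", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x32"),
    ("http://example.test/static/app.dat", "", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x32"),
    ("http://example.test/index.html", "", b"<!DOCTYPE html>"),
]


def scan(responses: List[Tuple[str, str, bytes]]) -> List[Tuple[str, Optional[str]]]:
    """Apply block_reason to each sample response; returns (url, reason) pairs."""
    return [(url, block_reason(url, body, disp)) for url, disp, body in responses]


if __name__ == "__main__":
    for url, reason in scan(SAMPLE_RESPONSES):
        print(f"{'BLOCK' if reason else 'allow':5s} {url}  {reason or ''}")
```

Magic-number matching has known false positives (the OLE2 header is shared by other Office-era formats and 0xCAFEBABE by Mach-O universal binaries), so a production policy would combine it with the extension rule rather than replace it.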

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 

A Dozen Windows Updates Plug 15 Security Holes: BULLETINS AFFECT MEDIA PLAYER, .NET FRAMEWORK, KERNEL-MODE DRIVERS, AND MORE

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (also the .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, or enticing your users to websites containing malicious media
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released a dozen security bulletins describing 15 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-075: Media Player Network Sharing Code Execution Vulnerability

Windows Media Player (WMP) is the popular multimedia playback application that ships with Windows. By default, many Windows computers start the Media Player Network Sharing Service, which allows other computers on your network to share media from your computer. However, Windows Vista and 7 do not start this service by default.

According to Microsoft, the Media Player Network Sharing Service that ships with Windows Vista and 7 suffers from a security vulnerability involving the way it handles Real Time Streaming Protocol (RTSP) packets. By sending a specially crafted RTSP packet to a computer with the Network Sharing Service, an attacker can exploit this vulnerability to execute code on that computer under the context of the Network Services account. Though the Network Services account has limited privileges, the attacker could then leverage other vulnerabilities described in this alert to gain complete control of that computer. Typically, Windows only allows computers within your local network to access the Media Player Network Sharing Service, which tends to limit this to an internal threat. Furthermore, neither Vista nor Windows 7 starts this service by default, which further mitigates this attack.
Microsoft rating: Critical

  • MS10-076: OpenType Font Engine Integer Overflow Vulnerability

Windows ships with an OpenType Font Engine to handle documents, emails, and web pages that contain OpenType fonts. The OpenType Font Engine suffers from an integer overflow vulnerability that has to do with how it handles certain tables within content that contains OpenType fonts. By luring one of your users into visiting a web page, or opening content that contains maliciously crafted OpenType fonts, an attacker could leverage this flaw to gain complete control of that user’s computer.
Microsoft rating: Critical

  • MS10-077: Code Execution Vulnerability in .NET Framework 4.0

Microsoft’s .NET Framework is an optional Windows component used to help developers create rich web applications, as well as to display said web content. Windows doesn’t ship with it by default, but many users install it. The 64-bit version of the .NET Framework 4.0 suffers from a code execution vulnerability that has to do with how one of its compilers optimizes code incorrectly. By enticing one of your users to a website containing a specially crafted web application, or into running a malicious .NET application, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As usual, attackers could gain complete control of the computer if the user has local administrative privileges.
Microsoft rating: Critical

  • MS10-073 Windows Kernel-Mode Drivers Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. This kernel-mode driver suffers from multiple elevation of privilege vulnerabilities. Though these flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws. That said, despite the lower severity of these flaws, attackers have exploited one of them in the wild — specifically, within the Stuxnet worm, which has received significant media attention.
Microsoft rating: Important

  • MS10-078: OpenType Font Format Driver Elevation of Privilege Vulnerability

The OpenType Font format driver is another component Windows uses to handle OpenType fonts. The OpenType Font format driver suffers from two elevation of privilege vulnerabilities involving its inability to handle specially crafted OpenType fonts. These flaws are similar in concept to the OpenType Engine flaw described above, except that an attacker needs to locally log into a vulnerable Windows machine, and execute a specially crafted program in order to exploit these flaws. Assuming the attacker can gain access to one of your Windows computers, his malicious program could then leverage either of these flaws to gain complete control of that computer. Granted, these vulnerabilities only affect XP and Server 2003.
Microsoft rating: Important

  • MS10-081: Common Control Library Buffer Overflow Vulnerability

Windows ships with a library of functions called the Common Control Library (Comctl32.dll), which helps it create the interactive windows it is known for. This Common Control Library suffers from a heap buffer overflow vulnerability having to do with how it handles Scalable Vector Graphics (SVG) passed to it from 3rd party applications. By enticing your user to a website containing specially crafted code, an attacker could exploit this flaw to execute code on that user’s computer, with that user’s privileges. As usual, attackers could gain complete control of the computer if the user has local administrative privileges.
Microsoft rating: Important

  • MS10-082 Media Player Code Execution Vulnerability

As mentioned earlier, Windows Media Player (WMP) is the popular multimedia playback application that ships with Windows. Windows Media Player suffers from a second code execution vulnerability that has to do with how it handles web-based media. By enticing one of your users to a website containing specially crafted media, an attacker could gain complete control of that user’s computer. However, the user would have to click through at least one pop-up dialog from the website in order for this attack to succeed. This significantly reduces this flaw’s severity (compared to the first Media Player flaw, which requires no user interaction at all).
Microsoft rating: Important

  • MS10-083: WordPad and Windows Shell COM Object Code Execution Vulnerability

WordPad is a very basic word processing program and text editor that ships with Windows, and the Windows Shell is the primary GUI component for Windows. Both of these Windows components suffer from a flaw having to do with how they handle COM objects. Without going into technical detail, if an attacker can either entice you to a specially crafted web page, trick you into opening a malicious document with WordPad, or lure you into interacting with a malicious shortcut, he could leverage this flaw to execute code on your computer with your privileges. If you are a local administrator, the attacker would gain total control of your computer.
Microsoft rating: Important

  • MS10-084: LPC Buffer Overflow Vulnerability

Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and then receive the results of that task. Windows RPC also includes a Local Procedure Call (LPC) component, which Windows uses to exchange messages between local processes and threads. The Windows LPC component suffers from a buffer overflow vulnerability involving its inability to handle specially crafted LPC requests. By running a specially crafted program, a local attacker could leverage this flaw to execute code under the context of the Network Services account. Though the Network Services account has limited privileges, the attacker could then leverage other vulnerabilities described in this alert to gain complete control of that computer. However, by their very nature, LPC calls are only sent locally. That means the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw. Furthermore, this flaw only affects XP and Server 2003.
Microsoft rating: Important

  • MS10-085: SChannel Denial of Service Vulnerability

The Secure Channel (SChannel) is a Windows security package that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication protocols. According to today’s bulletin, SChannel suffers from a Denial of Service (DoS) vulnerability involving the way it handles specially crafted SSL/TLS handshake requests. By sending an SSL-enabled web server specially crafted requests, an attacker could leverage this flaw to cause your server to stop responding. You’d have to reboot the server to resume service. However, this flaw obviously only affects servers accepting incoming SSL connections — typically IIS web servers with secure pages. Unless you have such servers, and you have allowed the SSL connections through your firewall, you are not vulnerable to this attack.
Microsoft rating: Important

  • MS10-074: Microsoft Foundation Class Code Execution Vulnerability

Windows ships with a library of functions called the Foundation Class Library, which developers can use to write programs implementing many of Windows’ basic OS and GUI functions. In short, the Foundation Class Library suffers from a vulnerability that has to do with how it handles window titles. If your computer has a 3rd party application that was created using the Foundation Class Library, and that application allows some way for user input to change a window title, and an external attacker can somehow manipulate the input in a way to change the window title, he could exploit this flaw to execute code on your computer, with your privileges. As you can tell, that is a lot of “ifs.” Microsoft has established that none of their software is vulnerable to this flaw. So you are only affected by it if you have installed some 3rd party application that was coded in a very specific way. This flaw poses a very low risk.
Microsoft rating: Moderate

  • MS10-086: Shared Cluster Disk Tampering Vulnerability

Microsoft Cluster Server (MSCS) is a Windows component that allows you to cluster servers and disks. MSCS incorrectly sets permissions when adding new disks to a disk cluster. As a result, an internal attacker that can remotely access the file system of a cluster disk administrative share will have full control of that share, regardless of his privilege. However, usually only users on the local network will have access to disk shares. The flaw only affects Windows Server 2008 R2.
Microsoft rating: Moderate

 

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-075:

Note: Other versions of Windows are not affected by this vulnerability.

MS10-076:

* Note: Server Core installations not affected.

MS10-077:

MS10-073:

MS10-078:

Note: Other versions of Windows are not affected.

MS10-081:

* Note: Server Core installations not affected.

MS10-082:

All versions of Windows Media Player for:

* Note: Server Core installations not affected.

MS10-083:

Updates for WordPad:

Updates for Windows Shell:

* Note: Server Core installations not affected.

MS10-084:

Note: Other versions of Windows are not affected.

MS10-085:

Note: Other versions of Windows are not affected.

MS10-074:

* Note: Server Core installations not affected.

MS10-086:

Note: Other versions of Windows are not affected.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues (the ones that rely on access to local resources). That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 

Cumulative IE Patch Fixes Ten New Security Flaws

Summary:

  • This vulnerability affects: All current versions of Internet Explorer, running on all current versions of Windows
  • How an attacker exploits it: Usually, by enticing one of your users to visit a malicious web page
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes ten new vulnerabilities in Internet Explorer (IE) 8.0 and earlier versions, running on all current versions of Windows (including Windows 7 and Windows Server 2008). Microsoft rates the aggregate severity of these new flaws as Critical.

The ten vulnerabilities differ technically, but four of the most serious ones share the same general scope and impact. These four issues involve various memory corruption flaws having to do with how IE handles certain HTML elements and objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these four vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

The remaining vulnerabilities consist of Cross-Site or Cross-Domain Scripting (XSS) flaws and some Information Disclosure issues.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and XSS attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you. By the way, Microsoft no longer supports Windows 2000 and IE 5.x. If you still run a legacy version of IE or Windows, we highly recommend you update in order to get the latest security updates.

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

Does My Firewall Help?

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 

Microsoft Black Tuesday: Yet another record-breaking Patch Day in October

Microsoft, if you’re listening, I’d really like you to stop breaking records on Patch Tuesday.

According to their advanced notification bulletin, Microsoft expects another record-setting Patch Day on Tuesday, October 12. Specifically, they plan to release 16 security bulletins, which correct a total of 49 vulnerabilities in Windows, Office, Internet Explorer, and “Windows Server Software.” They rate four bulletins Critical, ten Important, and two Moderate.

Until now, last August’s Patch Day was the biggest patch day ever. Unfortunately, next Tuesday’s Patch Day will be even bigger. I recommend you inform your IT staff to have all hands on deck next Tuesday. Obviously, you’ll want to apply Microsoft’s Critical updates first, since they typically allow attackers to gain control of affected computers. However, Microsoft’s Important patches often pose significant risk as well, so patch those quickly too. If possible, plan to test and deploy all of Microsoft’s patches on Tuesday.

We’ll know more about these bulletins next Tuesday, and will publish alerts about them here. — Corey Nachreiner, CISSP

 

Out-of-Cycle Reader Update Corrects Flash-related Vulnerability: Also Fixes 22 Other Security Vulnerabilities

Summary:

  • This vulnerability affects: Adobe Reader and Acrobat 9.3.4 and earlier, on Windows, Mac, and UNIX computers
  • How an attacker exploits it: Typically, by enticing your users into viewing a maliciously crafted PDF document
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: Install Adobe’s Reader and Acrobat 9.4 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

About two weeks ago, we released an alert warning you of an Adobe Flash update that fixed a zero day vulnerability that attackers were exploiting in the wild. In that alert, we also mentioned that Adobe Reader was susceptible to the zero day flaw as well, but Adobe had not had time to patch it, and was planning to release a Reader update during the week of October 4th. As promised, yesterday Adobe released an update for Reader and Acrobat that fixes that flaw, and many others. Specifically, the update fixes 23 security vulnerabilities (number based on CVE-IDs) in Adobe’s popular PDF reader.

The 23 flaws differ technically, but many of them consist of memory corruption vulnerabilities that share the same general scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted PDF document (.pdf), many of these vulnerabilities can be exploited to execute code on that user’s computer, with that user’s privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

This update fixes many serious flaws, including one that attackers have exploited in the wild. We greatly encourage you to download and install this Reader update as soon as possible. Also note, Adobe typically sticks to a quarterly patch cycle that falls on the same day as Microsoft Patch Day (the second Tuesday of the month). However, since they chose to release this Reader update early due to its critical nature, they will not release any Reader updates on their normally scheduled patch day, October 12. Their next Reader update is due February 8th, 2011.

Solution Path:

Adobe has released Reader and Acrobat 9.4 updates to fix these vulnerabilities on all platforms. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

Does My Firewall Help?

Many firewalls can block incoming PDF files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PDF files are not absolutely necessary to your business, you may consider blocking them using the firewall’s HTTP and SMTP proxy until the patch has been installed.
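As an added example, not code from the original alert or from WatchGuard, here is the kind of content check a proxy rule needs to enforce the temporary “block PDFs until patched” mitigation described above; the function names and sample payloads are constructed for illustration. It also covers a detail the paragraph leaves out: Adobe’s viewers accept the PDF header anywhere in the first 1024 bytes, so matching only on the filename, the declared Content-Type, or the very first bytes is not enough.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the original alert or any WatchGuard product.
# Adobe's viewers accept the "%PDF-" header anywhere in the first 1024 bytes,
# not only at offset 0, so a filter that looks at the leading bytes alone
# would pass files that Reader still opens.
HEADER_WINDOW = 1024
PDF_MAGIC = b"%PDF-"

@dataclass
class Verdict:
    is_pdf: bool
    reason: str

def classify_pdf(body: bytes, content_type: Optional[str] = None,
                 filename: Optional[str] = None) -> Verdict:
    """Decide whether an HTTP body or mail attachment is a PDF.  Bytes are
    authoritative; Content-Type and filename are hints that may be wrong."""
    idx = body[:HEADER_WINDOW].find(PDF_MAGIC)
    if idx == 0:
        return Verdict(True, "PDF header at offset 0")
    if idx > 0:
        return Verdict(True, f"PDF header at offset {idx} after leading bytes")
    declared = (content_type or "").split(";")[0].strip().lower()
    if declared == "application/pdf":
        return Verdict(True, "declared Content-Type is application/pdf")
    if filename and filename.lower().endswith(".pdf"):
        return Verdict(True, "filename extension is .pdf")
    return Verdict(False, "no PDF indicators")

def proxy_decision(body: bytes, content_type: Optional[str] = None,
                   filename: Optional[str] = None,
                   block_pdf_until_patched: bool = True) -> str:
    """Map the classification onto the proxy's allow/block decision."""
    verdict = classify_pdf(body, content_type, filename)
    if verdict.is_pdf and block_pdf_until_patched:
        return f"BLOCK: {verdict.reason}"
    return f"ALLOW: {verdict.reason}"

if __name__ == "__main__":
    # Constructed sample payloads, not real captures.
    samples = [
        (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n", "application/pdf", "report.pdf"),
        (b"GARBAGE!" * 20 + b"%PDF-1.4\n", "application/octet-stream", "invoice.bin"),
        (b"\x89PNG\r\n\x1a\n", "image/png", "logo.png"),
    ]
    for body, ctype, name in samples:
        print(name, "->", proxy_decision(body, ctype, name))
```

Any single indicator is treated as PDF, which is the conservative choice for a temporary block rule; once the 9.4 update is deployed, set `block_pdf_until_patched` to False and the same classification can be reused for logging.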

Status:

Adobe has released patches that correct these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

