Archive | December, 2010

Office Update Fixes Flaws with Image Embedded Documents

Summary:

  • These vulnerabilities affect: All current versions of Microsoft Office for Windows, as well as Works 9
  • How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches immediately, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing twelve vulnerabilities found in components or programs that ship with Microsoft Office for Windows — more specifically, Publisher and the Office Graphics Filters component. Some of the vulnerabilities also affect the Office Converter Pack and Microsoft Works 9.

The twelve flaws affect different components and applications within Office, but the end result is always the same. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Since many of the vulnerabilities have to do with an attacker embedding specially crafted image files within any Office document, all types of Office documents could trigger these flaws. Warn your users to beware of all unexpected Office documents they receive.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS10-103: Multiple Publisher Code Execution Vulnerabilities, rated Important
  • MS10-105: Multiple Office Graphics Filters Code Execution Vulnerabilities, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

MS10-103:

MS10-105:

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Office documents, most organizations need to allow them in order to conduct business. Furthermore, you’d have to block all types of Office documents in order to mitigate the risk posed by one of these vulnerabilities. Therefore, the patches above are your best recourse.

Nonetheless, if you want to block all Office documents, the links below contain video instructions showing how your Fireboxes proxy policies can block files by extension. Keep in mind, this technique also blocks legitimate documents as well.

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


Only One Critical Flaw in a Dozen Windows Bulletins

Bulletins Affect Task Scheduler, Movie Maker, the Kernel, and More

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files, or visiting malicious websites or file shares
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released a dozen security bulletins describing 19 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-091: OpenType Font (OTF) Driver Code Execution Vulnerabilities

The OpenType Font (OTF) driver is a component that ships with Windows to handle documents, emails, and web pages that contain OpenType fonts. Unfortunately, the OTF driver suffers from three code execution vulnerabilities having to do with how it handles specially crafted OpenType fonts. By luring one of your users into visiting a web page, or opening content that contains maliciously crafted OpenType fonts, an attacker could leverage this flaw to gain complete control of that user’s computer. An attacker could also leverage this vulnerability against Windows Vista, 7, and Server 2008 computers simply by enticing victims to a file share containing an OpenType Font. The preview feature of these newer versions of Windows will automatically trigger these flaws.
Microsoft rating: Critical

  • MS10-092: Windows Task Scheduler Elevation of Privilege Vulnerability

The Task Scheduler is a service that allows you to automate tasks in Windows. It suffers from an elevation of privilege vulnerability, which essentially allows any local user on a Windows computer to create scheduled tasks that run with full system privileges. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the risk of this vulnerability.
Microsoft rating: Important

  • MS10-093: Windows Vista Movie Maker Code Execution Vulnerability

Movie Maker is an application that ships with Windows to allow you to create and edit movies or videos. Movie Maker suffers from an insecure Dynamic Link Library (DLL) loading vulnerability, sometimes referred to as a binary planting flaw. We first described this flaw in a September Wire post, which describes this Microsoft security advisory. If an attacker can entice one of your users into opening a malicious Movie Maker (.mswmm) file from the same location as a specially crafted DLL, she could exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer. This particular flaw only affects the version of Movie Maker that ships with Vista.
Microsoft rating: Important

  • MS10-094: Windows Media Encoder Code Execution Vulnerability

Media Encoder is a Windows component that can save or convert video and audio content to the Windows Media Format. Like Movie Maker, it suffers from an insecure Dynamic Link Library (DLL) loading vulnerability, which we first described in a September Wire post. If an attacker can entice one of your users to open a malicious media profile (.prx) file located in the same place as a specially crafted DLL, he could exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer. This flaw does not affect Windows 7 or Server 2008 R2.
Microsoft rating: Important

  • MS10-095: BranchCache Code Execution Vulnerability

BranchCache is a WAN optimization feature that only ships with Windows 7 and Server 2008 R2. BranchCache suffers from the same type of insecure Dynamic Link Library (DLL) loading vulnerability as we’ve described in the bullets above. By enticing one of your users into opening a malicious .eml, .rss, or .wpost file located in the same place as a specially crafted DLL, an attacker can exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer. This flaw only affects Windows 7 or Server 2008 R2.
Microsoft rating: Important

  • MS10-096: Windows Address Book Code Execution Vulnerability

The Windows Address Book (WAB) is exactly what it sounds like: an application that ships with Windows to store contact information for people you know. Like the three components listed above, WAB also suffers from the insecure Dynamic Link Library (DLL) loading vulnerability. By enticing one of your users into opening a specially crafted .wab file located in the same place as a malicious DLL, an attacker can exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer.
Microsoft rating: Important

  • MS10-097: Internet Connection Signup Wizard Code Execution Vulnerability

The Internet Connection Signup Wizard is a Windows component that helps you set up or troubleshoot your Internet connection. Like the bulletins listed previously, this wizard suffers from an insecure Dynamic Link Library (DLL) loading vulnerability (this is the last of the insecure DLL loading flaws in Windows this month). By enticing one of your users into opening a specially crafted .ins or .isp file located in the same place as a malicious DLL, an attacker can exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer. This flaw only affects Windows XP and Server 2003.
Microsoft rating: Important
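The five bulletins above (MS10-093 through MS10-097) share one mechanism: the application loads a DLL by bare name, and the search path includes the directory the document was opened from, so a DLL sitting beside a .mswmm, .prx, .eml, .rss, .wpost, .wab, .ins or .isp file gets loaded in its place. One triage check a defender can run over a download folder or a file share is to look for exactly that pairing. The script below is an added example, not WatchGuard's or Microsoft's code; the extension table comes from the bulletins as summarized above, and the directory layout the demo builds is constructed for illustration.

```python
"""Detection helper: find document files of the types named in MS10-093..097
sitting beside a DLL in the same directory (the layout DLL planting needs).
Added example; not code from the bulletins or from WatchGuard."""
import os
import tempfile

# Document types named in the bulletins above, mapped to the bulletin that covers them.
PLANTING_EXTENSIONS = {
    ".mswmm": "MS10-093 (Movie Maker)",
    ".prx": "MS10-094 (Media Encoder)",
    ".eml": "MS10-095 (BranchCache)",
    ".rss": "MS10-095 (BranchCache)",
    ".wpost": "MS10-095 (BranchCache)",
    ".wab": "MS10-096 (Address Book)",
    ".ins": "MS10-097 (Connection Signup Wizard)",
    ".isp": "MS10-097 (Connection Signup Wizard)",
}


def find_colocated_dlls(root, extensions=PLANTING_EXTENSIONS):
    """Walk `root`; in every directory that holds at least one DLL, report each
    document whose extension is in `extensions`. Returns a list of
    (document_path, [dll_paths], bulletin) tuples sorted by document path.
    A hit is a triage lead, not proof of attack: installers and applications
    legitimately keep DLLs beside data files too."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dlls = sorted(f for f in filenames if f.lower().endswith(".dll"))
        if not dlls:
            continue  # nothing could be loaded from here; skip the directory
        for name in sorted(filenames):
            ext = os.path.splitext(name)[1].lower()
            bulletin = extensions.get(ext)
            if bulletin:
                findings.append((
                    os.path.join(dirpath, name),
                    [os.path.join(dirpath, d) for d in dlls],
                    bulletin,
                ))
    findings.sort(key=lambda hit: hit[0])
    return findings


def run_demo():
    """Build a constructed sample tree in a temporary directory, scan it, and
    return the findings as (relative document path, DLL names, bulletin)."""
    layout = [
        "downloads/clip.mswmm",       # Movie Maker project ...
        "downloads/sample.dll",       # ... beside a DLL: report it
        "downloads/readme.txt",       # not a listed document type
        "share/contacts.wab",         # Address Book file ...
        "share/HELPER.DLL",           # ... DLL match is case-insensitive
        "share/other/report.docx",    # not a listed type, and no DLL beside it
        "tools/profile.prx",          # listed type but no DLL beside it: clean
    ]
    with tempfile.TemporaryDirectory() as base:
        for rel in layout:
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder\n")
        hits = find_colocated_dlls(base)
        return [
            (os.path.relpath(doc, base).replace(os.sep, "/"),
             [os.path.basename(d) for d in dlls],
             bulletin)
            for doc, dlls, bulletin in hits
        ]


if __name__ == "__main__":
    for doc, dlls, bulletin in run_demo():
        print(f"{bulletin}: {doc} sits beside {', '.join(dlls)}")
```

Point `find_colocated_dlls` at a mounted share or a user's Downloads folder to get a list worth reviewing; extend the extension table if other applications in your environment are known to load DLLs from the document's directory.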

  • MS10-098: Windows Kernel-Mode Drivers Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. This kernel-mode driver suffers from six elevation of privilege vulnerabilities. Though these flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws.
Microsoft rating: Important

  • MS10-099: Kernel NDProxy Buffer Overflow Vulnerability

Windows ships with the Routing and Remote Access (RRAS) services, which essentially allow a Windows computer to function like a network router. The NDProxy is one of the RRAS components that helps provide this functionality. Unfortunately, the NDProxy component suffers from a buffer overflow vulnerability. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw. This flaw only affects Windows XP and Server 2003.
Microsoft rating: Important

  • MS10-100: Consent UI Elevation of Privilege Vulnerability

Consent UI is part of Windows’ User Account Control (UAC) services. Specifically, it’s the component that asks you for consent whenever you perform administrative tasks. Consent UI suffers from an elevation of privilege vulnerability. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw. This flaw only affects the more recent versions of Windows (Vista and later).
Microsoft rating: Important

  • MS10-101: Windows Netlogon RPC DoS Vulnerability

Netlogon Remote Protocol is the RPC service Windows uses to allow network users to log in to domains. It suffers from a Denial of Service (DoS) vulnerability involving the way it handles logins containing specially crafted user data. By sending maliciously crafted RPC requests, an attacker could leverage this flaw to cause your domain controller to reboot. However, the attacker would need valid user credentials, and local access to your network in order to leverage this vulnerability. It primarily poses an internal risk. Furthermore, the flaw only affects the Server versions of Windows.
Microsoft rating: Important

  • MS10-102: Hyper-V DoS Vulnerability

Hyper-V is the hypervisor technology used to provide a virtualization platform in Windows Server 2008 and Server 2008 R2. It suffers from a Denial of Service (DoS) vulnerability involving the way it handles specially crafted packets sent over the virtual network. By running a specially crafted program, a local attacker could leverage this flaw to cause your virtual server to become non-responsive. You would have to reboot the machine to regain functionality. Since an attacker needs local access to your machine, this flaw poses a low risk.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-091:

MS10-092:

MS10-093:

MS10-094:

MS10-095:

MS10-096:

* Note: Server Core installations not affected.

MS10-097:

MS10-098:

MS10-099:

MS10-100:

Note: Other versions of Windows and Server Core installations are not affected.

MS10-101:

MS10-102:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall could help mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

IE Suffers from Five New “Drive-by Download” Vulnerabilities

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer, running on all current versions of Windows
  • How an attacker exploits them: Typically, by enticing one of your users to visit a malicious web page
  • Impact: Various; in the worst case, an attacker can execute code on your user’s computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes seven new vulnerabilities in Internet Explorer (IE) 8.0 and earlier versions, running on all current versions of Windows (including Windows 7 and Windows Server 2008). Microsoft discovered four of the new vulnerabilities themselves, and the remaining ones were disclosed publicly. They rate the aggregate severity of these new flaws as Critical.

The seven vulnerabilities differ technically, but five of them share the same scope and impact. They all involve various memory corruption issues having to do with how IE handles various HTML elements and objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these five vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker gains complete control of the victim’s computer. Attackers often leverage these types of code execution vulnerabilities to launch Drive-by Download attacks.

The remaining two vulnerabilities are Cross-Site or Cross-Domain Scripting (XSS) flaws. Among other things, an attacker can leverage these types of vulnerabilities to view information (such as cookies) from another domain or site, which he shouldn’t have access to, or to execute scripts with another domain’s or site’s privileges.

Keep in mind, today’s attackers commonly hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and XSS attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you. By the way, Microsoft no longer supports Windows 2000 and IE 5.x. If you still run a legacy version of IE or Windows, we highly recommend you update in order to get the latest security updates.

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


December Firefox Update Corrects a Bunch of Critical Vulnerabilities

Summary:

  • These vulnerabilities affect: Firefox 3.6.x and 3.5.x for Windows, Linux, and Macintosh
  • How an attacker exploits it: Typically by enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.13 (or 3.5.16), or let Firefox’s automatic update do it for you

Exposure:

Last week, Mozilla released a Firefox update fixing 13 (count based on CVE number) vulnerabilities in their popular multi-platform web browser. Mozilla rates most of these vulnerabilities as critical; meaning an attacker can leverage them to execute code and install software without user interaction beyond normal browsing. We summarize three of the most critical Firefox 3.6.12 vulnerabilities below:

  • Integer Overflow Vulnerability in JavaScript Array (2010-81). A JavaScript array (specifically NewIdArray) in Firefox suffers from an integer overflow vulnerability that can cause a memory buffer overflow. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this buffer overflow to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Document.write() Buffer Overflow Vulnerability (2010-75). According to Mozilla, one of the JavaScript methods used to write text to a page (document.write) suffers from a buffer overflow vulnerability. By enticing one of your users to a web page containing specially crafted JavaScript, an attacker can leverage this buffer overflow to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. As usual, an attacker may gain full control of your users’ computers if they have administrative privileges.
    Mozilla Impact rating: Critical
  • Three Memory Corruption Vulnerabilities (2010-74). Mozilla’s update fixes three unspecified memory “safety” related vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser engine. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical

Mozilla’s alert describes many more critical vulnerabilities, most of which allow attackers to execute code simply by enticing you to a malicious web page. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.13 fixes. On a related note, some of these vulnerabilities also affect Firefox 3.5.x. If you use 3.5.x, we recommend you move to 3.6.13. However, if you must stay with 3.5.x, Mozilla has also released an update for that legacy version as well.

Solution Path:

Mozilla has released Firefox 3.6.13 and 3.5.16, to correct these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.13 as soon as possible. If, for some reason, you must remain with Firefox 3.5.x, make sure to upgrade to 3.5.16.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.13 to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


Pictures and Videos Pose a Threat to Quicktime for Windows and Mac

Summary:

  • These vulnerabilities affect: QuickTime 7.6.8 and earlier for Windows and Mac
  • How an attacker exploits them: By enticing your user into viewing a maliciously crafted movie or image file
  • Impact: An attacker could execute code on your user’s computer, potentially gaining control of it
  • What to do: Download and install QuickTime 7.6.9 as quickly as possible, or let Apple’s Software Update tool do it for you

Exposure:

Late yesterday, Apple released a security update to fix 15 media handling vulnerabilities that affect both the Windows and Mac versions of QuickTime, their popular media player.

The flaws vary quite a bit technically, but most of them share the same general scope and impact. If an attacker can lure one of your users into viewing malicious media, such as an image or video file, he can exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. Since most Windows users have local administrative privileges, attackers could often leverage this flaw to gain complete control of Windows machines. Macs, on the other hand, separate your user privileges from the superuser account. So an attacker could only leverage these flaws to gain limited privileges on a Mac (though still enough privilege to do significant damage).

If you use Quicktime within your network, we highly recommend you download and install Apple’s update as quickly as you can.

Solution Path:

Apple has released QuickTime 7.6.9 to fix this security issue. Administrators who allow QuickTime in their network should download, test, and deploy the updated version at their earliest convenience. By default, Apple’s download bundles iTunes with QuickTime, but because iTunes often has security issues of its own, we recommend that you select the option of downloading QuickTime alone (unless you need iTunes). If you like, you can also let Apple’s Software Update tool download and install the update for you.

For WatchGuard Users:

You can mitigate the risk of this flaw by blocking media files with your WatchGuard appliance. According to Apple’s advisory, attackers could potentially leverage these flaws using the following media files (listed by extension):


If you like, you can use the HTTP, SMTP, and FTP proxy on some WatchGuard appliances to block these files by their extension. That said, many administrators prefer to allow this type of media into their network, in order to visit media rich websites. Blocking this media, especially image files, could significantly hamper your web browsing experience. Therefore, we recommend you apply Apple’s Quicktime update instead.

That said, if you really want to block QuickTime media files, the links below contain video instructions showing how to block them by extension. Keep in mind, this technique also blocks legitimate media as well.


Status:

Apple has released updates to fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


Got feedback? Leave it in the comments!


Official ProFTPD source code “backdoored” via a zero day flaw

Late last week, the developers of a popular open source FTP server, ProFTPD, warned that they’ve accidentally been distributing a booby-trapped version of their FTP server’s source code. If you downloaded and installed ProFTPD from a legitimate distribution server between November 28 and December 1, you likely have a backdoor on your system.

In an ironic twist, the attackers actually leveraged a zero day vulnerability in ProFTPD in order to place this maliciously modified source code onto the official ProFTPD distribution servers. The modified ProFTPD 1.3.3c source code contains a backdoor, which gives any remote attacker who knows the “secret password,” complete root access to your FTP server. If you install this modified source, it’s extremely easy for attackers to access the backdoor — in fact, someone has already released a metasploit module to help you do it.

Hopefully, you haven’t installed ProFTPD 1.3.3c in the last week, but if you have, I highly recommend you remove it and download the latest version. More importantly, make sure to use the PGP and MD5 signatures that the ProFTPD team provides to ensure that you have a legitimate copy of unmodified source code. Furthermore, you may want to restrict access to your ProFTPD server using firewall or ACL rules. Unfortunately, the ProFTPD team hasn’t mentioned much about the zero day exploit the attackers leveraged to install this backdoor, so we can only assume that ProFTPD 1.3.3c is still vulnerable to this mysterious flaw. Some experts have suggested that the attackers may have used the unpatched ProFTPD flaw highlighted in last month’s Phrack magazine in this attack. Whether it was the Phrack zero day or some other one, the latest version of ProFTPD is vulnerable, so use it with caution.

Corey Nachreiner, CISSP
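The post's advice to check the PGP and MD5 signatures is the defensive step worth automating, with one caveat: an MD5 listing fetched from the same mirror that served a trojaned tarball can be replaced along with it, so the checksum only guards against download corruption, while the detached PGP signature, verified against a signing key obtained from somewhere other than the download server, is what actually proves the source is the project's own. The script below is an added example, not ProFTPD project code; `verify_pgp_signature` assumes `gpg` is installed with the release key already imported, and the tarball the demo hashes is a constructed stand-in (only its file name mirrors the release named above).

```python
"""Integrity checks for a downloaded source release: an md5sum-style listing
and a detached PGP signature. Added example; not ProFTPD project code."""
import hashlib
import hmac
import os
import subprocess
import tempfile


def file_digest(path, algorithm="md5", chunk_size=1 << 16):
    """Hex digest of a file, read in chunks so a large tarball is not loaded whole."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_md5_listing(text):
    """Parse md5sum output lines ("<hex>  <name>"; a leading '*' marks binary mode)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than trust
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_md5_listing(path, listing_text):
    """True only if the listing names this exact file and the digest matches.
    A file the listing does not mention is reported as unverified, not as OK."""
    expected = parse_md5_listing(listing_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(expected, file_digest(path))


def verify_pgp_signature(path, signature_path):
    """Assumption: gpg is installed and the project's release-signing key was
    imported from a source other than the download mirror. gpg exits non-zero
    on a bad signature or an unknown key, so only exit code 0 counts."""
    result = subprocess.run(["gpg", "--batch", "--verify", signature_path, path],
                            capture_output=True)
    return result.returncode == 0


def run_demo():
    """Exercise the md5 listing check against a constructed stand-in tarball."""
    name = "proftpd-1.3.3c.tar.gz"  # file name only; the contents below are constructed
    with tempfile.TemporaryDirectory() as base:
        tarball = os.path.join(base, name)
        with open(tarball, "wb") as fh:
            fh.write(b"constructed stand-in for a release tarball\n")
        good_listing = f"{file_digest(tarball)}  {name}\n"
        wrong_digest = "0" * 32 + f"  {name}\n"
        other_name = good_listing.replace("1.3.3c", "1.3.3b")
        results = {
            "listing_matches": verify_md5_listing(tarball, good_listing),
            "digest_differs": verify_md5_listing(tarball, wrong_digest),
            "listing_names_other_file": verify_md5_listing(tarball, other_name),
        }
        with open(tarball, "ab") as fh:  # file altered after the listing was published
            fh.write(b"appended bytes\n")
        results["file_changed_after_listing"] = verify_md5_listing(tarball, good_listing)
        return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

For a real download, run `verify_pgp_signature("proftpd-<version>.tar.gz", "proftpd-<version>.tar.gz.asc")` first and treat any `False` from either function as a reason to discard the archive rather than build it.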