Archive | January, 2011

WatchGuard Releases Fireware XTM 11.4: For XTM 2, 5, 8, and XTM 1050 Appliances, and WSM

The time has come to take control! WatchGuard is pleased to announce the immediate availability of Fireware XTM 11.4 and WSM 11.4, which gives businesses powerful new ways to control their security. In this release, WatchGuard has made significant enhancements to most major areas of product functionality, including security, centralized management, authentication, reporting, and wireless. Some highlights include the following:

  • Application Control, our newest security subscription for all WatchGuard XTM 2, 5, 8, and 1050 appliances, allows fine-grained management of thousands of applications including Skype, Facebook, YouTube and more
  • New centralized management features simplify the task of deploying security policies across multiple appliances. Templates are more flexible than ever, with inheritance and override settings that allow nuanced policies to be deployed across one, some, or all appliances under centralized management
  • Configuration History and Rollback for devices under centralized management gives the administrator the ability to “turn back the clock” and revert to a previous configuration when using the WSM Management Server
  • New authentication features help ensure that every user or group has the correct security policy. These include the ability to authenticate users who are on Microsoft Terminal Servers or Citrix servers, support for multiple Active Directory groups, 802.1X authentication for the XTM 2 Series Wireless models, and more
  • Enhanced IPS delivers rock-solid security with greater efficacy and ease of configuration; IPS can now be configured independent of the security proxies
  • New reporting functionality includes reports on Application Control and on several other functional areas, such as DHCP lease activity
  • Rogue wireless access point detection for the XTM 2 Series Wireless models

In addition to the features listed above, 11.4 includes numerous smaller enhancements and bug fixes in many different areas of Fireware and WSM.

If you’re an active LiveSecurity subscriber, you can upgrade to Fireware XTM 11.4 free of charge.

Does This Release Pertain to Me?

Fireware XTM 11.4 is a feature release that also includes many bug fixes. If you have any XTM series appliance and wish to take advantage of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.4. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Software Downloads web page, which also includes clear installation instructions. Fireware XTM 11.4 is an XTM Series only release, but some of the WSM 11.4 management enhancements (such as certain changes to logging, reporting, and centralized management) are applicable to e-Series appliances running earlier 11.x versions, as well as to XTM appliances running 11.4. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

WatchGuard XCS 9.1 Update 2 Now Available: Spam & Data Loss Prevention Enhancements

WatchGuard is very pleased to announce the release of WatchGuard XCS version 9.1 Update 2 for all XCS Extensible Content Security appliances.

WatchGuard XCS 9.1 Update 2 includes significant enhancements to our award-winning WatchGuard XCS Extensible Content Security solutions. This release includes enhancements in spam protection, management and reporting, as well as data loss prevention functionality for XCS email security. In addition, XCS 9.1 Update 2 contains a number of fixes for issues reported by WatchGuard customers.

The key advancements of XCS 9.1 Update 2 include, but are not limited to:

  • New WatchGuard XCS SecureMail Email Encryption add-on subscription for integrated privacy and protection of email communications; provides transparent, policy-based email encryption directly from the WatchGuard XCS appliance without the need for a local encryption server or additional desktop software
  • New WatchGuard XCS SecureMail Branding add-on subscription for custom, fully-branded encrypted email communications
  • XCS Outlook Add-in that places Spam and Not Spam buttons in the end user’s Outlook toolbar; helps improve overall XCS efficacy while giving users more control over their messages by providing:
    • end user ability to report false positives, where a legitimate message was marked as spam
    • end user ability to report false negatives, where a spam message was mistakenly passed as legitimate
    • improved training of WatchGuard XCS appliance
    • relays training feedback to WatchGuard
    • adds sender to end user’s personal Trusted/Blocked Sender list
  • Enhanced visibility into spam processing with new Intercept Component report that provides detailed information regarding:
    • frequency of spam received based on each spam category
    • token analysis score of messages received
    • Intercept component contribution to spam score
  • Improved redundancy with more connections to WatchGuard XCS Security Connection to ensure XCS security, updates, and services are always up and running
  • And many more quality improvements and enhancements

If you’re an active LiveSecurity subscriber, you can upgrade to XCS 9.1 Update 2 free of charge.

Does This Release Pertain to Me?

WatchGuard XCS 9.1 Update 2 includes many important new features and enhancements as they pertain to spam efficacy, end user experience, secure email communications, data loss prevention, and redundancy of security and services. If you wish to take advantage of any of the updates listed above, or those mentioned in the Release Notes, you should consider upgrading to version 9.1 Update 2. Please read the Release Notes before you upgrade to understand what’s involved.

How Do I Get the Release?

WatchGuard XCS customers who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable package and/or XCS Outlook Add-Ins from the Software Downloads web page, which also includes clear installation instructions. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Microsoft Corrects Vulnerabilities in MDAC and Backup Manager

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into visiting malicious websites or opening specially crafted files
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released two security bulletins describing three vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS11-002: MDAC Code Execution Vulnerabilities
The Microsoft Data Access Components (MDAC) are a collection of Windows components that allow other programs to easily access and manipulate databases. Unfortunately, MDAC suffers from two memory-related security vulnerabilities, including a buffer overflow. The flaws differ technically, but share the same impact. By luring one of your users into visiting a malicious web page, or a legitimate page that has been hijacked, an attacker could leverage these flaws to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, attackers could leverage these flaws to gain complete control of their PCs. Microsoft rating: Critical
  • MS11-001: Backup Manager Insecure Library Loading Vulnerability
Windows ships with Backup Manager, which allows users to restore their files to a previous point in time. It is part of Windows’ System Protection and System Restore feature. According to Microsoft, Backup Manager suffers from an insecure Dynamic Link Library (DLL) loading vulnerability, sometimes referred to as a binary planting flaw. We first described this flaw in a September Wire post, which describes this Microsoft security advisory. If an attacker can entice one of your users into opening a malicious Windows Backup (.wbcat) file from the same location as a specially crafted DLL, she could exploit this flaw to execute code on that user’s computer with that user’s privileges; if the user is a local administrator, that amounts to complete control of the computer. This particular flaw only affects the version of Backup Manager that ships with Vista. Since this type of attack requires user interaction to succeed, and only affects Vista, it poses less risk than the MDAC flaw described above. Microsoft rating: Important

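Why opening a document from the same folder as a planted DLL is enough: the Windows loader resolves a bare DLL name by walking a fixed list of directories, and the current directory (set to the document’s folder by the shell) is on that list. The following is an added, portable model of that search order written for this page; it is not Windows or WatchGuard code. The application, the share name, and the set of DLLs that “exist” are constructed for the illustration. `safe_mode` stands for the SafeDllSearchMode default (CWD searched after the system directories instead of second), and `block_cwd` stands for the effect of Microsoft’s CWDIllegalInDllSearch hardening or of an application that loads by full path or calls SetDllDirectory("").

```c
/* Added, portable model of the Windows DLL search order, written to show why
 * opening a document next to a planted DLL leads to code execution. It is a
 * simulation for this page, not Windows or WatchGuard code: the directory
 * names, the application, and the set of DLLs that "exist" are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_DIRS 8
#define SYSTEM32 "C:\\Windows\\System32"
#define WINDIR   "C:\\Windows"
#define APP_DIR  "C:\\Program Files\\App"     /* constructed application directory */
#define EVIL_DIR "\\\\evil-share\\docs"        /* constructed share holding the opened .wbcat */

/* Constructed filesystem view: which DLL exists in which directory. */
typedef struct { const char *dir; const char *dll; } file_t;

static const file_t EXISTING[] = {
    { SYSTEM32, "kernel32.dll" },
    /* The attacker plants two DLLs beside the document: a copy of a name the
       application normally finds in System32, and a helper the application
       asks for but never ships (so no earlier directory can satisfy it). */
    { EVIL_DIR, "kernel32.dll" },
    { EVIL_DIR, "helper.dll" },
};

static int file_exists(const char *dir, const char *dll) {
    for (size_t i = 0; i < sizeof EXISTING / sizeof EXISTING[0]; i++)
        if (strcmp(EXISTING[i].dir, dir) == 0 && strcmp(EXISTING[i].dll, dll) == 0)
            return 1;
    return 0;
}

/* Documented search order for LoadLibrary("name.dll") with a bare file name. */
static int search_order(const char *app_dir, const char *cwd,
                        int safe_mode, int block_cwd, const char **out) {
    int n = 0;
    out[n++] = app_dir;                            /* 1. application directory */
    if (!block_cwd && !safe_mode) out[n++] = cwd;  /* 2. CWD when SafeDllSearchMode is off */
    out[n++] = SYSTEM32;                           /* 3. system directory */
    out[n++] = WINDIR "\\System";                  /* 4. 16-bit system directory */
    out[n++] = WINDIR;                             /* 5. Windows directory */
    if (!block_cwd && safe_mode) out[n++] = cwd;   /* 6. CWD when SafeDllSearchMode is on */
    out[n++] = "C:\\Tools";                        /* 7. stands in for the %PATH% entries */
    return n;
}

/* Returns the directory the loader would take `dll` from, or NULL if the
 * load fails. block_cwd models CWDIllegalInDllSearch / SetDllDirectory(""). */
const char *resolve_dll(const char *dll, const char *app_dir, const char *cwd,
                        int safe_mode, int block_cwd) {
    const char *dirs[MAX_DIRS];
    int n = search_order(app_dir, cwd, safe_mode, block_cwd, dirs);
    for (int i = 0; i < n; i++)
        if (file_exists(dirs[i], dll)) return dirs[i];
    return NULL;
}

int main(void) {
    const char *cases[] = { "kernel32.dll", "helper.dll" };
    for (int c = 0; c < 2; c++)
        for (int safe = 0; safe <= 1; safe++)
            for (int block = 0; block <= 1; block++) {
                const char *hit = resolve_dll(cases[c], APP_DIR, EVIL_DIR, safe, block);
                printf("%-13s SafeDllSearchMode=%d CWD-blocked=%d -> %s\n",
                       cases[c], safe, block, hit ? hit : "(load fails)");
            }
    return 0;
}
```

The point the model makes is the one that matters for the Vista flaw: SafeDllSearchMode only protects names that already exist in an earlier directory (kernel32.dll), while a DLL the application looks for but does not ship (helper.dll) is still taken from the document’s folder. Removing the current directory from the search, or loading by full path, turns that into a failed load instead of attacker code.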
Researchers or “gray hats” have already posted exploit code for at least one of these vulnerabilities on a public exploit forum. We recommend you download and install both these updates as quickly as possible, starting with the MDAC update.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-002:

MS11-001:

* Note: This update doesn’t affect other versions of Windows

 

For All WatchGuard Users:

In most cases, these attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: Exploits for flaws in both Microsoft bulletins

Microsoft has served this month’s patches, hot out of the oven. As expected, they only released two security bulletins, both of which affect Windows or a component that ships with it.

The more detrimental of the two bulletins fixes two Critical vulnerabilities in Windows’ Data Access components. In short, if an attacker can entice you to a malicious web page, he could exploit this to take over your computer. I would recommend you patch this one immediately. The second bulletin fixes a flaw in Vista’s Backup Manager. This flaw requires a bit more user interaction to exploit, but Vista users should still upgrade as soon as they can. You can find more details about today’s MS Patch Day releases here.

According to SANS, exploit code is available for the flaws both these bulletins fix, one of which anyone can download from Exploit-DB. Even though today’s Black Tuesday isn’t so black, I’d still recommend you install all of Microsoft’s updates as quickly as you can.

I’ll post a LiveSecurity alert that describes these bulletins in more detail, shortly. — Corey Nachreiner, CISSP

Windows zero day and small Snow Leopard update start off the new year

A fresh new year has begun and we already have security vulnerabilities in two of the most popular operating systems: Windows and OS X. Let’s start with the more worrisome one, Windows.

According to a recent Microsoft Security Advisory, the Graphics Rendering Engine that ships with most versions of Windows (one of the components that helps display graphics on your screen) suffers from a zero day vulnerability. Specifically, a flaw in how the Graphics Rendering Engine parses specially crafted thumbnail images could result in a buffer overflow. By enticing you to preview a thumbnail image, perhaps hosted on a website or sent within an email, an attacker could exploit this flaw to execute code on your computer, with your privileges. If you’re a local administrator, the attacker gets the keys to your castle.
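The class of bug behind “a crafted thumbnail causes a buffer overflow” is a count read from the image header that the parser trusts when sizing a copy into a fixed buffer. The following is an added illustration written for this page around the public 40-byte BITMAPINFOHEADER layout; it is not Windows code and does not claim to reproduce the specific flaw in the advisory. The vulnerable and hardened palette loaders, the `check_sample` helper and every sample header are constructed for the example.

```c
/* Added illustration of the bug class behind "parsing a crafted thumbnail
 * causes a buffer overflow": a count read from the image header is trusted
 * when sizing a copy into a fixed buffer. Built around the public 40-byte
 * BITMAPINFOHEADER layout; it is not the Windows code and does not claim to
 * reproduce the specific flaw. All sample headers are constructed in-memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIH_SIZE    40    /* sizeof(BITMAPINFOHEADER) */
#define MAX_PALETTE 256   /* 8 bits per pixel -> at most 256 RGBQUAD entries */

typedef struct {
    uint32_t size, compression, size_image, clr_used, clr_important;
    int32_t  width, height;
    uint16_t planes, bit_count;
} bih_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

static int parse_bih(const uint8_t *buf, size_t len, bih_t *h) {
    if (len < BIH_SIZE) return -1;
    h->size = rd32(buf);             h->width = (int32_t)rd32(buf + 4);
    h->height = (int32_t)rd32(buf + 8);
    h->planes = rd16(buf + 12);      h->bit_count = rd16(buf + 14);
    h->compression = rd32(buf + 16); h->size_image = rd32(buf + 20);
    h->clr_used = rd32(buf + 32);    h->clr_important = rd32(buf + 36);
    return 0;
}

/* VULNERABLE pattern: clr_used comes straight from the file and sizes the copy.
 * Anything above 256, including a value with the top bit set (negative if
 * treated as int), writes past the 1 KiB palette buffer. Shown only for
 * contrast; never call it on untrusted input. */
int load_palette_unchecked(const uint8_t *buf, size_t len, uint32_t pal[MAX_PALETTE]) {
    bih_t h;
    if (parse_bih(buf, len, &h) != 0) return -1;
    memcpy(pal, buf + BIH_SIZE, (size_t)h.clr_used * 4);   /* unbounded write */
    return (int)h.clr_used;
}

/* HARDENED: the palette size is bounded by the pixel format (1 << bit_count),
 * never by the count in the file, and the file must actually contain the
 * bytes before they are copied. Returns entries copied, or -1 on reject. */
int load_palette_checked(const uint8_t *buf, size_t len, uint32_t pal[MAX_PALETTE]) {
    bih_t h;
    if (parse_bih(buf, len, &h) != 0 || h.size != BIH_SIZE) return -1;
    if (h.bit_count == 0 || h.bit_count > 8) return 0;     /* no indexed palette to load */
    uint32_t max_entries = 1u << h.bit_count;              /* <= 256 */
    uint32_t n = h.clr_used ? h.clr_used : max_entries;    /* 0 means "full palette" */
    if (n > max_entries) return -1;                        /* also rejects "negative" counts */
    if ((size_t)n * 4 > len - BIH_SIZE) return -1;         /* header claims more than the file holds */
    memcpy(pal, buf + BIH_SIZE, (size_t)n * 4);
    return (int)n;
}

/* Constructed sample: writes a header plus palette_bytes of pattern data into a
 * static buffer and runs the hardened loader on it. */
int check_sample(uint16_t bit_count, uint32_t clr_used, size_t palette_bytes) {
    static uint8_t file[BIH_SIZE + 4 * MAX_PALETTE];
    static uint32_t pal[MAX_PALETTE];
    if (palette_bytes > 4 * MAX_PALETTE) return -2;
    memset(file, 0, sizeof file);
    wr32(file, BIH_SIZE); wr32(file + 4, 16); wr32(file + 8, 16);   /* 16x16 image */
    wr16(file + 12, 1);   wr16(file + 14, bit_count);
    wr32(file + 32, clr_used);
    for (size_t i = 0; i < palette_bytes; i++) file[BIH_SIZE + i] = (uint8_t)i;
    return load_palette_checked(file, BIH_SIZE + palette_bytes, pal);
}

int main(void) {
    printf("8bpp, 16 entries, 64 bytes present  : %d\n", check_sample(8, 16, 64));
    printf("8bpp, clr_used=0 (all), 1024 bytes  : %d\n", check_sample(8, 0, 1024));
    printf("8bpp, clr_used=300                  : %d\n", check_sample(8, 300, 1024));
    printf("8bpp, clr_used=0xFFFFFFFF           : %d\n", check_sample(8, 0xFFFFFFFFu, 64));
    printf("8bpp, 200 entries claimed, 100 bytes: %d\n", check_sample(8, 200, 100));
    printf("4bpp, 17 entries (max 16)           : %d\n", check_sample(4, 17, 68));
    return 0;
}
```

The hardened loader rejects the three shapes a crafted header takes: a count above what the pixel depth allows, a count whose top bit is set (which an `int` comparison would treat as negative and wave through), and a count that is within range but larger than the data the file actually carries. The check is against the format’s own limit, not against the buffer size the implementation happens to use, so it stays correct if the buffer is later resized.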

Microsoft doesn’t have a patch for this vulnerability, but they do describe a workaround that will mitigate some attacks. See the “Mitigating Factors and Suggested Actions” section of their advisory for more details. Unfortunately, they don’t say whether or not attackers are exploiting this zero day in the wild. Though Patch Day is coming up next week, I doubt Microsoft will get this fix out by then, so be sure to be careful handling thumbnail images.

Next up is Apple. Late yesterday, Apple released a security update for OS X 10.6.x (Snow Leopard). The update only seems to fix one marginally severe vulnerability. Apple’s alert doesn’t describe the flaw in much technical detail. They only say that a format string flaw in PackageKit could allow an attacker to execute code on your Mac. In order to exploit this flaw, the attacker would need to deliver a malicious package via Apple’s Software Update, which means he would need to complete a Man-in-the-Middle attack to gain control of where Software Update gets its package from. In short, attackers will have a hard time leveraging this flaw without local access to your network. Nonetheless, Snow Leopard users should download the 10.6.6 update or let Software Update do it for them.

In summary, if you’re a Windows user, be careful with thumbnails, and look for updates next Tuesday, and if you’re a Snow Leopard user, upgrade as soon as you can.

Corey Nachreiner, CISSP

First Patch Day of 2011 weighs in light

Today’s the first Thursday of the month, which means Microsoft has informed the world what to expect for next week’s Patch Day. I’m happy to say, the first Patch Day of 2011 won’t tax your IT department.

According to their Advance Notification bulletin, Microsoft only plans to release two security bulletins on Tuesday, January 11. Both of the bulletins affect Windows, or components that ship with it — one rated Critical and one Important.

After last December’s insane Patch Day, I for one am happy for a light update load. However, you should still pay attention next Tuesday, despite the light load. One critical vulnerability is often all an attacker needs to make mincemeat of your network. I recommend you jump on Microsoft’s Critical and Important patches as soon as you can.

We’ll know more about these bulletins next Tuesday, and will publish alerts about them via LiveSecurity and LiveSecurity Informer. — Corey Nachreiner, CISSP

