Archive | May, 2011

WatchGuard Releases Fireware XTM 11.3.4 for e-Series Appliances

WatchGuard is very pleased to announce that Fireware XTM 11.3.4, the latest operating system for our Firebox X e-Series appliances, is now available for download.

Fireware XTM v11.3.4 is the newest operating system software release for Firebox X Peak, Core, and Edge e-Series appliances. Fireware XTM v11.3.4 demonstrates a continuing commitment to WatchGuard Firebox X e-Series customers, with a significant number of bug fixes and enhancements.

Please note, the 11.3.4 firmware is only intended for e-Series hardware. XTM appliance owners should install 11.4.1. There is no new WatchGuard System Manager release for Fireware XTM v11.3.4. You can use either WatchGuard System Manager v11.4.x or WatchGuard System Manager v11.3.2 to connect to a Firebox e-Series device that runs Fireware XTM v11.3.4, although you must use WatchGuard System Manager v11.4 if you want to use the new Shrew Soft VPN client or the new VPN gateway setting.

XTM 11.3.4’s primary enhancements include:

  • Mobile VPN with IPSec: WatchGuard has added support for the Shrew Soft IPSec client. For contractual reasons, WatchGuard can no longer distribute the WatchGuard Mobile VPN with IPSec client (powered by NCP), but customers who already use that client can continue to do so with no change to support or services.
  • The addition of a new branch office VPN gateway endpoint setting to specify whether your device attempts to resolve the domain name in the remote gateway ID.
  • The ability to release or renew a DHCP lease for an external VLAN from the Web UI.
  • A new setting in the HTTPS proxy action to allow connections that negotiate the SSLv2 protocol. SSLv2 is an obsolete protocol with known weaknesses, so enable this only for legacy servers you cannot fix, and leave it off otherwise.
  • A new configuration option in the Fireware XTM Web UI to set a global connection idle timeout.

Some XTM 11.3.4 fixes of note include:

  • An issue has been resolved that caused authentication to fail when you used the SSO Agent if a user was a member of a large number of groups.
  • In mixed routing mode, file transfers between computers connected to bridged interfaces no longer cause high CPU load.
  • A problem that caused FSM Status Report to show only one Cluster Member has been corrected.
  • FireCluster active/passive failover now works correctly when you have more than 8 VLANs configured on an interface.
  • A problem that caused an active/passive FireCluster to unexpectedly fail over and lock up has been fixed.
  • An issue has been resolved that caused some web sites to not load on first request.
  • SSL compatibility has been improved when you use the HTTPS proxy with deep inspection.
  • … and many other fixes — please see the Release Notes for complete details.

If you’re an active e-Series LiveSecurity subscriber, you can upgrade to Fireware XTM 11.3.4 free of charge.

Does This Release Pertain to Me?

Fireware XTM 11.3.4 is a maintenance release that contains a significant number of bug fixes and enhancements. If you have any Firebox e-Series appliances, and wish to take advantage of any of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.3.4. However, XTM appliance owners should not install 11.3.4, but rather stick with 11.4.1 or 11.3.2 and earlier. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM series or Firebox e-Series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Software Downloads web page, which also includes clear installation instructions. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Nasty WINS Messages Hijack Windows Servers

Severity: High

10 May, 2011


  • These vulnerabilities affect: Windows Server 2003 and 2008
  • How an attacker exploits them: By sending specially crafted WINS packets
  • Impact: An attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.


As part of today’s Patch Day, Microsoft released a security bulletin describing a Critical vulnerability that affects Windows Server 2003 and 2008.

The flaw lies within the Windows Internet Name Service (WINS), which is essentially Microsoft’s version of the NetBIOS Name Service (NBNS): a service that lets you give computers human-friendly names (something like a DNS for the computers on your local network).

According to Microsoft, the WINS service suffers from a memory corruption flaw because it mishandles specially crafted WINS messages. By sending such WINS packets, an attacker can leverage this flaw to force your WINS server to execute code with SYSTEM privileges, thus gaining full control of the server.

However, two factors significantly mitigate the scope of this flaw:

  1. Windows Server does not install the WINS service by default. You are only vulnerable if you have installed it yourself. However, almost every network administrator installs the WINS service on at least one server, usually one that is critical to the organization’s network.
  2. Firewalls, like our XTM appliances, block the WINS service by default. WINS uses TCP and UDP port 42, and administrators should never allow this port through their firewall. This limits the WINS attack primarily to an internal risk. That said, certain malware, such as worms or bot clients, often leverages this sort of local Windows networking flaw to propagate through the rest of your local network.

Despite its mitigating factors, this WINS vulnerability does pose a critical risk to Windows servers. You should download, test, and deploy the proper updates as soon as possible.

Solution Path:

Microsoft has released patches to fix this vulnerability. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.


For All WatchGuard Users:

By default, WatchGuard appliances block the WINS service (TCP/UDP 42), and will prevent Internet-based attackers from leveraging this flaw against your servers. As long as you haven’t specifically allowed WINS through your firewall, you remain safe against external attacks. That said, if malware does somehow sneak into your network, it often leverages this sort of Windows networking flaw to propagate throughout the rest of your network. Therefore, we still recommend you patch as soon as you can.
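Two things are worth verifying rather than assuming: that nothing on the external interface was ever allowed to reach port 42, and which internal hosts actually accept WINS traffic, since those are the servers to patch first. The following is an added example, not WatchGuard code and not the real XTM traffic log format. It runs that check over a constructed, simplified traffic log; adapt LINE_RE to your appliance’s actual log layout.

```python
"""Audit firewall traffic logs for WINS (TCP/UDP 42) that was allowed through.

Added example, not WatchGuard code: the log layout and the sample lines
below are constructed. Adapt LINE_RE to your appliance's real traffic log.
"""
import re
from typing import Dict, List, Optional, Set

WINS_PORT = 42

# Constructed sample log: "<ts> <action> <src>:<sport> -> <dst>:<dport> <proto> in=<iface> out=<iface>".
SAMPLE_LOG = """\
2011-05-10T14:02:11 Allow 203.0.113.7:51234 -> 10.0.0.5:42 tcp in=External out=Trusted
2011-05-10T14:02:12 Deny 198.51.100.9:40000 -> 10.0.0.5:42 udp in=External out=Trusted
2011-05-10T14:02:13 Allow 10.0.1.22:1048 -> 10.0.0.5:42 udp in=Trusted out=Trusted
2011-05-10T14:02:14 Allow 203.0.113.7:51235 -> 10.0.0.8:443 tcp in=External out=Trusted
2011-05-10T14:02:15 Allow 10.0.0.5:42 -> 10.0.1.22:1048 udp in=Trusted out=Trusted
2011-05-10T14:02:16 Allow 10.0.0.5:42 -> 10.0.0.6:42 tcp in=Trusted out=Trusted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>Allow|Deny) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>tcp|udp) in=(?P<in_if>\w+) out=(?P<out_if>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one traffic-log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["sport"] = int(m.group("sport"))
    rec["dport"] = int(m.group("dport"))
    return rec


def allowed_wins_flows(log_text: str, external_iface: str = "External") -> Dict[str, List[Dict[str, object]]]:
    """Split allowed connections to port 42 into those that arrived on the external
    interface (there should be none) and internal ones (the residual risk)."""
    findings: Dict[str, List[Dict[str, object]]] = {"external": [], "internal": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "Allow" or rec["dport"] != WINS_PORT:
            continue
        bucket = "external" if rec["in_if"] == external_iface else "internal"
        findings[bucket].append(rec)
    return findings


def wins_servers(log_text: str) -> Set[str]:
    """Hosts that accepted WINS traffic: the servers to patch first."""
    flows = allowed_wins_flows(log_text)
    return {str(rec["dst"]) for rec in flows["external"] + flows["internal"]}


def externally_exposed(log_text: str, external_iface: str = "External") -> bool:
    """True if any WINS connection arriving on the external interface was allowed."""
    return bool(allowed_wins_flows(log_text, external_iface)["external"])


if __name__ == "__main__":
    report = allowed_wins_flows(SAMPLE_LOG)
    for bucket, recs in report.items():
        for r in recs:
            print(f"{bucket:8} {r['ts']} {r['src']} -> {r['dst']}:{r['dport']}/{r['proto']} in={r['in_if']}")
    print("WINS servers seen:", sorted(wins_servers(SAMPLE_LOG)))
    print("exposed to external:", externally_exposed(SAMPLE_LOG))
```

Replies from a WINS server (source port 42) are ignored on purpose; only traffic arriving at port 42 identifies a listener. In the sample data the single external Allow is the finding that contradicts the default policy, and the two hosts that accepted port 42 are the patch list.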


Microsoft has released patches correcting this flaw.


This alert was researched and written by Corey Nachreiner, CISSP.


Office Updates: Beware Evil PowerPoint Documents

Severity: High

10 May, 2011


  • These vulnerabilities affect: Most current versions of Microsoft PowerPoint for Windows and Mac (ships with Office), except for 2010.
  • How an attacker exploits them: By tricking one of your users into opening a malicious PowerPoint document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft’s PowerPoint updates as soon as possible, or let Microsoft’s automatic update do it for you (Mac update not available yet)


As part of today’s Patch Day, Microsoft released a security bulletin describing two code execution vulnerabilities in most current versions of PowerPoint, which ships with Microsoft Office. The flaws affect both the Windows and Mac versions. However, they do not affect the most recent 2010 version of Office.

Though the two code execution vulnerabilities differ technically, they share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted PowerPoint document, he can exploit either of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Lately, attackers have leveraged malicious Office documents in their targeted email attacks (spear phishing). Users often consider Office documents benign, yet criminals can easily leverage these sorts of vulnerabilities to make malicious Office documents install malware. We recommend you download, test, and deploy these updates as soon as you can, hopefully before your users open the wrong document.

Solution Path

Microsoft has released patches for the Windows version of PowerPoint to correct these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you.

Unfortunately, Microsoft has not yet released the Mac updates. They don’t say exactly when they plan to release the Mac update, only that they will when testing is complete.



For All WatchGuard Users:

You can configure WatchGuard appliances to block Microsoft Office documents, like PowerPoint files. However, most organizations need to allow these documents in order to conduct business. Therefore, we recommend you patch instead.

Nonetheless, if you want to block Office documents, the video tutorials below explain how to use WatchGuard’s proxy policies to block content by file extension (such as PPT or PPTX). Keep in mind that blocking by extension blocks legitimate documents along with malicious ones, and that it keys on the file name alone, so a renamed document is not caught.
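Extension matching sees only the name the client requests, so a PowerPoint file served as invoice.pdf passes while a text file named notes.ppt is blocked. The following is an added example, not WatchGuard code and not a real proxy action. It identifies PowerPoint documents from their bytes (the OLE2 container magic for legacy .ppt, the OOXML zip layout for .pptx) and compares that with an extension rule on constructed sample files built in memory:

```python
"""Content-based identification of PowerPoint documents versus extension matching.

Added example, not WatchGuard code. The sample files are constructed in memory;
the .pptx is a minimal zip with PowerPoint part names, not a real presentation.
"""
import io
import os
import zipfile
from typing import Optional

# Header magic of the OLE2 Compound File container used by legacy .ppt/.doc/.xls.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# OLE2 stores stream names as UTF-16LE; legacy PowerPoint files carry this stream.
PPT_STREAM_NAME = "PowerPoint Document".encode("utf-16-le")
# Local file header signature that starts every zip-based OOXML package.
ZIP_MAGIC = b"PK\x03\x04"

PPT_EXTENSIONS = {".ppt", ".pptx", ".pps", ".ppsx", ".pptm", ".ppsm"}


def by_extension(filename: str) -> bool:
    """What an extension-only proxy rule sees: the file name and nothing else."""
    return os.path.splitext(filename.lower())[1] in PPT_EXTENSIONS


def by_content(data: bytes) -> Optional[str]:
    """Identify a PowerPoint document from its leading bytes and container layout.

    Returns 'ppt' (legacy OLE2), 'pptx' (OOXML zip) or None.
    """
    if data.startswith(OLE2_MAGIC):
        # Heuristic: legacy PowerPoint keeps its main stream under this directory name.
        return "ppt" if PPT_STREAM_NAME in data else None
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return None
        # Every OOXML package carries [Content_Types].xml; PowerPoint parts live under ppt/.
        if "[Content_Types].xml" in names and any(n.startswith("ppt/") for n in names):
            return "pptx"
    return None


def should_block(filename: str, data: bytes) -> bool:
    """Block when either the name or the content identifies PowerPoint."""
    return by_extension(filename) or by_content(data) is not None


def make_fake_pptx() -> bytes:
    """Constructed minimal OOXML-style zip with PowerPoint part names (no real slides)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
    return buf.getvalue()


def make_fake_ppt() -> bytes:
    """Constructed OLE2-looking blob: real header magic, padding, then the PowerPoint stream name."""
    return OLE2_MAGIC + b"\x00" * 504 + PPT_STREAM_NAME + b"\x00" * 64


# Constructed samples: the name the proxy sees mapped to the bytes on the wire.
SAMPLES = {
    "deck.pptx": make_fake_pptx(),           # honest name and content
    "invoice.pdf": make_fake_pptx(),         # renamed PPTX slips past an extension rule
    "old-deck.ppt": make_fake_ppt(),         # legacy binary format
    "notes.ppt": b"just text, not a deck",   # extension rule blocks a harmless file
}


def audit(samples=SAMPLES):
    """Return {name: (blocked_by_extension, content_type, blocked_overall)} for each sample."""
    return {
        name: (by_extension(name), by_content(data), should_block(name, data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (ext_hit, kind, blocked) in audit().items():
        print(f"{name:14} ext={ext_hit!s:5} content={kind!s:5} block={blocked}")
```

The point of the comparison is the invoice.pdf row: the extension rule misses it, the content check catches it. The reverse row, notes.ppt, shows the over-blocking the post warns about. Content sniffing is still a heuristic, and a document delivered inside an archive or over an encrypted channel the proxy does not inspect is seen by neither method, which is why the post recommends patching rather than filtering.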


Microsoft has released PowerPoint updates to fix these vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: WINS and PPT Code Execution Flaws

May Patch Day is live, so go grab Microsoft’s latest security updates.

According to the May summary bulletin, Microsoft released two security bulletins containing software updates for Windows and Office. One update fixes a critical code execution flaw in the Windows WINS service. Though Windows doesn’t enable this service by default, most administrators do run it on their Windows servers. So this flaw poses a significant risk to your Windows servers.

The second update fixes various code execution flaws in PowerPoint. If you open a specially crafted PPT file, an attacker can leverage this flaw to execute code on your machine. If you have local admin rights, the attacker gains complete control. Lately, attackers have leveraged malicious Office files quite successfully to distribute malware, making this a flaw you want to fix sooner, not later.

Compared to last month’s 17 security bulletins, two updates seem like a vacation. Nonetheless, you should still test and install these updates as soon as you can. Personally, I’d start with the PowerPoint update since I suspect users often get tricked into opening malicious Office files. The WINS vulnerability is also serious. However, most firewalls (like ours) block WINS by default, so the flaw primarily poses an internal risk.

We’ll post more detailed alerts about these two bulletins shortly. — Corey Nachreiner, CISSP

Introducing the XTM 2050 Next-Generation Firewall from WatchGuard

XTM 2050

With the recent catastrophe surrounding Sony’s security breach, large enterprises are reevaluating their network security systems. If it can happen to a company as highly regarded as Sony, can it happen to anyone? The answer depends on the strength of the network security system that is in place when a security breach is attempted. Unfortunately, viruses, hackers, and malicious software are part of the price a business pays for being globally connected to the World Wide Web. However grim that truth may be, there are new tools and effective solutions available to mitigate risks and data exposure. To address these concerns, WatchGuard now offers its latest next-generation firewall and flagship security appliance, the WatchGuard XTM 2050.

Today, WatchGuard unveiled the XTM 2050, part of a new line of next-generation firewalls geared towards large enterprises, university campuses, managed security service providers (MSSPs), data centers, manufacturing plants, and school districts. The XTM 2050 includes: advanced firewalling, Application Control, IPS, and LiveSecurity, all for a fraction of the price of comparable 20 Gbps next generation firewalls.

Using a “defense-in-depth” approach, WatchGuard next-generation firewalls utilize the latest in network security technologies.  For example, the XTM 2050 is the only next generation firewall to include stateful packet inspection, deep packet inspection and proxy technologies as part of its comprehensive firewall protection.  Application Control allows enterprises to control more than 1,800 applications, and regulate acceptable use policy with high granularity and user visibility.  Using continually updated signatures, the Intrusion Prevention Service (IPS) scans network traffic to detect and block incoming threats.

As Sony has shown, the costs of having inadequate network security can be devastating to an enterprise.  Now more than ever, businesses need to take a proactive stance in stopping hackers and malware.  The WatchGuard XTM 2050 next generation firewall provides the high performance and high security features that enterprises expect and need for today’s Internet-driven economy.  And, needless to say, we at WatchGuard are proud to be leading the pack in protecting enterprise networks, applications and data.

Potential Zero Day Cisco IOS DoS Vulnerabilities

According to posts on the Bugtraq mailing list [ 1 / 2 ], Cisco’s popular router and switch operating system, IOS, suffers from two zero day Denial of Service (DoS) vulnerabilities. These advisories come from the penetration test team of NCNIPC (China).

The advisories share minimal technical details about the two supposed flaws. They do say attackers can trigger one DoS with a UDP packet flood and the other with SNMP packets sent to improper ports. In either case, the attack can put your IOS devices in a non-responsive state, requiring a reboot. By carrying out this sort of attack against your gateway router, an attacker can fairly easily knock you offline.

Cisco has since replied to these vulnerability allegations, saying they are researching the situation. However, they did not confirm or deny the DoS flaws, nor have they had time to release patches. Until they do, you can mitigate the risk of one of the flaws by disabling SNMP on your IOS device.
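For reference, the IOS commands below show the SNMP mitigation the post describes, next to a less disruptive alternative for devices you cannot stop monitoring. This is an added configuration example, not part of the post and not from Cisco or the advisories; the management host address (192.0.2.10), the ACL name and the interface are assumptions, and because the advisories give so few details, only the first option removes the SNMP attack surface entirely.

```text
! Weak: a well-known read-only community, reachable from every interface.
snmp-server community public RO

! Option A (what the post recommends): remove the SNMP agent entirely.
! Anything that polls this device over SNMP stops working until Cisco ships a fix.
no snmp-server

! Option B (assumed values): keep SNMP, but drop and log SNMP from anything other
! than the management host at the interface, before the agent ever sees the packet.
! "permit ip any any" stands in for the rest of your existing inbound policy.
ip access-list extended OUTSIDE-IN
 permit udp host 192.0.2.10 any eq snmp
 deny udp any any eq snmp log
 deny udp any any eq snmptrap log
 permit ip any any
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
```

Option B narrows who can send SNMP to the device; it does nothing against the UDP flood described for the other flaw, and it is not a substitute for Cisco’s eventual fix.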

We’ll let you know more as soon as Cisco shares more complete details about these flaws. In the meantime, keep your eyes out for UDP floods. — Corey Nachreiner, CISSP

Microsoft Plans Light Patch Day for May

After last month’s crazy big Microsoft Patch Day, I’m happy to report a much, much smaller one this month. According to their Advance Notification page, Microsoft plans to release only two Security Bulletins next Tuesday. The bulletins will fix a Critical security flaw in Windows and an Important flaw in Office.

Regardless of the light load, I’d still recommend you at least install the Critical Windows update as soon as Microsoft releases it. Critical updates usually fix flaws that allow attackers to gain control of your computer, with little to no user interaction, so you’ll want to fix it ASAP.

I’ll know more about these bulletins on Tuesday, May 10, and will publish alerts about them here. — Corey Nachreiner, CISSP
