Archive | June, 2011

Apple OSX: Take Your Leopards In For a Checkup

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various documents or images
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer
  • What to do: OS X administrators should download, test and install OS X 10.6.8 or Security Update 2011-004 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 39 security issues (counting by CVE-ID) in 22 components that ship as part of OS X or OS X Server, including AirPort, QuickTime, and MobileMe. Some of the fixed vulnerabilities include:

  • Two ImageIO Code Execution Flaws. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it suffers from two security vulnerabilities (including a buffer overflow) in the way it handles certain image formats. Though these vulnerabilities differ technically, they share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit either flaw to crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types are JPEG2000 and TIFF.
  • ATS Buffer Overflow Vulnerability. Apple Type Services (ATS) helps OS X handle fonts. ATS suffers from a buffer overflow in the way it handles embedded TrueType fonts. By tricking one of your users into downloading and viewing a malicious document containing a specially crafted font, an attacker can exploit this flaw to execute code on that user’s computer. By default, the attacker would only execute code with that user’s privileges.
  • Five QuickTime Vulnerabilities. QuickTime is the media player that ships with OS X (and with iTunes). QuickTime suffers from five security issues involving how it handles certain image, audio, and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing maliciously crafted media in QuickTime, he could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, privilege escalation vulnerabilities, and information disclosure flaws. Components patched by this security update include:

  • AirPort
  • App Store
  • ATS
  • Certificate Trust Policy
  • ColorSync
  • CoreFoundation
  • CoreGraphics
  • FTP Server
  • ImageIO
  • International Components for Unicode
  • Kernel
  • Libsystem
  • libxslt
  • MobileMe
  • MySQL
  • OpenSSL
  • patch
  • QuickLook
  • QuickTime
  • Samba
  • servermgrd
  • subversion

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

Solution Path:

Apple has released OS X Security Update 2011-004 and OS X 10.6.8 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.
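If you would rather verify the patch state from a script than trust the Software Update dialog, the following added example (not Apple’s or WatchGuard’s code) applies the rules from this alert: a 10.6.x host is fixed at 10.6.8, and a 10.5.x host is fixed by Security Update 2011-004, which Apple ships only for 10.5.8. `sw_vers` and `pkgutil` are standard Apple tools; the receipt pattern used to spot the installed security update is an assumption and should be confirmed once against a patched 10.5.8 host.

```shell
#!/bin/sh
# Added example: decide whether an OS X host still needs the June 2011 fix.
#   10.6.x hosts are fixed by the 10.6.8 update.
#   10.5.x hosts are fixed by Security Update 2011-004, which Apple ships only
#   for 10.5.8, so an earlier 10.5.x must take the 10.5.8 update first.

# version_ge A B: succeed when dotted version A is numerically >= B, comparing
# component by component (so 10.6.10 > 10.6.9, unlike a plain string compare).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ahead=${a%%.*}; [ "$ahead" = "$a" ] && a="" || a=${a#*.}
        bhead=${b%%.*}; [ "$bhead" = "$b" ] && b="" || b=${b#*.}
        if [ "${ahead:-0}" -gt "${bhead:-0}" ]; then return 0; fi
        if [ "${ahead:-0}" -lt "${bhead:-0}" ]; then return 1; fi
    done
    return 0
}

# osx_status VERSION [SECUPD_INSTALLED]
#   VERSION           output of `sw_vers -productVersion`, e.g. 10.6.7
#   SECUPD_INSTALLED  yes|no, whether the Security Update 2011-004 receipt exists (10.5 only)
# Prints: patched | needs-10.6.8 | needs-10.5.8-first | needs-secupd-2011-004 | unsupported
osx_status() {
    ver="$1"; secupd="${2:-no}"
    case "$ver" in
        10.6|10.6.*)
            if version_ge "$ver" 10.6.8; then echo patched; else echo needs-10.6.8; fi ;;
        10.5|10.5.*)
            if ! version_ge "$ver" 10.5.8; then echo needs-10.5.8-first
            elif [ "$secupd" = yes ]; then echo patched
            else echo needs-secupd-2011-004; fi ;;
        *)  echo unsupported ;;
    esac
}

# On the Mac itself (`./osx_check.sh --check`): feed in the real system facts.
# The receipt pattern for Security Update 2011-004 is an assumption; run
# `pkgutil --pkgs` on a patched 10.5.8 host once to confirm the identifier.
if [ "${1:-}" = "--check" ]; then
    if pkgutil --pkgs 2>/dev/null | grep -qi 'SecUpd2011-004'; then inst=yes; else inst=no; fi
    osx_status "$(sw_vers -productVersion)" "$inst"
fi
```

Run it with `--check` on each Mac, or call `osx_status` with an inventory export to triage a fleet; anything other than `patched` goes on the update list.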

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)

Eight Excel Vulnerabilities Make Spreadsheets Risky

Severity: High

14 June, 2011

Summary:

  • These vulnerabilities affect: Most current versions of Excel, which ships with Microsoft Office
  • How an attacker exploits it: By enticing one of your users to open a malicious Excel document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft Office updates as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing eight vulnerabilities found in Excel, part of Microsoft Office for Windows and Mac. The flaws also affect some of the Office document viewer and converter applications.

Though the eight vulnerabilities differ technically, they share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Excel document, he can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you.

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Excel documents, some organizations need to allow them in order to conduct business. Therefore, these patches are your best recourse.

If you want to block Excel documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features by file extension (.xls and .xlsx). Keep in mind that blocking by extension stops legitimate documents as well as malicious ones, and that an attacker can sidestep an extension-only rule simply by renaming the file.
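To see why an extension rule is only a partial control, the following added example (not WatchGuard’s proxy code) classifies a file by its leading bytes instead of its name: legacy .xls files are OLE2 compound documents, and .xlsx files are ZIP containers holding an `xl/workbook.xml` entry. The two sample files are constructed inline and labelled as such; the only assumptions are that `od` and (for the ZIP branch) `unzip` are available.

```shell
#!/bin/sh
# Added example: classify a file as an Excel container by content, not extension.

# magic_kind FILE: print ole2, zip or other based on the first 8 bytes.
magic_kind() {
    sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$sig" in
        d0cf11e0a1b11ae1*) echo ole2 ;;  # legacy binary Office container (.xls, also .doc/.ppt)
        504b0304*)         echo zip ;;   # ZIP container; OOXML .xlsx is a ZIP holding xl/ entries
        *)                 echo other ;;
    esac
}

# is_excel_container FILE: succeed when the content says "Excel workbook".
# An OLE2 container is accepted as-is; telling .xls from .doc would mean
# opening the compound file and looking for its Workbook stream.
is_excel_container() {
    case "$(magic_kind "$1")" in
        ole2) return 0 ;;
        zip)  unzip -l "$1" 2>/dev/null | grep -q 'xl/workbook.xml' ;;
        *)    return 1 ;;
    esac
}

# make_samples DIR: write two constructed files that show why extensions lie:
# a genuine OLE2 header saved as .txt, and plain text saved as .xls.
make_samples() {
    printf '\320\317\021\340\241\261\032\341' > "$1/report.txt"
    printf 'just a text file\n' > "$1/notes.xls"
}

# Demo: extension verdict beside content verdict for each constructed sample.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/report.txt "$demo_dir"/notes.xls; do
    case "$f" in *.xls|*.xlsx) by_ext=blocked ;; *) by_ext=allowed ;; esac
    if is_excel_container "$f"; then by_content=blocked; else by_content=allowed; fi
    printf '%-12s extension filter: %-8s content filter: %s\n' "${f##*/}" "$by_ext" "$by_content"
done
rm -rf "$demo_dir"
```

The demo shows the renamed workbook slipping past the extension rule while the harmless `.xls` text file gets blocked by it; a content-aware proxy rule (or the same check in a mail gateway) closes that gap.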

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Eleven Windows Bulletins Patch Many Critical Vulnerabilities

Critical SMB, OLE, and .NET Flaws Corrected

Severity: High

14 June, 2011

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (as well as some optional components like .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or enticing your users to view malicious images
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released eleven security bulletins describing a dozen vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity (according to Microsoft’s summary).

  • MS11-038: OLE Automation Code Execution Vulnerability

According to Microsoft, Object Linking and Embedding (OLE) Automation is a Windows protocol that allows an application to share data with or to control another application. Unfortunately, OLE Automation suffers from a vulnerability involving the way it parses specially crafted Windows Metafile (WMF) images. By tricking a user into viewing a specially crafted image, perhaps hosted on a web site, an attacker could exploit this flaw to execute code with that user’s privileges. If your users have local administrative privileges, the attacker gains complete control of their machines.
Microsoft rating: Critical

  • MS11-039 / MS11-044: .NET Framework and Silverlight Code Execution Vulnerabilities

The .NET Framework is a software framework used by developers to create Windows and web applications. The .NET Framework (and Silverlight) suffers from two complex vulnerabilities having to do with how it validates parameters passed to a network function and how its JIT compiler validates values within objects. The scope and impact of these vulnerabilities differ depending on the attack vector. There are three potential vectors: an attacker can host a malicious .NET web site, attack your .NET web site, or leverage one of your custom .NET applications to potentially elevate his privilege. We believe the malicious .NET web site poses the most risk. If an attacker can entice you to a specially crafted site (or to a legitimate site that somehow links to his malicious site), he can exploit this flaw to execute code on your computer with your privileges. If you are a local administrator, the attacker has full control of your machine. If you have installed the .NET Framework, you should patch even if you do not run custom .NET applications or web sites.
Microsoft rating: Critical

  • MS11-041  Kernel-Mode Drivers Code Execution Vulnerability

The kernel is the core component of any operating system. Windows also ships with a kernel-mode driver (win32k.sys) that implements the windowing and graphics subsystem, including font rendering. This driver suffers from a code execution flaw involving the way it handles OpenType fonts on 64-bit systems. By enticing one of your users to view a specially crafted font, an attacker could exploit this flaw to gain full control of that user’s computer regardless of the user’s privileges, since the vulnerable code runs in kernel mode. However, the malicious font would have to reside on the local computer or on a network share for the attack to succeed, and only 64-bit versions of Windows are affected.
Microsoft rating: Critical

  • MS11-042 DFS Memory Corruption Vulnerability

Microsoft’s Distributed File System (DFS) is a collection of client and server services that allows you to create what appears to be a single file share, but actually consists of shares on multiple hosts. The Windows DFS service suffers from two security vulnerabilities. The worse is a memory corruption flaw in how the DFS client handles specially crafted DFS responses. By hosting a malicious server on your network that sends specially crafted DFS responses to requesting clients, an attacker could exploit this flaw to gain complete control of a Windows computer (or, in some cases, just crash it). That said, most administrators do not allow DFS traffic past their firewall, so these vulnerabilities primarily pose an internal risk.
Microsoft rating: Critical

  • MS11-043: SMB Client Code Execution Vulnerability

Microsoft Server Message Block (SMB) is the protocol Windows uses for file and print sharing. According to Microsoft, the Windows SMB client suffers from a security vulnerability which attackers could leverage to execute malicious code. By enticing one of your users to connect to a malicious SMB server, or by sending a specially crafted SMB message in response to a legitimate local request, an attacker can exploit this flaw to gain complete control of a vulnerable Windows computer. However, firewalls like WatchGuard’s XTM appliances typically block SMB traffic from the Internet, making this vulnerability primarily an internal risk. That said, many types of malware leverage SMB vulnerabilities to self-propagate within networks once they infect their first victim.
Microsoft rating: Critical

  • MS11-037: MHTML Information Disclosure Vulnerability

In our February advance notification post, we mentioned a zero day MHTML vulnerability similar to a Cross-site Scripting (XSS) vulnerability. The flaw involves the Windows MHTML (MIME HTML) component, which handles web pages that bundle HTML and MIME content (typically pictures, audio, or video) in one file. If an attacker can entice you to visit a specially crafted web page, or click a malicious link, he could exploit this flaw much as he would an XSS vulnerability: to steal your cookies, redirect your browser to malicious sites, or essentially take any action you could on a web site. Microsoft released a fix for this flaw in April. That fix evidently did not cover every variant, since this update addresses a new variant of essentially the same issue.
Microsoft rating: Important.

  • MS11-046 AFD Elevation of Privilege Vulnerability

The Ancillary Function Driver (AFD.sys) is the kernel-mode driver that handles Winsock TCP/IP communications. It suffers from an elevation of privilege (EoP) vulnerability. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to log on locally with valid credentials, which significantly reduces the risk of this flaw.
Microsoft rating: Important

  • MS11-047: Windows 2008 Hyper-V DoS Vulnerability

Hyper-V is the hypervisor technology that Windows Server 2008 uses for virtualization. Hyper-V suffers from a Denial of Service (DoS) vulnerability having to do with how it handles specially crafted communications between a guest OS and the host. By running a specially crafted program within a guest OS, an attacker can exploit this flaw to make the 2008 host server stop responding until you reboot it. However, the attacker needs administrative access on the guest OS to exploit this flaw, and only Windows Server 2008 systems running Hyper-V are affected.
Microsoft rating: Important

  • MS11-048: SMB Server DoS Vulnerability

The Windows SMB Server suffers from a Denial of Service (DoS) vulnerability having to do with how it handles specially crafted SMB requests. By sending a specially crafted SMB packet, an attacker can exploit this flaw to make a Windows computer stop responding until you reboot it. Like the SMB client vulnerability mentioned above, this flaw primarily poses an internal risk, since perimeter firewalls normally block SMB.
Microsoft rating: Important

  • MS11-051 AD Certificate Services Web Enrollment EoP Vulnerability

The Active Directory (AD) Certificate Services Web Enrollment site suffers from a Cross-site Scripting (XSS) vulnerability. By enticing one of your users to click a specially crafted link, an attacker could exploit this flaw to steal that user’s cookies, redirect the browser to malicious sites, or essentially take any action the user could on the Web Enrollment site. This flaw only affects the non-Itanium server versions of Windows.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-038:

* Note: Server Core installations not affected.

MS11-039 / MS11-044:

Due to the complicated, version-dependent nature of .NET Framework updates, we recommend you see the Affected & Non-Affected Software section of Microsoft’s Bulletins for patch details (or let Windows Automatic Updates handle the patch for you).

MS11-041:

MS11-042:

MS11-043:

MS11-037:

* Note: Server Core installations not affected.

MS11-046:

MS11-047:

MS11-048:

MS11-051:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall could help mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent all attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.

Two IE Bulletins Cure a Dozen Security Flaws

Severity: High

14 June, 2011

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer, running on all current versions of Windows
  • How an attacker exploits it: Typically, by enticing one of your users to visit a malicious web page
  • Impact: In the worst case an attacker can execute code on your user’s computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In two security bulletins [ MS11-050 / MS11-052 ] released today as part of Patch Day, Microsoft describes twelve privately reported vulnerabilities in Internet Explorer (IE) 9.0 and earlier versions, running on all current versions of Windows. Microsoft rates both of these bulletins as Critical.

  • MS11-050: Cumulative IE Update Fixing Eleven Vulnerabilities

Microsoft warns of 11 new IE vulnerabilities in its cumulative IE update. Though these 11 flaws differ technically, most of them (eight) share the same general scope and impact. They are all memory corruption issues in how IE handles various HTML elements, such as link properties and layout memory. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Many Windows users have local administrative privileges, in which case the attacker gains complete control of the victim’s computer. Attackers often leverage these types of code execution vulnerabilities to launch drive-by download attacks.

The remaining three issues are less severe information disclosure vulnerabilities.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

  • MS11-052: IE (and Windows) VML Code Execution Flaw

IE also suffers from a memory corruption vulnerability having to do with how it parses specially crafted Vector Markup Language (VML) that references uninitialized or deleted objects. By enticing one of your users to a specially crafted web page, an attacker could leverage this flaw to execute code on that user’s computer, with their privileges. As usual, if the victim has local administrative privilege, the attacker gains complete control of the victim’s computer. This flaw is similar in scope to previous VML IE flaws, like the one we demonstrate in this old Wire video.

Keep in mind, today’s attackers commonly hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and XSS attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.

MS11-050:

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

MS11-052:

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

For All WatchGuard Users:

These attacks arrive as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


Microsoft Black Tuesday: 16 Bulletins, 34 Vulnerabilities, Lots of Patching

If you plan on enjoying a Father’s Day of BBQ and relaxation, you better start patching your Microsoft networks now. Otherwise, you may not have time to install 16 bulletins worth of patches by this weekend.

Microsoft has posted their June Patch Day summary, which contains 16 security bulletins, nine of which they rate as Critical. The bulletins fix around 34 vulnerabilities in many Microsoft products, including:

  • Internet Explorer (IE)
  • Windows (and components that ship with it)
  • Office
  • SQL Server
  • .NET Framework
  • Silverlight
  • Visual Studio
  • Forefront Threat Management Gateway

With so many Critical updates, it’s hard to say which to install first. In general, I recommend you follow the priority recommended in Microsoft’s summary bulletin. That said, lately attackers have focused on leveraging web and browser-based vulnerabilities to install malware via “Drive-by Downloads.” So you may want to install the Critical IE updates before the others.

We’ll post more detailed alerts about these flaws, and how to fix them, shortly.  Corey Nachreiner, CISSP

Are You Ready for the Great IPv6 Migration?

Tune in for WatchGuard’s IPv6 Readiness Webinar Series, Starting June 8th

When IPv4 (Internet Protocol Version 4) was standardized in 1981, its capacity for roughly 4.3 billion addresses seemed enormous for the fledgling Internet. However, rapid worldwide Internet adoption and the proliferation of devices (PCs, cars, smart phones, etc.), each requiring its own IP address, have depleted the pool of available addresses and necessitated a new addressing architecture, IPv6.

Not only will IPv6 scale to the Internet’s foreseeable growth by providing a vastly larger address space, but it may also deliver other benefits, such as more efficient packet handling and native IPsec support. However, because IPv6 and IPv4 are not directly interoperable, it is essential for businesses to be ready and equipped for the transition.

Wednesday, June 8th, is World IPv6 Day, and the Internet Society (ISOC) is sponsoring a global, one-day test in which participating web sites enable IPv6 content. To coincide with this pivotal experiment and build further momentum in educating IT professionals and business decision makers as they make the significant transition, WatchGuard is launching its IPv6 Readiness Webinar Series.

On June 8th, WatchGuard will present three live webcasts (7:00 a.m., 10:00 a.m., and 8:00 p.m. PDT) titled IPv6: Hype or Reality. Hosted by Corey Nachreiner, Senior Network Security Analyst, and Tim Helming, Director of Product Management, this hour-long session will offer a foundational overview of IPv6 as well as insight into how it will impact your business. Subsequent monthly webinars will provide more in-depth education on security considerations, preparations for your network, and WatchGuard-specific IPv6 support.

Register now and choose the optimal time for your schedule.  A recording will be made available for those who cannot attend one of the live sessions.

Stay tuned via Twitter and Facebook for announcements about our future IPv6 webinars.