Archive | July, 2011

Evil Visio 2003 Documents Could Install Malware

Severity: Medium

12 July, 2011

Summary:

  • This vulnerability affects: Visio 2003, only
  • How an attacker exploits it: By enticing one of your users into opening a maliciously crafted Visio document
  • Impact: An attacker can execute code, potentially gaining complete control of your users’ computers
  • What to do: Deploy the Visio 2003 patch as soon as possible, or let Windows Update do it for you

Exposure:

Microsoft Visio is a very popular diagramming application, which many administrators use to create network diagrams. It also ships with some Office packages.

In a security bulletin released today, Microsoft describes a security vulnerability that only affects Visio 2003. Specifically, Visio 2003 suffers from an insecure Dynamic Link Library (DLL) loading vulnerability, sometimes referred to as a binary planting flaw. We first described this class of flaw in a September Wire post, which describes this Microsoft security advisory. If an attacker can entice one of your users into opening a Visio-related file (such as .vsd, .vdx, .vst, or .vtx) from the same location as a specially crafted DLL, he could exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer.
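The precondition the paragraph describes is simple to audit for: a Visio document sitting in the same directory as a DLL. The script below is an added example, not code from the alert or from Microsoft. It walks a directory tree and reports every folder that holds both a Visio document (the four extensions named above) and a DLL, which is the pairing a defender would want to review on file shares, download folders or mail-attachment drops. The directory layout it scans is constructed inline so the example runs offline; the folder and file names are placeholders.

```python
import os
import tempfile

# Extensions from the advisory: Visio document types whose opening triggers the
# DLL search, and the library type a planted file would use.
VISIO_EXTENSIONS = {".vsd", ".vdx", ".vst", ".vtx"}
LIBRARY_EXTENSIONS = {".dll"}


def find_colocated_dlls(root):
    """Walk `root` and report every directory that holds at least one Visio
    document and at least one DLL. Such a directory matches the precondition of
    the binary-planting flaw (document and DLL in the same place) and deserves a
    closer look; the pairing is not proof of an attack by itself."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        docs = sorted(f for f in filenames
                      if os.path.splitext(f)[1].lower() in VISIO_EXTENSIONS)
        dlls = sorted(f for f in filenames
                      if os.path.splitext(f)[1].lower() in LIBRARY_EXTENSIONS)
        if docs and dlls:
            findings.append({"directory": dirpath,
                             "documents": docs,
                             "libraries": dlls})
    return findings


def build_sample_tree():
    """Construct a throwaway directory tree (constructed test data, not real
    files): one folder with a Visio diagram and a DLL side by side, one with
    only a diagram, and one with only a DLL. Names are placeholders."""
    root = tempfile.mkdtemp(prefix="visio-scan-")
    layout = {
        "downloads": ["network-diagram.vsd", "example-planted.dll"],  # flagged
        "docs": ["floorplan.VDX"],                                    # diagram alone
        "tools": ["helper.dll"],                                      # library alone
    }
    for folder, names in layout.items():
        path = os.path.join(root, folder)
        os.makedirs(path)
        for name in names:
            with open(os.path.join(path, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_colocated_dlls(sample_root):
        print(f"{hit['directory']}: documents={hit['documents']} "
              f"libraries={hit['libraries']}")
```

Point `find_colocated_dlls` at a share root or a user's Downloads folder to get the same report on real data. The extension match is case-insensitive because Windows ignores case, so a `.VDX` beside a `.DLL` is caught as well.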

Solution Path:

Microsoft has released a Visio 2003 patch to fix this flaw. You should download, and deploy the patch as soon as possible, or let Windows Update do it for you.

For All WatchGuard Users:

If the practice fits your business environment, you can use the HTTP, SMTP, and/or POP3 proxies to block Visio documents by extension (such as .vsd, .vdx, .vst, or .vtx). However, doing so blocks both malicious and legitimate files.

If you would like to use our proxies to block Visio documents, follow the links below for instructions:

Status:

Microsoft has released a fix.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

More alerts and articles: Log into the LiveSecurity Archive.

Three Windows Updates: Critical Wireless Bluetooth Attack

Also, Flaws in CSRSS and Kernel-Mode Drivers

Severity: High

12 July, 2011

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted wireless Bluetooth traffic
  • Impact: An attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released three security bulletins describing 21 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could wirelessly exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity (according to Microsoft’s summary).

  • MS11-053: Bluetooth Stack Code Execution Vulnerability

Bluetooth is an open wireless technology and standard for transmitting data over short distances. The Bluetooth stack that ships with more recent versions of Windows suffers from a code execution vulnerability involving how it accesses memory that hasn’t been deleted or initialized. By wirelessly sending a series of specially crafted Bluetooth packets, an attacker could leverage this flaw to gain complete control of your vulnerable computers. However, an attacker would need to remain in Bluetooth range to carry out this attack. The average range of Bluetooth varies from 5 to 100 meters. However, using special gear, Bluetooth “snipers” have extended the range up to a kilometer. This flaw only affects Windows Vista and 7.
Microsoft rating: Critical

  • MS11-054: 15 Kernel-Mode Driver Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. This kernel-mode driver suffers from 15 elevation of privilege (EoP) vulnerabilities. The flaws all differ technically, but generally share the same scope and impact. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.
Microsoft rating: Important

  • MS11-056: CSRSS Local Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from five technically different, but functionally similar, Elevation of Privilege (EoP) vulnerabilities. Like the Kernel-Mode Driver flaw above, by running a specially crafted program, an authenticated attacker could leverage these flaws to gain complete, SYSTEM-level control of your Windows computers. However, like before, the attacker would first need to gain local access to your Windows computers using valid credentials, which somewhat reduces the risk of these flaws.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-053:

* Note: Windows Vista SP1 is only affected if you install the optional Feature Pack for Wireless

MS11-054:

MS11-056:

For All WatchGuard Users:

Attackers exploit these flaws either locally, or via Bluetooth wireless transmissions. WatchGuard’s wired and 802.11 wireless appliances do not protect these vectors. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.



Microsoft Patch Tuesday: Critical Bluetooth Flaw Allows Wireless Hacks

Microsoft has released this month’s patches, and if you have a Windows Vista or 7 computer with Bluetooth, you should update now.

You’ll find the full list of this month’s Microsoft patches on their July Patch Day summary page. The summary describes three flaws that affect Windows and its components, and one flaw that affects Visio (included in some Office packages).

The Windows Bluetooth Stack code execution vulnerability poses, by far, the worst risk, which is why Microsoft rates it as Critical. By simply sending some specially crafted Bluetooth packets, an attacker could exploit this flaw to gain complete control of your computer.

Microsoft rates the remaining updates as Important. I’d definitely apply the Bluetooth Stack patch first, at least on computers that have Bluetooth adapters. I’d probably install the Visio update next, as users often click on Office documents without thinking. Finally, shore up the remaining Windows updates. Whichever order you apply them, I’d recommend downloading, testing, and deploying these patches as soon as you can.

We’ll post more detailed alerts about these flaws, and how to fix them, shortly. Corey Nachreiner, CISSP (@SecAdept)

Patch BIND 9 to Avoid DNS Outages

Earlier this week, the Internet Systems Consortium (ISC) released a BIND 9 update to fix two serious Denial of Service (DoS) vulnerabilities in the popular, open source DNS server software.

The two DoS flaws differ technically, but essentially share the same scope and impact. By sending specially crafted packets to your BIND 9 server, an attacker could leverage these flaws to either crash BIND, or cause it to exit. In either case, by repeatedly exploiting this flaw an attacker could drastically affect your DNS service, thus preventing your users from browsing the web.

That said, one of the two flaws only affects BIND 9 servers which have recursion enabled, and which use a special feature called “Response Policy Zones” (RPZ). In fact, the flaw only affects BIND servers that have RPZ zones with specific rule or action patterns. These factors significantly mitigate the severity of that particular flaw.

In any case, if you run a BIND 9 server, I recommend you download and install the BIND 9.8.0-P4 update to correct these vulnerabilities.
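To check a fleet of resolvers against the fixed release named above, the small parser below compares the version string `named -v` prints with the 9.8.0-P4 baseline. It is an added example, not code from ISC or from the alert. The fixed version for the 9.8 branch comes from this post; the 9.6-ESV and 9.7 branches received their own patch releases whose numbers are not on this page, so the script reports those as "unknown" rather than guessing. The `named -v` outputs it evaluates are constructed sample strings.

```python
import re

# Fixed release named in the advisory for the BIND 9.8 branch, as a
# (major, minor, patch, P-level) tuple. Other branches are deliberately absent:
# their fixed releases are not on this page and must come from ISC's advisory.
FIXED_RELEASES = {
    (9, 8): (9, 8, 0, 4),   # BIND 9.8.0-P4
}

# Matches "BIND 9.8.0-P2", "BIND 9.8.0" and vendor strings that append more
# text after the upstream version (e.g. "BIND 9.8.0-P1-<vendor>-...").
_VERSION_RE = re.compile(r"BIND\s+(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_named_version(text):
    """Extract (major, minor, patch, plevel) from one `named -v` line.
    A release with no -P suffix gets plevel 0. Returns None if nothing matches."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def assess(text):
    """Return 'patched', 'vulnerable' or 'unknown' for one `named -v` line.
    The comparison is tuple-wise, so 9.8.0-P4 and anything newer in the branch
    (9.8.1, ...) pass, while 9.8.0 through 9.8.0-P3 are flagged. Branches not
    in FIXED_RELEASES are reported as 'unknown' instead of being guessed."""
    version = parse_named_version(text)
    if version is None:
        return "unknown"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


# Constructed sample outputs, as `named -v` might print them on four hosts.
SAMPLE_OUTPUTS = [
    "BIND 9.8.0-P2",
    "BIND 9.8.0-P4",
    "BIND 9.7.3-P1",
    "named: command not found",
]

if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print(f"{line!r:32} -> {assess(line)}")
```

One caveat when running this against real servers: Linux distributions often backport security fixes without changing the upstream version string, so a "vulnerable" verdict from the version alone should be confirmed against the package changelog before anyone is paged.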

You can learn more about these two vulnerabilities at ISC’s BIND advisory page, or at the individual advisory links below:

Corey Nachreiner, CISSP (@SecAdept)

Microsoft Windows and Visio Patches Coming Next Tuesday

After last month’s monstrous Patch Day, I’m happy to report Microsoft plans to give us a break next Tuesday. According to their Advanced Notification alert for July, they will release four security bulletins on Tuesday, July 12. The bulletins will cover 22 vulnerabilities affecting Windows and Office (likely Visio), and Microsoft only rates one of them as Critical.

Despite the light load, I still recommend you prepare to download, test, and deploy Microsoft’s updates as soon as you can on Tuesday, especially the Critical one. Critical updates often fix flaws that allow attackers to gain remote control of your computer, with little to no user interaction. Even Important updates can fix code execution flaws that require a bit more user interaction. In either case, we recommend you try to install Microsoft patches as quickly as possible.

I’ll know more about these bulletins on Tuesday, July 12, and will publish alerts about them here. — Corey Nachreiner, CISSP (@SecAdept)

 

