Archive | August, 2011

Three Development Related Microsoft Bulletins

Among the other security bulletins released during Patch Day, Microsoft also released three updates covering security vulnerabilities in various development related software packages. These security bulletins included:

  • MS11-066: Microsoft Chart Control (.NET Framework) Information Disclosure Flaw
  • MS11-067: Microsoft Report Viewer and Visual Studio Information Disclosure Flaw
  • MS11-069: Microsoft .NET Framework Information Disclosure Flaw

The vulnerabilities these three bulletins cover all differ technically, but generally they all allow attackers to gain access to information (such as files within a directory) that they should not have access to. Microsoft rates these bulletins as Important or Moderate.

The .NET Framework does not ship with all Windows computers, though many people do install it to support internal custom Windows applications. Furthermore, only developers install Visual Studio. For those reasons, we don’t believe that these three bulletins will pose much risk to normal Windows users. That said, if you use the affected products, we do still recommend you patch these flaws at your earliest convenience.

You can find the patches for these three issues in the “Affected Software” section of each individual bulletin linked above. — Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Updates for Flash, Shockwave, and Photoshop

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Shockwave Player, Flash Player, Flash Media Server, and Photoshop
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Yesterday, Adobe released five security bulletins describing vulnerabilities in many of their popular software packages, including Shockwave Player, Flash Player, Flash Media Server, Photoshop, and Robohelp. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

  • APSB11-19: Seven Shockwave Player Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin warns of seven security vulnerabilities that affect Shockwave Player 11.6.0.626 and all earlier versions for Windows and Macintosh. Adobe’s bulletin doesn’t describe the flaws in much technical detail; it only describes the nature and basic impact of each flaw. For the most part, the flaws consist of unspecified memory corruption vulnerabilities. Though these flaws differ technically, most of them share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.
Adobe Severity: Critical

  • APSB11-20: Flash Media Server DoS Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Flash Media Server allows administrators to stream Flash content.

Flash Media Server 4.0.2 and earlier suffer from an unspecified Denial of Service (DoS) vulnerability. Adobe does not share any technical detail about this flaw, including how an attacker might exploit it. They only share that an attacker could somehow exploit the flaw to launch a DoS attack against your media server.
Adobe Severity: Critical

  • APSB11-21: Flash Player Update Corrects 13 Security Flaws

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia states that 99% of Windows computers have Adobe Flash Player installed, so your users very likely have it.

Adobe’s update fixes 13 security vulnerabilities in Flash Player (for Windows, Mac, Linux, and Solaris), which they don’t describe in much technical detail. However, they do describe the general scope and impact of these flaws. In the worst case, if an attacker can lure one of your users to a malicious website, they could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.
Adobe Severity: Critical

  • APSB11-22: Photoshop GIF Handling Vulnerability

Photoshop is a popular image editing program. Photoshop CS5 suffers from an unspecified vulnerability involving its inability to properly handle specially crafted GIF images. If an attacker can trick you into downloading and opening a malicious GIF image in Photoshop, she can exploit this flaw to execute code on your machine, with your privileges. If you have local admin privileges, the attacker gains complete control of your computer.
Adobe Severity: Critical

RoboHelp 9 is software that helps you create help systems. It suffers from an unspecified Cross-Site Scripting (XSS) vulnerability. By enticing one of your users into clicking a specially crafted link, an attacker could run script on that user’s computer under the context of the RoboHelp component.
Adobe Severity: Important.

Solution Path:

Adobe has released updates for all their affected software. If you use any of the affected software, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Two Visio Document Parsing Vulnerabilities

Severity: Medium

10 August, 2011

Summary:

  • This vulnerability affects: All current versions of Microsoft Visio
  • How an attacker exploits it: By enticing one of your users into opening a maliciously crafted Visio document
  • Impact: An attacker can execute code, potentially gaining complete control of your users’ computers
  • What to do: Deploy the appropriate Visio patches as soon as possible, or let Windows Update do it for you

Exposure:

Microsoft Visio is a very popular diagramming application, which many administrators use to create network diagrams. It also ships with some Office packages.

In a security bulletin released yesterday, Microsoft describes two security vulnerabilities that affect all current versions of Visio. The vulnerabilities differ technically, but share the same scope and impact. They both involve flaws in how Visio parses Visio documents. If an attacker can entice one of your users into opening a specially crafted Visio file (such as .vsd, .vdx, .vst, or .vtx), he could exploit either of these flaws to execute code on that user’s computer with that user’s privileges. If your user has administrative privileges, the attacker could gain complete control of their computer.

Solution Path:

Microsoft has released Visio patches to fix this flaw. You should download, test, and deploy the appropriate patches as soon as possible, or let Windows Update do it for you.

For All WatchGuard Users:

If the practice fits your business environment, you can use the HTTP, SMTP, and/or POP3 proxies to block Visio documents by extension (such as .vsd, .vdx, .vst, or .vtx). However, doing so blocks both malicious and legitimate files.
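To make the trade-off above concrete, here is an added example (not WatchGuard proxy code) of the decision an HTTP proxy has to make when it blocks Visio documents by extension. It recovers the filename from the URL path or from a Content-Disposition header, normalises the extension, and applies the block list from the alert. The URLs and header values are constructed sample input.

```python
"""Extension-based block policy for Visio documents, as an HTTP proxy would apply it.
Added example; the URLs and headers below are constructed, not captured traffic."""
import posixpath
from email.message import Message
from typing import Tuple
from urllib.parse import unquote, urlsplit

# Extensions named in the alert's "For All WatchGuard Users" section.
VISIO_EXTENSIONS = frozenset({".vsd", ".vdx", ".vst", ".vtx"})


def filename_from_url(url: str) -> str:
    """Last path segment of the URL, with percent-encoding undone; the query string is ignored."""
    return unquote(posixpath.basename(urlsplit(url).path))


def filename_from_content_disposition(header: str) -> str:
    """Filename parameter of a Content-Disposition header (quoted and RFC 2231 forms handled by the stdlib parser)."""
    msg = Message()
    msg["Content-Disposition"] = header
    name = msg.get_filename()
    if not name:
        return ""
    # Strip any directory component a client might be tricked into honouring.
    return posixpath.basename(name.replace("\\", "/"))


def extension_of(filename: str) -> str:
    """Lower-cased final extension; trailing dots and spaces are dropped, as Windows drops them."""
    return posixpath.splitext(filename.rstrip(". "))[1].lower()


def should_block(url: str, content_disposition: str = "") -> Tuple[bool, str]:
    """Return (block, reason). The server-supplied filename is checked first, then the URL."""
    candidates = []
    if content_disposition:
        candidates.append(filename_from_content_disposition(content_disposition))
    candidates.append(filename_from_url(url))
    for name in candidates:
        ext = extension_of(name)
        if ext in VISIO_EXTENSIONS:
            return True, f"{name!r} has blocked extension {ext}"
    return False, "no blocked extension"


if __name__ == "__main__":
    # Constructed sample requests: a legitimate internal diagram is blocked just like any other .vsd.
    for url, cd in [
        ("http://intranet.example/diagrams/network.VSD", ""),
        ("http://files.example/download?id=42", 'attachment; filename="plan.vdx"'),
        ("http://files.example/Net%20Diagram.vst?dl=1", ""),
        ("http://files.example/report.pdf", ""),
    ]:
        print(url, should_block(url, cd))
```

The policy inspects only the name, so it blocks every legitimate diagram your users download while saying nothing about what is actually inside the file; that is the limitation the alert points out, and why the patch remains the real fix.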

If you would like to use our proxies to block Visio documents, follow the links below for instructions:

Status:

Microsoft has released a fix.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

More alerts and articles: Log into the LiveSecurity Archive.

Six Windows Bulletins Fix Important and Moderate Flaws

Bulletins Affect TCP/IP Stack, Data Access Components, the Kernel, and More

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, enticing your users to open malicious files, or running malicious applications locally
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Yesterday, Microsoft released six security bulletins describing seven vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS11-059: Data Access Components Code Execution Vulnerability

According to Microsoft, Windows Data Access Components (Windows DAC) help provide access to information across an enterprise. Unfortunately, Windows DAC allows unrestricted access to the loading of external libraries. By enticing one of your users to open a specially crafted Excel file residing in the same location as a malicious DLL file, an attacker could exploit this flaw to execute code on that user’s system, with that user’s privileges. If your users have local administrative privileges, the attacker gains complete control of their machine. This flaw only affects Windows 7 and later.
Microsoft rating: Important.
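Because the attack described above depends on an Excel file and a DLL sharing a directory, a cheap hunting check is to look for exactly that layout in user-writable locations. The following is an added example (not a Microsoft tool): it groups file paths by directory and reports directories holding both an Excel document and a DLL. The listing it runs on is constructed sample data; the DLL names are placeholders, not known-malicious files.

```python
"""Report directories that contain both an Excel document and a DLL, the
co-location the MS11-059 DLL-preloading scenario relies on.
Added example; the path listing is constructed, not a real host."""
import ntpath
import os
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List

# Lure format named in the bulletin; extend with other Office types if wanted.
DOCUMENT_EXTENSIONS = frozenset({".xls", ".xlsx", ".xlsm", ".xlsb"})
LIBRARY_EXTENSIONS = frozenset({".dll"})


def dll_adjacent_documents(paths: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group paths by directory and keep only directories with both a document and a DLL.

    Keys are normalised with ntpath.normcase (lower-cased, backslash separators)
    because NTFS paths are case-insensitive.
    """
    by_dir: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: {"documents": [], "libraries": []})
    for path in paths:
        directory, name = ntpath.split(path)
        ext = ntpath.splitext(name)[1].lower()
        key = ntpath.normcase(directory)
        if ext in DOCUMENT_EXTENSIONS:
            by_dir[key]["documents"].append(name)
        elif ext in LIBRARY_EXTENSIONS:
            by_dir[key]["libraries"].append(name)
    return {d: v for d, v in by_dir.items() if v["documents"] and v["libraries"]}


def scan_tree(root: str) -> Iterator[str]:
    """Yield every file path under root, for feeding into dll_adjacent_documents()."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


# Constructed listing: a download folder and a file share show the suspicious layout,
# System32 holds DLLs but no spreadsheets and must not be reported.
SAMPLE_LISTING = [
    r"C:\Users\alice\Downloads\q3-forecast.xlsx",
    r"C:\Users\alice\Downloads\unknown.dll",
    r"C:\Users\alice\Documents\budget.xls",
    r"\\fileserver\share\reports\sales.xls",
    r"\\fileserver\share\reports\helper.dll",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for directory, found in dll_adjacent_documents(SAMPLE_LISTING).items():
        print(directory, found)
```

Run it over `scan_tree(r"C:\Users")` or a mounted share to get the real list; every hit is a candidate for a closer look at the DLL (publisher signature, creation time relative to the document), not proof of an attack.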

  • MS11-061: Remote Desktop Web Access XSS Vulnerability

Windows Remote Desktop (RD) allows you to gain network access to your Windows desktop from anywhere. The Web Access component provides this capability through a web browser. Unfortunately, the RD Web Access component suffers from a Cross-Site Scripting (XSS) vulnerability. By enticing one of your users into clicking a specially crafted link, an attacker could run script on that user’s computer under the context of the RD Web Access component, potentially giving the attacker access to your remote desktop. This flaw only affects Windows Server 2008 R2 x64.
Microsoft rating: Important.

  • MS11-062: RAS NDISTAPI Driver Elevation of Privilege Vulnerability

Remote Access Service (RAS) is a component that allows you to access networks over phone lines, and the NDISTAPI driver is one of the RAS components that helps provide this functionality. The NDISTAPI driver doesn’t properly validate user input that it passes to the Windows kernel. By running a specially crafted application, an attacker can leverage this flaw to elevate his privilege, gaining complete control of your Windows machine. However, the attacker would first need to gain local access to your Windows computers using valid credentials, in order to run his special program. This factor significantly reduces the risk of this flaw. Finally, this flaw only affects XP and Server 2003.
Microsoft rating: Important.

  • MS11-063: CSRSS Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from an Elevation of Privilege (EoP) vulnerability. Like the NDISTAPI driver flaw above, by running a specially crafted program, an authenticated attacker could leverage this flaw to gain complete, SYSTEM-level control of your Windows computers. However, like before, the attacker would first need to gain local access to your Windows computers using valid credentials, which somewhat reduces the risk of this flaw.
Microsoft rating: Important.

  • MS11-064: TCP/IP Stack DoS Vulnerabilities

The Windows TCP/IP stack provides IP-based network connectivity to your computer. It suffers from two Denial of Service (DoS) vulnerabilities. One of the flaws is a variant of the very old Ping of Death vulnerability. By sending a specially crafted ICMP message, an attacker can cause your system to stop responding or reboot. Most firewalls, including WatchGuard’s XTM appliances, prevent external exploit of this classic DoS flaw. The second flaw has to do with how the TCP/IP stack handles specially crafted URLs. By sending a specially crafted URL to one of your Windows web servers, an attacker could exploit this flaw to cause the server to lock up or reboot. These flaws only affect Windows Vista and later.
Microsoft rating: Important.

  • MS11-068: Windows Kernel DoS Vulnerability

The kernel is the core component of any computer operating system. The Windows kernel suffers from a Denial of Service (DoS) vulnerability, involving a flaw in the way it parses metadata in files. By running a specially crafted program, an attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw. This flaw only affects Windows Vista and later.
Microsoft rating: Moderate.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-059:

MS11-061:

MS11-063:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft DNS Server NAPTR Code Execution Vulnerability

Severity: High

9 August, 2011

Summary:

  • This vulnerability affects: The DNS service that ships with the Server versions of Windows
  • How an attacker exploits it: By sending specially crafted DNS queries
  • Impact: In the worst case, an attacker gains complete control of your DNS server
  • What to do: Deploy the appropriate Windows  update immediately, or let Windows Automatic Update do it for you

Exposure:

The Server versions of Windows ship with a DNS Server to allow administrators to offer Domain Name System services on their networks.

In a security bulletin released today as part of Patch Day, Microsoft describes two vulnerabilities that affect the DNS Server that ships with Server versions of Windows. While this is technically a Windows flaw, which we typically include in a combined Windows alert, we feel that it deserves individual attention due to its high severity.

The worst of the two issues is a remote code execution flaw involving the way the DNS server handles specially crafted Naming Authority Pointer (NAPTR) DNS resource records (RR). By sending a specially crafted NAPTR query to your DNS server, an attacker could exploit this vulnerability to gain complete control of your server. However, the attacker would have to own the malicious domain name, and the authoritative DNS server for that domain name, in order for this attack to succeed. Despite this slight mitigating factor, the DNS server vulnerability poses a serious risk to your network. You should patch your Microsoft DNS servers immediately.
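Microsoft does not say how its NAPTR handling fails, so the following is not a description of the bug. It is an added example, written here rather than taken from any vendor code, of what a bounds-checked parser for the NAPTR RDATA wire format (RFC 3403: ORDER, PREFERENCE, three length-prefixed character-strings, then a domain name) has to check before trusting any length byte in a record a resolver received from some remote authoritative server. The sample record is constructed (an ENUM-style entry), and `build_naptr_rdata` is a helper added only to produce test input.

```python
"""Bounds-checked parser for NAPTR RDATA (RFC 3403 wire format).
Added example; not Microsoft's DNS Server code. Sample records are constructed."""
import struct
from typing import NamedTuple, Tuple


class MalformedRecord(ValueError):
    """Raised when a length field claims more bytes than the record actually holds."""


class NaptrRecord(NamedTuple):
    order: int
    preference: int
    flags: bytes
    services: bytes
    regexp: bytes
    replacement: str  # presentation form, e.g. "." or "example.com."


def _read_char_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """<character-string>: one length byte followed by that many bytes."""
    if pos >= len(buf):
        raise MalformedRecord(f"length byte missing at offset {pos}")
    n = buf[pos]
    end = pos + 1 + n
    if end > len(buf):
        raise MalformedRecord(f"string at offset {pos} claims {n} bytes, {len(buf) - pos - 1} remain")
    return buf[pos + 1:end], end


def _read_name(buf: bytes, pos: int) -> Tuple[str, int]:
    """Uncompressed domain name: length-prefixed labels terminated by a zero byte."""
    labels = []
    total = 0
    while True:
        if pos >= len(buf):
            raise MalformedRecord("domain name is not terminated")
        n = buf[pos]
        if n == 0:
            name = ".".join(labels) + "." if labels else "."
            return name, pos + 1
        if n & 0xC0:
            # Labels are at most 63 bytes; 0b11xxxxxx would be a compression pointer,
            # which this parser deliberately refuses inside RDATA.
            raise MalformedRecord(f"unexpected label byte 0x{n:02x} at offset {pos}")
        end = pos + 1 + n
        if end > len(buf):
            raise MalformedRecord(f"label at offset {pos} claims {n} bytes past the end")
        total += n + 1
        if total + 1 > 255:
            raise MalformedRecord("domain name longer than 255 octets")
        try:
            labels.append(buf[pos + 1:end].decode("ascii"))
        except UnicodeDecodeError:
            raise MalformedRecord(f"non-ASCII label at offset {pos}") from None
        pos = end


def parse_naptr_rdata(rdata: bytes) -> NaptrRecord:
    """Parse one NAPTR RDATA blob; every field is validated against the real length."""
    if len(rdata) < 4:
        raise MalformedRecord("RDATA shorter than the fixed ORDER/PREFERENCE header")
    order, preference = struct.unpack("!HH", rdata[:4])
    pos = 4
    flags, pos = _read_char_string(rdata, pos)
    services, pos = _read_char_string(rdata, pos)
    regexp, pos = _read_char_string(rdata, pos)
    replacement, pos = _read_name(rdata, pos)
    if pos != len(rdata):
        raise MalformedRecord(f"{len(rdata) - pos} trailing byte(s) after REPLACEMENT")
    return NaptrRecord(order, preference, flags, services, regexp, replacement)


def is_malformed(rdata: bytes) -> bool:
    """Convenience wrapper: True if the parser rejects the record."""
    try:
        parse_naptr_rdata(rdata)
    except MalformedRecord:
        return True
    return False


def _char_string(s: bytes) -> bytes:
    if len(s) > 255:
        raise ValueError("character-string longer than 255 bytes")
    return bytes([len(s)]) + s


def build_naptr_rdata(order: int, preference: int, flags: bytes, services: bytes,
                      regexp: bytes, replacement: str) -> bytes:
    """Encoder used only to construct well-formed test records (not part of the parser)."""
    name = b""
    for label in [lbl for lbl in replacement.rstrip(".").split(".") if lbl]:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range")
        name += bytes([len(raw)]) + raw
    return (struct.pack("!HH", order, preference) + _char_string(flags)
            + _char_string(services) + _char_string(regexp) + name + b"\x00")


# Constructed sample: an ENUM-style record mapping a number to a SIP URI.
SAMPLE_RDATA = build_naptr_rdata(100, 10, b"u", b"E2U+sip", b"!^.*$!sip:info@example.com!", ".")
```

The record is only accepted when every claimed length fits inside the bytes actually received and nothing is left over; a truncated copy, an inflated length byte, or trailing garbage all raise `MalformedRecord` instead of reading past the buffer, which is the property any resolver-side parser of attacker-influenced RDATA needs.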

The DNS Server also suffers from a less serious Denial of Service (DoS) flaw, which an attacker could exploit to cause your DNS server to stop responding. If an attacker can prevent your users from accessing DNS services, they essentially prevent access to the Internet (by making it difficult for users to find resources by name).

Solution Path:

Download, test, and deploy the appropriate DNS server patches immediately, or let Windows Automatic Update do it for you.

For All WatchGuard Users:

This attack leverages seemingly normal DNS traffic. You should apply the updates above.

Status:

Microsoft has released patches to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


Cumulative Patch Corrects Drive-by Download Flaws in IE9

Severity: High

9 August, 2011

Summary:

  • This vulnerability affects: All current versions of Internet Explorer, including IE9
  • How an attacker exploits it: In most cases, by enticing one of your users to visit a malicious web page
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes seven new vulnerabilities in Internet Explorer (IE) 9.0 and earlier versions, running on all current versions of Windows (including Windows 7 and Windows Server 2008). Microsoft rates the aggregate severity of these new flaws as Critical.

The seven vulnerabilities differ technically, but the three worst share the same general scope and impact. These three issues involve remote code execution flaws having to do with how IE handles various HTML objects and URIs. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

The remaining vulnerabilities consist mostly of Information Disclosure flaws.

Keep in mind, today’s attackers commonly hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and XSS attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, the remote code execution flaws in IE pose significant risk and allow attackers to launch drive-by download attacks. You should download and install the IE cumulative patch immediately.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: IE9 and DNS Server Flaws Pose Critical Risk

Are you ready for a long week of patching? Microsoft’s August Patch Day is live, with thirteen security bulletins that fix 22 security vulnerabilities in their popular software packages. The flaws affect many Microsoft products, including:

  • Windows and its many components (like DNS server)
  • Internet Explorer
  • Visio
  • the .NET Framework
  • and Visual Studio.

Microsoft only rates two of the thirteen bulletins as Critical, but this duo of updates fixes some pretty serious issues. The worst are probably the remote code execution vulnerabilities in Internet Explorer 9 and below. By enticing you to a web site containing evil code, an attacker could exploit many of these IE flaws to launch Drive-by Download attacks. Windows’ DNS Server also suffers from a fairly serious remote code execution flaw, which attackers can leverage by sending specially crafted DNS queries. I’d recommend you patch the IE and DNS server flaws immediately.

The rest of Microsoft’s bulletins fix various Important and Moderate severity vulnerabilities. Though not as bad as the two above, some of these remaining flaws do pose significant risk as well. I recommend you follow the priority recommended in Microsoft’s August summary bulletin. As is normally the case with Microsoft updates, you should probably test the patches before deploying them in your production network — especially the ones that affect server software.

As an aside, Adobe also posted various security patches today, including updates for their Flash and Shockwave software.

We’ll post more detailed alerts about both the Microsoft and Adobe flaws, and how to fix them, over the next two days. – Corey Nachreiner, CISSP

Microsoft Drops a Dozen Updates in August

After every light Microsoft Patch Day, you can almost always expect a much bigger one to follow. August is no exception, with an expected dozen Microsoft Security Bulletins.

According to their Advance Notification post, Microsoft plans to release twelve bulletins next Tuesday, fixing vulnerabilities in Windows, Internet Explorer (IE), Office, the .NET Framework, and some of their development tools. Microsoft rates two of these bulletins as Critical, eight as Important, and the remaining two as Moderate.

There is little I can share about these flaws, until Microsoft releases more details, next Tuesday. However, I suspect the Critical IE vulnerability will pose you the greatest risk — likely allowing attackers to remotely gain control of your computer if you visit a web site containing malicious code. With twelve updates to apply, I recommend you prepare your IT staff for a long day of testing and patching next week.

I’ll know more about these bulletins on Tuesday, August 9, so be sure to return here to get the full scoop. — Corey Nachreiner, CISSP (@SecAdept)
