Archive | October, 2011

WatchGuard XCS 9.2 Update 1 Now Available:

Simplified Email Encryption, Enhanced Protection from Malware, and Extended Web Security with HTTPS Traffic Scanning

October 26, 2011

As part of our ongoing efforts to improve the effectiveness of WatchGuard XCS appliances to protect from data loss, new viruses and malware, and to enhance HTTPS web security, WatchGuard is pleased to announce the availability of XCS 9.2 Update 1.

Highlights of this maintenance release include:

  • Removal of mandatory upload of authorized SecureMail Email Encryption user list to simplify management and administration; the number of users allowed to use SecureMail Email Encryption is based on your license limit.
  • “Send SecureMail” Outlook Add-In is now available that allows end users to place an email encryption button in their Outlook toolbar.
  • Outlook 2010 Add-In for Spam/Not Spam Reporting is now available; Outlook 2003 and Outlook 2007 Add-Ins are also available.
  • New Adaptive Intercept Anti-Spam Decision Strategy transparently transitions spam scoring upon successful training of the system.
  • Postfix Mail Engine Upgrade to the latest version significantly improves mail processing performance and security.
  • Detection of JavaScript in PDF Files allows you to block the transmission of PDF documents containing JavaScript code to protect from malicious code delivered by this method.
  • Kaspersky Anti-Virus Scanning & Pattern Update Engines have been upgraded to the latest version to provide enhanced protection against the latest virus, spyware, and malware threats.
  • Delivery Status Notifications (DSN) is now available with XCS for notification of successful, delayed, or failed message deliveries.
  • Configurable From: and Subject: Notification Headers can now be configured for enhanced message tracking and visibility into message processing.
  • Global TLS Inbound and Outbound Settings: TLS encryption settings can now be applied globally for both inbound and outbound TLS connections.
  • Web Security Expanded With HTTPS Scanning: The XCS Web Security subscription now includes scanning of HTTPS traffic for web-based threats and data loss. The XCS Web Proxy can now perform deep content inspection of encrypted HTTPS traffic using the same scanners as the HTTP proxy, such as Anti-Virus, the Objectionable Content Filters, Reputation Enabled Defense, and Content Scanning. This new functionality allows customers to extend enforcement of data security policies by scanning HTTP, HTTPS, and FTP web traffic.
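
The "JavaScript in PDF" feature above is a content check, and it is worth seeing what such a check has to handle. The following is an added example written for this page, not WatchGuard's scanner and not code from the release: a small Python detector that looks for the PDF name tokens that carry or trigger script (/JavaScript, /JS, /OpenAction, /AA, /Launch), decodes the #xx escapes the PDF syntax allows in names, and inflates Flate-compressed streams so that dictionaries hidden in object streams are seen too. The name list and the four sample PDFs are constructed for the example.

```python
import re
import zlib

# Name tokens that mark active content in a PDF. /JavaScript and /JS carry
# the script itself; /OpenAction and /AA are the triggers that run it on open
# or on an event; /Launch starts an external program. (Added example; this
# list is the author's choice, not WatchGuard's signature set.)
ACTIVE_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}

# A PDF name runs from "/" to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# Body of every stream object. The newline before "endstream" stays in the
# capture; the decompressor treats it as trailing data and ignores it.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def _decode_name(tok: bytes) -> str:
    """Undo the #xx escapes PDF allows in names, so /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), tok).decode("latin-1")


def _inflated_streams(pdf: bytes):
    """Yield the decompressed content of every stream that inflates as zlib/Flate.
    Object streams (/ObjStm) keep whole dictionaries inside such a stream, so a
    scanner that only reads the outer file misses names placed there."""
    for m in _STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate (or damaged): nothing to inflate


def find_active_content(pdf: bytes) -> set:
    """Set of active-content names present anywhere in the file, including
    inside inflated streams."""
    found = set()
    for layer in [pdf, *_inflated_streams(pdf)]:
        for tok in _NAME_RE.findall(layer):
            name = _decode_name(tok)
            if name in ACTIVE_NAMES:
                found.add(name)
    return found


def contains_javascript(pdf: bytes) -> bool:
    """The block/allow decision the announcement describes: any JavaScript at all."""
    return bool(find_active_content(pdf) & {"/JavaScript", "/JS"})


# ---- constructed samples: not real malware, just enough structure for the scanner ----
def _pdf(objects: bytes) -> bytes:
    return b"%PDF-1.5\n" + objects + b"trailer\n<</Root 1 0 R>>\n%%EOF\n"

CLEAN_PDF = _pdf(b"1 0 obj\n<</Type /Catalog /Pages 2 0 R>>\nendobj\n")
PLAIN_JS_PDF = _pdf(
    b"1 0 obj\n<</Type /Catalog /OpenAction <</S /JavaScript /JS (app.alert(1))>>>>\nendobj\n")
ESCAPED_JS_PDF = _pdf(   # same thing with #xx escapes, which a naive grep for "JavaScript" misses
    b"1 0 obj\n<</Type /Catalog /OpenAction <</S /J#61vaScript /#4AS (app.alert(1))>>>>\nendobj\n")
_hidden = zlib.compress(b"<</Type /Action /S /JavaScript /JS (app.alert(2))>>")
OBJSTM_JS_PDF = _pdf(     # the action dictionary lives inside a Flate-compressed object stream
    b"5 0 obj\n<</Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
    + str(len(_hidden)).encode() + b">>\nstream\n" + _hidden + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_PDF), ("plain", PLAIN_JS_PDF),
                          ("escaped", ESCAPED_JS_PDF), ("objstm", OBJSTM_JS_PDF)]:
        print(f"{label:8s} block={contains_javascript(sample)} "
              f"names={sorted(find_active_content(sample))}")
```

Two caveats for anyone writing or tuning such a check. First, this only sees Flate-compressed streams; a production scanner also has to handle the other standard filters (ASCIIHex, ASCII85, LZW, RunLength) and encrypted documents, or treat what it cannot decode as suspicious. Second, blocking every PDF that contains JavaScript also blocks legitimate fillable forms that use it for field validation, so expect to whitelist some senders.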

Does This Release Pertain to Me?

XCS 9.2 Update 1 is available for download from the WatchGuard Software Downloads section within LiveSecurity. Details regarding this new release are available in the Release Notes. If you have any XCS series appliances or are subscribed to the XCS SecureMail Email Encryption subscription, and wish to take advantage of the new simplified administration and user enhancements, you should consider upgrading to XCS 9.2 Update 1. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

If Security Connection is enabled, your XCS appliance will automatically download the XCS 9.2 Update 1 software. However, it will NOT automatically install the update. You must manually install software updates by going to Administration > Software Updates > Updates. You can also manually download the update from our Software Center in the WatchGuard Portal. We highly recommend you thoroughly review the Installation Instructions section of the Release Notes before applying this update.

For a more detailed description of this update, please visit the WatchGuard Support Center. If you need support, please open a support incident online or call our support staff directly. When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Apple Releases a Pile of Security Updates in October

If you use Apple products, you’ll be busy updating this month. Today, Apple released a bunch of security advisories (on their Security Update page), informing customers of updates for many of their products. Here’s a list of security advisories for all the updated products:

If you use any of the affected Apple products, you should follow the links above to learn more about the flaws these updates fix. You can also download all the relevant updates from Apple’s Downloads page, or let Apple’s automatic update software do it for you.

We’ll release a more complete alert on Apple’s OS X update in a while. Meanwhile, you can get a head start on the OS X update, and all the others, by visiting the links above. — Corey Nachreiner, CISSP (@SecAdept)

Patch Day Followup: Host Integration Server and Forefront UAG Updates

As you probably noticed, yesterday was Microsoft’s Patch Day. Hopefully, you saw our alerts for the most important October security bulletins, and have already gotten a start patching them. If not, you can find our Internet Explorer and consolidated Windows alerts here:

However, if you follow along with Microsoft’s bulletin releases, you may have noticed we left out two bulletins. We try to restrict our major LiveSecurity alerts to products or issues that we feel are relevant to the majority of our audience. A few of yesterday’s bulletins cover flaws in products that we either don’t believe many of our customers use (since we provide great VPN), or that we just don’t think are very popular. Nonetheless, for the sake of completeness, I wanted to quickly mention these bulletins, just in case you use the relevant Microsoft products.

Below is a quick summary of the two Microsoft bulletins we didn’t alert on:

In a nutshell, Forefront Unified Access Gateway (UAG) is Microsoft’s VPN Gateway product. Our products already provide great VPN solutions (IPSec, SSL, PPTP, etc), so we don’t think many of our customers use this product. That said, it does suffer from five security flaws, including a relatively significant remote code execution vulnerability. In short, if an attacker can entice a user with access to a UAG server to a malicious web site, she could exploit this flaw to execute code on that user’s computer, with that user’s privileges (usually local admin privileges in Windows).
Microsoft rating: Important

Microsoft Host Integration Server (HIS) is a product that connects Windows networks to older IBM mainframes and AS/400 servers. I really doubt a large percentage of my audience has heard of it, let alone uses it (though I could be wrong). Of course, if you do use this server, you should know it suffers from two Denial of Service (DoS) vulnerabilities. By sending specially crafted network packets, an attacker can exploit these flaws to prevent the server from responding to new requests. However, firewalls, like WatchGuard’s XTM appliances, block external access to your HIS server’s ports (TCP 1477 and TCP/UDP 1478) by default, which prevents this attack from the Internet. Keep in mind that a firewall does nothing against an attacker who is already inside your network, so you should still patch.
Microsoft rating: Important

In conclusion, if you happen to use either of these less popular Microsoft products, you should definitely download, test, and install the corresponding updates listed in those bulletins. — Corey Nachreiner, CISSP (@SecAdept)

Five Windows Bulletins, One Critical

Bulletins Affect .NET Framework, Media Center, Kernel-mode Drivers, and More

Severity: High


  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack including enticing your users to malicious web sites, or into opening booby-trapped files
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.


Today, Microsoft released five security bulletins describing eight vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS11-078: .NET Framework and Silverlight Code Execution Flaw

The .NET Framework is a software framework that developers use to create Windows and web applications. The .NET Framework and Silverlight do not properly restrict inheritance within classes. An attacker could exploit this to craft web content that executes code with the same privileges as you, the user. Of course, the attacker must first entice you to a specially crafted site (or to a legitimate site that somehow links to his malicious site) to exploit this flaw. As usual, if you are a local administrator, the attacker could exploit this to gain full control of your machine. This flaw can also affect web sites that use .NET Framework or Silverlight elements.
Microsoft rating: Critical

  • MS11-075: Active Accessibility Insecure Library Loading Vulnerability

Windows ships with Active Accessibility components to give customers who may have impairments more ways to interact with their computers. Unfortunately, the Active Accessibility component suffers from the insecure Dynamic Link Library (DLL) loading class of vulnerability that we’ve described in past alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location (a network share, a WebDAV folder, or a download directory) as a specially crafted, malicious DLL file. If you open the booby-trapped file, the application loads the malicious DLL from that location and executes its code with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. Microsoft doesn’t elaborate on what type of files an attacker might leverage this flaw with; only that it would be a legitimate file. For that reason, we can only assume that attackers could leverage any file type that Windows handles.
Microsoft rating: Important.

  • MS11-076: Media Center Insecure Library Loading Vulnerability

Some versions of Windows (Vista and 7) ship with Media Center, a program that helps you organize,  view, and listen to all your media through one convenient interface. Media Center suffers from an insecure library loading vulnerability almost identical to the one described above. Though the flaw lies in a different component, it has the exact same scope and impact as the Active Accessibility issue. If you download and open a booby-trapped file from the same location as a malicious DLL file, an attacker can leverage this flaw to execute code on your computer with your privileges. If you have local administrative privileges, the attacker gains complete control of your computer.
Microsoft rating: Important.
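
The two insecure library loading bulletins above (MS11-075 and MS11-076) come down to the order in which Windows searches directories when a program asks for a DLL by bare file name. The following is an added example, not code from the original alert and not Microsoft's loader: a Python model of that search order, with a constructed in-memory filesystem in which the user has opened a document from an attacker-controlled share, so the share is the program's current directory. The directory and DLL names (viewer.exe, spellcheck.dll, optional.dll, the share path) are made up for the example; only the ordering rules follow the documented Win32 search order.

```python
# Added example: a model of the Win32 DLL search order that LoadLibrary uses
# when an application asks for a DLL by bare file name. Every directory, the
# application and every DLL name below are constructed for the example; only
# the ordering rules follow Microsoft's documented search order.

APP_DIR = r"C:\Program Files\Viewer"          # directory of the running executable
SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
SHARE = r"\\fileserver\incoming"               # where the booby-trapped document sits
PATH_DIRS = [r"C:\Tools"]

# Constructed in-memory filesystem: directory -> files present.
FS = {
    APP_DIR: {"viewer.exe", "core.dll"},
    SYSTEM32: {"kernel32.dll", "spellcheck.dll"},
    WINDIR: set(),
    # attacker-controlled folder: the document to open, plus planted DLLs
    SHARE: {"quarterly.doc", "spellcheck.dll", "optional.dll"},
    PATH_DIRS[0]: set(),
}

# KnownDLLs (kernel32.dll, ntdll.dll, ...) are always mapped from System32
# and never go through the directory search at all.
KNOWN_DLLS = {"kernel32.dll"}


def search_order(cwd, safe_search=True, cwd_in_search=True):
    """Directories in the order the loader consults them for a bare name.

    safe_search models SafeDllSearchMode (on by default since XP SP2): the
    current directory drops from 2nd place to after the system directories.
    cwd_in_search=False models an application that called SetDllDirectory("")
    (or SetDefaultDllDirectories), which removes the current directory entirely."""
    system = [SYSTEM32, WINDIR]
    order = [APP_DIR] + (system + [cwd] if safe_search else [cwd] + system) + PATH_DIRS
    if not cwd_in_search:
        order = [d for d in order if d != cwd]
    return order


def resolve_dll(name, cwd, fs=FS, safe_search=True, cwd_in_search=True):
    """Directory the DLL would be loaded from, or None if the load fails."""
    want = name.lower()
    if want in KNOWN_DLLS:
        return SYSTEM32
    for d in search_order(cwd, safe_search, cwd_in_search):
        if want in {f.lower() for f in fs.get(d, ())}:
            return d
    return None


if __name__ == "__main__":
    # The user double-clicks \\fileserver\incoming\quarterly.doc, so the viewer
    # starts with that folder as its current directory.
    for name, kw in [("spellcheck.dll", {}),
                     ("spellcheck.dll", {"safe_search": False}),
                     ("optional.dll", {}),
                     ("optional.dll", {"cwd_in_search": False})]:
        print(f"{name:15s} {str(kw or 'defaults'):30s} -> {resolve_dll(name, SHARE, **kw)}")
```

The point the model makes: with the default SafeDllSearchMode, a planted copy of a DLL that ships in System32 loses to the real one, so the attack works against DLLs the application probes for but does not ship (optional components, language packs, plug-ins), which is exactly the kind of gap these bulletins close. It also shows the two remedies an application can apply on its own, either loading by fully qualified path or dropping the current directory from the search with SetDllDirectory(""), which the cwd_in_search=False case models. With SafeDllSearchMode disabled, even a DLL present in System32 can be shadowed from the document's folder, which is a good reason to leave that setting alone.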

  • MS11-077: Kernel-mode Driver Code Execution Vulnerabilities

The kernel is the core component of any operating system. Windows ships with a kernel-mode driver, win32k.sys, that implements the kernel side of the Windows graphics and window-management subsystem (GDI and the window manager). This driver suffers from four security vulnerabilities, the worst being a code execution flaw in the way it parses specially crafted font files (.fon). By enticing one of your users to open a specially crafted font file, an attacker could exploit this flaw to gain full control of that user’s computer, regardless of the user’s privileges, since the vulnerable code runs in the kernel.
Microsoft rating: Important.

  • MS11-080: Ancillary Function Driver Privilege Elevation Vulnerability

According to Microsoft, the Ancillary Function Driver (AFD) is a Windows component that supports Windows sockets applications. AFD suffers from an elevation of privilege (EoP) vulnerability due to improper input validation. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need local access to your Windows computers, using valid credentials, in order to run his program. This factor significantly reduces the risk of this flaw, though keep in mind that attackers routinely chain a local EoP flaw like this one with a remote code execution flaw (such as the IE flaws in this month’s cumulative patch) to go from a normal user’s privileges to full control. This flaw only affects XP and Server 2003.
Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.


Due to the complicated, version-dependent nature of .NET Framework updates, we recommend you see the Affected & Non-Affected Software section of Microsoft’s Bulletin for patch details (or let Windows Automatic Updates handle the patch for you).



For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP.

Critical IE Cumulative Patch Closes Eight Code Execution Flaws

Severity: High

11 October, 2011


  • These vulnerabilities affect: All current versions of Internet Explorer (including IE9)
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page, or click a malicious link
  • Impact: In the worst case an attacker can execute code on your user’s computer, gaining control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you


In a security bulletin released today as part of Patch Day, Microsoft describes eight new vulnerabilities in Internet Explorer (IE) 9.0 and earlier versions, running on all current versions of Windows (including Windows 7 and Windows Server 2008). Microsoft rates the aggregate severity of these new flaws as Critical.

The eight vulnerabilities differ technically, but share the same general scope and impact. They’re all remote code execution flaws having to do with how IE handles various HTML objects and elements. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, these remote code execution flaws in IE pose significant risk and allow attackers to launch drive-by download attacks. You should download and install the IE cumulative patch immediately.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.


Microsoft has released patches to fix these vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: Browser Related Issues Can Make Surfing Dangerous

Microsoft has released their security patches and updates for October. If you’re one of the brave few that jump on them as soon as possible, they are ready for the taking (or auto-updating for some).

The theme this month–at least for the Critical rated issues–is web browser related vulnerabilities. Between the eight new vulnerabilities in Internet Explorer (IE), and a .NET Framework/Silverlight flaw, attackers have many new flaws they might target in their Drive-by Download attacks. I recommend you install the IE and .NET/Silverlight updates as soon as you can.

Besides the browser related issues, Microsoft also released updates for the following:

  • Various other components that ship with Windows
  • Microsoft Forefront Unified Access Gateway
  • Host Integration Server

You can learn more about today’s updates in Microsoft’s October summary bulletin. As is normally the case with Microsoft updates, you should probably test the patches before deploying them in your production network — especially the ones that affect server software.

We’ll post more detailed alerts about these Microsoft product vulnerabilities, and how to fix them, very shortly. That said, I likely won’t post an alert about the Microsoft Host Integration Server issue, since I don’t expect many of my readers use it. Nonetheless, if you do use it, you should patch it to correct the DoS vulnerability Microsoft warns that it suffers from. – Corey Nachreiner, CISSP

October’s Microsoft Patch Day to Correct 23 Vulnerabilities

Before running out for the weekend, don’t forget to remind your staff of Microsoft’s upcoming Patch Day. While next week’s Black Tuesday isn’t the largest they’ve ever dropped, it’s no slouch, with eight Security Bulletins. Here’s what you should expect:

  • Four updates for Windows and its components, all rated Important
  • A Critical update for Internet Explorer (IE)
  • A Critical update for the .NET Framework and Silverlight
  • An Important patch to fix a vulnerability in Forefront Unified Access Gateway
  • And finally, an Important bulletin for Microsoft Host Integration Server

You can find a bit more about these upcoming bulletins, including their order of severity, in Microsoft’s  Advanced Notification post for October. As usual, I recommend you try to install these updates as quickly as possible, especially the Critical ones.

I also recommend you test Microsoft patches before deploying them. That said, for desktop clients, I’ve started to relax my “test patches first” recommendation. As far as I have seen, Microsoft has not released a drastically broken client patch, which really adversely affects a desktop user, in quite a long time. On the flip side, research shows that many desktop users are falling behind in their patching, and have suffered for it. For those reasons, you’re probably better off letting desktop clients get auto-updates immediately. However, production servers are still a different story. While it’s still very important for you to patch them quickly, you should not install production server patches without a little testing, especially if they help keep your business running.

I’ll know more about these bulletins on Tuesday, October 11. Check out the WatchGuard Security Center then for the latest update. — Corey Nachreiner, CISSP (@SecAdept)
