Archive | April, 2012

Radio Free Security: April 2012 Episode

Securing Your Servers in The Matrix

Radio Free Security (RFS) is a monthly audio podcast dedicated to spreading knowledge about network and information security, and to keeping busy IT administrators apprised of the latest security threats they face online. Here’s what to expect in April’s episode:

  • April’s Security Spotlight [3:35 – 42:05] – Virtualization, as we know it today, is like The Matrix for operating systems (OS). Your OS thinks it is running on a “real” computer but it is actually in a “faked” environment, under the control of a higher (or should I say hyper) power. While OS virtualization offers many new solutions, it also presents new security challenges. In this month’s episode, I chat with WatchGuard’s Director of Product Management, Roger Klorese, about the history of virtualization, its security implications, and some solutions to those potential problems. We also discuss two upcoming virtual security solutions from WatchGuard.
  • Security Story of the Month [43:00 – 1:23:10] – I join two new co-hosts, Christian and Chris, to discuss April’s biggest security stories. We talk about scary new cyber legislation, a big data breach, and a nasty Mac botnet. Which story should most concern you? Find out during this roundtable discussion.

You can always find the latest episode of Radio Free Security at:

Or just listen to April’s episode using the player below [runtime: 1:25:00].

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 15

Major US Cyber Legislation, VMware Source Code Leak, and Hotmail Hacks

This week’s security news round-up video is full of scary cyber legislation, major network and organization breaches, and a couple of important security updates. If you’re too busy to follow the barrage of security news every day, let WatchGuard’s Security Week in Review video summarize it for you.

Would you rather read? No problem. You’ll find links to all these stories in the reference section.

By the way, this week’s stories continued to develop as I produced this episode. Unfortunately, I had to sneak in a quick video update about the CISPA bill during production. I won’t give it all away, but I can say CISPA is one step closer to reality. Watch below for details. (Episode Runtime: 6:54)

Direct YouTube Link: http://www.youtube.com/watch?v=euZUKfEvZvY

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 14

Oracle CPU Update, Another Mac Trojan, and 20,000 Infected Websites

This week I’ve been traveling in Denmark and Finland, speaking at various security events, which makes this week’s WatchGuard Security Week in Review an “on the road” edition. In this very short episode, I quickly cover this week’s big Oracle Critical Patch Update (CPU), yet another Mac trojan, and a story about Google warning web administrators about web site infections. Check out the video below for the quick highlights.

You’ll find links to the stories in this episode below. Feel free to share thoughts and suggestions in the comments section, and share these videos with your friends. I’ll be back next week with a more regular length episode. (Episode Runtime: 3:50)

Direct YouTube Link: http://www.youtube.com/watch?v=Ss1wKkWqRDI

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Oracle’s April Critical Patch Update Fixes 88 Vulnerabilities

Yesterday, Oracle released their quarterly Critical Patch Update (CPU) for April 2012. Oracle CPUs are collections of security updates, which fix security flaws in the wide range of products Oracle offers. According to their April advisory, this quarter’s CPU fixes 88 vulnerabilities in many of their products, including

  • Oracle Database
  • Oracle Application Server
  • Oracle Identity Manager
  • Oracle JDeveloper
  • Oracle PeopleSoft
  • Oracle MySQL Server
  • and many other products.

For a complete list of the affected Oracle products, see the “Affected Products and Components” section of their advisory.

Oracle’s advisory doesn’t describe every flaw in technical detail. However, it does describe their scope and general impact, and assigns each of them a CVSS severity score. The 88 vulnerabilities differ greatly in their scope and impact, but the worst of them pose a pretty critical risk. For instance, unauthenticated, remote attackers can exploit a few of the Oracle Database vulnerabilities to gain unauthorized access to your database server. The update also includes a critical fix for JRockit, which carries the maximum CVSS score of 10.

If you manage any of the Oracle products listed in their April CPU advisory, I recommend you visit the Patch Availability section of their alert, and download, test and deploy the appropriate updates as soon as you can. — Corey Nachreiner, CISSP (@SecAdept).

WatchGuard Security Week in Review: Episode 13

Flashback Follow-up, Lots of Patches, and MBR Ransomware

In this week’s video, I follow up on Flashback developments, cover the various security updates that came out this week, and warn you about two new interesting malware variants that change their targets or techniques. There’s a lot to learn, so check out this week’s WatchGuard Security Week in Review video below.

For those not interested in video, I share links to all this week’s stories in the Reference section. I had originally intended to cover a few government-related news items in this week’s video, too. However, I decided to cut them due to time. If you’re interested in the new U.S. cyber security act and an interesting new Stuxnet development, I’ve included extra links to those stories as well.

As always, I’d love to hear how to improve these videos, so feel free to leave comments and pass these videos on to your friends and co-workers. (Episode Runtime: 5:57)

Direct YouTube Link: http://www.youtube.com/watch?v=4AXyWowjmeg

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Another OS X Java Update to Mitigate Flashback-like Malware

In two posts [ 1 / 2 ] last week, I warned you about an Apple OS X Java update that fixed a vulnerability attackers were leveraging to spread a Mac trojan called Flashback. According to reports, this botnet trojan infected over 600,000 Mac users.

Today, Apple released yet another OS X Java update, this time designed to remove Flashback infections and to potentially mitigate future Java attacks.

According to Apple’s advisory, Java for OS X Lion 2012-003 configures the Java web plug-in to disable automatic execution of Java applets. This means that if you visit a web page containing malicious (or legitimate) Java code, that code will not run automatically, which can prevent a drive-by download attack. The update does still allow you to manually re-enable automatic Java applet execution. However, if you do so, the plug-in will re-disable it if it detects you haven’t run Java applets for a long period of time.

This update also tries to detect and remove Flashback infections from your computer. It will inform you if it finds and removes an infection, otherwise it will remain silent when installed.

Though I don’t think the 2012-003 Java update is as critical as the first ones (which actually corrected Java vulnerabilities), it can help mitigate future Java-based attacks. If you’re a Mac user, I recommend you install it as soon as you can, or let Apple’s Software Updater do it for you. One note though: at the time of writing, though Apple had released their advisory and email about this update’s availability, I could not locate the update on their download page. I can only assume they either haven’t finished posting it, or have pulled it temporarily for some reason. In any case, I suspect it will show up on their download page, or in their Software Updater, shortly. — Corey Nachreiner, CISSP (@SecAdept)

*nix Administrators Should Patch Samba ASAP

Unless you’re an eagle-eyed, super perceptive Linux administrator, you may have missed the major update the Samba team quietly released during this week’s busy Microsoft and Adobe Patch Day. However, if you use Samba, you’ll want to apply this update post-haste.

If you’re not familiar with it, Samba is the *nix implementation of Microsoft’s SMB protocol, which Windows uses for file and print sharing. If you have Linux systems that access Windows shares (or serve shares to Windows clients), you use Samba.

According to a security advisory, Samba versions 3.0.x through 3.6.3 suffer from a serious security vulnerability involving the way they handle specially crafted RPC calls. By sending maliciously crafted network traffic to a Samba-enabled computer, a remote, unauthenticated attacker can leverage this vulnerability to gain complete control of that machine with root privileges. This is an extremely critical vulnerability since the attacker doesn’t have to authenticate, and gains full privileges on the victim machine.

The only good news is most administrators don’t expose their SMB file shares (ports 137, 138, 139, and 445) to the Internet. If you have a firewall, or one of our XTM appliances, it blocks external attackers from accessing these ports by default. Nonetheless, this serious flaw still poses a very significant internal threat. If you use Samba on any *nix machines, you should download and deploy the appropriate Samba updates immediately. Fixed versions include:

  • 3.6.4
  • 3.5.14
  • 3.4.16

You can find more details about these patches, and where to get them, in the “Patch Availability” section of Samba’s advisory. — Corey Nachreiner, CISSP (@SecAdept)

Update Adobe Reader or Avoid Potentially Malicious PDFs

Summary:

  • This vulnerability affects: Adobe Reader and Acrobat X 10.1.2 and earlier, running on Windows, Mac, and Linux
  • How an attacker exploits it: By enticing your users into viewing maliciously crafted PDF documents
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: Windows users should install Adobe’s Reader and Acrobat X 10.1.3 or 9.5.1 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

Today, Adobe released a security bulletin describing four vulnerabilities in Adobe Reader and Acrobat X 10.1.2 and earlier, running on all supported platforms. Adobe doesn’t describe these flaws in much technical detail, but most of them involve integer overflow and memory corruption issues within Reader and Acrobat components. Despite their technical differences, all four vulnerabilities share a similar scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

If you use Adobe Reader to open PDF documents, you should download and install this Reader update as soon as you can.

Solution Path

Adobe has released Reader and Acrobat X 10.1.3 (and 9.5.1 for legacy users) to fix these vulnerabilities. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

For All WatchGuard Users:

If you choose, you can configure the HTTP, SMTP, and FTP proxies on your WatchGuard appliance to block PDF documents from entering your network, thus mitigating the risk of these issues. However, doing so blocks both legitimate and malicious PDF files. If your organization relies on PDF documents, you may not want to implement this mitigation workaround.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify PDF documents (.pdf):

File Extension:

  • .PDF – Adobe Reader document

MIME types:

  • application/pdf
  • application/x-pdf
  • application/acrobat
  • applications/vnd.pdf
  • text/pdf
  • text/x-pdf

FILExt.com reported Magic Byte Pattern:

  • Hex: 25 50 44 46 2D 31 2E
  • ASCII: %PDF-1

If you do decide you want to block PDF files, the links below contain instructions that will help you configure your WatchGuard appliance’s content blocking features using the file and MIME information listed above. Also, our Gateway Antivirus (GAV) service does scan PDF files for malware. In many cases, simply enabling our GAV service can protect you from some PDF-based malware.

Status:

Adobe has released patches to correct these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Windows Updates Fix .NET Framework and Authenticode Flaws

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and its optional .NET Framework component
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into running specially crafted executable files or visiting web sites with malicious content
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing vulnerabilities that affect Windows and its optional .NET Framework component. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-024: Windows Authenticode Signature Verification Vulnerability

Windows contains Authenticode technology, which is a digital certificate-based code signing implementation designed to allow you and the operating system to verify the integrity and reputation of software. It works on the premise that if you download software signed by a vendor, say WatchGuard, and that software passes Windows’ Authenticode validation, then you can trust the software really comes from WatchGuard and hasn’t been modified in any way.

However, this bulletin describes a flaw in the way the Windows Authenticode Signature Validation function (WinVerifyTrust) checks Portable Executable (PE) files. In short, an attacker can create a specially crafted PE file that passes Windows’ Authenticode validation even after the attacker has maliciously modified the executable. If an attacker can get one of your users to download and run such an executable file, he could exploit this flaw to gain access to that user’s computer, with that user’s privileges. If the user has local administrator privileges, the attacker gains full control of the computer. The good news is, most users are very suspicious of unsolicited executable files they receive via email or the web. Hopefully, your users already know not to handle these sorts of unsolicited files. However, this flaw specifically bypasses a mechanism Microsoft uses to help users validate the reputation of files, so smart attackers could leverage it to help convince users to run executables they otherwise wouldn’t have. We recommend you patch this vulnerability as quickly as possible.

Microsoft rating: Critical

  • MS12-025: .NET Framework Remote Code Execution Vulnerability

The .NET Framework is a software framework used by developers to create new Windows and web applications. The .NET Framework suffers from a code execution vulnerability, due to its inability to properly validate certain parameters passed to a particular function. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage this to gain full control of their computers. This flaw can also affect web servers and sites that use .NET Framework elements, as well as any custom .NET-based programs, which you might develop and run in house. In short, if you’ve installed the .NET Framework on your servers or clients, you should update them.

Microsoft rating: Critical

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run an executable file locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, many of WatchGuard’s proxy policies block executable files by default. This often prevents your users from accessing potentially malicious executable files found on the Internet. Using our proxy policies with these default settings will help mitigate the risk of your users gaining access to malicious executables that leverage these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


Multiple Office Security Updates: One Affects Other Server Products

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office, Works, SQL Server, BizTalk Server 2002, Commerce Server, Visual FoxPro, and Visual Basic 6.0 Runtime
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web site or link, and enticing them to open malicious Works files
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft Updates immediately, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two Office-related security bulletins describing vulnerabilities found in Microsoft Office, and other productivity-related software. They rate one of the updates as Critical and the other as Important. Besides affecting Office, the Critical update also affects:

  • SQL Server (most versions)
  • BizTalk Server 2002
  • Commerce Server (all versions)
  • Visual FoxPro
  • Visual Basic Runtime

We summarize the two bulletins below:

  • MS12-027: Common Controls Remote Code Execution Vulnerability

Office (and many other Microsoft products listed above) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Three of the controls in this ActiveX library suffer from an unspecified remote code execution vulnerability. By enticing one of your users to visit a malicious web page, or into clicking a specially crafted link, an attacker could exploit the flaw in these controls to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of his machine. Microsoft’s update sets the kill bit for the vulnerable ActiveX controls. According to Microsoft, attackers are exploiting this vulnerability in the wild, in “limited targeted” attacks. This significantly increases the risk of this already serious vulnerability. You should apply this update immediately.

Microsoft rating: Critical.

  • MS12-028: Works Converter Document Parsing Vulnerability

Microsoft Works is a light-weight office productivity package similar to Microsoft Office, though with fewer features and capabilities. Microsoft Office and newer versions of Works ship with a Works converter component, which allows these products to open various Works documents. This Works converter suffers from a vulnerability involving the way it validates and parses Works .wps files. If an attacker can entice one of your users into downloading and opening a maliciously crafted .wps document, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects Office 2007 w/SP2 and Works 9.

Microsoft rating: Important

Solution Path

Microsoft has released many product updates that correct these vulnerabilities. If you use any of the software mentioned in this alert, you should download, test, and deploy the appropriate patches as quickly as possible, or let Windows Update automatically install them for you.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

If you choose, you can configure the HTTP, SMTP, and FTP proxies on your XTM appliance to block Microsoft Works documents from entering your network, thus mitigating the risk of one of these issues. Keep in mind, doing so blocks both legitimate and malicious Works files. If your business regularly transfers Works files outside your network, you may not want to block them with our appliance.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify the affected Works document (.wps):

File Extensions:

  • .wps – Works document

MIME types:

  • application/vnd.ms-works
  • application/x-msworks-wp
  • zz-application/zz-winassoc-wps

FILExt.com reported Magic Byte Pattern:

  • Hex: D0 CF 11 E0 A1 B1 1A E1 00

If you do decide you want to block Works files, the links below contain instructions that will help you configure your WatchGuard appliance’s content blocking features using the file and MIME information listed above.
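The following is an added example (not WatchGuard’s proxy code) showing how the three identification methods from this alert and the Adobe Reader alert above work together: the extensions, MIME types and magic bytes are the values listed in those alerts, while the policy function and sample files are constructed. It also shows why the nine Works bytes need a second check: they are the OLE2 compound-document header that legacy Word and Excel files share, so a magic-only Works rule either lets a renamed .wps through or blocks every legacy Office file.

```python
import os

# Identification data copied from the two alerts above. The policy logic is an
# assumption about how a content filter combines the checks, not vendor code.
SIGNATURES = {
    "pdf": {
        "ext": {".pdf"},
        "mime": {"application/pdf", "application/x-pdf", "application/acrobat",
                 "applications/vnd.pdf", "text/pdf", "text/x-pdf"},
        "magic": bytes.fromhex("255044462D312E"),   # "%PDF-1."
        "magic_unique": True,
    },
    "wps": {
        "ext": {".wps"},
        "mime": {"application/vnd.ms-works", "application/x-msworks-wp",
                 "zz-application/zz-winassoc-wps"},
        # OLE2 compound-document header, also the start of legacy .doc/.xls
        # files, so on its own it does not prove the file is a Works document.
        "magic": bytes.fromhex("D0CF11E0A1B11AE100"),
        "magic_unique": False,
    },
}


def declared_types(filename, content_type):
    """Types claimed by untrusted metadata: the file name and the MIME type."""
    ext = os.path.splitext(filename)[1].lower()
    mime = (content_type or "").split(";")[0].strip().lower()
    return {k for k, s in SIGNATURES.items() if ext in s["ext"] or mime in s["mime"]}


def magic_types(body):
    """Types whose magic bytes open the body; renaming the file cannot change this."""
    return {k for k, s in SIGNATURES.items() if body.startswith(s["magic"])}


def decide(filename, content_type, body, blocked=("pdf", "wps"), block_any_ole=False):
    """Return ("block" | "allow", reason) for one file crossing the proxy.

    Either check alone is enough to block: a declared PDF is blocked even if the
    body is not one, and a PDF renamed to .txt still starts with %PDF-1.
    """
    declared = declared_types(filename, content_type)
    actual = magic_types(body)
    ambiguous = None
    for kind in blocked:
        if kind in declared:
            return "block", f"name or MIME type declares a {kind} file"
        if kind in actual:
            if SIGNATURES[kind]["magic_unique"] or block_any_ole:
                return "block", f"magic bytes identify a {kind} file"
            ambiguous = kind  # OLE header without a Works name or MIME type
    if ambiguous:
        return "allow", f"OLE header but not declared as {ambiguous}; block_any_ole closes this gap"
    return "allow", "no blocked type matched"


# Constructed sample files: only the leading bytes matter to these checks.
OLE_HEADER = bytes.fromhex("D0CF11E0A1B11AE100") + b"\x00" * 23
SAMPLES = [
    ("report.pdf", "application/pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("notes.txt", "text/plain", b"%PDF-1.5\n"),            # renamed PDF, caught by magic
    ("letter.wps", "application/octet-stream", OLE_HEADER),  # caught by extension
    ("budget.xls", "application/vnd.ms-excel", OLE_HEADER),  # same header, not Works
    ("readme.txt", "text/plain", b"plain text\n"),
]

if __name__ == "__main__":
    for name, mime, body in SAMPLES:
        print(f"{name:12} {' '.join(decide(name, mime, body))}")
```

Running it prints a block decision for the first three samples and an allow for the last two; pass block_any_ole=True to trade the legacy Office false positives for coverage of renamed Works files.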

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).