Archive | June, 2012

WatchGuard Security Week in Review: Episode 24

Malware-Possessed Printers, Apple Embraces Security, and Automated Bank Heists

Compared to the last few months, this week seems relatively quiet as far as security stories are concerned. We saw some security incidents this week, but nothing that would catch your hair on fire.

Today’s weekly summary highlights an older trojan that is causing new problems for network printers, an organized bank malware campaign targeting high rollers, and even some good news about computer attacker arrests and prosecutions. For the full scoop, hit the play button below.

As always, I’ve included a reference section at the end of this post, if you’d prefer reading these stories. Thanks for watching.

UPDATE: A late breaking Mac virus made the week a bit more interesting late Friday. Check out the story in the Reference links below.

(Episode Runtime: 8:29)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Releases v3.1.3 for SSL 100 and 560 Appliances

WatchGuard is pleased to announce the release of WatchGuard SSL OS v3.1.3 for the WatchGuard SSL 100 and SSL 560.

WatchGuard SSL OS v3.1.3 is primarily a maintenance release designed to increase the stability of your SSL VPN appliance, and to make improvements to the product based on customer feedback. It contains many enhancements and bug fixes. Some highlights from the release include:

  • Japanese language client support and improved support for double-byte characters
  • Improved performance and reliability for SSL tunnels
  • Enhancements to end-point security assessment (supports additional antivirus products)
  • New User Policy Analysis and User Audit reports
  • Adds option to resolve the SSL/TLS renegotiation DoS vulnerability (CVE-2011-1473)
  • Improved support for Google Chrome and Opera browsers
  • Many Access Client improvements
  • … and many other fixes — please see the Release Notes for complete details.

If you’re an SSL 100 or 560 appliance owner with an active LiveSecurity subscription, you can upgrade to SSL OS v3.1.3 free of charge.

Does This Release Pertain to Me?

SSL OS v3.1.3 is a scheduled maintenance release. If you have an SSL 100 or 560 appliance, and wish to take advantage of any of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to v3.1.3. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

WatchGuard SSL 100 and 560 owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles and Support section of WatchGuard’s Support Center, which also includes clear installation instructions. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

WatchGuard Security Week in Review: Episode 23

Wild Exploit, AutoCAD Malware, and a Hacking Demo

Did you apply Microsoft’s patches and Fixit last week? If not, this week’s news (and attack demo) ought to convince you to jump on those important updates right away.

Today’s episode warns of attackers actively targeting two of Microsoft’s vulnerabilities from last week, a new malware sample that specifically steals AutoCAD diagrams and blueprints, and a trio of Cisco security advisories fixing vulnerabilities in their security and VPN products. For the curious and technically inclined, I’ve even included an attack demo showing how easy it is for script kiddies to exploit the Microsoft XML Core Services vulnerability using Metasploit. If you want to see a drive-by download in action, and get a few Metasploit tips along the way, check out this week’s episode below.

If video’s not your thing, you can also find links to all this week’s stories in the Reference section. Don’t forget to leave feedback, suggestions, or questions in the comment section if you have anything to share. See you next week and have a great weekend.

(Episode Runtime: 13:00)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 22

Lots of Software Updates and Security Patches.

The theme of this week’s security summary is software updates.

Microsoft’s Patch Day falls on the second Tuesday of the month, and many others follow Microsoft, releasing their own security updates during the same day or week. This week, we saw updates to fix security vulnerabilities in Microsoft, Adobe, Oracle, Apple, and VMware products. We even saw an emergency workaround to fix a serious zero day vulnerability in Microsoft’s XML Core Services.

Besides the software patches, this week’s video also highlights a few new Flame-related updates, and a warning about Father’s Day-related malware campaigns. Watch the video below to learn the details.

As usual, if you don’t like videos, or want to dive into the details of each of these stories, make sure to check out the Reference section below. Thanks for watching, and if you have any comments, feedback, or questions, leave them in the comments section below.

(Episode Runtime: 13:49)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Warns of Zeroday XML Core Services Vulnerability

During their already busy Patch Day, Microsoft snuck out a security advisory warning their customers that attackers are exploiting a previously undiscovered vulnerability in XML Core Services to launch drive-by download attacks in the wild.

Microsoft’s XML Core Services (MSXML) is basically a component that helps Windows, Internet Explorer, and other Microsoft products to handle XML content. XML Core Services ships with various versions of Windows, and many other Microsoft products. If you have a Windows computer, you probably have XML Core Services installed.

According to the security advisory, XML Core Services suffers from an unpatched memory corruption vulnerability, which attackers can exploit to execute code on your machine. The attacker only has to lure you to a web site containing maliciously crafted code for his attack to succeed.

Since Microsoft first learned of this vulnerability through actual attacks in the wild, they haven’t had time to create and release a full patch yet. However, they have released what they call a “Fixit“, which is supposed to block this particular attack vector. If you manage a Microsoft network, I recommend you apply this Fixit on your Windows machines.

I’ll be sure to update you when Microsoft releases the real patch in the weeks or months to come. — Corey Nachreiner, CISSP (@SecAdept)

Less Severe Flaws affect Two Lesser-known Microsoft Products

Do you use, or have you even heard of, Microsoft’s Lync or Dynamics AX Enterprise Portal? If so, you should go patch.

Along with the other Patch Day bulletins, Microsoft released updates for two products which I suspect only limited audiences know about. Nonetheless, if you use either of these products, you will want to install Microsoft’s security updates for them at your earliest convenience.

The first update is a security patch for Microsoft Lync. Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator, which I think most people have heard of. Being so new, I don’t think many organizations have moved to Lync yet, but it surely will become more popular as people move away from Communicator.

In any case, Lync suffers from four security vulnerabilities, the worst involving how it handles specially crafted TrueType fonts. By enticing you to open content containing a malicious TrueType font in Lync, an attacker can exploit this flaw to execute code on your machine, with your privileges. If you have local administrative privilege, as most Windows users do, the attacker gains full control of your machine. If you are an early adopter of Microsoft’s Lync, be sure to apply its updates found in the “Affected and Non-Affected Software” section of Microsoft’s bulletin.

The second update for lesser-known Microsoft software affects their Dynamics AX Enterprise Portal. Apparently, Dynamics AX is one of Microsoft’s enterprise resource planning (ERP) solutions, and the Enterprise Portal is a web-based application to interact with Dynamics AX. Unfortunately, the web portal suffers from a cross-site scripting (XSS) flaw, which attackers could leverage to gain access to your portal with the same privilege as one of your users, thus potentially gaining access to sensitive corporate data. If you use Dynamics AX, make sure to apply Microsoft’s update.

To conclude, though I suspect less of you use these relatively new Microsoft products, you should definitely check out today’s bulletins for them, and apply the appropriate updates if you do. — Corey Nachreiner, CISSP (@SecAdept)

Four Windows Bulletins Fix RDP, .NET Framework, and Kernel Flaws

Severity: High


  • These vulnerabilities affect: All current versions of Windows and its optional .NET Framework component.
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets or enticing your users to web sites with malicious content
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.


Today, Microsoft released four security bulletins describing nine vulnerabilities affecting Windows and components that ship with it, including its optional .NET Framework component. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates, especially the critical ones, as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-036: RDP Remote Code Execution Vulnerability

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network to directly control your desktop. Windows Terminal Servers also use the RDP protocol to allow many remote users to share one machine.

Unfortunately, the RDP component that ships with all versions of Windows suffers from a serious security vulnerability having to do with how it handles specially crafted sequences of packets (similar to a flaw described in March). By sending a sequence of such packets to a computer running the RDP service, an attacker could exploit this flaw to gain complete control of that computer.

Luckily, the RDP service is not enabled by default on Windows systems. You are only vulnerable to this issue if you have specifically enabled RDP connections. That said, many companies manage Windows Terminal Servers, which do enable RDP services. Windows’ Remote Assistance and Remote Web Workplace features also expose RDP. If you manage any workstations or servers using RDP, we highly recommend you apply the RDP patch immediately.

Microsoft rating: Critical

  • MS12-038: .NET Framework Remote Code Execution Vulnerability

The .NET Framework is a software framework used by developers to create new Windows and web applications. The .NET Framework component suffers from a code execution flaw, which has to do with how it handles specially crafted XAML Browser Applications (XBAP). If an attacker can entice a user who’s installed the .NET Framework to a web site containing malicious XBAP, she can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage this flaw to gain full control of their computers. This flaw may also affect custom .NET Framework-based programs, which you might develop and run in-house.

Microsoft rating: Critical

  • MS12-041 and MS12-042: Kernel & Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level.

Microsoft released two bulletins today, describing seven local elevation of privilege flaws that affect either the kernel or the kernel-mode driver component. Though these seven flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage any of these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computer using valid credentials – even if only with “Guest” user access. The requirement for local access significantly lessens the severity of these flaws.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run executable files locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, WatchGuard’s firewalls and XTM security appliances can mitigate the risk of many of these flaws. For instance, our appliances mitigate the risk of the Windows RDP vulnerability by blocking external access to the RDP ports (TCP ports 3389 and 4125). As long as you haven’t specifically allowed RDP, our default setting will prevent Internet-based attackers from exploiting the RDP vulnerability described above.
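The two RDP points above (you are only exposed if RDP is enabled and reachable, and the appliance’s default policy blocks TCP 3389 and 4125 from outside) can be verified from firewall logs rather than taken on trust. The following is an added Python example, not WatchGuard’s own code or a feature of its appliances; it assumes a constructed log line format (timestamp, action, protocol, source, destination) and treats the RFC 1918 ranges plus loopback as internal. It flags every allowed inbound TCP flow to 3389 or 4125 whose source is anything else, which is exactly the condition the alert says the default policy should never permit.

```python
"""Flag allowed inbound RDP flows from external addresses in firewall logs.

Added example, not WatchGuard code. The log format is an assumption for
illustration; adapt LOG_RE to whatever your appliance actually emits.
"""
import ipaddress
import re
from collections import Counter

# Ports the alert names as RDP-related (TCP 3389 and 4125).
RDP_PORTS = {3389, 4125}

# Address ranges treated as "internal" for this check (RFC 1918 + loopback).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed log format (assumption, not any vendor's real format):
#   <timestamp> <allow|deny> proto=<proto> src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines: one internal RDP session, one external allowed
# session to 3389, one external denied, one external allowed to 4125, one UDP
# (not RDP), one unrelated HTTPS flow, and one unparseable line.
SAMPLE_LOGS = """\
2012-06-12T10:01:02Z allow proto=tcp src=192.168.1.20:51234 dst=192.168.1.5:3389
2012-06-12T10:01:05Z allow proto=tcp src=203.0.113.7:40001 dst=192.168.1.5:3389
2012-06-12T10:01:09Z deny proto=tcp src=198.51.100.9:40002 dst=192.168.1.5:3389
2012-06-12T10:02:11Z allow proto=tcp src=203.0.113.7:40003 dst=192.168.1.9:4125
2012-06-12T10:02:20Z allow proto=udp src=203.0.113.7:40004 dst=192.168.1.9:3389
2012-06-12T10:03:00Z allow proto=tcp src=10.0.0.4:40005 dst=192.168.1.5:443
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip_text):
    """True when the address is outside every range in INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_rdp(log_text):
    """Return (hits, per_host): allowed TCP flows to RDP ports from external
    sources, and a Counter of how many each internal host:port received."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        if rec["action"] != "allow" or rec["proto"] != "tcp":
            continue  # denied flows and non-TCP traffic are not RDP exposure
        if rec["dport"] in RDP_PORTS and is_external(rec["src"]):
            hits.append(rec)
    per_host = Counter(f'{h["dst"]}:{h["dport"]}' for h in hits)
    return hits, per_host


if __name__ == "__main__":
    hits, per_host = find_exposed_rdp(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["ts"]} external {h["src"]} reached {h["dst"]}:{h["dport"]}')
    for host, n in per_host.items():
        print(f"{host}: {n} externally sourced RDP flow(s) allowed")
```

Any host that appears in `per_host` has RDP reachable from outside the perimeter, so it needs the MS12-036 patch first, and the policy that allowed the flow should be reviewed. A denied line, as in the third sample entry, is the default-policy behaviour the alert describes and is deliberately not reported.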

Furthermore, our XTM appliance’s security services, including Gateway Antivirus (GAV) and Intrusion Prevention Service, can also help protect you. For instance, our GAV service will block much of the malware attackers try to deliver when exploiting these sorts of software vulnerabilities.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at

Cumulative Patch Plugs 13 Internet Explorer Vulnerabilities

Severity: High


  • This vulnerability affects: All current versions of Internet Explorer, running on all current versions of Windows
  • How an attacker exploits it: Typically, by enticing one of your users to visit a malicious web page
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you


In a security bulletin released today as part of Patch Day, Microsoft describes 13 new vulnerabilities in Internet Explorer (IE) 9.0 and earlier, running on all current versions of Windows. Microsoft rates the aggregate severity of these new flaws as Critical.

The 13 vulnerabilities differ technically, but many of them share the same general scope and impact. More than half the flaws are remote code execution vulnerabilities having to do with how IE handles various HTML objects, elements, and properties. If an attacker can lure one of your users to a web page containing malicious code, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

The remaining issues include less severe cross-site scripting (XSS) flaws and information disclosure vulnerabilities.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, the remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Furthermore, attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws can affect you no matter what types of web sites you frequent on the Internet. If you use IE, you should download and install the cumulative update immediately.

Solution Path:

These updates fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

That said, WatchGuard’s Gateway Antivirus and Intrusion Prevention Service can often prevent these sorts of attacks, or the malware they try to distribute. We highly recommend you enable our security services on your WatchGuard XTM and XCS appliances.


Microsoft has released patches to fix these vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: Another Critical RDP Update

If you manage or run Microsoft products, it’s time to patch; especially if you use Remote Desktop and expose it outside your network.

Microsoft has posted their June security bulletin summary, which describes seven security bulletins fixing 27 vulnerabilities in many of their products, including:

  • Windows
  • Internet Explorer (IE)
  • .NET Framework
  • Microsoft Lync (and Communicator 2007)
  • Microsoft Dynamics AX Enterprise Portal

They rate three of these bulletins as Critical, which typically means remote attackers can exploit them to gain control of affected computers.

The Remote Desktop Protocol (RDP) bulletin and Internet Explorer cumulative patch seem the most concerning to me. RDP is a very popular service, which some users and administrators enable externally. Today’s RDP update fixes a serious vulnerability that remote attackers could leverage to gain full control of your RDP servers. It’s similar in scope to another serious RDP flaw Microsoft fixed in March. If you manage RDP-enabled machines, I’d apply this update quickly.

The IE patch fixes 13 security flaws in the popular web browser. Many of the vulnerabilities allow for code execution, meaning attackers could exploit them to launch drive-by download attacks. Since almost all Microsoft users run IE, and attackers have increasingly leveraged web attacks to spread malware, I’d consider this the most important update, and apply it first. You can apply the other updates in the order suggested by Microsoft’s summary post.

I’ll share more details about these issues, and how to fix them, in consolidated LiveSecurity alerts I’ll post here shortly. Since I suspect only a few administrators use Lync and the Dynamics AX Enterprise Portal, I probably will only describe those updates in a short blog post, later. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 21

Huge LinkedIn Password Leak, Flame Updates, and Microsoft Patch Day

Need a quick video summary of the biggest security stories of the week? Well, you’ve come to the right place.

This week’s news includes interesting new analysis of the Flame worm, a major LinkedIn password leak, and some information about new software updates, including Microsoft’s upcoming Patch Day. Check out the video below for all the details, or follow the links in the Reference section if you prefer to read.

By the way, I apologize that this week’s episode is coming out later in the afternoon than normal. I finished it early this morning, but my hotel network severely limited my upload speed, which delayed this video post.

(Episode Runtime: 10:45)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)
