WatchGuard Security Week in Review: Episode 23

Wild Exploit, AutoCAD Malware, and a Hacking Demo

Did you apply Microsoft’s patches and Fixit last week? If not, this week’s news (and attack demo) ought to convince you to jump on those important updates right away.

Today’s episode warns of attackers actively targeting two of Microsoft’s vulnerabilities from last week, a new malware sample that specifically steals AutoCAD diagrams and blueprints, and a trio of Cisco security advisories fixing vulnerabilities in their security and VPN products. For the curious and technically inclined, I’ve even included an attack demo showing how easy it is for script kiddies to exploit the Microsoft XML Core Services vulnerability using Metasploit. If you want to see a drive-by download in action, and get a few Metasploit tips along the way, check out this week’s episode below.

If video’s not your thing, you can also find links to all this week’s stories in the Reference section. Don’t forget to leave feedback, suggestions, or questions in the comment section if you have anything to share. See you next week and have a great weekend.

(Episode Runtime: 13:00)

Direct YouTube Link: http://www.youtube.com/watch?v=rWGE7i-AIU4

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

10 Responses to “WatchGuard Security Week in Review: Episode 23”

  1. Does the WatchGuard IPS protect against the XML vulnerability?

    • Corey Nachreiner, June 26, 2012 at 1:37 pm

      Rob,

      Yes. We have signatures for both the XML Core Services vulns, and for the IE Same_ID vuln. We got the signatures shortly after Patch Day. If you have updated to signature set 4.208, you can go to FSM, and show signatures, then search for MSXML or for “Same ID”, and you will find the signatures in question.

      Also, though I didn’t have time before the weekly video, I have since done that same Metasploit attack with an XTMv appliance between the attacker and victim. Our XTM appliance blocks the attack multiple ways. First we catch the malicious Javascript Metasploit uses with GAV. But also, our IPS triggers for Malicious Javascript too… We don’t even really need the XML signature necessarily, since we detect the evil Javascript used to launch this web-based attack.

  2. When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get several emails with the same comment. Is there any way you can remove people from that service?

    Thanks a lot!

Trackbacks/Pingbacks

  1. Attackers Exploit Serious Zero Day Internet Explorer Vulnerability | WatchGuard Security Center - September 18, 2012

    […] Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. EMET is a fairly complex tool, so I only recommend it to more advanced administrators. […]

  2. IE 0day Update: Microsoft Releases a FixIt Patch | WatchGuard Security Center - September 20, 2012

  3. IE 0day Update: Microsoft Releases a FixIt Patch « microreksa - September 21, 2012

  4. Install IE FixIT to Avoid Zero Day Attack | WatchGuard Security Center - September 17, 2013

  5. Install IE FixIT to Avoid Zero Day Attack - September 27, 2013

  6. Attackers Exploit Serious Zero Day Internet Explorer Vulnerability - Arlington, Fort Worth, Dallas | Marjen Technology Group - October 5, 2015

  7. IE 0day Update: Microsoft Releases a FixIt Patch - Arlington, Fort Worth, Dallas | Marjen Technology Group - October 5, 2015
