Archive | July, 2012

WatchGuard Security Week in Review: Episode 27

Blackhat 2012 Edition

Blackhat Vegas and Defcon are arguably two of the biggest security conferences of the year, where thousands of CSOs, security administrators, and hackers get together to share the latest attack and defense techniques. Blackhat wrapped up last night, and Defcon starts today.

During this week’s security recap, I highlight some of the briefings I attended at Blackhat this year. Topics include strike back, NFC attacks, iOS security, and a zero day consumer router exploit. Of course, other security news doesn’t stop just because of Blackhat, so I also cover the normal big security stories this week, including a new OS X trojan, another password breach, and an Anonymous strike on Australian ISPs. Watch the YouTube video below for complete details.

Since I’m reporting first hand from the Blackhat conference, I can’t provide reference links to the Blackhat stories. You’ll have to check out the video for those details. However, if you’re interested in more information about the non-Blackhat stories, see the Reference section below. As always, feel free to drop us a comment or suggestion at the end of this post.

(Episode Runtime: 15:41)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Text Version

As you probably noticed, I did not post a WatchGuard Security Week in Review episode this week. An extremely busy travel schedule, and a day off to run a long distance race with the WatchGuard team, made it impossible for me to record and produce my weekly video. But don’t worry… The weekly security recap video will return next week with a special episode.

I am attending the Blackhat Vegas security conference next week. Blackhat Vegas and Defcon (which falls on the same week) are two of the biggest security conferences of the year. Security researchers often disclose major breaking research and vulnerabilities during these exciting shows. You can look forward to an “on the road” edition of my weekly video next Friday, and it’ll likely include some big stories from Blackhat.

In the meantime, I won’t leave you hanging for your weekly security news fix. Below, you’ll find a bulleted-list, which quickly summarizes many of this week’s most interesting security stories. See you next week.

  • Oracle Quarterly Patch Day, July 2012 – On Tuesday, Oracle posted their quarterly patch update for July. They fixed 87 security vulnerabilities in many of their popular products. If you use Oracle software, you should check their CPU advisory and apply the necessary updates.
  • Rumored Android botnet may just be Yahoo MitM attack – Last week’s video warned you about a potential new botnet that might affect Android devices. Microsoft and others noticed spam coming from Android devices via Yahoo, and thought an Android botnet may be involved. It turns out these emails may be the result of a Man-in-the-Middle (MitM) attack on Yahoo email from public hotspots.
  • Android 4.1 Harder to Hack – Various researchers have pointed out that Google’s upcoming Android Jelly Bean update (4.1) will make Android devices harder to hack. This new version implements OS memory protection features like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to make memory corruption flaws, such as buffer overflows, harder to exploit.
  • Anonymous is targeting Oil Companies in the Arctic – Anonymous has pointed their guns at oil companies drilling in the Arctic, such as Exxon and Shell. So far they have stolen a bunch of email account credentials.
  • Possible Dropbox breach – Many Dropbox users have complained about spam to their Dropbox accounts, which has the company investigating for a potential network breach. Little else is known yet, but I’ll update you if they find anything relevant.
  • Facebook photo tag spam – Attackers are spamming out a new malware campaign on Facebook. It arrives as a message saying someone has tagged a photo of you on Facebook. If you interact with it, it tries to install malware on your computer. Be wary of any unusual Facebook photo tagging messages.
  • DHS warns of ICS vulnerabilities – The US Department of Homeland Security has warned of vulnerabilities in a popular Industrial Control System (ICS) application called Niagara. If you work at an organization that uses this software, you need to implement the recommended workarounds (see this article).
  • Grum botnet partially disabled – Researchers and authorities have shut down two of the Command and Control (C&C) servers used by a huge botnet called Grum. The botnet still has two other C&C servers to fall back on, but hasn’t done so yet. This takedown has significantly lessened email spam; however, botherders often just rebuild their zombie networks, so I wouldn’t expect the spam decrease to last for long.
  • IT Wall Street data breach – Attackers claimed to have gained access to 50,000 user records from the IT Wall Street web site. If you use this site, you should change your password, and monitor your accounts for identity fraud.

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 26

Multi-platform Malware, MS Gadget Flaw, and More Password Leaks

No time to follow the security news this week? Let my weekly video fill you in.

Today’s episode includes all the software updates for the week (e.g. Microsoft Patch Day), two more vendor password leaks, some interesting Android and multi-platform malware, and an unpatched Microsoft Gadget vulnerability.

This week was so news-packed that I couldn’t cover every interesting or important security story in the video. If you want to check out the stories I skipped, or just prefer reading over watching, scroll down to the Reference section below for links to this week’s stories.

Finally, feel free to share your security tips, favorite security stories, or any other feedback in the comment section.

Production Note: Unfortunately, I felt like I had every post production problem possible this week. A cord issue killed my audio, and forced me to re-record many segments, so please excuse the slight difference in audio during the video. I’m also posting this late since I had a software crash that forced me to re-edit half the video. The joy of modern technology, eh?

(Episode Runtime: 9:59)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Office Patches Mend SharePoint, Visual Basic, and Mac Specific Flaws

Severity: Medium


  • These vulnerabilities affect: Microsoft Office (for PC and Mac), the SharePoint suite of products, and Visual Basic
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting web sites with malicious content
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.


Today, Microsoft released three Office-related security bulletins describing eight vulnerabilities found in various Office and Office-related packages including the SharePoint suite of products, Office for Mac, and Visual Basic. We summarize the bulletins below:

  • MS12-046: VBA Insecure Library Loading Vulnerability 

Microsoft Visual Basic for Applications (VBA) is a development platform that ships with Office, and helps you create new applications that integrate with existing Office applications and data systems. It suffers from a Dynamic Link Library (DLL) loading class vulnerability, which we’ve described in many previous Microsoft alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location as a maliciously crafted DLL file. If you open the booby-trapped file, it executes code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. In this particular case, the vulnerability is triggered by opening Office documents, such as .docx or .xlsx.

Microsoft rating: Important
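
As an added illustration (not part of WatchGuard’s alert), this PowerShell script audits a host for the conditions this class of flaw relies on: it reads the CWDIllegalInDllSearch and SafeDllSearchMode registry values Microsoft documents for hardening the DLL search order (KB2264107), and it flags any DLL sitting in the same folder as Office documents under the user’s profile. The folders scanned, the document extensions, and the report layout are the script’s own assumptions.

```powershell
# Added example, not code from the WatchGuard alert or from Microsoft.
# Two defender-side checks for the DLL-preloading class of flaw:
#  1. Is the system-wide DLL search order hardened (CWDIllegalInDllSearch,
#     documented in Microsoft KB2264107, and SafeDllSearchMode)?
#  2. Do user folders contain DLLs next to Office documents, the "same
#     location" layout the attack class depends on?
# Assumption: the folder list and document extensions below are this
# script's own choices, not values from the alert.

$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-DllSearchHardening {
    $props = Get-ItemProperty -Path $SessionMgr -ErrorAction SilentlyContinue
    $cwd  = $props.CWDIllegalInDllSearch
    $safe = $props.SafeDllSearchMode
    [pscustomobject]@{
        # 0xFFFFFFFF removes the current directory from the search path;
        # 2 blocks loads when the CWD is a remote share or WebDAV location;
        # 1 blocks WebDAV only; absent means the CWD is still searched.
        CWDIllegalInDllSearch = if ($null -eq $cwd) { 'not set (CWD is searched)' } else { '0x{0:X}' -f $cwd }
        # SafeDllSearchMode is on by default on supported Windows; 0 disables it.
        SafeDllSearchMode     = if ($null -eq $safe) { 'not set (default: enabled)' } else { $safe }
    }
}

function Find-DllBesideDocuments {
    param(
        [string[]]$Folders = @("$env:USERPROFILE\Downloads",
                               "$env:USERPROFILE\Desktop",
                               "$env:USERPROFILE\Documents"),
        [string[]]$DocExtensions = @('.docx', '.xlsx', '.pptx', '.doc', '.xls', '.ppt')
    )
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        # Group by directory so a DLL is only paired with documents that
        # share its folder, which is the condition described in the alert.
        Get-ChildItem -LiteralPath $folder -Recurse -File -ErrorAction SilentlyContinue |
            Group-Object -Property DirectoryName |
            ForEach-Object {
                $dir  = $_.Name
                $dlls = $_.Group | Where-Object { $_.Extension -ieq '.dll' }
                $docs = $_.Group | Where-Object { $DocExtensions -contains $_.Extension.ToLower() }
                if ($dlls -and $docs) {
                    foreach ($dll in $dlls) {
                        [pscustomobject]@{
                            Directory = $dir
                            Dll       = $dll.Name
                            # Unsigned or invalid signatures deserve a closer look.
                            Signed    = (Get-AuthenticodeSignature -FilePath $dll.FullName).Status
                            Documents = ($docs.Name -join ', ')
                        }
                    }
                }
            }
    }
}

Get-DllSearchHardening | Format-List
Find-DllBesideDocuments | Format-Table -AutoSize
```

A finding is not proof of compromise; legitimate installers occasionally drop DLLs in user folders, so review flagged files before removing them.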

  • MS12-050: Multiple SharePoint Vulnerabilities

SharePoint is Microsoft’s web and document collaboration and management platform. SharePoint, and other related packages, suffer from six new security flaws, including three Cross-Site Scripting vulnerabilities (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to visit a malicious web page or into clicking a specially crafted link, an attacker could exploit any of the three XSS flaws to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could. The remaining issues include two information disclosure flaws and a URL redirection vulnerability attackers could leverage in spoofing attacks. See the “Vulnerability Information” section of the bulletin for more details.

Microsoft rating: Important

  • MS12-051: Office for Mac Elevation of Privilege Flaw

Office for Mac 2011 (the Apple OS X version of Microsoft’s productivity software) suffers from a vulnerability involving the way it sets folder permissions. If an attacker can gain physical access to your computer, plant a malicious executable in an Office folder, and then entice you to run it, the executable launches with your elevated privileges. Of course, if an attacker already has enough access to your computer to do all this, you already have significant problems. This flaw only poses a marginal risk.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these vulnerabilities using diverse methods, including by placing files locally. Though you can configure WatchGuard appliances to block some of the Office documents related to a few of these attacks, and you can leverage our security services to mitigate the risk of malware delivered via these attacks, we cannot protect you against all these attacks, especially the local ones. We recommend you apply Microsoft’s patches to best protect your network.


Microsoft has released updates to fix these vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Five July Windows Bulletins: MSXML Fix Included

Severity: High


  • These vulnerabilities affect: All current versions of Windows, as well as optional components like MSXML and MDAC.
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to web sites with malicious content or getting them to run malicious executables
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.


Today, Microsoft released five security bulletins describing six vulnerabilities affecting Windows and optional components that sometimes ship with it (XML Core Services and Microsoft Data Access Components). Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-043: MSXML Code Execution Vulnerability

Microsoft XML Core Services (MSXML) is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It ships with various versions of Windows, and other Microsoft products. If you have a Windows computer, you very likely have MSXML.

MSXML suffers from a memory corruption vulnerability, which attackers found before Microsoft. By luring your users to a web site with malicious code, an attacker could exploit this flaw to execute code on that user’s computer, with the user’s privileges. If you give your users local administrator privilege, the attacker gains full control of their computer.

As we mentioned in June, attackers have exploited this previously unpatched vulnerability in the wild for over a month. You should install Microsoft’s MSXML patch immediately!

Microsoft rating: Critical

  • MS12-045: MDAC Code Execution Vulnerability

The Microsoft Data Access Components (MDAC) are a collection of Windows components that allow other programs to easily access and manipulate databases. Unfortunately, MDAC suffers from a heap overflow vulnerability involving its mishandling of specially crafted XML code. By luring one of your users to a malicious web page, or to a legitimate page that has been hijacked, an attacker can leverage this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, attackers could leverage these flaws to gain complete control of their PCs.

Microsoft rating: Critical

  • MS12-047: Kernel-Mode Driver Elevation of Privilege Flaw

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from two local elevation of privilege flaws. Though the flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage either of these flaws to gain complete control of your Windows computer. However, the attacker would first need to gain local access to your Windows computer, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

  • MS12-048: Windows Shell Command Injection Vulnerability

The Windows Shell is the primary GUI component for Windows. It suffers from a vulnerability having to do with the way it handles specially crafted file or directory names. If an attacker can entice you to interact with a maliciously crafted file or directory, she could exploit this flaw to gain full control of your computer. Attackers could deliver such files via email, web sites, or by placing them in local folders or shared files systems within your network.

Microsoft rating: Important

  • MS12-049: TLS Protocol Information Disclosure Flaw

The Transport Layer Security (TLS) protocol is an encryption standard for privately encoding network communications, including Web and email traffic. According to Microsoft’s bulletin, the TLS protocol suffers from an industry-wide design flaw when using TLS with the cipher-block chaining (CBC) mode of operation. If an attacker can monitor your encrypted TLS communications, they could leverage this complex vulnerability to decrypt your TLS traffic, and gain access to your confidential communications. Since web sites often use TLS to secure their communications, attackers could leverage this flaw to decrypt secure web traffic. That said, attackers would first need to find a way to intercept your web communications in order to set up this sort of Man-in-the-Middle (MitM) attack.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run executable files locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, our XTM appliance’s security services, including Gateway Antivirus (GAV) and Intrusion Prevention Service, can often help protect you from these vulnerabilities. For instance, our GAV service will block much of the malware attackers try to deliver when exploiting these sorts of software vulnerabilities.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at

Internet Explorer Update Plugs a Vulnerability Duo

Severity: High


  • These vulnerabilities affect: Internet Explorer 9 (IE 9)
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s Internet Explorer 9 update immediately, or let Windows Automatic Update do it for you


During Patch Day, Microsoft released a security bulletin to fix two vulnerabilities in Internet Explorer 9 (IE9). The flaws only affect IE 9, and not previous versions of Microsoft’s popular browser.

Though the two flaws differ technically, they both stem from IE inappropriately accessing a previously deleted object. These sorts of invalid access vulnerabilities often result in memory corruptions, which attackers can expertly leverage to force code to execute on your computer, with your privileges.

So in short, if an attacker can lure you to a web site with specially crafted code, he can exploit this flaw to execute code on your computer. If you have local administrator privileges, the attacker gains complete control of your PC.

As an aside, hackers commonly target legitimate web sites and booby-trap them with malicious code, by exploiting various web application vulnerabilities. In other words, you can sometimes encounter these sorts of “drive-by download” attacks even while visiting trusted, legitimate web sites.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin.

Solution Path:

These updates fix serious issues. You should download, test, and deploy the appropriate IE 9 patches immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin. If you use IE 8 or below, you do not have to update.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

That said, WatchGuard’s Gateway Antivirus and Intrusion Prevention Service can often prevent these sorts of attacks, or the malware they try to distribute. We highly recommend you enable our security services on your WatchGuard XTM and XCS appliances.


Microsoft has released patches to fix these vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: Get the XML Core Services Patch Immediately

Have you been jonesing for Microsoft Patch Day like a kitty anticipating the next hit of that sweet, sweet catnip? Ah… probably not. Nonetheless, Patch Day has arrived, so run off and snort your latest dose of security updates now.

Microsoft Patch Day: July 2012

Microsoft’s July bulletin summary highlights nine security bulletins, which fix 16 vulnerabilities in various products including Windows, Office, Internet Explorer (IE), Sharepoint Server, and some of their development tools. They rate three of the bulletins as Critical, and the rest as Important.

The “headlining” issue this month is Microsoft’s fix for the zero day XML Core Services vulnerability. I first warned you about this unpatched code-execution vulnerability last month. In short, if an attacker can entice you to a malicious web site, he could leverage this flaw to force malware on your computer. Microsoft released a “FixIt” workaround for this flaw, but today’s update is the real patch. At the very least, I recommend you download, test, and deploy this update as quickly as you can. Though I’d also recommend you grab all the other updates as well, especially the Critical ones.

I’ll share more details about these issues, and how to fix them, in consolidated alerts I’ll post here shortly. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Announces Fireware XTM and WSM v11.6

Available for All XTM Appliances

WatchGuard is excited to announce the general release of Fireware XTM and WatchGuard System Manager v11.6, which contains significant enhancements to many feature areas within our XTM software.

You can install Fireware XTM OS v11.6 on any WatchGuard XTM device, including 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050 and 2050 devices, and with any edition of XTMv. The new features, enhancements, and bug fixes included in this release have been carefully chosen to improve the efficiency, performance, and reliability of all XTM devices.

Some of Fireware XTM 11.6’s new features and enhancements include:

  • SSO for Citrix and Terminal Services. Fireware XTM 11.6 has been updated to provide single sign-on so that users coming through Citrix XenApp or Microsoft Terminal Services environments don’t require any additional authentication steps.
  • Authentication improvements. WatchGuard user authentication page has been updated to support smart phones (Android, iPhone, Windows Mobile), enabling mobile users to be identified for use in policy management and reporting.
  • Updated in-the-cloud services. Reputation Enabled Defense, the powerful cloud-based URL reputation service that protects web users from malicious web pages, has been updated to include new phishing and malware information feeds from PhishTank and MalwareDomainList.
  • Scalability and performance. Firewall throughput has been increased on all XTM 5 and 8 Series models, by as much as 50 percent in some cases.
  • Compliance reporting in Report Manager. Report Manager has been updated to include a dashboard and a single set of reports for both PCI and HIPAA. It now provides easy one-click access to information needed for compliance requirements.
  • Increased VLANs. The number of VLANs on XTM 3, 5, and 8 Series platforms has been increased.
  • VPN diagnosis improvements. Fireware XTM 11.6 provides new diagnostic capabilities that help users to troubleshoot VPN interoperability and connectivity issues.
  • Auto redirection page improvements. User authentication auto redirect page can be configured to point to a specified hostname, enabling customers to use commercial CA signed certificates for users.
  • Automatic WebBlocker database updates. WebBlocker URL database updates are scheduled to occur automatically every 24 hours, avoiding the need to set up a scheduled task.
  • IPSec Pass-through improvements. IPSec Pass-through works with Static NAT, enabling branch office tunnels to be built from remote sites to routers behind the WatchGuard firewall.
  • Preview of policy enhancements. Fireware XTM 11.6 introduces a preview in the Web UI of new tools to help simplify the understanding and maintenance of policies as defined on the firewall.
    • On-line Policy Checker. Helps to quickly simulate and understand how traffic is handled through the firewall. Users can enter IP address and port combinations to determine which firewall rule is triggered and whether traffic will be allowed.
    • Graphical representation and print option for configuration. Easy-to-read and simple-to-print policy view of the Fireware XTM configuration is useful for sharing with management.
    • Authentication Server Connection Tool. Test and diagnose Active Directory and LDAP connections and verify group membership information.

In addition to the features and enhancements listed above, 11.6 also includes numerous smaller enhancements, bug fixes, and improvements to the product based on customer feedback. If you manage an XTM appliance, we recommend you download and install 11.6 to enjoy its new features and increased stability.

For more information about the feature enhancements included in Fireware XTM v11.6, see the Release Notes or What’s New in Fireware XTM v11.6 [PPT file].

Does This Release Pertain to Me?

Fireware XTM 11.6 is a feature release that also includes many other improvements. If you have any XTM Series appliance and wish to take advantage of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.6. Please read the Release Notes before you upgrade, to understand what’s involved. As always, the Release Notes contain a comprehensive list of fixed bugs and current known issues. Administrators that use both PPPoE connections and Multi-WAN together should pay special attention to a known issue related to this configuration.

How Do I Get the Release?

XTM appliance owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. Fireware XTM 11.6 is an XTM Series-only release, and does not work on e-Series appliances. If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

WatchGuard Security Week in Review: Episode 25

Uyghur Mac Malware, Mobile Threat Trio, and Last DNSChanger Warning

Are you ready for your weekly serving of hot, fresh security news, in video form? Well just click the big YouTube arrow below, and get your fill.

This week’s stories include China-based Mac malware targeting the Uyghur people, three different mobile threats focusing primarily on Android devices, and a Cisco router firmware update debacle, which has users up in arms over their privacy. It’s all covered in the video, so watch below.

Or, if you don’t like video (or feel weird watching it at work), check out the Reference section for links to this week’s stories. Don’t forget to drop me a line in the comments section if you have any thoughts.

(Episode Runtime: 8:35)


Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Bring on the July Microsoft Patches!

Do you just absolutely adore applying patches because you know they make your systems more resilient against attacks? If so, do I have good news for you. Next Tuesday is Microsoft Patch Day… Whoohoo!

Microsoft’s July 2012 Security Bulletins

Based on their Advance Notification page, Microsoft plans to release nine security bulletins on July 10, and they rate three of the bulletins as Critical. The updates will primarily fix vulnerabilities in Windows, Internet Explorer, and Office.

While they don’t specifically mention it in their Advance Notification post, Microsoft has confirmed they will fix the zero day XML Core Services vulnerability I mentioned last month. You’ll want to apply Microsoft’s Critical patches as quickly as you can next week, if for nothing else than for this flaw. In general, I recommend you install the Critical updates first, and that you test the updates before deploying them — especially any server related updates.

While patching really is a good thing, it also requires a significant amount of work. I doubt anyone is quite as excited for Patch Day as I alluded to at the beginning of this post. That said, I still recommend you prepare your staff to deploy Microsoft patches as quickly as you can next Tuesday.

I’ll know more about these bulletins on Tuesday, and will publish alerts about them here. — Corey Nachreiner, CISSP
