Archive | August, 2012

WatchGuard Security Week in Review: Episode 31 – Java 0day

Java 0days, Hacktivist Data Breaches, and Dropbox Improvements

Though I cover four stories in this week’s security recap video, one incident far outweighed all the others this week. If you use Java—and almost everyone does—you’ll want to check out today’s episode.

The video below covers Dropbox’s two-token authentication update, a Firefox security update, a new hacktivist data breach, and two zero day Java vulnerabilities that attackers have exploited in the wild throughout the week. If you want to protect yourself from the latest drive-by download attacks, watch the video for tips.

For more details on any of the stories in the video, see the references below. In the meantime, surf safe and if you’re in the US, enjoy your holiday weekend.

As an aside, if there are any Radio Free Security (RFS) listeners out there, I recorded August’s episode and will complete final edits today. However, I don’t intend to post it till next Tuesday, due to the holiday weekend. If you’re looking for RFS, check back next week.

(Episode Runtime: 6:22)

Direct YouTube Link: http://www.youtube.com/watch?v=jTf7_5NA8Rg

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

When VMs Get Pwned: Real Security in Virtual Environments

This week I wrote an article for a few of our partners, including the well-known SpiceWorks IT pro forum. If you’re interested in learning about the additional risks introduced by hardware virtualization and in securing your virtual environment, read on.

Spinning up a virtual machine (VM) without a good security policy, a hardened hypervisor, and virtual security controls is like diving into a public pool with your mouth wide open—you may not contract a disease immediately, but eventually you’ll have a very bad day.

I’m not sure why some administrators forget to harden their virtual environment. Perhaps they imagine it like the virtual realm of “World of Warcraft”; if a VM gets pwned they can just return, ghost-like, and resurrect it. Personally, I think it’s more like the “Tron” universe; if data on your VM gets popped, it disappears “IRL” too. This article discusses the additional security risks hardware virtualization introduces, and shares a few quick virtual security best practices to mitigate those risks.

A brief history of virtualization
The concept of virtualization has existed since the inception of computing. Back in the mainframe days, and again when personal computers emerged, we virtualized our computers’ input/output (I/O) system via the operating system (OS). The OS (also called the supervisor) abstracts I/O functions so individual applications don’t have to “re-invent the wheel” and figure out how to handle them.

Next, we wanted to run many programs at once, so we virtualized memory. Multi-tasking OSs like Windows present virtual memory pages to each application. Every application thinks it has all your computer’s memory resources, but your OS secretly virtualizes it.

Finally, we come to virtualization as we know it today; specifically, hardware virtualization. Hardware virtualization allows us to abstract our computer’s hardware and run multiple OSs on one physical machine. In order to do this, hardware virtualization requires an additional authority to manage everything, called the hypervisor.

Hardware virtualization presents many benefits, most of which you’re probably aware of. It saves us time, money, space, HVAC costs, and may even help us go green. So why hasn’t everyone virtualized everything? While there is no simple answer to that question, security is one major inhibitor.

Virtual environments increase real-world risks
Hardware virtualization introduces new security risks and concerns. I’ve heard people generalize this risk as, “the same security issues as physical computers, just on virtual ones.” There’s some truth to that, but hardware virtualization also adds additional layers of concern. Let me share a few of those issues:

  • Hypervisor security issues – I mentioned the hypervisor — the higher-level authority that abstracts your computer’s hardware, and manages multiple VMs. A hypervisor is just software, albeit complex software. Like all software, it can suffer from development bugs (buffer overflows and the like), which may result in security vulnerabilities. The hypervisor is a high-privileged system, so vulnerabilities in its software pose dire consequences. Hypervisors also introduce new management interfaces and services to your infrastructure, both of which present new targets for attackers. In short, hardware virtualization increases the potential attack surface of your network.
  • Multi-tenant security issues – Running multiple computers on one physical platform introduces new problems. Information security has the concept of security domains. You segment resources by what they do, and how much you trust them. In the physical world, servers typically do one thing, so separating them is easy. In the virtual world, you can place many servers on one machine, making it more difficult to separate them by domain. Furthermore, VMs can communicate instantly with one another, sans a physical network. This leads to the “bad neighbor” syndrome, where one infected VM can quickly infect others on the same hardware, if configured improperly. Multi-tenancy also introduces data remnant risks, where one VM might access the data left in memory by another VM.
  • Virtual network blind spot – I mentioned VMs can communicate with each other over a virtual network, never hitting a physical network. Though we have many great physical network visibility and security tools, they can’t see anything happening on virtual networks. Unless you implement virtual security controls, you won’t see the attacks until it’s too late.
  • It’s relatively new and complex – While virtualization (even hardware virtualization) has been around for decades, many small business administrators only dove into it recently. Some of us are just starting to wrap our heads around virtual networking and switching, let alone learning how to harden hypervisors and implement virtual security controls. Additionally, some virtualization benefits complicate security. Its increased flexibility and mobility means you can copy and paste a VM instantly, but also allows you to quickly replicate, multiply, and further expose security mis-configurations. In short, virtual servers often move quicker than security policies can keep up.

Those are just a few unique virtualization security concerns. VMs also suffer from “normal” computer security risks too – only these risks are further complicated by the liquid nature of virtual environments.

Virtual attacks: From theory to reality
You might ask, “Well that sounds scary in theory, but are attackers really targeting virtualization?” In a word, yes.

For instance, security researchers have demonstrated virtualization rootkits (Blue Pill), attackers have designed malware that avoids researcher VMs, and criminals have leveraged VMs as Command and Control (C&C) channels for botnets. Most recently, the Crisis malware included a spreading mechanism that searched for and infected virtual images, making it the first wild malware that specifically targets VMs.

Security best practices for a virtual world
At this point, you might be balking at the idea of virtualizing anything, but don’t worry. Virtualization’s benefits far outweigh its risks, and there are defenses for all these dangers. Here are a few virtualization best practices to get you started:

  • Favor bare metal hypervisors over hosted ones – Without going into full detail, there are two types of hypervisors: those that run directly on hardware (Type 1), and those that run on top of an OS (Type 2). I recommend using a Type 1 (or bare metal) hypervisor like VMware ESXi; the benefit being that it limits the scope of hypervisor attacks. For instance, an elevation of privilege attack against a Type 2 hypervisor may give an attacker full control of your native OS, whereas there is no OS to access on a Type 1 hypervisor.
  • Segment your hypervisor’s management network – Hypervisors have management interfaces which you can access over a network. Make sure to separate this management network from other virtual and physical networks you don’t trust, and limit access to management interfaces.
  • Disable unnecessary hypervisor services – Hypervisors provide many services to virtual machines, including access to USB devices, Bluetooth, disc drives, file services, physical network cards, and so on. They also provide ease-of-use features, like the ability to drag and drop files between virtual machines. Each of these services exposes more attack surface. If you don’t use it, disable it.
  • Patch your hypervisor regularly – It’s software; it has vulnerabilities; patch it. Hypervisors fall into the class of things people tend to deploy and forget. Don’t let that be the case for you.
  • Apply least privilege principles to hypervisors and guest VMs – You already know the least privilege principle, now extend it to your virtual environment. Who can manage the hypervisor, build new VMs, launch VMs, and what privileges do users on guest VMs have? These are all things you can control.
  • Standardize your VM images – VMs move fast. People clone, copy, and redeploy them at the speed of file transfer. Badly configured VMs can spread security mis-configurations quickly. By the same token, creating a well-hardened, properly configured VM to use as a base image ensures your newly deployed virtual servers will at least start with secure defaults.
  • Deploy virtual security controls – Today, virtual networks are a huge blind spot in our infrastructure. Though hypervisor vendors have started to provide some basic virtual security controls, they lack high-end security and visibility tools. Some third parties, like WatchGuard, have started to provide these virtual security solutions. Consider using them.
  • Extend normal security controls to VMs – The tips above help you specifically harden your virtual environment, but virtual machines still act like normal computers. They need OS and software patches, as well as normal host-based security controls like antivirus (AV). Luckily, there are solutions which help you apply such controls across multiple virtual machines at once.

At the end of the day, all the information and network security practices we use to protect physical devices still apply to protecting the virtual ones. The only difference is we have to extend these practices across new surfaces, and introduce our familiar tools to new environments. Once you understand the new attack surface that hypervisors and virtual networks present, you can start to mitigate these risks using familiar defenses. It’s just a matter of diligently doing what you already know. — Corey Nachreiner, CISSP (@SecAdept)

Oracle’s Out-of-Cycle Java Update Closes Two Serious Zero Day Holes

Severity: High

Summary:

  • These vulnerabilities affect: Current versions of Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) running on all platforms
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Java update as soon as possible

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Most operating systems today implement a Java interpreter to recognize and process Java code from websites and other sources. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

If you followed my twitter posts this week, you’ve surely heard of the serious new zero day Java exploit, which researchers found in the wild last weekend. First discovered by FireEye, and analysed by Deep End Research, the exploit leverages a previously unknown code execution flaw in Java 1.7 to launch drive-by download attacks. Worse yet, some underground criminal exploit kits, like Blackhole, have already added the zero day flaw to their arsenal. Even Metasploit, the popular penetration testing tool, has a working version of the exploit. Later in the week, researchers also pointed out a second vulnerability.

Typically, Oracle follows a quarterly patch cycle, which would have placed their next update two months from now. However, in an unprecedented move, Oracle has released an out-of-cycle update to fix this extremely dangerous zero day flaw, as well as two others.

According to Oracle’s alert and blog post, all three of the corrected vulnerabilities received a base CVSS score of 10.0, the most severe rating. They all allow attackers to execute code, are easily exploitable, very reliable, and often give attackers full control of victim machines. Furthermore, many attackers are already exploiting them in the wild. If you use Java, I highly recommend you apply Oracle’s emergency update immediately. In fact, if you don’t need Java, I suggest you remove it from your computer.

Solution Path:

Oracle has released JRE and JDK updates to correct these issues. If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Furthermore, attackers have heavily targeted Java lately in their exploit frameworks. If you do not need Java in your organization, I suggest you remove it.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading Java applets from websites. However, doing so also cripples legitimate websites using Java applets. If you do not want to block Java applets, download the appropriate Java updates as soon as possible. Furthermore, blocking Java applets may mitigate the risk of some of these attacks, but not all of them. Oracle’s update is the best solution.

To learn how to use your Firebox’s HTTP proxy to block Java applets, see the “Deny Java Applets” section of the HTTP Proxy Advanced FAQ.

Also, WatchGuard is working to provide IPS signatures for all these Java exploits. Our IPS system already blocks the Metasploit variant of this attack with one of our generic Metasploit Java shellcode signatures. If you have our security services, be sure to enable IPS.

Finally, Gateway antivirus can also help you prevent these sorts of Java attacks. WatchGuard leverages two Best-in-Class AV providers in our security appliances–Kaspersky and AVG. According to a recent test by AV-Comparatives, only nine out of 22 AV providers actually detect the public versions of these exploits. Both AVG and Kaspersky are on the list of engines that do catch them.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


What did you think of this alert? Let us know at lsseditor@watchguard.com.

Need help with the jargon? Try the LiveSecurity Online Glossary.

WatchGuard Security Week in Review: Episode 30

VM Malware, Mac Attack Toolkits, and iPhone SMS Spoofing

I’ve posted today’s weekly security news summary video a bit late, due to some work travel that got in the way of production, but better late than never right? If you’re interested in the biggest information security stories from the week, you’re at the right place.

This week’s episode covers an SMS spoofing vulnerability that primarily affects iPhones, a Mac attack toolkit criminals are selling on the cyber-underground, and some paradigm shifting malware that specifically targets and infects VMware virtual machines. For details on these stories and more, check out the video below.

Since I had to create this week’s episode quickly, I left out a few extra security stories from the week. If you want to learn about these missing additions, or just want more details about the stories in the video, check out the Reference section at the end of this post.

Have a good weekend, and stay frosty.

(Episode Runtime: 8:02)

Direct YouTube Link: http://www.youtube.com/watch?v=brkjMbpE_Ec

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Flash Player Patch Tuesday Repeat

Last week, you endured a busy Patch Tuesday, which included a pile of security updates from Microsoft and Adobe. Adobe’s patch day included big updates for Reader, Shockwave, and Flash. Unfortunately, Adobe wasn’t quite finished fixing the Flash Player vulnerabilities.

Just a week after Patch Day, Adobe has released yet another Flash Player update to fix six more critical vulnerabilities in the popular web multimedia player. The six new flaws differ technically, but mostly share the same scope and impact. In fact, they’re generally the same type of memory corruption flaws as Adobe fixed last week — just more of them. In any case, if an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

These six new Flash Player flaws affect all platforms, including Windows, Macintosh, Linux, and Android. So if you are running Flash Player on any platform, make sure to install this week’s Flash update, even if you already applied the patch from last week. You can find the proper update in the “Solutions” section of Adobe’s Flash Bulletin.

As an aside, if you are waiting for today’s WatchGuard Security Week in Review Episode, it’s coming, but won’t show up until later this afternoon. I wasn’t able to shoot and produce the video when I normally do, due to work travel. So I will have to post it late in the day. If you’re gone before it goes up today, be sure to check it out Monday. — Corey Nachreiner, CISSP (@SecAdept)

Crisis Malware Specifically Targets Virtual Machines

In a WatchGuard Security Week in Review video from about three weeks ago, I highlighted a new cross-platform malware variant called Crisis, which could infect both Windows and Mac computers by using a Java vulnerability that affected both platforms. The cross-platform nature of this malware alone made it pretty unique and interesting. This week, Symantec has uncovered new details about Crisis, which makes it even more impressive and scary; and could also represent an evolutionary new step for malware. In short, Crisis specifically targets and infects virtual machines.

According to Symantec’s blog post, when Crisis executes on a Windows computer, it searches the hard drive for VMware format virtual images. When it finds a VM image, it mounts the image and copies itself to the virtual machine, thus infecting it as well. Since virtual machines pretty much look identical to physical ones, malware has always been able to inadvertently infect virtual machines. However, this is the first time that I have seen malware that specifically targets and infects virtual images.

I think this is a pretty big deal in malware evolution. Unlike physical computers, virtual images get cloned, copied, and shared quite a bit. Often, IT administrators have pre-set virtual images they use as the base image whenever building a new virtual machine. If one of these base images got infected, you could inadvertently spread that infection to every new virtual image you spun up.

Furthermore, many administrators haven’t yet implemented the same security controls they have on their physical networks on their virtual ones. This makes their virtual network a black hole, as far as visibility and security are concerned. One of my predictions this year was that SMBs’ increased adoption of virtualization technology would reawaken the need for virtual security solutions. Crisis’ new virtual spreading technique reinforces that prediction.

The good news is there are solutions out there. For instance, WatchGuard’s own XTMv and XCSv virtual appliances can deliver all the typical layers of security you use today to your virtual network.

Today’s malware authors use modular code and like to share. I suspect many other malware authors will adopt this new virtual image infection trick soon, and we will see them more aggressively target virtual machines. If you haven’t already implemented virtual security solutions, I recommend you do so soon. — Corey Nachreiner, CISSP (@SecAdept)
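As an added example (not code from WatchGuard or Symantec), the Python script below turns the “standardize your VM images” advice from the virtualization article above into a check that would catch the Crisis behaviour described in this post: it records a SHA-256 manifest of a golden-image directory and reports any image file that was added, removed or modified since the baseline was written. The directory layout, the set of VMware file suffixes it looks at, and the sample image files it creates are constructed assumptions for the demo; point it at your real base-image store and schedule it before each clone.

```python
"""Integrity baseline for VM base images (added example, not WatchGuard's code).

Builds a SHA-256 manifest of the files that make up a set of virtual
machine images and reports files that were added, removed or modified
since the manifest was written. A golden image that is only ever cloned
should never change between checks, so any difference is a reason to
investigate before the image is deployed again.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types that make up a VMware image on disk (assumption: extend for
# other hypervisor formats such as .vhd or .qcow2 if you use them).
IMAGE_SUFFIXES = {".vmdk", ".vmx", ".vmsd", ".vmxf", ".nvram"}


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so multi-GB disks fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each image file under root (relative POSIX path) to its hash and size."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in IMAGE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return manifest


def save_manifest(manifest, manifest_path):
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def compare(baseline, current):
    """Classify differences between two manifests as added/removed/modified."""
    base_keys, cur_keys = set(baseline), set(current)
    modified = [k for k in sorted(base_keys & cur_keys)
                if baseline[k]["sha256"] != current[k]["sha256"]]
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": modified,
    }


def check_images(root, manifest_path):
    """Re-hash the image store and diff it against the saved baseline."""
    return compare(load_manifest(manifest_path), build_manifest(root))


def demo():
    """Constructed sample: a throwaway image store with fake image files."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "images"
        golden = store / "golden-win7"
        golden.mkdir(parents=True)
        (golden / "golden-win7.vmx").write_text('config.version = "8"\n')
        (golden / "golden-win7.vmdk").write_bytes(b"KDMV" + b"\x00" * 512)  # fake disk
        (golden / "notes.txt").write_text("not part of the image, ignored\n")

        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(store), manifest_path)
        clean = check_images(store, manifest_path)  # nothing has changed yet

        # Simulate what a VM-aware infection would leave behind: the disk
        # image is rewritten and an extra file appears in the image folder.
        (golden / "golden-win7.vmdk").write_bytes(b"KDMV" + b"\x00" * 400 + b"changed")
        (golden / "golden-win7-s001.vmdk").write_bytes(b"new split disk part")
        tampered = check_images(store, manifest_path)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after tampering:", after)
```

The manifest only covers files that belong to the image, so stray notes or logs next to it do not raise alarms, while a rewritten disk or an unexpected extra extent does. Store the baseline somewhere the image host cannot write to, otherwise anything that can modify the image can also modify the record you are comparing it against.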

WatchGuard Security Week in Review: Post Vacation Edition

If you follow my weekly security recap vlog, you probably noticed I didn’t post a WatchGuard Security Week in Review video last week. Instead, I was soaking up some rays on the beach. Ok… I was on a Washington state beach so there weren’t many “rays” involved — but at least there was sand.

Anyway, my scheduled vacation prevented me from posting the video last week. I would have mentioned the lack of video in a blog post, but I felt that the Security Center had its share of posts during an extremely hectic Black Patch Tuesday, and didn’t want to bother you with yet another one.

To make up for it, I’m posting a belated text-version of last week’s security news summary. If you’re interested in the important and interesting security stories you may have missed last week, check out the bulleted-list below. You can expect my video summaries to resume this Friday, though this week may be an “on the road” episode:

  • Shamoon malware wipes HD and MBR – An Israeli security firm called Seculert discovered a malware variant that steals info, then erases your hard drive (HD) and wipes your master boot record (MBR), preventing your computer from booting. Though the malware has infected at least one Middle Eastern energy company, experts do not think Shamoon comes from the same authors as other APTs.
  • Citadel trojan seems to target airline employees – A security company found a version of the Citadel botnet trojan that seems to target airlines, by attempting to steal employees’ VPN credentials. The malware specifically tries to capture some of the additional authentication tokens certain VPN clients require.
  • Blizzard credential breach – Blizzard is the latest victim of yet another password/credential breach. Though Blizzard salts their hash, you should still change your Blizzard credentials.
  • Anonymous claims another PSN hack; Sony says no – In a tweet and Pastebin post, Anonymous claims they breached Sony PSN network again, and stole the information from 10 million PSN users. Sony says the breach didn’t happen. Chalk this one up to an Anonymous hoax.
  • Tridium releases ICS software patches – Tridium creates automation software for lighting and HVAC systems. US-CERT warned of many vulnerabilities in their software, and Tridium released updates to fix them this week. Just more evidence of how digital attacks can affect physical infrastructure.
  • Android malware triples in a quarter – One of WatchGuard’s partners, Kaspersky, released a security report last week that included some interesting facts about mobile malware. They found that Android malware has increased three-fold, and mostly focuses on SMS trojans that steal money.
  • Wikileaks Trapwire release and DDoS attack – A few weekends ago, Wikileaks released information about how certain agencies are leveraging video surveillance systems to track people (codenamed Trapwire). Shortly after this release, the Wikileaks site suffered DDoS attacks from a group called Antileaks. Antileaks says the incidents are unrelated.

Well, that covers the biggest security news from last week. On an unrelated note, I saw a video last week that does a great job of summarizing DEF CON 20. I can’t directly embed the video here, but you can find it in this article. If you missed DEF CON, and want to get its general vibe, I recommend checking the video out.

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Updates for Reader X, Flash, and Shockwave Player

Severity: High

Summary:

  • These vulnerabilities affect: Shockwave Player, Flash Player, Reader X, and Acrobat X
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released three security bulletins describing vulnerabilities in many of their popular software packages, including Shockwave Player, Flash Player, and Reader and Acrobat X.

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize these three Adobe security bulletins below:

  • APSB12-16: Multiple Reader and Acrobat Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 20 vulnerabilities that affect Adobe Reader and Acrobat X 10.1.3 and earlier, running on Windows and Macintosh. Adobe doesn’t describe the flaws in much technical detail, but does note that most of them involve buffer overflow and memory corruption issues. Almost all of them share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB12-17: Five Shockwave Memory Corruption Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin warns of five unspecified memory corruption vulnerabilities that affect Shockwave Player 11.6.5.635 and earlier for Windows and Macintosh. All five flaws share the same impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

Adobe Priority Rating: 2 (Patch within 30 days)

  • APSB12-18: Flash Player Code Execution Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe’s bulletin describes a serious flaw that affects Flash Player 11.3.300.270 and earlier for all platforms. They don’t describe the vulnerability (CVE-2012-1535) in detail, but they do describe its impact. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit this flaw to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe also warns that attackers are currently exploiting this flaw in the wild via malicious Word documents, which target Windows users. We highly recommend you patch Flash Player immediately.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Exchange Update Corrects Oracle Outside In Vulnerabilities

Severity: Medium

Summary:

  • These vulnerabilities affect: Exchange Server 2007 and 2010
  • How an attacker exploits it: By enticing a user to preview a specially crafted attachment within an email
  • Impact: An attacker can execute code with the restricted privileges of the LocalService account
  • What to do: Deploy the appropriate Exchange Server update as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Microsoft Exchange is one of the most popular email servers used today. It includes many advanced features and capabilities. One such feature, called WebReady Document Viewing, allows your email users to preview attached documents as web pages. Exchange leverages Oracle’s Outside In technology to parse these documents and provide these previews.

Unfortunately, Oracle recently found a number of vulnerabilities in their Outside In libraries, which they fixed during their quarterly Critical Patch Update (CPU) last July. In early August, Microsoft realized Exchange was also affected by Oracle’s Outside In vulnerabilities, and they released a security advisory warning their customers about it (we highlighted this advisory in WatchGuard Security Week in Review a few weeks ago). Though Microsoft’s advisory provided a workaround for the issue, it didn’t completely fix it.

Today’s Exchange security bulletin does completely resolve the Oracle Outside In vulnerabilities within Exchange.

In a nutshell, the Outside In libraries that Exchange leverages suffer from a number of code execution vulnerabilities having to do with how they parse various types of files. By enticing one of your email users to preview a specially crafted document attached to an email, an attacker can exploit any of these flaws to execute code directly on your Exchange server. Luckily, the code only executes with the permissions of the LocalService account, which has very limited privileges. Nonetheless, we recommend Exchange administrators update as soon as possible.

Solution Path:

Microsoft has released Exchange updates to correct these vulnerabilities. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s Exchange bulletin.

For All WatchGuard Users:

If you like, you can configure WatchGuard’s security appliances to block or strip the document types necessary for attackers to exploit these vulnerabilities. However, some of the affected documents include ones that most administrators prefer to allow, such as Word and PDF documents. Therefore, we recommend you apply the patches instead.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

One Critical and Two Important Microsoft Office Updates

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office, Visio, SQL Server, Commerce Server, Host Integration Server 2004, Visual FoxPro, and Visual Basic 6.0 Runtime
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting web sites with malicious content
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released three Office-related security bulletins describing vulnerabilities found in Microsoft Office, Visio, and other productivity-related software. They rate one of the updates as Critical and the others as Important.

Besides affecting Office, the Critical update also affects:

  • SQL Server (most versions)
  • Commerce Server (all versions)
  • Host Integration Server 2004
  • Visual FoxPro
  • Visual Basic Runtime

We summarize the three bulletins below:

  • MS12-060: Common Controls Remote Code Execution Vulnerability

Office (and many other Microsoft products listed above) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). One of the ActiveX controls in this library suffers from an unspecified remote code execution vulnerability. By enticing one of your users to visit a malicious web page, or into clicking a specially crafted link, an attacker could exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of his machine. Microsoft’s update sets the kill bit for the vulnerable ActiveX control.

According to Microsoft, attackers are exploiting this vulnerability in the wild, in “limited targeted” attacks. This significantly increases the risk of this already serious vulnerability. You should apply this update immediately.

Microsoft rating: Critical.
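Because the MS12-060 fix works by setting a kill bit, the simplest way to confirm it took effect on a host (or that a pre-patch kill-bit workaround is in place) is to read the kill bit back from the registry. The PowerShell below is an added example, not code from the WatchGuard alert or from Microsoft. The registry location and the 0x400 "Compatibility Flags" value are the documented kill-bit mechanism; the two CLSIDs in the script are placeholders that you must replace with the control CLSIDs listed in the MS12-060 bulletin.

```powershell
# Added example (not part of the WatchGuard alert): audit whether the ActiveX
# kill bit is set for a list of CLSIDs. A kill bit is the 0x400 flag in the
# "Compatibility Flags" DWORD under the ActiveX Compatibility key; on 64-bit
# Windows, 32-bit controls are tracked under the Wow6432Node path as well.
# The CLSIDs below are placeholders: replace them with the CLSIDs from the
# MS12-060 bulletin for the Windows Common Controls (MSCOMCTL.OCX).

$KillBitFlag = 0x400

$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder, not a real control
    '{00000000-0000-0000-0000-000000000002}'    # placeholder, not a real control
)

$BaseKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param(
        [Parameter(Mandatory)] [string] $BaseKey,
        [Parameter(Mandatory)] [string] $Clsid
    )
    $key = Join-Path -Path $BaseKey -ChildPath $Clsid
    # No key at all means no kill bit (and no other compatibility flags).
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $flags = [int]$item.'Compatibility Flags'
    return (($flags -band $KillBitFlag) -ne 0)
}

$results = foreach ($base in $BaseKeys) {
    # The Wow6432Node hive does not exist on 32-bit Windows; skip it there.
    if (-not (Test-Path -LiteralPath $base)) { continue }
    foreach ($clsid in $Clsids) {
        $set = Test-KillBit -BaseKey $base -Clsid $clsid
        [pscustomobject]@{
            Hive    = $base
            Clsid   = $clsid
            KillBit = $set
        }
    }
}

$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.KillBit })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) control(s) have no kill bit set; confirm the MS12-060 update is installed."
}
```

Run it from an elevated PowerShell prompt so both hives are readable. A control that shows KillBit = False under either hive can still be instantiated by Internet Explorer or by an Office document on that machine, so treat it as unpatched until the update is confirmed through your patch-management tooling.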

  • MS12-057: CGM File Memory Corruption Vulnerability

Computer Graphics Metafiles (CGM) are text-based file representations of 2D vector or raster graphics. Though few people actually use CGM files today, Microsoft Office still supports this legacy file type.

According to the bulletin, Office suffers from an unspecified memory corruption vulnerability involving the way it handles CGM files. By enticing one of your users into opening a CGM file, or into opening an Office document containing an embedded CGM file, an attacker can exploit this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative rights, the attacker gains complete control of the computer.

Microsoft rating: Important.

  • MS12-059: Visio DXF Buffer Overflow Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams.

Visio and Visio Viewer suffer from a buffer overflow vulnerability involving the way they handle a specific type of specially crafted Visio document, called a DXF file. If an attacker can entice one of your users into downloading and opening a maliciously crafted DXF file, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects Visio and Visio Viewer 2010.

Microsoft rating: Important.

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Many of WatchGuard’s security appliances can help mitigate the risk of some of these attacks. For instance, you can configure WatchGuard appliances to block the Office documents related to a few of these attacks (such as DOC, XLS, and DXF files) and you can leverage our security services to mitigate the risk of malware delivered via these attacks.

However, most administrators prefer to allow Office documents into their network, and our appliances cannot protect you against every avenue of attack, especially local ones. So we still recommend you apply Microsoft’s patches to best protect your network.

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).