Archive | September, 2012

WatchGuard Security Week in Review: Episode 35 – Adobe Certs

New Java 0day, Cisco DoS, and Stolen Adobe Certs

There’s no shortage of information and network security news lately. If you find yourself struggling to keep up with it, due to all your other daily tasks, let my weekly summary videos fill you in. WatchGuard Security Week in Review quickly highlights the most important stories of the week, and lets you know what to do about the ones that might affect you.

This week’s episode includes two important software updates, news of another Java zero day flaw, a story about advanced attackers breaching a Smart Grid vendor’s network, and details about stolen Adobe code signing certificates. There are patches to install and certificates to revoke, so give this week’s episode a view to learn what to do.

If you’d like more details on any of these stories, or want to see the ones I didn’t have time to cover in the video, check out the Reference section below. Have a great weekend, and see you next Friday.

(Episode Runtime: 8:50)

Direct YouTube Link: http://www.youtube.com/watch?v=R-DbODYoBLI

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Final IE 0day Update: Microsoft Out-of-Cycle Patch Available

If you’ve read my two posts [ 1 / 2 ], and watched this week’s video, you already know all about the zero day vulnerability plaguing Internet Explorer (IE) this week. In my last update, I mentioned Microsoft promised to release a full, out-of-cycle patch for this serious vulnerability today. True to their word, they did just that.

Since you know all about this flaw already, I won’t bore you with the details again. However, I highly recommend you go download, test, and install this update immediately. The patch is your best protection against the attacks in the wild. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 34 – IE 0day

IE 0day, Bank Attacks, and Massive Apple Update

Are you too busy to follow security news yourself, but would like quick updates about the latest attacks, vulnerabilities, and trends? Then WatchGuard Security Week in Review is for you. In this weekly video (posted every Friday), I quickly summarize the biggest information and network security news. Rather than let your busy schedule keep you in the dark, give this short recap video a try.

Today’s episode covers a major zero day vulnerability in Internet Explorer (IE), a bunch of security updates for Macs and iOS devices, and a few stories about attackers targeting banks. If you manage Windows systems, it’s worth a watch for the IE vulnerability alone.

As an aside, I’ve been traveling in Europe all this week, so I had to produce this episode quickly, from my hotel room, on my iPhone. The quality is not quite up to its normal par, and due to my schedule, I had to skim over a few details and skip a few stories. However, if you are interested in more information, or would like to see some of the stories I didn’t mention in the video, be sure to check out the Reference section below.

Finally, if you have suggestions for what you’d like to see in future episodes, let me know in the comments.

(Episode Runtime: 5:40)

Direct YouTube Link: http://www.youtube.com/watch?v=AqN8zgFj5z8

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Apple Posts Security Updates for OS X, iOS, and Safari

Severity: High

Summary:

  • These vulnerabilities affect: Apple OS X 10.6.x-10.8.x, Safari 6.0 and below, and iOS 5.1.1 and below.
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files, or visiting malicious websites
  • Impact: Various results; in the worst case, an attacker can execute code with your privileges, and leverage other flaws to elevate to root
  • What to do: Install the appropriate OS X, Safari, and iOS update as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Yesterday, Apple released three security updates to fix many vulnerabilities in OS X, iOS, and Safari (Mac version only). Like the iTunes patch from last week, these updates fix an unusually large number of vulnerabilities. For instance, the iOS update fixes around 197 flaws, many of them affecting the Webkit component. If you use Mac computers, or iOS devices, you should apply these significant updates quickly. I quickly summarize Apple’s three alerts below:

If you paid attention to Apple’s iPhone 5 announcement last week, you may also have been excited about iOS 6, which they posted yesterday. If iOS 6’s new features weren’t enough to sell you on the new firmware, Apple’s iOS 6 security alert should close the deal. According to Apple’s alert, iOS 6 fixes around 197 security vulnerabilities. The flaws differ widely, but attackers can exploit the worst of them to execute arbitrary code on your iOS devices. The attacker only has to lure you to a site containing malicious content, or entice you to interact with some sort of file (whether it be an image, movie, or config file). If you have an iPhone, iPod, or iPad, you should update it to iOS 6 as quickly as possible. See Apple’s security update if you want more details on the individual flaws, including their CVE numbers.
WatchGuard rating: Critical

Apple also released a huge OS X security update to fix vulnerabilities in all current versions of OS X. The almost 700MB patch fixes about 35 (number based on CVE-IDs) security issues in many components that ship as part of OS X or OS X Server, including QuickTime, the Kernel, and BIND. Again, the flaws differ in scope and impact, but the worst allow attackers to execute code with your privileges simply by enticing you into viewing malicious file or web content. Furthermore, some of the Kernel flaws allow attackers to elevate their privilege, gaining complete control of your computer. If you use a Mac, you should install the update as quickly as you can. See Apple’s alert for more detail on each flaw.
WatchGuard rating: Critical

Finally, Apple also released an update to fix about 60 security flaws in Safari for Mac (Apple seems to have discontinued supporting Safari for Windows). Many of these flaws are the same Webkit component issues that Apple recently patched in iTunes. Like those flaws, by enticing you to a web site containing malicious code, attackers can execute code with your privileges. Many of the vulnerabilities are ideal for drive-by download attacks. Again, if you have a Mac, I recommend you patch Safari, even if you don’t use it as your primary browser.
WatchGuard rating: Critical

Solution Path:

Apple has released updates for all these products. If you use Mac computers, or iOS devices, you should download and install the updates as soon as you can, or let Apple’s Software Updater do it for you. That said, the OS X update is rather large, and will require a reboot, so plan that update accordingly. Personally, I have had few issues with Apple’s Automatic Updater. I recommend you use the Automatic Updater to download and remind you of patches regularly, at least on your client machines (you may need to plan your OS X server updates more carefully).

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM appliance can help mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Apple’s updates is your best solution.

Status:

Apple has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.



IE 0day Update: Microsoft Releases a FixIt Patch

A few days ago, I posted an alert about a zero day Internet Explorer (IE) vulnerability that attackers were exploiting in the wild. By luring you to a web site containing malicious code, a remote attacker can exploit this flaw to execute code on your computer, with your privileges. To most Windows users, this means the attacker gains complete control of your computer.

Today, Microsoft released a FixIt workaround to temporarily mitigate this attack. If you use IE, I recommend you apply this FixIt immediately. It’s important to note, the FixIt doesn’t replace a full patch. Microsoft says they plan on releasing a more complete patch for this flaw on Friday. You’ll still want to apply that too, once it comes out. In the meantime, however, this FixIt offers the best protection to IE users.

For your convenience, I’ve included the original IE alert below. Be sure to check with Microsoft on Friday, for their full patch. Though I plan on alerting you when Microsoft posts their update, I will be on international flights on Friday, and may not be able to post the update till later. — Corey Nachreiner, CISSP (@SecAdept)


Attackers Exploit Serious Zero Day Internet Explorer Vulnerability

Yesterday, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability in Internet Explorer (IE), which attackers are exploiting in the wild.

According to a blog post, a security researcher named Eric Romang first discovered the zero day IE exploit as he was poking around a web server hijacked by the Nitro gang. Romang found four malicious files (.html x2, .swf, .exe) on the server, which acted together to infect his fully patched Windows XP machine.

Shortly after Romang’s release, Microsoft posted their security advisory confirming the previously undiscovered flaw in IE. The advisory warns that the flaw affects IE 7, 8, and 9, but not 10. Though Microsoft is still researching the issue, the vulnerability seems to be a “use after free” class of memory corruption vulnerability. In short, if an attacker can entice you to a web page containing maliciously crafted content, he could exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker would gain full control of your machine.

Zero day IE vulnerabilities are relatively rare, and very dangerous. Attackers are already exploiting this one in the wild, so it poses a significant risk. Furthermore, researchers have already added an exploit for this issue to the popular Metasploit framework, making it even easier for novices to leverage.

Unfortunately, Microsoft just learned of this flaw, so they haven’t had time to patch it yet. I suspect Microsoft may release an out-of-cycle patch for this flaw, but in the meantime here are a few workarounds to help mitigate the issue:

  • Use IE 10 – IE 10 is not vulnerable to this issue. However, IE 10 is still only a preview build, and the latest versions only run on Windows 8 and Server 2012. So this workaround may not help everyone.
  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue. So you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMET – EMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. EMET is a fairly complex tool, so I only recommend it to more advanced administrators. Nonetheless, installing it could help protect your computer from many types of memory corruption flaws, including this one.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to this attack.
  • Make sure your AV and IPS are up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. In fact, if you use an XTM appliance with the IPS service, we can already detect and block the Metasploit variant of this attack. Whatever you use, be sure to keep your AV and IPS systems updating regularly, to get the latest protections.

I’ll continue to follow this issue as it evolves, and will post here as soon as Microsoft releases a patch.

As an aside, I apologize for the slight delay to this post. Unfortunately, I was on an international flight when this news first broke. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 33 – Elderwood Project

Advanced Attack Campaigns and Stealthy Botnets

The weekend is almost upon us… Yay! Before you run out and enjoy some fun in the sun (hopefully), take eight minutes to check out this summary video highlighting some of the bigger information and network security stories this week.

In this episode, I share a quick UDID leak update, talk about a long-term advanced attack campaign, warn you of a potential HTTPS weakness, and discuss a botnet evolution. I throw in a few “fun” security news tidbits as well. If you want to stay on top of the latest security issues, click the play button below.

As always, if I skim over a topic too quickly for your tastes, feel free to check out the Reference section, where you will find links to all these stories. See you next week.

(Episode Runtime: 8:09)

Direct YouTube Link: http://www.youtube.com/watch?v=gmNPx8dx7Yw

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

iTunes 10.7 Update: Heavy On Security Fixes, Short On Details

Yesterday, Apple released an updated version of their popular media player and mobile syncing software, iTunes 10.7. The update adds new features (like support for upcoming iOS 6) and fixes security vulnerabilities.

I must admit, I pretty much ignored Apple’s email about this update at first. After all, iTunes is a media player. Not really your typical business critical software, and not something I see attackers target very often. That said, it’s important to update all of your software, so I took a peek at Apple’s alert.

Wow!

According to Apple’s security bulletin, iTunes 10.7 fixes over 160 different vulnerabilities. I don’t think I’ve ever seen a security update list so many CVE numbers for one patch.

Apple’s alert doesn’t describe these flaws in any detail, probably because there are just too many to cover. However, they do characterize the majority of the flaws as memory corruption issues in Webkit. Hackers typically exploit memory corruption flaws to either crash a program or execute code on your computer with your privileges. The only question that remains is how attackers might trigger these iTunes vulnerabilities. Apple doesn’t say, but based on past iTunes issues, I suspect that if an attacker can entice you to a special URL within iTunes, or can trick you into running a maliciously crafted media file, they could exploit many of these flaws to execute code on your computer, potentially gaining complete control of it (depending on your privileges).

In short, if you use iTunes on any platform, you should download and install 10.7 as soon as possible. — Corey Nachreiner, CISSP (@SecAdept)

XSS Vulnerabilities in Microsoft Servers and Developer Tools

Severity: Medium

Summary:

  • These vulnerabilities affect: Visual Studio Team Foundation Server 2010, Systems Management Server 2003, and System Center Configuration Manager 2007
  • How an attacker exploits them: By enticing a user to click a specially crafted link, or visit a malicious web site
  • Impact: An attacker can elevate his privileges and take any action your users can
  • What to do: Deploy the appropriate update as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released two security bulletins describing a pair of cross-site scripting (XSS) vulnerabilities in their Server software and development tools. They rate both updates as Important. The bulletins specifically affect:

  • Visual Studio Team Foundation Server 2010
  • Systems Management Server 2003
  • System Center Configuration Manager 2007

We summarize each bulletin below:

  • MS12-061: Visual Studio Team Foundation XSS Vulnerability

Team Foundation Server is a software development collaborative platform that allows developers to manage multi-person projects. It suffers from a cross-site scripting (XSS) vulnerability, which attackers can potentially leverage to elevate their privileges on your development server.

By enticing one of your users to click a specially crafted link, an attacker could exploit this flaw to execute script with your user’s privileges. This script could steal the user’s cookies, redirect their browser to malicious sites, or essentially take any action the user could on your Team Foundation Server. If you use this development platform, you should apply Microsoft’s updates as soon as possible.

Microsoft rating: Important.

  • MS12-062: System Center Configuration Manager XSS Vulnerability

System Center Configuration Manager is a PC management platform that allows you to manage many Windows computers at once. You can use it for patch management, software distribution, OS deployment, remote control, and more. It too suffers from a cross-site scripting (XSS) vulnerability, very similar to the one described above. Again, if an attacker can lure you into clicking a specially crafted link, he could exploit this flaw to execute script with your privileges. This would allow him to do anything in System Center Configuration Manager that you could. If you use this management system in your network, you should apply Microsoft’s patch as soon as possible.

Microsoft rating: Important.

Solution Path:

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

As an aside, Internet Explorer 8 and above include an XSS Filter feature, which prevents these sorts of XSS attacks from working. You may want to enable the XSS Filter feature to benefit from its protections.

For All WatchGuard Users:

If you use a WatchGuard XTM appliance with the Intrusion Prevention Service (IPS), it can help mitigate attacks leveraging either of these flaws. According to our Best-in-Class IPS partner, one of our IPS service’s generic XSS signatures detects and prevents these vulnerabilities. We recommend you turn on our IPS service if you haven’t already.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

Light Patch Tuesday Brings Two XSS Fixes

As I mentioned in last week’s early warning, today’s Patch Day is extremely light with only two updates. According to their September bulletin summary, Microsoft has only released updates for Visual Studio Foundation Server and System Center Configuration Manager. Both updates fix cross-site scripting (XSS) vulnerabilities that Microsoft rates as Important.

If you have either of these products, you should apply today’s patches at your earliest convenience, despite their low severity. If you don’t use either of these products, you’re off the hook this month (whoohoo). However, don’t forget to check your certificate infrastructure to make sure you are using 1024-bit certificates by October.
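One way to do that certificate check on a Windows host, as an added example that is not WatchGuard’s or Microsoft’s code: it walks the local certificate stores and lists every certificate whose RSA public key is shorter than 1024 bits, so those can be reissued before the October minimum takes effect. The store paths and the 1024-bit threshold are the only inputs; run it elevated to see the full LocalMachine stores.

```powershell
# Added example (not WatchGuard's or Microsoft's code): list certificates in the
# local stores whose RSA public key is shorter than 1024 bits.
# Assumes it runs on the Windows host being audited.

$MinimumKeyBits = 1024

function Get-WeakRsaCertificate {
    param(
        [int]$MinBits = $MinimumKeyBits,
        [string[]]$Stores = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )
    foreach ($store in $Stores) {
        # -Recurse walks every logical store (My, Root, CA, TrustedPublisher, ...).
        Get-ChildItem -Path $store -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                # The 1024-bit minimum applies to RSA keys; skip other algorithms.
                if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
                try {
                    $bits = $cert.PublicKey.Key.KeySize
                } catch {
                    # Unreadable key: report it with -1 so it gets reviewed by hand.
                    $bits = -1
                }
                if ($bits -lt $MinBits) {
                    New-Object PSObject -Property @{
                        Store      = $cert.PSParentPath -replace '^.*::', ''
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    } | Select-Object Store, Subject, Issuer, KeyBits, NotAfter, Thumbprint
                }
            }
    }
}

Get-WeakRsaCertificate | Sort-Object Store, Subject | Format-Table -AutoSize
```

Run it against each server and workstation image; an empty result means no RSA key below 1024 bits is present in the scanned stores.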

Also, if you use any Cisco products, Microsoft also released a Cisco-related Security Advisory today. The advisory includes a roll-up patch that sets the kill bit for a few different Cisco ActiveX controls. This prevents the third-party controls from working in IE, due to vulnerabilities in them. Microsoft administrators should probably apply this update as well.
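To verify that a kill bit actually landed after the roll-up, here is an added example (not WatchGuard’s or Microsoft’s code) that reads the Compatibility Flags value IE consults for a control’s CLSID and reports whether the kill bit (0x400) is set. The CLSID in the call is a constructed placeholder, since this page does not list the affected Cisco CLSIDs; substitute the ones from Microsoft’s advisory.

```powershell
# Added example (not WatchGuard's or Microsoft's code): report whether the IE kill
# bit is set for an ActiveX control. IE looks up the CLSID under the ActiveX
# Compatibility key and refuses to instantiate the control when bit 0x400 of the
# "Compatibility Flags" DWORD is set, whether or not the control is installed.

$KillBitFlag = 0x400

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    # 64-bit Windows keeps a second copy for 32-bit IE under Wow6432Node; check both.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($key in $keys) {
        $flags = $null
        if (Test-Path -Path $key) {
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        # A missing key or value means no kill bit: IE will load the control.
        $flagText = if ($flags -ne $null) { '0x{0:X8}' -f $flags } else { '(absent)' }
        $killed   = ($flags -ne $null) -and (($flags -band $KillBitFlag) -ne 0)
        New-Object PSObject -Property @{
            Clsid       = $Clsid
            KillBitSet  = $killed
            Flags       = $flagText
            RegistryKey = $key
        } | Select-Object Clsid, KillBitSet, Flags, RegistryKey
    }
}

# Placeholder CLSID (constructed); replace with the control(s) you are verifying.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```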

Finally, Adobe holds their Patch Day today. They only released one security bulletin for ColdFusion. The update fixes a denial of service (DoS) vulnerability in ColdFusion 10 and earlier, running on any platform. If you use ColdFusion, make sure to apply that patch, too.

I’ll release a more detailed alert about the Microsoft issues here shortly — Corey Nachreiner, CISSP (@SecAdept)
