Archive | October, 2012

WatchGuard Security Week in Review: Episode 39 – RDP Hostages

Hostage RDP Servers, Pin Pad Hacks, and PS3 Key Leak

Are you ready for some Friday water-cooler security gossip? Did you hear about a bunch of RDP servers at Fortune 500 companies getting hacked? How about the story about Dutch law enforcement legally hijacking suspect computers? If not, you’ve come to the right place. I cover those stories and more in today’s WatchGuard Security Week in Review video.

This week’s video comes to you from the road. During the week, I attended Gartner’s Symposium ITxpo, where Gartner analysts covered the trends driving IT innovation. The four main topics were the Cloud, Mobile, Social, and Big Data, many of which match our security prediction themes from this year. In any case, today’s episode is slightly abbreviated due to my travels.

If you are interested in this week’s big RDP hack, a Barnes and Noble pin pad breach, and even a “pwned” gaming console, check out the video below. You can also find links to all the stories I cover in the Reference section of this post.

Thanks for watching, and have a great weekend.

(Episode Runtime: 7:50)

Direct YouTube Link: http://www.youtube.com/watch?v=DTLlJVhDbIg

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Shockwave Update Corrects Five Buffer Overflows

Summary:

  • This vulnerability affects: Adobe Shockwave Player 11.6.7.637 and earlier, running on Windows and Macintosh computers
  • How an attacker exploits it: By enticing your users into visiting a website containing malicious Shockwave content
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (11.6.8.638) of Adobe Shockwave Player as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on hundreds of millions of PCs.

In a security bulletin released this week, Adobe warned of six vulnerabilities that affect Adobe Shockwave Player 11.6.7.637 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail, though it does say that five of them are buffer overflow vulnerabilities and the last is another memory-related flaw. All six of the security flaws have the same impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version at your earliest convenience.

Solution Path

Adobe has released Shockwave Player version 11.6.8.638 to fix these security flaws. If you use Adobe Shockwave in your network, we recommend you download and deploy the updated player as soon as possible. You can get it from the link below.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Shockwave content. Keep in mind, doing so blocks all Shockwave content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Shockwave files:

File Extension:

  • .swf – Adobe Shockwave files

MIME types:

  • application/x-shockwave-flash
  • application/x-shockwave-flash2-preview
  • application/futuresplash
  • image/vnd.rn-realflash

FILExt.com reported Magic Byte Pattern:

  • Hex: 46 57 53

(We believe this pattern is too short, and thus prone to false positives. We don’t recommend you use it.)

If you decide you want to block Shockwave files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

WatchGuard Security Week in Review: Episode 38 – miniFlame

Oracle Updates, miniFlame, and Steam Hack

There was once a time when I had to subscribe to many obscure mailing lists, lurk on underground forums and channels, and visit a ton of buried pages at vendor sites to learn about the latest vulnerabilities, exploits, and breaches. That’s no longer the case.

Today, mainstream media reports on more information and network security news every week than most IT administrators can keep up with. Thus, this weekly security news round-up video. We consolidate and concentrate all the most important security stories into one digestible video each week—throwing in some practical security tips along the way.

This week’s episode includes security updates from Oracle and Apple, a new advanced nation-state threat called miniFlame, and a few fun security stories involving popular gaming platforms and zombie apocalypses. Watch the video below for quick highlights, and check out the Reference section for more details.

Thanks for watching, and keep frosty out there.

(Episode Runtime: 11:11)

Direct YouTube Link: http://www.youtube.com/watch?v=hCYaXy5oUnY

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Oracle Issues October CPU and Apple Updates Java

This week, Oracle released their quarterly Critical Patch Update (CPU) for October 2012, as well as a separate Java SE security patch. Apple also released OS X Java updates, in relation to Oracle’s Java patch. I describe all these updates below.

Oracle CPU for October 2012:

Oracle CPUs are collections of security updates, which fix vulnerabilities in a wide-range of Oracle products. According to their October CPU advisory, this quarter’s updates fix 109 vulnerabilities in many different Oracle products and suites.

Refer to the table below for more details about the affected products and severity of the flaws:

Product or Suite              Flaws Fixed (CVE)   Max CVSS
Database Server                5                  10.0
Fusion Middleware             26                  10.0
MySQL                          2                   9.0
Sun Product Suite             18                   7.8
E-Business Suite               9                   6.4
Supply Chain Product Suite     9                   5.5
Financial Service Software    13                   5.5
PeopleSoft Products            9                   4.3
Siebel CRM                     2                   4.3
Industry Applications          2                   4.3
Virtualization Products        2                   4.3

Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 109 vulnerabilities differs greatly, some of them pose a pretty critical risk.

For instance, the updates for Oracle Database Server and Fusion Middleware both fix vulnerabilities with a CVSS score of 10—the highest possible severity rating. One of these flaws allows unauthenticated, remote attackers to potentially gain complete control of your Oracle database server. If you manage any of the affected Oracle products, you’ll want to install the corresponding updates as soon as you can. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert.

Oracle Java SE CPU:

Oracle also released a separate CPU advisory for Java SE, announcing a security update that fixes 30 vulnerabilities in the popular interpreter used to run Java applications. Again, Oracle doesn’t describe these flaws in technical detail. They only share their severity. However, they’ve assigned ten of the vulnerabilities the maximum CVSS severity score (10), which typically means that remote attackers can leverage them to gain complete control of your computer. In the case of Java attacks, this typically means enticing you to a web site containing malicious Java code.

Personally, I think this Java update is more important than all the patches in Oracle’s primary CPU, simply because almost everybody has Java installed. Right now, Java is one of the most targeted applications for drive-by download attacks, and every major underground web exploit framework has many Java exploits built-in. If you haven’t already, you should patch Java immediately. You can find more information on where to get the update in the Patch Availability Table of Oracle’s advisory.

On a related note, a while back a researcher found a serious “sandbox escape” vulnerability in Java. This update still does not fix that particular flaw. The good news is the researcher has not disclosed the technical details about this flaw to the public, so attackers aren’t exploiting it in the wild. Nonetheless, I would still keep my eye out for a patch since I’m sure blackhat hackers are now searching for it.

Apple Releases Java Updates for OS X:

Finally, yesterday Apple also released Java updates for all current versions of OS X. Apple packages their own version of Java for OS X, probably to make it easier for users to run Java apps. This means when Oracle updates Java, Apple has to update their version separately.

Yesterday’s OS X Java updates fix the same vulnerabilities mentioned in the official Oracle update above; only OS X users need to install Apple’s version of the updates. If you use OS X, download and install Java for Mac OS X 10.6 Update 11 or Java for OS X 2012-006 immediately, or let Apple’s Software Update program do it for you.

As an aside, this update also removes the Java applet plugin from all OS X web browsers. This means when you visit a web page containing a Java applet, the browser will direct you to download Oracle’s Java plugin. While this may cause more work for users, it will also ensure OS X users can get the latest version of Java. In the past, Apple has received flak for updating their version of Java much later than the original Oracle update. This change takes the pressure off Apple. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 37 – Cyber Espionage

Nation State Cyber Espionage, WoW Death Hack, and Lots of Patches

Another week has blown by, and if you had a week like mine, you’ve barely gotten a chance to catch your breath between each new task. If that’s the case, you probably also missed this week’s security news. Fear not! WatchGuard Security Center is coming to the rescue. Grab a cup of joe, settle into your seat, and let the security news video below brief you on the latest in about ten minutes.

By far, the biggest story this week concerns cyber espionage accusations between nation states. Today’s episode covers that fiasco, as well as a bunch of security updates, some interesting game and social network hacks, and even a quick mobile security tool tip. Click play (or follow the YouTube link) for all the details.

Too embarrassed to watch a video at work? No problem. Just check the Reference section below for links to these stories’ sources. And if you have any suggestions, leave a comment. Until next time, stay safe out there.

(Episode Runtime: 12:05)

Direct YouTube Link: http://www.youtube.com/watch?v=p1fh5kHuOnY

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Windows Updates Fix Relatively Minor Kernel and Kerberos Flaws

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows and the components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic and enticing users to run malicious applications
  • Impact: In the worst case, a local attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. We summarize these Windows bulletins below:

  • MS12-068: Kernel Elevation of Privilege Vulnerability

The kernel is the core component of any computer operating system. The Windows kernel suffers from an integer overflow vulnerability, which attackers can leverage to elevate their privilege. By running a specially crafted program, a local attacker could exploit this flaw to gain complete control of your PC. However, the attacker would first need to gain local access to your Windows computer using valid credentials. This factor significantly reduces the severity of the issue.

Microsoft rating: Important

  • Kerberos Denial of Service Vulnerability

Kerberos is one of the authentication protocols used by Windows Servers. The Kerberos service suffers from a Denial of Service (DoS) vulnerability involving the way it handles specially crafted session requests. By sending specially crafted network traffic, an attacker could leverage this flaw to crash and restart your Kerberos server. The attacker could repeatedly exploit this vulnerability to keep your server offline for as long as they continued their attack. That said, most administrators do not allow Internet-based users access to their Kerberos server, which significantly mitigates the severity of this vulnerability.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances can mitigate some of these attacks by preventing Internet-based attackers from accessing the vulnerable services, they cannot prevent local attacks. Therefore, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Mends SQL Server XSS Vulnerability

Severity: Medium

Summary:

  • This vulnerability affects: Most current versions of SQL Server
  • How an attacker exploits it: By enticing you to click a specially crafted link
  • Impact: An attacker can steal your web cookie, hijack your web session, or essentially take any action you could in the SQL server Report Manager
  • What to do: Deploy the appropriate SQL Server updates as soon as possible

Exposure:

SQL Server is Microsoft’s popular database server. It includes the SQL Server Reporting Services (SSRS), which provides web-based access to the SQL Server Report Manager.

According to Microsoft’s security bulletin, the SQL Server Report Manager suffers from a Cross-site Scripting (XSS) vulnerability due to its inability to properly validate and sanitize request parameters. By enticing you to click a specially crafted link, an attacker could leverage this flaw to inject client-side script into your web browser. This could allow the attacker to steal your web cookie, hijack your web session, or essentially take any action you could on the SQL Server Report Manager site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer.

Solution Path:

Microsoft has released SQL Server updates to correct this vulnerability. You should download, test, and deploy the appropriate update as soon as possible. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s SQL Server bulletin.

As an aside, the Cross-site Scripting (XSS) protection mechanisms built into many modern web browsers, like Internet Explorer (IE) 8 and above, can often prevent these sorts of attacks. We recommend you enable these mechanisms, if you haven’t already.

For All WatchGuard Users:

If you have enabled our XTM security appliance’s IPS service, one of our generic XSS detection signatures already detects and prevents this XSS flaw. Nonetheless, we still recommend you download, test, and apply the SQL Server patches as quickly as possible.

Status:

Microsoft has released updates to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Four Updates Repair Office and Server Software Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word, Works, Sharepoint, InfoPath, Communicator, Lync, Groove, and more
  • How an attacker exploits them: Multiple vectors of attack, including enticing users to click specially crafted links, or to open specially crafted documents
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix around 20 vulnerabilities in a wide range of Microsoft Office and Server Software products. The affected products include:

  • Word and Word Viewer
  • Works 9
  • Sharepoint Server
  • InfoPath
  • Communicator and the new Lync
  • Groove
  • FAST Search Server
  • and the Office Web Apps

I summarize these four security bulletins below, in order from highest to lowest severity.

  • MS12-064: Two Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles maliciously crafted Word or RTF documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage either of these flaws to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could leverage these vulnerabilities to gain complete control of their machines. These flaws affect all current versions of Word, including Word Viewer, the Office Compatibility Pack, and the Office Web Apps.

Microsoft rating: Critical

  • MS12-065: Works 9 Heap Buffer Overflow Vulnerability

Works is a lightweight word processor, which is less expensive than Word but lacking in features. It suffers from a buffer overflow vulnerability having to do with how it handles malformed Word documents. By luring one of your users into downloading and opening a malicious Word document, an attacker can exploit this buffer overflow to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. The flaw only affects Works 9.

Microsoft rating: Important

  • MS12-066: Microsoft Server Software XSS Vulnerability

Many of Microsoft’s Server Software products (including Sharepoint Server, Communicator and Lync, InfoPath, and Groove) suffer from a Cross-site Scripting (XSS) vulnerability having to do with the servers’ inability to properly sanitize HTML inputs. The bulletin doesn’t describe exactly what element of these web-based servers suffers from the XSS vulnerability; only that they do. In any case, if an attacker can trick you into clicking a specially crafted link, he could leverage this flaw to steal your web cookie, hijack your web session, or essentially take any action you could on the vulnerable server. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer.

Microsoft rating: Important

  • MS12-067: FAST Search Server Oracle Outside In Vulnerabilities

Microsoft’s FAST Search Server improves the searchability of your SharePoint infrastructure. In previous alerts and videos, we warned you that Microsoft Exchange leveraged Oracle’s Outside In technology to parse various types of file attachments, and that Outside In suffered from a number of remote code execution vulnerabilities. FAST Search Server implements Outside In, and also suffers from these vulnerabilities. If an attacker can upload a specially crafted file to a share that FAST Search Server indexes, he could leverage these vulnerabilities to execute arbitrary code on the FAST Search Server. However, two factors significantly mitigate the severity of these issues. First, most administrators only use this server to index internal file shares, which means the attacker needs local access and privilege to upload the malicious file. Furthermore, the attacker could only execute code with the limited privileges of a “user account with a restricted token.”

Microsoft rating: Important

Solution Path:

Microsoft has released Office and Server Software patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you. That said, we highly recommend you test server updates before deploying them, so you may not want to turn on automatic updates for your servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

Our XTM security appliances can mitigate the risk of many of these flaws. One of our generic XSS detection signatures already detects and prevents the XSS flaw described in MS12-066. Furthermore, with information from Microsoft’s Active Protections Program (MAPP), we have already developed a signature for the RTF exploit described in MS12-064, which we will include in a new signature set your appliance should get shortly.

Furthermore, WatchGuard’s Gateway Antivirus (GAV) service detects most of the common malware attackers try to deliver when exploiting these flaws. In short, if you have our UTM bundle and enable IPS and GAV, we can protect you from many attacks that try to leverage these flaws.

Nonetheless, attackers can exploit these flaws in other ways as well, including uploading malicious files locally. We still recommend you install Microsoft’s updates as quickly as possible to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Office, Windows, and SQL Server Updates

Like clockwork, Microsoft’s Patch Tuesday has gone live. This month Microsoft seems to be focusing on Office and their Server Software, with the Windows updates posing only a moderate risk.

As promised, Microsoft released seven bulletins fixing vulnerabilities in several of their products. The affected software includes:

  • Word and the Word Viewer
  • Works 9
  • SQL Server
  • Windows (all current versions except Windows 8)
  • Sharepoint Server
  • Communicator & Lync
  • InfoPath
  • Groove
  • Fast Search Server
  • Office Web Apps

They only rate the Word update as Critical, and the rest as Important. If you’d like more information about these alerts before we release our detailed alerts, check out Microsoft’s summary post for October.

Usually, I tend to recommend you patch Windows (and related products like Internet Explorer) first, since all your users have them, and security flaws in popular products pose a high risk. However, in this case the Windows updates seem the least worrisome of the bunch. Today, I recommend you apply the Office and related Server Software updates first, the SQL Server update second, and save the Windows updates for last. Of course, I still recommend you test the updates before deploying them, especially the server ones.

We’ll share more details about Microsoft’s bulletins in three upcoming alerts, posted throughout the day. Stay tuned. — Corey Nachreiner, CISSP (@SecAdept)

Early Adobe Flash Patch Corrects 25 Vulnerabilities

Summary:

  • These vulnerabilities affect: Adobe Flash Player running on all platforms (including Android devices) and Adobe Air
  • How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe usually shares Microsoft’s Patch Day, saving their security updates for the second Tuesday of the month. However, today they released a security bulletin one day earlier than expected, announcing a patch that fixes a bunch of critical vulnerabilities in the popular Flash Player application.

Adobe’s bulletin describes 25 security vulnerabilities (based on CVE numbers) that affect Flash Player running on any platform. It doesn’t describe the flaws in much technical detail, other than mentioning they consist of buffer overflow vulnerabilities and other types of memory corruption flaws. That said, Adobe does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit many of these unspecified vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

Though it doesn’t look like attackers are exploiting these flaws in the wild yet, Adobe rates the flaws as “Priority 1” issues for Windows users, and recommends you apply the Windows updates within 72 hours. These vulnerabilities also affect other platforms, though not as severely. I recommend you update any Flash-capable device as soon as you can.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Flash files:

File Extension:

  • .flv – Adobe Flash file (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

  • Hex FLV: 46 4C 56 01
  • ASCII FLV: FLV
  • Hex FLA: D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If a pattern is too short, or not unique enough, blocking with it could result in many false positives.)

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.
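As an added example (not WatchGuard code or proxy configuration), the Python below classifies a response using the extension, MIME type and magic-byte information listed in both the Shockwave and the Flash alerts on this page, and shows the false positives the notes warn about: the three-byte “FWS” pattern hits ordinary text when matched anywhere in a body, and the quoted FLA pattern is the generic OLE2 compound-file header, so it also matches older Office documents. The URLs, headers and bodies are constructed samples, not captured traffic.

```python
from urllib.parse import urlsplit

# Extensions and MIME types listed in the Shockwave and Flash alerts above.
BLOCKED_EXTENSIONS = {".swf", ".flv", ".fla", ".f4v", ".f4p", ".f4a", ".f4b"}
BLOCKED_MIME_TYPES = {
    "application/x-shockwave-flash",
    "application/x-shockwave-flash2-preview",
    "application/futuresplash",
    "image/vnd.rn-realflash",
    "video/x-flv",
}
# video/mp4 and audio/mp4 are left out: the alert notes they are not Flash-specific.

# Magic-byte patterns quoted from FILExt in the alerts above.
MAGIC_PATTERNS = {
    "swf": bytes.fromhex("46 57 53"),                    # "FWS", only 3 bytes
    "flv": bytes.fromhex("46 4C 56 01"),                 # "FLV" + version byte
    "fla": bytes.fromhex("D0 CF 11 E0 A1 B1 1A E1 00"),  # OLE2 compound-file header
}

def match_extension(url):
    """Return the blocked extension of the URL path (lower-cased), or None."""
    path = urlsplit(url).path.lower()
    dot = path.rfind(".")
    ext = path[dot:] if dot != -1 else ""
    return ext if ext in BLOCKED_EXTENSIONS else None

def match_mime(content_type):
    """Return the blocked MIME type from a Content-Type header, or None."""
    if not content_type:
        return None
    mime = content_type.split(";", 1)[0].strip().lower()   # drop ;charset=...
    return mime if mime in BLOCKED_MIME_TYPES else None

def match_magic(body, anchored=True):
    """Return the first matching magic pattern name, or None.
    anchored=True tests only the start of the body (where a file signature
    lives); anchored=False searches the whole body, as a loose body-pattern
    rule would, and is where short patterns produce false hits."""
    for name, pattern in MAGIC_PATTERNS.items():
        hit = body.startswith(pattern) if anchored else pattern in body
        if hit:
            return name
    return None

def classify(url, content_type, body, anchored=True):
    """Return the reasons a proxy rule would block this response ([] = allow)."""
    reasons = []
    ext = match_extension(url)
    if ext:
        reasons.append("extension:" + ext)
    mime = match_mime(content_type)
    if mime:
        reasons.append("mime:" + mime)
    magic = match_magic(body, anchored)
    if magic:
        reasons.append("magic:" + magic)
    return reasons

# Constructed sample responses (url, Content-Type, first bytes of body).
SAMPLES = {
    # Uncompressed SWF: "FWS", version byte, 4-byte little-endian length.
    "swf_download": ("http://cdn.example.test/banner.swf",
                     "application/x-shockwave-flash",
                     b"FWS\x0a\x40\x00\x00\x00" + b"\x00" * 24),
    # Plain HTML that merely contains the three-byte "FWS" pattern mid-body.
    "newsletter": ("http://www.example.test/news.html",
                   "text/html; charset=utf-8",
                   b"<p>Notes from the FWS mailing list</p>"),
    # Legacy Word document: its OLE2 header is exactly the quoted FLA pattern.
    "old_word_doc": ("http://files.example.test/report.doc",
                     "application/msword",
                     bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 24),
    # FLV served under a neutral name and MIME type; only the signature shows it.
    "renamed_flv": ("http://cdn.example.test/clip.dat",
                    "application/octet-stream",
                    b"FLV\x01\x05\x00\x00\x00\x09" + b"\x00" * 16),
}

def evaluate_samples(anchored=True):
    """Classify every sample; returns {sample name: list of block reasons}."""
    return {name: classify(url, ctype, body, anchored)
            for name, (url, ctype, body) in SAMPLES.items()}
```

Run with `anchored=True` to see the signature checks behave; run with `anchored=False` to see the newsletter page get blocked on nothing more than the letters “FWS”, and note that the legacy .doc is blocked in both modes because the FLA pattern is not unique to Flash.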

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)
