Archive | November, 2012

WatchGuard Security Week in Review: Episode 42 – Vulnerability Markets

Vuln Market 0day, Printer Backdoors, and Downed Internet

We’re back from hiatus. After a two week break, our weekly security news podcast has returned.

This week’s episode covers interesting new malware that leverages new command & control channels or targets specific victims, lots of zero day exploits being sold on vulnerability markets, a security industry murder mystery, and much more. If you’d like the latest information security updates, watch below.

As always, I’ve also included a Reference section, which contains links to all the stories mentioned in the video, as well as a few extra ones. Don’t forget to leave your feedback in our comments section.

Enjoy the show, and see you next week.

(Episode Runtime: 11:41)

Direct YouTube Link: http://www.youtube.com/watch?v=_DW3EcXbFlM

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Releases SSL OS v3.2

For SSL 100 and 560 Appliances

WatchGuard is pleased to announce the release of WatchGuard SSL OS v3.2 for the WatchGuard SSL 100 and SSL 560.

WatchGuard SSL OS v3.2 includes new features, enhancements and bug fixes aimed at improving the client experience with respect to flexibility, ease of use, performance and overall stability of your SSL VPN appliance. Some highlights from this release include:

  • Windows 8 Support
  • 64-bit Internet Explorer Support
  • Outlook Anywhere Support
  • Nested Group Support
  • Access Client Settings Synchronization and Client Favorites
  • Access Client History Menu
  • Optimized Assessment Scan
  • Startup Command Confirmation
  • DNS Suffix Assignment
  • Log File Rotation and Deletion

If you’re an SSL 100 or 560 appliance owner with an active LiveSecurity subscription, you can upgrade to SSL OS v3.2 free of charge.  And if your LiveSecurity subscription has lapsed, now is a great time to renew so you can enjoy the many benefits of the SSL OS v3.2 release.

Does This Release Pertain to Me?

SSL OS v3.2 is a feature release that also includes many enhancements and bug fixes. If you have an SSL 100 or 560 appliance, and wish to take advantage of any of the items listed above, or those mentioned in the Release Notes, you should consider upgrading to v3.2. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

WatchGuard SSL 100 and 560 owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles and Support section of WatchGuard’s Support Center, which also includes clear installation instructions. To make it easier to find the relevant software, be sure to uncheck the “Article”, and “Known Issue” search options, and press the Go button. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

WatchGuard XCS 9.2 Update 4 Now Available:

Internationalized Content Scanning and Web Proxy Enhancements, Plus Security and Functionality Improvements

As part of our ongoing efforts to improve the effectiveness of WatchGuard XCS appliances to protect from data loss, new viruses, and malware, and to enable organizations to customize their environments, WatchGuard is pleased to announce the availability of XCS 9.2 Update 4.

Highlights of this maintenance release include:

  • Content Scanning Internationalization Support. WatchGuard XCS now supports non-Western languages when you use the Content Scanning feature on messages and files that use international Unicode character sets. This includes languages such as Chinese (traditional and simplified), Japanese, Korean, Russian, and Greek. In addition, accented characters in Western languages such as German, Norwegian, and French are now processed and displayed properly.
  • SSL Renegotiation Option for TLS Sessions. A new option has been added to the TLS Encryption configuration page that controls SSL renegotiation after a TLS session has been established between the XCS and another mail server. While this option is enabled by default for compatibility with earlier releases, you can disable this option to mitigate SSL renegotiation denial-of-service attacks and avoid issues with standard security scans.
  • End-User Agreement for Login Page. A new End-User Agreement option allows you to display a disclaimer on the WatchGuard XCS login page that a user must accept before they can log in. This option applies to logins by administrators, tiered administrators, Spam Quarantine/Trusted Senders, and WebMail users. You can customize the default End-User Agreement text to reflect the specific acceptable use or legal policies of your organization.
  • Download a List of Imported Directory Users. You can now download a list of users imported to the XCS via LDAP. You can use the downloaded list to examine the email addresses of imported and mirrored users to verify the stored information for recipient verification.
  • Embed Fonts Option for PDF Reports. A new Embed Fonts option has been added that allows you to enable or disable the embedding of fonts directly into a PDF report. This option is enabled by default and improves compatibility for PDF viewers, but significantly increases the size of PDF reports.
  • Private Root CA Certificate Bundle Support.  Secure sites that want to utilize a private Root CA certificate bundle can now upload a new file that contains it.
  • HTTP/1.1 Compatibility for Web Proxy. A new Ignore HTTP/1.1 Expect Header option has been added to allow HTTP/1.1-based web applications to work properly through the WatchGuard XCS Web Proxy.
  • Tiered Admin User Profile Page. Tiered administrators who do not have full admin privileges and do not have a local account (for example, on a clustered system) can now update their user profile and change their password from a User Profile page.
  • Over 25 additional bug fixes and minor enhancements have been included.

For more details, see the Release Notes.

Does This Release Pertain to Me?

XCS 9.2 Update 4 is a maintenance release that contains a number of enhancements and bug fixes, including security fixes. Because of the security updates, it is strongly advised that users install the software update. Please read the Release Notes before you upgrade, to understand what is involved.

How Do I Get the Release?

Your XCS appliance will automatically download the XCS 9.2 Update 4 software. However, it will NOT automatically install the update. You must manually install software updates by going to Administration > Software Updates > Updates. You can also manually download the update from the Articles and Support section of WatchGuard’s Support Center. We highly recommend you thoroughly review the Installation Instructions section of the Release Notes before applying this update.

For a more detailed description of this update, please visit the WatchGuard Support Center at http://www.watchguard.com/support/.

If you need support, please enter a support incident online or call our support staff directly. When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t Be a Target – Anticipate and Monitor for APT Activity

Our security predictions for 2012 forecasted that the class of targeted attacks known as APTs – advanced persistent threats – would trickle down, and begin to affect smaller organizations.

And while it might not make the headlines like the recent story about the data breach at Coca-Cola in 2009 that is still affecting the company three years later, a successful attack can be devastating regardless of the size of the organization or the motive for the attack.

Historically, APT attacks have been created by sophisticated hackers using advanced attack techniques and blended threat malware, but it is only a matter of time before “normal” malware criminals learn from these sophisticated hacks and the evolution of the APT speeds up, making organizations of every size a target.

So let’s revisit this prediction and figure out how to make your organization the smallest target possible with the tools you already have at your disposal.

What’s in an Acronym: APT?

  • Advanced – APTs use the most advanced malware and attack techniques available. By the nature of the name, they often leverage techniques such as encrypted communication channels, kernel-level rootkits, and sophisticated evasion capabilities to get past a network’s defenses. More importantly, they often leverage zero-day vulnerabilities – flaws which software vendors haven’t yet discovered or fixed – to gain access to our systems. In short, APTs are Q-level, James Bond malware.
  • Persistent – This malware is designed to stick around. It carefully hides its communications, using techniques like steganography. It “lives” in a victim’s network for as long as possible, often cleaning up after itself (deleting logs, using strong encryption, and only reporting back to its controller in small, obfuscated bursts of communication).
  • Threat – APTs are extremely blended threats, much like botnets, and very targeted. APT attackers are groups of highly skilled, motivated, and financially-backed attackers with very specific targets and goals in mind. Typically, the often nation-state sponsored attackers have targeted Fortune 500 companies, government-related infrastructure, or the industrial sector – and we anticipate this broadening to organizations of all sizes.

No network security provider can block every APT attack, no matter what they claim. According to Gartner, an estimated $60 billion is invested by corporations and governments in network security systems, yet hackers are still finding ways to sneak past them. By definition, APTs often leverage new techniques, which may not even have a defense yet. However, there are defense strategies that can significantly mitigate the chance of an advanced and persistent infection. WatchGuard supports a variety of reporting and monitoring functions that provide smart and strategic defense against these blended threats.

We’ve outlined a variety of best practices for mitigating risk and monitoring unusual activity across a network that may better detect or stop the next APT, including:

  • Multiple layers of security controls – WatchGuard “defense-in-depth”

A multi-layered approach to network security is the best protection. When combined together, firewalls, intrusion prevention services, proactive anti-virus (AV) solutions, anti-spam and anti-phishing protection, and cloud-based reputation defenses maximize the chance that one or more security controls will catch part of an APT attack.

  • Signature-less malware protection – WatchGuard Proactive Malware Detection

Similar to zero-day attacks, APTs often use malware that has not already been found by AV protection and therefore no signature exists. The only way to catch this kind of APT is to use proactive, non-signature techniques. WatchGuard partners with best-in-class anti-malware and anti-virus service providers such as Kaspersky and AVG Technologies, which both have the capability to detect malware without signatures. Our partners specialize in code emulation, behavior analysis, and sandboxing to determine what a file does and if it may be malware. These techniques can often catch malicious files without actually having reactive signatures for them.

  • An evolving defense framework – WatchGuard XTM (eXtensible Threat Management)

APTs are just further proof that hackers and attacks on the Internet are constantly evolving, so naturally, the only way to really protect against evolving threats is to have a defensive platform that can change along with them. WatchGuard’s strategic XTM hardware and platform design lend to a modular framework that is easily adaptable to adding new security layers to WatchGuard appliances – as new technologies are released, we can better protect against APTs as we integrate them into the platform. This allows WatchGuard to incorporate new defense technologies, such as cloud reputation and the use of heuristics to detect malware, much more quickly than other network security providers.

  • Better manageability through visibility – WatchGuard Firebox System Manager (FSM) and HostWatch

Often, security practitioners focus on prevention and forget about discovery and response. Tools that help quickly identify anomalies or problems in a network and real-time visibility tools such as HostWatch and FSM help find malware through unique monitors, network traffic reports and administrator access to approved or denied external sites. Some network security companies require the purchase of additional reporting tools or appliances in order to have this important insight into a network. WatchGuard believes that customers should not have to pay for the proof (reporting) that indicates a system is providing internal network protection. Visibility tools like FSM and HostWatch are key for APT defense and these WatchGuard tools come free with the WatchGuard XTM appliance.

  • Enforcing Standards – Protocol Anomaly Detection (PAD)

For the most common and important Internet services, such as Web traffic (HTTP), e-mail traffic (SMTP), domain name traffic (DNS), and file transfers (FTP), WatchGuard deploys proxies, or deep application-layer content inspection services. Among other things, these proxy services include our Protocol Anomaly Detection (PAD) feature, which can tell the difference between bad and good traffic by enforcing RFC (Request for Comments) standards for that particular service. For instance, the SMTP RFC states that the maximum line length for an email is 1000 bytes; our proxies enforce that standard, and by extension protect you from any attacks (like buffer overflows) that try to leverage overly-long email lines… and that’s just one example. These are “signature-less” protections that can even block zero-day attacks, if they break protocol standards.
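To make the PAD idea concrete, here is an added example (illustration only, not WatchGuard’s proxy code) of the one check the paragraph walks through: an SMTP line checker that enforces the RFC 5321 limit of 1000 octets per line, CRLF included, and also flags bare LF or bare CR line endings, which the RFC does not allow. The SMTP session it inspects is constructed for the example.

```python
"""Protocol-anomaly check for SMTP lines (added example, not WatchGuard code).

RFC 5321 section 4.5.3.1.6: a text line, including the terminating CRLF,
may be at most 1000 octets. RFC 5321 section 2.3.8 requires CRLF as the
line terminator, so a bare LF or bare CR inside a line is also an anomaly.
"""
from dataclasses import dataclass
from typing import List

MAX_LINE_OCTETS = 1000  # RFC 5321 limit, CRLF included
CRLF = b"\r\n"


@dataclass
class Anomaly:
    line_no: int  # 1-based index of the offending line in the stream
    kind: str     # "line_too_long", "bare_lf" or "bare_cr"
    octets: int   # observed line length, terminator included


def check_smtp_lines(data: bytes, max_octets: int = MAX_LINE_OCTETS) -> List[Anomaly]:
    """Walk the byte stream once, splitting on CRLF the way a proxy would,
    and report every line that breaks the RFC rules above."""
    anomalies: List[Anomaly] = []
    line_no = 0
    start = 0
    while start < len(data):
        end = data.find(CRLF, start)
        if end == -1:
            # Unterminated trailing fragment: count it as-is.
            line, terminated, nxt = data[start:], False, len(data)
        else:
            line, terminated, nxt = data[start:end + 2], True, end + 2
        line_no += 1
        body = line[:-2] if terminated else line
        # A lone LF or CR inside the body means the sender did not use CRLF.
        if b"\n" in body:
            anomalies.append(Anomaly(line_no, "bare_lf", len(line)))
        elif b"\r" in body:
            anomalies.append(Anomaly(line_no, "bare_cr", len(line)))
        # The length limit applies to the whole line including CRLF.
        if len(line) > max_octets:
            anomalies.append(Anomaly(line_no, "line_too_long", len(line)))
        start = nxt
    return anomalies


def should_deny(data: bytes) -> bool:
    """Proxy decision: deny the transaction if any line violates the RFC."""
    return bool(check_smtp_lines(data))


# Constructed sample session: two well-formed commands, an over-long header
# line (9 + 1200 + 2 = 1211 octets) and a line containing a bare LF.
SAMPLE_SESSION = (
    b"MAIL FROM:<alice@example.com>\r\n"
    + b"RCPT TO:<bob@example.com>\r\n"
    + b"DATA\r\n"
    + b"Subject: " + b"A" * 1200 + b"\r\n"
    + b"Hello\nworld\r\n"
    + b".\r\n"
)

if __name__ == "__main__":
    for a in check_smtp_lines(SAMPLE_SESSION):
        print(f"line {a.line_no}: {a.kind} ({a.octets} octets)")
    print("deny" if should_deny(SAMPLE_SESSION) else "allow")
```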

  • Reputation Services – WatchGuard Reputation Enabled Defense (RED)

WatchGuard RED is a cloud-based reputation authority that aggregates many sources of security intelligence to provide our appliances with a dynamic, real-time view of the internet threat landscape. It proactively monitors and stores the IPs and URLs of known sources of malware, drive-by download sites, and phishing and spam email. It gets its intelligence from aggregating many known lists of malware distributors and mixing that with real-time feedback from the thousands of appliances we have protecting customers’ sites. This real-time feedback gives RED a very accurate and dynamic view of the quickly changing threat landscape.

Because APTs are continually evolving and getting more elusive by the day, no network security solution will be able to anticipate or block every attack. Our advice: Always assume that a network is already breached and then build a security vault using the tools and services noted here. We strongly suggest the utilization of more than just preventative tools – strong visibility tools will help recognize threats and ensure that IT administrators are taking all necessary action to help mitigate them. — Corey Nachreiner, CISSP (@SecAdept)

Two IIS Information Disclosure Vulnerabilities

Severity: Medium

Summary:

  • These vulnerabilities affect: The IIS FTP service running on Windows Vista, 2008, 7, and 2008 R2
  • How an attacker exploits them: By sending specially crafted FTP commands or accessing a local log file
  • Impact: In the worst case, a local attacker can learn the credentials for a local account
  • What to do: Deploy the appropriate IIS update at your earliest convenience

Exposure:

Internet Information Services (IIS) is the popular Web and FTP server that ships with all server versions of Windows.

In a security bulletin released today as part of Patch Day, Microsoft describes two relatively minor information disclosure vulnerabilities that affect the popular web server and its optional FTP server.

The first is a local credential disclosure vulnerability due to an unprotected log file. Basically, a particular IIS log file stores the credentials for a configured user in clear text. If an attacker can already log into your IIS server, they can learn the credentials of your configured IIS users. Granted, if an attacker can already log into your IIS server, you have bigger problems to solve.

The second issue is an unspecified FTP command injection vulnerability. Microsoft doesn’t describe this flaw in much detail, only saying that an unauthenticated attacker can execute a limited set of FTP commands on IIS servers, by sending specially crafted FTP commands. The attack works even if you do not enable “anonymous” FTP access. According to Microsoft’s bulletin, a malicious client can leverage this vulnerability to “obtain information disclosure on a vulnerable system.” However, they don’t really say what information the attacker can disclose; whether it be access to the files on the FTP site or some other information. Since the IIS FTP service is not enabled by default, and Microsoft only rates this flaw as Moderate, it doesn’t sound that severe.

That said, we still recommend you download, test, and deploy Microsoft’s IIS updates at your earliest convenience.

Solution Path:

Microsoft has released IIS updates to correct these vulnerabilities. If you manage IIS servers, download, test, and deploy the corresponding update at your earliest convenience.

You’ll find links to the updates in the “Affected and Non-Affected Software” section of Microsoft’s IIS security bulletin.

For All WatchGuard Users:

Since at least one of these attacks is a local-only threat, which a gateway appliance can’t prevent, we recommend you apply the updates described above.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Four Critical Spreadsheet Handling Flaws in Excel

Severity: Medium

Summary:

  • These vulnerabilities affect: Excel (and Office) 2003 through 2010 for Mac and PC (and related components)
  • How an attacker exploits it: By enticing one of your users to open a malicious Excel document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft’s Excel updates as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing four vulnerabilities found in Excel — part of Microsoft Office for Windows and Mac. The flaws also affect the Excel viewer and Office Compatibility Package.

Though the four vulnerabilities differ technically, they are all memory corruption issues which share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Excel document, he can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path

Microsoft has released Excel and Office updates to correct these vulnerabilities. If you use Office or Excel on a PC or Mac, download, test, and deploy the appropriate updates as quickly as possible, or let Windows Update do it for you.

You’ll find links to these updates in the “Affected and Non-Affected Software” section of Microsoft’s Excel security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed four signatures, which can detect and block these new Excel file handling vulnerabilities:

  • EXPLOIT Microsoft Excel SST Invalid Length Use After Free Vulnerability (CVE-2012-1887)
  • EXPLOIT Microsoft Excel Memory Corruption Vulnerability (CVE-2012-1886)
  • EXPLOIT Microsoft Excel SerAuxErrBar Heap Overflow Vulnerability (CVE-2012-1885)
  • EXPLOIT Microsoft Excel Stack Overflow Vulnerability (CVE-2012-2543)

Your appliance should get this new IPS update shortly.

You can also configure certain WatchGuard devices to block Microsoft Excel documents. However, this will block all Excel documents, whether legitimate or malicious. If you decide you want to block Excel files, the links below contain instructions that will help you configure your proxy’s content blocking features for your device:

Status:

Microsoft has released Excel updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Three Critical Windows and .NET Bulletins

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and the .NET Framework
  • How an attacker exploits them: Multiple vectors of attack, including enticing users to view malicious fonts or to open specially crafted Briefcase folders
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released three security bulletins describing ten vulnerabilities that affect Windows and components that often ship with it, such as the .NET Framework. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-072: Two Windows Briefcase Memory Corruption Flaws

Briefcase is a Windows feature that allows you to keep files on two computers in sync, by placing them in a special “briefcase” folder. Unfortunately, Briefcase suffers from two memory corruption flaws: an integer overflow and an integer underflow vulnerability. By enticing one of your users to open a maliciously crafted Briefcase folder, an attacker could exploit either flaw to execute code on that user’s computer, with that user’s level of privilege. Since most Windows users have local administrative rights, this typically means the attacker gains complete control of the victim computer.

Microsoft rating: Critical

  • MS12-074: Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create new Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers since it is essential to many applications.

The .NET Framework component suffers from five new security vulnerabilities.  The flaws differ greatly in scope and impact, and include an information disclosure issue, some elevation of privilege flaws, and a few remote code execution vulnerabilities. If an attacker has access to your local network, and can perform an ARP poisoning attack, he can exploit one of the worst vulnerabilities (in WPAD) to execute code on your Windows computers, with the local user’s privileges. If the user has local administrator privileges, the attacker gains full control of the computer. In short, if you install the .NET Framework on your Windows computers, you should update it as soon as possible.

Microsoft rating: Critical

  • MS12-075: Kernel-Mode Driver Elevation of Privilege Flaw

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from two elevation of privilege flaws and a remote code execution flaw. By enticing one of your users to view a specially crafted font, perhaps hosted at a malicious web site, an attacker could leverage the worst of these flaws to gain complete, kernel-level control of your computer.

Microsoft rating: Critical

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed new signatures, which can detect and block many of these new Windows-related vulnerabilities:

  • EXPLOIT Microsoft Web Proxy Auto-Discovery Vulnerability (CVE-2012-4776)
  • EXPLOIT .NET Framework Insecure Library Loading -1 (CVE-2012-2519)
  • EXPLOIT .NET Framework Insecure Library Loading -2 (CVE-2012-2519)
  • EXPLOIT Windows Font Parsing Vulnerability (CVE-2012-2897)
  • EXPLOIT Microsoft Windows Briefcase Integer Underflow Vulnerability (CVE-2012-1527)
  • EXPLOIT Microsoft Windows Briefcase Integer Overflow Vulnerability (CVE-2012-1528)

Your appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Three Critical Vulnerabilities Only Affect IE 9

Severity: High

Summary:

  • These vulnerabilities affect: Internet Explorer (IE) 9 only
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s Internet Explorer 9 updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing three new security vulnerabilities that affect Internet Explorer (IE) 9.0, running on Windows Vista, 7, and Server 2008. These vulnerabilities do not affect any other versions of IE. Microsoft rates the aggregate severity of these new flaws as Critical.

The three security flaws are all “use after free” vulnerabilities, which are types of memory corruption flaws that attackers can leverage to execute arbitrary code. They all have to do with how IE handles various specially crafted HTML objects.  If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Details aside, all of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws may affect you even when visiting legitimate, trusted web sites.  If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware these attacks try to distribute.

More specifically, our IPS signature team has developed three new signatures, which can detect and block these new IE vulnerabilities:

  • WEB-CLIENT Microsoft IE CTreeNode Use After Free Vulnerability (CVE-2012-4775)
  • EXPLOIT Microsoft IE CFormElement Use After Free Vulnerability (CVE-2012-1538)
  • EXPLOIT Microsoft IE CTreePos Use After Free Vulnerability (CVE-2012-1539)

Your appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: Critical Updates Affect Windows 8 and More

It’s Microsoft Patch Day and I have a question for you. How quick are you at applying software updates? Do you jump on them within the day, within a week, or are you months behind?

If you are one of the many who fall behind, know that patching is one of the practices that can most improve your security posture. I recommend you take this opportunity to improve your patching practices with a small challenge. Try to test and deploy all of today’s patches before Turkey Day (Thanksgiving, Nov. 22). That way you can enjoy a guilt-free feast, knowing your network is relatively safe and secure. If you accept this challenge, here’s what you are in for…

Today, Microsoft released six security bulletins fixing 19 vulnerabilities in many of their popular products, including:

  • Windows (all versions)
  • Internet Explorer (IE)
  • Excel (part of Office)
  • .NET Framework
  • IIS Server

They rate four of the bulletins as Critical, one as Important, and one as Moderate. For more details, check out this November bulletin summary, or wait for our detailed alerts.

With so many critically rated issues, it’s hard to recommend a patch order. I would personally apply the IE update first, since attackers often exploit web browser issues in drive-by download attacks. Follow that with the Critical Windows updates, but don’t forget the Important Excel vulnerability. While this sort of document handling vulnerability requires a little user interaction to succeed, spear-phishers often leverage it in their email-based attacks. Whatever order you choose, I recommend you apply all of today’s updates as quickly as you can.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft’s update matrix below, for your convenience. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 41 – Coke Cracked

Coca-Cola Cracked, Fawkes Day Fail, and Lots of Updates

This week’s security news round-up includes a story about an old Coca-Cola network breach, the results of Anonymous’ Fawkes Day fiasco, a little Twitter password hiccup, and lots of software security updates. If you have a little extra time on Fridays to catch up on the latest information security news, watch the video below.

Of course, if you have no time for videos, and would prefer to pick and choose your news items, see the Reference section below for links to all this week’s security headlines.

Show Note: I will be out for vacation starting the middle of next week, so I will not be posting any WatchGuard Security Week in Review videos for the next couple of weeks. See you again at the end of November, and stay frosty out there.

(Episode Runtime: 10:42)

Direct YouTube Link: http://www.youtube.com/watch?v=S3LyJUK3MLw

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)