Archive | December, 2012

WatchGuard Security Week in Review: Episode 45 – OpWestboro

Hacktivists Against Hate, SMS Spam Bots, and Exynos Exploits

Hey! Look at that. The world hasn’t ended.

I guess that means my decision to prepare my weekly security news video rather than my apocalyptical fallout shelter wasn’t a tragic mistake. If you are in the mood for some information security (infosec) news on the last Mayan calendar day of the, well, er…ever…then you’ve come to the right place.

In this week’s show, I cover some important software update news, an Android SMS botnet, a mobile zero-day flaw, and the latest Anonymous operation, which I suspect many people might appreciate despite its illegal nature. If you’d like to learn how to avoid the latest malware and attacks, or just want to follow the latest infosec drama, play the video below.

Also, don’t forget to check out the Reference section if you’d like to read more details about any of these stories. As always, I’ll include a few extras for those looking for bonus material.

Speaking of end of times, this will be the last WatchGuard Security Week in Review episode for 2012. Enjoy your holiday. I’ll see you next year.

(Episode Runtime: 10:21)

Direct YouTube Link: http://www.youtube.com/watch?v=ua1FfpZy7qI

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

December Radio Free Security: 2013 Security Predictions

WatchGuard’s 2013 Security Predictions Unveiled

Radio Free Security (RFS) is a monthly audio podcast dedicated to spreading knowledge about network and information security, and to keeping busy IT administrators apprised of the latest security threats they face online. If you’re looking for the latest security news and best practice tips, this show is for you.

Love ’em or loathe ’em, security predictions have become a pretty regular part of the holiday season. Personally, I believe they contribute value to the information security (infosec) industry. After all, at their core, predictions are based on real industry trends; pundits and analysts (like me) just like to wildly extrapolate those trends to make them sound fun and entertaining. However, the true point of predictions—well, my true point anyway—is to educate and spread awareness. Hopefully, talking about these potential security issues can prepare you to avoid them before they happen to you.

A few weeks ago, you heard the Radio Free Security (RFS) co-hosts and I go over our 2012 security predictions, to see how we did. I’d say we earned a C+. During this month’s episode, I’ll see if I can score better by unveiling my 2013 security predictions to the same team. I purposely kept my annual forecasts from them until this recording, just so you’d get their honest, gut reactions. Do they whole-heartedly agree with my foretellings, or scoff at my foolhardy imaginings? Listen in to find out.

To give you a hint of what you’re in for, the predictions cover topics such as life-threatening hardware hacks, mobile device pick-pockets, cyber strike-back, zombie browsers, and much more. Whether or not our specific predictions come true, the episode explores many real infosec trends that everyone, from the smallest consumer to the largest enterprise CSO, will face in 2013. At the very least, I suspect my predictions will prove a little more accurate than the ancient Mayans’ one about December 21, 2012 (hope I don’t eat my words).

So, grab your favorite holiday beverage, get comfortable, and settle in for Radio Free Security’s final 2012 episode.

Note: Due to the seasonal sniffles, our web team cannot post this episode to its normal feeds until tomorrow. For now, you can download a ZIP version of the episode, or listen to it using the player below. The links to RFS’s normal locations will be updated shortly.

[runtime: 2:02:56]

You can always find the latest episode of Radio Free Security:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 44 – Ar.Drone Virus

Ar.Drone Virus, Skynet Bot, and #ProjectWhiteFox

Despite the upcoming holiday season, information security (infosec) news hasn’t slowed, with plenty of interesting new infosec stories this week. If you want a quick recap of the highlights, check out our short video below.

In this episode, I cover a few breaches—including one that affected an exploit vendor—a botnet that leverages Tor to hide its communications, and a virus that wirelessly infects remote control quadricopters. If you’re passionate about infosec, this was a pretty entertaining and interesting week.

As always, I share links to written versions of these stories in the Reference section below. I had to keep this week’s episode short due to other events, so I’ve also included links to many other stories I couldn’t cover in the video. Be sure to check them out.

As an aside, if you’ve been waiting for December’s promised Radio Free Security episode, which unveils our 2013 Security Predictions, I’ll post it early next week.

(Episode Runtime: 9:03)

Direct YouTube Link: http://www.youtube.com/watch?v=XrEEO7S1mn8

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Announces Fireware XTM and WSM v11.6.3

Available for All XTM Appliances

WatchGuard is excited to announce the general release of Fireware XTM v11.6.3 and WatchGuard System Manager v11.6.3. This release demonstrates our continuing commitment to delivering high quality products to our customers, with a significant number of bug fixes and support for a couple of key enhancements.

You can install Fireware XTM OS v11.6.3 on any WatchGuard XTM device, including 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050, and XTM 2050 devices.

11.6.3 includes a large number of bug fixes, covering many different areas of Fireware and WSM. For more information, see the Resolved Issues section of our Release Notes.

In addition to bug fixes, this release enables support for WatchGuard’s new RapidDeploy feature. With RapidDeploy, network administrators who manage distributed enterprises can easily activate and deploy XTM devices in remote locations without the need for dedicated IT staff available at the site — saving time and money.

Note: RapidDeploy only works with XTM devices that ship with Fireware XTM v11.6.3 or higher pre-installed. A RapidDeploy-capable device will have a cloud “Ready” sticker on its shipping carton.

We’ve also added automatic feature key synchronization as a new option for all XTM devices. You can configure your appliance to automatically download the latest feature key when it’s close to expiration.

For more information about the enhancements included in Fireware XTM v11.6.3, see the “What’s New in Fireware XTM v11.6.3” [PPT file] PowerPoint presentation.

Does This Release Pertain to Me?

If you have an XTM Series appliance and wish to take advantage of the latest fixes or enhancements, you should upgrade to version 11.6.3. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM Series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. The 11.6.3 Release Notes include clear upgrade instructions. Finally, 11.6.3 is an XTM Series-only release, and does not work on e-Series appliances.

As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Adobe Patch Day: Flash and ColdFusion Updates

Severity: High

Summary:

  • These vulnerabilities affect: Flash Player and ColdFusion 10
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released two security bulletins, describing vulnerabilities in their Flash Player and ColdFusion products.

Adobe Patch Day: December 2012

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:

  • APSB12-27: Flash Player Code Execution Vulnerabilities

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe’s bulletin describes three vulnerabilities in Flash Player 11.5.502.110 and earlier for all platforms. The three flaws consist of various buffer overflow and memory corruption flaws, all of which attackers can leverage to execute arbitrary code. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe assigns these flaws its highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 (Patch within 72 hours)

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from what Adobe only describes as “a sandbox permissions violation in a shared hosting environment.” The bulletin shares very little about the scope of this flaw (CVE-2012-5675), so we’re unsure how easy or hard it is for attackers to leverage. Adobe rates it as a Priority 2 issue, which is essentially their medium severity rating.

Adobe Priority Rating: 2 (Patch within 30 days)

Solution Path:

Adobe has released updates for all their affected software. If you use Flash Player or ColdFusion, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Malformed Fonts and Filenames Mangle Windows

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: Multiple vectors of attack, including enticing users to view maliciously crafted fonts or to view directories with specially crafted files or folder names
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities that affect Windows. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-078: Two Windows Font Handling Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level, and plays a part in font handling. This kernel-mode driver suffers from two remote code execution vulnerabilities involving the way it handles TrueType (TTF) and OpenType (OTF) fonts. By enticing one of your users to view a specially crafted font, perhaps hosted at a malicious web site, an attacker could leverage either of these flaws to gain complete, kernel-level control of your computer. These are extremely risky issues, as you simply have to view something with an evil font to trigger them.

Microsoft rating: Critical

  • MS12-081: Windows Filename Parsing Flaw

Windows suffers from an unspecified vulnerability involving the way it parses specially malformed file or folder names. If an attacker can place a specially crafted file or folder onto your computer, or one of the shares you access, and she can lure you into viewing (not opening) that file or folder, she can exploit this flaw to execute code with your privileges. If you have local administrator privileges, the attacker would gain full control of Windows.

Microsoft rating: Critical

  • MS12-082: DirectPlay Buffer Overflow Vulnerability

DirectX is a multimedia development API, primarily used by programmers to make games for Windows and to handle multimedia. It includes DirectPlay, a DirectX networking protocol specifically used to create networked, multi-player games. DirectPlay suffers from a heap buffer overflow vulnerability involving its inability to properly handle specially formed Office documents. By enticing you to open an Office document with malicious embedded content, an attacker can exploit this flaw to execute code on your system, with your privileges. As always, if you are a local administrator it’s game over. This attack requires some user interaction, which somewhat mitigates its severity.

Microsoft rating: Important

  • MS12-083: IP-HTTPS Certificate Bypass Vulnerability

DirectAccess is a Microsoft-conceived, VPN-like feature that allows you to securely access your organization’s internal, private networks. It uses something called IP over HTTPS (IP-HTTPS) to create these secure connections. IP-HTTPS doesn’t properly check the validity of certificates. Specifically, it doesn’t recognize revoked certificates. If an attacker has access to one of your revoked certificates, he can use it to bypass the security of DirectAccess.

Microsoft rating: Important
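To make concrete what a revocation check adds, here is an added Go example (not code from the bulletin, from Microsoft, or from WatchGuard) that builds a throwaway CA, a client certificate and a CRL in memory, then runs two separate checks: VerifyChain, the signature-and-validity check a TLS stack performs by default, and CheckRevocation, which consults the CRL. The CA name, serial numbers and the TestPKI/BuildPKI helpers are all constructed for the demo. The point is that a revoked certificate passes the first check and fails only the second, which is exactly the step the bulletin says IP-HTTPS skipped.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a throwaway CA, one client certificate and a CRL signed by that CA (all constructed for this demo).
type TestPKI struct {
	CA, Leaf *x509.Certificate
	CRLDER   []byte
}

// newCert generates a P-256 key and a certificate for tmpl; parent/signer are the issuer (self-signed when parent is nil).
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI issues the client certificate and, when revokeLeaf is true, puts its serial number on the CA's CRL.
func BuildPKI(revokeLeaf bool) (*TestPKI, error) {
	now := time.Now()
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo DirectAccess CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign a CRL
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "laptop-17 (demo client)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	var revoked []pkix.RevokedCertificate
	if revokeLeaf {
		revoked = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: revoked,
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &TestPKI{CA: ca, Leaf: leaf, CRLDER: crlDER}, nil
}

// VerifyChain is what a TLS stack does by default: signature, validity window and
// extended key usage. It never looks at a CRL, so a revoked certificate still passes.
func VerifyChain(p *TestPKI) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// CheckRevocation is the missing step: confirm the CRL is signed by the issuer and
// still current, then refuse any serial number listed on it.
func CheckRevocation(p *TestPKI, now time.Time) error {
	rl, err := x509.ParseRevocationList(p.CRLDER)
	if err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(p.CA); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(rl.NextUpdate) {
		return errors.New("CRL is stale; failing closed") // an expired CRL proves nothing
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.Leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", rc.SerialNumber, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// ValidateClient accepts the certificate only when both checks pass.
func ValidateClient(p *TestPKI) error {
	if err := VerifyChain(p); err != nil {
		return err
	}
	return CheckRevocation(p, time.Now())
}
```

Run BuildPKI(false) and BuildPKI(true) through ValidateClient to see the two outcomes. CheckRevocation also fails closed when the CRL is past its NextUpdate, because an expired CRL says nothing about certificates revoked after it was issued; accepting a stale list would quietly recreate the same bypass.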

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed new signatures, which can detect and block many of these new Windows-related vulnerabilities:

  • EXPLOIT Microsoft Open Type Font Parsing Vulnerability (CVE-2012-2556)
  • EXPLOIT Microsoft Windows Filename Parsing Vulnerability (CVE-2012-4774)

Your appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways. We still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Nasty RTFs Nudge Word Into Submission

Severity: High

Summary:

  • These vulnerabilities affect: Word (and Office) 2003 through 2010 for Windows (and related components)
  • How an attacker exploits it: By enticing one of your users to open a malicious RTF document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft’s Word update as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing a serious security vulnerability in the Windows version of Word, part of the Microsoft Office package. The flaw doesn’t affect the Mac versions, but does affect the Word Viewer and Office Compatibility Packs.

The vulnerability stems from an unspecified memory corruption flaw having to do with how Word handles rich text format (RTF) documents. If an attacker can entice one of your users into downloading and opening a maliciously crafted RTF document, he can exploit the flaw to execute code on that user’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path:

Microsoft has released Word and Office updates to correct these vulnerabilities. If you use Office or Word, download, test, and deploy the appropriate updates as quickly as possible, or let Windows Update do it for you.

You’ll find links to these updates in the “Affected and Non-Affected Software” section of Microsoft’s Word bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a signature, which detects and blocks this Word RTF vulnerability:

  • EXPLOIT Microsoft Word RTF listoverridecount Remote Code Execution Vulnerability (CVE-2012-2539)

Your appliance should get this new IPS update shortly.

You can also configure WatchGuard devices to block RTF documents. However, this will block all RTFs, whether legitimate or malicious. If you decide you want to block them, the links below contain instructions that will help you configure your proxy’s content-blocking features for your device:
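If you do decide to block RTF at the proxy, the practitioner’s caveat is that Word recognizes RTF by its header, not by its extension, so a filter keyed on “.rtf” alone lets a renamed file through. The following Go program is an added example, not WatchGuard code and not a description of how the XTM proxy matches content: it classifies a batch of constructed sample files by the “{\rtf” signature as well as by extension, and reports which ones a content filter would drop. The file names and contents are made up for the demo.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"strings"
)

// File is one transferred attachment: its declared name and its raw bytes.
type File struct {
	Name    string
	Content []byte
}

// Verdict is what a content filter would log for one file.
type Verdict struct {
	Name   string
	Block  bool
	Reason string
}

// Every RTF document opens with the group "{\rtf" followed by a version digit
// (almost always "{\rtf1"). Word sniffs this header and parses the file as RTF
// whatever its extension, so a filter keyed on ".rtf" alone is incomplete.
var rtfMagic = []byte(`{\rtf`)

// looksLikeRTF reports whether the bytes carry an RTF header. Leading
// whitespace is tolerated because some generators emit a newline first.
func looksLikeRTF(content []byte) bool {
	trimmed := bytes.TrimLeft(content, " \t\r\n")
	if !bytes.HasPrefix(trimmed, rtfMagic) {
		return false
	}
	rest := trimmed[len(rtfMagic):]
	return len(rest) > 0 && rest[0] >= '0' && rest[0] <= '9'
}

// ClassifyRTF combines the declared extension with what the bytes actually say.
func ClassifyRTF(name string, content []byte) Verdict {
	ext := strings.ToLower(path.Ext(name))
	switch byContent := looksLikeRTF(content); {
	case byContent && ext == ".rtf":
		return Verdict{name, true, "RTF document"}
	case byContent:
		return Verdict{name, true, fmt.Sprintf("RTF header behind a %q extension", ext)}
	case ext == ".rtf":
		// Extension says RTF but the bytes do not: the block is meant for RTF
		// content, so report the mismatch instead of dropping the file.
		return Verdict{name, false, ".rtf extension without an RTF header (logged only)"}
	default:
		return Verdict{name, false, ""}
	}
}

// BlockedNames runs the classifier over a batch and returns, in input order,
// the names the filter would drop.
func BlockedNames(files []File) []string {
	var blocked []string
	for _, f := range files {
		if ClassifyRTF(f.Name, f.Content).Block {
			blocked = append(blocked, f.Name)
		}
	}
	return blocked
}

// SampleFiles are constructed inputs for the demo, not real attachments.
func SampleFiles() []File {
	return []File{
		{"memo.rtf", []byte(`{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}Hello}`)},
		{"invoice.doc", []byte("\r\n{\\rtf1\\ansi renamed to look like a binary .doc}")},
		{"report.docx", []byte("PK\x03\x04 zipped OOXML container")},
		{"notes.rtf", []byte("plain text wearing the wrong extension")},
	}
}

func main() {
	for _, f := range SampleFiles() {
		v := ClassifyRTF(f.Name, f.Content)
		fmt.Printf("%-12s block=%-5v %s\n", v.Name, v.Block, v.Reason)
	}
}
```

Of the four constructed samples, memo.rtf and invoice.doc are blocked (the second because its bytes are RTF despite the .doc name), report.docx passes, and notes.rtf is only logged. The version-digit check after the signature keeps the match strict enough that a stray “{\rtf” inside an unrelated text file is not enough on its own.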

Status:

Microsoft has released Word updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Avoid Drive-by Downloads; Patch IE

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing three new security vulnerabilities affecting Internet Explorer (IE). Technically, the new vulnerabilities seem only to affect IE 9 and 10, yet Microsoft has released the cumulative update for all versions. They rate this update as Critical.

Similar to last month, all three of these security flaws are “use after free” vulnerabilities, which are types of memory corruption flaws that attackers can leverage to execute arbitrary code. They all have to do with how IE handles various HTML objects. If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like more technical detail about these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Details aside, all of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws may affect you even when visiting legitimate, trusted web sites. If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a new signature, which can detect and block at least one of these new IE vulnerabilities:

  • WEB-CLIENT Microsoft Internet Explorer Improper Ref Counting Use After Free (CVE-2012-4787)

Your appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Exchange Server Code Execution and DoS Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Exchange Server 2007 and 2010
  • How an attacker exploits them: By enticing an email user to preview a specially crafted email attachment or to visit a malicious RSS feed.
  • Impact: An attacker can execute code with the restricted privileges of the LocalService account, or crash your email server
  • What to do: Deploy the appropriate Exchange Server update as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Microsoft Exchange is one of the most popular email servers used today. Today’s Exchange bulletin describes two Critical security vulnerabilities. We highlight these flaws below:

  1. The first is another remote code execution vulnerability in Oracle’s Outside In technology. In our last Exchange alert, we described a feature called WebReady Document Viewing, which allows your email users to preview attached documents as web pages. Exchange leverages Oracle’s Outside In technology to parse these documents and provide these previews. Today’s update fixes more Oracle Outside In vulnerabilities similar to the ones we described in August. In a nutshell, if an attacker can entice one of your email users to preview a specially crafted attachment, he can exploit these flaws to execute code directly on your Exchange server. Luckily, the code only executes with the permissions of the LocalService account, which has limited privileges.
  2. Exchange also suffers from a Denial of Service (DoS) flaw related to how it handles specially crafted RSS feeds. If an attacker can lure one of your users into subscribing to a specially malformed RSS feed, he could cause your email server to stop responding, which would have significant business impact. Worse yet, Microsoft warns Exchange could also dismount its database, possibly leading to mailbox and database corruption.

If you manage an Exchange server, we recommend you update immediately. However, we always recommend you test server patches before applying them to production servers.

Solution Path:

Microsoft has released Exchange updates to correct these vulnerabilities. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s Exchange bulletin.

For All WatchGuard Users:

If you like, you can configure WatchGuard’s security appliances to block or strip the document types necessary for attackers to exploit these vulnerabilities. However, some of the affected documents include ones that most administrators prefer to allow, such as Word and PDF documents. Therefore, we recommend you apply the patches instead.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

Microsoft Black Tuesday: Patch Before the Holidays

If you’re anything like me, your late December schedule is quickly filling with holiday parties, family activities, and seasonal days off. This means if you want to secure your Microsoft environment before the end of the year, you better get started earlier rather than later.

Today, Microsoft released seven security bulletins fixing at least 11 vulnerabilities in many of their products, including:

  • Windows (all versions)
  • Internet Explorer (IE)
  • Word (part of Office)
  • and Exchange Server

They rate five of the bulletins as Critical, and the rest as Important. For more details, check out their December bulletin summary, or wait for our detailed alerts.

If I were to pick the order you patched, I’d start with the Exchange update since you need to protect your public servers, follow with the IE patch since attackers like drive-by downloads, fix the Word flaw to avoid targeted phishing attacks, and end with the Windows updates in order of severity… but that’s just me.

In any case, you should download, test, and deploy Microsoft’s updates as soon as possible. If you don’t have time to test everything, at least take the time to test the Exchange update, as you don’t want your production email server suffering any downtime.

I’ll post more detailed alerts throughout the day, but until then feel free to refer to Microsoft’s December bulletin matrix below.  — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day: December 2012
