Archive | February, 2013

Another Abode Zero Day: Patch Flash

Summary:

  • This vulnerability affects: Adobe Flash Player  11.6.602.168 and earlier, running on all platforms
  • How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player (version 11.6.602.171 for PC and Mac)

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

In a security bulletin released yesterday, Adobe announced a patch that fixes three critical zero day vulnerabilities in their popular Flash Player; two of which attackers are currently exploiting in the wild.

The three vulnerabilities differ technically. For instance, one is a buffer overflow flaw and another is a sandbox bypass vulnerability. However, combined they share the same general impact. If an attacker can entice one of your users to visit a malicious website, or into handling specially crafted Flash (SWF of FLV) content, he could exploit these flaws to execute code on that user’s computer, with that user’s privileges. If your users have administrator privileges, the attacker could gain full control of their computers.

According to Abobe’s alert, the exploits for these vulnerabilities target the Firefox web browser running on Windows systems, which is why they rate this a “Priority 1” issue for Windows, and recommend you apply the updates as soon as possible (within 72 hours).   However, the vulnerability technically affects other platforms as well, so I recommend you update any Flash capable device as soon as you can.

Solution Path

Adobe has released new versions of Flash Player (11.6.602.171 for PC and Mac) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

  • Download Flash Player for your computer:
NOTE: Chrome ships with its own version of Flash, built-in. If you use Chrome as you web browser, you will also have to update it separately, though Chrome often receive its updates automatically.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extensionMIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify various Flash files:

File Extension:

  • .swf – Shockwave
  • .flv –  Adobe Flash file (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • application/x-shockwave-flash
  • application/x-shockwave-flash2-preview
  • application/futuresplash
  • image/vnd.rn-realflash

FILExt.com reported Magic Byte Pattern:

  • Hex SWF: 46 57 53
  • ASCII SWF: FWS

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives) 

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Adobe Reader X Update Corrects Zero Day Vulnerability

Severity: High

Summary:

  • These vulnerabilities affect: Reader X (and Acrobat) 11.0.0.1 and earlier running on all platforms
  • How an attacker exploits them: By tricking you into opening malicious PDF documents (or by visiting web sites hosting such documents)
  • Impact: In the worst case, an attacker can execute code on your computer with your privileges. If you are an administrator, they gain complete control
  • What to do: Install the appropriate Reader update immediately, or let Adobe’s updater do it for you.

Exposure:

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Last week, Adobe released a security bulletin fixing two zero day vulnerabilities in the popular Reader program. We first described these zero day vulnerabilities in a WatchGuard Security Week in Review episode earlier in the month. Though the two flaws may differ technically, they share the same general scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit either of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Since attackers are exploiting these flaws in the wild, Adobe has assigned them a Priority 1 rating; especially against Windows and Mac computers. We recommend you patch immediately, if you haven’t already

Solution Path:

Adobe has released Reader and Acrobat updates. We recommend you download and deploy the corresponding update immediately, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Though our IPS and AV services may help prevent some of these attacks, or the malware they try to load, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

WatchGuard Security Week in Review: Episode 52 – China APT1

China APT1 Attackers and Java 0day Breaches

Welcome to another week of InfoSec news. If you’re subscribed to the YouTube channel directly, you probably noticed I posted last week’s video late last Friday. Unfortunately, I was catching a plane at the time, so I decided to wait until today to post the video blog entry. If you missed any of last week’s big information and network security news, you’ve come to the right place.

This week’s “on the road” episode covers Apple and Facebook network compromises, the zero day Java exploit that caused them, and one security company’s research alleging the Chinese government is behind many recents advanced persistent threat (APT) attacks. I also recommend some critical updates for Windows, Linux, and OS X users, so make sure to watch below.

This week I’ll be attending the RSA security conference, and recording another episode on the go, which means I may also post next week’s episode earlier or later than normal depending on my travel and event schedule. Until then, thanks for watching and stay frosty out there.

(Episode Runtime: 6:39)

Direct YouTube Link: http://www.youtube.com/watch?v=MolGboEK7nE

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Apple and Facebook Breaches Result in Multi-Platform Java Updates

If you’re still using Java, you need to patch it yet again—even if you’re using a Mac.

Over the last few days both Facebook and Apple have reported network breaches. In both cases, employees at those companies visited a particular web site that was infected with a zero day Java exploit, which then infected the victims with malware. Though Facebook and Apple admit that they found malware on their systems, both claim that there is no evidence suggesting the attackers stole any sensitive customer data.

With all the zero day Java vulnerabilities we’ve reported recently, this probably doesn’t come as a huge surprise. Attackers are obviously targeting this popular web plugin. Yet, this incident is a very significant admission from Apple. Not only does it prove what security professionals have been arguing for years—that Macs aren’t immune from malware—but it demonstrates that even large enterprises, like Apple are suffering from cyber attacks.

Attack disclosures aside, both Oracle and Apple have released Java security updates as a result of these attacks. Despite just releasing an earlier Java update this month, Oracle released yet another emergency update on February 19th, fixing five more security vulnerabilities in Java. If you use Java on Windows, Linux, or Solaris computers, you should go get that update immediately. Apple also released their own Java update for OS X today. If you’re a Mac user,  you should also install either Java for OS X 2013-001 or Mac OS X v10.6 Update 13 immediately.

After repeated cases of zero day exploits over the past fews months, you’ve probably discerned that Java is very dangerous right now. Apparently, it is rife with security holes and there is no doubt that attackers have focused their efforts on finding them before Oracle does. I’ve said this before, but if there is any way you can live without Java on your computer, you should remove it. Frankly, this advice is easier said than done. Unfortunately, many business applications (even some security ones) rely on Java to function. These applications may prevent you from removing Java immediately. That said, with the current prevalence of Java attacks, perhaps it’s time to re-evaluate any applications that forces Java upon you.— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Reader 0day

Reader 0Day, Zombie Broadcast, and Bit9 Breach

Due to a busy work week, I was unable to create a fully produced InfoSec news summary video this week. I did post a very brief video (which you can find below), mostly to warn our YouTube subscribers about the missing episode. It contains very minimal detail about this week’s top security stories.

However, I won’t leave you hanging for your weekly security news fix. Below, you’ll find a bullet-list, which quickly summarizes many of this week’s most interesting Infosec news. See you next week.

  • Zero day Adobe Reader vulnerability – A security company, FireEye, discovered attackers exploiting a previously unknown vulnerability in Adobe Reader to install malware. Adobe hasn’t had time to fix it yet, but recommends you use “Protected View” mode to mitigate the issue. We’ll post more details when they patch.
  • President Obama signs cyber security executive order  – As many expected, President Obama signed a cyber security executive order this week that allows government organizations to share security intelligence with some private organizations  and asks critical infrastructure providers to up their security.
  • Bit9 breached and digital certificates stolen – A security company, Bit9, confirmed they were breached this week, and that attackers had stolen their digital certificates and used them to sign malware. Their excuse for the breach? They didn’t use their own product enough.
  • Hacked emergency broadcast system warns of zombie attack  – Folks in some Montana counties were surprise when their television emergency broadcast system warned of a zombie attack. Unsurprisingly, it turns out the system was hacked.
  • More Ruby on Rail vulnerabilities – Researchers have found more vulnerabilities, like SQL injections, in Ruby on Rails. If you are a web developer who uses this package, go patch.
  • Microsoft’s February Patch Day– As always, Microsoft released a bunch of security updates this week. They fixed flaws in Windows, Exchange, Internet Explorer, and a few lesser known products. I released details about the updates here, so hopefully you’ve already patched.
  • Adobe Flash and Shockwave updates – Adobe also released important Shockwave and Flash Player updates during Microsoft’s Patch Day. I talked about those earlier, too. Make sure to patch!
  • The dangers of losing your master password – A well-known security researcher, Jeremiah Grossman, shares a great anecdote on how very strong security practices can come back and bite you due to user error.

Direct YouTube Link: http://www.youtube.com/watch?v=wQP_5bXgHbg (Runtime: 2:08)

Extra Stories:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Shockwave and (More) Flash Updates

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Shockwave and Flash Player
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Yesterday, Adobe released two security bulletins describing vulnerabilities in both Shockwave and Flash Player. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

  • APSB13-06: Two Shockwave Player Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin describes two security vulnerabilities that affect Shockwave Player 11.6.8.638 and earlier for Windows and Macintosh (as well as all earlier versions). Both flaws consist of memory corruption vulnerabilities (one being a stack buffer overflow), which share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

Adobe Priority Rating: 2 for Windows (Patch within 30 days)

  • APSB11-21 : Flash Player Update Corrects 13 Security Flaws

Adobe Flash Player displays interactive, animated web content called Flash. A report from Secunia states that 99% of Windows computers have Adobe Flash Player installed, so you users very likely have it.

Adobe’s update fixes 17 security vulnerabilities in Flash Player (for Windows, Mac, Linux, and Android), which they only describe in minimal detail. The flaws include buffer overflow vulnerabilities,  “use after free” flaws, and other memory corruption issues. Though the vulnerabilities differ technically, most share the same scope and impact. In the worst case, if an attacker can lure one of your users to a web site with malicious Flash content, they could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged-in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.

Flash has suffered many zero day vulnerabilities recently. This is actually the second Flash update for the month; the last being an emergency update. Since attackers are exploiting these vulnerabilities actively, we highly recommend you patch immediately.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Shockwave files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block this Flash or Shockwave via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe  has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

FAST Search Server 2010 Flaws Likely Affect Few

Along with their more critical updates, Microsoft released a security bulletin describing flaws in their FAST Search Server 2010 for SharePoint (that is a mouthful of a product name). If you haven’t heard of FAST Search Server 2010 for SharePoint, it’s essentially an enterprise search platform for SharePoint and your intranet. My guess is only a small subset of Microsoft customer use it.

Anyway, the FAST Search Server 2010 suffers from the same Oracle Outside In vulnerabilities that we’ve described in previous Exchange alerts. These vulnerabilities include both code execution and Denial of Service (DoS) issues. Though remote code execution flaws sound pretty severe, there are a number of factors which significantly reduce the severity of these issues:

  1. I suspect few organizations use FAST Search Server 2010 with Sharepoint
  2. You are only affected by this flaw if you’ve enabled the Advanced Filter Pack (it’s disabled by default).
  3. The attacker needs access to SharePoint resources to upload a malicious file to leverage this flaw.

In a nutshell, I don’t think these FAST Search vulnerabilities will affect many people in the real-world, and likely pose little risk to most organizations. However, that’s not an excuse to skip the update. If you are one of the few that do use FAST Search Server 2012, you should apply Microsoft’s update at your earliest convenience, but give today’s early updates a higher priority. — Corey Nachreiner, CISSP (@SecAdept)

Windows Updates Fix a Wide Range of Security Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and some of the components that ship with it (such as DirectShow and the .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets, luring users to view malicious media or email, and so on
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released eight security bulletins that describe around 39 vulnerabilities affecting Windows or components related to it, such as the .NET Framework and DirectShow. Each of these vulnerabilities affects different versions of Windows to varying degrees.

A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-011: DirectShow Media Decompression Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams and files. It suffers from an unspecified vulnerability having to do with how it handles specially crafted media. By getting your users to interact with malicious media, an attacker could leverage this flaw to execute code on that user’s computer, with the user’s privileges. Attackers might lure users to their booby-trapped media by linking it as a direct download, embedding it in a document, or by hosting it as a malicious media stream.

Microsoft rating: Critical

  • MS13-020: Windows XP OLE Automation Vulnerability

Object Linking and Embedding (OLE) Automation is a Microsoft protocol which allows one application to share data with, or control, another application. It suffers from an unspecified remote code execution flaw having to do with how it parses maliciously crafted  RTF files. If an attacker can convince you to open or preview a specially crafted RTF file in Windows, he could exploit this flaw to execute code on your machine, with your privileges.  If you have administrative rights, the attacker would gain complete control of your computer. This flaw only affects Windows XP.

Microsoft rating: Critical

  • MS13-014: NFS Server DoS Vulnerability

Network File System (NFS) is an industry-wide protocol for sharing files and directories over a network. Windows Server software ships with NFS support to share files in mixed, Unix and Windows environments.

Windows’ NFS service suffers from something called a null dereference vulnerability, which attackers can leverage to cause a Denial of Service (DoS) condition on Windows servers. By attempting to rename a file or folder on a read-only share, an attacker could exploit this flaw to cause the server to stop responding or crash. However, a few factors mitigate the severity of this issue. Specifically, the flaw only affects servers with the NFS role enabled; the attacker needs access to an NFS share and legitimate credentials; and finally, most administrators don’t allow NFS access through their firewall.

Microsoft rating: Important

  • MS13-015: .NET Framework EoP Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.

The .NET Framework suffers from a technically complex elevation of privilege (EoP) vulnerability, where it unnecessarily elevates the permissions of a callback function when a .NET application creates a particular object. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit this flaw to execute code on that user’s computer with full system privileges. This flaw also can affect non-web .NET applications, which an attacker runs directly on a system. The good news is most versions of IE will either block or warn you about the particular web content (XBAP) attackers use to leverage this flaw, which significantly mitigates its risk.

Microsoft rating: Important

  • MS13-016: Multiple Kernel-Mode Driver Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers 30 race condition vulnerabilities. The vulnerabilities differ technically  but share the same scope and impact. By running a specially crafted program, a local attacker can leverage any of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of these issues.

Microsoft rating: Important

  • MS13-017 Kernel Elevation of Privilege Vulnerability

As mentioned above, the kernel is the core component of any computer operating system. The Windows kernel suffers from three vulnerabilities (two race conditions), which attackers can leverage to  elevate their privilege. By running a specially crafted program, a local attacker could exploit this flaw to gain complete control of your PC. However, the attacker would first need to gain local access to your Windows computer using valid credentials.

Microsoft rating: Important

  • MS13-018: Windows TCP/IP Stack  DoS Vulnerability

As you would expect, the Windows TCP/IP stack is a set of networking protocols that allows your computer to get on the Internet and participate in modern networking. Unfortunately, the Windows TCP/IP stack suffers from a DoS vulnerability involving the way it parses specially crafted packets.  In short, an attacker can lock or crash a Windows computer simply by sending it a sequence of specially crafted packets. Though Microsoft only rates this update as Important, attackers could repeatedly exploit it against your public Windows server, essentially knocking them offline. This could have serious implications for essential production servers. We recommend you test and apply this update immediately.

Microsoft rating: Important

  • MS13-019CSRSS Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from a local privilege elevation issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows, DirectShow (quartz.dll), and .NET Framework patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed new signatures that can detect and block the DirectShow Media Decompression and OLE Automation vulnerabilities. Your XTM appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Specially Crafted Attachments Can Crack Exchange Servers

Severity: High

Summary:

  • These vulnerabilities affect: Exchange Server 2007 and 2010
  • How an attacker exploits it: By enticing a user to preview a specially crafted email attachment using OWA
  • Impact: An attacker can execute code with the restricted privileges of the LocalService account
  • What to do: Deploy the appropriate Exchange Server update as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Microsoft Exchange is one of the most popular email servers used today. It includes many advanced features and capabilities. One such feature, called WebReady Document Viewing, allows your email users to preview attached documents as web pages. Exchange leverages Oracle’s Outside In technology to parse these documents and provide these previews.

According to today’s bulletin, Exchange suffers from two vulnerabilities related to Oracle’s Outside In; a remote code execution flaw and a Denial of Service (DoS) issue. Both vulnerabilities have to do with how WebReady Document Viewing parses certain files when showing previews. By enticing one of your web-based email users to preview an email with a specially crafted attachment, an attacker can exploit the worst of these flaws to execute code directly on your Exchange server. Luckily, the code only runs with LocalService account permissions, which has very limited privileges.

Also, this attack only works against victims who check and preview mail using Exchange’s Outlook Web App (OWA). If your users only get email from Exchange using email clients, and you don’t enable OWA, attackers may not be able to leverage this flaw against your server. However, we still recommend Exchange administrators update as soon as possible.

By the way, if this issue seems familiar to you, it’s because it is very similar to a previous Exchange WebReady Document Viewing issue from last year.

Solution Path:

Microsoft has released Exchange updates to correct these vulnerabilities. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s Exchange bulletin.

UPDATE: At least one of our readers has reported issues when trying to install the Exchange update. Be sure to test before pushing this to production.

For All WatchGuard Users:

Though you can configure 0ur XTM and XCS appliances to strip certain attachments from email, this sort of attack may arrive as many types of attachments, including ones you may want to allow for business. We recommend you apply the patches instead.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Two IE Bulletins Double the Browser Updates

Severity: High

Summary:

  • These vulnerabilities affect: Internet Explorer (IE) 10 and earlier
  • How an attacker exploits them: Typically, by enticing one of your users to visit a web page with malicious content
  • Impact: Various; In the worst case, an attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s Internet Explorer updates immediately, or let Windows Automatic Update do it for you

Exposure:

In a relatively unusual move, Microsoft released two Internet Explorer (IE) security bulletins today, rather than their typical single cumulative update. Combined, the two bulletins fix 14 vulnerabilities in the popular web browser, many of which allow attackers to execute code on vulnerable Windows systems.

We summarize the two bulletins below:

  • MS13-009: February IE Cumulative Update

This update fixes 13 vulnerabilities in IE, most of them being  “use after free” vulnerabilities similar to the ones Microsoft fixed with last month’s out-0f-cycle IE bulletin.  By luring one of your users to a web site containing malicious code, a remote attacker can exploit most of these vulnerabilities to execute code on your computer, with your privileges.  As always, if you have local administrator privileges, the attacker could exploit this issue to gain complete control of your computer.

Microsoft rating: Critical

  • MS13-010: VML Memory Corruption Vulnerability

Vector Markup Language (VML) is a graphics standard for creating 2D vector illustrations with XML files. The VML component in IE suffers from a memory corruption vulnerability having to do with how it allocates buffers. By enticing your users to a web site with specially crafted content, a remote attacker could exploit this flaw to execute code on that user’s computer, with the user’s privileges. Since most Windows users have local administrative privileges, this sort of attack often gives the attacker complete control of their computers.

Microsoft rating: Critical

Malicious hackers often leverage these types of vulnerabilities in drive-by download attacks, and they also target legitimate web sites and booby-trap them with malicious code. In other words, you can sometimes encounter these sorts of “drive-by download” attacks even while visiting trusted, legitimate web sites. We recommend you update your IE users immediately.

Solution Path:

These updates fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

That said, WatchGuard’s Gateway Antivirus and Intrusion Prevention Service can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS team has created signatures for  the following:

  • Various “use after free” vulnerabilities – CVE-2013-0018, CVE-2013-0019, CVE-2013-0020, CVE-2013-0021, CVE-2013-0022, CVE-2013-0023, CVE-2013-0024, CVE-2013-0025, CVE-2013-0026, CVE-2013-0027, CVE-2013-0028, CVE-2013-0029
  • JIS character encoding vulnerability – CVE-2013-0015
  • VML memory corruption vulnerability – CVE-2013-0030

These signatures will be available in our next IPS update, which should come out shortly. We highly recommend you enable our security services on your WatchGuard XTM and XCS appliances, and keep IPS and AV up to date.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

%d bloggers like this: