Archive | April, 2013

WatchGuard Security Week in Review: Episode 61 – InfoSec UK 2013

AP Twitter Hack, Serial Offenders, and InfoSec UK

This week’s security highlights video comes a bit early due to my travels in London to attend InfoSec UK.

If you’re looking for a quick summary of the week’s top security news, this is the vlog for you. In today’s video, I share a few themes from the biggest security conferences in Europe, news of the AP Twitter feed hijack, warnings of a new Java exploit, and information about industry-wide flaws affecting serial port servers. Watch for all the details, and check the Reference section below for other interesting stories from the week.

(Episode Runtime: 7:35)

Direct YouTube Link: http://www.youtube.com/watch?v=pWAMN7j0yyg

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 60 – Oracle CPU

Router Hacks, WordPress Attack, and Huge Oracle Update

During a week of such tragedy, it’s hard to give much thought to network and information security (InfoSec). Yet, we must stay vigilant, lest abhorrent cyber criminals leverage such tragedies against us in social networking campaigns.

In this week’s InfoSec news summary, I cover Oracle’s quarterly Critical Patch Update (CPU), a research project that uncovered vulnerabilities in consumer routers, a WordPress password cracking botnet, and how scammers are exploiting this week’s tragedies in their spam campaigns. Watch the video below for the highlights and some defensive tips.

As an aside, I will be traveling next week so I may not post the weekly video at its normal time.

(Episode Runtime: 7:38)

Direct YouTube Link: http://www.youtube.com/watch?v=Mvikhwg12k8

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 59 – Android PlaneSploit

CISPA, Game Dev Breaches, and Android Plane Hack

Though I’m traveling in Singapore for a security conference, I still found a few spare minutes for my weekly InfoSec news summary. This week I cover some Bitcoin mining malware, CISPA returning from the ashes, some game related network attacks, and most interestingly, an Android smartphone hacking an airplane. For the details, watch the video below.

By the way, I apologize for the shaky camera. I forgot my tripod on this trip and shooting video with a busy schedule has its challenges. Don’t forget to check out the Reference section if you want to learn more.

(Episode Runtime: 7:53)

Direct YouTube Link: http://www.youtube.com/watch?v=8tke-MEdmtA

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

[Friday Fun] WatchGuard’s Security Shop Music Video

First, a fair warning. This post serves no practical purpose, and is just for your entertainment. If you only visit this blog for practical security news and alerts, and you don’t have time for a bit of fun right now, feel free to skip this post. That said, you might find it entertaining, and it does still carry a security theme.

WatchGuard’s a great place to work. To me, one of the most important attributes of a good workplace is great people, and at WatchGuard we have those in spades. Recently, a talented and creative subset of those WatchGuard employees wrote and performed a parody version of Macklemore’s popular Thrift Shop rap. If you haven’t heard of Macklemore, he’s a Seattle-based rapper who recently rocked the Billboard charts with his budget-shopper rap anthem. We thought, what better way to celebrate Macklemore’s success than making our own tongue-in-cheek security tune in his honor? Radio Free Security listeners have already heard this track, but today we bring you the full music video. If you’re up for some InfoSec-themed cheesy fun, watch below.

As an aside, I’m traveling in Singapore this week to speak at security conferences. As a result, I will post the regular WatchGuard Security Week in Review video later than usual. You can expect the “on the road” edition of our weekly video either late Friday or early Saturday. Have a great weekend! — Corey Nachreiner, CISSP (@SecAdept)

(Lyrics below, 3:08 runtime)

---- LYRICS ----

Hey, Jackson! Can we go to WatchGuard?

(Chorus)
I’m gonna block some spam,
Only got one product plugged in the socket
I-I-I’m secure, protected by WatchGuard,
This is freakin awesome!

(Verse 1)
Nah, walk up to the conference like, “what up I got a huge stock”
Got the channel so pumped about the product that we got
Walkin’ n roamin’ round, people tryna come see
All they say is, “damn, that’s a cool ass AP”
Connecting consoles all over like a fiend
APs be all white, cept those LEDs, flashin’ green!
Competitors sweatin’ cuz all their products are cheap plastic
Probably shoulda copied us, everyone thinks ours are fantastic!
(Crissssppppp)
But snaps, not everyone can be WatchGuard! (Trrrruuuuu!)

(Chorus)
I’m gonna block some spam,
Only got one product plugged in the socket
I-I-I’m secure, protected by WatchGuard,
This is freakin awesome!

(Verse 2)
What you know about rockin’ our products for a bargain?
No one can come close, not even by a large margarine.
I’m digging, I’m digging, im searching through the interwebz
One shady website is another man’s privacy!
Thank your granddad’s messin’ with your personal computer
Cleaning up all this Phishing is enough to confuse sea birds (seagull Caws “caw caw”)
So I’m in Sea town, you can find me in the ID (Food Chainz!)
Looking up new threats like a W.G. should properly
Your grammy, your aunty, your momma, your mammy,
I’ll block them malwares and burn up those spammies, first hand, I’ll rock those suckas brotha!
The built in UTM with the anti-virus on that motherboard haha, (match the pitch of the song w/ laugh)
I hit the power on and they stop those viral suckas
Good deals, WatchGuard Tech! Yeah!

(Chorus)
I’m gonna block some spam,
Only got one product plugged in the socket
I-I-I’m secure, protected by WatchGuard,
This is freakin awesome!

(Bridge) 2x
I’ll protect your security codes
I look through LAN cables
While you drinks rootbeer floats
We got your back like a bar of soap

(Chorus)
I’m gonna block some spam,
Only got one product plugged in the socket
I-I-I’m secure, protected by WatchGuard,
This is freakin awesome!

— Is that your new Firebox?

Adobe Patch Day: Patches for Flash, Shockwave, and ColdFusion

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Flash Player, Shockwave Player, and ColdFusion
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released three security bulletins describing vulnerabilities in Flash Player, Shockwave Player, and ColdFusion. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day: April 2013

  • APSB13-11: Four Flash Player Memory Corruption Flaws

Adobe’s bulletin describes four vulnerabilities in Flash Player running on all platforms. More specifically, the flaws consist of various memory corruption and integer overflow flaws. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe assigns these flaws its highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

  • APSB13-12: Four Shockwave Player Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin describes four security vulnerabilities that affect Shockwave Player running on Windows and Macintosh computers. All of the flaws consist of memory corruption issues (one being a buffer overflow) that share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB13-10: Two Unspecified ColdFusion Vulnerabilities

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from two security vulnerabilities that Adobe does not describe in much technical detail. They describe one flaw as a vulnerability that allows an attacker to impersonate an authenticated user (CVE-2013-1387), and the other as a flaw that could allow an unauthenticated attacker to gain access to the administrative console. Other than that, the bulletin shares very little about the scope or impact of these flaws, so we’re unsure how easy or hard it is for attackers to leverage them. Adobe rates both vulnerabilities as Priority 2 issues, which is essentially their medium severity rating.

Adobe Priority Rating: 2 (Patch within 30 days)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome, its bundled copy of Flash Player is updated with the browser, so you’ll have to update Chrome separately.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Shockwave files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block Flash or Shockwave content via the Web or email, see our manual for details on how to configure content filtering in our proxy policies.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

SharePoint Suffers from XSS and Information Disclosure Flaws

Summary:

  • These vulnerabilities affect: SharePoint Server, Groove Server, Office Web Apps, and InfoPath 2010, which are all part of Microsoft’s Office family of products
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious link, or by visiting a specific address on a vulnerable server
  • Impact: In the worst case, an attacker can elevate their privileges, gaining the ability to do anything the victim can on the affected server.
  • What to do: Install the appropriate updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two Office-related security bulletins describing vulnerabilities found in SharePoint, SharePoint Foundation, Groove, Office Web Apps, and InfoPath, all part of Microsoft’s Office family of products. Microsoft rates both bulletins as Important. We summarize them below:

  • MS13-030:  SharePoint Information Disclosure Flaw

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint Server 2013 does not apply the proper access controls to a SharePoint list, which means any SharePoint user can gain access to items in the list, even if the list owner did not intend that user to have access. However, in order to exploit this flaw, the attacker needs valid credentials on your SharePoint Server, and needs to know the specific URL for the SharePoint list in question. These factors significantly mitigate this vulnerability, limiting it primarily to an internal risk.

Microsoft rating: Important.

  • MS13-035: SharePoint and Office Server XSS Vulnerability

SharePoint (and other Office-related servers like InfoPath and Groove) also suffers from an unspecified Cross-Site Scripting (XSS) vulnerability that could allow an attacker to elevate his privileges. By enticing one of your users to click a specially crafted link, an attacker could exploit this flaw to gain that user’s privileges on your SharePoint server. This means the attacker could view or change all the documents that user could. This flaw only affects the 2010 versions of these Office servers.

Microsoft rating: Important

Solution Path

Microsoft has released patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate ones as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

WatchGuard’s Intrusion Prevention services can sometimes prevent web application attacks like the XSS one described today. For instance, our IPS signature team has developed a new signature that can detect and block the HTML Sanitization XSS attack affecting SharePoint and other Office-related servers:

  • WEB-CLIENT Microsoft IE HTML Sanitization Vulnerability (CVE-2013-1289)

Your XTM appliance should get this new IPS update shortly. Nonetheless, attackers can still exploit these flaws locally, so we still recommend you install Microsoft’s updates.

Status:

Microsoft has released SharePoint and related Office server updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Windows Updates Fix Critical RDC Flaw, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and some of the components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including luring users to web sites with malicious code or sending specially crafted network packets
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Update do it for you.

Exposure:

Today, Microsoft released six security bulletins that describe around ten vulnerabilities affecting Windows or components related to it, such as Remote Desktop Client, Active Directory, and the Antimalware Client (part of Windows Defender in Windows 8). Each of these vulnerabilities affects different versions of Windows to varying degrees. A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates, especially the critical ones, as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-029: Remote Desktop Client Code Execution Vulnerability

Remote Desktop Protocol (RDP) is a Microsoft networking protocol that allows you to view and control the desktop of one Windows computer from another networked computer. Windows ships with the Remote Desktop Client to support this functionality. According to Microsoft, an ActiveX control the Remote Desktop Client uses suffers from a “use after free” vulnerability, which remote attackers can exploit to execute arbitrary code on your system. The attacker would simply have to entice you to a web site containing malicious code to trigger the flaw. As is typical with Windows vulnerabilities, the attacker would gain your privileges, and if you’re a local administrator that means full control of your system.

Microsoft rating: Critical

  • MS13-031: Two Kernel Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. The Windows kernel suffers from two race condition vulnerabilities, which attackers can leverage to elevate their privileges. Though the flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could exploit either flaw to gain complete control of your PC. However, the attacker would first need to gain local access to your Windows computer using valid credentials. This factor significantly reduces the severity of the issue.

Microsoft rating: Important

  • MS13-032: Active Directory Memory Consumption Flaw

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with server versions of Windows. AD suffers from a memory consumption vulnerability having to do with its inability to properly handle specially crafted LDAP queries. By sending a malicious LDAP query to an AD server, an attacker can exploit this flaw to force the server’s LDAP service to stop responding, putting it into a Denial of Service (DoS) state. However, administrators typically limit LDAP access to their local network, so this vulnerability primarily poses an internal threat.

Microsoft rating: Important

  • MS13-033: CSRSS Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from a local privilege elevation issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

  • MS13-034: Antimalware Client Elevation of Privilege Vulnerability

The Antimalware Client is a free host-based security program that does just what you’d expect: it protects Windows systems from malicious software (viruses, worms, trojans, etc.), loosely known as malware. It ships with Windows Defender, which comes with Windows 8. It also suffers from a local privilege elevation issue having to do with its inability to handle improper pathnames. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the risk of this flaw. This issue primarily affects Windows 8 computers.

Microsoft rating: Important

  • MS13-036: Multiple Kernel-Mode Driver Vulnerabilities

As mentioned above, the kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from five different privilege elevation vulnerabilities. The vulnerabilities differ technically but share the same scope and impact. By running a specially crafted program, a local attacker can leverage any of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of these issues.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed a new signature that can detect and block the Remote Desktop Client vulnerability described above:

  • WEB-ACTIVEX Microsoft RDC ActiveX Control Remote Code Execution Vulnerability (CVE-2013-1296)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

“Use After Free” Flaws: A New Theme for IE Vulnerability

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a malicious web page
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing two new security vulnerabilities affecting Internet Explorer (IE). Similar to the flaws in last month’s update, both of these vulnerabilities are what developers call “use after free” vulnerabilities – a type of memory corruption flaw that attackers can leverage to execute arbitrary code. This class of vulnerability seems to be a theme for IE lately, since Microsoft has been fixing IE use after free flaws quite a bit over the last few months.
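To make the “use after free” pattern concrete, here is an added example (not code from the original post, from Microsoft, or from WatchGuard) that models the bug class behind both today’s IE flaws and the MS13-029 Remote Desktop ActiveX flaw: a dispatcher holds a raw pointer to an object, a callback running in the middle of the operation frees that object and allocates attacker-controlled data in its place, and the dispatcher then follows the stale pointer into attacker-chosen memory. The heap is a deliberately tiny single-slot allocator so the reuse is deterministic and the program stays within defined behaviour; the generation-checked handle in the hardened version is one illustrative mitigation, not a description of Microsoft’s actual fix.

```c
/* Added example: use-after-free in a callback-driven dispatcher, vulnerable
 * and hardened. Not from the original post; the toy allocator, Element type
 * and generation-handle scheme are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct Element {
    void (*on_event)(struct Element *self); /* the "virtual call" an attacker wants to hijack */
    int id;
} Element;

/* Toy heap: one reusable slot, so a freed block is handed straight back to the
 * next same-size allocation. Real allocators do this often enough that
 * exploits rely on it (heap spraying / feng shui). Nothing here is ever really
 * freed, so the demo has no undefined behaviour. */
static Element slot_mem;
static int slot_in_use = 0;

static Element *toy_alloc(void) {
    if (slot_in_use) return NULL;
    slot_in_use = 1;
    memset(&slot_mem, 0, sizeof slot_mem);
    return &slot_mem;
}
static void toy_free(Element *e) { (void)e; slot_in_use = 0; }

/* Which handler ran: 0 = none, 1 = legitimate, 2 = attacker's */
static int last_called = 0;
static void legit_handler(Element *e)    { (void)e; last_called = 1; }
static void attacker_handler(Element *e) { (void)e; last_called = 2; }

/* VULNERABLE: raw pointer kept across a callback that may free the object
 * (think script running during a DOM event, or a control being torn down). */
int vulnerable_dispatch(void) {
    Element *el = toy_alloc();
    el->id = 1;
    el->on_event = legit_handler;

    /* Attacker-influenced code runs mid-dispatch: removes the element, then
     * allocates a same-size object whose contents it controls. */
    toy_free(el);
    Element *sprayed = toy_alloc();       /* same address as el */
    sprayed->on_event = attacker_handler;

    last_called = 0;
    el->on_event(el);                     /* stale pointer: attacker's slot wins */
    toy_free(sprayed);
    return last_called;                   /* 2 */
}

/* HARDENED: callers hold a handle carrying the slot's generation. Every free
 * bumps the generation, so a stale handle fails validation even after the
 * slot is reused. Reference-counting the object across the callback is the
 * other common fix; either way, the dispatcher must re-validate after the
 * callback instead of trusting a pointer it took before it. */
typedef struct { uint32_t gen; } Handle;
static uint32_t slot_gen = 1;             /* gen 0 is never valid */

static Handle h_alloc(void) {
    Handle h = {0};
    if (toy_alloc()) h.gen = slot_gen;
    return h;
}
static Element *h_get(Handle h) {
    return (slot_in_use && h.gen == slot_gen) ? &slot_mem : NULL;
}
static void h_free(Handle h) {
    if (h_get(h)) { toy_free(&slot_mem); slot_gen++; }
}

int hardened_dispatch(void) {
    Handle h = h_alloc();
    h_get(h)->id = 1;
    h_get(h)->on_event = legit_handler;

    h_free(h);                            /* callback removes the element */
    Handle sprayed = h_alloc();           /* attacker reuses the slot... */
    h_get(sprayed)->on_event = attacker_handler;

    last_called = 0;
    Element *el = h_get(h);               /* ...but the stale handle no longer resolves */
    if (el) el->on_event(el);
    h_free(sprayed);
    return last_called;                   /* 0: nothing ran on the dead object */
}

int main(void) {
    printf("vulnerable: handler %d ran (2 = attacker)\n", vulnerable_dispatch());
    printf("hardened:   handler %d ran (0 = none)\n", hardened_dispatch());
    return 0;
}
```

The point of the generation counter is not the counter itself but the discipline it enforces: any pointer obtained before a callback is treated as expired afterwards and must be looked up again. In a real engine the callback and the allocation are separated by a lot of code, which is why this class keeps recurring in browsers and ActiveX controls.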

In any case, if an attacker can lure one of your users to a web page containing maliciously crafted HTML, she could exploit either of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like more technical detail about either of these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technicalities aside, both of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws may affect you even when visiting legitimate, trusted web sites.

If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus services can often prevent the malware that drive-by download attacks try to force onto your computer. Furthermore, our Reputation Enabled Defense (RED) and WebBlocker service can often prevent your users from accidentally visiting malicious sites. Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Remote Desktop and IE Updates Top April’s Patch Day List

Unless you’re new to IT, you’re probably aware that today, the second Tuesday of the month, is Microsoft Patch Day.

As expected, Microsoft released nine security bulletins today, fixing 13 vulnerabilities across products like Internet Explorer (IE), Windows and its components, SharePoint Server, and a few other Office server products. The two worst, Critical-rated updates fix security problems in IE and the Remote Desktop Client (RDC) that ships with Windows (specifically, its ActiveX control). The vulnerabilities in both these products could help remote attackers launch drive-by download attacks. If an attacker can get your IE or RDC users to visit a specially crafted web site (or a legitimate, hijacked web site), they could leverage these flaws to execute arbitrary code with those users’ privileges. You should download, test, and apply these Critical updates as soon as you can, or let Windows’ automatic updater do it for you.

As an aside, some experts had expected today’s IE update to fix some publicly disclosed vulnerabilities from the recent Pwn2Own contest at a Canadian security conference. In their IE alert, Microsoft credits two Google security researchers for discovering the flaws they fixed today. However, the Pwn2Own IE 10 flaws were disclosed by different researchers from VUPEN. So it appears the Pwn2Own IE flaws are still open issues.

Microsoft also released seven other updates, which they rate as Important. While not as serious as the ones mentioned above, they all fix some relatively risky issues too. In general, I recommend you always install all of Microsoft’s monthly patches as quickly as you can. That said, be sure to at least test the server updates before deploying them to your production network.

I’ll post more detailed alerts about these security bulletins as the day progresses. Stay tuned. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Releases Fireware XTM 11.3.6 for e-Series Appliances

Available for Firebox X Peak, Core, and Edge e-Series appliances

WatchGuard is pleased to announce the general release of Fireware XTM v11.3.6. This release demonstrates our continuing commitment to delivering high quality products to our customers, with a significant number of bug fixes. You can install Fireware XTM OS v11.3.6 on any Firebox X e-Series device. There is no WatchGuard System Manager v11.3.6. We recommend that you use a later version of WatchGuard System Manager to manage Fireware XTM 11.3.6.

Fireware XTM 11.3.6 includes a large number of bug fixes, covering many different areas of Fireware. For more information, see the Resolved Issues section of our Release Notes.

For users of the spamBlocker subscription service, WatchGuard has switched to Mailshell as our new provider of spam detection technology. Mailshell scored highly in the most recent VBSpam Comparative Test, the industry’s leading independent testing program. In the testing, Mailshell’s filter accurately detected 99.84% of spam without a single false positive. This release also includes updates to the Mailshell engine based on feedback submitted after its first release with 11.7.2 for XTM appliances.

Does This Release Pertain to Me?

If you have an e-Series appliance and wish to take advantage of the latest updates, you should upgrade to version 11.3.6. Please read the Release Notes before you upgrade, to understand what’s involved. Users with XTM appliances should consider upgrading to more recent releases like 11.6.5 or 11.7.2.

How Do I Get the Release?

XTM e-Series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. The 11.3.6 Release Notes include clear upgrade instructions.

As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375