Archive | May, 2013

WatchGuard Security Week in Review: Ruby on Rails Botnet

Welcome to our weekly network and information security (Infosec) highlights. While I normally deliver these highlights in a short video, I’m currently attending WatchGuard’s 2013 Global Partner Conference, and couldn’t find the time to shoot this week’s episode. I’ll return to my regular programming cycle next week. Until then, here’s a written summary of the week’s security news.

Today’s stories include a Ruby on Rails exploit plaguing web servers, a new Windows zero day flaw, a Drupal.org user account leak, and much more. Read below for more details, and join us next week when the regular video returns:

  • Ruby on Rails exploit in the wild – During the past week, attackers have exploited a vulnerability in a popular web framework called Ruby on Rails to hijack web servers and force them to join a botnet. The flaw responsible for the hijackings was first discussed and patched back in January, but apparently many web administrators haven’t applied the patch yet. If you run a server with Ruby on Rails, make sure it’s up to date.
  • Google researcher discloses zero day Windows kernel-mode driver flaw – A Google security researcher named Tavis Ormandy disclosed a zero day vulnerability in the kernel-mode driver that could allow local attackers to gain full system privileges on Windows 7 and 8 computers (and perhaps earlier versions too). In his normal style, Ormandy released details and proof of concept (PoC) code for this flaw before giving Microsoft time to patch the issue. I’ve never personally liked Ormandy’s disclosure strategy, but he does find many security flaws. The good news is attackers can only exploit this flaw if they can run a program locally on the victim’s computer, or can trick one of your users into doing it for them. We’ll let you know when Microsoft patches.
  • Drupal.org breached and user accounts leaked – Like the many sites before them, Drupal.org was breached by an unidentified hacker who stole the user credentials, email addresses, and hashed passwords of millions of their users. They claim no financial information was stolen. If you have a Drupal account, change your Drupal password immediately (and hopefully you don’t use that password anywhere else).
  • Suspected game company hacker charged in Perth – A teenaged, Perth-based hacker who calls himself SuperDaE was charged this week in Australia with various computer-related offenses. SuperDaE claims to have breached many game companies, including Microsoft, Sony, Epic, and Blizzard. He also claims to have stolen game engine code, SDKs, and early information and details about Sony and Microsoft’s upcoming new consoles. Before his arrest, he threatened to release all this stolen information publicly if he wasn’t released at a certain time. The authorities haven’t shared much detail about the charges yet, but apparently SuperDaE is out on bail.
  • Chinese attackers alleged to steal U.S. weapon system designs – According to a report to the Pentagon from the Defense Science Board, alleged Chinese attackers breached private government networks and accessed the designs of two dozen weapon systems. The report doesn’t blame China outright, but contains language that suggests the attacks were part of a long-term Chinese cyber attack campaign. Other articles correctly point out that many of these reports lack evidence, and we should avoid knee-jerk reactions blaming China for every attack.
  • Financial service targeted with another huge DDoS attack – According to a DDoS vendor, hackers targeted an unnamed financial service with a 167Gbps DDoS attack. While not quite as large as the recent 300Gbps DDoS attack against Spamhaus, it’s further proof that DDoS attacks are getting bigger every day.
  • Anonymous-related Twitter feeds hijacked – In an ironic turn of events, a few Twitter feeds that promote the Anonymous hacktivist group have been hijacked by rivals.

— Corey Nachreiner, CISSP (@SecAdept)

Profiling Modern Hackers: Hacktivists, Criminals, and Cyber Spies. Oh My!

Sun Tzu, the renowned military strategist and author of The Art of War, was known for the saying, “Know thy enemy and know thyself, and you will not be imperiled in a hundred battles.” While the true intention of this quote is likely to remind us that knowing our own strengths and weaknesses is equally important to knowing those of our enemy, I can’t help but simplify it to the rudimentary, “know thy enemy.”

I suspect most security professionals, me included, spend much more time analyzing the technical and mechanical aspects of cyber crime than the social and psychological ones. We dissect attackers’ malware and exploit tools, analyze their code and exploit techniques, but don’t always study who they are and why they do what they do. According to General Tzu, this is a good way to lose many battles.

In order to better understand the nature of the cyber threat, security professionals need to act more like criminal investigators, and consider means, motive, and opportunity. We’ve got the means down (tools and techniques), but some of us may need to work a bit on motive. One of the ways to do that is to understand the different hacker profiles.

Over the last few years, the general hacker profiles and motives have changed quite a bit. We no longer live in a world of fame seeking hackers, script kiddies, and cyber criminals—there are some new kids on the block. It’s important for you to understand these motive and profile changes, since they dictate what different types of hackers are ultimately after, whom they target, and how they tend to do business. Knowing these things can be the key to helping you understand which of your resources and assets need the most protection, and how you might protect them.

With that in mind, I’d like to share some quick highlights about the three main types of attackers I think plague us today:

1. The Hacktivist

Simply put, hacktivists are politically motivated cyber attackers. We’re all familiar with traditional activists, including the more extreme ones. Over the past five years, activists have realized the power of the Internet, and have started using cyber attacks to get their political message across. A few examples of hacktivist groups include the infamous Anonymous, and the more recent Syrian Electronic Army. Most hacktivist groups tend to be decentralized and often not extremely organized. For instance, there can be cases where one faction of Anonymous may do things another faction doesn’t even agree with.

As disorganized as they may sound, these activist groups can cause significant problems for governments and businesses. They tend to rely on fairly basic, freely available “Skript Kiddie” tools. For instance, their most common weapon is a DDoS attack, using tools like HOIC or LOIC. However, the more advanced hacktivists also rely on web application attacks (like SQLi) to steal data from certain targets, with the goal of embarrassing them—something they like to call Doxing.

While hacktivists are arguably the least worrisome of today’s attackers, they still have succeeded in causing havoc for many big companies and governments. Since these hacktivists’ political agendas vary widely, even small businesses can find themselves a target depending on the business they are in or partnerships they have.

2. Cyber Criminals

You’re probably most familiar with the cyber criminal hacker profile, since they’ve been around longer than the other two. This group’s motive is pretty obvious: to make money using any means necessary.

Cyber criminal groups can range from a few lone actors who are just out for themselves, to big cyber crime organizations, often financed and headed by traditional criminal organizations. They are the group of hackers responsible for stealing billions of dollars from consumers and businesses each year.

These criminal attackers participate in a rich underground economy, where they buy, sell and trade attack toolkits, zero day exploit code, botnet services, and much more. They also buy and sell the private information and intellectual property they steal from victims. Lately, they’re focusing on web exploit kits, such as Blackhole, Phoenix, and Nuclear Pack, which they use to automate and simplify drive-by download attacks.

Their targets vary from small businesses and consumers, whom they attack opportunistically, to large enterprises and industry verticals, whom they target with specific goals in mind. In a recent attack on the banking and credit card industry, a very organized group of cyber criminals was able to steal 45 million dollars globally from ATMs, in a highly synchronized fashion. The attack was made possible due to an initial, targeted network breach against a few banks and a payment processor company.

3. Nation States (or State-Sponsored Attackers)

The newest and most concerning threat actors are the state-sponsored cyber attackers. These are government-funded and guided attackers, ordered to launch operations ranging from cyber espionage to intellectual property theft. These attackers have the biggest bankroll, and thus can afford to hire the best talent to create the most advanced, nefarious, and stealthy threats.

Nation state actors first appeared in the public eye during a few key cyber security incidents around 2010, including:

  • The Operation Aurora attack, where allegedly Chinese attackers gained access to Google and many other big companies, and supposedly stole intellectual property, as well as sensitive US government surveillance information.
  • The Stuxnet incident, where a nation state (likely the US) launched an extremely advanced, sneaky, and targeted piece of malware that not only hid on traditional computers for years, but also infected programmable logic controllers (PLCs) used in centrifuges. The attack was designed to damage Iran’s nuclear enrichment capabilities.

Unlike the other hackers’ tools, state-sponsored attackers create very customized and advanced attack code. Their attacks often incorporate previously undiscovered software vulnerabilities, called zero days, which have no fix or patch. They often leverage the most advanced attack and evasion techniques in their attacks, using kernel level rootkits, steganography, and encryption to make it very difficult for you to discover their malware. They have even been known to carry out multiple attacks to reach their ultimate target. For instance, they might attack a software company to steal a legitimate digital certificate, and then use that certificate to sign the code for their malware, making it seem like it comes from a sanctioned provider. These advanced attacks are what coined the new industry term, advanced persistent threat (APT).

While you’d expect nation state attackers to have very specific targets, such as government entities, critical infrastructure, and Fortune 500 enterprises, they still pose some threat to average organizations as well. For instance, sometimes these military attackers target smaller organizations as a stepping-stone for a bigger attack. Furthermore, now that these advanced attacks and malware samples have started to leak to the public, normal criminal hackers have begun to adopt the advanced techniques, upping the level of traditional malware as well.

Understanding the motives, capabilities, and tools of these three hacker profiles gives you a better idea of what types of targets, resources, and data each one is after. This knowledge should help you tailor your defenses to the types of attacker you think are most relevant to the business or organization you protect.

Now that you know a little about your enemy, you can focus on getting to know yourself, and match your defenses to your most likely enemy. Once you’ve done that, you will not be imperiled in a hundred cyber battles. — Corey Nachreiner, CISSP (@SecAdept)

To spread the knowledge about today’s three main cyber threat actors, WatchGuard has created a fun and fact-filled info-graphic. Check it out below, and be sure to share it with your friends and co-workers to spread the word. 

WatchGuard profiles the three main classes of cyber attackers.

WatchGuard Security Week in Review: Episode 64 – AusCERT 2013

AusCERT, Aurora Updates, and FPS Hacks

Do you know the latest information security (infosec) buzz? If not, you’ve found the right weekly vlog. Every Friday we post a short video sharing the latest network and information security highlights for your consideration. Today’s episode comes to you from the beautiful Australian Gold Coast, which is why I’ve had to post it a bit late due to travel.

In this episode I share a few highlights from the AusCERT security conference, update you on the old Google Aurora attack, warn about new vulnerabilities affecting many FPS engines, and much more. If you want to stay abreast of the latest network security news, in eight minutes or less, watch the video below.

As always, you can find more detail about the stories from this week’s episode in the Reference section, as well as a few extras.

(Episode Runtime: 7:41)

Direct YouTube Link: http://www.youtube.com/watch?v=JLbzY_i8TIc

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)


WatchGuard Announces Fireware XTM and WSM 11.7.3

Available for All XTM Appliances (Except XTM 21/22/23)

WatchGuard is pleased to announce the release of Fireware XTM v11.7.3 and WatchGuard System Manager v11.7.3. This maintenance release includes a large number of bugfixes and some enhancements. For full information on the issues fixed in v11.7.3, see the Resolved Issues section of the Release Notes. Enhancements are outlined in the release notes and also covered in What’s New in Fireware XTM v11.7.3 [PPT file].

Some of the enhancements include:

  • Ability to set the source IP address in Static NAT and server load balancing actions
  • Modem support for three USB 3G/4G modems
  • Ability to change the port used for connections to a syslog server

There are some notable updates for the new Wireless Access Points and the Gateway Wireless Controller.

  • MAC access control whitelist
  • Station isolation
  • No automatic AP device reboot after AP configuration change

The 11.7.3 release also provides significant improvements in spam detection based on feedback received since the 11.7.2 release. The release notes also provide some guidance on setting appropriate spam threshold settings for the new Mailshell engine. Some customers have preferred to set the suspect spam threshold to 80 to reduce the amount of legitimate email that gets categorized as suspect spam.

Fireware XTM 11.7.3 enables XTMv support for the Microsoft Hyper-V hypervisor. The virtual appliance (in VHD format) for Hyper-V is not available at initial v11.7.3 release, but will be released in one to two weeks.

Does This Release Pertain to Me?

Fireware XTM 11.7.3 includes many improvements and fixes. If you have an XTM 25/25-W/26/26-W, 3 Series, 5 Series, 8 Series, 800 Series, 1500 Series, 2500 Series, 1050 or 2050 device and wish to take advantage of the updates mentioned in the Release Notes, you should upgrade to version 11.7.3. Please read the Release Notes before you upgrade to understand what’s involved.

Note: This update does not apply to XTM 21/22/23 appliance owners, or Firebox X e-Series owners.

How Do I Get the Release?

XTM appliance owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller »

WatchGuard Security Week in Review: Episode 63 – Patch Bonanza

Zero Day Patches, Nasty New Malware, and Jailed Hackers

Ready for a dose of InfoSec news? Your weekly security highlights reel is spooled up and ready to go.

This week was all about software updates. Not only did Microsoft and Adobe’s monthly Patch Day bring us patches for critical zero day vulnerabilities, but we saw security updates for Firefox and iTunes as well. In today’s video, I talk about all those updates, as well as two new interesting malware variants, and the sentencing and jailing of a team of well-known hackers. View the video for all the details.

A quick note… Next week I’ll be attending the AusCERT security conference in Australia. Though I still expect to bring you a weekly video, I may post it earlier or later than normal due to travel and the time zone differences. Keep safe out there and see you next week.

(Episode Runtime: 7:17)

Direct YouTube Link: http://www.youtube.com/watch?v=gjAx6PdFY0k

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Update for ColdFusion Zero Day and More

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Reader and Acrobat, Flash Player, and ColdFusion
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Yesterday, Adobe released three security bulletins describing vulnerabilities in Reader and Acrobat, Flash Player, and ColdFusion. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. Attackers have been exploiting one of the ColdFusion issues in the wild, so we recommend you patch quickly.

The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day May 2013

  • APSB13-15: Multiple Reader and Acrobat Memory Corruption Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 27 vulnerabilities that affect Adobe Reader and Acrobat X 11.0.2 and earlier, running on any platform (Windows, Mac, Linux). Adobe’s alert only describes the flaws in minimal detail, but the majority of them involve memory corruption-related vulnerabilities, such as buffer overflows, integer overflows, use-after-free issues, and so on. For the most part, they share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit many of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 2 (Patch within 30 days) for most, though 1 for Windows systems with 9.x and below

  • APSB13-14: Multiple Flash Player Memory Corruption Flaws

Adobe’s bulletin describes 13 vulnerabilities in Flash Player running on all platforms (including Linux and Android). More specifically, the flaws consist of various memory corruption flaws. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe rates these flaws with their highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

  • APSB13-13: Critical Zero Day ColdFusion Vulnerability Patched

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. This bulletin fixes two serious vulnerabilities, one of which attackers are currently exploiting in the wild. We mentioned this zero day flaw in passing during last week’s security news video. Adobe’s bulletin doesn’t share many details, but the primary flaw is a remote code execution vulnerability. If you expose certain default ColdFusion directories, an attacker could exploit this flaw to execute code on your web server simply by sending specially crafted HTTP packets. Though not quite as bad, the second vulnerability allows attackers to remotely retrieve sensitive files from your server. Adobe rates these flaws Priority 1, so we highly recommend ColdFusion administrators update immediately, especially if you have public facing servers.

You can find a bit more detail about the zero day ColdFusion flaw in a security advisory Adobe released earlier this month.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

  • Download Adobe Reader
  • Download Adobe Flash Player

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Reader files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Reader or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block this Flash or Reader via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Windows Essentials: Free Programs Need Patches Too

Do you use Windows Essentials? If so, let the Windows Automatic Updater do its job, but no hurry.

Along with their nine other Patch Day bulletins, Microsoft released a less significant software update for Windows Essentials, a suite of free and optional productivity applications for Windows. Essentials consists of a menagerie of applications, including basic photo gallery, blogging, email, instant messenger, and movie editing software. Many of the applications are cloud-based.

In any case, according to one of today’s bulletins, Windows Essentials suffers from a relatively minor information disclosure vulnerability. If an attacker can get a Windows Live Writer (the blogging app) user to click a specially crafted link, he can leverage this flaw to overwrite some of that user’s files. Certainly not a good thing, but also not the worst flaw in the world.

I personally doubt many business users leverage the Essentials suite, so I don’t think this particular issue poses a huge risk to our readers. That said, if you do use the Windows Essentials Live Writer program, then you certainly wouldn’t want to lose content based on this sort of attack. So I would definitely apply Microsoft’s patch, though there’s no rush. You can find more details about the update in the “Affected and Non-Affected Software” section of Microsoft’s bulletin. — Corey Nachreiner, CISSP (@SecAdept)

Office Patches Mend Word, Visio, Publisher, and Lync

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word, Visio, Publisher, and Lync
  • How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix 14 vulnerabilities in a range of Microsoft Office products, including Word, Visio, Publisher, and Lync. We summarize these four security bulletins below, in order from highest to lowest severity.

  • MS13-041: Lync Remote Code Execution (RCE) Vulnerability

Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from an unspecified memory corruption vulnerability that attackers could leverage to execute arbitrary code on your computer. If an attacker can convince one of your users to join a Lync or Communicator session containing specially crafted content, they could execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could gain complete control of affected computers. This flaw only affects certain versions of Lync and Communicator. See the “Affected and Non-Affected Software” section of Microsoft’s bulletin for more details.

Microsoft rating: Critical

  • MS13-042: Multiple Publisher Memory Corruption Vulnerabilities

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from eleven memory corruption vulnerabilities. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Publisher except 2013.

Microsoft rating: Important

Word is the popular word processor that ships with Office. It suffers from a remote code execution (RCE) vulnerability having to do with how it handles Word or RTF documents containing maliciously crafted shape data. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word and Word Viewer 2003.

Microsoft rating: Important

  • MS13-044: Visio Information Disclosure Vulnerability

Microsoft Visio is a popular diagramming program often used to create network diagrams. Visio suffers from a complex information disclosure vulnerability, involving the way it parses specially crafted XML content. At a high level, XML documents can contain “external entities,” essentially text or binary data pulled in from an external location. If an attacker can entice one of your users into downloading and opening a malicious Visio document (containing such XML content), he can exploit this flaw to read data from files on the victim’s computer. This flaw affects all versions of Visio except 2013.

Microsoft rating: Important
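As an added illustration (not WatchGuard’s IPS signature and not Microsoft’s code), the following Python script shows the kind of check a gateway or file filter can make before an XML-based document reaches a vulnerable parser: it inspects the document prolog for a DOCTYPE that references an external DTD, or for an entity declaration with a SYSTEM or PUBLIC identifier, which is exactly the construct an external entity attack relies on. The sample documents, element names and the file path inside them are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample documents (not real Visio files). The first declares an
# external entity that would pull a local file into the document, the second
# references an external DTD, the third is ordinary XML.
MALICIOUS_XML = b"""<?xml version="1.0"?>
<!DOCTYPE VisioDocument [
  <!ENTITY leak SYSTEM "file:///C:/Users/victim/secrets.txt">
]>
<VisioDocument><Text>&leak;</Text></VisioDocument>
"""

EXTERNAL_DTD_XML = b"""<?xml version="1.0"?>
<!DOCTYPE VisioDocument SYSTEM "http://dtd.example.invalid/evil.dtd">
<VisioDocument><Text>hello</Text></VisioDocument>
"""

BENIGN_XML = b"""<?xml version="1.0"?>
<VisioDocument><Text>Network diagram</Text></VisioDocument>
"""

# A quoted XML literal: "..." or '...'
_LIT = rb"(?:\"[^\"]*\"|'[^']*')"

# <!ENTITY name SYSTEM "uri">, <!ENTITY name PUBLIC "id" "uri">, and the
# "%" parameter-entity form, which can also be resolved from outside the file.
_ENTITY = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?(?P<name>[^\s>]+)\s+"
    rb"(?:SYSTEM\s+(?P<sys>" + _LIT + rb")|PUBLIC\s+" + _LIT + rb"\s+(?P<pub>" + _LIT + rb"))",
    re.IGNORECASE,
)

# <!DOCTYPE name SYSTEM "uri"> or <!DOCTYPE name PUBLIC "id" "uri">: an external DTD subset.
_DOCTYPE_EXT = re.compile(
    rb"<!DOCTYPE\s+(?P<name>[^\s\[>]+)\s+"
    rb"(?:SYSTEM\s+(?P<sys>" + _LIT + rb")|PUBLIC\s+" + _LIT + rb"\s+(?P<pub>" + _LIT + rb"))",
    re.IGNORECASE,
)


def _unquote(lit: bytes) -> str:
    """Strip the surrounding quotes from a matched literal and decode it."""
    return lit[1:-1].decode("utf-8", "replace")


def external_references(xml: bytes) -> List[Tuple[str, str, str]]:
    """List every external DTD or entity reference in the prolog as (kind, name, uri)."""
    refs = []
    m = _DOCTYPE_EXT.search(xml)
    if m:
        refs.append(("doctype", m.group("name").decode("utf-8", "replace"),
                     _unquote(m.group("sys") or m.group("pub"))))
    for m in _ENTITY.finditer(xml):
        refs.append(("entity", m.group("name").decode("utf-8", "replace"),
                     _unquote(m.group("sys") or m.group("pub"))))
    return refs


def is_suspicious(xml: bytes) -> bool:
    """Gateway-style verdict: any external reference in an untrusted document is blocked."""
    return bool(external_references(xml))


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_XML),
                       ("external dtd", EXTERNAL_DTD_XML),
                       ("benign", BENIGN_XML)):
        print(f"{label:13s} suspicious={is_suspicious(doc)} {external_references(doc)}")
```

A document with no DOCTYPE at all cannot declare entities, so rejecting every DOCTYPE from untrusted sources is the simplest policy; the finer-grained check above is for environments that must accept DTDs. Whatever the gateway does, the application’s own XML parser should still be configured so that it never resolves external entities, because a filter that pattern-matches the prolog is a second line of defense, not a replacement for a correctly configured parser.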

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed a signature that can detect and block the Visio Information Disclosure issue:

  • EXPLOIT Microsoft Visio XML External Entities Resolution Vulnerability (CVE-2013-1301)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Trio of Windows Bulletins Correct Moderate Vulnerabilities

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows or components often packaged with it (like the .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or running malicious programs locally
  • Impact: Varies, ranging from a remote Denial of Service (DoS) attack to local attackers gaining complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that describe six vulnerabilities affecting Windows or components related to it (like the .NET Framework). They only rate these bulletins as Important, due to limited impact or mitigating factors. Each of these vulnerabilities affects different versions of Windows to varying degrees. In the worst case, a local attacker could exploit one of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates at your earliest convenience.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

The HTTP Protocol Stack (HTTP.sys) is a Windows component that listens for and handles HTTP requests before passing them to a web server like IIS. It suffers from a Denial of Service (DoS) vulnerability having to do with its inability to properly handle HTTP requests with specially malformed headers. By sending a specially crafted HTTP request, a remote attacker can leverage this flaw to cause your system to stop responding. While this sort of DoS attack doesn’t result in any breach or data loss, attackers can leverage it to knock your public web server offline, which could have significant business implications. You should download, test, and deploy Microsoft’s HTTP.sys update as soon as possible.

Microsoft rating: Important

  • MS13-040: Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. The .NET Framework component suffers from two new security vulnerabilities.

The first issue is an XML digital signature spoofing vulnerability. XML files can contain digital signatures, which .NET applications can use to verify the integrity of XML files (ensuring they haven’t been improperly modified). However, the .NET Framework component (CLR) responsible for validating these signatures doesn’t do it right. As a result, attackers can modify the contents of an XML file without invalidating the signature. The impact of this flaw depends on if and how your custom .NET applications leverage this functionality.
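To make the integrity check concrete, here is an added example (not the .NET Framework’s code, and not a description of the actual CLR defect) of what a correct verifier of a signature over an XML subtree has to do: canonicalize exactly the signed subtree, recompute the signature over those bytes, and compare in constant time. It uses an HMAC with a constructed shared key in place of XMLDSig’s public-key signatures, and the document layout (Order, Body and Signature elements) is an assumption made for the example.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumption: a shared HMAC key stands in for the XMLDSig key pair. The shape
# of the check (canonicalize the signed subtree, recompute, compare) is the point.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample document. Only the <Body> subtree is covered by the signature.
UNSIGNED_ORDER = (
    "<Order>"
    "<Body><Item>widget</Item><Amount>10</Amount></Body>"
    "<Signature/>"
    "</Order>"
)


def canonical_bytes(element: ET.Element) -> bytes:
    """Canonical XML (C14N 2.0) of one subtree, so attribute order and
    insignificant whitespace cannot change the digest."""
    elem = copy.copy(element)
    elem.tail = None  # the tail text belongs to the parent, not to the signed subtree
    raw = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(raw, strip_text=True).encode("utf-8")


def compute_signature(body: ET.Element) -> str:
    """Signature value over the canonical form of the signed subtree."""
    return hmac.new(SHARED_KEY, canonical_bytes(body), hashlib.sha256).hexdigest()


def sign(order_xml: str) -> str:
    """Fill in the Signature element of a document and return the signed XML."""
    root = ET.fromstring(order_xml)
    body, sig = root.find("Body"), root.find("Signature")
    if body is None or sig is None:
        raise ValueError("document lacks Body or Signature element")
    sig.text = compute_signature(body)
    return ET.tostring(root, encoding="unicode")


def verify(order_xml: str) -> bool:
    """Correct verifier: recompute over the subtree actually present in the
    document and compare in constant time; never trust a value carried in the file."""
    try:
        root = ET.fromstring(order_xml)
    except ET.ParseError:
        return False
    body, sig = root.find("Body"), root.find("Signature")
    if body is None or sig is None or not (sig.text or "").strip():
        return False
    expected = compute_signature(body).encode("ascii")
    provided = sig.text.strip().encode("utf-8", "replace")
    return hmac.compare_digest(expected, provided)


def tamper(signed_xml: str, old: str, new: str) -> str:
    """Edit a signed document the way an attacker would, leaving Signature untouched."""
    return signed_xml.replace(old, new)


if __name__ == "__main__":
    signed = sign(UNSIGNED_ORDER)
    print("intact:     ", verify(signed))
    print("tampered:   ", verify(tamper(signed, "<Amount>10</Amount>", "<Amount>1000</Amount>")))
    # Whitespace-only reformatting is not a modification under canonicalization.
    print("reformatted:", verify(signed.replace("<Body>", "<Body>\n  ")))
```

Any edit inside the Body subtree changes the canonical bytes and therefore fails verification, while whitespace-only reformatting still passes. A verifier that trusted a digest value carried inside the document, or that only checked that a Signature element was present, would accept the tampered file, which is the outcome the bulletin describes.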

The second issue is an authentication bypass vulnerability. The Windows Communication Foundation (WCF) is essentially a set of .NET APIs that developers can use to make applications that communicate securely with one another. However, WCF suffers from an authentication bypass flaw. By sending specially crafted packets, an attacker could gain unauthenticated access to computers that run WCF services. The impact of this bypass depends on your custom .NET application. If your custom application gives your users access to sensitive data, then it can pose a significant risk. If you install the .NET Framework, you should download, test, and install Microsoft’s update as soon as you can.

Microsoft rating: Important

  • MS13-046: Kernel-Mode Driver Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode driver (win32k.sys) that implements the window manager and graphics (GDI) subsystem at kernel level. This driver suffers from three new local elevation of privilege flaws. They all differ technically, but share the same basic scope and impact. By running a specially crafted program, a local attacker could leverage any of them to gain complete control of your Windows computer (or cause it to become unstable). However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of these vulnerabilities.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows and .NET Framework patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

  • WEB Microsoft Windows 2012 Server HTTP.sys Denial of Service Vulnerability (CVE-2013-1305)
  • EXPLOIT Microsoft XML Digital Signature Spoofing Vulnerability (CVE-2013-1336)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Two Critical IE Bulletins Fix Zero Day Vulnerability and More

Severity: High

Summary:

  • These vulnerabilities affect: Internet Explorer (IE) versions 6 – 10
  • How an attacker exploits them: Typically, by enticing one of your users to visit a web page with malicious content
  • Impact: In the worst case, an attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released two security bulletins (MS13-037/MS13-038) describing a dozen new security vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates both updates as Critical.

Over the last few months, most of the new flaws affecting IE are what developers call “use after free” vulnerabilities – a type of memory corruption flaw that attackers can leverage to execute arbitrary code. May’s duo of IE bulletins continues this theme, with all but one of the vulnerabilities falling under this class of flaw.

Though these dozen vulnerabilities differ technically, they share the same general scope and impact (the one exception being a lower-impact information disclosure flaw, CVE-2013-1297). If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any of the memory corruption flaws to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer. Keep in mind, attackers often hijack legitimate web pages and booby trap them with this sort of malicious code, in what the industry refers to as a “watering hole” attack.

Typically, Microsoft only releases one IE cumulative update a month. However, over the last few weeks attackers have exploited a zero day IE8 vulnerability in the wild—most notably against the Department of Labor (DoL) web site. We talked about this exploit in last week’s security video. Although Microsoft had released a temporary “FixIt” to mitigate this serious vulnerability, today’s second IE bulletin (MS13-038) rectifies the issue more completely. Attackers are still exploiting this flaw in the wild. They’ve worked it into their underground exploit toolkits, and even the popular Metasploit framework contains a public version of the exploit. We highly recommend you install both of Microsoft’s IE updates immediately (after testing, of course).

If you’d like more technical detail about any of these flaws, see the “Vulnerability Information” section in both of Microsoft’s bulletins (MS13-037/MS13-038).

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletins:
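A quick way to confirm a host is actually covered, for this Solution Path and for the Windows and .NET bulletins in the previous alert, is the following PowerShell check. It is an added example, not part of either alert: it reports which of a given list of KB updates are missing, whether an installed update is still waiting on a reboot (the host stays exploitable until then), and which IE version is present so you can match it against the affected range of IE 6 through 10. The KB numbers in the usage line are placeholders (an assumption); take the real ones from the “Affected and Non-Affected Software” section of each bulletin.

```powershell
# Added example (not part of the original alerts). The KB numbers used below are placeholders:
# substitute the ones listed in each bulletin's "Affected and Non-Affected Software" section.

function Get-MissingHotfix {
    param([string[]]$KB)
    # Get-HotFix reads the installed-updates list that Windows Update itself maintains.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($id in $KB) {
        [pscustomobject]@{ KB = $id; Installed = ($installed -contains $id) }
    }
}

function Test-PendingReboot {
    # An update that is installed but not yet active leaves the old, vulnerable code running.
    $wu   = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $cbs  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $smgr = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return ($wu -or $cbs -or ($null -ne $smgr.PendingFileRenameOperations))
}

function Get-IeVersion {
    # IE 10 and later record the real version in svcVersion; older releases only set Version.
    $key = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    if ($key.svcVersion) { return [version]$key.svcVersion }
    return [version]$key.Version
}

# Usage (placeholder KB numbers, see above)
$kbs = 'KB0000001', 'KB0000002'
$missing = Get-MissingHotfix -KB $kbs | Where-Object { -not $_.Installed }
if ($missing) { "Missing updates:"; $missing | Format-Table -AutoSize } else { "All listed updates installed." }
"Reboot pending: $(Test-PendingReboot)"
$ie = Get-IeVersion
$affected = ($ie.Major -ge 6 -and $ie.Major -le 10)
"IE $ie installed; in the affected IE 6 - 10 range: $affected"
```

Run it with administrative rights so the registry and hotfix queries succeed on every host; in a domain you can wrap the three functions in Invoke-Command to sweep many machines at once.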

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the “use after free” vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-2551)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1309)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1311)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1312)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1307)
  • WEB-CLIENT Microsoft Internet Explorer Use After Free Vulnerability (CVE-2013-1308)
  • WEB-CLIENT Microsoft Internet Explorer JSON Array Information Disclosure Vulnerability (CVE-2013-1297)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
