Archive | June, 2013

Carberp Code Leak Means More Malware – WSWiR Episode 68

OpNorthKorea, Opera Breach, and Carberp Leak

This was a pretty packed news week for Information Security (InfoSec), so if you didn’t have time to seek out security stories yourself, let our convenient weekly video summarize the top ones for you.

This week, I decided to take a break from the Snowden updates and only skim patch news so that I could focus more on interesting new security stories. This episode primarily highlights the recent cluster of Korea-focused cyber attacks, some Facebook and Opera breaches, and the public source code leak of one of the most prevalent banking botnets out today. I even threw in a few fun, gamer-related security stories at the end. Click play below to get informed; and don’t forget to check the Reference section for extras.

See you next week.

(Episode Runtime: 8:19)

Direct YouTube Link: https://www.youtube.com/watch?v=-VIfTUyOpiI

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Announces Fireware XTM v11.6.6

Available for All XTM Appliances

WatchGuard is pleased to announce the release of XTM v11.6.6. Full details on the issues fixed in v11.6.6 can be found in the Resolved Issues section of the Release Notes. Key highlights include:

  • Over 35 issues resolved, including fixes for Gateway AV and spamBlocker crashes.
  • It is possible to configure the spam detection thresholds for spamBlocker.
  • We have also included an updated version (2.2) of the Shrew Soft IPSec VPN client with this release. If you’d like the latest Mobile VPN client, we recommend you download the Shrew Soft update as well.

Does This Release Pertain to Me?

If you or your customers have an XTM appliance, you should upgrade to version 11.6.6 if you need any of the provided fixes. Please read the Release Notes before you upgrade, to understand what’s involved.

Note: The Fireware 11.6.6 release also applies to XTM 21/22/23 appliances. Fireware XTM 11.7.3 Update 1 is also available for all appliances, except XTM 21/22/23.

How Do I Get the Release?

XTM appliance owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today.

PRISM Update & Java Patch – WSWiR Episode 67

Huge Java Patch, More PRISM News, and Crazy McAfee Video

Every week I highlight the big Infosec stories from the past seven days, and this week is no exception. Today’s episode covers the big Java update, the latest on the PRISM snooping scandal, news on new security camera hacks, and a weird video starring John McAfee. Watch below for the full scoop, and check out the Reference section for extras.

Thanks for watching, and see you next week.

(Episode Runtime: 8:19)

Direct YouTube Link: https://www.youtube.com/watch?v=MzopsxsmwIQ

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Latest Java Update Fixes 40 Vulnerabilities (For Apple Too)

Severity: High

Summary:

  • These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 21 and earlier, on all platforms
  • How an attacker exploits them: Typically by luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install JRE and JDK 7 Update 25 (or Apple’s OS X update)

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Oracle’s Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

Today, Oracle released a Java update to fix 40 vulnerabilities in the popular web plugin. Oracle doesn’t describe these flaws in much technical detail, but they do share a Risk Matrix, which describes the severity and impact of each flaw. In a nutshell, most of the flaws are remote code execution issues. Furthermore, Oracle assigns a dozen of them the maximum CVSS score of ten. By enticing you to a web site with malicious content, attackers can leverage many of these flaws to execute code on your computer, with your privileges. If you are an administrator, it’s game over.

Java is very dangerous right now. Attackers are currently leveraging many Java vulnerabilities in the wild. Cyber criminals are even selling Java exploit kits on the underground market. In short, we highly recommend you apply Oracle’s Java update immediately. In fact, if you can do without Java, I suggest you remove it from your computer.

In related news, Apple has also released a Java update for OS X. Mac users should update Java as well.

Solution Path:

Oracle has released JRE and JDK 7 Update 25 to correct these issues (as well as some legacy version updates). If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Remember, attackers have heavily targeted Java lately. If you do not need Java in your organization, I suggest you remove it.

For All WatchGuard Users:

WatchGuard XTM appliances can often help protect you from these sorts of Java vulnerabilities in a number of ways:

  • If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well.
  • WatchGuard constantly develops AV signatures to catch Java exploits seen in the wild. If you use our Gateway AntiVirus (GAV) service, it can protect you from some of these attacks.
  • WatchGuard’s IPS signature writers also develop generic Java signatures, which can block some variants of this attack.
  • WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


What did you think of this alert? Let us know at lsseditor@watchguard.com.

Need help with the jargon? Try the LiveSecurity Online Glossary.

WatchGuard Announces Fireware XTM 11.3.6 Update 1

Available for All Firebox X e-Series Appliances

WatchGuard has released Update 1 for Fireware XTM v11.3.6. This maintenance release updates the Mailshell detection engine used in spamBlocker. It also makes it possible to configure the spam detection thresholds for spamBlocker. For full information on the issues fixed in v11.3.6 Update 1, please see the Resolved Issues section of the Release Notes.

We have also included an updated version (2.2) of the Shrew Soft IPSec VPN client with this release. If you’d like the latest Mobile VPN client, we recommend you download the Shrew Soft update as well.

Does This Release Pertain to Me?

If you have a Firebox X e-Series appliance and use spamBlocker, you should upgrade to version 11.3.6 Update 1. Please read the Release Notes before you upgrade, to understand what’s involved.

Note: WSM 11.7.3 Update 1 can be used to manage Firebox X e-Series appliances.

How Do I Get the Release?

XTM appliance owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today.

NSA Prism Snooping Scandal – WSWiR Episode 66

Advanced Android Malware and NSA Snooping on Citizens

Are you, like most network administrators, too busy to follow all the latest information security (infosec) news each week? If so, this vlog is for you. Each Friday I summarize the biggest infosec stories, and share some practical security advice.

In this episode, I cover some of the week’s software updates, I talk about a new sophisticated Android malware variant, and I discuss Edward Snowden’s leak of NSA’s PRISM program. Watch the video below for the details, and check out the Reference section for more.

Have a great weekend, and stay safe out there.

(Episode Runtime: 9:17)

Direct YouTube Link: https://www.youtube.com/watch?v=5jb3ey1ZRBQ

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day Consists of One Flash Fix

As always, Adobe shares Microsoft’s Patch Day every second Tuesday of the month. This month, they also shared Microsoft’s light patch load.

Yesterday, Adobe only released one security bulletin to fix one vulnerability in Flash Player 11.7.700.202 and earlier, running on all platforms. As you probably know, Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Yesterday’s Flash Player update fixed an unspecified memory corruption vulnerability. If an attacker can entice one of your users to visit a malicious website, or into handling specially crafted Flash (SWF or FLV) content, he could exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have administrator privileges, the attacker could gain full control of their computers.

Adobe rates the update as a “Priority 1” for Windows users, and recommends you apply it as soon as possible (within 72 hours). We have noticed that attackers and researchers seem to be finding holes in Flash as often as they are in Java. Whatever platform you run it on, we highly recommend you keep Flash up to date. You can download the latest version of Flash from Adobe.

— Corey Nachreiner, CISSP (@SecAdept)

Office 2003 Document Handling Code Execution Vulnerability

Severity: Medium

Summary:

  • These vulnerabilities affect: Office 2003 and Office for Mac 2011
  • How an attacker exploits them: By enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches as soon as possible, or let Windows Update do it for you.

Exposure:

As part of Patch Day, Microsoft released a security bulletin describing a vulnerability in Office 2003 and Office for Mac 2011. Specifically, the Office components used to parse PNG image files suffer from a buffer overflow vulnerability involving the way they handle specially crafted images. By embedding a malicious PNG image into an Office document, and tricking one of your users into downloading and opening or previewing it, an attacker can exploit this vulnerability to execute code on that user’s computer, inheriting that user’s privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Though Microsoft only rates this security update as Important, since the attack requires user interaction to succeed, we believe it poses a significant risk because many normal users trust Microsoft Office documents. You should patch this flaw as soon as you can.

Solution Path:

Microsoft has released an update for Office to fix this flaw. If you use Office 2003 or Office for Mac 2011 you should download, test, and deploy the update as soon as possible, or let Windows Update do it for you. See the “Affected and Non-Affected Software” section of Microsoft’s bulletin for more details on where to find the updates.

For All WatchGuard Users:

Though you can use WatchGuard’s XTM and XCS appliances to block certain files and content, such as Office documents, most organizations share these types of documents as part of normal business. Instead, we recommend you install Microsoft’s updates to completely protect yourself from this flaw.

Status:

Microsoft has released an Office update to fix this flaw.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Three Windows Updates Fix Less Risky Vulnerabilities

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows or components often packaged with it (like the print spooler)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or running malicious programs locally
  • Impact: Varies, ranging from a remote Denial of Service (DoS) attack to local attackers gaining complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins describing vulnerabilities affecting Windows or components related to it. They only rate these bulletins as Important or Moderate, due to limited impact or mitigating factors. Each of these vulnerabilities affects different versions of Windows to varying degrees. In the worst case, a local attacker could exploit one of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates at your earliest convenience.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-048: Windows Kernel Information Disclosure Flaw

The kernel is the core component of any computer operating system. The Windows kernel suffers from an information disclosure vulnerability, which attackers can leverage to gain unauthorized access to the contents of kernel memory. Though this flaw would not allow an attacker to gain elevated privileges on an affected system, the attacker could gain access to privileged information, which might help further their attack. In order to exploit the flaw, a local attacker would have to run a specially crafted program. However, the attacker would first need to gain local access to your Windows computer using valid credentials. This factor significantly reduces the severity of the issue.

Microsoft rating: Important

  • TCP/IP Driver Denial of Service Flaw

The TCP/IP driver is one of the kernel-mode drivers that help Windows handle TCP/IP networking traffic. It suffers from an unspecified Denial of Service (DoS) vulnerability having to do with its inability to handle certain TCP packets. By sending specially crafted packets to a vulnerable Windows computer, an attacker could cause the computer to stop responding. Though attackers couldn’t exploit this flaw to gain control of your computers, they can leverage it to cause downtime. Firewalls, like WatchGuard’s XTM appliances, can typically mitigate this type of attack by preventing external attackers from accessing your internal Windows computers.

Microsoft rating: Moderate

  • MS13-050: Print Spooler Elevation of Privilege Flaw

The print spooler is a Windows service that manages printing. It suffers from an unspecified elevation of privilege vulnerability having to do with its inability to properly free memory when you delete a printer connection. If an attacker can gain enough local access to your computer to delete a printer connection, she can exploit this flaw to elevate her privileges and execute code with full system privileges. Of course, she’d need credentials on the targeted system, and local access to it, in order to carry out this attack. These requirements significantly mitigate the risk of this flaw.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. However, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


Microsoft Fixes 19 Remote Code Execution Flaws in IE

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a web page containing malicious content
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing 19 new security vulnerabilities affecting Internet Explorer (IE). Microsoft describes almost all of these flaws as “memory corruption” vulnerabilities, but they don’t specify the exact type of memory corruption flaw. Since we’ve seen a lot of “use after free” vulnerabilities (one type of memory corruption issue) in IE lately, I wouldn’t be surprised if many of these vulnerabilities fell into that class of flaw.

Regardless of which type of memory corruption flaws these are, they all share the same scope and impact. If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like more technical detail about these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technicalities aside, all of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve malicious web code in something the industry calls a “watering hole” attack. So these types of flaws may affect you even when visiting legitimate, trusted web sites.

If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus services can often prevent the malware that drive-by download attacks try to force onto your computer. Furthermore, our Reputation Enabled Defense (RED) and WebBlocker service can often prevent your users from accidentally visiting malicious sites. Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from these vulnerabilities.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
