Archive | September, 2013

IceFog APT – WSWiR Episode 79

Fake Fingerprints, IOS DoS Flaws, and IceFog APT

Are you ready for the latest InfoSec news?

This week, I’m traveling in the windy city of Chicago, speaking at ISC²’s Security Congress Conference. As a result, I did not have time to create a full-length video; but fear not. My short video quickly summarizes the five big security stories, and I’ll share a few more written details and links below:

(Episode Runtime: 2:25)

Direct YouTube Link: http://www.youtube.com/watch?v=wYkOtYFci38

  • iPhone 5s’s TouchID hacked in a few days [video] – Shortly before the iPhone 5s’ release, hackers around the world were discussing how easy it would be to hack the device’s new TouchID fingerprint scanner. In fact, some even set up a fund to reward the first to do it. Well, they did not disappoint. Just a day or two after its release, researchers from the Computer Chaos Club (CCC) in Germany were successful, using an old, well-known technique they have demonstrated before. Check out the video to see how easy it is.
  • Cisco releases many IOS updates, mostly to fix DoS vulnerabilities – On Wednesday, Cisco posted eight security advisories, describing many vulnerabilities in the IOS firmware used on their routing devices. Most of the vulnerabilities are denial of service (DoS) flaws. If you manage Cisco IOS devices, you should install these updates as soon as you can.
  • 200% increase in nasty extortion ransomware – ESET, an anti-virus company, reported seeing a 200% increase in a particular ransomware variant called FileCoder (or CryptoLocker by other AV companies). This nasty malware finds many types of documents and images on your computer, and encrypts them using fairly strong public/private key crypto. It then asks you to pay around $300 to get your files back. So far the good guys haven’t cracked its encryption, and they are unlikely to do so without actually obtaining the attacker’s private key. If you do pay the ransom, the malware does seem to stick to its word, and decrypt your files. However, I don’t recommend capitulating to criminals. The malware mostly spreads via phishing emails, so if you warn your users about this, you may be able to avoid it. As an aside, a Twitter follower anecdotally shared that he’s seen a CryptoLocker infection at his client’s site, which seems to confirm the potential increase in this malware campaign.
  • Kaspersky uncovers IceFog APT campaign [video] – During the week, one of our partners, Kaspersky, released details about a new APT campaign that’s targeting organizations in South Korea and Japan. The attackers seem to be a small group of very skilled hackers, who are targeting government institutes, military contractors, and telecom or satellite operators. Like most APTs of late, the attack starts with a spear-phishing email containing a document. For more interesting details about this advanced attack campaign, see Kaspersky’s report or watch their video.
  • Criminals steal data from data brokers, and resell on the underground – A well-known security journalist, Brian Krebs, posted an in-depth story about an attack campaign against various data broker organizations. Essentially, attackers gained access to the networks of data brokers like LexisNexis and Dun & Bradstreet, and then leveraged this access to loot the personal customer information these brokers collect. The criminals then resell this information on their malicious identity theft service sites. Be sure to read Krebs’ article for the full scoop.

Extra References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Password Cracking? Should I Be Worried?

Yesterday, an external researcher, Jérôme Nokin, posted a blog entry describing how he discovered one of the hashing algorithms our XTM products use when storing a certain kind of user credential. I wanted to point out his post for two reasons; first, to show off the researcher’s impressive reversing work, but also to clarify a few points for our XTM customers, so they understand whether or not this discovery poses them any risk. Let’s dive in.

Nokin’s discovery involves hashing functions, which are one-way cryptographic algorithms that map data sets (of any length) to a unique, fixed-length key. These one-way algorithms are designed so that the key should uniquely match one and only one data set, but also should not help you recreate the original data. Hashes are not intended as encryption; they’re intended to be unique “fingerprints” for specific data sets. However, they are often used as a secure way of storing passwords. Rather than store a clear text password, why not just store the “fingerprint” for that password? If a user enters the right one, the fingerprint should match.

In a nutshell, Nokin’s post outlines two things:

  1. He found that we store a certain type of user credential in the XTM appliance configuration file
  2. He found the specific hashing algorithm we use for storing passwords (NTLM + null)

Let’s look at each of these things.

What credentials are in the configuration file?

First, we do store a very specific type of user credential, including its hashed password, in the XTM configuration file, but it is not the XTM management credentials. In the original post, Nokin implied that he was trying to recover management access to his appliance, and the reader might assume that the “superuser” credential he demonstrated in the configuration file was this management user. That is not the case. Your XTM appliance’s status and administrator management credentials are not stored anywhere in the configuration file. They are only stored on the appliance itself, and not readily accessible.

The user credentials Nokin found are actually credentials associated with our optional FireboxDB authentication database. Our devices offer the ability for you to create policies by user, not just by IP address. To do this you have to set up authentication. In most cases, users choose to authenticate with their own internal Active Directory, LDAP, or RADIUS authentication server, in which case we don’t store any credentials. However, we also offer the local FireboxDB database, for small customers who don’t have their own authentication server. The users you set up in this database are just associated with policy creation; for instance, you might use them to create a policy allowing Bob to access the Internet but not Alice. They do not have any privileged access to manage the XTM appliance itself.

It is still important to protect the credentials of your FireboxDB users, if you are using that feature, but the key point is that the management credentials to your security appliance are not compromised in any way.

What’s the big deal about the hashing algorithm?

Nokin’s post also talks about discovering the hashing algorithm we use to store these FireboxDB credentials. So what are the implications of this information?

There are two issues here, but the main one is that if an attacker knows the hashing function a particular credential uses, he can attempt to use cracking tools to find the actual password. However, notice I said attempt. Password cracking tools can attempt to crack any hashing function (LM, NTLM, MD5, SHA-1, etc.), but whether or not they succeed will depend on a few things, including password length and complexity. Simply put, if you use strong passwords, it would still take way too long to crack your password.

However, the second issue here is which hashing algorithm is used. Though you can attempt to brute-force any hashing function, some hashing algorithms take longer than others. Computers can generate NTLM hashes more quickly than newer hashing functions (like SHA-2), so cracking NTLM hashes takes less time. That said, it still takes an exponentially longer time as your password length grows. Though an attacker might be able to crack an eight character password in hours, it would take years once the password grew to 11 or 12 characters.

In any case, Nokin is correct to point out that NTLM, even with a salt, is an older hash function, and worth updating.

So should I be worried about this as a major risk?

The short answer is, no.

Though Nokin has made a good point about our hashing algorithm, ultimately this issue poses you very little risk. Here’s why:

  1. The only hashed passwords we expose are for FireboxDB users, which are not your XTM appliance’s management credentials. Attackers cannot leverage this knowledge to gain management access to your XTM device. Furthermore, if you don’t use FireboxDB authentication, there are no credentials at all in the configuration file.
  2. The password hashes Nokin found are stored in your XTM appliance’s configuration file. As you surely already know, this is a very sensitive configuration file that typically lives on the computer of your security administrator. It contains all the configuration information for your XTM device. By default, it is stored in a directory that is only accessible by the administrative user that installed our product software. Frankly, if an attacker already has enough access to the administrator machine you use to manage your network security appliance, you already have bigger problems.
  3. Even if an attacker could obtain the hashes needed to attempt a password crack, there’s no guarantee he’d succeed in his attempt. If you use strong passwords (complex combinations of 12 characters or more), it would likely take too long for attackers to crack them.

So to summarize, Nokin’s reversing work is quite impressive, and his identification of our FireboxDB hashing algorithm is right on. However, this is not an issue XTM administrators should worry about, assuming you are following a few security best practices. Attackers can’t use it to gain management access to your XTM appliance, and if you protect your XTM configuration file, as you already are, there is really little risk.

That said, I agree with Nokin. The NTLM hash algorithm, even with a salt, is not as strong in this day and age. We have already started looking at updating it. — Corey Nachreiner, CISSP (@SecAdept)

Hidden Lynx – WSWiR Episode 78

NASDAQ Vulnerabilities, NASA Defacement, and Hidden Lynx

It’s that time again, when I summarize the biggest information security (Infosec) news into a short video. If you’d like to get a quick take of what’s going on in the computer security industry, this is the show for you.

This week’s episode includes a quick note on the latest software updates, a story about NASDAQ’s delayed reaction to vulnerabilities on their site, news about Brazilian hackers potentially mistaking NASA for the NSA, and the uncovering of an advanced cyber criminal gang responsible for some of the most concerning attacks over the last few years. Check out the video for the full skinny, and don’t forget to take a peek at the Reference section for links to other stories.

Have a fun weekend and a fantastic day.

(Episode Runtime: 8:37)

Direct YouTube Link: http://www.youtube.com/watch?v=V23GxAovB-w

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Apple’s September Security-a-palooza; Includes iOS 7

If you follow my weekly security video, WatchGuard Security Week in Review, you probably already heard me mention that Apple released both an OS X and Safari security update last week. I’m guessing you’ve already applied those two updates, but if not, get to it.

However, that wasn’t the end of Apple’s patch bonanza. Throughout this week, they also released updates to fix security flaws in OS X Server, iTunes, Xcode, and of course the big one, iOS. As you probably know, the iOS update is actually the new iOS 7, a huge feature release that significantly changes and adds many features on your iPhones and iPads. What you may not know is that it also fixes over 80 vulnerabilities in the popular mobile operating system. I suspect that iOS 7 has probably already become the most quickly adopted security update ever, simply because iOS folks tend to get the latest version quickly. That said, if you haven’t taken the leap to iOS 7 yet, perhaps the security aspect of the equation might convince you.

iOS 7 aside, the other updates also fix a number of security issues in each of those popular products. I’m guessing that few users actually use Xcode (it’s for developers) or OS X Server, so the iTunes update is probably the other one you’ll be most concerned with.

In any case, if you use Apple products or devices, you’re probably affected by at least one of these issues. So I recommend you go get the corresponding updates, or let Apple’s automatic update mechanisms do their job. — Corey Nachreiner, CISSP (@SecAdept)

Install IE FixIT to Avoid Zero Day Attack

Summary:

  • This vulnerability affects: Probably all current versions of Internet Explorer (IE), but the targeted exploit only affects IE 8 and 9
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: In the worst case, an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Apply Microsoft’s IE FixIt, or consider the other workarounds below

Exposure:

Today, Microsoft released a critical out-of-cycle security advisory warning customers of a serious new zero day vulnerability affecting Internet Explorer (IE), which attackers are currently exploiting in the wild. The flaw likely affects all current versions of IE (6-11), but Microsoft claims the targeted attack only goes after IE 8 and 9 users.

The early advisory doesn’t describe the vulnerability in much technical detail, but what it does describe sounds very much like a “use after free” vulnerability involving the way IE handles certain HTML objects. Regardless of the technical details, the scope and impact is the same. If an attacker can lure you to a web site containing malicious code (including a legitimate web site which may have been hijacked and booby-trapped), he could exploit this vulnerability to execute code on your computer, with your privileges. As always, if you have local administrator privileges, the attacker could exploit this issue to gain complete control of your computer.

A remote code execution vulnerability is bad enough in theory, but knowing attackers found this one first, and are already exploiting it in the wild makes this flaw a pretty critical issue. The good news is Microsoft has released a FixIt to mitigate the risk of this flaw. We highly recommend you apply that FixIt, and also consider the other protective workarounds mentioned below.

Solution Path:

Since this vulnerability was first discovered in the wild, Microsoft has not yet had time to release a patch. However, they have released a FixIt workaround to temporarily mitigate the attack. If you use IE, I recommend you apply the FixIt immediately.

It’s important to note FixIts are temporary workarounds. They don’t replace full patches. We expect Microsoft to release a full patch for this flaw in the future, perhaps even in an out-of-cycle IE bulletin this month.

Finally, though the FixIt prevents attackers from exploiting this issue, we also offer a few other workarounds below. Some of these tips can help mitigate many web-based, memory-related vulnerabilities, so you might consider making them your regular practice:

  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue. So you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMET – EMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. EMET is a fairly complex tool, so I only recommend it to more advanced administrators. Nonetheless, installing it could help protect your computer from many types of memory corruption flaws, including this one.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to this attack.
  • Make sure your AV and IPS are up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. Be sure to keep your AV and IPS systems updating regularly, to get the latest protections.

For All WatchGuard Users:

Our IPS signature team belongs to the Microsoft Active Protections Program (MAPP). According to their advisory, Microsoft is sharing information about this attack with MAPP partners now. Due to this partnership, we’ll likely have a signature for this attack shortly. Regardless, we still highly recommend you apply Microsoft’s FixIt to protect your users.

Status:

Microsoft has released a FixIt to mitigate the issue. They plan on releasing a full patch in the future.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Q&A w/Frank Ohlhorst – WSWiR Episode 77

Encryption Backdoors, iPhone Fingerprint Scanners, and Ohlhorst Q&A

In my regular Infosec video, I typically summarize the big network and information security stories from the week; but last week’s episode was a little different. WatchGuard had the pleasure of having Frank Ohlhorst, an award-winning journalist, in our offices. Ohlhorst writes for many publications, including eWeek, Computerworld, TechTarget, and PC World. Rather than just cover the news, I took the opportunity to ask Ohlhorst a few questions about the InfoSec industry.

That said, I did spend a bit of time on the news. The episode also covers the many software updates from last week, the iPhone’s upcoming fingerprint reader, a little on a North Korean cyber attack campaign, and the latest on the NSA encryption fiasco. If you subscribe to my YouTube channel, you may have seen this episode late last Friday. If not, take the opportunity to watch below, and don’t forget to see the Reference section for more details.

(Episode Runtime: 11:38)

Direct YouTube Link: http://www.youtube.com/watch?v=7eGS4iK29zY

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Minor Local Privilege Escalation Flaw in WSM Server Software

Severity: Low

Summary:

  • This vulnerability affects: WatchGuard System Manager (WSM) Server Software.
  • How an attacker exploits it: By placing a specially crafted DLL into a specific WatchGuard path
  • Impact: When you install WSM into a non-hardened, non-default directory, local users can execute code on your Windows computer with SYSTEM privileges (see mitigating factors below)
  • What to do: If you install WSM in a non-default location, or use XP, change the directory permissions of the WatchGuard folder

Exposure:

This week, Julien Ahrens of RCE Security disclosed a local elevation of privilege vulnerability that affects the Server Software portion of WatchGuard System Manager (WSM) 11.7.4 and below. Ahrens responsibly informed us of the flaw a month before his disclosure, and had our blessing to post his findings.

Specifically, the flaw is an insecure library loading vulnerability involving two services installed as part of our Server Software package; our Log Collector and WebBlocker services. These services run with SYSTEM privileges, and load certain libraries and DLLs found in WSM’s default install directory (typically %program files%/WatchGuard/wsm11). By placing a specially crafted version of a DLL file our services look for into one of WSM’s directories, a local, authenticated attacker could exploit this flaw to execute arbitrary code with SYSTEM privileges.

However, there are many mitigating factors that significantly lessen the severity of this vulnerability.

First, in order to exploit this flaw the attacking user must have the permissions necessary to access WatchGuard’s WSM directories. By default, our installer sets restrictive permissions to these folders, but the permissions differ depending on your version of Windows:

  • If you install WSM in the default location on Windows Vista, 7, 8, Server 2008 and 2012 computers, only users with administrative privileges can access the WSM directories, making this issue moot.
  • However, if you install WSM on Windows XP, Server 2000 and 2003 computers, we also allow the Windows Power User group to access the WatchGuard folders. That said, a Power User is already a fairly privileged user. Though still a vulnerability, a Power User => SYSTEM elevation of privilege is less severe.
  • Finally, there is one case of most concern. If you install WSM on Windows Vista, 7, 8, Server 2008 and 2012 computers in a non-default location, we do not change the permissions of the folder you choose. So if you install into a folder a guest could access, this becomes a guest => SYSTEM elevation of privilege.

In other words, if you install in default locations on Windows Vista and above, you are not vulnerable to this flaw. If you use older versions of Windows, this is only a slight elevation of privilege flaw. Only when you purposely decide to install the product into a non-hardened directory does this become a more significant issue.

Also, don’t forget the normal mitigating factors associated with local vulnerabilities. In order to exploit this issue, an attacker would already need local access to the Windows computer you use for management, and he’d need credentials to log into the machine. Normal security best practices suggest that you are already protecting the machine you use to manage your security appliance, and restricting access to it in many ways. If an attacker already has local access to your management computer, you already have a big problem.

Finally, remember that this flaw only allows the attacker to elevate his privilege on your Windows computer. It does not give him access to your WatchGuard management console, nor your XTM security appliance, both of which require separate authentication.

In short, though we take all vulnerabilities in our product seriously, and do plan on fixing this one, we think it poses a very low risk in the real world. Furthermore, the simple workaround below will totally alleviate the issue.

We’d like to thank Julien Ahrens and RCE Security for bringing this matter to our attention, and following a responsible disclosure path. If you’d like to learn more detail about this flaw, including Ahrens’ technical discussion, see this Full Disclosure post or his blog post.

Solution Path:

Though we have not patched this flaw yet, a simple workaround can protect you from this issue. If you are concerned with this issue, simply hardening the directory permissions of your WatchGuard WSM folders will protect you. Here’s how:

  • If you’re using a modern version of Windows, like Vista and above, and you’ve installed WSM in the default location, you’re already safe
  • If you’re using an older version of Windows, like XP, change the folder permissions of the %program files%/WatchGuard folder to reflect the users and groups you trust. To do so, right-click on the folder and choose Properties=>Security tab and remove the write permissions for any users or groups you don’t want to have access, such as the Power User group. We recommend you limit write access to administrator users.
  • Finally, if you are using a modern version of Windows, like Vista and above, and you’ve installed WSM in a non-default location, you should also change the folder permissions of the %install dir%/WatchGuard folder to reflect the users and groups you trust, using the same directions mentioned above.

We plan on releasing a fix for the flaw in the version of WSM that immediately follows the one coming out shortly (the next release is currently in QA “code lock” status, so is not a candidate for the fix).

FAQ:

Are any of WatchGuard’s other products affected?

No. This only affects the Server Software that ships with WSM 11.7.4 and below.

What exactly is the vulnerability?

This is a local elevation of privilege vulnerability. If an attacker can gain physical (or remote desktop) access to your WatchGuard management computer, she may be able to exploit this flaw to execute code on the computer with SYSTEM privileges. However, whether or not the attacker can leverage the flaw depends on how you installed WSM, and what version of Windows you use. If you install using our defaults, you’re either not vulnerable to the issue, or the elevation is only from Power User to SYSTEM.

Does this give attackers access to my XTM security appliance?

No. This flaw only potentially allows a local user to elevate their Windows privileges. It does not give attackers any access to your management console or security appliance. That requires separate credentials.

How serious is the vulnerability?

In our opinion, this is a minor vulnerability, especially if you install WSM using our defaults. We believe most of our customers follow security best practices, and significantly restrict access to their WatchGuard management station.

Other than the workaround, when will you release an update to fix this?

We plan on fixing this issue in the release immediately following the next one. We are due to ship our latest version of WSM shortly, and it’s currently in a code lock status for QA, so we haven’t been able to work the fix into that release. Regardless, the simple workaround above—hardening your WatchGuard folder—will completely alleviate the issue.

How was this vulnerability discovered?

This flaw was discovered by Julien Ahrens of RCE Security, and confidentially reported to WatchGuard through a very responsible disclosure process. We thank Mr. Ahrens for working with us to keep our customers secure.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that this vulnerability is being exploited in the wild, nor do we believe it likely to be in the future. In fact, we believe this flaw poses a very limited risk in the real world, due to its many mitigating factors.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.
http://www.watchguard.com
corey.nachreiner@watchguard.com

Adobe Patch Day: Flash, Shockwave, and Reader; Oh My!

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Flash Player, Shockwave Player, and Reader (and Acrobat)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released three security bulletins describing vulnerabilities in Flash Player, Shockwave Player, and Reader (and the related Acrobat). A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day: Sept. 2013

  • APSB13-23: Two Shockwave Player Memory Corruption Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin describes two unspecified memory corruption vulnerabilities that affect Shockwave Player running on Windows and Macintosh computers. They don’t share any technical details about the flaws, but do share their scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit the flaw to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this vulnerability to gain full control of their computer.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB13-22: Multiple Reader and Acrobat Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes eight vulnerabilities that affect Adobe Reader and Acrobat X 11.0.03 and earlier, running on Windows or Mac. Adobe’s alert only describes the flaws in minimal detail, but most of them involve memory corruption-related vulnerabilities, such as buffer overflow and integer overflow issues. For the most part, they share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit many of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 2 for version 10 (Patch within 30 days)

  • APSB13-21: Four Flash Player Memory Corruption Flaws

Adobe’s bulletin describes four vulnerabilities in Flash Player running on all platforms. More specifically, the flaws consist of various unspecified memory corruption flaws. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe assigns these flaws their highest severity rating for Windows and Mac computers, but a lesser severity for Linux and Android devices.

Adobe Priority Rating: 1 for Windows and Mac (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash, Shockwave, or Reader files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave, Flash, or Reader content. This, however, blocks both legitimate and malicious content. If you do want to block this content via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

One Critical and Four Important Windows Updates

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: Multiple vectors of attack, including luring users to open malicious files or to run specially crafted programs
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing 11 vulnerabilities in Windows. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-070: OLE Code Execution Vulnerability

Object Linking and Embedding (OLE) is a Windows technology that lets compound documents embed, or link to, content created by other applications in other formats. OLE suffers from an unspecified object handling vulnerability, involving its inability to properly handle specially crafted OLE objects within documents. By tricking one of your users into opening a specially crafted document, an attacker could exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains complete control of their machines. All Microsoft Office documents, as well as many third-party files, can contain OLE objects, which attackers can use to exploit this flaw. This flaw only affects Windows XP and Server 2003.

Microsoft rating: Critical

  • MS13-071: Windows Theme Code Execution Vulnerability

Windows Themes are preconfigured sets of customized settings that provide a specific look, feel, and sound to your Windows desktop. Unfortunately, Windows doesn’t properly handle maliciously crafted theme files. By enticing you to load a specially crafted theme or screensaver file, an attacker can exploit this flaw to execute code on your computer with your privileges. If you’re an administrator, the attacker gains complete control of your computer. This flaw does not affect Windows 7 or 8 systems, nor Server 2012.

Microsoft rating: Important

  • MS13-076: Multiple Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode driver (win32k.sys) that implements the kernel side of the Windows graphical subsystem (window management and GDI). This driver suffers from several elevation of privilege flaws. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the risk of these flaws.

Microsoft rating: Important

  • MS13-077: Service Control Manager Elevation of Privilege Vulnerability

The Service Control Manager (SCM) is the component Windows uses to start and stop operating system services. It suffers from a specific memory corruption vulnerability, a double free condition, which a local attacker could leverage to elevate their privileges. By running a specially crafted program, a local attacker could exploit this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the severity of this flaw. Also, the flaw only affects Windows 7 and Server 2008.

Microsoft rating: Important

  • MS13-079: Active Directory Denial of Service Vulnerability

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with the Server versions of Windows. AD suffers from a denial of service (DoS) vulnerability caused by its inability to properly handle specially crafted LDAP queries. By sending a malicious LDAP query to an AD server, an attacker could force the server’s LDAP service to stop responding, putting it into a denial of service state. However, administrators typically limit LDAP access to their local network, so this vulnerability primarily poses an internal threat. Note: the flaw also affects Active Directory Lightweight Directory Services (AD LDS), which can be installed on client versions of Windows, so it is not confined to the Server editions.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, test updates before deploying them, especially server-related ones.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (like blocking access to your AD server, or preventing users from downloading theme or screensaver files), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Office Updates Fix SharePoint, Outlook, Word, and More

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and other components
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released seven security bulletins that fix 26 vulnerabilities in a range of Microsoft Office products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and an IME component. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-067: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from a number of vulnerabilities, ranging from remote code execution flaws to a denial of service (DoS) condition. The worst vulnerability is an input validation flaw involving how SharePoint handles specially crafted content. If an attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the privileges of the account the IIS worker process (w3wp.exe) runs as.

Microsoft’s bulletin doesn’t spell out what privileges that account has, because it varies: w3wp.exe runs under the identity of the application pool that owns the site, which is a built-in low-privilege account (ApplicationPoolIdentity or Network Service) by default, but on SharePoint farms is commonly a domain service account. The WWW Publishing Service that spawns w3wp.exe does run inside an svchost.exe as local SYSTEM, but the worker process does not inherit those privileges, so code execution here is not automatically a complete system compromise. It is still code execution on your SharePoint server, with access to everything the farm account can reach, and a foothold from which to go after the rest of the farm. Microsoft assigns this flaw their highest severity rating, so SharePoint administrators should patch as soon as possible, especially if the server is reachable from the Internet.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.
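As a practical check of the point above, here is an added example (our illustration, not WatchGuard’s or Microsoft’s code) that reads the owner of each w3wp.exe process from the built-in tasklist command and classifies it: SYSTEM means a worst-case compromise, a built-in pool identity means the attacker is confined to a low-privilege account, and a custom service account means the impact depends on that account’s group memberships. The tasklist output, PIDs, pool names and accounts shown in the block are constructed, and the verdict labels are our own.

```python
"""Classify the account each IIS worker process (w3wp.exe) runs as.

Added example, not WatchGuard's or Microsoft's code.  MS13-067 hands an
attacker the w3wp.exe account's privileges, so the practical impact depends on
the application pool identity, not on the SYSTEM-level svchost.exe that
spawns the worker.  On a Windows host this shells out to the built-in
`tasklist` command; parsing and classification are pure Python so they can be
exercised with the constructed sample below.
"""
import csv
import io
import subprocess
from typing import Dict, List

# Verdict codes and what they mean for an MS13-067 style compromise.
VERDICTS = {
    "system": "NT AUTHORITY\\SYSTEM: code execution here is a full host compromise",
    "builtin": "built-in low-privilege pool identity (ApplicationPoolIdentity / Network Service)",
    "custom": "custom service account: impact depends on its group memberships, check local Administrators",
    "unknown": "owner not visible: re-run tasklist from an elevated prompt",
}

# Constructed sample of `tasklist /V /FO CSV /FI "IMAGENAME eq w3wp.exe"` output.
# Column layout matches tasklist; the PIDs, pool names and accounts are made up.
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"\r\n'
    '"w3wp.exe","4120","Services","0","181,220 K","Unknown","IIS APPPOOL\\SharePoint - 80","0:01:12","N/A"\r\n'
    '"w3wp.exe","5532","Services","0","402,004 K","Unknown","CORP\\svc_spcontent","0:05:40","N/A"\r\n'
    '"w3wp.exe","6010","Services","0","97,112 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:03","N/A"\r\n'
    '"w3wp.exe","6222","Services","0","55,000 K","Unknown","N/A","0:00:01","N/A"\r\n'
)


def parse_tasklist_csv(text: str) -> List[Dict[str, str]]:
    """Parse `tasklist /FO CSV` output into one dict per row.

    When the filter matches nothing, tasklist prints an INFO line instead of
    CSV; DictReader then sees a header with no rows and we return [].
    """
    return list(csv.DictReader(io.StringIO(text)))


def classify_identity(user: str) -> str:
    """Map a tasklist 'User Name' value to one of the VERDICTS keys."""
    u = user.strip().lower()
    if u in ("", "n/a"):
        return "unknown"  # tasklist hides other users' processes unless elevated
    if u == "nt authority\\system":
        return "system"
    if u.startswith("iis apppool\\") or u in (
        "nt authority\\network service",
        "nt authority\\local service",
    ):
        return "builtin"
    return "custom"


def w3wp_identities(tasklist_csv: str) -> Dict[int, str]:
    """Return {pid: verdict} for every w3wp.exe row in the tasklist output."""
    verdicts: Dict[int, str] = {}
    for row in parse_tasklist_csv(tasklist_csv):
        if row.get("Image Name", "").lower() == "w3wp.exe":
            verdicts[int(row["PID"])] = classify_identity(row.get("User Name", ""))
    return verdicts


def live_tasklist() -> str:
    """Run tasklist on the local Windows host (use an elevated prompt so the
    owner of every process is visible)."""
    cmd = ["tasklist", "/V", "/FO", "CSV", "/FI", "IMAGENAME eq w3wp.exe"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:
        output = live_tasklist()
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_TASKLIST  # not on Windows: fall back to the sample
    for pid, code in sorted(w3wp_identities(output).items()):
        print(f"w3wp.exe pid {pid}: {VERDICTS[code]}")
```

Run it from an elevated prompt on the SharePoint box; a "custom" verdict is the cue to check that the service account is not a member of the local Administrators group, since that is what turns the MS13-067 code execution into a full compromise.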

Microsoft rating: Critical

  • MS13-068: Outlook S/MIME Code Execution Flaw

Outlook is the popular Windows email client that ships with Office. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for signing and encrypting MIME data; put more simply, it lets you sign and encrypt email. Outlook suffers from a code execution vulnerability involving the way it handles specially crafted S/MIME messages. An attacker could exploit this flaw to execute code on your computer simply by sending you a specially crafted email (though you’d have to open or preview the message first). The code runs with your privileges, and if your users have local administrator privileges, the attacker gains complete control of their PCs. This flaw sounds, and is, pretty severe, with one caveat: Microsoft believes it is technically difficult to exploit. Nonetheless, we recommend you apply the patch posthaste.

Microsoft rating: Critical

  • MS13-072: Ten Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It suffers from ten memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage these flaws to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaws only affect the Windows versions of Word and Word Viewer, not Word for Mac.

Microsoft rating: Important

  • MS13-073: Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. These flaws are essentially the same as the Word ones described above, but they affect Excel documents. In short, if an attacker tricks you into opening a malicious Excel file, he can execute code as you. If you’re a local administrator, he has full control of your computer. Again, the flaws only affect the Windows versions, not the Mac ones.

Microsoft rating: Important

  • MS13-074: Three Access Memory Corruption Vulnerabilities

Access is the popular database program that ships with Office. It suffers from three memory corruption vulnerabilities having to do with how it handles specially crafted database files. These flaws are identical in scope and impact to the two above, only they affect Access files. If you open the wrong database, an attacker can execute code as you.

Microsoft rating: Important

  • MS13-078: FrontPage Information Disclosure Vulnerability

FrontPage is a WYSIWYG HTML editor for creating web sites, which ships with Office. It suffers from an information disclosure vulnerability. If an attacker can trick a FrontPage user into opening a specially crafted FrontPage document, she could exploit this flaw to read the contents of any file on that user’s computer (assuming she knows the location of the file she is after).

Microsoft rating: Important

  • MS13-075: Chinese IME Elevation of Privilege Vulnerability

Input Method Editors (IME) are optional components that allow Latin keyboard users to type non-Latin characters in Office or Windows. Unfortunately, the Office IME for Pinyin Chinese suffers from an elevation of privilege (EoP) vulnerability. If an attacker can gain local access to your computer using valid Windows credentials, he could run a specially crafted program that gives him full SYSTEM-level privileges on your computer. Of course, the attack only affects those who’ve specifically installed the Pinyin Chinese Office IME, and the attacker must have a valid login to exploit the issue.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server, or use the SMTP proxy to block messages containing S/MIME content (by blocking the application/pkcs7-mime MIME content type). Keep in mind that the latter blocks legitimate encrypted mail along with malicious messages.
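To make the content-type check concrete, here is an added example (our illustration, not WatchGuard code and not how the XTM proxy is implemented) of the decision an SMTP gateway filter makes: it walks every MIME part of a message and flags application/pkcs7-mime bodies, including the legacy application/x-pkcs7-mime form and bodies nested inside a multipart wrapper, which a filter that only looks at the top-level header would miss. The sample messages, addresses and base64 payloads are constructed for the example; detached signatures from clear-signed mail are handled separately, because they leave the message body readable.

```python
"""Flag mail carrying S/MIME content the way an SMTP gateway content filter would.

Added example, not WatchGuard code: a minimal version of the content-type check
described above, run over constructed sample messages.  It walks every MIME
part, so a pkcs7-mime body nested inside a multipart wrapper or a forwarded
message is caught, not just a top-level one.
"""
from email import message_from_string
from typing import List, Optional, Tuple

# S/MIME enveloped (encrypted) and opaque-signed bodies (RFC 5751 section 3.2),
# plus the legacy x- form some older clients still emit.  Outlook has to parse
# these to display the message, which is where MS13-068 bites.
SMIME_BODY_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
# Clear-signed mail keeps the body readable and carries a detached signature.
SMIME_SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def smime_parts(raw: str) -> List[Tuple[str, Optional[str]]]:
    """Return (content_type, smime-type parameter) for each S/MIME part in raw."""
    found = []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()  # normalised to lower-case "type/subtype"
        if ctype in SMIME_BODY_TYPES or ctype in SMIME_SIGNATURE_TYPES:
            found.append((ctype, part.get_param("smime-type")))
    return found


def should_block(raw: str, block_signatures: bool = False) -> bool:
    """Gateway decision.  pkcs7-mime bodies are always blocked; detached
    signatures only when block_signatures is set, since clear-signed mail does
    not hide its body from the recipient or from the AV scanner."""
    for ctype, _ in smime_parts(raw):
        if ctype in SMIME_BODY_TYPES:
            return True
        if block_signatures and ctype in SMIME_SIGNATURE_TYPES:
            return True
    return False


# Constructed sample messages (addresses and base64 payloads are placeholders).
PLAIN = (
    "From: a@example.test\r\nTo: b@example.test\r\nSubject: hi\r\n"
    "Content-Type: text/plain\r\n\r\nhello\r\n"
)
ENVELOPED = (
    "From: a@example.test\r\nTo: b@example.test\r\nSubject: secret\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="smime.p7m"\r\n\r\n'
    "MIAGCSqGSIb3DQEHA6CAMIACAQAxggEA\r\n"
)
NESTED = (  # legacy type, mixed case, hidden inside a multipart/mixed wrapper
    "From: a@example.test\r\nTo: b@example.test\r\nSubject: fwd\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    "--XYZ\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    "--XYZ\r\n"
    'Content-Type: Application/X-PKCS7-Mime; name="smime.p7m"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nMIAGCSqGSIb3DQEHA6CA\r\n"
    "--XYZ--\r\n"
)
CLEAR_SIGNED = (
    "From: a@example.test\r\nTo: b@example.test\r\nSubject: signed\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
    'micalg=sha-256; boundary="SIG"\r\n\r\n'
    "--SIG\r\nContent-Type: text/plain\r\n\r\nreadable body\r\n"
    "--SIG\r\n"
    'Content-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nMIAGCSqGSIb3DQEHAqCA\r\n"
    "--SIG--\r\n"
)

if __name__ == "__main__":
    for name, msg in [("plain", PLAIN), ("enveloped", ENVELOPED),
                      ("nested", NESTED), ("clear-signed", CLEAR_SIGNED)]:
        print(f"{name:12s} parts={smime_parts(msg)} block={should_block(msg)}")
```

The match is on the parsed, normalised content type rather than a substring of the raw header, so case tricks and extra parameters do not slip past it, and because the filter blocks on type rather than on the smime-type parameter, an attacker cannot dodge it simply by omitting that parameter.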

Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of these attacks:

  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -1 (CVE-2013-0081)
  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -2 (CVE-2013-0081)
  • EXPLOIT Microsoft Office Could Allow Remote Code Execution (CVE-2013-3850)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -1 (CVE-2013-3180)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -2 (CVE-2013-3180)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -3 (CVE-2013-3180)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
