Archive | December, 2013

2014 Security Predictions: Defending Against Future Digital Disaster

Click on the image to download the “2014 Security Predictions Infographic.”

After all the headline-grabbing cyber attacks this year, don’t you wish you could gaze into future headlines and project the next big cyber threat? While we may not have that superpower just yet, we can make our 2014 security predictions.

At the end of every year, WatchGuard reflects on the threat landscape and analyzes past information security incidents, in order to forecast next year’s security trends and major threats. Our hope is to provide a little insight into the future, so you can prepare your defenses in advance.

Last year was quite eventful, from NSA leaks to a huge Adobe data breach, and we expect the fast pace of security incidents to continue to grow next year. Could a Hollywood hack come true? Will there be a U.S. Healthcare.gov data breach? Should you expect CryptoLocker clones?

Here’s a quick high-level list of WatchGuard’s eight security predictions. Want more detail? Keep scrolling down for a complete breakdown of each topic:

  1. Hackers Harass U.S. Healthcare Hangout – WatchGuard anticipates that the U.S. HealthCare.gov site will suffer at least one data breach in 2014.
  2. Increased Cyber Kidnappings Raise Attacker Profits – In 2014, WatchGuard expects many other cyber criminals will try to copy CryptoLocker’s success by mimicking its techniques and capabilities.
  3. A Hollywood Hack – In 2014 a major state-sponsored attack may bring a Hollywood movie hack to life that exploits a flaw against critical infrastructure.
  4. Bad Guys Break the Internet of Things (IoT) – Next year, WatchGuard expects white and black hat hackers to spend more time cracking non-traditional computer devices such as cars, watches, toys and medical devices.
  5. 2014 is the Year of Security Visibility – WatchGuard anticipates that in 2014 more organizations will deploy security visibility tools to help identify vulnerabilities and set stronger policies to protect crucial data.
  6. A High-profile Target Suffers a Chain-of-Trust Hack – As advanced attackers go after harder targets, expect to see more “chain-of-trust” cyber breaches in 2014, where hackers hijack partners in order to gain access to high level organizations.
  7. Malware Gets Meaner – Plan for an increase in destructive viruses, worms and Trojans in 2014.
  8. Network Attackers Become Cyber Shrinks – In 2014, expect attackers to focus more on psychology than technology, with techniques like convincing phishing emails and leveraging pop culture, to target the weakest link – the user.

Read below for an in-depth review of these predictions, and check out our prediction page for more.

In-Depth Review:

Hackers Harass U.S. Healthcare Hangout

WatchGuard anticipates that the U.S. HealthCare.gov site will suffer at least one data breach in 2014. Between its topical popularity and the value of its data store, Healthcare.gov is an especially attractive cyber attack target. In fact, this has already happened to some extent. Security researchers have already pointed out minor security issues, including evidence of web application vulnerabilities and an attempted Denial-of-Service (DoS) attack.

The Deep Dive: The United States’ (US) new Patient Protection and Affordable Care Act (PPACA), colloquially known as Obamacare, hinges on the use of online healthcare insurance exchanges, which are essentially cyber marketplaces where patients can purchase healthcare at discounted group rates. Healthcare.gov is the glue connecting US citizens to all the state exchanges and the oracle that helps you navigate your way through the new healthcare and health insurance process. Unfortunately, its key position also makes Healthcare.gov an especially attractive cyber attack target in 2014.

First, as the online cornerstone of the new US healthcare system, healthcare.gov will certainly garner a lot of attention over the next year. It is already the topic of heated political debate, which puts it in the news quite regularly. This increased media coverage will certainly draw the attention of white and black hat hackers alike. Imagine you’re a hacktivist trying to make a big political message… what better place to capture the notice of millions?

Second, in order to do its job the site needs to ask citizens for some pretty personally identifying information (PII). For instance, you have to share your social security number with the site for identity purposes. This makes Healthcare.gov, and all the online exchanges under it, a pretty important overseer for some pretty sensitive data, which obviously also makes it an attractive target to malicious hackers.

Between its topical popularity and the value of its data store, we believe both good and bad hackers will target Healthcare.gov in 2014. None of this is to say you should avoid healthcare.gov, or that it’s any worse than any of the millions of other websites we share our valuable data with. In fact, its current high profile means that the folks managing it will likely focus heavily on its defense. We’d argue that in time Healthcare.gov will likely be more secure than the majority of sites out there. However, we also know things sometimes have to get a bit worse before they get better. That’s why we forecast that Healthcare.gov will suffer at least one data breach in 2014.

Increased Cyber Kidnappings Raise Attacker Profits

Ransomware, a class of malicious software that tries to take a computer hostage, has grown steadily over the past few years, but a particularly nasty variant emerged in 2013: CryptoLocker. This year it has affected millions, and its authors are suspected to have made a high return on their criminal investment. In 2014, WatchGuard expects many other cyber criminals will try to copy CryptoLocker’s success by mimicking its techniques and capabilities. Plan for a surge of ransomware in 2014.

Criminal hackers are always looking for surprising new ways to increase their profits. Ransomware is a class of malicious software that tries to take your computer hostage, or “kidnaps” your important files, making it so you can’t access your data or use your computer. Criminals then try to extort you for a relatively small sum of money in order for you to regain access to your computer or its files.

But a particularly nasty variant emerged in 2013 – Cryptolocker. It arrives in various ways, including as an attachment to a phishing email, or through websites hosting malicious drive-by downloads. It encrypts many of your important files, including Office documents, pictures, and digital certificates. Then it tries to get you to pay $300 to get them back.

However, Cryptolocker is much smarter and much more aggressive in its techniques. It uses industry-standard encryption to ensure you can’t reclaim your files; it uses a domain generation algorithm (DGA) to make sure it can always reach its master; and it uses Bitcoin to make it harder for authorities to track these illegal payments. In short, Cryptolocker has affected millions, and we suspect its authors have made quite the return on their criminal investment.

A Hollywood Hack

In 2014 a major state-sponsored attack may bring a Hollywood movie hack to life that exploits a flaw against critical infrastructure. Even if these systems are kept offline, the often-cited Stuxnet proved that motivated cyber attackers could infect non-networked infrastructure, with some potentially disastrous results.

You’ve seen it in the movies. A big hack that drains the Federal Reserve Bank, shuts down power in all the big cities, or causes a critical dam to fail and flood a town downstream. These types of cyber attacks sound like science fiction, and so far they have mostly stayed in that realm. However, our critical infrastructure really does rely on computers and—despite best practices saying otherwise—we are slowly putting some of this infrastructure online.

As a result, researchers have spent the past few years discovering and studying the vulnerabilities in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) solutions, and their findings aren’t great… These systems have many holes.

We think a malicious actor or nation-state might realize a Hollywood-like hack next year, by exploiting a flaw against critical infrastructure.

Bad Guys Break the Internet of Things (IoT)

There are computers in everything!

Ok… Not literally, but some days it sure seems that way. We have computers in our cars, pacemakers, televisions, watches, kids’ toys, cameras, baby monitors, and we are even trying to strap them to our heads inside a pair of eyeglasses. Furthermore, most of these non-traditional computers include all kinds of interesting information-gathering sensors, including GPS, accelerometers, altimeters, photodetectors, and good old-fashioned cameras (video and still). Finally, most of them can connect wirelessly, and they treat security like an afterthought.

When you add this all up, it’s like Christmas for hackers – white hat and black hat alike. The Internet of Things (IoT) provides a playground of connected devices for curious and malicious computer experts to have fun with. Want to make a car think it’s flying? You can! How about trolling a baby over the Internet? It’s been done. However, things can also take a dark turn, as with an ex-vice president disabling his implanted defibrillator’s wireless feature to avoid assassination.

Security experts have warned about securing the IoT for a while now. However, the market is just now catching up with that expectation, with more and more embedded computing devices showing up in stores every day. Next year, WatchGuard expects white and black hat hackers to spend more time cracking non-traditional computer devices such as cars, watches, toys and medical devices. WatchGuard suspects that good and bad hackers will focus heavily on finding holes in these IoT devices in 2014.

2014 is the Year of Security Visibility

In the past few years, cyber attackers have successfully breached many big companies, despite the victims having common security defenses, like firewalls and antivirus. Furthermore, many of these victims didn’t even realize they were compromised until it was much too late.

So what’s the problem? Do our cyber security controls not work or are we doing something wrong? We think the issue is threefold:

  1. Most businesses still rely on legacy defenses, such as stateful packet filtering firewalls, which don’t help against today’s threats.
  2. They don’t configure their security controls properly, and often don’t enable their best defenses, or accidentally bypass them. (In fact, Gartner says 95% of firewall breaches are due to misconfigurations.)
  3. They are drowning in oceans of security logs, making it impossible for them to recognize the important security events that they need to react to.

WatchGuard anticipates that in 2014 more organizations will deploy security visibility tools to help identify vulnerabilities and set stronger policies to protect crucial data. Expect 2014 to be the year of security visibility.

A High-profile Target Suffers a Chain-of-Trust Hack

Cyber attackers have clearly gotten more sophisticated over the years, especially those associated with state-sponsored hacking. These advanced hackers also target a higher level of victim, regularly going after government and military organizations, critical infrastructure providers, and Fortune 500 businesses.

These top-level victims tend to have a higher security pedigree, and are NOT soft targets. Yet they can still fall to the persistent, advanced attacker who preys on the weakest link in a victim’s chain of trust—your partners and contractors.

In many of the most sophisticated attacks, bad actors had to first infiltrate secondary or tertiary targets in order to gain access to some asset needed to compromise the intended victim. For instance, hackers targeting Lockheed Martin first needed to steal SecurID seed data from RSA (and their ultimate target may have been the US military, a customer of Lockheed Martin). We’re also seeing more and more cases where attackers hijack digital certificate providers, or steal the certificates from smaller companies, for use in a more specific targeted attack.

As advanced attackers go after harder targets, expect to see more “chain-of-trust” cyber breaches in 2014, where hackers hijack partners in order to gain access to high level organizations.

Malware Gets Meaner

Whether it’s because we are more paranoid than the average bear, or just plain tinfoil hats, security professionals often like to imagine worst-case scenarios. You know, scenarios like some doomsday malware that deletes everyone’s hard drives, launches the world’s complete arsenal of nuclear weapons, and evolves into an evil, self-aware “Skynet” to enslave humankind.

While often amusing to imagine, and sometimes even theoretically possible, these worst-case scenarios are rarely seen in the real world. Most cyber attacks and malware are not purposely destructive. If you think about it from the attacker’s perspective, it typically just doesn’t make sense to destroy your victim’s resources. If you destroy your victim’s computer, you can’t spy on them and gain access to other resources. Not to mention, you also give yourself away.

However, changes in hacker profiles have resulted in more cases where cyber destruction might become a valid goal for network attackers. For instance, hacktivists or nation-state actors who want to send a brash message, or to disable an adversary’s systems, may turn to destructive attacks, like the case of the disk wiper malware seen in a South Korean attack. Cyber criminals may also realize the threat of imminent destruction could help increase cyber extortion success rates, as seemed to be the case with the countdown timer Cryptolocker used to scare victims into compliance.

Whatever the reason, we think malware will get meaner in 2014, and you can expect to see more cases of destructive malware and attacks.

Network Attackers Become Cyber Shrinks

The information security battle has always been like a pendulum, with the technical advantage swinging back and forth between the attacker and defender. As defenders develop new security technologies to get the leg up, attackers develop new evasion techniques and reclaim the advantage—the cycle goes on ad infinitum.

Over the last few years, the attackers have had the advantage, leveraging more sophisticated attack techniques and using advanced evasion tactics to get past legacy defenses. However, the tide is turning. Next year, defenders will have more access to next generation security solutions and new advanced threat protection capabilities, swinging the technological security pendulum back in our direction.

While that’s good news, don’t expect cyber criminals to give up that easily; rather, expect them to change their strategy. There are two ways attackers can compromise our networks: they can exploit technical weaknesses or they can prey on sociological ones. As we regain the technical advantage, expect cyber criminals to refine their social engineering skills and concentrate more on attacking flaws in human nature. In fact, they’ve already done a good job in this area. Their phishing emails are better written and more convincing, they’re masters at leveraging pop culture, and they know our worst habits.

In 2014, you should expect attackers to focus more on psychology than technology, and target your weakest link—the user.

— Corey Nachreiner, CISSP (@SecAdept)

Cyber Sharking – WSWiR Episode 88

Tons of Patches, Facebook Scams, and Games for Security

If you’re in a country that celebrates the Christmas holidays, it’s probably getting a little quieter at work lately. With that extra free time, why don’t you catch up on the week’s latest security news with our regular episode of WatchGuard Security Week in Review?

Today’s show covers the patches from patch week, the latest NSA hijinks, a wide-spread Facebook phishing scam, and a story about how playing video games can help improve software security. Like always, I also include links to all these stories, and a few extras, in the references below.

Quick show note: I’ll be taking some time off for the holidays, so this may be the last video until next year (though I may release a short one next week). Keep safe out there, and have a happy holiday!

(Episode Runtime: 7:27)

Direct YouTube Link: http://www.youtube.com/watch?v=7325aKAWktg

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Zero Day Flash Patch & Shockwave Update

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Flash and Shockwave Player
  • How an attacker exploits them: By enticing you to run malicious Flash or Shockwave content from web pages or embedded within documents
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released two security bulletins describing vulnerabilities in Flash and Shockwave Player. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day - Dec, 2013

  • APSB13-29: Two Shockwave Player Memory Corruption Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin describes two unspecified memory corruption vulnerabilities that affect Shockwave Player running on Windows and Macintosh computers. They don’t share any technical details about the flaws, but do share their scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit these flaws to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this vulnerability to gain full control of their computer.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB13-28: Zero Day Flash Player Code Execution Flaw

Adobe’s bulletin describes two vulnerabilities in Flash Player running on all platforms, including one code execution flaw attackers are currently exploiting in the wild. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit the worst of these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe warns that attackers are exploiting this flaw in the wild. The attack arrives as a malicious Word document containing embedded Flash content. They have assigned these flaws their highest severity rating for Windows and Mac computers, but a lesser severity for Linux and Android devices. If you are a Windows Flash user, we recommend you apply this update immediately.

Adobe Priority Rating: 1 for Windows and Mac (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome you’ll have to update it separately to get the latest Flash fixes.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Shockwave files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave and Flash. This, however, blocks both legitimate and malicious content. If you do want to block this content via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe has released patches correcting these issues.

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Trio of Office Updates Fix SharePoint Flaw & ASLR Bypass

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products, including SharePoint
  • How an attacker exploits them: Varies. Typically by enticing users to visit malicious web content or open Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a like number of vulnerabilities in Microsoft Office and related products like SharePoint. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-100: SharePoint Code Execution Vulnerability

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from an unspecified remote code execution flaw having to do with how it parses specially crafted page content. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP service account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default, potentially making this a complete system compromise. However, Microsoft assigns this particular flaw an Important severity rating, probably because the attacker needs valid SharePoint credentials to exploit it.

Microsoft rating: Important

  • MS13-104: Office Access Token Hijacking Flaw

When you log in to an Office or SharePoint server, the server verifies your credentials and then produces an access token, which allows you to continue accessing the server for a limited period of time. Office suffers from an unspecified flaw having to do with how it handles documents hosted on web sites. If an attacker can entice you into opening an Office document hosted on a malicious site, he could exploit this flaw to gain access to your access token, and then may be able to leverage that token to hijack your SharePoint or Office server sessions.

Microsoft rating: Important

Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. One of the shared components that ships with Office products doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. Since Internet Explorer (IE) loads this component, it’s particularly useful for attackers. This update fixes the ASLR bypass hole. If you’d like more details about this fix, and how it helps your overall Windows security, see this Microsoft blog post. Though Microsoft only gives this their medium severity rating, we recommend you apply the update quickly.

Microsoft rating: Important

As an aside, Microsoft also released a security bulletin (MS13-103) describing a flaw that primarily affects developers and organizations that specifically use the ASP.NET SignalR library. If you happen to use the ASP.NET SignalR library, do know it suffers from a relatively minor cross-site scripting (XSS) vulnerability, and you should update.

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server. Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Quintuple of Windows Updates Patch Zero Day Flaw and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites or into viewing malicious images
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing a like number of vulnerabilities in Windows and its components. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-096: GDI+ Memory Corruption Vulnerability

The Graphics Device Interface (GDI+) is one of the Windows components that helps applications output graphics to your display or printer. GDI+ suffers from a memory corruption vulnerability involving its inability to properly handle specially malformed TIFF images (.tif). By enticing one of your users into viewing a malicious image, perhaps embedded in an email or web site, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer. This is the zero day vulnerability we warned you about in early November. Attackers are already exploiting it in the wild, so we recommend you patch immediately.

Microsoft rating: Critical

  • MS13-098: Windows Authenticode Signature Validation Vulnerability

Windows contains Authenticode technology, which is a digital certificate-based code signing implementation designed to allow you and the operating system to verify the integrity and reputation of software. It works on the premise that if you download software signed by a vendor, say WatchGuard, and that software passes Windows’ Authenticode validation, then you can trust the software really comes from WatchGuard and hasn’t been modified in any way.

However, this bulletin describes a flaw in the way the Windows Authenticode Signature Validation function (WinVerifyTrust) checks Portable Executable (PE) files. In short, an attacker can create a specially crafted PE file that passes Windows’ Authenticode validation even after the attacker has maliciously modified the executable. If an attacker can get one of your users to download and run such an executable file, he could exploit this flaw to gain access to that user’s computer, with that user’s privileges. If the user had local administrator privileges, the attacker gains full control of the computer. The good news is, most users are very suspicious of unsolicited executable files they receive via email or the web. Hopefully, your users already know not to handle these sorts of unsolicited files. However, this flaw specifically bypasses a mechanism Microsoft uses to help users validate the reputation of files, so smart attackers could leverage it to help convince users to run executables they otherwise wouldn’t have. We recommend you patch this vulnerability as quickly as possible.

Microsoft rating: Critical
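Both the Office bulletin above (a shared component shipped without ASLR opt-in) and MS13-098 here (Authenticode validation of PE files) come down to fields in the PE header that a defender can inventory statically. The script below is an added example, not WatchGuard’s or Microsoft’s code: it parses the PE optional header to report whether a module sets the real IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and NX_COMPAT flags (the opt-in ASLR and DEP need) and whether the Authenticode certificate table (data directory 4) is present at all. It only tells you a signature blob exists; actually validating it is the job of WinVerifyTrust, the very function this bulletin patches. The sample images and the file names in the triage call are constructed for the demonstration.

```python
"""Static PE header inventory: ASLR/DEP opt-in flags and presence of an
Authenticode certificate table.  Added example; sample images are constructed."""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # image may be rebased: ASLR-compatible
NX_COMPAT = 0x0100         # DEP-compatible
HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR
CERT_TABLE_INDEX = 4       # IMAGE_DIRECTORY_ENTRY_SECURITY


def inspect_pe(data: bytes) -> dict:
    """Return ASLR/DEP flags and whether a certificate table entry is present.
    Raises ValueError for anything that is not a well-formed PE header."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + opt_size:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    has_cert = False
    if opt_size >= dirs_off + (CERT_TABLE_INDEX + 1) * 8:
        (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)  # NumberOfRvaAndSizes
        if ndirs > CERT_TABLE_INDEX:
            entry = opt + dirs_off + CERT_TABLE_INDEX * 8
            cert_off, cert_size = struct.unpack_from("<II", data, entry)
            has_cert = cert_off != 0 and cert_size != 0
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "has_certificate_table": has_cert,
    }


def build_sample(dll_chars: int, signed: bool, pe32plus: bool = False) -> bytes:
    """Constructed, headers-only PE image used as demonstration input."""
    opt_size = (112 if pe32plus else 96) + 16 * 8          # 16 data directories
    img = bytearray(64 + 4 + 20 + opt_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)                  # e_lfanew
    img[64:68] = b"PE\0\0"
    struct.pack_into("<H", img, 64 + 4 + 16, opt_size)     # SizeOfOptionalHeader
    opt = 64 + 4 + 20
    struct.pack_into("<H", img, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", img, opt + 70, dll_chars)
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", img, opt + ndirs_off, 16)       # NumberOfRvaAndSizes
    if signed:
        # Certificate table: file offset and size of the WIN_CERTIFICATE blob.
        struct.pack_into("<II", img, opt + dirs_off + CERT_TABLE_INDEX * 8, 0x1000, 0x800)
    return bytes(img)


def triage(modules: dict) -> list:
    """Map of name -> file bytes; returns findings a defender would chase."""
    findings = []
    for name, data in modules.items():
        info = inspect_pe(data)
        if not info["aslr"]:
            findings.append("%s: no DYNAMIC_BASE (ASLR bypass candidate)" % name)
        if not info["has_certificate_table"]:
            findings.append("%s: no Authenticode certificate table" % name)
    return findings


if __name__ == "__main__":
    # Constructed sample modules; on a real host read the bytes from disk.
    samples = {
        "hardened.dll": build_sample(DYNAMIC_BASE | NX_COMPAT, signed=True),
        "legacy.dll": build_sample(NX_COMPAT, signed=False),
    }
    for line in triage(samples):
        print(line)
```

Run it over the DLLs an application actually loads (Office’s shared components, anything IE pulls in) and any module reported without DYNAMIC_BASE is exactly the kind of component the Office bulletin describes; a missing certificate table flags an unsigned binary, though a present one still has to be validated by the patched WinVerifyTrust before it means anything.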

  • MS13-099: Scripting Runtime Object Library Code Execution Vulnerability

Windows ships with a component called the Microsoft Scripting Runtime Object Library to help the operating system handle running VBA or scripts. This component suffers from a type of memory corruption vulnerability called a use-after-free flaw. By luring one of your users to a website containing some evil script, an attacker could exploit this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, then the attacker gains full control of their computer.

Microsoft rating: Critical

  • MS13-101: Multiple Kernel-Mode Driver Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers from five vulnerabilities, including two memory corruption vulnerabilities that local attackers can leverage to elevate their privileges. If a hacker can log in to your system with valid credentials, and can run a specially crafted program, she can exploit these memory corruption flaws to gain full SYSTEM level privileges on your computer (regardless of the attacker’s original privileges).

Microsoft rating: Important

  • MS13-102: LRPC Buffer Overflow Vulnerability

Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and then receive the results of that task. Windows uses something called Local RPC (LRPC) to send messages and tasks to a server running on the same computer as the client. There is a buffer overflow vulnerability in Windows’ implementation of LRPC. By running a malicious server on a victim computer, and having the server send a specially crafted LRPC message, an attacker could exploit this vulnerability to gain complete control of your Windows machines. That said, the attacker needs valid credentials to log into your Windows computer in order to run his malicious server locally.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them, especially server-related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as allowing you to block .tif files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

December IE Patch Corrects Memory Corruption and Privilege Elevation Issues

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes seven new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

The seven vulnerabilities differ technically, but the five most serious ones share the same general scope and impact, and involve various memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these five vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

The remaining two vulnerabilities are elevation of privilege flaws that attackers might use in conjunction with other attacks.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s December IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. Make sure to use our security services, and keep their signatures up to date. Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Latest Exchange Update Fixes Three Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Exchange Server 2007, 2010, and 2013
  • How an attacker exploits it: By sending an email with a specially crafted email attachment
  • Impact: An attacker can execute code with the restricted privileges of the LocalService account
  • What to do: Deploy the appropriate Exchange Server update as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Microsoft Exchange is one of the most popular email servers used today. It includes many advanced features and capabilities. One such feature, called WebReady Document Viewing, allows your email users to preview attached documents as web pages. Exchange leverages Oracle’s Outside In technology to parse these documents and provide these previews. Newer Exchange servers also have a Data Loss Prevention (DLP) feature which uses this technology.

According to today’s bulletin, Exchange suffers from three vulnerabilities, including two remote code execution flaws and a cross-site scripting (XSS) vulnerability. The worst flaw has to do with the Oracle Outside In technology used by WebReady Document Viewing and DLP. By sending an email with a specially crafted attachment to your Exchange server, an attacker can exploit the worst of these flaws to execute code directly on your server. Luckily, the code only runs with LocalService account permissions, which has very limited privileges. On most Exchange servers, this attack only works against victims who check and preview mail using Exchange’s Outlook Web App (OWA). However, if you’ve enabled DLP in Exchange 2013, just receiving a malicious email can trigger this flaw.

By the way, if this issue seems familiar to you, it’s because it is very similar to some previous Exchange WebReady Document Viewing issues.

Solution Path:

Microsoft has released Exchange updates to correct these vulnerabilities. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s Exchange bulletin.

Be sure to test this Exchange update before pushing it to your production servers. Administrators have had issues with past Exchange updates.

For All WatchGuard Users:

Though you can configure our XTM and XCS appliances to strip certain attachments from email, this sort of attack may arrive as many types of attachments, including ones you may want to allow for business. We recommend you apply the patches instead.
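The alert above describes two ways the Outside In flaw can be reached: a user previewing an attachment in OWA (WebReady Document Viewing), or, on Exchange 2013 with DLP enabled, simply receiving the message. The following Exchange Management Shell function is an added example for this post, not WatchGuard’s or Microsoft’s code; it reports which of those two paths are currently enabled on your servers so you know how urgently to schedule the MS13-105 update. The cmdlets and property names (Get-OwaVirtualDirectory’s WebReadyDocumentViewingOnPublicComputersEnabled and WebReadyDocumentViewingOnPrivateComputersEnabled, and Get-DlpPolicy’s State and Mode) are assumed from the Exchange 2007/2010/2013 cmdlet set; the function only reads configuration and changes nothing.

```powershell
# Added example (not from the original alert). Run from the Exchange Management
# Shell. Reports whether the two exposure paths the alert describes are enabled:
#   1. preview path  - WebReady Document Viewing on any OWA virtual directory
#   2. receive path  - an enabled DLP policy (Exchange 2013 only)
# New-Object PSObject is used instead of [pscustomobject] so the function also
# runs in the PowerShell 2.0 shells of Exchange 2007/2010.

function Get-WebReadyExposure {
    # Preview path: every OWA virtual directory that renders attachments with
    # WebReady, on either the public- or the private-computer setting.
    $owa = Get-OwaVirtualDirectory | ForEach-Object {
        $public  = [bool] $_.WebReadyDocumentViewingOnPublicComputersEnabled
        $private = [bool] $_.WebReadyDocumentViewingOnPrivateComputersEnabled
        New-Object PSObject -Property @{
            Server          = $_.Server
            VDir            = $_.Name
            PublicWebReady  = $public
            PrivateWebReady = $private
            Exposed         = ($public -or $private)
        }
    }

    # Receive path: DLP scans inbound mail with the same parsing component, so
    # no user has to open or preview anything. Get-DlpPolicy only exists on
    # Exchange 2013, hence the existence check.
    $dlp = @()
    if (Get-Command Get-DlpPolicy -ErrorAction SilentlyContinue) {
        $dlp = @(Get-DlpPolicy | ForEach-Object {
            New-Object PSObject -Property @{
                Policy = $_.Name
                State  = $_.State   # Enabled / Disabled
                Mode   = $_.Mode    # Audit / AuditAndNotify / Enforce
            }
        })
    }

    $enabledDlp = @($dlp | Where-Object { $_.State -eq 'Enabled' })
    $exposedOwa = @($owa | Where-Object { $_.Exposed })

    New-Object PSObject -Property @{
        PreviewPathExposed    = ($exposedOwa.Count -gt 0)
        ReceivePathExposed    = ($enabledDlp.Count -gt 0)
        OwaVirtualDirectories = $owa
        DlpPolicies           = $dlp
    }
}

# Usage: a one-line summary, then the per-directory detail.
$exposure = Get-WebReadyExposure
$exposure | Format-List PreviewPathExposed, ReceivePathExposed
$exposure.OwaVirtualDirectories | Format-Table Server, VDir, PublicWebReady, PrivateWebReady -AutoSize
```

If ReceivePathExposed comes back True, treat the server the way the alert describes: the flaw triggers on delivery, so the patch belongs at the front of the queue rather than behind the IE update. A server where both values are False still needs the update (the XSS and second RCE issues are not covered by this check); the function only tells you which servers are reachable by the attachment path today.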

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Five Critical Patches, Including GDI+ 0day Fix

If you haven’t started dedicating the second Tuesday of each month to security updates, it might be time to start. Today is Patch day, and it’s a busy one for Microsoft with 11 security bulletins (and three new security advisories).

According to the summary post, today’s 11 bulletins fix 24 vulnerabilities in a wide range of Microsoft software, including Internet Explorer (IE), Windows, Office, Exchange, Lync, Sharepoint Server, and more. Microsoft rates five of the bulletins as Critical, and the remaining six as Important.

While it’s hard to give priority to updates when there are so many critical ones, here are my recommendations. I’d apply the GDI+ update (MS13-096) first, since it fixes a zero-day flaw that has been exploited in the wild; install the Exchange server update (MS13-105) next, since attackers can exploit its flaws just by sending you an email; and run the IE update (MS13-097) third, as it fixes vulnerabilities that bad guys can leverage in drive-by download attacks. You can apply the remaining Critical ones in any order you like, and finish off with all the Important ones. Whatever order you pick, I recommend downloading, testing, and installing these updates as quickly as you can.

As far as testing goes, I really recommend you test updates first, especially server updates like the Exchange one. You don’t want a bad patch causing downtime for your production environment. Creating virtual copies of your production servers provides an easy way to test patches in a virtual environment.
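To turn the priority order above (and the “download, test, and deploy” advice in each Solution Path) into something you can run against a host, here is an added PowerShell example; it is not WatchGuard’s or Microsoft’s tooling and is not from the original post. It takes a table mapping each bulletin ID to the KB article numbers that implement it, reads the installed hotfix list with Get-HotFix, and reports each bulletin’s status in the order you want them applied. The KB numbers in the usage block are placeholders, not real article IDs: fill them in from the “Affected and Non-Affected Software” section of each bulletin for the Windows versions you run.

```powershell
# Added example (not from the original post). Reports which bulletins are
# applied on a Windows host, listed in the order you want them installed.

function Get-BulletinStatus {
    param(
        # Hashtable: bulletin ID -> array of KB article IDs that implement it.
        [Parameter(Mandatory = $true)] [hashtable] $BulletinKBs,

        # Bulletin IDs in the order to apply them (first = most urgent). Any
        # bulletin not listed here sorts after the listed ones, alphabetically.
        [string[]] $Priority = @(),

        # Installed hotfix IDs. Defaults to the local machine; pass a saved
        # inventory (for example from Get-HotFix -ComputerName) to audit offline.
        [string[]] $Installed = (Get-HotFix | ForEach-Object { $_.HotFixID })
    )

    # Rank lookup built once so the sort below is a constant-time lookup.
    $rank = @{}
    for ($i = 0; $i -lt $Priority.Count; $i++) { $rank[$Priority[$i]] = $i }

    $ordered = $BulletinKBs.Keys | Sort-Object `
        { if ($rank.ContainsKey($_)) { $rank[$_] } else { [int]::MaxValue } }, { $_ }

    foreach ($bulletin in $ordered) {
        $kbs = @($BulletinKBs[$bulletin])
        # A bulletin counts as applied when at least one of its KBs is present:
        # each Windows version receives its own KB number for the same bulletin.
        # -contains is case-insensitive, so "kb123" and "KB123" both match.
        $present = @($kbs | Where-Object { $Installed -contains $_ })
        New-Object PSObject -Property @{
            Bulletin    = $bulletin
            Applied     = ($present.Count -gt 0)
            ExpectedKBs = ($kbs -join ', ')
        }
    }
}

# Constructed usage. The KB values are placeholders, not real article numbers;
# the bulletin IDs and the priority order are the ones recommended in the post.
$december = @{
    'MS13-096' = @('KB-PLACEHOLDER-GDI')       # GDI+ zero day: apply first
    'MS13-105' = @('KB-PLACEHOLDER-EXCHANGE')  # Exchange: attacker only has to send mail
    'MS13-097' = @('KB-PLACEHOLDER-IE')        # IE: drive-by download vector
    'MS13-102' = @('KB-PLACEHOLDER-LRPC')      # Important: local attacker only
}
Get-BulletinStatus -BulletinKBs $december -Priority 'MS13-096', 'MS13-105', 'MS13-097' |
    Format-Table Bulletin, Applied, ExpectedKBs -AutoSize
```

Get-HotFix reads the Win32_QuickFixEngineering class, which lists Windows component updates; updates for products such as Exchange or Office may not appear there, so for MS13-105 supply the Installed list from the Exchange server’s own update inventory rather than relying on the default. Because Installed is an ordinary parameter, you can also run the function against a hotfix list exported from a test VM first, which fits the advice above to validate patches on virtual copies of production servers before deploying them.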

As an aside, today is also Adobe patch day, and Mozilla released Firefox 26 to fix security issues as well. You can learn more about those updates now using the provided links, but I’ll post more details about the Adobe one later.

I’ll post more details about today’s Microsoft updates as the day progresses. Stay Tuned. — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Drops 11 Security Bulletins in December

If you’re not already used to the Microsoft patch cycle, don’t forget that tomorrow is Patch Day (the second Tuesday of every month).

Based on Microsoft’s early notification, this month looks a little more patch heavy than normal, with an expected eleven security bulletins. The updates will fix security flaws in a number of Microsoft products, including:

  • Internet Explorer
  • Windows
  • Office
  • Exchange
  • Lync
  • Server Software
  • Developer Tools

Five of the upcoming patches have a Critical rating, and the rest have an Important rating.

With a few outstanding zero day exploits in the wild, it will be interesting to see what Microsoft fixes. Let your IT staff know Patch Day is coming tomorrow, and watch this blog for detailed posts about them tomorrow. — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day - 12/2013

Drone Skyjacking – WSWiR Episode 87

NSA Botnet, Windows 0day, and Bitcoin Robberies

It’s time for our regular Information Security (Infosec) summary video. If you want to hear about all the latest network and computer security news from one quick and easy source, this video is for you. This week’s episode comes a bit late, but I will return to the Friday schedule this week.

In this episode, I talk about the NSA botnet, more Bitcoin heists, a Windows zero day exploit, and a new hack that can hijack AR.drone quadcopters. Watch the video for the details, and check out the references for more information (and some extra stories).

Keep safe out there!

(Episode Runtime: 9:36)

Direct YouTube Link: http://www.youtube.com/watch?v=w4cIM12wCKE

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)
