Archive | January, 2014

Java DDoS Botnet – WSWiR Episode 93

Cross-Platform Bots, Deceitful Ransomware, and Oracle Exploits

Ok… I know all your minds are already on this weekend’s upcoming Super Bowl, and if you’re anything like my Seattle-based office, you’ve got that Seahawk 12ᵗʰ man spirit going on. But, before running off to your tailgate party, why not take a few minutes to catch up on this week’s information security news with our weekly Infosec video?

On today’s episode, I talk about some deceitful new ransomware, share news of how hackers hijacked another Twitter handle, warn of a cross-platform Java-based botnet, and share details about some serious unpatched Oracle vulnerabilities. If you want to learn about all that and more, plus get some tips for protecting your organization, click on the white triangle play button below. Of course, if you hate staring at my ugly mug, you can also read about all these stories in the reference section instead. 

Have a great Super Bowl weekend and GO HAWKS!!

(Episode Runtime: 9:00)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Building Defense Out of Disaster; Learning from the Target Breach

If you’ve ever parented a teen, you might have noticed that the human species sometimes only learns hard lessons after suffering—firsthand—through the negative consequences of an experience. As much as we try to warn our kids of the potential risks of certain decisions (usually based on mistakes we’ve already made ourselves), it seems they occasionally have to get “burned” before learning themselves.

Unfortunately, evangelizing information security (InfoSec) best practices sometimes seems like giving advice to teens. Everyone understands what you are saying, and might even see some logic behind your advice, but still secretly thinks, “That horrible network breach won’t happen to me; I’m fine with just my [insert some legacy defense here].”

Nonetheless, I still sincerely believe we can learn from history if we pay close enough attention to what it tells us. With that in mind, let’s take a closer look at what the industry knows so far about the Target data breach, so we can try to learn from someone else’s painful experience.

In this article, I will describe:

There’s a lot to cover, so I’ll jump right in, but feel free to skip to whatever section most interests you.

Let’s Start with the Facts So Far

Though you’d have to live with an undiscovered, indigenous tribe in Papua New Guinea to not have heard about it, let me share a few facts about the Target breach, as we know them so far.

  • On Dec. 18th, 2013, Brian Krebs reports that sources had informed him Target was investigating a potentially big data breach.
  • Dec. 19th, Target officially confirms the breach and discloses the first real information about it, sharing the following:
    • Between Nov. 27 and Dec. 15, unknown attackers breached Target’s network and stole the debit and credit card data of 40 million account holders.
    • The stolen data included the cards’ magnetic track information (track 1 and track 2 data), which includes the cardholder’s name, the card expiration date, and the CVV encoded on the stripe (CVV1), but not the CVV2 printed on the card.
    • Target also noted that the breach did NOT affect their online shoppers, which suggests it was not due to a web application vulnerability in their e-commerce site.
  • Dec. 20th, Target’s CEO apologizes to customers for the data breach.
  • Dec. 27th, Target warns that the attackers also stole the encrypted PIN data associated with the cards, contrary to their original report. However, the PINs were encrypted with Triple-DES at the keypad, and Target stated that the decryption key was held only by its external payment processor and never sat on Target’s systems; thus, the PINs are likely unrecoverable by the attackers.
  • Jan. 10th, Target disclosed that the attackers had also stolen 70 million other account records, unrelated to the cardholder data. These records contained a lot of personally identifying information (PII), including names, addresses, phone numbers, and email addresses. Though there is likely customer overlap between the 40 million cardholder records and the 70 million account records, the total account loss jumps to 110 million.
  • Jan. 10th, Krebs also reports that Neiman Marcus and three other unnamed smaller retailers are also investigating network infiltrations and card data breaches. Despite the parallel timeline, these breaches seem unrelated so far, though similar.
  • Jan. 13th, we learn the first technical detail about the breach. In a video interview with CNBC, Target’s CEO shares that Point-of-Sale (PoS) malware was found on Target PoS register systems (more likely, it was found on the central servers responsible for processing the register transactions).
  • Jan. 15th, Krebs claims that the PoS malware associated with the breach is BlackPoS, a malware variant I talked about early last year.
  • Jan. 16th, iSIGHT Partners claims that the Target malware was not BlackPoS itself, but rather a derivative variant called Trojan.POSRAM. They call the attack campaign KAPTOXA. The Wall Street Journal also leaks a 16-page report by iSIGHT and the US government, detailing the malware and some “indicators of compromise,” intended for private distribution to big retailers and security companies.
  • Jan. 17th, a security research firm called IntelCrawler allegedly ties the BlackPoS malware to a 17-year-old hacker from Russia, along with another Russian “bad actor.” However, it’s still unclear whether these actors are directly associated with the Target breach, or just created and sold the malware.
  • Jan. 20th, Texas authorities arrest two credit card fraudsters who used counterfeit cards allegedly associated with the Target breach; the pair may (or may not) be connected to the breach itself.
  • Jan. 23rd, Neiman Marcus finally shares some details about their breach. They say attackers stole 1.1 million credit cards and that the breach occurred between July 16 and Oct. 30.
  • Jan. 23rd, the FBI warns retailers to expect more PoS system attacks. Be on the lookout for retail cyber attackers.
  • Jan. 25th, Michaels craft stores also report they suffered a payment system breach. It’s still unclear whether it’s related to the Target breach.
  • Jan. 29th, Brian Krebs released a story identifying a popular IT management server product that may have played a role in the Target breach.

So now you know all that’s publicly disclosed about the attacks so far. However, I think it’s just as important to recognize what we don’t know about this attack yet.

  • We don’t know how attackers got the PoS malware into Target’s network and onto PoS systems (it could be spear phishing, a watering hole attack, a web application flaw, or an insider).
  • We don’t know whether Target made any sort of security mistake or wrongdoing. In fact, I’d argue that so far it sounds like they are handling this horrible situation pretty responsibly. Signs point toward them following basic security and encryption best practices, and having invested in at least some security (though we still don’t know all the details). At the very least, they had been assessed as PCI DSS compliant.

Hey, I Shop at Target! What Should I Do?

Before I move on to what other retailers, businesses, and security practitioners might learn from this breach, let’s first talk about what to do if you are a normal Target shopper yourself.

If you shopped at Target between Nov. 27 and Dec. 15, like my wife did, you have likely already received a letter or email from Target warning you about the breach, and you’re wondering what to do as a consumer. Well, my advice all comes down to this: remain vigilant!

During the breach, attackers stole two distinctly different types of information, both of which serve different purposes to attackers:

  1. Credit card magnetic stripe data – They can use this to create fake credit cards for physical purchases, or physical ATM withdrawals (if they can decode the PINs, which is unlikely).
  2. Personally Identifying Information (PII) – They have 70 million customer names, phone numbers, addresses, and email addresses, which they can start to use for identity theft (though they’d probably have to first get your social security number, too), or they can use the email addresses in future phishing attacks.

As far as the PII is concerned… Frankly things like your name, address, phone number, and email are probably already out there. The additional risk on this info due to the Target breach isn’t zero, but it’s probably relatively negligible.  Furthermore, without other information, like your social security number (or your national ID number if you’re outside the US), attackers don’t have enough info to totally steal your identity. Nonetheless, you should monitor your credit to make sure fraudsters aren’t registering new accounts as you, and be on the lookout for scam emails that seem to come from Target.

The credit card data leak has more severe repercussions, though. The good news is most experts believe the attackers do not have enough information to make unattended, online (card-not-present) purchases with this stolen card data. For instance, even though a credit card stores a CVV (CVV1) on its magnetic stripe (magstripe), it doesn’t store the CVV2 there. The CVV2 is the number printed on your card, which you use to confirm online purchases. That said, attackers do have enough data to make a clone of your card, which they can try to use for fraudulent, in-person purchases. Finally, if they do crack the supposedly protected PINs, they could also make ATM withdrawals, like in the big $45 million ATM heist of last year.

With that in mind, here are four things you can do to protect yourself from the Target credit card data theft. The tips are in order of importance.

    1. Monitor your credit – Pay attention to your credit card statements regularly and look for unexpected purchases. You should also sign up for Target’s free year of credit monitoring and identity theft protection (details here). The good news here is Target has made a promise of “zero liability,” meaning if you find fraudulent charges on a card due to this breach, Target or your bank will pay for them.

      As an aside, these credit-monitoring agencies will likely ask you for personal information, like your social security number, when you sign up. While it might seem ironic to be sharing such sensitive information again, do know the agencies already have your information (since you have a credit card), they are just asking for it to verify who you are. There really is no additional harm in giving it to them again. Also, you really ought to always monitor your credit, as a general rule, and Lifehacker shares a great article with tips on how you can do so for free.
    2. Change your card’s PIN – Though Target is still fairly adamant that the attackers cannot decrypt the PIN data they stole, I recommend you change your card’s PIN anyway (for any cards you used at Target during the breach period). Changing a card’s PIN is a relatively easy and painless process, and it’s better to be safe than sorry.
    3. Get a new credit card – So far Target is not actively pushing customers to get replacement credit cards. Their logic is that criminals cannot use this stolen data in online purchases, and that so far fraudulent activity from this theft has been low. However, I worry that they just don’t want to absorb the cost of all the replacements.

      In the end it’s up to you. Do you think the future chance of fraudulent activity is so low that it’s not worth your time and the hassle of changing your card, or would you rather just change the card now so you don’t have to worry about it at all? Personally, I don’t see the down side to replacing your card, unless you happen to use it for many automatic payments, in which case you’d have to update all those as well. Note: At least one card issuer, Citi, has already decided to replace all their users’ cards on their own.
    4. Close unused accounts – I don’t know about you, but sometimes in the past I’ve opened a credit account I don’t really need, simply to take advantage of some promotion. For instance, you go to a store and learn you can get 30% off on your first purchase if you apply for free, in-store credit. Maybe you open the account for that one time deal, and then never use it again? Perhaps Target’s REDcard was that unused account for you?

      The problem with these unused accounts is you often forget about them. Since you forgot about them, you probably won’t even notice when bad guys use them fraudulently. While this advice doesn’t necessarily pertain directly to the Target breach, I recommend you use this opportunity to review your credit accounts, and close any that you never use (Granted, be aware closing too many accounts can affect your credit score).

If you follow at least the first two or three tips above, the Target breach shouldn’t cost you anything, other than a bit of time.

What Can Businesses and Retailers Learn from the Target Attack?

Now that we know the facts around the breach, let’s get to the true point of this article—trying to figure out what we can learn from Target’s misfortune. Based on what we know about the attack so far, here are some of my take-aways and tips:

    • PoS targeted malware is on the rise; prepare for it – Over the past few years, experts in the Infosec field have noticed the steady increase in malware that specifically targets point-of-sale (PoS) systems, and this Target breach illustrates just how popular it’s become with cyber criminals.

      Since many PoS systems are just Windows or Linux computers, PoS malware looks and acts, for the most part, very much like normal malware… with two distinct differences. First, it is designed to search the victim computer’s active memory, rather than just its file system (a technique security folks call RAM scraping). Why, you ask? Well, the bad guys know PCI DSS requires retailers to encrypt cardholder data at rest and whenever it crosses open, public networks. However, no matter how aggressively you encrypt data, there is a split second where the software processing the swipe has to hold it in memory in the clear (unless the card reader itself encrypts the track data before it ever reaches the PoS application). Second, PoS malware is designed specifically to sniff out credit card magstripe data. In other words, it searches memory for the track 1 and track 2 patterns PoS systems handle, rather than for documents or passwords. So, how do you prepare for PoS malware?

      A few basic tips include:

      • Patch PoS systems – You don’t want them suffering from flaws that make it easier to install malware on them.
      • Enforce a separation of duties – If you’re browsing the Internet or checking your email from the same device that you use to run PoS software to take payments, you’re doing it wrong.
      • Educate your cashiers – Sometimes simple vigilance makes the best defense. If your cashiers understand that your PoS systems may be susceptible to malware, they might stay on the lookout for unusual signs of attack or infection.
      • And to the XP folks out there – I suspect many PoS systems (and reportedly around 95% of ATMs) still run on top of Windows XP. Unfortunately, Microsoft ends support for XP on April 8, 2014, after which it will receive no further security updates. I recommend you migrate your PoS systems away from XP to ensure the most secure operating environment.

      Some of the other take-aways I share below will also help you protect PoS systems.

    • You need to segment your trusted network – Unfortunately, I think many organizations still have a very myopic view of how they segment their network. As an industry, we have adopted this general trilateral paradigm that includes the external network (the Internet), a demilitarized zone (for semi-public servers), and our trusted network. The problem with this paradigm is our trusted network should not be flat!

      In every organization, there are people or assets that have different levels of privilege or sensitivity than others. For instance, there is no reason that someone in your HR department should have network access to your engineers’ source code repositories. By the same token, there is no reason that the computers your employees use to browse the Internet in the break room should be on the same network as the ones your PoS registers are on (and this doesn’t even get into wireless networks).

      The good news is many security appliances – be they legacy firewalls, Unified Threat Management (UTM) devices, or Next Generation Firewalls (NGFW) – have many physical interfaces, and even VLAN tagging capabilities, which allow you to segment your internal, trusted network more granularly, based on the roles different users and assets play in your organization. This additional network segmentation gives you a “roadblock” where you can enforce explicit policies for what is and isn’t allowed. If you place your PoS systems on a separate network, you can create policies that allow only the specific PoS traffic to and from these systems (for instance, only the payment processor’s hosts and ports). This means any PoS malware trying to exfiltrate data from your network will have more hurdles to get the data out. For instance, in the Target attack the hackers reportedly used good old FTP to move the stolen data, which you may decide to block outright on your PoS network.

      The only downside to more granular internal segmentation is that it will require a bit more work on the front end. In many cases, the devices within different trust groups will still need to communicate in certain ways with one another. The downside to this is that you will have to explicitly write a policy allowing that communication, which may entail some research on how different proprietary systems “talk,” and may generate a few help desk calls until you have properly allowed all business-critical communication. Of course, the upside is you have total control of what communication is and isn’t allowed.

      In any case, we can no longer leave our trusted networks flat, as it makes it much too easy for attackers to perform lateral movement (e.g. turning the infection of one low-value employee into the full compromise of an important internal server). By the way, none of this is to say Target is or isn’t segmenting their internal network. Since we don’t yet know how the malware got on their systems, we don’t know whether or not lack of network segmentation contributed to the attack. Nonetheless, I think it is an important security tip retailers should follow when considering the sensitivity of their critical PoS systems.
    • You need more proactive malware detection – Unfortunately, antivirus (AV) technology still relies very heavily on reactive, signature-based detection. This means that it can’t find and block new malware until after it’s first analyzed, which is typically not until after it’s infected at least one victim.

      Cyber criminals have long known techniques that allow them to take evil programs, and change them on a binary level so that signature-based solutions “see” it as something new (even though it really isn’t).  They often call this packing and crypting, and you can learn more about it in one of my old botnet videos.

      Over time, AV vendors have started implementing more proactive detection technologies, which use techniques like behavior analysis or code emulation to help detect new malware without signatures. However, since most AV primarily runs on the endpoint, it often has limited resources to work with, so AV vendors cannot always adopt “whole-hog” sandboxing solutions.

      Recently, however, newer malware detection controls have surfaced that use something called virtual execution to run unknown binaries in a fully virtualized Windows environment, in real-time. These solutions are much better at proactively finding previously undiscovered malware by monitoring for suspicious behaviors. If you’re concerned with advanced attacks, like the one Target just went through, you should consider these types of advanced malware detection solutions in the future (and keep an eye on WatchGuard this year).
    • Focus your defenses on data – In a presentation I gave at Gartner’s ITxpo Symposium last year, I talked about how most of our preventative security controls are focused on protecting machines and devices, and not necessarily on protecting data directly. While we do need to protect the container of data, I also believe we need to spend a bit more time monitoring and protecting our data directly.

      In this blog post, I offer five tips for doing that, one being investing in data loss prevention (DLP) technologies that can see sensitive data as it passes your borders. For instance, the DLP service WatchGuard offers can monitor for credit card numbers and magnetic stripe information. In fact, we specifically monitor for this type of data when sent over FTP, which happens to be how Target’s attackers reportedly got their loot out the door. DLP is not foolproof—smart attackers might encrypt or encode the data to get it past sensors—but it does pose another roadblock, making things harder for the attacker. Be sure to check out my blog post and video for more tips on protecting data.
    • Focus more on detection and response – Preventative controls are a must for any organization, and they are probably the best bang for your buck, as far as ROI. However, I’m afraid many organizations have focused too singularly on prevention, and have forgotten to consider two other very important aspects of network security—detection and response!

      As much as we don’t like it, cyber security is a continuous arms race, and you will never have the perfect defense. The technology that protects us today will eventually get bypassed tomorrow, and we’ll have to think up something new. Furthermore, even if we had the perfect technological solution, there’s still a human element to the security problem, and criminals would still prey on our social weaknesses to infiltrate our networks. If a motivated, persistent, and well-financed attacker wants into your network, he or she will probably find a way over time.

      That’s why you should focus some of your security efforts on security visibility and analytics solutions this year. They can help you quickly identify anomalies or security events on your network, so that your incident response team can immediately research them, and hopefully cut off any attacks in progress, before the thieves make off with the keys to your kingdom.

      WatchGuard believes so strongly that detection and response is a key component of your security strategy that we have released a fantastic new tool to help our customers achieve better visibility of their networks, called WatchGuard Dimension™. As more businesses start adopting better security visibility tools, and they monitor those tools more regularly, we expect to see them discover network breaches much faster, and perhaps nip them in the bud before the bad guys exfiltrate important data.
    • The US must update its credit and debit card standards – In his video interview, Target’s CEO mentioned an industry-wide problem that I think might be the crux of many of the US’s credit and debit card fraud issues: our continued use of magstripe cards as opposed to the newer, and more secure, EMV or “chip-and-PIN” cards.

      Without going into all the technical details, most of the data on a magstripe card is stored in clear text, and you can easily read or clone it with a cheap reader. EMV cards have a small microprocessor on them. The chip holds cryptographic keys that prove the card is the original, and follows a dynamic authentication process in which the card computes a fresh cryptogram for each transaction, so that both the terminal and the issuer can confirm the card is genuine and captured data can’t simply be replayed. In short, EMV makes it much harder for attackers to clone cards and use them for in-person, fraudulent purchases.

      That said, EMV cards are not perfect. Researchers have found flaws in some implementations, and have developed new techniques for fraud. Nonetheless, EMV makes things much harder for hackers. Sounds good, right? The sad thing is, EMV has been out for over a decade. Europe uses EMV cards almost exclusively (so much so that US travelers sometimes have problems using their old magstripe cards overseas). Yet the US has not yet fully adopted it.

      Why not? Well, it’s expensive and it takes a village. To reap the benefit of EMV’s additional security, retailers, payment processors, and everyone else that takes cards will have to update their infrastructure to use these new cards. The good news is, over the past year the US seems to have started this migration. You have probably already noticed many of your cards getting chips, and some retailers offering tap-to-pay (MasterCard PayPass) readers. However, these cards still have magstripes to fall back on, and a fallback swipe is exactly what a cloned card exploits. Until the entire industry makes the jump, no one will fully realize the benefits of EMV. If you’re a retailer, and you haven’t started the move towards EMV, I recommend you look into it, as it will save you money from fraud in the long run.
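To make the magstripe-versus-EMV point concrete, here is an added Python sketch, written for this article and not taken from the post or from the EMV specifications, of why static track data can be cloned but a dynamic cryptogram cannot be replayed. It assumes HMAC-SHA256 in place of the 3DES/AES MAC real EMV cards compute, uses a constructed issuer master key, and names (`ChipCard`, `Issuer`, `generate_arqc`) that are illustrative. What it keeps from real EMV is the structure: a per-card key that never leaves the chip, an Application Transaction Counter (ATC) the issuer uses to spot replays, and a terminal-chosen unpredictable number in every cryptogram.

```python
import hmac
import hashlib
import secrets

# Assumption: HMAC-SHA256 stands in for the 3DES/AES MAC real EMV cards use, and
# this master key is a constructed demo value, not anything from a real issuer.
ISSUER_MASTER_KEY = bytes.fromhex("00" * 31 + "01")


def card_key(pan: str) -> bytes:
    """Per-card key derived from the issuer master key at personalization time."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def cryptogram(key: bytes, pan: str, atc: int, unpredictable_number: bytes, amount_cents: int) -> bytes:
    """Application cryptogram: a MAC over the transaction data, the card's own
    transaction counter, and the terminal's per-transaction challenge."""
    msg = f"{pan}|{atc}|{unpredictable_number.hex()}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """The chip: holds a key that never leaves it, and counts its own transactions."""

    def __init__(self, pan: str):
        self.pan = pan
        self._key = card_key(pan)
        self.atc = 0  # Application Transaction Counter, incremented per transaction

    def generate_arqc(self, unpredictable_number: bytes, amount_cents: int):
        self.atc += 1
        return self.atc, cryptogram(self._key, self.pan, self.atc, unpredictable_number, amount_cents)


class Issuer:
    """Issuer host: recomputes the cryptogram and refuses any ATC it has already seen."""

    def __init__(self):
        self.last_atc = {}

    def authorize(self, pan: str, atc: int, unpredictable_number: bytes,
                  amount_cents: int, arqc: bytes) -> bool:
        if atc <= self.last_atc.get(pan, 0):
            return False  # replayed or rolled-back counter
        expected = cryptogram(card_key(pan), pan, atc, unpredictable_number, amount_cents)
        if not hmac.compare_digest(expected, arqc):
            return False  # wrong key, or tampered amount/challenge
        self.last_atc[pan] = atc
        return True


def magstripe_authorize(track2_on_file: str, track2_presented: str) -> bool:
    """Magstripe 'authentication': the track is static, so a copy is indistinguishable."""
    return track2_on_file == track2_presented


def demo() -> dict:
    """Walk through the cases: magstripe clone, genuine chip, replay, reuse, forgery."""
    track2 = ";4111111111111111=2512101123456789?"  # constructed test track, test PAN
    stolen_copy = str(track2)  # what a RAM scraper hands the fraudster

    card = ChipCard("4111111111111111")
    issuer = Issuer()
    un = secrets.token_bytes(4)  # terminal's unpredictable number
    atc, arqc = card.generate_arqc(un, 4999)

    return {
        "magstripe_clone_accepted": magstripe_authorize(track2, stolen_copy),
        "genuine_chip_accepted": issuer.authorize(card.pan, atc, un, 4999, arqc),
        # Attacker captured (atc, un, arqc) in transit and sends it again.
        "replayed_cryptogram_accepted": issuer.authorize(card.pan, atc, un, 4999, arqc),
        # Attacker reuses the captured cryptogram against a fresh terminal challenge.
        "reused_cryptogram_new_challenge_accepted":
            issuer.authorize(card.pan, atc + 1, secrets.token_bytes(4), 4999, arqc),
        # Attacker without the card key tries to make a cryptogram up.
        "forged_cryptogram_accepted": issuer.authorize(card.pan, atc + 1, un, 4999, bytes(8)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'ACCEPTED' if accepted else 'rejected'}")
```

The magstripe case succeeds because there is nothing to verify beyond equality with stored data, which is exactly what the RAM scraper stole. The chip cases fail for the attacker because every authorization needs a MAC over a counter and a challenge that have never been used before, and the key to compute it never leaves the card. This is also why the magstripe fallback matters: a clone only has to find a terminal willing to swipe.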

So far, we’ve only scratched the surface of what we may eventually know about the Target breach, and how the attackers infiltrated what many think was a relatively well-protected network. Yet already, there’s a lot we can learn from this unfortunate incident, if we’re willing to look closer.

As an industry, I feel like security professionals are often quick to lambast the victims of network breaches. We’re always looking for that one big mistake some company made that allowed an attacker in… “See, I told you so!”

However, in my opinion, Target has actually handled this breach quite responsibly so far. They have apologized, been as transparent about the incident as they can, and even taken accountability, offering zero liability to their customers. It also looks like they had many industry-approved security practices and controls in place. Perhaps I’m naive, but I believe Target is sincere in their promise to find the culprit and improve their security.

The truth is, any one of us can suffer a breach like Target did. Even if you do all the right things, and implement all the right defenses, everyone is human. A simple mistake can be the hole that lets that persistent advanced attacker in. Rather than blame the victim, we need to find and prosecute the attackers, but also learn from these unfortunate events so that we can make it a little harder for the criminals to succeed next time. Consider implementing some of my tips and take-aways above, and perhaps you can avoid the next big credit card data breach.

— Corey Nachreiner, CISSP (@SecAdept)

Sniffin’ Android VPN – WSWiR Episode 92

Energetic Bear APTs, Bugged Browsers, and Trojaned Extension

Another week, another pile of scary sounding security stories. But don’t freak out… If you know how to protect yourself, you can easily avoid most of these vulnerabilities and issues. Enjoy another episode of WatchGuard Security Week in Review for a quick recap of the Infosec news from the week, and what to do about it.

Today’s show includes how shady advertisers are booby-trapping Chrome extensions, a speech recognition issue that might allow malicious websites to bug your browser, and news of a Russian APT campaign targeting the foreign energy sector. For all that and more, watch the video below, and don’t forget to peruse the Reference section for links to some extra security stories too!

Keep vigilant and have a great weekend!

(Episode Runtime: 9:31)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

BlackPOS Robs Target – WSWiR Episode 91

Patching Trifecta, Mobile Banking Risks, and Hacktivist Hijackings

Patches, mobile malware, hacked off hacktivists, Point-of-Sale (PoS) malware… all that and more in this week’s information and computer security news summary video! If you need a quick roundup of the latest security news in one convenient package, you’ve come to the right place.

Today’s episode covers the week’s huge, triple-vendor patch day, the latest hacktivist hijacking, research on flaws in popular mobile banking apps, and more. I also talk about the latest updates on the huge holiday Target breach, including reports that begin to uncover the specific malware used in the attack. If you want to keep your organization’s network safe, don’t miss this video for the latest news and tips. Remember, check the Reference section below for links to many other security stories too!

Keep vigilant and have a great weekend!

(Episode Runtime: 12:45)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Oracle Patch Day: January’s CPU and Java Updates Correct 144 Vulnerabilities

Today, Oracle released their quarterly Critical Patch Update (CPU) for January 2014. CPUs are Oracle’s quarterly collections of security updates, which fix vulnerabilities in a wide-range of their products. Oracle publishes their quarterly updates on the Tuesday closest to the 17th of the month, and this quarter that happens to fall on Microsoft and Adobe’s Patch Tuesday.

Overall, Oracle’s CPU and Java updates fix around 144 security vulnerabilities in many different Oracle products and suites. The table below outlines the affected product categories, and the severity of the fixed flaws. The flaws with the highest CVSS rating are the most risky, meaning you should handle them first:

Product or Suite               Flaws Fixed (CVEs)   Max CVSS
Java SE                        36                   10.0
Fusion Middleware              22                   10.0
MySQL                          18                   10.0
Financial Services Software     1                   10.0
Sun Systems Products Suite     11                    7.2
Hyperion                        2                    7.1
Virtualization                  9                    6.8
E-Business Suite                4                    5.5
Supply Chain Product Suite     16                    5.5
Database Server                 5                    5.0
Siebel CRM                      2                    5.0
PeopleSoft Products            17                    5.0
iLearning                       1                    4.3

Oracle’s advisory doesn’t describe every flaw in technical detail. However, it does describe the general impact of each issue, and shares CVSS severity ratings. While the severity of the 144 vulnerabilities differs greatly, some of them pose a pretty critical risk; especially the Java SE ones.

Almost everyone has Java installed. If you do, I recommend you install the Java update immediately, or perhaps consider uninstalling Java or restricting it in some way using its security controls (for instance, disabling the browser plug-in and raising the Java Control Panel security level). With many flaws rated CVSS 10, the Java vulnerabilities allow remote attackers to install malware on your computer via web-based drive-by download attacks; and right now attackers really like targeting Java flaws.

Of course, if you use any of the other affected Oracle software, you should update it as well. I recommend scheduling the updates based on the max CVSS rating for each product. For instance, if you use MySQL, update it quickly, but you can allow yourself more time to fix the iLearning issues. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert.

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Flash and Reader Updates Fix Five Flaws

Severity: High


  • These vulnerabilities affect: Flash Player, Reader XI, and Acrobat XI (and Adobe Air)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.


Today, Adobe released or updated two security bulletins that describe vulnerabilities in two of their popular software packages: Flash Player and Reader/Acrobat XI.

Adobe Patch Day, Jan 2014

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:

  • APSB14-01: Trio of Reader and Acrobat Memory Corruption Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes three vulnerabilities that affect Adobe Reader and Acrobat XI 11.0.05 and earlier, running on Windows and Macintosh.  Adobe doesn’t describe the flaws in much technical detail, but does note that they involve integer overflow and memory corruption issues. They all share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB14-02: Flash Player Code Execution Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe’s bulletin describes two serious flaws in Flash Player 11.9.900.170 and earlier for all platforms. They don’t describe the vulnerabilities in much technical detail, just mentioning that one allows you to “bypass security protections” and the other allows you to defeat Address Space Layout Randomization (ASLR), which is a memory obfuscation technique that some software uses to make it harder for attackers to exploit memory corruption flaws. They do, however, describe the flaws’ impacts. In the worst case, if an attacker can lure you to a web site, or get you to open documents containing specially crafted Flash content, he could exploit a combination of these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.
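A patch-compliance check for the two bulletins above, added here as an example (not WatchGuard’s or Adobe’s code): it flags inventory rows still at or below the last affected builds the alert names, and shows why comparing version strings lexically misses some of them. The hostnames and installed versions are constructed sample data.

```python
# Added example (not WatchGuard's code): flag hosts still running the Adobe
# versions this alert lists as affected. Inventory records are constructed.
from typing import Dict, List, Tuple

# Highest affected version per product, as stated in the bulletins above:
# APSB14-01: Reader/Acrobat XI 11.0.05 and earlier
# APSB14-02: Flash Player 11.9.900.170 and earlier
MAX_AFFECTED: Dict[str, str] = {
    "Reader XI": "11.0.05",
    "Acrobat XI": "11.0.05",
    "Flash Player": "11.9.900.170",
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.9.900.170' into (11, 9, 900, 170) so comparison is numeric.
    Comparing the raw strings is wrong: '11.9.900.99' > '11.9.900.170'
    lexically, because the character '9' sorts after '1'."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(product: str, installed: str) -> bool:
    """True when the installed build is at or below the last affected build."""
    limit = MAX_AFFECTED.get(product)
    if limit is None:
        return False  # product not covered by these two bulletins
    return parse_version(installed) <= parse_version(limit)

def hosts_needing_patch(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """inventory rows: (hostname, product, installed version)."""
    return sorted({host for host, product, ver in inventory
                   if is_affected(product, ver)})

# Constructed sample inventory (hostnames and installed versions are made up;
# only the thresholds above come from the bulletins).
SAMPLE_INVENTORY = [
    ("ws-01", "Flash Player", "11.9.900.170"),  # last affected build
    ("ws-02", "Flash Player", "11.9.900.99"),   # older; a string compare would miss it
    ("ws-03", "Flash Player", "12.0.0.1"),      # newer than the affected range
    ("ws-04", "Reader XI", "11.0.05"),
    ("ws-05", "Reader XI", "11.0.06"),          # newer than the affected range
    ("ws-06", "Acrobat XI", "11.0.04"),
]

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: affected Adobe build, patch per APSB14-01/02")
```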

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.


Adobe has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Multiple Word Memory Corruptions Make for Malicious Documents

Severity: High


  • These vulnerabilities affect: Microsoft Office related products, including Word and Outlook
  • How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents or email
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.


As part of today’s Patch Day, Microsoft released a security bulletin describing three vulnerabilities affecting the Windows versions of Word, and related software like Word Viewer, the Office compatibility packs, and Web Application products.

Word is the popular word processor that ships with Office. It suffers from three memory corruption vulnerabilities having to do with how it handles certain objects in memory. Though they differ technically, all three flaws share the same scope and impact. By luring one of your users into downloading and opening a malicious Word or Office document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Word except for Word for Mac.

Microsoft only rates this update as Important (their medium severity), since it requires user interaction to succeed. However, we’ve seen many attackers successfully use malicious Office documents in emails, as part of their advanced spear-phishing campaigns. For that reason, we recommend you install Microsoft’s Word updates as soon as you can.

Solution Path:

Microsoft has released Word (and related product) updates to correct these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

See the “Affected and Non-Affected Software” section of Microsoft’s Word bulletin for links to the updates.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus service can often prevent the most common malicious documents from reaching your users. You can also leverage our XTM appliance’s proxy policies to block all Word documents if you like, though most administrators prefer not to, since Office documents are often shared as part of business. To fully protect yourself, we recommend you install Microsoft’s updates.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at

One of Windows’ Two Updates Corrects 0day Flaw

Flaws in Kernel and Kernel-mode Drivers

Severity: High


  • These vulnerabilities affect: Windows XP, 7, Server 2003, and Server 2008
  • How an attacker exploits them: By running a malicious program locally or by tricking a user into running something they shouldn’t
  • Impact: In the worst case, a local attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.


Today, Microsoft released two security bulletins describing the same number of vulnerabilities affecting many versions of Windows. Specifically, the flaws affect Windows XP, 7, Server 2003, and Server 2008. Microsoft has assigned both these vulnerabilities their medium severity rating of Important. However, attackers have already been found exploiting one of them in the wild, so we recommend you at least patch that one (MS14-002) as quickly as possible.

Quick note: Before diving into the bulletin details, we’d like to share a quick note for Windows XP users. Over the past few months, Microsoft has diligently been informing its customers that Windows XP will reach the “end-of-support” phase of its lifecycle on April 8th, 2014… which is in three short months. Among other things, this means that Windows XP will no longer receive security updates, even if attackers find new flaws in the popular OS. Microsoft has a great blog post discussing the risks of running unsupported software. XP was one of the better versions of Windows, and one we suspect some will be sad to see go (and in some cases it’s embedded in products that are hard to upgrade). That said, if you still use XP in your organization, you may want to consider a transition plan before time runs out. Now back to our regular programming…

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-002: Kernel Elevation of Privilege Vulnerability

The kernel is the core component of any computer operating system. The NDProxy.sys kernel component that ships with Windows XP and Server 2003 suffers from an input validation vulnerability, which attackers can leverage to elevate their privileges. By running a specially crafted program, or by tricking a user into running something malicious, a local attacker could exploit this flaw to gain complete control of your PC. However, the attacker would first need to gain local access to your Windows computer using valid credentials. This factor significantly reduces the severity of the issue. However, researchers have already found attackers exploiting this vulnerability in the wild, to elevate their privileges as part of other attacks. For this reason, we highly recommend you patch Windows XP and Server 2003 systems as quickly as possible.

Microsoft rating: Important

  • MS14-003: Kernel-Mode Drivers Thread-owned Object Handling Vulnerability

As mentioned earlier, the kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. The kernel-mode driver suffers from an unspecified vulnerability involving how it handles “thread-owned objects”. By enticing one of your users to run an evil program, or by gaining local access and running it himself, an attacker could exploit this flaw to gain complete control of your Windows computer. Since this flaw requires local access or user interaction, it poses only a medium risk. The flaw also only affects Windows 7 and Server 2008. Nonetheless, we recommend you patch as quickly as you can.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible, especially the MS14-002 patch. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them, especially server-related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Both of these flaws require local access to exploit. While our XTM appliance’s gateway antivirus (GAV) service may sometimes detect malware that tries to leverage these flaws, our network protection does not protect you from local exploits. Therefore, Microsoft’s updates are your best solution.


Microsoft has released patches correcting these issues.


— This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Hefty Patch Day Despite Light Microsoft Turnout

If any security professionals need a quick reminder that the end-of-year holidays are over, and it’s time to get back to protecting information, Microsoft’s first Patch Day of the year will likely do that for you. However, the good news is Microsoft is giving us a slow start with only four security updates for January. Unfortunately, two other companies, Oracle and Adobe, have filled in the gaps with big updates of their own.

Let’s start with Microsoft.

According to their summary post, Microsoft released four bulletins today which fix security flaws in Windows, Office, and their Dynamics AX server (an enterprise resource planning or ERP solution). They didn’t release any Critical bulletins this month, only ones with an Important rating; essentially their “medium” severity. Though vulnerabilities with this rating might be a bit more difficult to exploit (requiring local access or victim interaction), some of them could still allow remote attackers to gain full control of your users’ machines. In short, you should still take these updates seriously despite the light load, and their less critical nature.

As far as priority, start with the Windows kernel vulnerability, as it fixes a zero day flaw that attackers are actively exploiting in the wild. Granted, the attackers exploiting it need local access to your computer to leverage the flaw, but if they do, they gain full (SYSTEM) control of the PC. The remaining Windows and Office flaws are just about equal in severity. Which you focus on first is up to you. I’d probably consider the Office one first, since bad guys like using malicious documents in their spear phishing emails lately. Finally, the Dynamics AX update fixes a DoS flaw. I don’t suspect many smaller organizations use this product, and DoS flaws aren’t quite as severe as others. So save this one for last, if you happen to use the product.

With Microsoft done, your focus this month is probably better served with patching Adobe and Oracle products. Adobe’s patch day always falls on the same Tuesday as Microsoft’s. However, Oracle happens to follow a quarterly patch cycle, which only occasionally lines up directly with Microsoft’s Patch Day. Unfortunately, this is one such month, and you get to enjoy the unholy trifecta of patching three big corporations’ products at once. Yay (sarcasm)!

Today, Adobe has released updates for Reader, Acrobat, and Flash Player, and Oracle has released their huge Critical Patch Update, fixing over a hundred flaws in a wide variety of products. I’ll post more details about these updates later today, but for now you can check out Adobe’s or Oracle’s pre-announcement advisories if you want a head start.

I’ll post the detailed alerts for Microsoft’s Windows and Office updates shortly. Since I doubt the majority of customers use Dynamics AX, I don’t plan on posting a full alert for it, so if you use it be sure to check out Microsoft’s alert (MS14-004) yourself, and grab the corresponding updates. Stay tuned! — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day Summary, Jan 2014

Cryptolocker Copycat – WSWiR Episode 90

Linkedin Sues Hackers, Yahoo Spreads Malware, and PowerLocker Copies CryptoLocker

What are the latest vulnerabilities, who’s the most recent breach victim, and how do you protect yourself from the newest cyber attacks? Learn all this and more in WatchGuard’s weekly security news summary video!

This week I share how ads on the European Yahoo site spread malware, I talk about how Linkedin is using the legal system to try to unmask hackers, and you’ll learn how one of my annual security predictions is already coming true with some copycat cryptolocker ransomware. For all that, and more, watch the video below. Of course, if you prefer reading, check the links in the Reference section for more details, as well as a few extra security stories to boot.

Keep vigilant and have a great weekend!

(Episode Runtime: 11:33)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)
