Archive | March, 2014

Paranoia 2014 – WSWiR Episode 100

Word 0day, Cisco DoS, and Bricked Androids

My weekly InfoSec summary arrives bit late this time due to business travel. Last week, I spoke at Watchcom’s Paranoia conference in Oslo Norway, so I couldn’t post my security news summary until the weekend. Nonetheless, why not start your week off by quickly catching up on last week’s news.

This week’s episode includes a quick summary of the Paranoia show, news of a new Word zero day flaw, information about Cisco IOS updates, and a story about a new android vulnerability attackers can use to brick phones. Check out the video for the details, and scroll down to the Reference section for a few extra stories.

As an aside, I’ll be traveling the next two weeks as well, so my weekly video may show up either earlier or later than normal, due to travel.

(Episode Runtime: 5:27)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Out-of-Cycle Word FixIt Corrects Zero Day Vulnerability

If you’re worried about spear phishing attacks (and if you’re not, you should be), grab Microsoft’s emergency FixIt to mitigate a zero day vulnerability attackers are exploiting in the wild.

In a security advisory released yesterday, Microsoft warned of a zero day vulnerability in Word, which attackers are exploiting in what Microsoft describes as limited, targeted attacks. Apparently, the exploit in the wild targets Word 2010, but the flaw affects other versions of Word as well. Since this is an early advisory, it doesn’t describe the flaw in much technical detail. However, it does mention attackers can trigger the flaw with specially crafted rich text format (RTF) files. If an attacker can entice you to view a malicious RTF in Word, he could exploit this vulnerability to execute code on you computer, with your privileges. If you are an administrator, the attacker gains complete control of your PC.

By default, most current version of Office use Word as Outlook’s email viewer. This mean attackers can trigger this flaw just by getting you to open an RTF attached to an email. According to some on Twitter, simply previewing an email with a malicious RTF triggers the flaw.

While Microsoft hasn’t had time to release a full patch yet, they have posted a FixIt that mitigates the risk of this vulnerability. If you use Office, I highly recommend you install the FixIt as soon as you can. Also, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) can mitigate the risk of any type of memory corruption flaw. In general, I recommend you install EMET on Windows machines to protect them from any zero day, memory-related issues.

I’ll post more details about this flaw during an upcoming Patch Day, when Microsoft releases the final update. In the meantime, if you’d like more information about it you can check out Microsoft’s security blog post— Corey Nachreiner, CISSP (@SecAdept


Operation Windigo – WSWiR Episode 99

MH370 Scams, Google Play DDoSed, and Operation Windigo

Each week I summarize the biggest information security news in a short video, so you don’t have to go searching for it yourself. If you’re interested in the latest infosec updates, be sure to watch each Friday. 

Today’s late episode covers a few cyber security stories around the disappeared MH370 flight, news about a penetration tester downing Google Play, and a report about a cyber attack campaign that hijacked 25,000 Linux servers. Watch the video for the full scoops, and check the Reference section below for more info.

Have a great weekend.

(Episode Runtime: 8:41)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

You Got Your Walking Dead in My Cyber Security

Keep Calm and Eat Pudding

Sometimes two things that don’t seem to go together, make the most magical combinations; things like peanut butter and chocolate, maple and bacon, and even Jon Snow and Ygritte. In hopes of adding to such delightful duos, I have started a new series of security articles trying to uncover another unexpected pairing—information security and pop culture.

What can popular movies, TV shows, books, or video games teach us about cyber security? Maybe nothing, maybe everything. In my new Help Net Security series, I plan to see if your favorite guilty pleasures can uncover any cyber security insights you’d never have expected. Join me for my first article at Help Net Security, where I share eight information security tips I learned from The Walking Dead (TWD).

By the way, if you like the article, or you love The Walking Dead, feel to share some TWD cyber security tips of your own? Come back here and add your own interesting infosec parallels to the comments section below. Feel free to draw parallels to other pop culture media too! — Corey Nachreiner, CISSP (@SecAdept)

NSA’s Turbine – WSWiR Episode 98

Patch Day, Missed Logs, and Snowden’s Latest

What to learn about the latest information security (infosec) news in under eight minutes? You’ve found the right place. Check out my weekly security news summary video below.

This week’s episode covers all the big updates from this month’s Adobe & Microsoft Patch Day, the latest news suggesting Target’s breach could have been averted, and another top secret document leak, detailing how the NSA hacks its targets. Check out the video below for the details, and don’t forget the Reference section for links to other stories. 

Enjoy your weekend, and stay safe!

(Episode Runtime: 8:21)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Shockwave Update Misses Adobe Patch Day

A few days ago, I posted an alert mentioning how Adobe Patch Day was particularly light, and pointing out the one minor Flash Player update. Turns out Adobe had other updates in store for us, they just missed their self-appointed patch day.

Today, Adobe released a Shockwave Player update fixing a single critical Shockwave Player vulnerability. They share almost no technical detail about the flaw, other than it is a memory corruption issue that remote attackers could leverage to execute code on a victim’s computer; presumably by getting them to view or interact with malicious Shockwave content. Though it doesn’t look like attackers are exploiting it in the wild yet, this flaw is quite a bit more severe than the Flash flaws mentioned earlier in the week. Nonetheless, Adobe only assigns them a priority (severity) rating of 2, which means you should update in the next 30 days. I think this is a slightly bigger deal than that, and recommend you update Shockwave as soon as you can. If you are using Adobe’s automatic updater, it should be relatively easy to do so.  — Corey Nachreiner, CISSP (@SecAdept

Fireware XTM 11.8.3 Update Corrects XSS Flaw

Overall Severity: Medium


  • This vulnerability affects: WatchGuard Fireware XTM 11.8.1 and earlier
  • How an attacker exploits it: Either by enticing an XTM administrator into clicking a specially crafted link or by directly interacting with the appliance’s web management UI (requires authentication)
  • Impact: An attacker can execute script in the context of the XTM management web UI, which could allow him to attempt to phish your credentials or gain access to your cookies or session information
  • What to do: Install Fireware XTM 11.8.3 (and limit access to the XTM web management interface)


Recently, we released WSM and Fireware XTM 11.8.3, which delivers many customer requested fixes and enhancements to XTM administrators. It also corrects a web application vulnerability reported to us by William Costa (a security researcher and consultant) via US-CERT’s coordinated disclosure process.

Fireware XTM includes a Web UI, which you can use to manage your XTM appliance through a web browser. One of the parameters in the firewall policy management pages (pol_name) suffers from a reflective cross-site scripting (XSS) vulnerability (CVE-2014-0338), due to it’s lack on input validation. If an attacker can trick your XTM administrator into clicking a specially crafted link, he could exploit this vulnerability to execute script in that user’s browser under the context of the XTM Web UI. Among other things, this could mean the attacker might do anything in the Web UI that your user could do.

However, it takes significant interaction for this attack to succeed. It is a reflected XSS attack, which means the attacker must trick an XTM administrator into clicking a link before the attack can take place (unless the attacker has direct access to the Web UI, and valid credentials of his own). Furthermore, the link does not bypass the Web UI authentication. This means that unless the victim is already logged into the Web UI, she would also have to enter her XTM credentials before this malicious link would work. Despite these mitigating factors, we still recommend you install 11.8.3 to fix this XSS flaw quickly.

We’d like to thank William Costa for discovering and responsibly disclosing this flaw, and thank the US-CERT team for coordinating the disclosure and response. You can find more information about this vulnerability in US-CERT’s vulnerability note

Solution Path:

WatchGuard Fireware XTM 11.8.3 corrects this security issue. We recommend you download and install 11.8.3 to fix this vulnerability. You can find more details about 11.8.3 in our release notes.

If, for some reason, you are unable to update your XTM appliances immediately, a few simple workarounds can significantly mitigate these vulnerabilities.

  • Restrict access to your appliance’s web management UI using the WatchGuard Web UI policy.  By default, our physical appliances do not allow external access to the web management UI; meaning Internet-based attackers can’t directly exploit this XSS flaw. If you like, you can fine-tune our policy even more, further limiting access. For instance, you can restrict access to very specific IP addresses or subnets,  use our user authentication capabilities to restrict access to certain users, or use our mobile VPN options to restrict access to VPN users. The more you limit access to the web interface, the less likely an attacker could directly exploit this flaw. Furthermore, this XSS attack does not bypass authentication. So even if an external attacker had access to your Web UI they’d need valid credentials to directly exploit this issue (making it a moot issue since they’d already have access to the web management interface).
  • Train administrators against clicking unsolicited links. In order to exploit this flaw, and attacker would have to trick one of your administrators into clicking a maliciously crafted link, and then entering his valid XTM management credentials. We recommend you train your XTM administrators about the dangers of clicking unsolicited links, especially ones that connect you to security appliances, and ask for additional authentication.


Are any of WatchGuard’s other products affected?

No. These flaws only affect Fireware 11.8.1 and below running on our XTM appliances.

What exactly is the vulnerability?

A reflective cross-site scripting (XSS) vulnerability (CVE-2014-0338) that could allow an attacker to run malicious script, and possibly gaining unauthorized access to your Web UI, assuming he can trick an administrator into clicking a malicious link.

Do these give attackers access to my XTM security appliance?

Potentially. The XSS vulnerability allows attackers to execute script in the context of your XTM appliance’s web UI. Attackers could leverage this to do many things, including stealing your session cookie, or designing a pop-up window designed to phish your credentials. It is possible the attacker might gain enough information to hijack your web session, or login to the web UI.

How serious is the vulnerability?

The XSS flaws poses a medium to low risk. Though attackers can use reflective XSS flaws to gain access to sensitive information, they require significant user interaction; in this case, both clicking a link and entering your credentials. This mitigating factors lessen the severity of this flaw. However, we still recommend you apply this update to fix it.

How was this vulnerability discovered?

These flaws were discovered by an external security researcher, William Costa, who reported them responsibly through US-CERT‘s coordinated disclosure process. We thank them both for working with us to keep our customers secure.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.

New Release: Fireware XTM 11.8.3 and WSM 11.8.3

WatchGuard is pleased to announce that Fireware XTM OS 11.8.3 and WSM 11.8.3 are now available. The Release Notes list all resolved issues and new enhancements in the software.

Highlights include:

  • An updated Gateway Wireless Controller dashboard in the WebUI now gives you connection information for your AP devices and the clients connected to your AP devices, including manufacturer details.
  • Support for the new Firebox T10
  • A fix for a cross-site scripting vulnerability (CERT VU#807134) in the Web UI
  • Support for  Netgear 341U 3G/4G modem.

Full details including screenshots are provided in the What’s New in 11.8.3 presentation.

Does This Release Pertain to Me?

This release applies to all XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances. If you or your customers need one of the bugfixes or new enhancements we recommend upgrading to the 11.8.3 release. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM appliances owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article”, “Support Alerts”, and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller ?

Adobe Patch Day Consists of Minor Flash Update

Adobe shares Microsoft’s Patch Day, and they usually release a handful of security updates themselves. However, this month they’ve kept it pretty simple, with only one relatively minor update for their Flash Player.

According to their bulletin, the latest Flash update fixes two security flaws in their popular web-based media player. Adobe is never one to share much detail about their vulnerabilities, but they do share the impact of each of these flaws.  They mention one of the flaws allows attackers to bypass the same origin policy, while the other allows attackers to read the contents of your computer’s clipboard. Compared to Adobe’s recent emergency Flash patch, which fixed a zero day issue exploited in the wild, these issues are not very severe. In fact, Adobe only assigns them a priority (severity) rating of 2, which means you should think about updating in the next 30 days.

Nonetheless, it doesn’t hurt to update your client computers, and Adobe’s automatic updater should make it pretty easy. If you aren’t already letting Adobe get it’s automatic updates, at least on client machines, I recommend you do so. — Corey Nachreiner, CISSP (@SecAdept

Four Windows Updates: Hijack Windows with Malicious Images

Severity: High


  • These vulnerabilities affect: All current versions of Windows (and related components like Silverlight)
  • How an attacker exploits them: Multiple vectors of attack, including luring users into viewing malicious images
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you


Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as Silverlight. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-013DirectShow JPEG Handling Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams, images, and files. It suffers from an unspecified memory corruption vulnerability having to do with how it handles specially crafted JPEG (JPG) images. By getting your users to view such a malicious image, perhaps via a web site or email, an attacker could leverage this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, the attacker gains full control of the users’ machines.

Microsoft rating: Critical

  • MS14-015:  Multiple Kernel-Mode Driver Code Execution Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from two security vulnerabilities. The worst is an elevation of privilege flaw having to do with it handles memory. In a nutshell, if a local attacker can run a specially crafted application, he could leverage this flaw to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability. The second issue could allow attackers to gain access to information in restricted sections of your computer’s memory, but doesn’t pose as high a risk as the first.

Microsoft rating: Important

  • MS14-016:  SAMR Lockout Bypass Vulnerability

The Security Account Manager or SAM file is a database file on Windows computers that contains all the hashed user credentials. The Security Account Manager Remote (SAMR) protocol is a client-to-server communication protocol Windows uses to check credentials against a SAM database. SAMR suffers from a flaw that allows attackers to bypass its user lockout feature. Windows allows you to lockout a user who has entered the wrong password a certain number of times. This makes it harder for attackers to launch “brute-force” password cracking attacks, since it limits the amount of failed password attempts. However, by sending specially crafted SAMR messages, an attacker can bypass this lockout feature, and try unlimited passwords against your Windows system. While this doesn’t directly give the attacker access to your computer, it does allow attackers on your local network to try and brute-force your passwords.

Microsoft rating: Important

  • MS14-014:  Silverlight DEP/ASLR Bypass Flaw

Silverlight is a cross-platform and cross-browser software framework used by developers to create rich media web applications. Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems (OS) use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Data Execution Prevention (DEP) is another such feature that makes it hard for attackers to execute code from memory. Unfortunately, Silverlight does not implement Windows’ DEP and ASLR protection properly. This means that it’s relatively easy for attackers to exploit any memory corruption flaws in Silverlight. By itself, this bypass flaw is worthless. It doesn’t give an attacker access to your computer. However, assuming attackers find memory corruption flaws in Silverlight, this bypass flaw would make it easier for them to exploit those flaws to execute code. You should apply this update simply to improve the general security of Silverlight.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as allowing you to block .jpg files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at

%d bloggers like this: