Tag Archives: memory corruption

IE 0day & AM Hack Update – Daily Security Byte EP.128

I missed yesterday’s daily video due to an offsite meeting, so today’s episode contains two important stories; an emergency update to fix a zero day vulnerability in Internet Explorer (IE) and the latest update to the Ashley Madison breach. If you run a Microsoft network, or you know anyone that had an account on Ashley Madison, you’ll want to watch the video below to learn what you can do to protect yourself from attackers.

(Episode Runtime: 2:18)

Direct YouTube Link: https://www.youtube.com/watch?v=w9CI3Fk5NiE

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Rowhammer Pwns DRAM – Daily Security Byte EP.42

The new Rowhammer attack exploits the physics of electricity on DRAM chips to gain root control of computers. Want to learn more? Watch the video or check out the references below.

 

(Episode Runtime: 2:31)

Direct YouTube Link: https://www.youtube.com/watch?v=SKycd-eE8Js

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Mega IE Update Corrects 37 Vulnerabilities; Including Zero Day

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft posted an update that fixes a 37 new vulnerabilities in all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

All but one of the vulnerabilities described in this alert are memory corruption vulnerabilities, which share the same general scope and impact. If an attacker can lure you to a web page containing malicious web code, he can exploit these flaws to execute code on your computer, inheriting your privileges. If you have local administrative privileges, which most Windows users do, the attack could potentially gain full control of your computer.

These types of memory corruption vulnerabilities are ideal for attackers launching drive-by download attacks—a class of attack where malicious code hidden on a web page can silently install malware on your computer. Today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way. In fact, one of today’s fixes closes a zero day vulnerability that attackers have exploited in the wild. I highly recommend you install this update immediately

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4095)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4094)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability -1 (CVE-2014-4092)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability -2 (CVE-2014-4092)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4089)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4082)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4081)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4086)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4087)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4088)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4084)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4065)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4080)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Latest IE Patch Corrects 26 Vulnerabilities

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft released an update that fixes a 26 new vulnerabilities in all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Most of the vulnerabilities described in this alert (24 of the 26) are memory corruption vulnerabilities, which share the same general scope and impact. If an attacker can lure you to a web page containing malicious web code, he can exploit these flaws to execute code on your computer, inheriting your privileges. If you have local administrative privileges, which most Windows users do, the attack could potentially gain full control of your computer

The patch also fixes a pair of privilege escalation vulnerabilities, but the memory corruption flaws alone should convince you to update IE as soon as you can.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4063)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4057)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4050)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2824)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2823)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2820)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

IE Update Fixes Remote Code Execution and Certificate Issues

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: Mostly by enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft describes an update that fixes a 23 new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Most of the vulnerabilities described in this alert (22 of the 23) are memory corruption vulnerabilities, which share the same general scope and impact. If an attacker can lure you to a web page containing malicious web code, he can exploit these memory corruption vulnerabilities to execute code on your computer, inheriting your privileges. If you have local administrative privileges, which most Windows users do, the attack could potentially gain full control of your computer

The update also fixes a publicly reported certificate handling issue having to do with how IE handles extended validation (EV) certificates and wildcards. Attackers could leverage this flaw to help make their phishing sites look more legitimate. Though this issue is pretty bad, the memory corruption flaws pose even more risk. They alone should convince you to update IE as soon as you can.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1765)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2787)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2795)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2797)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2801)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2804)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Word 2007 Patch Fixes Embedded Font Vulnerability

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Word 2007 (and related components)
  • How an attacker exploits them: By enticing users to open or interact with a maliciously crafted Word document
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing a vulnerability affecting Word 2007, and related software like the Office compatibility pack.

Word is the popular word processor that ships with Office.  It suffers from A memory corruption vulnerabilities having to do with how it handles embedded fonts in documents. By luring one of your users into downloading and opening a malicious Word document, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs.

Microsoft only rates this update as Important (their medium severity), since it requires user interaction to succeed. However, we’ve seen many attackers successfully use malicious Office documents in emails, as part of their advanced spear-phishing campaigns. For that reason, we recommend you install Microsoft’s Word updates as soon as you can.

Solution Path:

Microsoft has released a Word (and related product) update to correct these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

See the “Affected and Non-Affected Software” section of Microsoft’s Word bulletin for links to the updates.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus service can often prevent the most common malicious documents from reaching your users. You can also leverage our XTM appliance’s proxies policies to block all Word documents if you like; though most administrators prefer not to since Office documents are often shared as part of business. To fully protect yourself, we recommend you install Microsoft’s updates.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Humongous IE Patch Fixes 59 Security Issues

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: Mostly by enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes an update that fixes a whooping 59 new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

The biggest story about today’s IE update is the sheer number of vulnerabilities it corrects. I don’t think I remember a Microsoft update that fixed more flaws than this one. While all 59 of these flaws are technically different, most of them share the same general scope and impact, and involve memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit many of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

The update also includes fixes some information disclosure and elevation of privileges flaws as well, but the memory corruption issues pose the most risk. Technical differences aside, this is a very important IE update that plugs many serious holes in IE. Furthermore, this update also fixes a zero day IE flaw that the Zero Day Initiative (ZDI) disclosed a few weeks ago. You should download and install the IE cumulative patch immediately.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1802)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1800)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1766)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1805)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Office Updates Include Patches for SharePoint Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products like SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents, or interacting with web resources
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a number of vulnerabilities in Office, SharePoint, and related components. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-022: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both multiple remote code execution vulnerabilities and a cross-site scripting (XSS) flaw. The remote code execution flaws pose the most risk, and involve several unspecified input sanitation vulnerabilities in a number of SharePoint pages. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges. Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. If you run SharePoint servers, you should patch this as quickly as you can.

Microsoft rating: Critical

  • MS14-023: Office Remote Code Execution Flaw

Various Office components suffer from two publicly reported vulnerabilities. The worst is a remote code execution flaw involving the way Office’s “Grammar Checker” feature loads Dynamic Link Libraries (DLL). However, the flaw only affects Grammar Checker when the language is set to Chinese (Simplified). If a remote attacker can convince you to open an Office document that resides in the same directory (local or over a network) as a malicious DLL, she could exploit this flaw to execute code with your privileges. If you have local administrative access, the attacker gains complete control of your computer. However, this flaw will likely primarily affect Chinese Office users, which somewhat limits its impact. Office also suffers from something call a “token reuse” flaw, but it poses a lesser risk that the remote code execution one.

Microsoft rating: Important

  • MS13-086 MCCOMCTL ASLR Bypass Vulnerabilities

Office (and many other Microsoft products) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Office’s MSCOMCTL component doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

May’s IE Update Corrects Two New Memory Corruptions

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes two new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Though the two vulnerabilities differ technically, they share the same general scope and impact, and involve memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit either of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately. Also note, this IE cumulative patch also includes a fix for the zero day IE flaw Microsoft fixed earlier, in an out-of-cycle update. If, for some reason, you haven’t applied that update yet, this is a good time to fix that serious zero day flaw.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0310)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815)

Your XTM appliance should get this new IPS 4.414 signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

UPDATE TO: Advanced Attackers Exploit IE 0day in the Wild

Severity: High

Summary:

  • This vulnerability affects: All versions of Internet Explorer (IE)
  • How an attacker exploits it: By enticing a user to visit web site containing malicious content
  • Impact: An attacker can execute code with your privileges, potentially gaining complete control of your computer
  • What to do: Install Microsoft’s emergency IE patch immediately, or let Windows Update do it for you

Exposure:

On Monday, we released an alert warning about a zero day vulnerability affecting all version of Internet Explorer. Researchers discovered attackers exploiting this critical flaw in the wild, and Microsoft had not yet released a patch at that time.

Today, Microsoft released an out-of-cycle security bulletin containing an update to fix this serious vulnerability. As mentioned in our original alert, IE suffers from something called a “use after free” memory corruption vulnerability. By enticing one of your users to a web site containing malicious content, an attacker can exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker gains full control of your machine.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks. Furthermore, attackers are already exploiting this particular flaw in targeted attacks. We highly recommend you install Microsoft’s IE update immediately

We have included the original alert below for your convenience.

Solution Path:

Microsoft has released IE updates to correct this vulnerability. You should download, test, and deploy the updates immediately, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s IE bulletin. Also note, Microsoft has included updates for Windows XP customers, despite their End-of-Life date last month.

If for some reason you cannot patch immediately, there are also some workarounds than can mitigate the issue. We detail those workarounds in our original alert, which we’ve included below for your convenience.

For All WatchGuard Users:

As mentioned in our original alert, there are a number of things WatchGuard XTM customers can do to protect themselves. For instance, you can use our proxy policies to block Flash content by extension (.SWF) or by MIME type (application/x-shockwave-flash). Furthermore, our IPS service includes signatures that block this IE exploit (update to signature set 4.410). Nonetheless, we still highly recommend you install Microsoft’s IE update to completely protect yourself from this attack.

Status:

Microsoft has released patches to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


Over the weekend, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability in Internet Explorer (IE), which attackers are exploiting in the wild. Around the same time, Kaspersky also noted an attack campaign leveraging a new Adobe Flash zero day flaw, which Adobe patched today. I’ll discuss both issues below, starting with the IE issue.

IE Zero Day in the Wild

According to this blog post, researchers at FireEye discovered advanced attackers exploiting this zero day IE flaw as part of a persistent attack campaign they are calling “Operation Clandestine Fox.” The attack targets IE 9-11 and also leverages a Flash flaw to help bypass some of Windows’ security features.

Shortly after FireEye’s post, Microsoft released a security advisory confirming the previously undiscovered flaw in IE. The advisory warns that the flaw affects all versions of IE (though the attack seems to target IE 9-11). While Microsoft is still researching the issue, the vulnerability seems to be a “use after free” class of memory corruption vulnerability. In short, if an attacker can entice you to a web page containing maliciously crafted content, he could exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker would gain full control of your machine. It’s interesting to note, the attackers also leverage a known Adobe Flash issue to help defeat some of Microsoft’s Windows memory protection features.

Zero day IE vulnerabilities are relatively rare, and very dangerous. Attackers are already exploiting this IE one in the wild, so it poses a significant risk. Unfortunately, Microsoft just learned of the flaw, so they haven’t had time to patch it yet. I suspect Microsoft will release an out-of-cycle patch for this flaw very shortly since this is a high-profile issue. In the meantime here a few workarounds to help mitigate the flaw:

  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue.  So you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMETEMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. Installing EMET could help protect your computer from many types of memory corruption flaws, including this one. This Microsoft blog post shares more details on how it can help with this issue.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to many browser-based attacks.
  • Disable VML in IE – This exploit seems to rely on VML to work. Microsoft released a blog post detailing how disabling VML in IE, or running IE in “Enhanced Protection Mode” can help.
  • Make sure your AV and IPS is up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. In fact, WatchGuard’s IPS engineers have already created signatures to catch this attack. We are QA testing the signatures now, but they should be available to XTM devices shortly. Whatever IPS system you use, be sure to keep your AV and IPS systems updating regularly, to get the latest protections.
  • WatchGuard XTM customers can block Flash with proxies – If you own a WatchGuard XTM security appliance, you can use our proxy policies to block certain content, including Flash content. For instance, you can use our SMTP or HTTP proxies to block SWF files by extensions (.SWF) or by MIME type (application/x-shockwave-flash). Keep in mind, blocking Flash blocks both legitimate and malicious content. So only implement this workaround if you are ok with your users not accessing normal Flash pages.

Adobe Patches Flash Zero Day

Coincidentally, Adobe also released an emergency Flash update today fixing a zero day exploit that other advanced attackers are also exploiting in a targeted watering hole campaign. The patch fixes a single vulnerability in the popular Flash media player, which attackers could exploit to run arbitrary code on your system; simply by enticing you to a web site containing specially crafted Flash content. This exploit was discovered in the wild by Kaspersky researchers (one of our security partners). According to Kaspersky’s research, the exploit was discovered on a Syrian website, and seems to be designed to target potential Syrian dissidents.

The good news is there is a patch for this flaw. So if you use Adobe Flash, go get the latest update now. By the way, some browsers like Chrome and IE 11 embed Flash directly, so you will also have to update those browsers individually. Finally, though the IE zero day I mentioned earlier does rely on a Flash issue, this particular zero day Flash flaw is totally unrelated. One additional note; WatchGuard’s IPS engineers have also created a signature for this exploit as well. It will be available shortly, once testing is complete.

So to summarize, if you use IE, disable VML, install EMET, and watch for an upcoming patch. If you use Flash, updates as soon as you can. I will be sure to inform you here, as soon as Microsoft releases their real patch or FixIt. — Corey Nachreiner, CISSP (@SecAdept)

%d bloggers like this: