
May Day! Microsoft’s Patch Day is Not Dead… Yet

Despite Microsoft’s recent Ignite Conference announcement—that they’d no longer follow a monthly patch cycle for Windows 10—Patch Tuesday is in full effect for May. Today, Microsoft released 13 security bulletins, including three Critical ones. If you’re a Microsoft administrator, you should get to these updates quickly.

By the Numbers:

Today, Microsoft released 13 security bulletins, fixing a total of 48 security vulnerabilities in many of their products. The affected products include:

  • current versions of Windows (and its components),
  • Internet Explorer (IE),
  • Office,
  • SharePoint Server,
  • the .NET Framework,
  • and Silverlight.

They rate three bulletins as Critical and the rest as Important. As an aside, Microsoft’s main summary post contains a wealth of useful information, including their vulnerability exploitability index, which helps you prioritize the updates based on how dangerous each vulnerability is in the real world.

Patch Day Highlights:

Today’s Patch Day highlights revolve around the Critical rated issues. Most organizations will want to apply the IE update first. Not only does it fix 22 vulnerabilities, but they are also ones that attackers can leverage in drive-by download attacks, which are one of the most common attacks today.

You should also prioritize the various document related vulnerabilities, since threat actors are increasingly using malicious documents in their spear phishing emails. I recommend you prioritize the Windows Font Driver, Journal, and Office updates as well.

In short, if you apply the updates quickly, in the order Microsoft lists, you’ll do well.

Quick Bulletin Summary:

We summarize the April security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS15-043 – Critical – IE Update Corrects 22 Vulnerabilities – You can normally count on Microsoft releasing a cumulative Internet Explorer (IE) update each month, often fixing many memory corruption vulnerabilities. This month’s IE update fixes a slightly more diverse set of flaws, including some privilege elevation issues, and Address Space Layout Randomization (ASLR) bypass vulnerabilities. However, the memory corruption issues still probably pose the highest risk. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC. The other IE flaws also make it easier for attackers to bypass Windows’ security mechanisms, and even gain more privilege on your system. Combined, these are perfect vulnerabilities for attackers to exploit in drive-by download attacks. I’d make this IE update a top priority.
  • MS15-044 – Critical – Windows Font Driver Code Execution Flaw – The Font Driver Windows uses to display OpenType and TrueType fonts suffers from two security flaws; one worse than the other. In essence, if an attacker can get you to view a document or web page that contains a maliciously crafted font, he can exploit the more critical flaw to execute arbitrary code on your computer with your privileges.
  • MS15-045 – Critical – Six Journal Code Execution Flaws – Journal is the basic word processing or note taking program that ships with Windows. It suffers from six flaws that share the same scope and impact. If an attacker can get you to view a specially crafted Journal document, she can exploit any of these flaws to execute code on your computer, with your privileges.
  • MS15-046 – Important – Two Office Code Execution Flaws – Office suffers from two memory corruption flaws with the same scope and impact. If you open a maliciously crafted Office document, an attacker could exploit either flaw to execute code on your computer.
  • MS15-047 – Important – SharePoint Code Execution Flaw – SharePoint Server suffers from a somewhat unspecified code execution vulnerability having to do with its inability to properly sanitize uploaded page content. If an attacker can upload specially crafted content to your SharePoint Server, they could execute code with the server’s W3WP service account (which has less privilege than the full SYSTEM account).
  • MS15-048 – Important – Two .NET Framework Vulnerabilities – The Windows Task Scheduler suffers from an elevation of privilege flaw. If an attacker can log onto your Windows system with valid credentials (even underprivileged ones), she can run a program that exploits this flaw to gain complete control of the computer.
  • MS15-049 – Important – Silverlight EoP Flaw – Silverlight suffers from an “out of browser” elevation of privilege vulnerability. While most Silverlight applications are supposed to run with limited permissions, attackers could exploit this vulnerability to escape that “privilege sandbox” and run with your user privileges, or higher. However, an attacker would either have to log into your system with valid credentials and run a malicious Silverlight application, or entice you to run such an application yourself.
  • MS15-050 – Important – Local SCM EoP Vulnerability – The Windows Service Control Manager (SCM) suffers from a local privilege escalation vulnerability. By running a specially crafted program, an attacker could leverage this flaw to gain elevated privileges on your Windows systems. However, they’d need valid credentials on your systems to do so, which somewhat limits the severity of this flaw.
  • MS15-051 – Important – Six Kernel-Mode Driver flaws – Windows’ Kernel-Mode driver suffers from six vulnerabilities. The worst is a local elevation of privilege flaw. If a local attacker can run a malicious application, she can exploit this flaw to gain complete control of your Windows computer, regardless of the malicious user’s original privileges. The five remaining flaws are information disclosure issues that could help an attacker learn more about your system, and potentially bypass some of Windows’ security features (like ASLR).
  • MS15-052 – Important – Windows Kernel Security Bypass Flaw – Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Kernel ASLR (KASLR) is essentially the same thing, in regards to kernel memory. The Windows kernel suffers from an information disclosure vulnerability which could help attackers bypass this protection. While it doesn’t allow them to execute code alone, it does make it easier for them to exploit other memory based vulnerabilities.
  • MS15-053 – Important – VBScript and JScript ASLR Bypass Flaws – Windows’ JScript and VBScript components suffer from ASLR bypass flaws similar to the ones above. Again, these flaws don’t allow an attacker to execute code by themselves, but they do make it easier for them to exploit other memory corruption vulnerabilities.
  • MS15-054 – Important – MMC DoS Vulnerability – The Windows Microsoft Management Console (MMC) suffers from a flaw in the way it handles icon information in a .MSC file. If an attacker can lure you into running a maliciously crafted .MSC file, they could cause your system to stop responding.
  • MS15-055 – Important – Schannel Information Disclosure Flaw – Secure Channel (Schannel) is Microsoft’s SSL/TLS implementation. Schannel still allows the use of a weaker cryptographic key length (specifically a 512-byte DHE key), which is susceptible to known attacks. This update increases the minimum key length, making it harder to crack.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately and try to get to the Important ones as soon as possible.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download May’s full Security Update ISO – Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day.

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1658)
  • FILE Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1675)
  • FILE Microsoft Windows Journal Remote Code Execution Vulnerability
  • FILE Microsoft Office Memory Corruption Vulnerability (CVE-2015-1682)
  • WEB-CLIENT Microsoft Internet Explorer ASLR Bypass (CVE-2015-1685)
  • WEB-CLIENT Microsoft Internet Explorer VBScript and JScript ASLR Bypass (CVE-2015-1686)
  • FILE Microsoft Internet Explorer Elevation of Privilege Vulnerability (CVE-2015-1688)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1689)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1691)
  • WEB-CLIENT Microsoft Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2015-1692)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1705)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1706)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1708)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1718)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1717)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1714)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1712)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1711)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1710)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1709)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

As an aside, Microsoft also released two new security advisories today. If you are interested in how Microsoft is improving their cipher suite priority and Flash security, be sure to check their advisory page for those new updates. — Corey Nachreiner, CISSP (@SecAdept)

 

Microsoft Rains April Patch Showers

While not quite as bad as last month’s 14 security bulletins, April’s Patch Day is bursting with updates. According to their summary, Microsoft released 11 security bulletins, some fixing serious issues. Windows administrators should put their heads down, dive in, and get patching.

By the Numbers:

Today, Microsoft released 11 security bulletins, fixing a total of 26 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • SharePoint Server,
  • the .NET Framework,
  • XML Core Services,
  • and Hyper-V.

They rate four bulletins as Critical and the rest as Important.

Patch Day Highlights:

In my opinion, the HTTP.sys vulnerability is the biggest deal this month. While it doesn’t say so directly, this flaw affects all Microsoft’s IIS web servers. Simply by sending a specially crafted web request, an attacker can take over your web server. I would patch all your public Windows-based IIS servers immediately. WatchGuard’s IPS service has a signature for this attack, which should help mitigate its risk until then.

Besides that, you should also apply all of Microsoft’s Critical updates as quickly as you can. The Internet Explorer vulnerabilities also pose a high risk since attackers can use them in drive-by download attacks, which are quite popular today.

Quick Bulletin Summary:

We summarize the April security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS15-032 – Critical – IE Memory Corruptions Flaws – You can pretty much count on Microsoft releasing a cumulative Internet Explorer (IE) update that fixes a bunch of memory corruption flaws every month, and this month is no different. These are the types of flaws remote attackers use to execute code, and that are typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC. As an aside, the update also fixes an Address Space Layout Randomization (ASLR) bypass flaw that makes it easier for bad guys to exploit memory corruption issues.
  • MS15-033 – Critical – Multiple Office Flaws – Office, and the components that ship with it (such as Word, Excel, etc.), suffer from five vulnerabilities. The worst are four memory-related code execution flaws that black hats can exploit by luring you into opening malicious office documents. If you open such a document, the attacker can execute code on your computer, with your privileges. Finally, the Mac version of Outlook also suffers from a cross-site scripting (XSS) vulnerability.
  • MS15-034 – Critical – Windows HTTP Stack Code Execution – HTTP.sys is Windows’ HTTP stack; the component it uses to process HTTP protocol requests. It suffers from an unspecified remote code execution vulnerability. By sending a specially crafted HTTP request, an attacker could exploit this flaw to gain complete control of your computer (code executes with SYSTEM privileges). However, you must be running some web service that uses HTTP.sys (such as IIS) to be vulnerable to the flaw. This is a serious flaw that affects IIS servers.
  • MS15-035 – Critical – EMF Image Code Execution Flaw – The graphics component Windows uses to handle images suffers from a flaw involving the way it parses Enhanced MetaFile (EMF) images. In short, if a bad guy can get you to view such an image—whether on a web site, in an email, and so forth—he can exploit this flaw to run code on your computer with your privileges.
  • MS15-036 – Critical – SharePoint Server XSS flaws – SharePoint suffers from two cross-site scripting vulnerabilities (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to click a specially crafted link, an attacker could exploit this flaw to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could.
  • MS15-037 – Important – Task Scheduler EoP Vulnerability – The Windows Task Scheduler suffers from an elevation of privilege flaw. If an attacker can log onto your Windows system with valid credentials (even underprivileged ones), she can run a program that exploits this flaw to gain complete control of the computer.
  • MS15-038 – Important – Two Windows EoP Vulnerabilities – Two other Windows components suffer from flaws like the Task Scheduler one above. Though they differ technically, an attack exploiting them has the same scope and impact. If an attacker can login and run a program, they can gain full SYSTEM privileges in Windows.
  • MS15-040 – Important – AD FS Information Disclosure – Active Directory Federation Services (AD FS) doesn’t fully log off users. If a new user logs on, she might have access to application info from the previous user (similar to a flaw last year).
  • MS15-041 – Important – .NET Framework Information Disclosure Flaw – The .NET Framework suffers from a flaw that could unintentionally allow attackers to view some of your web application’s configuration information. However, you’re only exposed if you configure detailed error messages on your web application (which you shouldn’t do on publicly exposed web applications).
  • MS15-042 – Important – Hyper-V DDoS Flaw – Hyper-V, Microsoft’s virtualization component, suffers from a denial of service (DoS) vulnerability. If an attacker can log into one of your virtual machines (VM) using legitimate credentials, he can run a malicious program that will cause all the VMs on the server to stop responding. Of course the attacker needs valid credentials, and access to the VM, in order to launch the attack.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download February’s full Security Update ISO – Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day.

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB Microsoft IIS HTTP.sys Remote Code Execution Vulnerability (CVE-2015-1635)
  • FILE Microsoft Windows Graphics EMF Processing Remote Code Execution Vulnerability (CVE-2015-1645)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1652)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1668)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1667)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1666)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1665)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1662)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1661)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1660)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1659)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1657)
  • FILE Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641)
  • FILE Microsoft Office Memory Corruption Vulnerability (CVE-2015-1650)
  • WEB Microsoft ASP.NET Information Disclosure Vulnerability (CVE-2015-1648)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

As an aside, Microsoft also released two new security advisories today. If you are interested in how Microsoft is improving their Public Key cryptography, or in learning about an SSL 3.0 issue, be sure to check their advisory page for those new updates. — Corey Nachreiner, CISSP (@SecAdept)

 

Microsoft’s March Patch Day Madness

Pull up your bootstraps, Microsoft administrators, because you’re in for a long patch slog this month. According to their March Patch Day summary, Microsoft released 14 security bulletins, many fixing critical issues. I highlight the details below, so get ready to get patching.

By the Numbers:

Today, Microsoft released 14 security bulletins, fixing a total of 45 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • Exchange server,
  • and VBScript.

They rate five bulletins as Critical and the rest as Important.

Patch Day Highlights:

There are many vulnerabilities worth fixing this month, but two major highlights.

  1. Remember FREAK? It’s that SSL implementation vulnerability that I’ve been talking about in blog posts and multiple videos. Well, it affects Windows too and they fixed it this month. If you’ve been concerned about black hats sniffing your SSL, be sure to get the FREAK update (MS15-031).
  2. Also, remember Stuxnet? I’m sure you do, since it was one of the most sophisticated attacks the industry has ever seen. When it was discovered, it used four different zero day vulnerabilities to help itself spread, including a .LNK file vulnerability that helped it infect others via USB storage devices. Microsoft tried to patch this flaw years ago, but apparently failed. The MS15-020 update completes the botched job, so be sure to get that update. If you want to learn more about the update’s relation to Stuxnet, check out this HP blog post.

While those two updates are probably the most interesting, this month’s bulletins include many more critical patches. For instance, March’s Internet Explorer (IE) update fixes 12 security flaws that bad guys can leverage in drive-by download attacks. Also, Exchange administrators will probably want to apply its update quickly, even though Microsoft only reports it as Important. If attackers can get your email users to click a link, they can exploit various Exchange flaws to gain access to your users’ OWA accounts. In short, we recommend you apply Microsoft’s updates quickly, in the order we share them below.

Quick Bulletin Summary:

We summarize the March security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS15-018 – Critical – IE Memory Corruptions Flaws – The Internet Explorer (IE) update mostly fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC. Web-based drive-by downloads are pretty popular with attackers right now, so we recommend you apply this update quickly.
  • MS15-019 – Critical – VBScript RCE Flaw – VBScript is a Microsoft-specific scripting language that ships with Windows and IE. It suffers from a memory corruption flaw that attackers could leverage to execute code with your privileges. This is actually one of the vulnerabilities corrected by the IE update mentioned above, but Microsoft has to fix it in VBScript as well since it ships independently. Similar to the IE flaws, attackers would likely leverage this vulnerability in drive-by download attacks.
  • MS15-020 – Critical – Two Windows Code Execution Flaws – Remember Stuxnet? This update fixes one of its zero day vulnerabilities… again! Windows suffers from two code execution flaws involving its Windows Text Services (WTS) and the way it loads DLLs. The WTS flaw poses the most obvious risk. If an attacker can trick one of your users into visiting a malicious web site, or opening a specially crafted file, she can exploit the WTS issue to execute code on that user’s computer, with the user’s privileges. If the user was a local admin, the attacker gains full control of your user’s PC. However, the “DLL Planting” vulnerability is pretty bad too, since it’s actually one that the infamous Stuxnet malware exploited years ago. While Microsoft’s alert doesn’t describe it this way, the DLL loading fix is related to the shortcut .LNK vulnerability that was supposedly fixed in 2010. You can read more about it on this blog.
  • MS15-021 – Critical – Multiple Adobe Font Driver Vulnerabilities – Windows ships with an Adobe font driver to handle—as its name suggests—Adobe fonts. This driver suffers from many flaws, including a denial of service (DoS) issue, an information leak flaw, and a number of memory corruption vulnerabilities. Attackers could exploit the memory corruption flaws to execute code on your computer, assuming they can trick you into visiting a booby-trapped web site, or opening a file with maliciously crafted fonts.
  • MS15-022 – Critical – Multiple Office Component Vulnerabilities – Office, and the components that ship with it (such as Word, Excel, and SharePoint server), suffer from a range of five vulnerabilities. The worst are three code execution flaws that black hats can exploit by luring you into opening malicious office documents. However, SharePoint also suffers from a few cross-site scripting (XSS) vulnerabilities.
  • MS15-026 – Important – Five Exchange Server Vulnerabilities – Exchange, Microsoft’s popular email server, suffers from five vulnerabilities. The four worst flaws are all cross-site scripting (XSS) vulnerabilities in various parts of Outlook Web Access (OWA). While they differ technically, they all have the same effect. If an attacker can lure you into clicking a specially crafted link, or into visiting a web site containing a malicious link, he can exploit any of these four flaws to gain control of your OWA account, and do anything you could (for instance, send and read your email). Since OWA is pretty popular among Exchange administrators, and often exposed publicly, I consider this update a fairly high priority.
  • MS15-023 – Important – Four Kernel-Mode Driver Flaws – The Windows Kernel-Mode Driver suffers from four security vulnerabilities; the most serious being a local elevation of privilege (EoP) flaw. If an attacker can log into your system, and run a specially crafted program, he can leverage this particular EoP flaw to gain complete control of that Windows computer. The remaining three issues are memory disclosure vulnerabilities attackers could use to gain more information about your system than you would like.
  • MS15-024 – Important – PNG Information Disclosure Flaw – Windows doesn’t handle PNG images correctly. If an attacker can get you to open a malicious PNG image, he can leverage this flaw to learn more about your system, which could aid him in further attacks.
  • MS15-025 – Important – Windows Kernel EoP Flaws – The Windows kernel suffers from two vulnerabilities that local attackers can exploit to elevate their privileges. Though the flaws differ technically, they share the same impact. By running a specially crafted program, a local attacker (with valid credentials) can gain full control of a Windows system. However, they can’t exploit these flaws unless they can already log onto your systems.
  • MS15-027 – Important – NETLOGON Spoofing Vulnerability – The Windows NETLOGON component suffers from a flaw that allows local attackers to spoof another legitimate user on your Windows network. However, to exploit this flaw an attacker must already be able to log in to your network using valid domain credentials, which significantly lessens its impact.
  • MS15-028 – Important – Task Scheduler Security Bypass Flaw – The Windows Task Scheduler—a component that allows users to run programs at specified times—suffers from a flaw involving its inability to properly enforce user privileges. In short, an unprivileged user can leverage this issue to run programs they’re not supposed to have access to. That said, they need credentials on your system to exploit this flaw.
  • MS15-029 – Important – JPEG XR Information Disclosure Flaw – The component used to display certain JPG images suffers from a memory handling flaw that unintentionally leaks information about your system. If you view a malicious image, the attacker may (or may not) gain access to some information that could aid him further in an attack.
  • MS15-030 – Important – RDP DoS Vulnerability – The Windows Remote Desktop Protocol (RDP) suffers from a denial of service (DoS) vulnerability. In short, by sending specially crafted packets, an unauthenticated attacker can take out your RDP server and prevent legitimate users from connecting. If you allow access to RDP, you’ll want to fix this flaw.
  • MS15-031 – Important – Schannel FREAK Vulnerability – You know that SSL FREAK vulnerability we’ve written about and done multiple videos about over the past week? This Schannel update fixes it for Windows. If you’re concerned about SSL man-in-the-middle (MitM) attackers, you should apply this patch.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download February’s full Security Update ISO – Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day.

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1634)
  • WEB Cross-site Scripting -11
  • WEB Cross-Site Scripting -7
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1626)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1625)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1624)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1623)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1622)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0100)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0099)
  • FILE Vulnerabilities in Adobe Font Driver Could Allow Remote Code Execution
  • SMB NETLOGON Spoofing Vulnerability (CVE-2015-0005)
  • WEB-CLIENT Microsoft Internet Explorer VBScript Memory Corruption Vulnerability (CVE-2015-0032)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0056)
  • WEB-CLIENT Microsoft Internet Explorer Elevation of Privilege Vulnerability (CVE-2015-0072)
  • WEB-CLIENT Microsoft Internet Explorer JPEG XR Parser Information Disclosure Vulnerability (CVE-2015-0076)
  • WEB-CLIENT Microsoft Internet Explorer Malformed PNG Parsing Information Disclosure Vulnerability (CVE-2015-0080)
  • WEB-CLIENT Microsoft Internet Explorer WTS Remote Code Execution Vulnerability (CVE-2015-0081)
  • FILE Microsoft Office Component Use After Free Vulnerability (CVE-2015-0085)
  • FILE Microsoft Office Memory Corruption Vulnerability (CVE-2015-0086)
  • FILE Microsoft Word Local Zone Remote Code Execution Vulnerability (CVE-2015-0097)
  • FILE Microsoft DLL Planting Remote Code Execution Vulnerability (CVE-2015-0096)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

 

Microsoft Delivers Nine Security Bulletins for February

As the second Tuesday of the month, it’s time for Microsoft administrators to get patchin’. You can find this month’s Patch Day details at Microsoft’s February Patch Day Summary page, but I’ll summarize some of the highlights below.

By the Numbers:

Today, Microsoft released nine security bulletins, fixing a total of 60 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • and Microsoft System Center Virtual Machine Manager (VMM).

They rate three bulletins as Critical, six as Important.

Patch Day Highlights:

The most interesting vulnerability this month is probably Microsoft’s Group Policy remote code execution flaw. This is a rather complex flaw that requires an attacker to successfully pull off a man-in-the-middle (MitM) attack on a computer that is configured to connect to an Active Directory domain. Once the attacker can intercept your traffic, he can trick it into running a malicious login script, which allows him to run anything he wants. Since the flaw relies on a domain login, it primarily affects corporate Windows users. Check out this article to learn more.

Internet Explorer (IE) also got a rather beefy patch, which fixes 41 security flaws. The update mostly fixes memory corruption vulnerabilities that bad guys can leverage in drive-by download attacks. However, this update also includes updates to IE’s SSLv3 handling to mitigate the POODLE flaw. Finally, this update does NOT fix the recent IE11 cross-site scripting (XSS) flaw that Google disclosed. That said, I’d recommend you install the IE update first, as web drive-by download attacks are much more popular and targeted than the Group Policy attack mentioned above.

Quick Bulletin Summary:

We summarize February’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS15-009 – Critical – Cumulative Internet Explorer update fixes 41 vulnerabilities – The Internet Explorer (IE) update primarily fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC.
  • MS15-010 – Critical – Kernel-mode Driver RCE flaw – The kernel-mode driver that ships with Windows suffers from various elevation of privilege flaws that could allow unprivileged users to execute code with full privileges. However, the attacker needs local system access and credentials to carry out the attack.
  • MS15-011 – Critical – Group Policy Remote Code Execution Flaw – The Windows Active Directory Group Policy Component suffers from a complex code execution vulnerability. If an attacker can successfully intercept all the traffic of a Windows computer that connects to a domain, she can exploit this flaw to run arbitrary code on that computer. However, the attacker would most likely have to be on the same network as the victim in order for such a man-in-the-middle attack to succeed.
  • MS15-012 – Important – Office Code Execution Flaws – Various Office components, like Word and Excel, suffer from document handling code execution flaws. If an attacker can get you to open a maliciously crafted document, he could exploit these to gain control of your computer.
  • MS15-013 – Important – Office Security Bypass Flaw – Office doesn’t properly leverage Windows’ Address Space Layout Randomization (ASLR) feature. Since ASLR makes it harder for bad guys to exploit memory corruption issues, this bypass flaw makes it easier for attackers.
  • MS15-014 – Important – Group Policy Security Bypass Flaw – Using a man-in-the-middle attack, an attacker can trick Group Policy into reverting to its less secure, default state. This attack only works against Windows machines that connect to a domain. This flaw can be used in conjunction with MS15-011 to execute code.
  • MS15-015 – Important – Windows Elevation of Privilege Flaw – In short, if an unprivileged user can run code on a Windows machine, he can leverage this flaw to gain system privileges. However, he needs valid credentials and enough access to log in to the computer in the first place.
  • MS15-016 – Important – Windows Graphic Component Information Disclosure Flaw – The Graphics component of Windows suffers from a minor flaw that attackers could leverage to learn about the current memory state of your computer. This flaw serves little purpose alone, but could help attackers exploit other memory corruption vulnerabilities more easily. Also, the attacker would have to entice you into viewing a TIFF image in order to exploit this flaw.
  • MS15-017 – Important – VMM Elevation of Privilege Flaw – If an attacker has credentials to log in to your Microsoft Virtual Machine Manager (VMM), even as an under-privileged role, that attacker could leverage this flaw to gain full access to VMM and all your virtual machines.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as soon as possible, and leave the moderate ones for last.

IMPORTANT NOTE: We have already read rumors about problems with some of today’s Microsoft updates. We highly recommend you test the patches before applying them to production servers.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download February’s full Security Update ISO – Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day.

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8967)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0017)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0018)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0019)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0020)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0021)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0022)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0023)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0025)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0026)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0029)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0030)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0031)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0035)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0036)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0037)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0038)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0039)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0040)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0041)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0042)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0043)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0071)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0070)
  • WEB-CLIENT Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-0069)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0068)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0067)
  • FILE Microsoft Office Word OneTableDocumentStream Remote Code Execution Vulnerability (CVE-2015-0065)
  • FILE Microsoft Office Word Remote Code Execution Vulnerability (CVE-2015-0064)
  • FILE Microsoft Office Excel Remote Code Execution Vulnerability (CVE-2015-0063)
  • FILE Microsoft Office TTF TrueType Font Parsing Remote Code Execution Vulnerability (CVE-2015-0059)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0053)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0052)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0051)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0050)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0049)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0048)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0046)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0045)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0044)
  • FILE Adobe Flash Player BitmapFilter Invalid Object Corruption Remote Code Execution (CVE-2015-0314)
  • FILE Adobe Flash Player Video Event Dispatch Use After Free (CVE-2015-0315)
  • FILE Adobe Flash Player OP_ANYBYTE PCRE Library Memory Corruption (CVE-2015-0316)
  • FILE Adobe Flash Player XMLSocket.connect Type Confusion (CVE-2015-0317)
  • FILE Adobe Flash Player PCRE Regex Compilation Memory Corruption (CVE-2015-0318)
  • FILE Adobe Flash Player Multiple Type Confusion (CVE-2015-0319)
  • FILE Adobe Flash Player MessageChannel.send() Use After Free (CVE-2015-0320)
  • FILE Adobe Flash Player Parsing Malformed mp4 Video Memory Corruption (CVE-2015-0321)
  • FILE Adobe Flash Player ActionScript Pushscope Opcode Memory Corruption (CVE-2015-0322)
  • FILE Adobe Flash Player Special Regex Character Sets Heap Overflow (CVE-2015-0323)
  • FILE Adobe Flash Player JSON.stringify Integer Heap Overflow (CVE-2015-0324)
  • FILE Adobe Flash Player RemoveFromDeviceGroup() Use After Free (CVE-2015-0325)
  • FILE Adobe Flash Player ActionScript URLRequest.requestHeaders Type Confusion (CVE-2015-0326)
  • FILE Adobe Flash Player Stringifying Proxy Objects Heap Overflow (CVE-2015-0327)
  • FILE Adobe Flash Player NetConnection Request Null Dereference (CVE-2015-0328)
  • FILE Adobe Flash Player Multibyte UTF-8 Characters Regular Expressions Memory Corruption (CVE-2015-0329)
  • FILE Adobe Flash Player PCRE Regex Heap Overflow (CVE-2015-0330)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

 

Poodle’s Back – WSWiR Episode 132

Another week, another batch of information security (infosec) news. Would you like a quick summary, rather than hunting it down yourself? No problem! Just check out our weekly video every Friday.

Today’s episode covers the Patch Day bonanza, lots of updates on the Sony Pictures breach, and a new twist on the “Poodle” SSL/TLS vulnerability. Press play for the scoop, and check out the References and Extras section for more stories and details.

(Episode Runtime: 7:13)

Direct YouTube Link: https://www.youtube.com/watch?v=WbbZjRtyODA

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft’s Last Patch Day Until 2015; Three Critical Patches

It’s that time of the month again: Microsoft Patch Day. Yesterday, Microsoft posted their regular batch of security updates, so it’s time you patch your Windows systems. I’ll summarize some Patch Day highlights below, but you should visit Microsoft’s December Patch Day Summary page for more details.

By the Numbers:

On Tuesday, Microsoft released seven security bulletins, fixing a total of 25 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • and Exchange Server.

They rate three bulletins as Critical, four as Important.

Patch Day Highlights:

The Exchange update is the most interesting one, but let’s start with what you should patch first. I’d start with the Internet Explorer (IE) update, as it closes a bunch of holes bad guys can use for drive-by download attacks. Next, even though Microsoft doesn’t rate it as Critical, the Exchange update fixes a few flaws attackers could leverage to access your users’ email (if they can get those users to click links). Since email is so important, I’d take care of that next. Then move on to the various Office updates, to make sure your users aren’t affected by malicious Office documents. Finally, even though it poses minimal risk, finish with the Graphics component update.

Quick Bulletin Summary:

We summarize December’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS14-080 – Critical – Cumulative Internet Explorer update fixes 14 vulnerabilities – The Internet Explorer (IE) update primarily fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC.
  • MS14-075 – Important – Four Exchange Server Vulnerabilities – Microsoft’s email server, Exchange, suffers from four security flaws. The worst are a pair of cross-site scripting (XSS) flaws. If an attacker can trick you into clicking a specially crafted link on a system you use for OWA, he could exploit these flaws to gain access to your email as you. The remaining flaws allow attackers to spoof emails to appear to come from someone else, or to spoof links that appear to link to somewhere else.
  • MS14-081 – Critical – Two Word Remote Code Execution Flaws – Word suffers from two flaws involving how it handles specially crafted Office files. In short, if an attacker can get you to open a malicious Office file, she can exploit these flaws to execute code on your computer.
  • MS14-082 – Important – Office Code Execution Flaw – Word, an Office component, suffers from yet another code execution vulnerability, similar to the two described above. I’m not sure why Microsoft included this in a separate bulletin, with a lower severity, since it seems to have a similar impact and mitigating factors as the flaws above.
  • MS14-083 – Important – Two Excel Code Execution Flaws – Excel suffers from a pair of code execution vulnerabilities attackers could exploit by getting you to interact with malicious spreadsheets.
  • MS14-084 – Important – Windows VBScript Memory Corruption Flaw – The Windows VBScript component suffers from a memory corruption flaw that attackers could leverage through your browser. If an attacker can lure you to a website with malicious code, he could exploit this flaw to execute code with your privileges.
  • MS14-085 – Important – Windows Graphic Component Information Disclosure Flaw – The Graphics component of Windows suffers from a minor flaw that attackers could leverage to learn about the current memory state of your computer. This flaw serves little purpose alone, but could help attackers exploit other memory corruption vulnerabilities more easily.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download December’s full Security Update ISO – Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day.

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8966)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6376)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6375)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6374)
  • WEB Microsoft Graphics Component Information Disclosure Vulnerability (CVE-2014-6355)
  • FILE Microsoft Word Remote Code Execution Vulnerability (CVE-2014-6357)
  • FILE Microsoft Excel Global Free Remote Code Execution Vulnerability (CVE-2014-6360)
  • WEB-CLIENT Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6368)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6369)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6373)
  • EXPLOIT Adobe Flash Player Memory Corruption (CVE-2014-0574)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6327)
  • WEB Microsoft Internet Explorer XSS Filter Bypass Vulnerability (CVE-2014-6328)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6329)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6330)
  • FILE Microsoft Excel Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6361)
  • WEB-CLIENT Microsoft VBScript Memory Corruption Vulnerability (CVE-2014-6363)
  • WEB-CLIENT Microsoft VBScript Memory Corruption Vulnerability (CVE-2014-6366)
  • FILE Adobe Flash Player opcode pushwith Memory Corruption Vulnerability (CVE-2014-0586)
  • FILE Adobe Flash Player opcode pushscope Memory Corruption Vulnerability (CVE-2014-0585)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

 

Hardware Malware – WSWiR Episode 112

Tons of Patches, Facebook Botnets, and Infected Hand Scanners

After a couple weeks of hiatus, we’re finally back with our weekly security news summary video. If you want to learn about all the week’s important security news from one convenient resource, this is the place to get it.

This episode covers the latest popular software security updates from the last two weeks, an interesting Litecoin mining botnet that Facebook helped eradicate, and an advanced attack campaign that leverages pre-infected hardware products. Watch the video for the details, and check out the References for more information, and links to many other interesting InfoSec stories.

Enjoy your summer weekend, and stay safe!

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=oAHYUW1KkM0

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Service Bus DoS Mostly Affects Enterprise Web Developers.

Among this week’s Microsoft security bulletins is one that likely only affects a small subset of Microsoft customers, and is thus not worth a full security alert.

Microsoft Service Bus is a messaging component that ships with server versions of Windows, providing enterprise developers with the means to create message-driven applications. According to Microsoft’s bulletin, Service Bus suffers from a denial of service (DoS) vulnerability involving its inability to properly handle a sequence of specially crafted messages. If you have created an application that uses Service Bus, an attacker who could send specially crafted messages to your application could exploit this flaw to prevent the application from responding to further messages. You’d have to restart the service to regain functionality.

Windows itself doesn’t really use Service Bus for anything, but if you have internal applications that do, this vulnerability may be significant to you. If you use Service Bus, be sure to check out the bulletin to get your updates. — Corey Nachreiner, CISSP (@SecAdept)

TweetDeck XSS – WSWiR Episode 111

Patch Day, P.F. Changs Hack, and TweetDeck XSS

This week delivered a lot of infosec news and a ton of software security updates. If you didn’t have time to follow it all, check out our weekly computer security video to fill in the blanks.

During today’s episode, I cover the critical patches from Microsoft, Adobe and Mozilla, mention the latest credit card breach against a U.S. restaurant chain, and talk about the cross-site scripting worm spreading via TweetDeck. Click play below to learn more, and check out the References for other interesting infosec stories.

Before wishing you a great weekend, here are a couple of quick show notes. First, I’m starting a vacation during the middle of next week, so I won’t be publishing this weekly video for the next two weeks. It will return in July.

Second, if you are a WatchGuard customer curious about our OpenSSL updates, we are in the process of posting new versions of software for many of our products. Keep your eye on this blog, as those will likely start coming out early next week.

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=hbGqdrxvOyA

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Word 2007 Patch Fixes Embedded Font Vulnerability

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Word 2007 (and related components)
  • How an attacker exploits them: By enticing users to open or interact with a maliciously crafted Word document
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing a vulnerability affecting Word 2007, and related software like the Office compatibility pack.

Word is the popular word processor that ships with Office. It suffers from a memory corruption vulnerability having to do with how it handles embedded fonts in documents. By luring one of your users into downloading and opening a malicious Word document, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs.

Microsoft only rates this update as Important (their medium severity), since it requires user interaction to succeed. However, we’ve seen many attackers successfully use malicious Office documents in emails, as part of their advanced spear-phishing campaigns. For that reason, we recommend you install Microsoft’s Word updates as soon as you can.

Solution Path:

Microsoft has released a Word (and related product) update to correct these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

See the “Affected and Non-Affected Software” section of Microsoft’s Word bulletin for links to the updates.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus service can often prevent the most common malicious documents from reaching your users. You can also leverage our XTM appliance’s proxy policies to block all Word documents if you like, though most administrators prefer not to since Office documents are often shared as part of business. To fully protect yourself, we recommend you install Microsoft’s updates.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

