Tag Archives: zeroday

UPDATE TO: Advanced Attackers Exploit IE 0day in the Wild

Severity: High

Summary:

  • This vulnerability affects: All versions of Internet Explorer (IE)
  • How an attacker exploits it: By enticing a user to visit web site containing malicious content
  • Impact: An attacker can execute code with your privileges, potentially gaining complete control of your computer
  • What to do: Install Microsoft’s emergency IE patch immediately, or let Windows Update do it for you

Exposure:

On Monday, we released an alert warning about a zero day vulnerability affecting all version of Internet Explorer. Researchers discovered attackers exploiting this critical flaw in the wild, and Microsoft had not yet released a patch at that time.

Today, Microsoft released an out-of-cycle security bulletin containing an update to fix this serious vulnerability. As mentioned in our original alert, IE suffers from something called a “use after free” memory corruption vulnerability. By enticing one of your users to a web site containing malicious content, an attacker can exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker gains full control of your machine.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks. Furthermore, attackers are already exploiting this particular flaw in targeted attacks. We highly recommend you install Microsoft’s IE update immediately

We have included the original alert below for your convenience.

Solution Path:

Microsoft has released IE updates to correct this vulnerability. You should download, test, and deploy the updates immediately, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s IE bulletin. Also note, Microsoft has included updates for Windows XP customers, despite their End-of-Life date last month.

If for some reason you cannot patch immediately, there are also some workarounds than can mitigate the issue. We detail those workarounds in our original alert, which we’ve included below for your convenience.

For All WatchGuard Users:

As mentioned in our original alert, there are a number of things WatchGuard XTM customers can do to protect themselves. For instance, you can use our proxy policies to block Flash content by extension (.SWF) or by MIME type (application/x-shockwave-flash). Furthermore, our IPS service includes signatures that block this IE exploit (update to signature set 4.410). Nonetheless, we still highly recommend you install Microsoft’s IE update to completely protect yourself from this attack.

Status:

Microsoft has released patches to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


Over the weekend, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability in Internet Explorer (IE), which attackers are exploiting in the wild. Around the same time, Kaspersky also noted an attack campaign leveraging a new Adobe Flash zero day flaw, which Adobe patched today. I’ll discuss both issues below, starting with the IE issue.

IE Zero Day in the Wild

According to this blog post, researchers at FireEye discovered advanced attackers exploiting this zero day IE flaw as part of a persistent attack campaign they are calling “Operation Clandestine Fox.” The attack targets IE 9-11 and also leverages a Flash flaw to help bypass some of Windows’ security features.

Shortly after FireEye’s post, Microsoft released a security advisory confirming the previously undiscovered flaw in IE. The advisory warns that the flaw affects all versions of IE (though the attack seems to target IE 9-11). While Microsoft is still researching the issue, the vulnerability seems to be a “use after free” class of memory corruption vulnerability. In short, if an attacker can entice you to a web page containing maliciously crafted content, he could exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker would gain full control of your machine. It’s interesting to note, the attackers also leverage a known Adobe Flash issue to help defeat some of Microsoft’s Windows memory protection features.

Zero day IE vulnerabilities are relatively rare, and very dangerous. Attackers are already exploiting this IE one in the wild, so it poses a significant risk. Unfortunately, Microsoft just learned of the flaw, so they haven’t had time to patch it yet. I suspect Microsoft will release an out-of-cycle patch for this flaw very shortly since this is a high-profile issue. In the meantime here a few workarounds to help mitigate the flaw:

  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue.  So you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMETEMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. Installing EMET could help protect your computer from many types of memory corruption flaws, including this one. This Microsoft blog post shares more details on how it can help with this issue.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to many browser-based attacks.
  • Disable VML in IE – This exploit seems to rely on VML to work. Microsoft released a blog post detailing how disabling VML in IE, or running IE in “Enhanced Protection Mode” can help.
  • Make sure your AV and IPS is up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. In fact, WatchGuard’s IPS engineers have already created signatures to catch this attack. We are QA testing the signatures now, but they should be available to XTM devices shortly. Whatever IPS system you use, be sure to keep your AV and IPS systems updating regularly, to get the latest protections.
  • WatchGuard XTM customers can block Flash with proxies – If you own a WatchGuard XTM security appliance, you can use our proxy policies to block certain content, including Flash content. For instance, you can use our SMTP or HTTP proxies to block SWF files by extensions (.SWF) or by MIME type (application/x-shockwave-flash). Keep in mind, blocking Flash blocks both legitimate and malicious content. So only implement this workaround if you are ok with your users not accessing normal Flash pages.

Adobe Patches Flash Zero Day

Coincidentally, Adobe also released an emergency Flash update today fixing a zero day exploit that other advanced attackers are also exploiting in a targeted watering hole campaign. The patch fixes a single vulnerability in the popular Flash media player, which attackers could exploit to run arbitrary code on your system; simply by enticing you to a web site containing specially crafted Flash content. This exploit was discovered in the wild by Kaspersky researchers (one of our security partners). According to Kaspersky’s research, the exploit was discovered on a Syrian website, and seems to be designed to target potential Syrian dissidents.

The good news is there is a patch for this flaw. So if you use Adobe Flash, go get the latest update now. By the way, some browsers like Chrome and IE 11 embed Flash directly, so you will also have to update those browsers individually. Finally, though the IE zero day I mentioned earlier does rely on a Flash issue, this particular zero day Flash flaw is totally unrelated. One additional note; WatchGuard’s IPS engineers have also created a signature for this exploit as well. It will be available shortly, once testing is complete.

So to summarize, if you use IE, disable VML, install EMET, and watch for an upcoming patch. If you use Flash, updates as soon as you can. I will be sure to inform you here, as soon as Microsoft releases their real patch or FixIt. — Corey Nachreiner, CISSP (@SecAdept)

Advanced Attackers Exploit IE & Flash 0days in the Wild

Over the weekend, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability in Internet Explorer (IE), which attackers are exploiting in the wild. Around the same time, Kaspersky also noted an attack campaign leveraging a new Adobe Flash zero day flaw, which Adobe patched today. I’ll discuss both issues below, starting with the IE issue.

IE Zero Day in the Wild

According to this blog post, researchers at FireEye discovered advanced attackers exploiting this zero day IE flaw as part of a persistent attack campaign they are calling “Operation Clandestine Fox.” The attack targets IE 9-11 and also leverages a Flash flaw to help bypass some of Windows’ security features.

Shortly after FireEye’s post, Microsoft released a security advisory confirming the previously undiscovered flaw in IE. The advisory warns that the flaw affects all versions of IE (though the attack seems to target IE 9-11). While Microsoft is still researching the issue, the vulnerability seems to be a “use after free” class of memory corruption vulnerability. In short, if an attacker can entice you to a web page containing maliciously crafted content, he could exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker would gain full control of your machine. It’s interesting to note, the attackers also leverage a known Adobe Flash issue to help defeat some of Microsoft’s Windows memory protection features.

Zero day IE vulnerabilities are relatively rare, and very dangerous. Attackers are already exploiting this IE one in the wild, so it poses a significant risk. Unfortunately, Microsoft just learned of the flaw, so they haven’t had time to patch it yet. I suspect Microsoft will release an out-of-cycle patch for this flaw very shortly since this is a high-profile issue. In the meantime here a few workarounds to help mitigate the flaw:

  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue.  So you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMETEMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. Installing EMET could help protect your computer from many types of memory corruption flaws, including this one. This Microsoft blog post shares more details on how it can help with this issue.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to many browser-based attacks.
  • Disable VML in IE – This exploit seems to rely on VML to work. Microsoft released a blog post detailing how disabling VML in IE, or running IE in “Enhanced Protection Mode” can help.
  • Make sure your AV and IPS is up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. In fact, WatchGuard’s IPS engineers have already created signatures to catch this attack. We are QA testing the signatures now, but they should be available to XTM devices shortly. Whatever IPS system you use, be sure to keep your AV and IPS systems updating regularly, to get the latest protections.
  • WatchGuard XTM customers can block Flash with proxies – If you own a WatchGuard XTM security appliance, you can use our proxy policies to block certain content, including Flash content. For instance, you can use our SMTP or HTTP proxies to block SWF files by extensions (.SWF) or by MIME type (application/x-shockwave-flash). Keep in mind, blocking Flash blocks both legitimate and malicious content. So only implement this workaround if you are ok with your users not accessing normal Flash pages.

Adobe Patches Flash Zero Day

Coincidentally, Adobe also released an emergency Flash update today fixing a zero day exploit that other advanced attackers are also exploiting in a targeted watering hole campaign. The patch fixes a single vulnerability in the popular Flash media player, which attackers could exploit to run arbitrary code on your system; simply by enticing you to a web site containing specially crafted Flash content. This exploit was discovered in the wild by Kaspersky researchers (one of our security partners). According to Kaspersky’s research, the exploit was discovered on a Syrian website, and seems to be designed to target potential Syrian dissidents.

The good news is there is a patch for this flaw. So if you use Adobe Flash, go get the latest update now. By the way, some browsers like Chrome and IE 11 embed Flash directly, so you will also have to update those browsers individually. Finally, though the IE zero day I mentioned earlier does rely on a Flash issue, this particular zero day Flash flaw is totally unrelated. One additional note; WatchGuard’s IPS engineers have also created a signature for this exploit as well. It will be available shortly, once testing is complete.

So to summarize, if you use IE, disable VML, install EMET, and watch for an upcoming patch. If you use Flash, updates as soon as you can. I will be sure to inform you here, as soon as Microsoft releases their real patch or FixIt. — Corey Nachreiner, CISSP (@SecAdept)

Out-of-Cycle Word FixIt Corrects Zero Day Vulnerability

If you’re worried about spear phishing attacks (and if you’re not, you should be), grab Microsoft’s emergency FixIt to mitigate a zero day vulnerability attackers are exploiting in the wild.

In a security advisory released yesterday, Microsoft warned of a zero day vulnerability in Word, which attackers are exploiting in what Microsoft describes as limited, targeted attacks. Apparently, the exploit in the wild targets Word 2010, but the flaw affects other versions of Word as well. Since this is an early advisory, it doesn’t describe the flaw in much technical detail. However, it does mention attackers can trigger the flaw with specially crafted rich text format (RTF) files. If an attacker can entice you to view a malicious RTF in Word, he could exploit this vulnerability to execute code on you computer, with your privileges. If you are an administrator, the attacker gains complete control of your PC.

By default, most current version of Office use Word as Outlook’s email viewer. This mean attackers can trigger this flaw just by getting you to open an RTF attached to an email. According to some on Twitter, simply previewing an email with a malicious RTF triggers the flaw.

While Microsoft hasn’t had time to release a full patch yet, they have posted a FixIt that mitigates the risk of this vulnerability. If you use Office, I highly recommend you install the FixIt as soon as you can. Also, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) can mitigate the risk of any type of memory corruption flaw. In general, I recommend you install EMET on Windows machines to protect them from any zero day, memory-related issues.

I’ll post more details about this flaw during an upcoming Patch Day, when Microsoft releases the final update. In the meantime, if you’d like more information about it you can check out Microsoft’s security blog post— Corey Nachreiner, CISSP (@SecAdept

 

Grab Adobe and Microsoft’s Emergency Flash and IE Fixes

Let’s start with the short version. Yesterday, both Microsoft and Adobe released out-of-cycle updates to fix zero day security vulnerabilities that advanced attackers are exploiting in the wild via “watering hole” campaigns. If you use these products and haven’t installed the updates, go get the Flash and Internet Explorer (IE) fixes now!

The slightly longer story is early this week (during the U.S. President’s Day holiday) two security companies, FireEye and Websense, independently reported discovering two different legitimate web sites serving malware via a drive-by download attack. The web sites included a U.S Veteran’s site (VFW.org) and a French aeronautical company’s web site. The malicious code on these sites exploited two previously undiscovered, zero day vulnerabilities affecting Adobe Flash, and IE 9 and 10. They also delivered some relatively advanced trojan malware (in one case, Gh0strat), which has been used before in attacks that seem to come from China-based hackers. Since these sites have very specific user bases (military and ex-military, or aeronautical engineers), these attack campaigns fall into the category of watering hole attacks, where smart attackers purposely hijack web sites they know their target visits in hopes of poisoning the target’s watering hole. If you’d like to learn more about these types of attacks, and other web threats, you can check out a presentation I recently gave on the subject in a BrightTALK. You can also learn more about these specific attacks in this week’s upcoming security video.

In any case, yesterday both Microsoft and Adobe released advisories that include updates or FixIts that patch these zero day flaws. While you probably haven’t run into these exploits yet, unless you happen to fall into the two victim bases for these attacks, I expect criminal attackers to quickly start leveraging these new flaws. Now that they are public, you can expect criminal hackers to quickly incorporate the new attacks into the exploit kits they sell on the underground. Once they do, you’ll start to see these exploits popping up every where, to serve normal criminal malware. In other words, if you use IE or Flash, you should go get the updates immediately. You can find links to them in Microsoft and Adobe’s advisories. — Corey Nachreiner, CISSP (@SecAdept

 

Microsoft Black Tuesday: Updates Correct One of Two Zero day

Today’s the second Tuesday of the month, which means it’s Microsoft (and Adobe) Patch Day. One of Microsoft updates fixes a zero day vulnerability, so we recommend you install at least that one as quickly as possible.

According to their summary post for November 2013, Microsoft released eight security bulletins today, fixing 18 security flaws in products like Internet Explorer (IE), Windows, Office products, and Hyper-V. They rate three of the bulletins as Critical.

The most critical update is the ActiveX one, since it fixes a zero day flaw. A few days ago, researchers at FireEye reported that advanced attackers were exploiting a previously unknown IE flaw in targeted attacks. Microsoft quickly confirmed the flaw was due to a particular ActiveX control, and promised to fix it today. Since attackers are exploiting this particular ActiveX control in the wild, you should apply the ActiveX “killbit” patch first. The IE and GDI updates also fix some pretty serious issues, so I would apply those patches quickly as well.

For those wondering, Microsoft hasn’t yet released a patch for the previously reported zero day TIFF vulnerability. If you haven’t installed the FixIt I recommended last week, be sure to do that too.

In a nutshell, check out Microsoft’s summary and try to install all the updates at your earliest convenience. Microsoft’s Auto Update can make the process easier, but I still recommend you test server-related updates before applying them.

I’ll post more detailed alerts about Microsoft updates throughout the day, so stay tuned. As an aside, it’s also Adobe patch day. I’ll eventually post an alert for that too, but you can get a preview here.  — Corey Nachreiner, CISSP (@SecAdept)

Attackers Exploiting a Zero Day in Windows, Office, and Lync

Today, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability that affects Windows, Office, and Lync.

In a nutshell, the vulnerability has to do with how certain versions of Windows, Office, and Lync handle specially crafted TIFF images. If an attacker can trick you into viewing a malicious image, including ones embedded in Office documents, he can exploit this flaw to execute code on your computer, with your privileges. If you have local administrative permissions, as most Windows users do, they attacker gains complete control of your computer.

McAfee researchers first discovered this flaw being exploited in the wild, and they share some interesting details about the issue on their blog (Microsoft also shares some extra technical detail here). While the flaw lies in Microsoft’s image handling components (GDI+), the public attack actually arrives as a malicious Word document with an embedded TIFF, which the attackers send via email. Microsoft claims attackers are only exploiting the flaw in limited, targeted cases.

Since they just learned about the flaw recently, Microsoft hasn’t had time to patch it yet. However, they have released a FixIt which mitigates the issue. FixIts are not considered full patches, but they can protect you until Microsoft releases their final update. If you use any of the affected versions of Windows, Office, or Lync, I highly recommend you apply the FixIt as soon as you can. Microsoft does also offers a few other workarounds, such as disabling the TIFF codec, or using the EMET tool (something I suggest you do in general), but I think the FixIt is the quickest and most reliable solution.

I’ll continue to follow this issue as it evolves, and will post here as soon as Microsoft releases a patch. — Corey Nachreiner, CISSP (@SecAdept)

Install IE FixIT to Avoid Zero Day Attack

Summary:

  • This vulnerability affects: Probably all current versions of Internet Explorer (IE), but the targeted exploit only affects IE 8 and 9
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: In the worst case, an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Apply Microsoft’s IE FixIt, or consider the other workarounds below

Exposure:

Today, Microsoft released a critical out-of-cycle security advisory warning customers of a serious new zero day vulnerability affecting Internet Explorer (IE), which attackers are currently exploiting in the wild. The flaw likely affects all current versions of IE (6-11), but Microsoft claims the targeted attack only goes after IE 8 and 9 users.

The early advisory doesn’t describe the vulnerability in much technical detail, but what it does describe sounds very much like a  “use after free” vulnerability involving the way IE handles certain HTML objects. Regardless of the technical details, the scope and impact is the same. If an attacker can lure you to a web site containing malicious code (including a legitimate web site which may have been hijacked and booby-trapped), he could exploit this vulnerability to execute code on your computer, with your privileges.  As always, if you have local administrator privileges, the attacker could exploit this issue to gain complete control of your computer.

A remote code execution vulnerability is bad enough in theory, but knowing attackers found this one first, and are already exploiting it in the wild makes this flaw a pretty critical issue. The good news is Microsoft has released a FixIt to mitigate the risk of this flaw. We highly recommend you apply that FixIt, and also consider the other protective workarounds mentioned below.

Solution Path:

Since this vulnerability was first discovered in the wild, Microsoft has not yet had time to release a patch. However, they have released a FixIt workaround to temporarily mitigate the attack. If you use IE, I recommend you apply the FixIt immediately.

It’s important to note FixIts are temporary workarounds. They don’t replace full patches. We expect Microsoft to release a full patch for this flaw in the future, perhaps even in an out-of-cycle IE bulletin this month.

Finally, though the FixIt prevents attackers from exploiting this issue, we also offer a few other workarounds below. Some of these tips can help mitigate many web-based, memory-related vulnerabilities, so you might consider making them your regular practice:

  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue.  So you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMET – EMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. EMET is a fairly complex tool, so I only recommend it to more advanced administrators. Nonetheless, installing it could help protect your computer from many types of memory corruption flaws, including this one.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to this attack.
  • Make sure your AV and IPS is up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. Be sure to keep your AV and IPS systems updating regularly, to get the latest protections.

For All WatchGuard Users:

Our IPS signature team belongs to the Microsoft Active Protections Program (MAPP). According to their advisory, Microsoft is sharing information about this attack with MAPP partners now. Due to this partnership, we’ll likely have a signature for this attack shortly. Regardless, we still highly recommend you apply Microsoft’s FixIt to protect your users.

Status:

Microsoft has released a FixIt to mitigate the issue. They plan on releasing a full patch in the future.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

WatchGuard Security Week in Review: Episode 36 – White House Hack

Pwned DSL Routers, White House Hack, and Phone Scams

Cyber security is on the industry’s mind. As a result, every week seems packed with information and network security news. If you don’t have time to keep up because you are too busy putting out normal IT fires, this weekly podcast is for you. WatchGuard Security Week in Review is dedicated to quickly summarizing the biggest security stories each week, and to sharing tips and best practices that can help protect you from the latest threats. If you want a 10 minute or less summary of each week’s security news, give this video podcast a try.

This week, I talk about a FUD-filled White House hack, an attack campaign that infected 4.5 million Brazilian routers, a couple examples of phone scams and social engineering, and much more. If any of this interests you, or you just want to relax for 10 minutes while sipping your first coffee of the day, press play on the video below.

As always, I’ve included a Reference section below, which links to each of the stories. If you want more details than I can cover in this short episode, check the links out. Hope to see you next time, and stay safe out there.

(Episode Runtime: 10:25)

Direct YouTube Link: http://www.youtube.com/watch?v=MupAGOg-RBI

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 35 – Adobe Certs

New Java 0day, Cisco DoS, and Stolen Adobe Certs

There’s no shortage of information and network security news lately. If you find yourself struggling to keep up with it, due to all your other daily tasks, let my weekly summary videos fill you in. WatchGuard Security Week in Review quickly highlights the most important stories of the week, and lets you know what to do about the ones that might affect you.

This week’s episode includes two important software updates, news of another Java zero day flaw, a story about advanced attackers breaching a Smart Grid vendor’s network, and details about stolen Adobe code signing certificates. There’s patches to install and certificates to revoke, so give this week’s episode a view to learn what to do.

If you’d like more details on any of these stories, or want to see the ones I didn’t have time to cover in the video, check out the Reference section below. Have a great weekend, and see you next Friday.

(Episode Runtime: 8:50)

Direct YouTube Link: http://www.youtube.com/watch?v=R-DbODYoBLI

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Final IE 0day Update: Microsoft Out-of-Cycle Patch Available

If you’ve read my two posts [ 1 / 2 ], and watched this week’s video, you already know all about the zero day vulnerability plaguing Internet Explorer (IE) this week. In my last update, I mentioned Microsoft promised to release a full, out-of-cycle patch for this serious vulnerability today. True to their word, they did just that.

Since you know all about this flaw already, I won’t bore you with the details again. However, I highly recommend you go download, test, and install this update immediately. The patch is your best protection against the attacks in the wild.  — Corey Nachreiner, CISSP (@SecAdept)

%d bloggers like this: