Tuesday, June 12, 2012

Four Windows Bulletins Fix RDP, .NET Framework, and Kernel Flaws | WatchGuard Security Center

Exciting new stuff for this month's Patch Tuesday!

Quoted from http://watchguardsecuritycenter.com/2012/06/12/four-windows-bulletins-fix-rdp-net-framework-and-kernel-flaws/:

Four Windows Bulletins Fix RDP, .NET Framework, and Kernel Flaws

June 12, 2012 by Corey Nachreiner

Severity: High


  • These vulnerabilities affect: All current versions of Windows and its optional .NET Framework component.
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets or enticing your users to web sites with malicious content
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.


Today, Microsoft released four security bulletins describing nine vulnerabilities affecting Windows and components that ship with it, including its optional .NET Framework component. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates, especially the critical ones, as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-036: RDP Remote Code Execution Vulnerability

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network to directly control your desktop. Windows Terminal Servers also use the RDP protocol to allow many remote users to share one machine.

Unfortunately, the RDP component that ships with all versions of Windows suffers from a serious security vulnerability having to do with how it handles specially crafted sequences of packets (similar to a flaw described in March). By sending a sequence of such packets to a computer running the RDP service, an attacker could exploit this flaw to gain complete control of that computer.

Luckily, the RDP service is not enabled by default on Windows systems. You are only vulnerable to this issue if you have specifically enabled RDP connections. That said, many companies manage Windows Terminal Servers, which do enable RDP services. Windows’ Remote Assistance and Remote Web Workplace features also expose RDP. If you manage any workstations or servers using RDP, we highly recommend you apply the RDP patch immediately.

Microsoft rating: Critical

  • MS12-038: .NET Framework Remote Code Execution Vulnerability

The .NET Framework is a software framework used by developers to create new Windows and web applications. The .NET Framework component suffers from a code execution flaw, which has to do with how it handles specially crafted XAML Browser Applications (XBAP). If an attacker can entice a user who’s installed the .NET Framework to a web site containing malicious XBAP, she can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage this flaw to gain full control of their computers. This flaw may also affect custom .NET Framework-based programs, which you might develop and run in-house.

Microsoft rating: Critical

  • MS12-041 and MS12-042: Kernel & Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level.

Microsoft released two bulletins today, describing seven local elevation of privilege flaws that affect either the kernel or the kernel-mode driver component. Though these seven flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage any of these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computer using valid credentials – even if only with “Guest” user access. The requirement for local access significantly lessens the severity of these flaws.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run executable files locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, WatchGuard’s firewalls and XTM security appliances can mitigate the risk of many of these flaws. For instance, our appliances mitigate the risk of the Windows RDP vulnerability by blocking external access to the RDP ports (TCP port 3389 and 4125). As long as you haven’t specifically allowed RDP, our default setting will prevent Internet-based attackers from exploiting the RDP vulnerability described above.

Furthermore, our XTM appliance’s security services, including Gateway Antivirus (GAV) and Intrusion Prevention Service, can also help protect you. For instance, our GAV service will block much of the malware attackers try to deliver when exploiting these sorts of software vulnerabilities.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Cumulative Patch Plugs 13 Internet Explorer Vulnerabilities | WatchGuard Security Center

Lots of exciting IE patches this month!

Quoted from http://watchguardsecuritycenter.com/2012/06/12/cumulative-patch-plugs-13-internet-explorer-vulnerabilities/:


Cumulative Patch Plugs 13 Internet Explorer Vulnerabilities

June 12, 2012 by Corey Nachreiner

Severity: High


  • This vulnerability affects: All current versions of Internet Explorer, running on all current versions of Windows
  • How an attacker exploits it: Typically, by enticing one of your users to visit a malicious web page
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you


In a security bulletin released today as part of Patch Day, Microsoft describes 13 new vulnerabilities in Internet Explorer (IE) 9.0 and earlier, running on all current versions of Windows. Microsoft rates the aggregate severity of these new flaws as Critical.

The 13 vulnerabilities differ technically, but many of them share the same general scope and impact. More than half the flaws are remote code execution vulnerabilities having to do with how IE handles various HTML objects, elements, and properties. If an attacker can lure one of your users to a web page containing malicious code, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

The remaining issues include less severe cross-site scripting (XSS) flaws and information disclosure vulnerabilities.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, the remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Furthermore, attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws can affect you no matter what types of web sites you frequent on the Internet. If you use IE, you should download and install the cumulative update immediately.

Solution Path:

These updates fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

That said, WatchGuard’s Gateway Antivirus and Intrusion Prevention Service can often prevent these sorts of attacks, or the malware they try to distribute. We highly recommend you enable our security services on your WatchGuard XTM and XCS appliances.


Microsoft has released patches to fix these vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP

Wednesday, June 6, 2012

LinkedIn Passwords Leaked; Change Your Password | WatchGuard Security Center

Something new and exciting happening..... this, amongst many other reasons, is why we recommend passphrases instead of passwords. It also illustrates the danger of using the same password for every site you have an account on. Yes, "there's an app for that" or program that will allow you to securely store all of those pesky passwords and account names you need for all of your sites.

If you need some ideas, give the office a buzz....724-387-1331

- Mike

Quoted from http://watchguardsecuritycenter.com/2012/06/06/linkedin-passwords-leaked-change-your-password/:

LinkedIn Passwords Leaked; Change Your Password

June 6, 2012 by Corey Nachreiner

According to many reports, Russian attackers have somehow gotten their hands on 6.5 million hashed LinkedIn passwords. They have posted the hashed passwords to a Russian hacking web site, asking the hacking community to help them crack the hashes. With the increases in computing power and cracking technology, I suspect it’s only a matter of time until they have actual passwords. LinkedIn users: change your passwords immediately!

So far, no one knows exactly how these attackers were able to get their hands on LinkedIn’s password database, though LinkedIn reports they are investigating the incident. If I had to guess, I would place my bet on a SQL injection attack, as it’s a great vector for leeching this kind of data from the database backend behind a complex, insecurely coded web application.

Next, let’s talk about the state of the passwords. As I mentioned earlier, the stolen LinkedIn passwords are “hashed.” In computing and cryptography, hash functions are usually one-way cryptographic algorithms that map data sets (of any length) to a unique, fixed-length key. These one-way algorithms are designed so that the key should uniquely match one and only one data set, but also should not help you recreate the original data. Hashes only verify whether the data set you have is valid; they don’t encrypt the data.

The good news is that LinkedIn stored their customers’ passwords as hashes, which makes it harder for unauthorized users to figure out the clear text passwords. The bad news is LinkedIn used unsalted SHA-1 hashes. Without getting into all the technical details, a salt is essentially a little more random information you can mix with a one-way function to make it that much harder for certain cryptographic attacks (dictionary attacks) to succeed. At the risk of sounding like a cooking show host, LinkedIn should have salted their hashes.

Back to the state of LinkedIn’s passwords. The passwords posted on the Russian site are still hashed, so the bad guys don’t have your clear text password yet. However, between increased computing power, distributed computing, rainbow tables, and LinkedIn’s lack of salting, I expect motivated attackers will quickly crack many of these passwords any day. So don’t expect the hashes to protect you for long.

As I mentioned at the beginning of this post, if you have a LinkedIn account you should change your password immediately! Furthermore, if you use that password anywhere else (which you shouldn’t), you need to change your passwords on those accounts too. We’ve seen these sorts of big password leaks before (Zappos), and will surely see them again. Security professionals have always realized the importance of password security, but with so many businesses moving their assets to the cloud, password security has become paramount! So, I’ll leave you with a few “password best practice” tips I’ve dusted off from the last big password breach. If you didn’t follow this advice back then, I truly hope you consider doing so today.

  • Change your password(s) after a security breach – If a site you use ever has a security breach where attackers gain access to passwords (hashed or not), change your password immediately.
  • Use strong passwords – I believe passwords should be greater than 10 characters. One easy way you can create long passwords, with enough entropy, is by using passphrases, or more specifically something I call pass-sentences. WatchGuard’s Bud Logs In video talks about these concepts in more detail (and is good for basic end users).
  • Use different passphrases on different web sites – This is a crucial aspect of password security, especially when considering these types of web breaches. If you, like most people, use the same password for many different web sites, attackers could gain access to all those accounts. If you have been using the same password everywhere, you should change it to a different password on every site. That said, many people find this advice hard to implement in practice; which brings me to the next tip…
  • Leverage password vault software – Password vaults make it easier for you to manage multiple passwords securely. They are not perfect. If you use multiple machines and OSs, you may have trouble finding password management software that meets all your needs. Plus, password vaults become a single point of potential failure, as they almost literally store all the keys to your kingdom. It’s extremely important to use secure password vaults, and protect them. That said, they offer the only practical solution to managing multiple passwords today. This article suggests a few good ones to use (I have used 1password myself).

Corey Nachreiner, CISSP (@SecAdept)
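The quoted post explains why unsalted SHA-1 hashes fall quickly to dictionary and rainbow-table attacks and why a salt changes that. The following Python script is an added example, not code from the WatchGuard post or from LinkedIn; the user names, passwords, word list and "precomputed table" in it are all constructed for the demonstration. It stores the same three passwords two ways: bare SHA-1, as the post says LinkedIn did, and a per-user random salt fed into iterated PBKDF2-HMAC-SHA256 (Python's `hashlib.pbkdf2_hmac`), then shows that a table computed once resolves the unsalted hashes for every user who picked the same password, while it resolves none of the salted ones.

```python
"""Added example (not from the WatchGuard post): unsalted SHA-1 versus
salted, iterated password hashing.  Every value below is constructed."""
import hashlib
import hmac
import os

# Constructed sample accounts: alice and bob chose the same weak password.
USERS = {
    "alice": "password123",
    "bob": "password123",
    "carol": "correct horse battery staple",
}


def sha1_unsalted(password: str) -> str:
    """The scheme the post describes: a bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256.  The stored
    string carries algorithm, iteration count and salt so it can be verified."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, _ = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = pbkdf2_salted(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)


def build_precomputed_table(wordlist):
    """Tiny stand-in for a dictionary/rainbow table: hash -> plaintext,
    computed once and reusable against every leaked unsalted hash."""
    return {sha1_unsalted(w): w for w in wordlist}


def resolve_unsalted(user_hashes, table):
    """Return {user: plaintext} for every unsalted hash the table contains."""
    return {u: table[h] for u, h in user_hashes.items() if h in table}


def demo():
    wordlist = ["123456", "password", "password123", "linkedin"]  # constructed
    table = build_precomputed_table(wordlist)

    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    # Same password -> same unsalted hash, so one table lookup exposes both users.
    resolved = resolve_unsalted(unsalted, table)

    salted = {u: pbkdf2_salted(p, os.urandom(16)) for u, p in USERS.items()}
    # Same password, different salt -> different stored values; the table never
    # matches, and each guess must be recomputed per user at PBKDF2 cost.
    table_hits = sum(1 for s in salted.values() if s in table)

    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_resolved_users": sorted(resolved),
        "salted_identical": salted["alice"] == salted["bob"],
        "salted_table_hits": table_hits,
        "salted_verify_ok": verify_salted("password123", salted["alice"]),
        "salted_verify_bad": verify_salted("wrong", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not have to be secret; it only has to be unique per user, which is why it can be stored next to the hash. The iteration count is what makes each guess expensive, so it belongs in the stored string too, so that it can be raised over time without invalidating existing records.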

Monday, June 4, 2012

Microsoft Revokes Certificate Due to Flame Malware | WatchGuard Security Center

More news on Flame Malware

Quoted from http://watchguardsecuritycenter.com/2012/06/04/microsoft-revokes-certificate-due-to-flame-malware/:

Microsoft Revokes Certificate Due to Flame Malware

June 4, 2012 by Corey Nachreiner

Last week, I wrote about a sophisticated new piece of malware called Flame, which infected various organizations in the Middle East. At the time, Antivirus vendors had just begun dissecting this advanced new worm, and expected to unveil even more interesting details about it as time went on. It looks like they won’t disappoint.

Today, two interesting new details have surfaced about Flame. More importantly, one requires a Windows update.

First, late Sunday Microsoft released a blog post and Security Advisory warning that the Flame worm leveraged a previously undiscovered flaw in an older Microsoft cryptographic algorithm. Microsoft’s Terminal Server Licensing Service previously shipped with an algorithm that allowed you to create certificates and sign code as though it came from Microsoft themselves. Apparently, the Flame worm exploited this fact to sign its code with seemingly legitimate Microsoft certificates, which helps it spread on local networks. More specifically, Flame implements an interesting Man-in-the-Middle (MitM) attack, where it redirects local Windows Update requests through an infected machine. The infected machine then delivers infected “updates” to those new victims. Since the infected update is signed with a perfectly legitimate Microsoft certificate, the victim machine installs the booby-trapped update without any warnings.

Happily, Microsoft has released an update and taken actions to ensure that bad guys can no longer leverage this flawed cryptographic algorithm to generate rogue certificates in the future. They also have revoked the trust associated with two intermediate CA certificates, which prevents your Windows computers from trusting Flame’s rogue certificates. If you are a Windows user, I recommend you download and install this update as soon as you can, or let Windows Automatic Update do it for you.

The second Flame update has to do with its actual age. In my initial post, I shared that Kaspersky suspected the Flame malware had been around since at least March 2010. New information suggests it’s even older. Over the last week, Kaspersky and OpenDNS have collaborated to further analyse Flame, focusing on its command & control (C&C) domains. OpenDNS reports they found at least 85 C&C domains embedded into Flame. More interestingly, the first of these domains was registered as far back as March 2008. This suggests that the Flame attack started two years earlier than first suspected, and also demonstrates just how long advanced malware (or APTs) might hide on a network before being discovered.

This is probably the scariest aspect of these APT malware attacks — that malware can infect protected systems and live on those networks for months, or even years, without being noticed. Security experts have long suggested this was possible, but some people have to see it to believe it. So what’s the takeaway? How about, “visibility is defense.”

As a security industry, we often focus a lot on prevention technologies; things that help keep your network from being breached in the first place. While prevention is very important, the truth is you’ll never block every attack. Even if you have the best network defense in the world, an unsuspecting user could accidentally walk malware through your back door. That’s why administrators also need to focus on visibility tools as part of their security policy. Malware detection, incident handling, and disaster recovery are just as important to security as preventative security controls. If you are not already using graphical network monitors to keep track of what’s happening on your network, start doing so immediately (some of WatchGuard’s real-time monitors can help).

That covers today’s Flame updates. However, I suspect researchers will continue to find interesting new aspects to this headline-grabbing malware for weeks and months to come. I’ll be sure to continue filling you in on the more relevant updates here. —Corey Nachreiner, CISSP (@SecAdept)

Another one bites the dust

Instagram competitor PicPlz to shut down in July http://news360.com/article/55616559

Sunday, June 3, 2012

What is the “Flame” Worm and Should I Worry About It? | WatchGuard Security Center

Something we all should be paying attention to......

Quoted from http://watchguardsecuritycenter.com/2012/05/31/what-is-the-flame-worm-and-should-i-worry-about-it/:


What is the “Flame” Worm and Should I Worry About It?

May 31, 2012 by Corey Nachreiner

If you’ve followed security or technical news over the last few days, you’ve probably heard about the “Flame” worm. This interesting new piece of malware belongs to a class of attack called an Advanced Persistent Threat (APT), and it’s making headlines worldwide. As a result, many of you may be wondering whether or not this nasty sounding malware will affect your organization. My short answer is, “probably not,” but read on to learn more.

Let’s start with the basics. Kaspersky Labs — one of WatchGuard’s Antivirus (AV) partners — was one of the first to discover and analyze the “Flame” worm (Worm.Win32.Flame). According to their analysis so far, Flame is one of the largest and most complex malware samples they have ever seen. As such, they haven’t finished their full investigation of this malware, but here’s a quick summary of what they know so far:

  • Flame is primarily an information stealing toolkit and backdoor trojan, but it also has worm-like capabilities that allow it to spread over local networks and USB storage.
  • Its information stealing capabilities include network sniffing, keystroke logging, screenshot snapping, and even audio recording. It also can collect data about Bluetooth devices in the vicinity. It shares all this stolen data over an encrypted Command and Control (C&C) channel.
  • It is one of the largest pieces of malware Kaspersky has seen, at around 20MB, and it contains over 20 different modules. Its author also created it using a scripting language (Lua) that malware writers don’t typically use.
  • Rather than running as an executable file like typical malware, Flame loads itself as a number of malicious DLL files at boot.
  • Kaspersky believes the author originally created the malware in 2010.
  • Flame is targeted. Its infections seem limited to various organizations in Middle Eastern countries, with a primary focus on Iran. It also does not appear to have spread widely (under 400 known infections).

All that said, one thing we don’t know yet is how Flame initially infects its victim. Since this is a very targeted attack, I doubt Flame’s initial infection vector is automated in any way, nor launched on a massive scale. Rather, the attackers probably directly target specific organizations, and may even leverage different infection vectors for each target. If you add up all these facts, you can probably see why many experts consider Flame an APT attack similar to Stuxnet and Duqu. While none of the researchers analyzing this malware can prove it yet, most suspect that a nation-state actor created the Flame malware for cyber-espionage.

This brings us back to our original question, “Should I worry about the Flame malware?” Unless you’re an administrator of a state or education related industry in the Middle East, Flame will probably never directly affect you. So, no. I don’t think typical organizations have anything to worry about Flame. Furthermore, now that AV organizations have identified Flame, they have released signatures to detect and remove its known variants. If you use any of the top AV products, and keep those products up-to-date, you are protected from Flame infections. More specifically, if you’re a WatchGuard customer, our XCS and XTM appliances will protect you from the Flame worm. We partner with both Kaspersky and AVG to deliver Gateway Antivirus to these appliances, and both our partners have signatures to detect Flame.

From a security industry perspective, Flame is a very interesting malware sample. It leverages more advanced attack techniques than typical malware and likely comes from a nation-state attacker, which is why it has garnered so much media attention. However, Flame is probably not going to directly affect normal organizations. If you’ve been worried about this headline-grabbing worm, you can probably stop. Even if this targeted attack started affecting organizations outside the Middle East, WatchGuard and Antivirus products have you covered. —Corey Nachreiner, CISSP (@SecAdept)