Paul Henry

In the first Patch Tuesday of 2012, Microsoft has addressed 1 critical issue and 6 important. It’s interesting to note that despite all of the media hype over “The Beast”, attacks have simply never materialized and the issue has retained its “Important” classification from Microsoft. Overall, we saw a reduction in the number of critical issues from Microsoft in 2011. To that end, we can anticipate Microsoft will bolster defense-in-depth efforts and will likely increase the numbers of important issues like privilege escalation.

Looking at the details:

MS12-004
Critical – Corrects a Media Player issue with remote code execution probability

MS12-001
Important – Corrects a Windows Kernel issue

MS12-002
Important – Corrects an Object Packager issue

MS12-003
Important – Corrects a CSRSS issue

MS12-005
Important – Corrects a .Net issue

MS12-006
Important – Slays the Beast by correcting the underlying related SSL/TLS issue

MS12-007
Important – Anti-XSS fix

This Patch Tuesday also saw the first use of a new security classification, Security Feature Bypass (SBF). This classification includes exploits that are not directly accessible themselves but could be used to facilitate an attack using another vulnerability (such as turning off UAC, DEP or ASLR before running another exploit). This first SBF patch enhances Microsoft’s SEHOP, or Structured Exception Handler Overwrite Protection to add additional defense-in-depth.

Priorities

For users with web facing assets using .Net / ASP who have not already installed the Out Of Band Patch released over the December holidays – this is your largest priority. Proof –of-concept code for the exploit is now circulating on the public Internet. Second on your priority list should be the Critical Media Player bulletin followed by the remaining important bulletins released today.

Other Patch Tuesday considerations this period

Adobe:
Outside of Microsoft, Adobe has released updates for Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh to resolve critical security issues.

Google Chrome:
Google has pushed out a browser update to fix at least three serious security vulnerabilities in its Chrome browser.

Oracle:
We expect Oracle to do their regular quarterly patch release on January 17.

Open SSL:
Versions 1.0.0f and 0.9.8s of the popular OpenSSL library, released this week, addresses six security flaws, including one that allows DTLS (Datagram Transport Layer Security) communications to be decrypted.

WiFi Issue:
Millions of WiFi Routers are vulnerable to a new attack. Belkin, Buffalo, D-Link, Cisco’s Linksys and Netgear WiFi Routers have been found to be vulnerable to a brute force attacks which can crack the Wi-Fi router’s security in as little as two to ten hours.

QR Codes:
Looking forward into 2012, all the stars are falling in to alignment to make the growing popularity of QR codes a catalyst to dramatically increase drive-by hacking events. Read our blog Post “QR Codes – Leading Lambs To The Slaughter”.

{ Comments on this entry are closed }

In the simplest of terms a QR code (or Quick Response code) is a two dimensional barcode that can contain up to 4,296 alphanumeric characters. A great marketing tool, QR codes drive prospective customers to a website and interestingly, they can be placed virtually anywhere. Their popularity has of course exploded – one recent study showed that in June of 2011 over 14 million Americans scanned QR Codes with their mobile phone.

But what about the inherent risk of a QR code?

QR codes take URL obfuscation to the next level – the large amount of data they can contain as well as their ability to contain binary data opens a new frontier in URL obfuscation for the bad guys.

Obfuscation of a URL is nothing new – back in 2007 according to Gartner, “URL filtering suffers a fundamental flaw to be an effective security filter: It does not monitor threats in real time.” URL filtering products at that time were missing over 30% of malware-laden websites. Current generation browser URL filtering capabilities with reputation databases and heuristics for the performance of URL filters has markedly improved. However at best the leader still only provides 90% effectiveness and some products still afford a dismal 13% effectiveness.

We have been losing the battle of obfuscated URLs for over a decade and QR codes are yet another tool in the bad guys seemingly unlimited obfuscation arsenal. 

But wait, your not scanning QR codes with your desktop PC and its well equipped browser, you’re using your mobile device. Unless you have purposely added a third party product, in all likelihood its browser has no URL filtering capability at all.

Talk about bad timing:

•  Malicious URLs are at all time highs – from Q2 2011 to Q4 2011 they are up an additional 89%
• QR scanning growth is exploding – the Mobile Barcode Trend Report provides interesting statics:
  o Active users of QR codes is up 525%
  o Average number of scans per code is up 39%
• Mobile Marketer reports QR code scanning is up 4,549%
•  It’s easy for anyone to create a QR code with any kind of content
•  Mobile devices such as iPhones and Androids out of the box are poorly equipped to deal with filtering QR codes and their underlying URLs
•  Malicious QR codes are already in use and are making money for the bad guys. It is a certainty that the use of malicious QR codes will expand.

As the use of QR codes gains critical mass, the inherent risks must be addressed sooner than later. Where to begin?

• Educate users to the risks of malicious QR code scanning – most people don’t think twice about it,
• Only use QR code readers that allow the user to confirm any action taken by scanning a QR code and,
• Equip your mobile devices with URL filtering as a second layer of security

{ Comments on this entry are closed }

Think the 12 Days of Christmas jingle:
On this Patch Tuesday before Christmas ….. Microsoft Gave to me ….. 3 critical patches… 10 important ones…and a patch for the Duqu vulnerability…

We initially expected 14 bulletins for this December Patch Tuesday however the much awaited fix for “The Beast” SSL issue was not released today after all. Given the extensive regression testing Microsoft does across various configurations, my assumption is that additional testing is likely required for an issues as complex as this.

Microsoft ended the year with 13 December bulletins and fortunately for all of us, that includes the much needed Duqu patch.

While at first glance 13 bulletins may seem like a large number, only 3 are critical. And while  IT teams will see a needed break on Microsoft vulnerabilities this month, concerns over other, third-party applications should keep them busy through the end of the year.

December Patch Tuesday details:

• 6 Windows vulnerabilities
• 1 IE vulnerability
• 5 Office vulnerabilities
• 1 Windows Media Player vulnerability

2011 in review

Considering the previous years of Microsoft patches this is not a bad way to end the year.  Microsoft released 17 bulletins on the 2010 December Patch Tuesday. In total, 2011 saw 99 bulletins – down from 2010 when we saw 106.  Clearly Microsoft has dramatically improved its software processes and this is reflected in the continued decline of vulnerabilities considered critical in the current codebase. The numbers speak volumes on the improvements from Microsoft – in 2006 70% of security patches were critical and in 2011 critical vulnerabilities fell to just 30%. In an otherwise volatile threat landscape, this is good news for everyone.

Outside of Microsoft, IT staff is dealing with the Zero Day Adobe vulnerability as previously discussed on the Lumension Blog.  Adobe is only releasing a patch for the Windows versions of the issue because that is the primary platform under attack. A fix for Unix and Mac users will not be available from Adobe until January 12, 2012.  In all, Adobe released 121 bulletins this year, also down from last year.

Another trend worth mentioning is the increased use of Java as an emerging leading threat vector. As with the Adobe issues of the past few years, hackers are taking advantage of users’ failure to patch out dated versions. A recent article in Dark Reading noted that “… since the third quarter of 2010, Microsoft has detected or blocked some 6.9 million exploit attempts on Java each quarter, with a total of 27.5 million attempted exploits during that 12-month period”. 

Critical

MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

MS11-090
Cumulative Security Update for ActiveX Kill Bits

MS11-092
Vulnerability in Windows Media Could Allow Remote Code Execution

Important

MS11-088
Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege
MS11-089
Vulnerabilities in Microsoft Office could allow for Remote Code Execution

MS11-091
Vulnerabilities in Microsoft Publisher could allow Remote Code Execution

MS11-093
Vulnerability in Microsoft Windows OLE32 Could Allow Remote Code Execution
MS11-094
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution
MS11-095
Vulnerability in Active Directory Could Allow Remote Code Execution
MS11-096
Vulnerability in Microsoft Excel Could Allow Remote Code Execution
MS11-097
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege
MS11-098
Vulnerability in Windows Kernel Could Allow Elevation of Privilege
MS11-099
Cumulative Security Update for Internet Explorer

{ Comments on this entry are closed }

Paul Henry, Security and Forensics Analyst for Lumension, discusses the impact of the December 2011 Patch Tuesday releases.

{ Comments on this entry are closed }

Yet another dangerous Adobe Zero Day in the wild

Adobe has posted a Security Advisory for a Day Zero vulnerability that is currently actively targeting Adobe Reader 9.4.6 on the Windows platform. According to the advisory, the vulnerability (CVE-2011-2462) will be addressed first on the current target platform the week of December 12 and, because the risk is lower for Unix and Mac users, a patch will not be released there until the regularly scheduled patch cycle on January 12, 2012.

This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. Adobe further advises users who are still running Adobe Reader or Acrobat 9 and older versions to upgrade to Adobe Reader or AcrobatX, which is not impacted by the current issue.

As recent as 2009, Adopbe earned the title of “most hacked software of the year” when malicious PDF files accounted for more than 80% of all exploits for the year. Be on guard this holiday season – PDF files have long been a popular vehicle to transport obfuscated malware in Spear Phishing Attacks and this vulnerability makes that task even easier.

In light of the never ending stream of issues with Adobe Reader and Acrobat, users may want to consider achieving a little “security by obscurity” with any one of more than a dozen Adobe alternates for PC and Mobile platforms, such as:

Sumatra PDF
Foxit Reader
Cool PDF Reader
Nitro Reader
PDF-XChange Viewer
Skim
Quick PDF
Gnostice (multiple PDF tools)
eXpert PDF Reader
Evince
Okular
STDU Viewer
GoodReader
Chrome PDF Viewer Plug-In
ePDFView
Perfect PDF Reader

{ Comments on this entry are closed }

Back in April, I wrote 2011 had the potential to be a really bad year for securing our networks. I was right and I’m not happy about it.

From ever-growing numbers of malware to an evolving endpoint environment that now includes countless mobile devices, IT security has never been more challenging. And important. Here are what I believe will be key issues in 2012.

More Malware

From a vulnerability perspective we will see more of the same.  In fact, McAfee’s Q3 report forecasts 75 million malware samples in 2011. IT continues to focus on primary applications and they don’t patch third party applications or browser add-ons. It is no wonder this remains our primary threat vector.

While many APT incidents to-date have relied upon unsophisticated attack tools, there is a clear advantage for our foes in the use of DLL Injection malware. Expect its use to grow in 2012. Our ability to respond with traditional incident response techniques also leaves us exposed as the malware never touches the hard drive.

BYOD Security Mis-steps

Enterprises will increasingly rely on Bring Your Own Device (BYOD) yet the improved productivity and efficiencies that makes mobility a hot trend will also come with little, if any, regard to security. Simultaneously, Google’s Android OS will un-seat Apple as the pre-dominate Mobile OS. Together, these two trends create a perfect storm for hackers.  Unlike Apple, the Android market place does not screen applications for security. Juniper recently reported that Android Malware saw a 472% increase since July.

If enterprises continue to focus their security efforts on the gateway, they are leaving endpoints and mobile devices as low hanging fruit for the bad guys.

Slow Adoption of Virtualization

The move to virtualization is slowing but risks are increasing partly due to the lack of security offerings that can apply policy within a private and public cloud environment. While the shift to virtualization offered the promise to correct security mistakes made in the early physical computing days, it looks like we will continue to make the same mistakes and take shortcuts with the basics. Meaning – there are no allowances in a virtual environment for configuration management and server hardening, there continues to be a narrow (at best) focus on flaw remediation, signature based defenses continue to disappoint and we still have misplaced reliance on gateway / perimeter defenses.

Loss of Trust in SSL Ecosystem

Our entire SSL ecosystem is in critical need of overhaul. This became painfully apparent after the 2011 failure of Dutch certificate authority DigiNotar after millions of users were exposed to the threat of Man-In-The-Middle attacks. We will see more people question just how much trust can be afforded to SSL – further undermined with the issues discovered in websites using SSL version 3 and TLS version 1.0 and earlier. New tools have even been released that are capable of decrypting and obtaining the authentication tokens and cookies used in many websites’ HTTPS requests.

IPV6

Many governments – the U.S. included – target 2012 for IPV6 implementation. This will become a problem as few security products actually fully support IPV6 and worse yet many are using technologies to encapsulate IPV6 on top of IPV4. Given this, 2012 could be the dawn of IPV6 malware poised to take advantage of this clear weakness.

I’d like to think 2012 is the year we get serious about security. But time will tell.

{ Comments on this entry are closed }

There may be a Black Friday this month, but there’s also a happy Tuesday from Microsoft with just 4 bulletins this period. Only one of the bulletins is critical; however its exploitability rating is only a 3 and Microsoft suggests it is not likely this patch will be used. The additional patches include 2 important and 1 moderate. All 4 patches will impact Windows platforms and will require a reboot.
 

Details:

MS11-083 Vulnerability in TCP/IP Could Allow Remote Code Execution
Critical - Remote Code Execution

MS11-084 Vulnerability in Microsoft Windows Could Allow Remote Code Execution
Important - Remote Code Execution

MS11-085 Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution
Important - Remote Code Execution

MS11-086 Vulnerability in Active Directory Could Allow Elevation of Privilege
Important - Elevation of Privilege

Of course, the real question on everyone’s mind is Duqu (or the son of Stuxnet). While many dispute the threat imposed by this malware, no one disputes the risk of the Day Zero Vulnerability in Microsoft software that it takes advantage of. The vulnerability is exploited through a malicious Word document – when the user opens the document, a Zero Day Kernel Vulnerability is taken advantage of to execute malicious code. Microsoft did not issue a patch this cycle but has released a temporary fix using their “Fix It” solution http://support.microsoft.com/kb/2639658#FixItForMe

All in all, it seems the primary threat vector of late is browser and third party add-ons. A recent report noted that malicious domains have increased by 89% year over year. Simply put, hackers recognize that users simply do not patch their third party add-ons and as always, they capitalize on that weakness to compromise our environments.

 Social media continues to be a risk to the enterprise as well. After insisting there was no concern, Facebook reportedly corrected an issue that allowed a user to send another user an executable attachment using message capability. This created an easy platform for launching Spear Phishing attacks.
 
In addition, an issue in WordPress may have compromised up to one million blogs. A problem in the popular tool TimThumb, that when used in WordPress blogs to access photo sites, can cause users to be redirected to malicious websites.
 
And let’s not forget the cloud. Security issues continue to cause problems this Patch Tuesday period. Thankfully, Amazon is on top of it and corrected an issue that could allow hackers to hijack Amazon customer accounts.
 

{ Comments on this entry are closed }

Paul Henry, Security and Forensics Analyst for Lumension, discusses the impact of the November 2011 Patch Tuesday releases.

{ Comments on this entry are closed }