News

WatchGuard Security Week in Review: Episode 5

February 17, 2012 in News Comments off

February 17, 2012
by Corey Nachreiner 0 Comments

Lots of Patches, Big Nortel Breach, and More Anonymous Shenanigans

Are you ready for another week of software updates, Enterprise breaches, and hacktivist cyber-riots? If so, this week’s episode of WatchGuard Security Week in Review is hot off the NLE system. Watch it below, and tell us what you think in the comments section.

As usual, if you’d rather read then look at my ugly mug, see the Reference section below for links to all these stories. (Video Runtime: 8:50)

NOTE: Due to a rendering problem, the intro music is missing from this video. We will upload a corrected version shortly.

 

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Source: WatchGuard Security Alerts

Adobe Flash Update Plugs Zero Day XSS Hole and Others

February 16, 2012 in News Comments off

Summary:

  • This vulnerability affects: Adobe Flash Player 11.1.102.55 and earlier, running on all platforms. This also affects the Android version of Flash.
  • How an attacker exploits it: By enticing your users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Though Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including some mobiles like Android.

In a security bulletin released yesterday, Adobe warned of seven vulnerabilities (based on CVE numbers) that affect Adobe Flash Player 11.1.102.55 and earlier running on all platforms (including Android). Adobe’s bulletin doesn’t describe the flaws in much detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit many of these unspecified vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

Adobe also warns that attackers are exploiting one of these flaws, a zero day XSS vulnerability, in the wild. If you use Adobe Flash Player in your network, we recommend you download and deploy the latest version throughout your network immediately to mitigate the risk of this current attack.

Solution Path

Adobe has released new versions of Flash Player (11.1.102.62 for computers and 11.1.11x.x for Androids) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately:

  • Download Flash Player for your computer [any platform]:

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify various Flash files:

File Extension:

  • .flv –  Adobe Flash file  (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p - Protected Flash video file
  • .f4a – Flash audio  file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

  • Hex FLV: 46 4C 56 01
  • ASCII FLV: FLV
  • Hex FLA:  D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives) 

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Source: WatchGuard Security Alerts

Grab Adobe’s Shockwave Update to Avoid Web-based Attacks

February 15, 2012 in News Comments off

Summary:

  • This vulnerability affects: Adobe Shockwave Player 11.6.3.633 and earlier, running on Windows and Macintosh computers
  • How an attacker exploits it: By enticing your users into visiting a website containing a malicious Shockwave content
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (11.6.4.634) of Adobe Shockwave Player as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on hundreds of millions of PCs.

In a security bulletin released late Tuesday, Adobe warned of nine critical vulnerabilities that affect Adobe Shockwave Player 11.6.3.633 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail. For the most part, the flaws consist of memory related vulnerabilities, including heap buffer overflows and other memory corruption flaws. Though the flaws differ technically, they all share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version as soon as you can.

Solution Path

Adobe has released Shockwave Player version 11.6.4.634 to fix these security flaws. If you use Adobe Shockwave in your network, we recommend you download and deploy the updated player as soon as possible. You can get it from the link below.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Shockwave content. Keep in mind, doing so blocks all Shockwave content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Shockwave files:

File Extension:

  • .swf –  Adobe Shockwave files

MIME types:

  • application/x-shockwave-flash
  • application/x-shockwave-flash2-preview
  • application/futuresplash
  • image/vnd.rn-realflash

FILExt.com reported Magic Byte Pattern:

  • Hex: 46 57 53

(We believe this pattern is too short, thus prone to false positives. We don’t recommend you use it) 

If you decide you want to block Shockwave files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

Source: WatchGuard Security Alerts

wordpress