All Posts

33 posts

August 2019 Patch Tuesday – 93 Vulns, 29 Critical, 7 Remote Desktop Vulns, Hyper-V, DHCP, Adobe vulns

Update Aug 13, 2019: Detect and Patch Windows Remote Desktop Vulnerabilities

This month’s Microsoft Patch Tuesday addresses 93 vulnerabilities with 29 of them labeled as Critical. Of the 29 Critical vulns, 10 are for scripting engines and browsers, 6 for Windows Graphics/Font Library, and 4 are for Office apps. In addition, Microsoft has patched 4 (!) Critical RCEs in Remote Desktop (plus 3 Important), 2 for Hyper-V, 2 in DHCP Client/Server, and one for LNK files. Adobe has also released a large number of patches covering multiple products.


Windows RDP Remote Code Execution Vulnerability (BlueKeep) – How to Detect and Patch

This month’s Microsoft Patch Tuesday included a very high-risk vulnerability (CVE-2019-0708, aka BlueKeep) in Remote Desktop that impacts Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008 R2. This vulnerability allows an unauthenticated attacker (or malware) to execute code on the vulnerable system. It is very likely that PoC code will be published soon, and this may result in a WannaCry-style attack.

Microsoft has not only released patches for Windows 7, Server 2008 & R2, but also has taken the extra step to issue patches for Windows XP and Server 2003. Patch now!

UPDATE: Network Level Authentication (NLA) partially mitigates this vulnerability. QID 90788 (Microsoft Windows Network Level Authentication Disabled) can be used to find hosts that have NLA disabled. This forces the attacker to have valid credentials in order to perform RCE.

UPDATE: A new remote (unauthenticated) check was released under QID 91541. See below for details.
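The NLA check described above, as an added PowerShell example that is not code from the original post or from Qualys: it reports whether the local host has Remote Desktop enabled without Network Level Authentication (the condition QID 90788 flags) and can enforce NLA by writing the same registry values the Remote Desktop settings dialog writes. It assumes an elevated session on Windows Vista / Server 2008 or later (XP and Server 2003 have no NLA setting), and it is a mitigation check only, not a substitute for the CVE-2019-0708 patch.

```powershell
# Added example, not from the original post: check and enforce RDP Network Level
# Authentication on the local host. Assumes an elevated session on Windows Vista /
# Server 2008 or later.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpNlaStatus {
    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means a CredSSP logon is required before the session is created
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $rdpEnabled = ($deny -eq 0)
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = ($nla -eq 1)
        # RDP reachable with no NLA: an unauthenticated client reaches the pre-auth code path
        Exposed      = ($rdpEnabled -and ($nla -ne 1))
    }
}

function Enable-RdpNla {
    # Same values the "Allow connections only from computers running Remote Desktop
    # with Network Level Authentication" option writes; SecurityLayer 2 = TLS only.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2 -Type DWord
}

$status = Get-RdpNlaStatus
$status | Format-List
if ($status.Exposed) {
    Write-Warning 'RDP is enabled without NLA; run Enable-RdpNla (clients must support CredSSP).'
}
```

Run Get-RdpNlaStatus across a fleet (for example through Invoke-Command) to get the same picture the unauthenticated scan gives from the outside; hosts that report Exposed = True should be patched first, and NLA should be enabled on them afterwards so that a future pre-authentication bug again requires valid credentials.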


SSL: Deceptively Simple, Yet Hard to Implement

An Interview with SSL Expert and SSL Labs Founder Ivan Ristić

Even though SSL/TLS is critical for the privacy, integrity, and security of internet communications, the protocol is implemented in an optimal way in only a small percentage of web servers, meaning that most websites and web apps aren’t as secure as they could be.

It doesn’t have to be that way, which is why Ivan Ristić, a security researcher, engineer, and author known for his expertise on various aspects of InfoSec, has spent years contributing to the field of SSL/TLS.

He launched SSLLabs.com in 2009 to provide SSL/TLS tools, research and documentation, brought it with him when he joined Qualys in 2010, and ran it until mid-2016, when he became an advisor. Under his leadership, SSLLabs.com became a de-facto standard for secure server assessment and the go-to site for organizations looking for help improving their SSL/TLS configurations.

Ristić also wrote an entire book about the topic titled “Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications.” We recently had a chance to catch up with Ivan and pick his brain about SSL/TLS challenges, best practices and trends. Here’s what he told us.


Adobe Reader 0-day – Update 3 – patched

Update 3:
Today, February 20, Adobe released the patch APSB13-07 for Adobe Reader and Acrobat. It addresses 2 CVEs (CVE-2013-0640, CVE-2013-0641) and should be rolled out immediately due to the attacks in the wild. Excellent turn-around time by Adobe.

Update 2:
Adobe announced a patch for Adobe Reader and Acrobat for next week, the week of February 18.


Update:
Users of the newest version of Adobe Reader, XI, can enable "Protected View" to mitigate the attack by going to Preferences, Security (Enhanced). Protected View opens the file in an additional sandbox that disables most Adobe Reader XI advanced features, but should be sufficient to read normal PDF documents.


Original:
Adobe has acknowledged reports of a new 0-day for its Adobe Acrobat and Adobe Reader line. According to the initial report by the FireEye researchers who detected the attack, all currently supported versions (9, 10 and 11) are affected.

There is currently no information on workarounds available, short of not using PDF documents. Stay tuned for more updates.

February 2013 Patch Tuesday Preview

Today Microsoft published its Advance Notice for this month’s Patch Tuesday. But more importantly Adobe released out-of-band a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild on both Windows and Mac OS X. Update your Flash installations as quickly as possible – Users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.

Now back to Microsoft itself. We are looking at a little bit heavier Patch Tuesday with 12 bulletins that will address a total of 57 vulnerabilities. Five of the bulletins have a severity of critical, including bulletin 1 and bulletin 2, which both address Internet Explorer vulnerabilities affecting all versions of IE from 6 – 10, including on Windows RT running on the Surface tablet. Bulletin 3 is a critical Operating System level bulletin for Windows XP, 2003 and Vista, whereas users of the newer versions of Windows will not be affected. Bulletin 4 is the expected Patch to Microsoft Exchange, which uses the Outside-In software library from Oracle that contains critical vulnerabilities and that Oracle updated in last month’s Critical Patch Update (CPU). The last critical vulnerability is covered by Bulletin 12 and affects only Windows XP, so again, users of the newer versions of Windows will be spared from having to apply that patch.

The remaining bulletins are all rated important and are mostly "Local Elevation of Privilege" type vulnerabilities, meaning that one already has to be on the targeted computer to be able to attack them. One exception is Bulletin 5, which can be used for Remote Code Execution. It affects the FAST Search Server for SharePoint and it is also caused by Oracle’s update of the Outside In libraries, which Microsoft uses for document conversion processes.

August 2012 Patch Tuesday – Update

Update
Great explanation and technical detail on how to exploit MS12-052 through use-after-free with heapspray by Derek Soeder.

Original
On this month’s Patch Tuesday, Microsoft released nine bulletins addressing a total of 26 vulnerabilities. In addition, Adobe also released new versions of its Adobe Acrobat and Adobe Reader (APSB12-16), Shockwave (APSB12-17) and Flash (APSB12-18) products. Taken together, both workstation and server administrators will have their hands full.

All of the Adobe bulletins and five of the Microsoft bulletins are rated "critical" and at least the first four in our list deserve an even higher urgency due to their potential impact on workstations and servers:

  • MS12-060 fixes a vulnerability that is already being exploited in the wild. The vulnerability is located in the Windows Common Control and can be triggered through Office documents and through malicious web pages. The currently known attacks have been targeting Word and WordPad through RTF files attached to e-mail messages.
  • APSB12-18 is a fix for a single vulnerability in the Adobe Flash Player. According to Adobe the vulnerability is currently being used in targeted attacks. The known attack vector is a Word document with an embedded ActiveX Flash object.
  • MS12-054 addresses a flaw in the Remote Administration Protocol (RAP) of Windows Networking, that an attacker can use to spread quickly within enterprise networks. The attacker first needs to gain access to a machine on the network and then needs to share a resource (say a printer) with a specifically crafted name that encodes the exploit for the vulnerability. All Windows machines will periodically query the network for shared resources and automatically execute the exploit code contained in the resource name. The vulnerability allows Remote Code Execution only for Windows XP and 2003; if you are on a current version, you are not affected. Microsoft published a detailed post with more background information on the SRD blog.
  • MS12-058 patches the flaw in the Exchange Server disclosed three weeks ago in KB2737111. The popular Outlook Web Access (OWA) Exchange component uses a vulnerable module from Oracle’s Outside In product to perform document conversions. An attacker who can lure a user to look at a malicious document through OWA can gain access to the Exchange server at a low privilege level. The attacker would have to combine the exploit with a second exploit, a local privilege escalation to gain full control over the server. Again, Microsoft published more details on the SRD blog.
  • MS12-052 is a new version of Internet Explorer (IE) that addresses two critical vulnerabilities. All versions of IE from 6 to 9 are affected. Web browsing is one of the most common attack entry points and this new version should be included in the initial patch rollout. Remember that Microsoft in July implemented an accelerated rollout cycle for IE, so from now on you can expect to get an update for IE every month rather than every other month.
  • MS12-053 is a fix for a Remote Desktop Protocol (RDP) vulnerability in Windows XP running Terminal Services. This is the third RDP vulnerability this year (MS12-020, MS12-04X) and we are hopeful that most organizations have been cataloging their externally exposed RDP services and will be able to patch this vulnerability as quickly as possible.

These five vulnerabilities together with the Adobe updates should be on your priority list of updates to evaluate and install where applicable. Also don’t forget that the vulnerable Oracle Outside In is used in other industry software packages; that will have to be patched eventually. For a list of software known to contain Outside In see the list at US CERT.

The remaining Microsoft bulletins are rated "important" and address a local privilege escalation vulnerability in Windows (MS12-055), a file format problem in the Visio DXF format (MS12-059), a problem in JavaScript on 64-bit machines (MS12-056) and a fix for the Office CGM graphics file format (MS12-057). They are lower priority and their installation can be postponed until a fitting maintenance window becomes available.

For a more technical background on the Adobe Reader vulnerabilities, take a look at the blog post by Mateusz Jurczyk and Gynvael Coldwind.

Reminder – DNS Changer Deadline Looming

We blogged about the DNS Changer malware in January, but there are only a couple of days left until July 9th, when the DNS Changer Working Group will stop operating the DNS servers used by the DNS Changer malware. According to the latest stats there are still 300,000 machines infected. These machines will lose Internet access once the servers are shut down.

I know that you as professionals and readers of this blog are most likely not in the affected group, but you are probably the IT resource for many of your friends and relatives, so please remind them one more time that BrowserCheck is an easy way to find out whether one is infected. In case of infection have them head over to the Fix page of DNS Changer Working Group. Please make sure that they turn on "System Checks" as the DNS Changer Malware detection is grouped with the other system level checks, such as AV, Updates and Firewalls.

Fast Updating: the Best Way to Defend Against Java Attacks

This week Brian Krebs posted some important news – according to his sources, the BlackHole exploit kit has been equipped with an exploit for the Java vulnerability CVE-2012-0570, patched a mere month ago on Feb. 14 by Oracle. BlackHole is a widely disseminated exploit kit, commercially available in the underground. It allows interested groups with basic computer knowledge to set up an operation that attacks target machines through their web browsers by hosting malicious web sites. Used in conjunction with a malware kit such as Zeus or SpyEye, these groups can build botnets that can then be used to harvest personal information for sale, rented out for spam or DDoS operations, or handed over to pay-per-install operators.

The quality of the exploit kit plays an important role in such a setup, as it concentrates the rather sophisticated attack knowledge. The kit has to select the correct exploit based on the user’s configuration and the detected vulnerabilities. Most included exploits focus on older and well-known vulnerabilities (such as CVE-2010-1885 in Internet Explorer or CVE-2011-2110 in Adobe Flash), because they are the most stable and well-researched. A well-maintained target machine can usually not be penetrated with one of these off-the-shelf toolkits, as all software components are at the latest level. However, Java is difficult to update, and the addition of an exploit for such a new Java vulnerability sharply increases the risk of attack for the Internet population at large.

Our recommendation: update your Java installation to the latest version available. There are a number of tools available to help you to find out the version of Java you are running, including Oracle’s own version checker. I recommend our own tool, BrowserCheck. Just point your browser to https://browsercheck.qualys.com and get a precise diagnostic on the state of your browser and its plugins, including Java and other attacker favorites such as Adobe Flash and Adobe Reader.

If you cannot update Java (or you want to make your machine or the ones that you are responsible for more resilient to future attacks), there is a configuration setting in Windows that can be used to limit Java to a few selected and trusted sites. This requires a simple modification of the Windows Registry: setting the value 1C00 (the "Java permissions" URL action) to 0 in Zone 3, the Internet zone (subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3), which prohibits Java from running on any site in the Internet zone.

Sites that need Java can be whitelisted under Internet Options/Security/Trusted Sites. This works across all versions of IE and is non-overridable. Google Chrome has a similar mechanism, but I like the Internet Explorer approach better than Google’s implementation, which prompts the user for a decision on whether to run the plugin. Unfortunately most users will opt in just to get rid of the prompt and continue to load the site, which has the potential to increase their security exposure.
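The registry change and the Trusted Sites whitelist described above, as an added PowerShell example that is not code from the original post: it reads and sets the Java permission (URL action 1C00) for the Internet zone and maps one host into the Trusted Sites zone (zone id 2) through the ZoneMap\Domains keys that the Internet Options dialog writes. The host name intranet.example.com is a placeholder. The script changes the per-user keys only; the non-overridable variant is the same settings pushed under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings via Group Policy.

```powershell
# Added example, not from the original post: disable Java in the Internet zone
# (URL action 1C00 = "Java permissions") and whitelist one site in Trusted Sites.
# Assumptions: run as the affected user; 'intranet.example.com' is a placeholder.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$JavaPermissions = '1C00'
$InternetZone = 3   # zone ids: 0 local machine, 1 local intranet, 2 trusted sites, 3 internet, 4 restricted
$TrustedZone  = 2

# 1C00 values: 0 = disable Java, 0x10000 = high safety, 0x20000 = medium safety, 0x30000 = low safety
function Get-JavaPermission([int]$Zone) {
    $key = Join-Path $zonesKey $Zone
    $v = Get-ItemProperty -Path $key -Name $JavaPermissions -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }   # value absent: IE falls back to the zone default
    return $v.$JavaPermissions
}

function Disable-JavaInZone([int]$Zone) {
    $key = Join-Path $zonesKey $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $JavaPermissions -Value 0 -Type DWord
}

function Add-TrustedSite([string]$Domain, [string]$Scheme = 'https') {
    # One subkey per host under ZoneMap\Domains; a DWORD named after the URL scheme
    # holds the zone id the host is mapped to (2 = Trusted Sites).
    $key = Join-Path $domainsKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $TrustedZone -Type DWord
}

$before = Get-JavaPermission $InternetZone
Disable-JavaInZone $InternetZone
Add-TrustedSite -Domain 'intranet.example.com'   # placeholder host, not from the original post
$after = Get-JavaPermission $InternetZone
"Internet zone Java permission: before={0} after=0x{1:X}" -f $before, $after
```

Whitelist hosts by exact name and with the https scheme only, so that a plain-http page on the same name does not inherit the Trusted Sites relaxation; and check that the Trusted Sites zone (Zones\2) still permits Java, since a 1C00 value of 0 there would lock the whitelisted sites out as well.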

Verizon Breach Report – New and Old Takeaways

Verizon released yesterday its 2012 Data Breach Investigations Report (DBIR), full of interesting data. For the first time, Verizon distinguished between small and large organizations in the data and we see a clear difference in the maturity of their security implementations. That distinction alone offers quite a number of hints on where to focus our attention as security professionals.

The main lessons for security professionals from this report: 1) the overall results represent a continuation on the trends from the reports of previous years; and 2) many of the problems documented are within the security industry’s ability to address – for both smaller and larger organizations. That’s really good news.

Here’s a recap of what I consider to be the most important findings for security professionals:

  • 97 percent of breaches (96 percent for both preceding years) could have been avoided with simple controls.
  • The types of beneficial controls cover the same areas for both small and larger organizations, but vary in their details.
  • Small organizations' biggest issues are default passwords on their remote access applications (think RDP, VNC, pcAnywhere).
  • Large organizations seem to have overcome the default password problem on their remote access applications but are faced with stolen login credentials and brute forcing.
  • Both small and large organizations are victims of malware that criminals install to maintain access to the breached network and to send the stolen data to their servers. In small organizations, the malware is installed largely by hand, whereas large organizations face more advanced infection mechanisms: close to 50 percent were infected through e-mail attachments, drive-by-downloads and web-borne malware.

Fortunately, we have the technical solutions available today for both small and large organizations to resolve all of these issues. The challenge to the solution often lies in the lack of knowledge, rather than complexity or cost. As a security community, it’s up to all of us to make successful implementations more visible and effectively promote the architects and operators who are doing it right. For an example see the work done at the US Department of State in recent years.

You can find the full DBIR report here.

Current pcAnywhere Security Issues

Last week Symantec published a whitepaper "pcAnywhere Security Recommendations" which recommended increased security measures to all users who are managing pcAnywhere installations. The whitepaper was prompted by the recent disclosure of Symantec source code announced by the hacker group "Lords of Dharmaraja" affiliated with Anonymous, and it points out the increased risk associated with pcAnywhere given that attackers can now search the source code for flaws.

Somewhat surprisingly, the whitepaper’s first recommendation is to uninstall the product, of course only if it is not absolutely required. Personally I am a big fan of uninstalling unnecessary software, and it is always sound advice to minimize one’s software footprint and related attack surface. If uninstalling pcAnywhere is not a viable option, Symantec recommends a number of additional security configurations, including moving Internet-exposed pcAnywhere installations behind a VPN gateway, blocking the standard pcAnywhere ports 5631 and 5632 on the firewall, and disabling the auto-start of pcAnywhere.
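The port-blocking and auto-start recommendations above, as an added PowerShell example that is not code from Symantec’s whitepaper or the original post: it finds local listeners on the default pcAnywhere ports, adds inbound host-firewall block rules for them, and disables the host service. It assumes an elevated session on Vista / Server 2008 or later (for netsh advfirewall); the service name awhost32 is an assumption about the pcAnywhere host service, so confirm it with Get-Service before relying on it.

```powershell
# Added example, not from the Symantec whitepaper or the original post: find
# pcAnywhere listeners, block its default ports inbound, and stop the host
# service from auto-starting. Assumes an elevated session; the service name
# 'awhost32' is an assumption, verify it with Get-Service first.

$pcaPorts = 5631, 5632   # 5631/TCP data channel, 5632/UDP status channel (defaults)

function Get-PcAnywhereListeners {
    # Parse netstat rather than Get-NetTCPConnection so this also works on older hosts
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        # columns: Proto LocalAddress ForeignAddress [State] PID
        if ($f.Count -ge 4 -and $f[0] -match '^(TCP|UDP)$') {
            $port = [int](($f[1] -split ':')[-1])
            if ($pcaPorts -contains $port) {
                [pscustomobject]@{ Proto = $f[0]; LocalAddress = $f[1]; ProcessId = $f[-1] }
            }
        }
    }
}

function Block-PcAnywherePorts {
    # Inbound block rules on the host firewall; the perimeter firewall still needs the same rule
    netsh advfirewall firewall add rule name="Block pcAnywhere 5631/TCP" dir=in action=block protocol=TCP localport=5631 | Out-Null
    netsh advfirewall firewall add rule name="Block pcAnywhere 5632/UDP" dir=in action=block protocol=UDP localport=5632 | Out-Null
}

function Disable-PcAnywhereAutostart {
    $svc = Get-Service -Name awhost32 -ErrorAction SilentlyContinue   # assumed service name
    if ($svc) {
        Stop-Service -Name $svc.Name -Force
        Set-Service  -Name $svc.Name -StartupType Disabled
    }
}

$listeners = @(Get-PcAnywhereListeners)
if ($listeners.Count -gt 0) {
    $listeners | Format-Table -AutoSize
    Block-PcAnywherePorts
    Disable-PcAnywhereAutostart
} else {
    Write-Host 'No pcAnywhere listeners found on the default ports.'
}
```

Blocking the default ports only helps against installations that use them; a host configured to listen elsewhere is still reachable, which is why the whitepaper’s VPN recommendation, and an inventory of remote-access services as described below, matter more than the port rule itself.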

Last week Symantec also released patches for the currently supported versions 12.5, 12.0.x and 12.1.x in advisory SYM12-02. The patches address CVE-2011-3478, a remote code execution vulnerability with CVSS base score of 8.3 and CVE-2011-3479, a local file tampering vulnerability with CVSS base score of 6.8.

We recommend installing these patches as quickly as possible if you have pcAnywhere installed.

QualysGuard users can scan for Qualys ID 119873 for pcAnywhere installations that lack the latest patch, or use Qualys ID 38448 to find all pcAnywhere instances in their networks. Alternatively you can also use Qualys ID 42017 to scan for remote access in general and gain a complete understanding of all remote access applications, which is very helpful in these type of situations.