Qualys Blog

www.qualys.com
57 posts

SSL: Deceptively Simple, Yet Hard to Implement

An Interview with SSL Expert and SSL Labs Founder Ivan Ristić

Even though SSL/TLS is critiivan-risticcal for the privacy, integrity, and security of internet communications, the protocol is implemented in an optimal way in only a small percentage of web servers, meaning that most websites and web apps aren’t as secure as they could be.

It doesn’t have to be that way, which is why Ivan Ristić, a security researcher, engineer, and author known for his expertise on various aspects of InfoSec, has spent years contributing to the field of SSL/TLS.

He launched SSLLabs.com in 2009 to provide SSL/TLS tools, research and documentation, brought it with him when he joined Qualys in 2010, and ran it until mid-2016, when he became an advisor. Under his leadership, SSLLabs.com became a de-facto standard for secure server assessment and the go-to site for organizations looking for help improving their SSL/TLS configurations.

Ristić also wrote an entire book about the topic titled “Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications.” We recently had a chance to catch up with Ivan and pick his brain about SSL/TLS challenges, best practices and trends. Here’s what he told us.

Continue reading …

New Adobe Flash Addresses Attacks on Firefox

Adobe released a new version of their Flash player fixing three vulnerabilities. The new version should be installed as soon as possible, as Adobe is aware on attacks occurring in the wild against two of the vulnerabilities. Interestingly Adobe found these attack to be directed against Firefox and bypassing the Firefox Sandbox:

"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target Flash Player in Firefox."
We recommend updating your installation of Flash as soon as possible even if you are not using  Mozilla’s Firefox browser.
Microsoft has updated KB2755801 for Internet Explorer 10 (IE10) which indicates that IE10 users are getting a new version of the browser as well. On Tuesday Microsoft had made IE10 available to all Windows 7 users as an optional download, bringing enhanced speed and security to Windows 7.
Adobe states that Google Chrome users will also see automatic updates to their browser:
"Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux."
but I have not seen the update come out yet. Stay tuned – we will update the post as soon as we hear news on Chrome.

Adobe Reader 0-day – Update 3 – patched

Update 3:
Today, February 20, Adobe released the patch APSB13-07 for Adobe Reader and Acrobat. It addresses 2 CVEs (CVE-2013-0640, CVE-2013-0641) and should be rolled out immediately due to the attacks in the wild. Excellent turn-around time by Adobe.

Update 2:
Adobe announced a patch for Adobe Reader and Acrobat for next week, the week of February 18.

Update:
Users of the newest version of Adobe Reader, XI can enable "Protected View" to mitigate the attack by going to Preferences, Security (Enhanced). Protected View opens the file in an additional Sandbox that disables most Adobe Reader XI advanced features, but should be sufficient to read normal PDF documents.

adobe_xi.png

Original:
Adobe has acknowledged reports of a new 0-day for its Adobe Acrobat and Adobe Reader line. According to the initial report by FireEye researchers that detected the attack all currently supported versions 9, 10 and 11 are affected.

There is currently no information on workarounds available, short of not using PDF documents. Stay tuned for more updates.

February 2013 Patch Tuesday Preview

Today Microsoft published its Advance Notice for this month’s Patch Tuesday. But more importantly Adobe released out-of-band a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild on both Windows and Mac OS X. Update your Flash installations as quickly as possible – Users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.

Now back to Microsoft itself. We are looking at a little bit heavier Patch Tuesday with 12 bulletins that will address a total of 57 vulnerabilities. Five of the bulletins have a severity of critical, including bulletin 1 and bulletin 2, which both address Internet Explorer vulnerabilities affecting all versions of IE from 6 – 10, including on Windows RT running on the Surface tablet. Bulletin 3 is a critical Operating System level bulletin for Windows XP, 2003 and Vista, whereas users of the newer versions of Windows will not be affected. Bulletin 4 is the expected Patch to Microsoft Exchange, which uses the Outside-In software library from Oracle that contains critical vulnerabilities and that Oracle updated in last month’s Critical Patch Update (CPU). The last critical vulnerability is covered by Bulletin 12 and affects only Windows XP, so again, users of the newer versions of Windows will be spared from having to apply that patch.

The remaining bulletins are all rated important and are mostly "Local Elevation of Privilege" type of vulnerabilities, meaning that one already has to be on the targeted computer to be able to attack them. One exception is Bulletin 5, which can be used for Remote Code Execution. It affects the FAST Indexing server for Sharepoint and it also caused by Oracle’s update of the Outside In libraries that are used by Microsoft for document conversion processes.

Oracle Critical Patch Update January 2013

Oracle has had two major updates in the last 2 days. On Sunday, Jan. 13 a new version of Java 7 was released that addresses the 0-day vulnerability that has been exploited in the wild. And today, the Oracle Critical Patch Update (CPU) came out that addresses all other Oracle products. Overall, the January 2013 CPU fixes over 80 vulnerabilities in 10 product groups.

With the number of products patched being substantial, it is important to have a good map of installed software and versions in your organization. As usual we recommend starting with exposed services first, this month lead by the MySQL patches. Fortunately in most installations Oracle’s core RDBMS will not be affected.

Here is an overview of the update:

  • The Oracle RDBMS product has only one update, and it is located in the Spatial Oracle component. Many Oracle RDBMS will not have that option installed and might be free from installing any patches this quarter.
  • The Mobile/Lite version of Oracle’s database has five vulnerability addressed with a CVSS of 10, which indicates they are highly critical vulnerabilities.
  • Oracle’s other database, MYSQL, has 18 vulnerabilities addressed, with a maximum CVSS score of 9.0, indicating a high level of severity and prompting for a quick turn-around.
  • Oracle’s Fusion product group has seven vulnerabilities addressed, two of them in the Oracle Outside In product. Oracle Outside In is an SDK that is used by outside vendors for document conversions. One of the outside vendors is Microsoft that uses the Outside In in their Exchange Mail Server in the Outlook Web Access part. Microsoft has shipped two updates to Exchange last year, partly due to update the Outside In SDK.
  • Oracle Solaris is affected by eight flaws but has no remotely exploitable vulnerabilities. IT administrators for Solaris should take a look at the vulnerabilities and decide on a adequate roll-out schedule.
  • Further product areas with Security updates include Peoplesoft, JD Edwards, Supply-Chain, E-Business and VirtualBox

Last but not least please do not forget the roll-out of the latest Java 7 version (update 11) that addresses a highly critical vulnerability that has known exploits in the wild.

Internet Explorer 0-day bulletin – Update

Update:
MS13-008 is live for download. Due to the availability of exploits treat with the highest priority and install as quickly as possible.

Please note that this update is a real patch and not a cumulative update, as we are used to for typical Internet Explorer updates. It is highly recommended to have MS12-077 (the last cumulative Internet Explorer update) installed before applying MS13-008.

Original:
Microsoft has posted an advance notification for an Internet Explorer update that will be released later today. The update will address the current 0-day vulnerability (CVE-2012-4792) that was first detected in late December 2012.

January 2013 Patch Tuesday

The first Patch Tuesday of 2013 started with a relatively normal rhythm. We are getting seven bulletins, with two bulletins considered "critical" and five bulletins "important." The one thing upsetting this normal balance is a current 0-day vulnerability that affects Internet Explorer 6, 7 and 8 — which represents 90% of the IE install base at this time — but which is not part of the Patch Tuesday release. It was initially reported by FireEye on December 28 and the exploit has since made it into a Metasploit module and at least one Exploit kit. While Microsoft is not providing a patch today, they have provided a Fix-It for the issue, which addresses the known attacks in the wild, and also counters the Metasploit module. However, as Exodus Intelligence pointed out over the weekend, there are other ways of triggering the vulnerability that have not been covered by the Fix-It. IT admins in enterprises should track this vulnerability closely, as a large percentage of enterprises still run the affected versions of Internet Explorer 6, 7 and 8. And admins should apply the Fix-It even though it can be bypassed because it addresses the currently known attacks

ie_percentages.png

Back to January’s bulletins, where MS13-002 is the most important patch in the lineup. It addresses a vulnerability in the MSXML library, which is an integral part of many Microsoft software packages. It is affecting every Windows version from XP to RT, plus all Office versions and a number of other packages, such a Sharepoint and Groove. The most likely attack vector is a malicious webpage. But an email with Office document attachment can also be a viable alternative for attackers. Patch this one as quickly as possible.

MS13-001, the second critical vulnerability, is in the Microsoft Windows Printer spooler software on the client side. It is located in a part of the spooler that provides extended functionality, and is not exercised by any Windows software, only by third-party software. The necessity of third-party software and the combination of the steps and events necessary to exploit this vulnerability makes us rank it on a lower level than MS13-002. Microsoft has a good post at the SRD blog explaining the components involved.

All the other bulletins are ranked as "important" as they do not allow code execution:

  • MS13-004 addresses several .NET issues, but attacks are limited to the Intranet context and cannot be initiated from the Internet lowering the risk of this bulletin.
  • MS13-005 fixes a flaw in the win32k.sys kernel module that weakens the AppContainer sandbox in Windows 8. By itself it is not a critical flaw, but could be used in conjunction with other vulnerabilities to attack a Windows 8 system.
  • MS13-006 prevents a protocol attack on SSL v3 that can happen when a Microsoft browser communicates with a third-party web server. An attacker that controls a network device in between the browser and server could downgrade communication to SSL v2. The attacker could then exploit any of the common flaws in SSLv2, ultimately eavesdropping on the communication.

In addition to the Microsoft patches, there is new software coming from Adobe as well. Adobe announced a new version of their Adobe Reader and Acrobat software – APSB13-02. The advisory applies to Windows, Mac OS X and Linux. Microsoft also updated security advisory KB2755801 for Internet Explorer 10, because it includes a new Adobe Flash build, and IT admins should look at the standalone Adobe Flash APSB13-01 release, as well. Adobe has also published advisory APSA13-01 for three ColdFusion vulnerabilities. The advisory provides information for workarounds, while Adobe is working on a patch.

Overall we are looking at a pretty normal Patch Tuesday, with the main worry for IT administrators centered on the Internet Explorer situation and its potential workarounds. One interesting option is to look at Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which has a number of additional mitigation steps that can be applied to Internet Explorer. EMET is effective in preventing the current 0-day and has worked the same way against the last IE 0-day in September, too. I have been running EMET for 6 months now with no side effects – highly recommended as an additional security measure.

December 2012 Patch Tuesday Preview

Today Microsoft announced seven bulletins that will be released in next week’s Patch Tuesday. Five of the bulletins are rated critical, and two are important. Between them they affect all currently supported Operating Systems, including Windows 8 and Windows RT.

Bulletin 1 is rated critical and affects Internet Explorer 9 and 10 on all platforms that support IE 9 and IE10, starting at Vista all the way to Windows 8 and RT. Bulletin 2, which is rated critical as well, applies to all versions of Windows and again includes both Windows 8 and Windows RT.

Bulletin 3 is special, as it affects Microsoft Word and is rated critical, which happens very rarely. Usually Microsoft downgrades even Remote Code Execution Office vulnerabilities to "Important," because a user interaction (e.g., opening a malicious file) is required. In this case we assume the "critical" rating comes from Outlook, which can be configured to use Word to visualize documents in its preview pane. This is an automatic mechanism that does not require user interaction. In any case, this is will be an important bulletin to watch out for.

Bulletin 4 is a critical fix for a number of Microsoft server software products. It includes the widely installed Exchange and Sharepoint, plus an update for Microsoft Office Web Apps 2010 Service Pack 1. Office Web Apps are the webified version of Word, Excel, etc., and we expect them to have lesser impact on IT, as the applications have fewer installations. In any case, Server Administrators need to take a good look at this bulletin to see if they need to take action.

All in all, we are looking at a normal-sized Patch Tuesday with a mix of browser, operating system and Office updates that will keep all areas of IT administration quite busy through the end of the year. For many Windows RT users, it will be the first time for a software update, and it will be interesting to see how they react and what the uptake of the patches will be.

Oracle CPU October 2012 Preview

The below is a guest post from Amol Sarwate, Director of Vulnerability Labs for Qualys

Oracle has pre-released information on the patches expected in its quarterly Critical Patch Update (CPU) on October 16.  This Critical Patch Update contains 109 new security vulnerability fixes across hundreds of Oracle products including Oracle Database, WebLogic server, PeopleSoft, Siebel, MySQL and VM Virtual Box. All affected components have one or more vulnerabilities that can be exploited remotely without authentication.

Oracle Fusion Middleware has 26 new security fixes which are more than any other component being fixed in this release.  The CPU contains five new security fixes for the Oracle Database Server, nine new security fixes for Oracle E-Business Suite, Oracle Supply Chain and PeopleSoft. It also has two security fixes for Siebel and 13 for Oracle Financials.

There are 18 security updates for the former Sun products like GlassFish, Solaris and SPARC. MySQL gets 14 security updates.

Overall, this is a big release that will keep system administrators busy on all fronts.

Patch Tuesday October 2012

Microsoft’s Patch Tuesday for October 2012 brings seven bulletins – MS12-064 to MS12-70 and two interesting security advisories.

MS12-064 is the only bulletin rated "critical". It fixes two vulnerabilities in Microsoft Word and applies to all versions of Microsoft Office. It addresses a vulnerability that can be exploited via a malicious RTF formatted e-mail through the Outlook Preview pane without having to open the e-mail. Since the development complexity of an attack against this vulnerability is low, we believe this vulnerability will be the first to have an exploit developed and recommend applying the MS12-064 update as quickly as possible.

All other bulletins are rated as important and apply to a wide variety of software ranging from Windows to Sharepoint to SQL Server, and include:

  • MS12-069 is a bulletin that applies to Windows 7 and Windows 2008 R2 and addresses a DoS style vulnerability where a specifically malformed Kerberos packet can crash the target machine.
  • MS12-066 addresses an XSS vulnerability in Microsoft’s SafeHTML library that is in use in a number of products, including Microsoft Sharepoint and LYNC, Microsoft’s IM client.
  • MS12-067 is another instance of a vulnerability introduced by the Oracle Outside-In library. Oracle addressed a number of critical vulnerabilities in that library in its last CPU in June 2012, and now all software vendors that had embedded a version of this vulnerable library need to provide updates to their products. This instance is a non-default, paid add-on to Sharepoint that provides document indexing capabilities. An organization could be exploited if the add-on is installed and if an attacker is able to upload a malicious file into a Sharepoint server.
  • MS12-070 fixes an XSS vulnerability in one of the reporting modules of Microsoft SQL Server. An attacker could use it to gain information about the SQL Server installation and would have to convince an SQL server administrator to click on a link that contains the malicious XSS code.

We recommend applying the updates as quickly as possible within your organization’s normal patching cycle.

Besides the seven bulletins, there are several security advisories that are being published. This month, KB2661254 is being switched to automatic download and will start enforcing a minimum of 1024 bit key length for certificates. This was announced three months ago and should not cause any disruption. Key lengths of under 1024 bits are forgeable and certificate authorities have stopped emitting such certificates for several years now. KB2749655 is a new advisory and explains a problem in Microsoft’s code signing infrastructure. During the three months in the summer of 2012, a number of binary files in Microsoft Security Bulletins were signed in a flawed way that will lead to their loss of validity – causing them to stop working in January 2013. To solve the problem, Microsoft will publish new versions of the affected bulletins, and organizations will need to reinstall the affected updates. This month the updated packages are MS12-053, MS12-054, MS12-055 and MS12-058. Microsoft provides more background on this process in their post on the SRD blog.

When planning the roll-out of these patches, don’t forget to include yesterday’s critical Adobe Flash update  and to plan for next week’s Oracle Java update, that will contain fixes for a number of critical vulnerabilities that we already know about.