Qualys Blog

The SANS Institute recently released its 2017 report on cybersecurity trends. We examined the report’s six threat trends in a recent blog post, as well as in a webcast with the report’s author, security analyst John Pescatore, and with Qualys Product Management Vice President Chris Carlson. Now, we’re providing you with a useful checklist to help put you in a better position to respond these trends, which are expected to continue to dominate this year.

Continue reading …

A new zero-day vulnerability (CVE-2017-7269) impacting Microsoft IIS 6.0 has been announced with proof-of-concept code. This vulnerability can only be exploited if WebDAV is enabled. IIS 6.0 is a component of Microsoft Windows Server 2003 (including R2.) Microsoft has ended support for Server 2003 on July 14, 2015, which means that this vulnerability will most likely not be patched. It is recommended that these systems be upgraded to a supported platform. The current workaround is to disable the WebDAV Web Service Extension if it is not needed by any web applications.

The Qualys Cloud Platform can help you detect the vulnerability, track and manage Server 2003 Assets, as well as block exploits against web-based vulnerabilities like this one.

Continue reading …

An Interview with SSL Expert and SSL Labs Founder Ivan Ristić

Even though SSL/TLS is critical for the privacy, integrity, and security of internet communications, the protocol is implemented in an optimal way in only a small percentage of web servers, meaning that most websites and web apps aren’t as secure as they could be.

It doesn’t have to be that way, which is why Ivan Ristić, a security researcher, engineer, and author known for his expertise on various aspects of InfoSec, has spent years contributing to the field of SSL/TLS.

He launched SSLLabs.com in 2009 to provide SSL/TLS tools, research and documentation, brought it with him when he joined Qualys in 2010, and ran it until mid-2016, when he became an advisor. Under his leadership, SSLLabs.com became a de-facto standard for secure server assessment and the go-to site for organizations looking for help improving their SSL/TLS configurations.

Ristić also wrote an entire book about the topic titled “Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications.” We recently had a chance to catch up with Ivan and pick his brain about SSL/TLS challenges, best practices and trends. Here’s what he told us.

Continue reading …

Adobe released a new version of their Flash player fixing three vulnerabilities. The new version should be installed as soon as possible, as Adobe is aware on attacks occurring in the wild against two of the vulnerabilities. Interestingly Adobe found these attack to be directed against Firefox and bypassing the Firefox Sandbox:

Update 3:
Today, February 20, Adobe released the patch APSB13-07 for Adobe Reader and Acrobat. It addresses 2 CVEs (CVE-2013-0640, CVE-2013-0641) and should be rolled out immediately due to the attacks in the wild. Excellent turn-around time by Adobe.

Update 2:

Adobe announced a patch for Adobe Reader and Acrobat for next week, the week of February 18.

Update:
Users of the newest version of Adobe Reader, XI can enable "Protected View" to mitigate the attack by going to Preferences, Security (Enhanced). Protected View opens the file in an additional Sandbox that disables most Adobe Reader XI advanced features, but should be sufficient to read normal PDF documents.

Original:
Adobe has acknowledged reports of a new 0-day for its Adobe Acrobat and Adobe Reader line. According to the initial report by FireEye researchers that detected the attack all currently supported versions 9, 10 and 11 are affected.

There is currently no information on workarounds available, short of not using PDF documents. Stay tuned for more updates.

Today Microsoft published its Advance Notice for this month’s Patch Tuesday. But more importantly Adobe released out-of-band a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild on both Windows and Mac OS X. Update your Flash installations as quickly as possible – Users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.

Now back to Microsoft itself. We are looking at a little bit heavier Patch Tuesday with 12 bulletins that will address a total of 57 vulnerabilities. Five of the bulletins have a severity of critical, including bulletin 1 and bulletin 2, which both address Internet Explorer vulnerabilities affecting all versions of IE from 6 – 10, including on Windows RT running on the Surface tablet. Bulletin 3 is a critical Operating System level bulletin for Windows XP, 2003 and Vista, whereas users of the newer versions of Windows will not be affected. Bulletin 4 is the expected Patch to Microsoft Exchange, which uses the Outside-In software library from Oracle that contains critical vulnerabilities and that Oracle updated in last month’s Critical Patch Update (CPU). The last critical vulnerability is covered by Bulletin 12 and affects only Windows XP, so again, users of the newer versions of Windows will be spared from having to apply that patch.

The remaining bulletins are all rated important and are mostly "Local Elevation of Privilege" type of vulnerabilities, meaning that one already has to be on the targeted computer to be able to attack them. One exception is Bulletin 5, which can be used for Remote Code Execution. It affects the FAST Indexing server for Sharepoint and it also caused by Oracle’s update of the Outside In libraries that are used by Microsoft for document conversion processes.

Oracle has had two major updates in the last 2 days. On Sunday, Jan. 13 a new version of Java 7 was released that addresses the 0-day vulnerability that has been exploited in the wild. And today, the Oracle Critical Patch Update (CPU) came out that addresses all other Oracle products. Overall, the January 2013 CPU fixes over 80 vulnerabilities in 10 product groups.

With the number of products patched being substantial, it is important to have a good map of installed software and versions in your organization. As usual we recommend starting with exposed services first, this month lead by the MySQL patches. Fortunately in most installations Oracle’s core RDBMS will not be affected.

Here is an overview of the update:

• The Oracle RDBMS product has only one update, and it is located in the Spatial Oracle component. Many Oracle RDBMS will not have that option installed and might be free from installing any patches this quarter.
• The Mobile/Lite version of Oracle’s database has five vulnerability addressed with a CVSS of 10, which indicates they are highly critical vulnerabilities.
• Oracle’s other database, MYSQL, has 18 vulnerabilities addressed, with a maximum CVSS score of 9.0, indicating a high level of severity and prompting for a quick turn-around.
• Oracle’s Fusion product group has seven vulnerabilities addressed, two of them in the Oracle Outside In product. Oracle Outside In is an SDK that is used by outside vendors for document conversions. One of the outside vendors is Microsoft that uses the Outside In in their Exchange Mail Server in the Outlook Web Access part. Microsoft has shipped two updates to Exchange last year, partly due to update the Outside In SDK.
• Oracle Solaris is affected by eight flaws but has no remotely exploitable vulnerabilities. IT administrators for Solaris should take a look at the vulnerabilities and decide on a adequate roll-out schedule.
• Further product areas with Security updates include Peoplesoft, JD Edwards, Supply-Chain, E-Business and VirtualBox

Last but not least please do not forget the roll-out of the latest Java 7 version (update 11) that addresses a highly critical vulnerability that has known exploits in the wild.

Update:
MS13-008 is live for download. Due to the availability of exploits treat with the highest priority and install as quickly as possible.

Please note that this update is a real patch and not a cumulative update, as we are used to for typical Internet Explorer updates. It is highly recommended to have MS12-077 (the last cumulative Internet Explorer update) installed before applying MS13-008.

Original:
Microsoft has posted an advance notification for an Internet Explorer update that will be released later today. The update will address the current 0-day vulnerability (CVE-2012-4792) that was first detected in late December 2012.

The first Patch Tuesday of 2013 started with a relatively normal rhythm. We are getting seven bulletins, with two bulletins considered "critical" and five bulletins "important." The one thing upsetting this normal balance is a current 0-day vulnerability that affects Internet Explorer 6, 7 and 8 — which represents 90% of the IE install base at this time — but which is not part of the Patch Tuesday release. It was initially reported by FireEye on December 28 and the exploit has since made it into a Metasploit module and at least one Exploit kit. While Microsoft is not providing a patch today, they have provided a Fix-It for the issue, which addresses the known attacks in the wild, and also counters the Metasploit module. However, as Exodus Intelligence pointed out over the weekend, there are other ways of triggering the vulnerability that have not been covered by the Fix-It. IT admins in enterprises should track this vulnerability closely, as a large percentage of enterprises still run the affected versions of Internet Explorer 6, 7 and 8. And admins should apply the Fix-It even though it can be bypassed because it addresses the currently known attacks

Back to January’s bulletins, where MS13-002 is the most important patch in the lineup. It addresses a vulnerability in the MSXML library, which is an integral part of many Microsoft software packages. It is affecting every Windows version from XP to RT, plus all Office versions and a number of other packages, such a Sharepoint and Groove. The most likely attack vector is a malicious webpage. But an email with Office document attachment can also be a viable alternative for attackers. Patch this one as quickly as possible.

MS13-001, the second critical vulnerability, is in the Microsoft Windows Printer spooler software on the client side. It is located in a part of the spooler that provides extended functionality, and is not exercised by any Windows software, only by third-party software. The necessity of third-party software and the combination of the steps and events necessary to exploit this vulnerability makes us rank it on a lower level than MS13-002. Microsoft has a good post at the SRD blog explaining the components involved.

All the other bulletins are ranked as "important" as they do not allow code execution:

• MS13-004 addresses several .NET issues, but attacks are limited to the Intranet context and cannot be initiated from the Internet lowering the risk of this bulletin.
• MS13-005 fixes a flaw in the win32k.sys kernel module that weakens the AppContainer sandbox in Windows 8. By itself it is not a critical flaw, but could be used in conjunction with other vulnerabilities to attack a Windows 8 system.
• MS13-006 prevents a protocol attack on SSL v3 that can happen when a Microsoft browser communicates with a third-party web server. An attacker that controls a network device in between the browser and server could downgrade communication to SSL v2. The attacker could then exploit any of the common flaws in SSLv2, ultimately eavesdropping on the communication.

In addition to the Microsoft patches, there is new software coming from Adobe as well. Adobe announced a new version of their Adobe Reader and Acrobat software – APSB13-02. The advisory applies to Windows, Mac OS X and Linux. Microsoft also updated security advisory KB2755801 for Internet Explorer 10, because it includes a new Adobe Flash build, and IT admins should look at the standalone Adobe Flash APSB13-01 release, as well. Adobe has also published advisory APSA13-01 for three ColdFusion vulnerabilities. The advisory provides information for workarounds, while Adobe is working on a patch.

Overall we are looking at a pretty normal Patch Tuesday, with the main worry for IT administrators centered on the Internet Explorer situation and its potential workarounds. One interesting option is to look at Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which has a number of additional mitigation steps that can be applied to Internet Explorer. EMET is effective in preventing the current 0-day and has worked the same way against the last IE 0-day in September, too. I have been running EMET for 6 months now with no side effects – highly recommended as an additional security measure.

Today Microsoft announced seven bulletins that will be released in next week’s Patch Tuesday. Five of the bulletins are rated critical, and two are important. Between them they affect all currently supported Operating Systems, including Windows 8 and Windows RT.

Bulletin 1 is rated critical and affects Internet Explorer 9 and 10 on all platforms that support IE 9 and IE10, starting at Vista all the way to Windows 8 and RT. Bulletin 2, which is rated critical as well, applies to all versions of Windows and again includes both Windows 8 and Windows RT.

Bulletin 3 is special, as it affects Microsoft Word and is rated critical, which happens very rarely. Usually Microsoft downgrades even Remote Code Execution Office vulnerabilities to "Important," because a user interaction (e.g., opening a malicious file) is required. In this case we assume the "critical" rating comes from Outlook, which can be configured to use Word to visualize documents in its preview pane. This is an automatic mechanism that does not require user interaction. In any case, this is will be an important bulletin to watch out for.

Bulletin 4 is a critical fix for a number of Microsoft server software products. It includes the widely installed Exchange and Sharepoint, plus an update for Microsoft Office Web Apps 2010 Service Pack 1. Office Web Apps are the webified version of Word, Excel, etc., and we expect them to have lesser impact on IT, as the applications have fewer installations. In any case, Server Administrators need to take a good look at this bulletin to see if they need to take action.

All in all, we are looking at a normal-sized Patch Tuesday with a mix of browser, operating system and Office updates that will keep all areas of IT administration quite busy through the end of the year. For many Windows RT users, it will be the first time for a software update, and it will be interesting to see how they react and what the uptake of the patches will be.