Posts by author:

Paul Henry

Some Holiday Cheer from Microsoft

by Paul Henry on December 13, 2011

in SBN

Think the 12 Days of Christmas jingle:
On this Patch Tuesday before Christmas ….. Microsoft Gave to me ….. 3 critical patches… 10 important ones…and a patch for the Duqu vulnerability…

We initially expected 14 bulletins for this December Patch Tuesday; however, the much-awaited fix for “The Beast” SSL issue was not released today after all. Given the extensive regression testing Microsoft does across various configurations, my assumption is that additional testing is required for an issue as complex as this.

Microsoft ended the year with 13 December bulletins and fortunately for all of us, that includes the much needed Duqu patch.

While at first glance 13 bulletins may seem like a large number, only 3 are critical. And while IT teams will get a needed break on Microsoft vulnerabilities this month, concerns over other, third-party applications should keep them busy through the end of the year.

December Patch Tuesday details:

  • 6 Windows vulnerabilities
  • 1 IE vulnerability
  • 5 Office vulnerabilities
  • 1 Windows Media Player vulnerability

2011 in review

Compared with previous years of Microsoft patches, this is not a bad way to end the year. Microsoft released 17 bulletins on the December 2010 Patch Tuesday. In total, 2011 saw 99 bulletins, down from 106 in 2010. Clearly Microsoft has dramatically improved its software processes, and this is reflected in the continued decline in the share of vulnerabilities considered critical in the current codebase. The numbers speak volumes about the improvements at Microsoft: in 2006, 70% of security patches were critical; in 2011, critical vulnerabilities fell to just 30%. In an otherwise volatile threat landscape, this is good news for everyone.

Outside of Microsoft, IT staff are dealing with the zero-day Adobe vulnerability previously discussed on the Lumension Blog. Adobe is only releasing a patch for the Windows versions because that is the primary platform under attack; a fix for Unix and Mac users will not be available from Adobe until January 12, 2012. In all, Adobe released 121 bulletins this year, also down from last year.

Another trend worth mentioning is the rise of Java as a leading threat vector. As with the Adobe issues of the past few years, hackers are taking advantage of users’ failure to patch outdated versions. A recent article in Dark Reading noted that “… since the third quarter of 2010, Microsoft has detected or blocked some 6.9 million exploit attempts on Java each quarter, with a total of 27.5 million attempted exploits during that 12-month period”.

Critical

MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

MS11-090
Cumulative Security Update for ActiveX Kill Bits

MS11-092
Vulnerability in Windows Media Could Allow Remote Code Execution

Important

MS11-088
Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege

MS11-089
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

MS11-091
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution

MS11-093
Vulnerability in Microsoft Windows OLE32 Could Allow Remote Code Execution

MS11-094
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution

MS11-095
Vulnerability in Active Directory Could Allow Remote Code Execution

MS11-096
Vulnerability in Microsoft Excel Could Allow Remote Code Execution

MS11-097
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege

MS11-098
Vulnerability in Windows Kernel Could Allow Elevation of Privilege

MS11-099
Cumulative Security Update for Internet Explorer

December 2011 Patch Tuesday Security Briefing

by Paul Henry on December 13, 2011

in SBN

Paul Henry, Security and Forensics Analyst for Lumension, discusses the impact of the December 2011 Patch Tuesday releases.

How the Grinch Stole Christmas – with an Adobe Zero Day

by Paul Henry on December 6, 2011

in SBN

Yet another dangerous Adobe Zero Day in the wild

Adobe has posted a Security Advisory for a zero-day vulnerability that is currently being actively exploited against Adobe Reader 9.4.6 on the Windows platform. According to the advisory, the vulnerability (CVE-2011-2462) will be addressed first on the current target platform the week of December 12; because the risk is lower for Unix and Mac users, a patch will not be released there until the regularly scheduled patch cycle on January 12, 2012.

This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. Adobe further advises users who are still running Adobe Reader or Acrobat 9 and older versions to upgrade to Adobe Reader or Acrobat X, which is not impacted by the current issue.

As recently as 2009, Adobe earned the title of “most hacked software of the year”, when malicious PDF files accounted for more than 80% of all exploits for the year. Be on guard this holiday season: PDF files have long been a popular vehicle for transporting obfuscated malware in spear phishing attacks, and this vulnerability makes that task even easier.

In light of the never-ending stream of issues with Adobe Reader and Acrobat, users may want to consider a little “security by obscurity” with any one of more than a dozen Adobe alternatives for PC and mobile platforms, such as:

  • Sumatra PDF
  • Foxit Reader
  • Cool PDF Reader
  • Nitro Reader
  • PDF-XChange Viewer
  • Skim
  • Quick PDF
  • Gnostice (multiple PDF tools)
  • eXpert PDF Reader
  • Evince
  • Okular
  • STDU Viewer
  • GoodReader
  • Chrome PDF Viewer Plug-In
  • ePDFView
  • Perfect PDF Reader

Top 5 Predictions for 2012

by Paul Henry on December 5, 2011

in SBN

Back in April, I wrote 2011 had the potential to be a really bad year for securing our networks. I was right and I’m not happy about it.

From ever-growing numbers of malware to an evolving endpoint environment that now includes countless mobile devices, IT security has never been more challenging. And important. Here are what I believe will be key issues in 2012.

More Malware

From a vulnerability perspective we will see more of the same. In fact, McAfee’s Q3 report forecasts 75 million malware samples in 2011. IT continues to focus on primary applications and does not patch third-party applications or browser add-ons. It is no wonder this remains our primary threat vector.

While many APT incidents to date have relied upon unsophisticated attack tools, there is a clear advantage for our foes in the use of DLL injection malware, and we should expect its use to grow in 2012. Traditional incident response techniques also leave us exposed, as this malware never touches the hard drive.

BYOD Security Mis-steps

Enterprises will increasingly rely on Bring Your Own Device (BYOD), yet the improved productivity and efficiencies that make mobility a hot trend will come with little, if any, regard for security. Simultaneously, Google’s Android OS will unseat Apple as the predominant mobile OS. Together, these two trends create a perfect storm for hackers. Unlike Apple, the Android marketplace does not screen applications for security. Juniper recently reported that Android malware saw a 472% increase since July.

If enterprises continue to focus their security efforts on the gateway, they are leaving endpoints and mobile devices as low hanging fruit for the bad guys.

Slow Adoption of Virtualization

The move to virtualization is slowing, but risks are increasing, partly due to the lack of security offerings that can apply policy within private and public cloud environments. While the shift to virtualization offered the promise of correcting security mistakes made in the early physical computing days, it looks like we will continue to make the same mistakes and take shortcuts with the basics. Meaning: there are no allowances in a virtual environment for configuration management and server hardening, there continues to be a narrow (at best) focus on flaw remediation, signature-based defenses continue to disappoint, and we still rely too heavily on gateway / perimeter defenses.

Loss of Trust in SSL Ecosystem

Our entire SSL ecosystem is in critical need of overhaul. This became painfully apparent after the 2011 failure of Dutch certificate authority DigiNotar after millions of users were exposed to the threat of Man-In-The-Middle attacks. We will see more people question just how much trust can be afforded to SSL – further undermined with the issues discovered in websites using SSL version 3 and TLS version 1.0 and earlier. New tools have even been released that are capable of decrypting and obtaining the authentication tokens and cookies used in many websites’ HTTPS requests.

IPv6

Many governments – the U.S. included – target 2012 for IPv6 implementation. This will become a problem, as few security products fully support IPv6 and, worse yet, many are using technologies that encapsulate IPv6 on top of IPv4. Given this, 2012 could be the dawn of IPv6 malware poised to take advantage of this clear weakness.

I’d like to think 2012 is the year we get serious about security. But time will tell.

Microsoft Doesn’t Drop Any Turkeys This Patch Tuesday

by Paul Henry on November 8, 2011

in SBN

There may be a Black Friday this month, but there’s also a happy Tuesday from Microsoft, with just 4 bulletins this period. Only one of the bulletins is critical, and its exploitability rating is only a 3, so Microsoft suggests it is unlikely to be exploited. The additional patches include 2 important and 1 moderate. All 4 patches affect Windows platforms and will require a reboot.

Details:

MS11-083 Vulnerability in TCP/IP Could Allow Remote Code Execution
Critical - Remote Code Execution

MS11-084 Vulnerability in Microsoft Windows Could Allow Remote Code Execution
Important - Remote Code Execution

MS11-085 Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution
Important - Remote Code Execution

MS11-086 Vulnerability in Active Directory Could Allow Elevation of Privilege
Important - Elevation of Privilege

Of course, the real question on everyone’s mind is Duqu (the so-called son of Stuxnet). While many dispute the threat posed by this malware, no one disputes the risk of the zero-day vulnerability in Microsoft software that it takes advantage of. The vulnerability is exploited through a malicious Word document: when the user opens the document, a zero-day kernel vulnerability is exploited to execute malicious code. Microsoft did not issue a patch this cycle but has released a temporary fix using its “Fix It” solution: http://support.microsoft.com/kb/2639658#FixItForMe

All in all, it seems the primary threat vector of late is browsers and third-party add-ons. A recent report noted that malicious domains have increased by 89% year over year. Simply put, hackers recognize that users do not patch their third-party add-ons and, as always, they capitalize on that weakness to compromise our environments.

Social media continues to be a risk to the enterprise as well. After insisting there was no concern, Facebook reportedly corrected an issue that allowed one user to send another an executable attachment through its messaging feature. This created an easy platform for launching spear phishing attacks.

In addition, an issue in WordPress may have compromised up to one million blogs. A flaw in TimThumb, a popular tool used in WordPress blogs to access photo sites, can cause users to be redirected to malicious websites.

And let’s not forget the cloud. Security issues there continue to cause problems this Patch Tuesday period. Thankfully, Amazon is on top of it and corrected an issue that could have allowed hackers to hijack Amazon customer accounts.

November 2011 Patch Tuesday Security Briefing

by Paul Henry on November 8, 2011

in SBN

Paul Henry, Security and Forensics Analyst for Lumension, discusses the impact of the November 2011 Patch Tuesday releases.

Keys to the Kingdom

by Paul Henry on October 28, 2011

in SBN

For hackers, social media is the malware delivery vehicle of choice right now. And why not? Social networking sites are where the people are, and their information is readily available. Sadly, many unsuspecting people fail to realize that by creating a Facebook page, they are literally handing the bad guys all the information needed to hack their bank account.

It’s a problem growing in significance for both individuals and their employers. A new study by Websense shows that 52 percent of organizations have experienced an increase in virus and malware attacks as a result of employees’ use of social media in the workplace.

How does this happen?

Think about it for a moment; all that is typically necessary to reset a user’s online bank account password are the answers to a small number of secret questions. And all of the information necessary to answer these secret questions can usually be easily found within the users’ (or shall we call them victims?) Facebook pages and wall postings. The most common tactics used by hackers today include:

  • Clickjacking – this tactic usually tricks users into revealing personal information with a sensational message or with transparent .gifs that hover over the “Like” button found on many company pages.
  • Spear phishing – emails that seem to come from someone you know asking for information like passwords; this technique now makes up 23 percent of all social media attacks.
  • Password sniffing – if a hacker is able to obtain your password, his ability to steal more information only increases when people rely on the same password across multiple accounts. Case in point: password research on the data associated with the Sony breach. It is shocking to see the number of people who use the very same password across multiple accounts, including social media sites and their bank account.
  • Secret questions – are your secret questions really any secret at all? A study by IEEE in 2009 found that 28 percent of those who simply knew and trusted an individual could often guess that person’s answers to their account secret questions.

Given the significant threat to security brought on by social networking sites, IT often tries to ban their use from within the organization’s network altogether. But rarely does that fly. Remember, for some positions there are very legitimate reasons for relying on social networking while at work.

So what can be done?

Educate users

Your first step should be to educate your organization’s employees on what they should and should not do online. While critically important, it’s obviously easier said than done. Start with these simple measures:

1. Teach them how to recognize a secure webpage.

  • There is a de facto standard among web browsers to display a “lock” icon somewhere in the window of the browser (NOT in the webpage display area!). For example, Microsoft Internet Explorer displays the lock icon in the lower-right corner of the browser window. As another example, Mozilla’s Firefox web browser displays the lock icon in the lower-left corner.

2. Remind them that by default, most social media applications do not encrypt the communications between the user and the website and this allows a malicious person to easily capture their user account credentials.

  • To change the default connection to encrypted communications (on Facebook, for example), tell employees to change their account settings via Account > Account Settings > Account Security. Once there, they should select the secure browsing / HTTPS checkbox so that their Facebook visits, including their login, will be encrypted.

3. Caution them about phishing emails by reminding them to never share their credentials over email.

  • Social media can make a phishing email appear as if it is from a trusted friend by using information actually harvested from the user’s Facebook page, making users think only a trusted friend would have known that information.

4. Explain the difference between weak and strong passwords and remind employees not to reuse them across other accounts.

5. Explain that using the same answers to “Secret Questions” across sites can be a recipe for disaster and is perhaps just as big a risk as using the same password across multiple accounts.
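Step 2 above is the one an administrator can verify rather than only remind users about. The script below is an added example, not part of the original post and not Lumension's or Facebook's code; it audits a pair of captured HTTP and HTTPS responses for the three things that decide whether a login session can be captured on the wire: whether plain HTTP is redirected to HTTPS, whether a Strict-Transport-Security header is set with a reasonable max-age, and whether session cookies carry the Secure and HttpOnly flags. The `Response` type, the 180-day HSTS threshold and the sample header captures are assumptions of the example; the captures are constructed and not taken from any real site.

```python
from dataclasses import dataclass


@dataclass
class Response:
    """One captured HTTP response (assumed shape for this example): the scheme the
    request was made over, the status code, and the raw (name, value) header pairs."""
    scheme: str
    status: int
    headers: list


def header_values(resp, name):
    """All values of one header, matched case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in resp.headers if k.lower() == name.lower()]


def parse_hsts_max_age(value):
    """max-age from a Strict-Transport-Security value, or 0 if missing or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def cookie_findings(resp):
    """Flag cookies that a passive sniffer could capture or page script could read."""
    findings = []
    for cookie in header_values(resp, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().partition("=")[0].lower() for part in cookie.split(";")[1:]}
        if resp.scheme == "http":
            findings.append(f"cookie {name!r} is set over plain HTTP")
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks the HttpOnly flag")
    return findings


def audit_transport(http_resp, https_resp, min_hsts_age=180 * 24 * 3600):
    """Return a list of findings; an empty list means encrypted sessions are enforced."""
    findings = []
    location = header_values(http_resp, "Location")
    redirected = (300 <= http_resp.status < 400 and bool(location)
                  and location[0].lower().startswith("https://"))
    if not redirected:
        findings.append("plain-HTTP request is answered directly instead of redirected to HTTPS")
    hsts = header_values(https_resp, "Strict-Transport-Security")
    if not hsts:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    elif parse_hsts_max_age(hsts[0]) < min_hsts_age:
        findings.append(f"Strict-Transport-Security max-age is below {min_hsts_age} seconds")
    findings += cookie_findings(http_resp)
    findings += cookie_findings(https_resp)
    return findings


# Constructed sample captures; not taken from any real site.
# A 2011-style "HTTPS is opt-in" site: plain HTTP serves the page and the session cookie.
OPT_IN_SITE = (
    Response("http", 200, [("Content-Type", "text/html"),
                           ("Set-Cookie", "sessionid=abc123; Path=/")]),
    Response("https", 200, [("Content-Type", "text/html"),
                            ("Set-Cookie", "sessionid=abc123; Path=/")]),
)
# A site that enforces encryption: redirect, HSTS, and a properly flagged cookie.
HARDENED_SITE = (
    Response("http", 301, [("Location", "https://example.test/")]),
    Response("https", 200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                            ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly")]),
)

if __name__ == "__main__":
    for label, (plain, tls) in (("opt-in site", OPT_IN_SITE), ("hardened site", HARDENED_SITE)):
        print(f"{label}:")
        for finding in audit_transport(plain, tls) or ["no findings"]:
            print("  -", finding)
```

Run against the opt-in capture it reports seven findings (no redirect, no HSTS, and a session cookie that is sent in the clear and carries neither flag); the hardened capture produces none. Feeding it headers saved from a real browser session is a quick way to confirm that the "secure browsing" setting users are told to enable is actually being honoured.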

Put policies in place

Create simple policies where implementation is reasonable:

1. Ask that employees use their personal email address on social media sites rather than their work email address.
2. Do not allow downloading of content from these sites.

The most important thing here is of course policy enforcement. From my perspective, I would also implement technology tools that block downloading.

Patching

Your first line of defense should always be up-to-date patching. And the key here is expanding your patching efforts beyond Microsoft. More than 2/3 of today’s vulnerabilities come from non-Microsoft applications. Third-party applications are increasingly targeted by hackers and you need to have a proactive patch strategy in place that covers all vulnerabilities, not just the critical ones.

In the fight against cyber crime, the most important thing to remember is security is not JUST a technology problem. While effective software (in my opinion, a comprehensive suite solution that encompasses multiple layers of security like patching, application control, antivirus and device control works best) is important, so are people (translation: users) and policy. You must address all three areas to get a leg up on the bad guys (before they have one up on you).

October 2011 Patch Tuesday Security Briefing

by Paul Henry on October 11, 2011

in SBN

VIDEO: Paul Henry, Security and Forensics Analyst for Lumension, discusses the impact of the October 2011 Patch Tuesday releases.

Some Tricks and Some Treats from Microsoft

by Paul Henry on October 10, 2011

in SBN

The Treat: October’s bulletins resolve several issues, 2 critical and 6 important, covering a range of products including Microsoft .NET, Windows, IE, Forefront and MS Host Integration Server.

The Trick: nearly all require a restart, which will cause widespread disruption across both Internet-connected servers and user desktops.

The Details:

MS11-081: Critical Internet Explorer patches that correct 8 vulnerabilities with typical attack vectors and one involving JavaScript. None of the patched issues are related to active exploits; however, users are urged to apply this as a high priority. It is important to note that many of the fixes are related to improving defense in depth to strengthen the browser.

MS11-078: Critical .NET issue, which also impacts Silverlight. Users of the .NET client and Silverlight are urged to apply this patch as a high priority.

MS11-075: Important Windows Active Accessibility patch that corrects a DLL injection issue.

MS11-076: Important Media Center patch, correcting a DLL injection issue.

MS11-077: Important patch that resolves a Win32k kernel-mode driver issue involving font rendering, which is a low risk with Microsoft IE (as the font would not be rendered) but could be a high risk with third-party browsers (which would render the font).

MS11-080: Important Ancillary Function Driver issue that allows elevation of privilege.

MS11-079: Important Forefront UAG Issue, resolving a perimeter firewall XSS issue.

MS11-082: Important Host Integration Server, resolving a DoS issue for the service.

Also released today was SP 3 for Office 2007 and SharePoint 2007. SP3 includes a roll up of previously patched issues, as well as newly discovered issues from the lifecycle of SP2.

Yet again vulnerabilities have proven not to be an issue exclusive to Microsoft; third-party products and add-ons are our Achilles’ heel again this period. The ever-increasing integration of mobile devices into our enterprise networks with little, if any, regard for security, along with the seemingly non-stop release of vulnerabilities in Android and other vendors’ products, is placing us in a precarious situation.

The recently disclosed Android smartphone issue can be exploited by third-party applications and can effectively render all phone-based protections ineffective.
http://www.theinquirer.net/inquirer/news/2114308/android-vulnerability-renders-antivirus-products-ineffective

Also, a Chrome update was released to address several security issues. This period Google paid bounties totaling $8,000 to researcher Glazunov and an additional $2,000 to Miaubiz. Outside of the bounty program, a severe vulnerability discovered by Google’s own security team in audio node handling was also addressed. It is important to note that one of Google’s fixed issues for Chrome was a buffer overflow that allowed an attacker to execute arbitrary code on a Chrome user’s computer.
http://news.cnet.com/8301-1009_3-10035720-83.html

In addition, a vulnerability in Apache that provides a DoS vector has been patched in release 2.2.20, and users are encouraged to upgrade to the current version to mitigate the risk of exploitation.
http://httpd.apache.org/security/vulnerabilities_20.html

Finally, just a week after the quarterly patch update from Adobe, an out-of-band patch was released to address 6 issues, including a zero-day vulnerability.
http://www.eweek.com/c/a/Security/Adobe-Patches-ZeroDay-XSS-Vulnerability-in-Flash-Player-10-787685/

Not only are patches of concern, but now we are facing a BEAST, both literally and figuratively. Last week, researchers demonstrated software they created called BEAST (Browser Exploit Against SSL/TLS) that can decrypt parts of an encrypted data stream and can be used in what is known as a “man-in-the-middle” (MITM) attack. Browser makers have been a mixed bag in responding to this very real threat: Google is treating it as a serious issue for Chrome and Microsoft released an advisory, whereas Firefox did not issue an update but asked users to disable Java.

With respect to the SSL issues and “The BEAST”, we are perhaps seeing just the tip of the iceberg by focusing our attention only on browsers. Several other products that also use SSL, such as VoIP phones and SCADA systems, are perhaps more at risk due to expected long-term delays in patching them.


September 2011 Patch Tuesday Security Briefing

by Paul Henry on September 13, 2011

in SBN

Paul Henry, Security and Forensics Analyst for Lumension, discusses the impact of the September 2011 Patch Tuesday releases.