Tuesday, August 10, 2010

Eleven Windows Bulletins Patch 23 Security Vulnerabilities

Bulletins Affect SMB Server, XML Core Services, the Kernel, and More

Severity: High

10 August, 2010

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (one flaw also affects Microsoft Silverlight)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, or enticing your users to open malicious media
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released eleven security bulletins describing 23 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-054: Three SMB Server Vulnerabilities

Microsoft Server Message Block (SMB) is the protocol Windows uses for file and print sharing. According to Microsoft, the Windows SMB Server suffers from three security vulnerabilities, one of which could allow attackers to execute malicious code. Though the flaws differ technically, an attacker could exploit them all in the same way. By sending a specially crafted network message, an attacker can exploit the worst of these flaws to gain complete control of a vulnerable Windows computer. The remaining two SMB Server flaws only result in Denial of Service (DoS) situations. Attackers often leverage this type of SMB Server vulnerability to help their malware automatically propagate within local networks. We recommend you apply this update immediately.
Microsoft rating: Critical.

  • MS10-049: SChannel Code Execution Vulnerability

The Secure Channel (SChannel) is a Windows security package that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication protocols. According to today's bulletin, SChannel suffers from two security vulnerabilities. By luring one of your users to a specially crafted website, an attacker could leverage the worst of these two flaws to execute code with full system privileges, gaining complete control of that user's computer. This update also fixes the TLS/SSL renegotiation vulnerability that attackers could leverage for a Man-in-the-Middle (MitM) attack on secured connections.
Microsoft rating: Critical.

  • MS10-051: XML Core Services Code Execution Vulnerability

Microsoft XML (MSXML) Core Services is a Windows component that handles XML content. Unfortunately, it suffers from a memory corruption vulnerability involving the way it handles specially malformed HTTP responses. By enticing one of your users to visit a malicious website, an attacker can exploit this flaw to execute code on that user's computer, with that user's privileges. If your user has administrative privileges, the attacker gains complete control of that user's PC.
Microsoft rating: Critical.

  • MS10-052: MP3 Codecs Buffer Overflow Vulnerability

MPEG Layer-3, otherwise known as MP3, is an audio encoding format used to compress audio for playback on digital devices, like computers. Windows ships with special codecs used to decode and play back MP3 audio within music files or videos. Windows' MP3 codecs suffer from a buffer overflow vulnerability, involving their inability to handle specially crafted audio files. By luring one of your users into downloading and playing a specially crafted audio file, an attacker could exploit this vulnerability to execute code on that user's computer, with that user's privileges. If your user has administrative privileges, the attacker gains complete control of that user's PC. This flaw only affects Windows XP and Server 2003.
Microsoft rating: Critical.

  • MS10-055: Cinepak Codec Code Execution Vulnerability

Cinepak is another media encoding and decoding codec used to compress video for playback on digital devices, like computers. Windows ships with the Cinepak codec to handle video files encoded using this codec. Unfortunately, the Windows Cinepak codec suffers from an unspecified vulnerability involving its inability to handle specially crafted video files. By luring one of your users into downloading and playing a specially crafted video file, an attacker could exploit this vulnerability to execute code on that user's computer, with that user's privileges. If your user has administrative privileges, the attacker gains complete control of that user's PC. This flaw only affects the client versions of Windows (XP, Vista, and 7).
Microsoft rating: Critical.

  • MS10-060: Code Execution Vulnerabilities in Microsoft .NET Framework and Silverlight

Microsoft Silverlight and the .NET Framework are two optional Windows components used to help developers create rich web applications. Windows doesn't ship with these components by default, but many users install them. Both components suffer from two code execution vulnerabilities. Though the flaws differ technically, an attacker can exploit them in the same way, with generally the same result. By enticing your user to a website containing a specially crafted web application, an attacker could exploit either of these flaws to execute code on that user's computer, with that user's privileges. As usual, attackers could gain complete control of the computer if the user has local administrative privileges.
Microsoft rating: Critical.

  • MS10-047 & MS10-048: Multiple Windows Kernel Elevation of Privilege and DoS Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. The Windows kernel and this kernel-mode driver suffer from multiple Denial of Service (DoS) and elevation of privilege vulnerabilities. Though these flaws differ technically, most of them share the same scope and impact. By running a specially crafted program, an attacker could leverage these flaws to either crash or lock up your computer, or to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws.
Microsoft rating: Important.

  • MS10-050: Windows Movie Maker Memory Corruption Vulnerability

Windows Movie Maker is a video capturing and editing application that you get free with Windows. Movie Maker actually ships with older versions of Windows, such as Windows XP and 2000. However, the latest versions of Windows (Windows Vista and 7) don't provide the Movie Maker application on the installation disc. Instead, you have the option to download it for free as part of the Windows Live Essentials package. In short, if you have Windows XP, you have Windows Movie Maker. However, if you have Windows Vista or 7, you only have it if you chose to download and install the Live Essentials package. Movie Maker suffers from a memory corruption vulnerability involving its inability to properly parse specially crafted project files. If an attacker can entice you to download a specially crafted project file, then open that file in Movie Maker or Producer, he can exploit this flaw to execute code on your computer, with your privileges. If you have local administrative privileges, the attacker gains full control of your computer. This flaw does not affect the Windows 7 versions of Movie Maker.
Microsoft rating: Important.

  • MS10-058: Multiple Windows TCP/IP Vulnerabilities

The TCP/IP stack that ships with many versions of Windows suffers from an Elevation of Privilege (EoP) vulnerability and a Denial of Service (DoS) vulnerability. By sending specially crafted IPv6 packets, an attacker could leverage the DoS flaw to cause your Windows systems to become unresponsive. Exploiting the EoP vulnerability is a little more difficult. In order to exploit this flaw, an attacker would need to log into an affected system using valid Windows credentials, and then execute a specially crafted program on the local computer. However, doing so gives the attacker complete control of that computer, regardless of the user privileges he logged in with.
Microsoft rating: Important.

  • MS10-059: Tracing Feature for Services Elevation of Privilege Vulnerabilities

Windows ships with a component called the Tracing Feature for Services. This component suffers from two technically different vulnerabilities that share the same scope and impact. If an attacker can log into an affected Windows system using valid Windows credentials, he can execute a specially crafted program that gives him complete control of that computer, regardless of the user privileges he logged in with.
Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-054:

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

MS10-049:

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

MS10-051:

Microsoft XML Core Services 3.0 for:

MS10-052:

Note: Other versions of Windows are not affected.

MS10-055:

Note: Other versions of Windows are not affected.

MS10-060:

MS10-047:

Note: Other versions of Windows are not affected.

MS10-048:

MS10-050:

Updates for Movie Maker:

MS10-058:

Note: Other versions of Windows are not affected.

MS10-059:

Note: Other versions of Windows are not affected.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. In fact, by default your Firebox will prevent most of the Microsoft flaws that require network access - specifically, the SMB-related vulnerabilities. You can also configure your Firebox to block the file types necessary to carry out some of these attacks (.AVI, .MP3, etc.). That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft's updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Vulnerabilities in Word and Excel Document Parsing

Severity: High

10 August, 2010

Summary:

  • These vulnerabilities affect: All current versions of Microsoft Office for Windows and Mac (specifically Word and Excel)
  • How an attacker exploits them: By enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches immediately

Exposure:

Today, Microsoft released two security bulletins describing five vulnerabilities found in components or programs that ship with Microsoft Office for Windows and Mac. Some of the vulnerabilities also affect Word Viewer, the Office Compatibility Packs, and the Open XML File Format Converter for Mac. Each vulnerability affects different versions of Office to a different extent. The five flaws affect different components and applications within Office, but the end result is always the same - by enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim's computer, usually inheriting that user's level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user's machine.

According to Microsoft's bulletins, an attacker can exploit these flaws using two types of Office documents: Word (.doc) and Excel (.xls). So beware of all unexpected documents you receive with these file extensions.

If you'd like to learn more about each individual flaw, drill into the "Vulnerability Details" section of the security bulletins listed below:

  • MS10-056: Multiple Word Code Execution Vulnerabilities, rated Critical
  • MS10-057: Excel Code Execution Vulnerability, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

Word update for:

Excel update for:

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Word and Excel documents, some organizations need to allow them in order to conduct business. Therefore, these patches are your best recourse. Temporarily though, you may still want to block these Office documents until you are able to install Microsoft's patches.

If you want to block Word, Excel, and Works documents, follow the links below for video instructions on using your Firebox proxy's content blocking features to block .doc and .xls files by their file extensions:

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Cumulative IE Patch Corrects Multiple Memory Corruption Flaws

Severity: High

10 August, 2010

Summary:

  • This vulnerability affects: All current versions of Internet Explorer, running on all current versions of Windows
  • How an attacker exploits it: By enticing one of your users to visit a malicious web page
  • Impact: Various, in the worst case an attacker can execute code on your user's computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes six new vulnerabilities in Internet Explorer (IE) 8.0 and earlier versions, running on all current versions of Windows (including Windows 7 and Windows Server 2008). Microsoft rates the aggregate severity of these new flaws as Critical.

The six vulnerabilities differ technically, but five of them share the same general scope and impact. These five issues involve various memory corruption flaws having to do with how IE handles various HTML elements and objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these vulnerabilities to execute code on that user's computer, inheriting that user's privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim's computer.

The remaining vulnerability consists of a Cross-Site or Cross-Domain Scripting (XSS) flaw. Among other things, an attacker might leverage this type of vulnerability to view information (such as cookies) from another domain or site, which he shouldn't have access to, or to execute scripts with another domain or site's privileges.

Keep in mind, today's attackers commonly hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and XSS attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

If you'd like to know more about the technical differences between these flaws, see the "Vulnerability Information" section of Microsoft's bulletin. Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you. By the way, Microsoft no longer supports Windows 2000 and IE 5.x. If you still run a legacy version of IE or Windows, we highly recommend you update in order to get the latest security updates.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


Monday, June 8, 2009

Goodbye, WatchGuard Blogs; Hello, WatchGuard Wire!

As you've probably noticed, we haven't posted any updates to this blog in many months. Regular readers are probably wondering where the heck we've been. The short answer is... Due to many changes at WatchGuard, we will be retiring these WatchGuard Blogs and returning to the WatchGuard Wire.

Scott Pinzon and I originally started this blog as an experimental offshoot of the WatchGuard Wire. At the time, we'd been posting blog-like security stories on the Wire for years. However, our voice on the Wire was very business professional; it didn't leave much room for our personalities or personal interests to come out. We started the WatchGuard Blogs with the desire to change that. The Blog was where we could share our personal opinions about the security stories we reported. We also hoped the blog would provide our readers a place to share their opinions. We dreamed of starting our own small security community.

In the beginning, this all worked out well. When we started, we had another analyst, Mark Waldstein, take over the normal news posts on the WatchGuard Wire, which left both Scott and me plenty of time to post on the Blog. So what happened? Well, we lost some people.

Unfortunately, both Scott and Mark have left WatchGuard to pursue other opportunities. While this is great news for them, I'm sad to have seen them go. I enjoyed working with both of them. Scott in particular has been my "partner in crime" for years here at WatchGuard. We pioneered many new projects together, including our well-known Malware Analysis video series.

These personnel changes, as well as a slight change in my own job title, have left our various security content feeds very understaffed. Essentially, it leaves only me to write LiveSecurity Alerts, WatchGuard Wire posts, WatchGuard Blog posts, and to record the Radio Free Security podcast. One man can't do it all. In order to provide regular content, one of these feeds had to go. That's why we're officially discontinuing the WatchGuard Blogs.

Don't fret though, there is a silver lining. You can still get the same type of blog-like security stories I posted here at the WatchGuard Wire. In fact, I plan on adopting the more relaxed voice we used here on the Wire. So if you'd still like to follow my security stories, I encourage you to subscribe to the WatchGuard Wire feed.

Also, if you're crunched for time and just want to know where to find the latest security stories, I recommend you follow me on Twitter. I tweet as SecAdept. With so many tasks to do, I only post to the WatchGuard Wire around twice a week. However, I tend to tweet daily about the latest security news. So if you're really interested in the latest breaking security news, you can find it on Twitter.

I apologize that it has taken me so long to officially explain our absence on the blog. It simply took a while to adjust to these internal changes, and to formulate a new content plan. I hope you continue to follow our security posts at the WatchGuard Wire and on Twitter. Nonetheless, thank you for reading the WatchGuard Blogs. It was a pleasure to provide it for you, and I enjoyed meeting some of you in the comment section. Adieu.

Friday, February 20, 2009

Want to score a cool quarter mil? Track down Conficker's maker

What's a sure sign that Conficker (also called Downadup) has actually infected lots of innocent users? The answer is, when Microsoft offers a $250,000 bounty on the worm author's head.

According to their press release, if you can supply any information that leads to the arrest and conviction of those responsible for the Conficker worm, Microsoft wants to give you a quarter million dollar reward. That's a nice chunk of change! I suspect many a researcher is scurrying to his or her underground contacts, trying to dig up some information on the gang behind this infection.

Meanwhile, the deplorable malcontents behind Conficker have not rested on their laurels. According to the latest reports, researchers have already discovered a new variant of Conficker called Conficker B++. The original Conficker generated seemingly random malicious domains using an algorithm that changed daily, in order to find locations where it could download new malware. A group of malware fighters calling themselves the Conficker Cabal cracked this algorithm and locked those future domains, thus preventing Conficker from downloading future malicious payloads. However, Conficker B++ was designed to combat that problem. In short, Conficker B++ is programmed with alternate means of downloading new binaries. So even if the Conficker Cabal blocks those malicious domains generated by that original algorithm, Conficker B++ can still find its malicious payload using other techniques.

Despite this nasty evolution, all the previous defenses still work against the latest variants of Conficker:

  1. Use a firewall
  2. Make sure your Windows systems have up-to-date patches
  3. Use antivirus programs that automatically download new signatures
  4. Be wary of using others' USB devices

If you at least follow those four tips, Conficker will have a tough time getting into your network.

Friday, January 23, 2009

Conficker's virulence continues to confound me

I still don't really understand why Downadup/Conficker has spread so successfully, but it definitely has.

The latest reports say the virulent worm has infected over 10 million PCs. Some of the big name victims include New Zealand's Ministry of Health, the UK Ministry of Defence, and some Sheffield hospitals. Furthermore, according to Panda Security, Downadup/Conficker has infected at least 1 in every 16 computers -- and perhaps as many as 1 in 3 (although I'm not sure how Panda came up with those figures).

Nonetheless, Symantec and McAfee still rate this worm as low risk, and I kind of agree with them. You really should have little problem blocking this worm by following the most basic security practices. Almost any firewall on the market will block the ports this worm needs to spread by default. That only leaves its ability to spread via USB key. Frankly, I don't think this worm's USB capabilities can account for its impressive infection rate. However, if you are worried about USB malware, you can disable Windows' autorun features to help protect yourself from it.

I believe there's more to the story. While I can understand how the worm exploiting weak Windows passwords and the Server Service vulnerability would help it spread quickly inside your network, I don't see how those techniques would get through a typical network's defenses. I still think attackers might have seeded this worm using drive-by download or spamming techniques.

Regardless of how this worm has spread, it has infected a lot of computers. When I think back a few years to how the Storm botnet started, it too began as a seemingly basic email worm. I didn't think many people would fall for Storm's early social engineering techniques either. However, a few did. And as Storm slowly infected these first victims, it continued to evolve its infection techniques. In the end, Storm compromised many computers and created a huge botnet for its authors. It looks to me like Downadup/Conficker is following in Storm's path. If you haven't hardened your network from this worm, do so now.

OS X pirates usher trojan onto their computers

If you've recently downloaded iWork 09 illegally using BitTorrent, your Mac probably has a trojan.

According to Intego (a company focused on Mac security), a new Mac trojan is circulating within the illegal copies of iWork 09 floating around on BitTorrent trackers. The trojan, OSX.Trojan.iServices.A, hides within an extra install package included with the iWork image, called iWorkServices.pkg. If you install this illicit version of iWork, the secret package quietly infects your Mac with the trojan, which has full root privileges. Once installed, the trojan connects back to its author, providing him a backdoor onto your computer. This allows the attacker to continue installing more malware onto your system, and could even potentially allow him to add your computer to a botnet.

In the PC world, it's standard practice for attackers to hide malware within pirated software. However, OS X users probably aren't used to this sort of technique. You better start getting used to it! In my opinion, this is just one more sign that Macs aren't as bulletproof against security threats as some Apple users would like to think (and I say this as a proud MacBook Pro owner). Malware authors have noticed Apple's growing popularity, and they will continue to try and exploit it. It's time for Apple users to face reality, and become security aware.

So what should you do in this case? Simple! Don't download and install these kinds of illegal, pirated Apple applications. Stay with the legal stuff and this threat won't affect you. If you do succumb to the dark side, beware what you might get.

Wednesday, January 21, 2009

Huge data breach could affect tens of millions of credit card users

During President Obama's inauguration yesterday, Heartland Payment Systems -- a major debit and credit card transaction company -- admitted that they were the victims of a huge data breach that could affect tens of millions of debit and credit card customers.

According to a Washington Post Security Fix article, Heartland found malware buried somewhere within their payment processing system. Currently, they don't know how long this malware has resided on their system. They only began looking for it last week, after receiving fraudulent activity reports late last year from MasterCard and Visa on cards used at merchants that rely on their systems.

Through this planted malware, intruders had access to all the digital magnetic stripe information stored on any debit or credit card that Heartland processed during the time of the breach. Heartland's president and CFO, Robert Baldwin, claims they process around 100 million transactions a month, 40% of which come from small to mid-sized restaurants. That's a whole lot of credit card data!

However, Heartland claims that the data bandits didn't make off with any personally identifiable customer information, such as Social Security numbers, unencrypted PIN numbers, or addresses. This makes it slightly more difficult for criminals to leverage their stolen credit card info. However, they do have enough data to create fake debit and credit cards, and use them at locations that don't verify your identity. In my experience, few retail locations actually verify this info (for instance, I can't count the number of times my wife used my cards undetected).

This is a truly flabbergasting security breach, coming from an organization that should have implemented the strictest, PCI-compliant standards of security. Some have already claimed that this breach could rival the one TJX suffered in 2007, which cost that company over a quarter of a billion in losses.

So what should you do in light of this gargantuan breach? If you process credit cards, do everything in your power to implement Defense in Depth and strive to maintain a PCI-compliant network. WatchGuard has unified threat management (UTM) appliances and some useful whitepapers that can help you with this task.

If you're a card carrier, your card company should contact you if you need to take any action. For now, I'd recommend you always monitor your monthly statements, and take advantage of any fraudulent activity services your card company offers.

If you'd like to learn more about this incident, check out Heartland's public release, or the links supplied below:

Tuesday, January 20, 2009

Malware preys on Obama-mania

Today is an exciting and historical day in the United States (and the World). In just a few hours we inaugurate an African American man, Barack Obama, as our 44th president. The nation feels a surge of hope, believing that the new administration will begin to correct some of the woes currently afflicting our country. Leave it to a few despicable malware authors to corrupt that hope, and twist it toward their ill-conceived purposes.

According to a ComputerWorld article, attackers have set up fake Obama/Biden campaign web sites, hoping to lure victims to a malicious drive-by download site. A blogger at MX Logix first noticed this attack. It arrives as spam email with Obama related subject lines. The subjects suggest that Obama has decided to decline the presidency. Some subject examples include:

  • Barack Obama abandoned sinking ship
  • Who will be our president now?
  • Obama doesn't wany anymore to be a president (The misspelling is the attackers, not mine)

If you click the links within these fake Obama emails, you end up at what appears to be the Obama/Biden campaign web site. However, every link on the web site points to a malicious executable file. If you download and install this executable, it infects your computer with the Waledec worm, which experts believe is the latest worm by the Storm authors. In other words, you'll become a botnet zombie.

It still never fails to amaze me how low these attackers will stoop to infect new victims. While I encourage you to celebrate Obama's historical inauguration, be careful where you go while doing so. That seemingly innocuous Obama web site could add you as a drone in another botnet army.

Thursday, January 15, 2009

Is the Downadup/Conficker worm creating the next big botnet?

Last week, F-Secure made quite a few blog posts [ 1 / 2 / 3 / 4 ] describing a new worm that seems to be spreading like wildfire. Called Downadup by some and Conficker by others, the worm appears to spread, primarily, by exploiting the semi-recent Windows Server Service vulnerability (LiveSecurity Subscription required), which Microsoft patched last October. Previous worms have taken advantage of this popular vulnerability, but haven't achieved the success that F-Secure claims Downadup has.

According to F-Secure's last count, Downadup has infected almost nine million individual victims within four days, claiming that the virulent worm infected 1.1 million new casualties in only one day.

Once Downadup infects you, the worm does a number of things. First, it adds itself to certain Windows registry keys to ensure it can restart the next time you reboot. Next, it tries to connect to one of many potential malicious web domains in order to download more malware. The worm generates malicious domain names using a complex algorithm that changes daily and relies on the timestamp found at various public web sites. So far, no one has officially described the malware that Downadup installs. However, I wouldn't be surprised to find it installs a bot client in hopes of creating the next big botnet.

Downadup also starts a malicious web server on your computer. It then scans your local network for other computers vulnerable to the Server Service vulnerability, or for computers with weak Windows credentials, exploiting these weaknesses to infect new victims via its malicious web server. Finally, the worm appears to copy itself and an autorun file to USB devices it detects, hoping to spread when users plug these devices into other computers.

Despite F-Secure's analysis of Downadup's success, I'm not yet convinced that the worm is really as virulent as it seems. By default, even the most basic firewall blocks the ports necessary for Downadup to spread (TCP ports 139 and 445). I can't imagine the worm getting very much traction scanning the Internet for these ports. That said… if the worm snuck into your network through other means, and you haven't applied Microsoft's October patches, it would spread within your network very quickly.

This brings us to Downadup's other means of infection - weak Windows credentials and USB devices. Weak Windows credentials, like the Server Service vulnerability, require access to those same Windows networking ports to use the Windows credentials. I've already established that most firewalls block these ports by default. Finally, I simply can't imagine a worm infecting almost nine million users by piggy-backing on USB devices. Do people really share USB devices often enough for a worm to spread that successfully through them? I don’t think so.

I’m not the only one that thinks F-Secure may have overstated their warnings about Downadup. Both McAfee and Symantec, two of the largest antivirus (AV) companies in the industry, rate this new worm as a low to very low risk. My guess is that F-Secure either flubbed their infection calculations or Downadup uses other unreported means of propagation (such as drive-by downloads or malicious emails).

Whether or not Downadup has really spread as widely as F-Secure suggests is negligible - it's still an infection you don't want to contract. Most AV companies already have signatures that detect and block this worm. Make sure your AV software is up-to-date, use a firewall, and make sure it doesn't allow access to the Windows networking ports (TCP ports 139 and 445). If you already have a UTM appliance from WatchGuard, you're already fairly safe from an external Downadup attack.
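The local spread over TCP 139 and 445 described in this post gives a defender two things to look for in firewall logs: one internal host opening SMB connections to many distinct peers in a short window (worm-style scanning), and any Internet-sourced traffic to those ports that the firewall allowed instead of dropping. The script below is an added example, not code from the original post or from WatchGuard; it runs over constructed syslog-style records whose field layout is assumed, and the internal range 10.0.0.0/8 is an assumption you would replace with your own.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Ports the post names as the ones Downadup/Conficker needs to spread.
SMB_PORTS = {139, 445}

# Assumed internal address range; adjust to your own network.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed sample records. The "action src= dst= proto= dport=" layout
# is an assumption for this example, not a real WatchGuard log format.
SAMPLE_LOG = """\
2009-01-15T09:00:01 allow src=10.0.0.23 dst=10.0.0.5 proto=tcp dport=445
2009-01-15T09:00:02 allow src=10.0.0.23 dst=10.0.0.6 proto=tcp dport=445
2009-01-15T09:00:02 allow src=10.0.0.23 dst=10.0.0.7 proto=tcp dport=139
2009-01-15T09:00:03 allow src=10.0.0.23 dst=10.0.0.8 proto=tcp dport=445
2009-01-15T09:00:03 allow src=10.0.0.23 dst=10.0.0.9 proto=tcp dport=445
2009-01-15T09:00:04 allow src=10.0.0.23 dst=10.0.0.10 proto=tcp dport=445
2009-01-15T09:00:10 allow src=10.0.0.50 dst=10.0.0.5 proto=tcp dport=445
2009-01-15T09:00:11 allow src=10.0.0.50 dst=10.0.0.5 proto=tcp dport=445
2009-01-15T09:00:12 allow src=10.0.0.51 dst=10.0.0.5 proto=tcp dport=80
2009-01-15T09:00:20 allow src=198.51.100.77 dst=10.0.0.5 proto=tcp dport=445
2009-01-15T09:00:21 deny src=198.51.100.78 dst=10.0.0.5 proto=tcp dport=139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "action": d["action"],
        "src": ip_address(d["src"]),
        "dst": ip_address(d["dst"]),
        "proto": d["proto"],
        "dport": int(d["dport"]),
    }


def find_smb_scanners(lines, window_seconds=60, min_peers=5):
    """Internal hosts that touch >= min_peers distinct SMB peers within the window.

    Both allowed and denied attempts count: a worm probing the LAN produces
    many connection attempts whether or not each one succeeds.
    Returns {source_ip: peak number of distinct peers seen in one window}.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if rec["src"] not in INTERNAL_NET:
            continue
        by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        # Sliding time window over this host's SMB connection attempts.
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            peers = {dst for _, dst in events[lo:hi + 1]}
            if len(peers) >= min_peers:
                hits[str(src)] = max(hits.get(str(src), 0), len(peers))
    return hits


def find_external_smb_allowed(lines):
    """Allowed SMB connections from outside INTERNAL_NET: the firewall should deny these."""
    return [
        (str(rec["src"]), str(rec["dst"]), rec["dport"])
        for rec in map(parse_line, lines)
        if rec and rec["action"] == "allow"
        and rec["dport"] in SMB_PORTS and rec["src"] not in INTERNAL_NET
    ]


if __name__ == "__main__":
    records = SAMPLE_LOG.splitlines()
    for host, peers in find_smb_scanners(records).items():
        print(f"possible SMB scanner: {host} reached {peers} distinct peers")
    for src, dst, port in find_external_smb_allowed(records):
        print(f"external SMB allowed through firewall: {src} -> {dst}:{port}")
```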