Adobe Flash 0-day in the wild

It’s back again to haunt Adobe – a new 0-day was confirmed by the inventors of the PDF format yesterday. Adobe released an advisory to confirm the vulnerability in Flash Player being exploited in the wild.

The vulnerability (CVE-2011-0609) exists in Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems (Adobe Flash Player 10.2.154.18 and earlier for Chrome users), and in Adobe Flash Player 10.1.106.16 and earlier versions for Android. Even the authplay.dll component that ships with Adobe Reader and Acrobat X is affected. According to Adobe -

“This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system.”

The vulnerability is being exploited via an Excel file (.xls) with a malicious Flash file (.swf) embedded in it. Once the malicious Excel file is opened, the payload is known to connect to “good.mincesur.com (119.70.119.30)”, possibly to download more malware.
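The embedding described above (an .swf carried inside an .xls) lends itself to a simple file-triage check on the defender's side. The following is an added example written for this post, not tooling from the post or from Adobe: it scans a file's bytes for SWF headers ('FWS' for uncompressed, 'CWS' for zlib-compressed), validates the length field and, for CWS, inflates the body so that bytes which merely spell 'CWS' are rejected, and, when the third-party `olefile` package is installed, repeats the scan over each OLE2 stream, which is where Office stores embedded objects. The sample carrier and the tiny SWF it contains are constructed in the code; the host name and IP from the post are not used.

```python
"""Triage check for Office documents carrying an embedded Flash (SWF) object.
Added example for this post; it is not tooling from the post or from Adobe.
Flat scan of the file bytes plus, when the 'olefile' package is installed,
a walk over the OLE2 streams where Office actually stores embedded objects."""
import re
import struct
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound-document magic (.xls/.doc)
SWF_SIG = re.compile(rb"[FC]WS[\x01-\x3f]")       # 'FWS' (raw) or 'CWS' (zlib) + plausible version byte
MAX_SWF_LEN = 64 * 1024 * 1024                     # ignore absurd declared sizes


def find_embedded_swf(data):
    """Return one dict per SWF header in `data` whose length field and, for CWS,
    zlib body check out.  Random bytes that merely spell 'CWS' are rejected."""
    findings = []
    for m in SWF_SIG.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        kind = data[off:off + 3].decode("ascii")
        version = data[off + 3]
        (declared_len,) = struct.unpack_from("<I", data, off + 4)  # whole-file length incl. 8-byte header
        body_len = declared_len - 8
        if body_len < 0 or declared_len > MAX_SWF_LEN:
            continue
        payload = data[off + 8:]
        if kind == "FWS":
            # Uncompressed body: the only sanity check is that it fits in the file.
            if len(payload) < body_len:
                continue
        else:
            # Compressed body: must be one complete zlib stream that inflates to body_len bytes.
            try:
                d = zlib.decompressobj()
                inflated = d.decompress(payload)
            except zlib.error:
                continue
            if not d.eof or len(inflated) != body_len:
                continue
        findings.append({"offset": off, "kind": kind, "version": version,
                         "declared_len": declared_len})
    return findings


def scan_file(path):
    """Scan a file on disk: raw bytes first, then each OLE stream if olefile is available."""
    with open(path, "rb") as f:
        data = f.read()
    report = {"raw": find_embedded_swf(data), "streams": {}}
    try:
        import olefile  # optional third-party dependency
    except ImportError:
        return report
    if data.startswith(OLE_MAGIC):
        ole = olefile.OleFileIO(path)
        try:
            for entry in ole.listdir(streams=True, storages=False):
                hits = find_embedded_swf(ole.openstream(entry).read())
                if hits:
                    report["streams"]["/".join(entry)] = hits
        finally:
            ole.close()
    return report


def build_sample_swf(compressed=True):
    """Constructed minimal SWF (version 10): empty 0x0 stage, 24 fps, one frame, End tag."""
    rect = bytes([0b00101000, 0, 0, 0])                        # RECT with Nbits=5, all fields 0
    body = rect + struct.pack("<HH", 24 << 8, 1) + b"\x00\x00"  # frame rate 24.0 (8.8 fixed), 1 frame, End
    header = bytes([10]) + struct.pack("<I", 8 + len(body))
    if compressed:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


def build_sample_carrier():
    """Constructed test input: OLE2-style header, filler, a decoy 'CWS' that is not a
    real SWF, then a genuine compressed SWF.  Returns (bytes, offset of the real SWF)."""
    prefix = OLE_MAGIC + b"\x00" * 504
    decoy = b"CWS\x0a" + struct.pack("<I", 100) + b"not zlib at all!!!"
    filler = b"\x00" * 64
    data = prefix + decoy + filler + build_sample_swf(compressed=True)
    return data, len(prefix) + len(decoy) + len(filler)


if __name__ == "__main__":
    sample, expected = build_sample_carrier()
    for hit in find_embedded_swf(sample):
        print(hit, "(expected offset %d)" % expected)
```

A flat scan can miss an SWF whose OLE stream is spread over non-adjacent 512-byte sectors: the 'CWS' header is found but the zlib body does not inflate cleanly, so the stream walk is the reliable path when `olefile` is present. The later LZMA-compressed 'ZWS' variant (Flash 11 and newer, which postdates this post) is not handled here.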

There are reports of the malicious Excel file being delivered through email as an attachment, probably with the usual dose of phishing content. It seems to be a logical move by the attackers – since the exploit vector via Adobe Reader is blocked by Reader X’s sandbox (protected) mode, Microsoft Office seems to be the next perfect delivery mechanism for such vulnerabilities. Apparently, the protected mode is also the reason the Reader X patch will come a little late (June)! I won’t be too surprised if we start seeing more such attacks that piggy-back two different software components in the future.

Talking about targeted attacks, Google recently confirmed that it was a victim of a highly targeted and apparently politically motivated attack that involved abuse of another publicly-disclosed Internet Explorer 0-day – the MHTML vulnerability.

Adobe has promised an emergency patch for this vulnerability, but users will have to wait till 21st March for the patch to be available. In the meantime, I would suggest that users avoid opening Excel attachments received from unknown or untrusted sources, and watch this space for further updates!

Neeraj Thakar

(18/03/2011) Update 1:

Some more technical details have been disclosed since the news about the Flash 0-day started making rounds.

While Adobe prepares the patch release, Office 2010 and 2007 users have some relief, as Microsoft has published workarounds to prevent the exploit from working. For Excel 2007 users, disabling “all controls” in the “Trust Center” ActiveX options prevents the Flash object from loading, thus preventing the exploit from working.

(Screenshot: Excel Trust Center ActiveX settings)

However, you might lose other functionality, since this option can break other add-ons and ActiveX controls. So, be sure to test the change in your environment before deploying it on multiple systems. As for Office 2010 users, they are not vulnerable to this exploit, since Office 2010 enables DEP by default and the current exploit does not use any DEP bypass mechanism.

Beyond this, one can use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) to help prevent the exploit from working. It provides an additional layer of mitigations that stop the current exploit.

While these workarounds will prevent the exploit from working via Excel, the vulnerability is in Flash and can also be triggered from the browser. So, choosing a browser that uses DEP by default, such as Internet Explorer 8/9, or Firefox with the NoScript/NoFlash add-on, will help. Incidentally, Google Chrome has already released a new version (10.0.648.134) that includes a patch for this Flash vulnerability.

(23/03/2011) Update 2:

Adobe has released an update for Flash Player (version 10.2.153.1 for Windows). We recommend that all users upgrade to this new version ASAP! Adobe Reader X users, though not affected by this vulnerability, will have to wait till 14th June to get their update.
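To turn the version boundaries quoted in this post into a compliance check, here is an added example (not Adobe's or the author's code) that parses a reported Flash version string, compares it numerically against the last affected build for the platform, and classifies a constructed inventory. The host names and the inventory are made up; the version thresholds are the ones stated in the advisory text above.

```python
"""Is an installed Flash Player build still exposed to CVE-2011-0609?  The version
boundaries come from the advisory text in this post; the code is an added example,
not Adobe's or the post author's."""
import re

# Highest affected build per platform, as quoted from the advisory above.
LAST_AFFECTED = {
    "windows": (10, 2, 152, 33),
    "mac":     (10, 2, 152, 33),
    "linux":   (10, 2, 152, 33),
    "solaris": (10, 2, 152, 33),
    "chrome":  (10, 2, 154, 18),   # Flash bundled with Google Chrome
    "android": (10, 1, 106, 16),
}
FIXED_BUILD_WINDOWS = (10, 2, 153, 1)   # the update named in Update 2


def parse_version(text):
    """'10.2.152.33' -> (10, 2, 152, 33).  Accepts the comma form Flash itself reports
    ('WIN 10,2,152,33') and pads missing trailing fields with 0, which is the conservative
    choice for a compliance check (a short version string compares as the lowest build)."""
    fields = re.findall(r"\d+", text)
    if not 1 <= len(fields) <= 4:
        raise ValueError("not a Flash version string: %r" % text)
    parts = tuple(int(f) for f in fields)
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version_text, platform):
    """True when the build is at or below the last affected build for its platform."""
    key = platform.lower()
    if key not in LAST_AFFECTED:
        raise KeyError("no advisory data for platform %r" % platform)
    return parse_version(version_text) <= LAST_AFFECTED[key]


def classify_fleet(records):
    """records: iterable of (host, platform, version_text) as an inventory tool might
    report them.  Unparseable entries are 'unknown' so they get looked at, not passed."""
    status = {}
    for host, platform, version_text in records:
        try:
            status[host] = "vulnerable" if is_vulnerable(version_text, platform) else "patched"
        except (ValueError, KeyError):
            status[host] = "unknown"
    return status


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "10.2.152.33"),
    ("ws-002", "windows", "10.2.153.1"),
    ("ws-003", "chrome",  "10.2.154.18"),
    ("ws-004", "android", "10.1.106.16"),
    ("ws-005", "windows", "WIN 10,2,99,0"),
    ("ws-006", "windows", "not installed"),
]

if __name__ == "__main__":
    for host, result in sorted(classify_fleet(SAMPLE_INVENTORY).items()):
        print(host, result)
```

The numeric comparison matters: as a string, "10.2.99.0" sorts after "10.2.153.1", so a check built on string comparison would wave an old build through. A version string the parser cannot read is reported as unknown rather than patched.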

Posted in Vulnerabilities

Upgrade to Windows 7 SP1 or not?

The much awaited Windows 7 Service Pack 1 was released recently by Microsoft. It seems to have broken the record for the largest Service Pack (SP) for any desktop OS, with the size of the update reaching almost 1GB! Microsoft has for sure packed in a ton of updates – but before you rejoice and start pushing that update to your desktops, you need answers to some questions.

  • Do I really need Windows 7 SP1? (Most important)
  • Will it break any of my applications?
  • Are there any new features/services added in the SP?

Well, for starters, a Service Pack (SP) is really just a collection of all the patches that Microsoft has released for Windows 7 to date. So, if you have been keeping your systems up-to-date, then upgrading to SP1 should not make much difference in terms of getting the latest security updates. But on a huge network of 1000+ machines, keeping all systems up-to-date is a challenging task, and in such cases the SP serves as a shortcut to bring a system up-to-date with the latest set of patches.

Moreover, the Service Pack is not just about security updates; it also adds some improvements to features and services, such as -

  • Better support/compatibility for HDMI audio devices
  • Better printing support using the XPS Viewer
  • Restoring previous folders in Windows Explorer after restart

None of these is tempting enough for an average corporate or enterprise user, but then again it depends entirely on your environment and nature of work.

A word of caution, though, to all system/network administrators – Service Packs are notorious for breaking a lot of applications. For example, your drivers and antivirus software are likely to be the first ones to hate the SP upgrade. If your organization uses a lot of custom-designed applications, it makes sense to try the update in a staging environment to iron out compatibility issues before deploying the SP. As expected, some issues have already been reported, so be sure to search for them before you go ahead with your deployment. Microsoft even offers a tool to block installation of the Service Pack in case organizations have enabled automatic updates and do not want the SP to be deployed automatically.

Big organizations need to do a lot of homework before they can deploy a service pack, but making sure that the update is uniformly applied across all machines is a different story altogether – which is where solutions like Nevis NAC really help. Nevis NAC allows organizations to achieve 100% patch compliance and even allows quarantine and auto-remediation of non-compliant systems. For existing Nevis customers deploying the SP, be sure to get the latest CEI updates. For details on how to enable Windows 7 Service Pack 1 on the LANsight, get in touch with the Nevis Technical Assistance Center (NTAC).

Neeraj Thakar

Posted in Endpoint Security

Microsoft to fix 4 vulnerabilities this month

There will be a total of 3 bulletins (2 Important and 1 Critical) in this month’s Microsoft Patch Tuesday release (March ’11). Users and administrators will have a relatively easy patch week this month, thanks to Microsoft’s tiny patch release compared to February, when there were tons of patches from Microsoft as well as Oracle.

As per the advance notification from Microsoft, a total of 4 vulnerabilities will be covered this month, including fixes for Windows operating systems as well as for Microsoft Office Groove. All the vulnerabilities are likely to allow remote code execution. The critical bulletin affects Windows XP SP3, Windows Vista and Windows 7 systems.

Though Microsoft confirmed the Browser Protocol zero-day vulnerability in mid-February, it is not clear whether it is going to ship a patch in this month’s release or in an out-of-band (OOB) patch release. Microsoft, on previous occasions, has been known to release unscheduled patches when there were increased reports of 0-days being exploited in the wild. The vulnerability mainly affects Domain Controllers (DCs); remote code execution, though difficult, is possible. So, if you are a Nevis customer, please make sure that your IPS signatures are up-to-date. This will ensure that your network is well protected from this vulnerability.

A good NAC solution can help a lot when it comes down to patch compliance in your organization as it can ensure that your endpoints have the required patches before they connect to the enterprise network. So, if you are not a Nevis customer yet, please get in touch with our sales team (sales@nevisnetworks.com) for a NAC demo, today!

Neeraj Thakar

Posted in Patch Tuesday, Vulnerabilities

Why are My Endpoints Not Up-to-Date?

This is the question that most IT administrators and organizational security teams have been asking us for the last couple of years. These organizations have a patch management system to automatically push OS patches to the endpoints and also an AV/AS server to automatically update the antivirus signature (.DAT) files on the endpoints. In spite of these measures, many endpoints are not updated.

Based on our experience in the field and feedback received from our customers, the reasons for non-compliance generally vary with the size of the organization. So, broadly, the reasons can be broken down by the following categories of organization.

  • Large organizations having headquarters (HQ) and branches distributed in geographically different locations connecting over WAN links
  • Small to medium size organizations located in the same building or premises

Large Size Organizations: These organizations have a Patch Management System and AV/AS server placed at the HQ. The branches in various geographical locations connect to the HQ over leased lines or MPLS links. The number of endpoints in the organization can be over 3000.

Typical issues faced by such organizations, due to which the endpoints are not updated to the latest OS patches on the Patch Management Server or to the latest .DAT files on the AV/AS server, are:

  • The last-mile link speed is typically low, for example 64 Kbps.
  • Large patches take a long time to download. Before the download completes, the end user switches off the endpoint at the end of the day, as policy in many large organizations requires.
  • If multiple machines are trying to download patches from the HQ, the download for each endpoint takes even longer, which, coupled with the point above, aggravates the situation and leaves all of these endpoints unable to update.
  • Certain organizations have QoS parameters configured on intermediate routers or switches that give higher priority to business-critical application traffic. Hence the patch update traffic is given a lower priority, resulting in far slower patch downloads.
  • Many endpoints requesting patch downloads from the patch management server at once can overload it, so the server’s own performance goes down. This again results in lower speeds.
  • Certain patches require a reboot of the host machine. End users typically postpone rebooting their machines for a long time.

All the above factors together compound the problem further.

Another related point worth mentioning in this discussion is that as the number of endpoints goes beyond 5000, IT administrators find it very difficult to locate or physically track down non-compliant endpoints to take manual corrective action. This problem is further compounded by the fact that the IT administrators have no easy or user-friendly way to find out the endpoints’ update status.

Small and Medium Size Organizations: These organizations have a Patch Management System and AV/AS server located on the local premises. The bulk of the endpoints are at the same location/premises or near the server location, connected with fibre cables. The users typically have admin rights on the endpoints. The number of endpoints varies from 500 to 3000.

Typical issues faced by these organizations, due to which the endpoints do not get updated to the latest OS patches on the Patch Management Server or to the latest .DAT files on the AV/AS server, are:

  • The end user has admin rights on the endpoint and disables the AV update agent, because AV products with Host IPS can make endpoint applications slower.
  • Some patches require a reboot of the end host machine. End users typically postpone rebooting their machines for a long time.

In summary, it is not enough to have a Patch Management and an AV/AS update server in place in an organization. What is important is to find out the reasons for the endpoint not being up-to-date. These reasons can be due to bandwidth constraints, network configuration issues, performance issues or end-user habits, which will vary in each organization.

To protect critical data servers against the vulnerabilities that “not up-to-date” endpoints carry, it is essential for IT administrators to find out the status of every endpoint on the network with respect to OS patch levels and AV/AS .DAT file versions. It would also be beneficial if endpoints that are not up-to-date with respect to the organizational servers were quarantined and then auto-remediated. Only after successful remediation should these machines be allowed to access the network. This is easily achieved using the Nevis solution comprising the LANenforcer and LANsight families of products. For details please check www.nevisnetworks.com.
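The reasons listed for the large-organization case (slow last-mile links, shared downloads, end-of-day shutdowns, pending reboots) and for the small/medium case (disabled AV agents) can be checked mechanically if the endpoint agent reports a few fields. The following added example, with a constructed policy and constructed endpoint records rather than any Nevis product code, assesses each endpoint, records why it is not up-to-date, estimates whether a pending download will finish before the end-of-day shutdown, and decides between allowing it on the network and quarantining it for remediation. The patch ids are placeholders and the .DAT threshold is made up.

```python
"""Evaluate per-endpoint status records, explain why each one is not up to date, and
decide allow vs quarantine-and-remediate.  Added example with a constructed policy and
constructed records; it is not Nevis LANenforcer/LANsight code."""
from collections import Counter
from dataclasses import dataclass

# Constructed policy.  Patch ids are placeholders, not real KB numbers.
REQUIRED_PATCHES = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}
MIN_DAT_VERSION = 6300          # constructed minimum AV .DAT number
SHUTDOWN_HOUR = 18.0            # users power endpoints off at end of day


@dataclass
class Endpoint:
    host: str
    installed: set                  # patch ids present on the endpoint
    dat_version: int                # AV signature (.DAT) number reported by the agent
    reboot_pending: bool = False
    av_agent_running: bool = True
    link_kbps: int = 64             # last-mile link speed to the HQ servers
    concurrent_downloads: int = 1   # endpoints pulling patches over the same link
    pending_bytes: int = 0          # size of the patches still to download
    hour_now: float = 9.0           # time of day the check runs


def download_hours(nbytes, link_kbps, concurrent=1):
    """Wall-clock hours to pull nbytes when `concurrent` endpoints share one link_kbps
    link (fair-share model: each endpoint gets link_kbps / concurrent)."""
    if link_kbps <= 0 or concurrent <= 0:
        raise ValueError("link speed and concurrency must be positive")
    return nbytes * 8 * concurrent / (link_kbps * 1000.0) / 3600.0


def assess(ep):
    """Return (action, reasons).  action is 'allow' or 'quarantine'; reasons are codes
    an administrator can act on without visiting the machine."""
    reasons = []
    missing = REQUIRED_PATCHES - ep.installed
    if missing:
        reasons.append("missing_patches:" + ",".join(sorted(missing)))
        hours = download_hours(ep.pending_bytes, ep.link_kbps, ep.concurrent_downloads)
        if ep.hour_now + hours > SHUTDOWN_HOUR:
            reasons.append("download_wont_finish_before_shutdown")   # the WAN-branch case
    if ep.reboot_pending:
        reasons.append("reboot_pending")                # patch staged but not yet active
    if not ep.av_agent_running:
        reasons.append("av_agent_disabled")             # the admin-rights-user case
    if ep.dat_version < MIN_DAT_VERSION:
        reasons.append("dat_outdated")
    return ("allow" if not reasons else "quarantine"), reasons


def summarize(endpoints):
    """Count reason codes across the fleet: the 'why' view admins usually lack."""
    counts = Counter()
    for ep in endpoints:
        _, reasons = assess(ep)
        counts.update(r.split(":")[0] for r in reasons)
    return dict(counts)


# Constructed records illustrating the cases described in the post.
SAMPLE_ENDPOINTS = [
    Endpoint("hq-ws-01", {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}, 6310),
    Endpoint("branch-ws-07", {"KB-PLACEHOLDER-1"}, 6305, link_kbps=64,
             concurrent_downloads=10, pending_bytes=50_000_000),
    Endpoint("hq-ws-12", {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}, 6310, reboot_pending=True),
    Endpoint("smb-ws-03", {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}, 6200, av_agent_running=False),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(ep.host, *assess(ep))
    print(summarize(SAMPLE_ENDPOINTS))
```

With the 64 Kbps branch link from the post, a 50 MB patch alone takes about 1.7 hours; ten endpoints sharing that link push each one past 17 hours, which is why none of them completes before the shutdown. The summary counts give the per-reason view that the post says administrators usually lack.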

Author: Girish Kale

Posted in Endpoint Security