WatchGuard Live Security Three Visio Code Execution Vulnerabilities

February 11, 2009

Severity: Medium

10 February, 2009

Summary:

§  This vulnerability affects: All current versions of Visio

§  How an attacker exploits it: By enticing one of your users into opening a maliciously crafted Visio document

§  Impact: An attacker can execute code, potentially gaining complete control of your users’ computers

§  What to do: Deploy the appropriate Visio patch as soon as possible

Exposure:

Microsoft Visio is a very popular diagramming application, which many administrators use to create network diagrams.

In a security bulletin released today, Microsoft describes three security vulnerabilities that affect all current versions of Visio (but not the standalone viewer application). Though technically different, all three vulnerabilities share the same scope and impact: By enticing one of your users into downloading and opening a maliciously crafted Visio document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path:

Microsoft has released patches to fix these vulnerabilities. You should download, test, and deploy the appropriate Visio patch as soon as possible.

§  Visio 2002

§  Visio 2003

§  Visio 2007

For All WatchGuard Users:

If the practice fits your business environment, you can use the HTTP and SMTP proxies to block Visio documents with the .VSD extension. However, using this method blocks all such files, both malicious and legitimate. If you would like to use our proxies to block Visio documents, follow the links below for instructions:

§  Firebox X Edge running 10.x

    §  How do I block files with the FTP proxy?

    §  How do I block files with the HTTP proxy?

    §  How do I block files with the POP3 proxy?

    §  How do I block files with the SMTP proxy?

§  Firebox X Core and X Peak running Fireware 10.x

    §  How do I block files with the FTP proxy?

    §  How do I block files with the HTTP proxy?

    §  How do I block files with the POP3 proxy?

    §  How do I block files with the SMTP proxy?

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

§  MS Security Bulletin MS09-005


WatchGuard Live Security February’s Cumulative IE Patch Corrects Two Critical Vulnerabilities

February 11, 2009

Severity: High

10 February, 2009

Summary:

§  This vulnerability affects: Internet Explorer 7 and earlier versions

§  How an attacker exploits it: By enticing one of your users to visit a malicious web page or link

§  Impact: In the worst case, the attacker can execute code on your user’s computer, gaining complete control of it

§  What to do: Deploy the appropriate Internet Explorer patches immediately

Exposure:

In a security bulletin released today as part of its monthly patch update, Microsoft describes two vulnerabilities in Internet Explorer (IE) 7.0. These flaws may also affect IE 5.x and 6.x; however, Microsoft no longer supports those versions.

Though they differ technically, both vulnerabilities share the same general characteristics: IE doesn’t properly handle certain HTML objects or elements, which causes memory corruption. By luring one of your users into visiting a maliciously crafted web page, an attacker can exploit either of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could gain complete control of the victim’s computer.

In addition to fixing these two newly announced flaws, today’s Internet Explorer patch also fixes all previously known flaws.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches as soon as possible.

§  Internet Explorer 7.0

    §  For Windows XP

    §  For Windows XP x64

    §  For Windows Server 2003

    §  For Windows Server 2003 x64

    §  For Windows Server 2003 Itanium

    §  For Windows Vista

    §  For Windows Vista x64

    §  For Windows Server 2008

    §  For Windows Server 2008 x64

    §  For Windows Server 2008 Itanium

Note: While these flaws may also affect older versions of IE, Microsoft currently only supports IE 7.0. If you use an older version, you should upgrade to 7.0, then apply this patch.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

§  MS Security Bulletin MS09-002


WatchGuard Live Security Maliciously Crafted Email Can Pwn Your Exchange Server

February 11, 2009

Severity: High

10 February, 2009

Summary:

§  This vulnerability affects: All current versions of Exchange Server

§  How an attacker exploits it: By sending a specially crafted email (no user interaction necessary)

§  Impact: An attacker can potentially gain control of your Exchange Server

§  What to do: Deploy the appropriate Exchange Server patch immediately

Exposure:

Microsoft Exchange is one of the most popular email servers used today.

In a security bulletin released today, Microsoft describes two security vulnerabilities that affect all current versions of Exchange. The worst of these flaws has to do with how Exchange handles any email that uses a special formatting called the Transport Neutral Encapsulation Format (TNEF). By sending a specially crafted TNEF email to any valid account, an attacker could exploit this vulnerability to execute code on your email server with the same privileges as the Exchange Server service account. In some cases, this special Exchange account has administrative privileges, which means an attacker could potentially exploit this vulnerability to gain complete control of your email server. Not only would this earn the attacker full access to your sensitive email, it also provides a valuable foothold for the attacker to penetrate the rest of your network. You should consider this flaw of the utmost risk and patch it immediately.

Microsoft’s bulletin also describes a lower risk Denial of Service (DoS) vulnerability in Exchange. However, the TNEF vulnerability alone should convince most administrators to patch right away.

Solution Path:

Microsoft has released patches to fix these vulnerabilities. You should download, test, and deploy the appropriate Exchange patch as soon as possible.

§  Exchange Server 2000 w/SP3

§  Exchange Server 2003 w/SP2

§  Exchange Server 2007 w/SP1

For All WatchGuard Users:

An attacker can only exploit this vulnerability by sending a specially crafted TNEF email, which typically includes a TNEF attachment with the Application/MS-TNEF MIME type. To mitigate the risk of this vulnerability, you can use your Firebox’s SMTP proxy to block all attachments with the Application/MS-TNEF MIME type. Keep in mind that doing this will also block legitimate TNEF-formatted emails. If you would like to block the TNEF MIME type, the help files below contain instructions on how to allow or block MIME types within our SMTP proxy:

§  Edge SMTP proxy help

§  WFS SMTP proxy help
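
The MIME-type block described above, sketched as a stand-alone mail check. This is an added example, not WatchGuard or Microsoft code. It also inspects the decoded attachment bytes for the TNEF signature, because a filter that trusts only the declared MIME type misses a TNEF part carrying a different label. The sample messages, addresses and file names are constructed for illustration.

```python
# Added example: flag TNEF attachments the way a mail filter could.
from email import message_from_bytes, policy
from email.message import EmailMessage

# MIME labels used for TNEF; get_content_type() returns lower case.
TNEF_MIME_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}
# TNEF streams begin with 0x223E9F78, stored little-endian.
TNEF_SIGNATURE = bytes.fromhex("789f3e22")


def find_tnef_parts(raw: bytes) -> list:
    """Return (content_type, reason) for each MIME part that looks like TNEF."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into forwarded messages
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ctype in TNEF_MIME_TYPES:
            hits.append((ctype, "declared MIME type"))
        elif payload.startswith(TNEF_SIGNATURE):
            # Label says something else, but the bytes are TNEF.
            hits.append((ctype, "TNEF signature in body"))
    return hits


def should_block(raw: bytes) -> bool:
    return bool(find_tnef_parts(raw))


def make_sample(subtype: str, data: bytes, filename: str) -> bytes:
    """Build a constructed test message with one attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attachment.")
    m.add_attachment(data, maintype="application", subtype=subtype,
                     filename=filename)
    return m.as_bytes()


# Constructed payloads: a signature-only stub, not a real TNEF stream.
STUB = TNEF_SIGNATURE + b"\x00" * 12
LABELLED = make_sample("MS-TNEF", STUB, "winmail.dat")
MISLABELLED = make_sample("octet-stream", STUB, "notes.bin")
BENIGN = make_sample("pdf", b"%PDF-1.4 constructed", "report.pdf")

if __name__ == "__main__":
    for name, raw in [("labelled", LABELLED), ("mislabelled", MISLABELLED), ("benign", BENIGN)]:
        print(name, should_block(raw), find_tnef_parts(raw))
```

As the advisory notes for the proxy rule, a check like this also stops legitimate TNEF mail, so it is a stopgap until the Exchange patch is deployed.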

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

§  MS Security Bulletin MS09-003


WatchGuard Releases Version 10.2.7 for WSM, Edge, Fireware, and Fireware Pro

February 5, 2009

WatchGuard is pleased to announce the availability of version 10.2.7 of WatchGuard System Manager, Edge, Fireware, and Fireware Pro. This update is a maintenance release and contains a number of enhancements and fixes for critical issues as reported by WatchGuard customers.

Contained in this release are:

  • Improvements to configuration save behavior in Fireware
  • Improvements to High Availability in Fireware
  • An enhancement, adding the ability to create Traffic Management, Policy Scheduling, and QoS actions on Drag and Drop VPN tunnels
  • Improvements to Server Load Balancing in Fireware
  • Improvements to Mobile VPN with SSL client behavior
  • A fix for Firebox (Core) stability issues under certain conditions
  • Improvement to SSL VPN user authentication on Edge
  • A fix for e-Series BOVPN stability issues under certain conditions
  • A fix for an Edge spamBlocker Exception List problem

Does This Release Pertain to Me?

10.2.7 is a regularly scheduled maintenance release. If you are impacted by any of the issues outlined above or those contained in the Release Notes, you should consider upgrading to version 10.2.7. Before you upgrade please read the Release Notes to better understand what’s involved.

How Do I Get the Release?

Firebox X Edge, Core, and Peak e-Series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Software Downloads web page, which also includes clear installation instructions. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

LiveSecurity | Urgent: Latest Firefox Update Fixes Eight Security Flaws

February 4, 2009

Severity: Medium

4 February, 2008

Summary:

§  This vulnerability affects: Firefox 3.0.5 (and previous versions) for Windows, Linux, and Macintosh

§  How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page

§  Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it

§  What to do: Upgrade to Firefox 3.0.6

Exposure:

Late yesterday, the Mozilla Foundation released Firefox 3.0.6, fixing approximately eight security vulnerabilities (based on CVE-IDs) in the popular web browser. We summarize three of the vulnerabilities below:

§  Memory corruption vulnerabilities (2009-001). Firefox suffers from several crash bugs, which corrupt memory. Mozilla’s alert shares scant detail about these memory corruption flaws, but it does say the flaws lie within Firefox’s layout engine and its JavaScript engine (the flaws also affect some other Mozilla-based products). Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. And if the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
Mozilla Impact rating: Critical

§  XSS vulnerability in chrome XBL method (2009-002). Firefox suffers from a cross-site scripting (XSS) vulnerability involving the way it handles a particular method (specifically, the chrome XBL method). By enticing one of your users into clicking a specially crafted link, an attacker can exploit this flaw to bypass the same origin policy. Among other things, this allows attackers to execute scripts under the context of a legitimate web site or read data from a legitimate site. For instance, if your users visit secure web sites which store sensitive data, an attacker might leverage this flaw to steal that sensitive data.
Mozilla Impact rating: High

§  XSS vulnerabilities in SessionStore (2009-003). Since version 2.x, Firefox has shipped with a SessionStore feature that saves your current browser session data. For example, if Firefox crashes when you have several web sites opened in various tabs, Firefox can recover all those tabs and web sessions when you re-run the program. Unfortunately, Firefox suffers from a convoluted security vulnerability involving the way SessionStore restores closed tabs. If an attacker knows the specific location of a file he’d like to steal, and can convince one of your users to close and then restore a Firefox tab, he can exploit this vulnerability to steal any file on that user’s computer.
Mozilla Impact rating: High

Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that this update fixes.

Solution Path:

Mozilla has updated Firefox 3, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.0.6 as soon as possible. We recommend that 1.5.x and 2.x users migrate to 3.0.6 now.

§  Windows

§  Linux

§  Mac OS X

Note: The latest versions of Firefox 3.0 automatically inform you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

For All Users:

Many of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.0.6, fixing these security issues.

References:

§  Firefox 3.0.6 Release Notes

§  Vulnerabilities Fixed in Firefox 3.0.6