eEye Digital Security - Vulnerability Expert Forum, August 2011


Description

eEye’s monthly Vulnerability Expert Forum provides a complete analysis of recently announced critical vulnerabilities from Microsoft and other software vendors. Join us the second Wednesday of each month - the day after Patch Tuesday, when Microsoft discloses their monthly patches – to get:

- A complete analysis of the latest critical vulnerabilities, vendor patches, and zero-day threats
- Detailed assessment of the true criticality of each patch to best prioritize rollout
- Expert guidance on the actions necessary to protect your systems

Transcript of eEye Digital Security - Vulnerability Expert Forum, August 2011

Page 1: eEye Digital Security - Vulnerability Expert Forum, August 2011

eEye Digital Security

1.866.339.3732

www.eEye.com

[email protected]

Vulnerability Expert Forum

August 10, 2011

Page 2

Agenda

About eEye

Microsoft’s August Security Bulletins

Other Vendor Updates

Security Landscape: Other InfoSec News

Other Other News?

Secure and Comply with eEye

Q&A

Page 3

eEye at a Glance

Industry Pioneers

• Leaders in IT security since 1998
• Developed one of the first vulnerability scanners
• Growing and profitable

Security Experts

• Seasoned security professionals
• Thousands of customers
• Some of the largest VM installations in the world

Thought Leaders

• World-renowned security research team
• Trusted advisors to organizations across industries and sizes

Award-Winning Solutions

• Recognized product leadership
• Securing companies of all sizes
• Unparalleled services and support

Page 4

Why eEye

Making the Complex Simple

Unified

Efficient

Effective

The Industry Experts Say…

“Retina provides a solid feature set with easy-to-use scanning controls. It’s an excellent vulnerability scanner at a good price. This one gets our Best Buy.”

“eEye Digital Security raises the standard in enterprise endpoint protection with a management console that could almost be called next generation.”

“eEye’s security research team continues to provide good Windows vulnerability coverage and mitigation advice for zero-day vulnerabilities.”

“Retina has many desirable features…and an extremely flexible reporting portal. The product is also attractively priced.”

Page 5

eEye Research Services

eEye Preview

• Advanced Vulnerability Information
• Full Zero-Day Analysis and Mitigation
• Custom Malware Analysis
• eEye Research Tool Access
• Includes Managed Perimeter Scanning

eEye AMP

• Any Means Possible Penetration Testing
• Gain true insight into network insecurities
• “Capture-The-Flag” Scenarios

eEye Custom Research

• Exploit Development
• Malware Analysis
• Forensics Support
• Compliance Review

Page 6

Microsoft August Security Bulletins

13 Total Bulletins; 22 Issues Fixed

Cumulative Security Update for Internet Explorer (2559049)

Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)

Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656)

Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2560978)

Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250)

Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege (2566454)

Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680)

Page 7

Microsoft August Security Bulletins (cont.)

13 Total Bulletins; 22 Issues Fixed

Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894)

Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222)

Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943)

Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)

Vulnerability in Windows Kernel Could Allow Denial of Service (2556532)

Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)

Page 8

Microsoft Security Bulletin: MS11-057

7 Vulnerabilities Fixed in Bulletin

Window Open Race Condition Vulnerability - CVE-2011-1257

Event Handlers Information Disclosure Vulnerability - CVE-2011-1960

Telnet Handler Remote Code Execution Vulnerability - CVE-2011-1961

Shift JIS Character Encoding Vulnerability - CVE-2011-1962

XSLT Memory Corruption Vulnerability - CVE-2011-1963

Style Object Memory Corruption Vulnerability - CVE-2011-1964

Drag and Drop Information Disclosure Vulnerability - CVE-2011-2383

Severity: Critical

IE Gets a Band-Aid

5 privately disclosed, 2 publicly disclosed issues

Remote Code Execution via specially crafted web page

JavaScript, Rendering, Memory handling, Cookie fixes…

Mitigations

Disable scripting, read emails in plain text

Disable WebClient, block TCP ports 139 and 445

Rename default cookie folder

Page 9

Microsoft Security Bulletin: MS11-058

2 Vulnerabilities Fixed in Bulletin

DNS NAPTR Query Vulnerability - CVE-2011-1966

DNS Uninitialized Memory Corruption Vulnerability - CVE-2011-1970

Severity: Critical

DNS: DNQ

Two privately reported issues with Windows DNS server

Attacker could remotely execute code by registering a domain, sending specially crafted NAPTR query

Affects Server 2008/R2 (x86 and x64)

Mitigations

Disable DNS if you’re not using it…

Page 10

Microsoft Security Bulletin: MS11-059

1 Vulnerability Fixed in Bulletin

Data Access Components Insecure Library Loading Vulnerability - CVE-2011-1975

Severity: Important

Data Access Components DLL Hijack

WebDAV, WebDAV, WebDAV

WebDAV

Mitigations

Disable loading of libraries from WebDAV

Disable WebClient

Block TCP ports 139 and 445

Page 11

Microsoft Security Bulletin: MS11-060

2 Vulnerabilities Fixed in Bulletin

pStream Release RCE Vulnerability - CVE-2011-1972

Move Around the Block RCE Vulnerability - CVE-2011-1979

Severity: Important

Visio – now with RCE

Specially crafted Visio file

Only rated as ‘Important’ despite Remote Code Execution

Privately reported

Mitigations

Do not open untrusted Office files

Be aware of Spear Phishing

Page 12

Microsoft Security Bulletin: MS11-061

1 Vulnerability Fixed in Bulletin

Remote Desktop Web Access Vulnerability - CVE-2011-1263

Severity: Important

RDP XSS EoP

Fixes a privately reported XSS issue within Remote Desktop Web Access

Attacker could execute arbitrary commands

IE’s XSS filter prevents this attack (nice)

Mitigations

Use the XSS filter in Internet Explorer

Enable the XSS filter in the Intranet Zone for added safety

Page 13

Microsoft Security Bulletin: MS11-062

1 Vulnerability Fixed in Bulletin

NDISTAPI Elevation of Privilege Vulnerability - CVE-2011-1974

Severity: Important

The Vulnerability That Keeps On Giving

Only affects Server 2003 and XP

Attacker must authenticate and then run a specially crafted program

The fix sanitizes user-mode input before passing it to the kernel

Mitigations

No reasonable mitigations currently exist

Page 14

Microsoft Security Bulletin: MS11-063

1 Vulnerability Fixed in Bulletin

CSRSS Vulnerability - CVE-2011-1967

Severity: Important

CSRSSIN

Attacker must authenticate and then run a specially crafted program

Program sends device event messages to higher-integrity process

Mitigations

No reasonable mitigations currently exist

Page 15

Microsoft Security Bulletin: MS11-064

2 Vulnerabilities Fixed in Bulletin

ICMP Denial of Service Vulnerability - CVE-2011-1871

TCP/IP QOS Denial of Service Vulnerability - CVE-2011-1965

Severity: Important

TCP/IP Stack Flaw

Privately reported DoS

Specially crafted ICMP packets

Specially crafted URL requests to a Web server running URL-based Quality of Service

Mitigations

Block ICMP

Disable Policy-based QoS

Page 16

Microsoft Security Bulletin: MS11-065

1 Vulnerability Fixed in Bulletin

Remote Desktop Protocol Vulnerability - CVE-2011-1968

Severity: Important

More RDP issues…

DoS via specially crafted RDP packets

Limited use in the wild

Only affects XP and Server 2003

Mitigations

Disable Terminal Services, Remote Desktop, Remote Assistance, and Windows Small Business Server 2003 Remote Web Workplace if you’re not using those services

Block TCP port 3389 (RDP)

Page 17

Microsoft Security Bulletin: MS11-066

1 Vulnerability Fixed in Bulletin

Chart Control Information Disclosure Vulnerability - CVE-2011-1977

Severity: Important

ASP.NET Chart Controls

Privately reported

Attacker could gain access to information via specially crafted GET request to a server running Chart controls

Could use information to perform other attacks on the target system

Mitigations

No reasonable mitigations currently exist

Page 18

Microsoft Security Bulletin: MS11-067

1 Vulnerability Fixed in Bulletin

Report Viewer Controls XSS Vulnerability - CVE-2011-1976

Severity: Important

Yeah, I’m gunna need you to come in on Saturday…

Report Viewer improperly validates parameters within a data source

Attacker could use this to siphon sensitive data

Mitigations

Disable scripting

Page 19

Microsoft Security Bulletin: MS11-068

1 Vulnerability Fixed in Bulletin

Windows Kernel Metadata Parsing DoS Vulnerability - CVE-2011-1971

Severity: Moderate

Kernel Panic!

Kernel DoS when parsing metadata while browsing to a folder

Attacks could come from network shares containing specially crafted files

Mitigations

Disable WebClient

Disable Preview and Details pane in Explorer

Block TCP ports 139 and 445
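Several of the workarounds above recur across bulletins: disable WebClient and block TCP 139/445 (MS11-057, MS11-059, MS11-068), stop DLL loading from WebDAV (MS11-059), and turn on the IE XSS filter for the Intranet zone (MS11-061). The script below is an added example, not from the deck or from eEye, that audits whether those workarounds are in place and, with -Apply, enforces them. The registry values are Microsoft's documented ones (CWDIllegalInDllSearch from KB2264107; Internet zone setting 1409 from KB182569). The firewall rule name, the report layout and the assumption of an elevated PowerShell 2.0 or later session on a Windows 7 / Server 2008 R2 era host are this example's own.

```powershell
<#
Added example (not eEye's code): audit, and with -Apply enforce, the
workarounds the deck lists for MS11-057, MS11-059, MS11-068 and MS11-061.
Assumes: elevated PowerShell 2.0+, Windows 7 / Server 2008 R2 era host,
Windows Firewall with Advanced Security in use. Rule name is this example's.
#>
param([switch]$Apply)

$ruleName = 'Block outbound SMB 139,445 (VEF workaround)'   # example's own rule name
$sessKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$zoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'  # zone 1 = Local Intranet

if ($Apply) {
    # MS11-057 / MS11-059 / MS11-068: disable the WebDAV mini-redirector so
    # \\server@port\share paths cannot be resolved at all
    Set-Service -Name WebClient -StartupType Disabled
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue

    # MS11-059: CWDIllegalInDllSearch = 2 removes any remote (WebDAV or UNC)
    # current directory from the DLL search path; 1 would cover WebDAV only
    Set-ItemProperty -Path $sessKey -Name CWDIllegalInDllSearch -Value 2 -Type DWord

    # MS11-057 / MS11-059 / MS11-068: keep SMB/NetBIOS sessions from leaving the host
    netsh advfirewall firewall add rule name="$ruleName" dir=out action=block `
        protocol=TCP remoteport=139,445 | Out-Null

    # MS11-061: 1409 = 0 turns the XSS filter on; the Intranet zone defaults to 3 (off)
    Set-ItemProperty -Path $zoneKey -Name '1409' -Value 0 -Type DWord
}

# ---- audit: one row per workaround, OK = True when it is in place ----------
$svc      = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
$svcState = if ($svc) { "$($svc.State) / $($svc.StartMode)" } else { 'not installed' }
$svcOk    = (-not $svc) -or ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')

# REG_DWORD reads back as Int32, so the documented 0xFFFFFFFF setting shows up as -1
$cwd   = (Get-ItemProperty -Path $sessKey -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
$cwdOk = @(1, 2, -1) -contains $cwd
$cwdTx = if ($null -eq $cwd) { 'not set (default DLL search order)' } else { '0x{0:X8}' -f $cwd }

$xss   = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).'1409'
$xssOk = ($xss -eq 0)
$xssTx = if ($null -eq $xss) { 'not set (Intranet default = off)' } else { $xss }

# netsh prints "No rules match the specified criteria." when the rule is absent
$ruleText = netsh advfirewall firewall show rule name="$ruleName"
$ruleOk   = [bool]($ruleText -match 'Rule Name:')

$rows = @(
    (New-Object PSObject -Property @{ Check = 'WebClient stopped and disabled'; Value = $svcState; OK = $svcOk }),
    (New-Object PSObject -Property @{ Check = 'CWDIllegalInDllSearch set';      Value = $cwdTx;    OK = $cwdOk }),
    (New-Object PSObject -Property @{ Check = 'Outbound TCP 139/445 blocked';   Value = $ruleName; OK = $ruleOk }),
    (New-Object PSObject -Property @{ Check = 'IE XSS filter on in Intranet';   Value = $xssTx;    OK = $xssOk })
)
$rows | Format-Table Check, Value, OK -AutoSize
```

Run it without arguments to see the four rows for the current host, or with -Apply on a pilot group first: disabling WebClient breaks WebDAV drive mappings and some SharePoint features, and the outbound 139/445 block stops file-share access from that host, so both should be staged like any other change. The firewall check only confirms that a rule with the expected name exists; if you manage rules by policy, confirm the rule is enabled in the resulting policy rather than relying on the name alone. The XSS filter value is read from HKCU, so it reflects the user running the script, not a machine-wide policy.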

Page 20

Microsoft Security Bulletin: MS11-069

1 Vulnerability Fixed in Bulletin

Socket Restriction Bypass Vulnerability - CVE-2011-1978

Severity: Moderate

Loose Sockets

Information Disclosure via XAML capable browsers

Could be used to bypass Code Access Security restrictions

Mitigations

Disable XAML browser applications in IE

Page 21

More Microsoft Updates

Microsoft Security Advisory (2562937)

Update Rollup for ActiveX Kill Bits

• CheckPoint SSL VPN On-Demand applications
• IBM Rational System Architect ActiveBar
• Honeywell EBI R Web Toolkit

Bulletin Re-releases

MS11-049 (XML Editor) – Important

MS11-043 (SMB Client) – Critical

MS11-025 (MFC Library) – Important


Page 22

VEF Contest

Simply Like Us on Facebook; eEye’s Facebook page is http://www.facebook.com/eeyedigitalsecurity

Contest ends on 8/31/11 at noon PST

Prize: Amazon Kindle + $25 Amazon gift card

Page 23

Oracle Critical Patch Update – July 2011

78 Vulnerabilities Addressed

Affecting Database, Fusion Middleware, Enterprise Manager Suite, E-Business Suite, Siebel and Oracle Supply Chain, PeopleSoft, JD Edwards, Industry Applications, and Oracle Sun Product Suite

46 Vulnerabilities are remotely exploitable without authentication

47 Vulnerabilities Scoring 4.0 to 6.1 CVSS v2 Base Score

33 Vulnerabilities Scoring 6.4 or higher CVSS v2 Base Score

OpenOffice Moves to Apache Incubator Project

Oracle controlled OpenOffice as part of the Sun acquisition

This was not updated as part of the CPU, nor will it be in the future

Previous patches from Oracle require an account

OpenOffice.org still hosts the older, vulnerable version

Beta versions are available that incorporate the vulnerability fixes; however, they may not be desirable for production environments


Page 24

Adobe Updates – August 2011

Shockwave Player (APSB11-19)

Affecting 11.6.0.626 and prior on Windows and Mac OS

7 memory corruption vulnerabilities leading to remote arbitrary code execution

Fixed in version 11.6.1.629 and newer

Flash Player (APSB11-21)

Affecting Flash 10.x on Windows, Mac OS X, UNIX/Linux, Android, Google Chrome; also affects Adobe AIR

Multiple vulnerabilities (overflows, memory corruptions, cross-site information disclosure) leading to arbitrary code execution

Flash fixed in 10.3.183.5 for Windows/Mac/*nix, 10.3.186.3 for Android, and 10.3.183.5 for Google Chrome

AIR fixed in 2.7.1 and newer, AIR for Android fixed in 2.7.1.1961 & newer


Page 25

Adobe Updates – August 2011 (cont.)

Flash Media Server (APSB11-20)

Affecting 4.0.2, 3.5.6, and prior on Windows and Linux

Memory corruption leading to denial of service condition

Fixed in 4.0.3, 3.5.7, and newer

Photoshop CS5 (APSB11-22)

Affecting CS5 and CS5.1 on Windows and Mac OS

Memory corruption when handling a specially crafted .GIF leading to arbitrary code execution

Apply the Standard Multiplugin Update for the applicable operating system

RoboHelp (APSB11-23)

Affecting RoboHelp and RoboHelp Server 9.0.1.232 and prior, and 8.x versions

Improper input sanitization on user-supplied data could allow remote users to conduct cross-site scripting attacks

Apply the hotfix for the applicable version


Page 26

Security Landscape - More than a Microsoft World

CTO/CSO/CxO News

Adobe Acquires EchoSign

In Attacking Tethering, Verizon Isn’t Playing by the Rules

Many employees would sell corporate information, finds study

IT Admin News

Anonymous Takes Aim At Google+ in More Ways Than One

Flash Malware Leads to Poison Ivy RAT on Human Rights Site

Defcon: the Lesson of Anonymous? Corporate Security Sucks

Researcher News

Zeus Banking Trojan Hits Android Phones

Global ATM Skimming Ring Busted

DNS agility leads to botnet detection

Hackers Use Frequent Flyer Miles As Currency

Page 27

Other Other News

Black Hat

Defcon


Page 28

Vulnerability Cheat Sheet

http://redmine.corelan.be/projects/corelanart/files


Page 29

Connect with eEye

http://blog.eeye.com

http://www.facebook.com/eEyeDigitalSecurity

http://www.twitter.com/eEye

http://www.YouTube.com/eEyeDigitalSecurity

Page 30

eEye Unified Vulnerability Management

Automation and Efficiency = Minimized Risk and Lower TCO

SECURITY RESEARCH

MANAGE AND REPORT

• End-to-end vulnerability and compliance management
• Centralized management, reporting, and controls
• Assess, mitigate, and protect from one console
• Advanced trending and analytics

ASSESS

• Vulnerability Scanning
• Configuration Auditing
• Asset Discovery & Inventory
• Zero-Day Vulnerability Identification
• Vulnerability Reporting
• Compliance Auditing

MITIGATE

• Integrated Patch Management
• Prioritized Mitigation
• Risk Scoring
• Security Alerts
• Prescriptive Remediation Reporting

PROTECT

• Zero-Day Protection
• Intrusion Prevention
• Web Protection
• Application Protection
• System Protection

Page 31

Visit eEye http://www.eEye.com

About Us, Solutions, Awards, Resources, Downloads

Visit the eEye Security Resource Center http://www.eEye.com/Resources

Demos, Guides, Whitepapers, Videos, Webinars, Events

Contact Us 1.866.339.3732 or [email protected]

Start Today