eEye Digital Security - Vulnerability Expert Forum, September 2011
DESCRIPTION
eEye’s monthly Vulnerability Expert Forum provides a complete analysis of recently announced critical vulnerabilities from Microsoft and other software vendors. Join us the second Wednesday of each month - the day after Patch Tuesday, when Microsoft discloses their monthly patches – to get:
• A complete analysis on the latest critical vulnerabilities, vendor patches, and zero-day threats
• Detailed assessment of the true criticality of each patch to best prioritize rollout
• Expert guidance on the actions necessary to protect your systems
TRANSCRIPT
eEye Digital Security 1.866.339.3732 www.eEye.com [email protected]
Vulnerability Expert Forum
September 15, 2011
Agenda
About eEye
Microsoft’s September Security Bulletins
Other Vendor Updates
Security Landscape: Other InfoSec News
Secure and Comply with eEye
Q&A
eEye at a Glance
Security Experts
Seasoned security professionals
Thousands of customers
Some of the largest VM installations in the world
Award-Winning Solutions
Recognized product leadership
Securing companies of all sizes
Unparalleled services and support
Industry Pioneers
Leaders in IT security since 1998
Developed one of the first vulnerability scanners
Growing and profitable
Thought Leaders
World-renowned security research team
Trusted advisors to organizations across industries and sizes
Why eEye
Making the Complex Simple
Unified
Efficient
Effective
The Industry Experts Say…
“Retina provides a solid feature set with easy-to-use scanning controls. It’s an excellent vulnerability scanner at a good price. This one gets our Best Buy.”
“eEye Digital Security raises the standard in enterprise endpoint protection with a management console that could almost be called next generation.”
“eEye’s security research team continues to provide good Windows vulnerability coverage and mitigation advice for zero-day vulnerabilities.”
“Retina has many desirable features…and an extremely flexible reporting portal. The product is also attractively priced.”
eEye Research Services
eEye Preview
• Advanced Vulnerability Information
• Full Zero-Day Analysis and Mitigation
• Custom Malware Analysis
• eEye Research Tool Access
• Includes Managed Perimeter Scanning
eEye AMP
• Any Means Possible Penetration Testing
• Gain true insight into network insecurities
• “Capture-The-Flag” Scenarios
eEye Custom Research
• Exploit Development
• Malware Analysis
• Forensics Support
• Compliance Review
Microsoft September Security Bulletins
5 Total Bulletins; 15 Issues Fixed
Vulnerability in WINS Could Allow Elevation of Privilege (2571621)
Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)
Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)
Microsoft Security Bulletin: MS11-070
1 Vulnerability Fixed in Bulletin
WINS Local Elevation of Privilege Vulnerability - CVE-2011-1984
Severity: Important
#WINS
Privately reported vulnerability
EoP possible if a user received a specially crafted WINS replication packet
Attacker must have valid logon credentials to exploit the vulnerability
Mitigations
No practical mitigations are available at this time
Microsoft Security Bulletin: MS11-071
1 Vulnerability Fixed in Bulletin
Windows Components Insecure Library Loading Vulnerability - CVE-2011-1991
Severity: Important
DLL PRELOADING IT NEVER ENDS
Publicly disclosed vulnerability
Can be triggered by loading .txt, .rtf or .doc files
Mitigations
Disable loading of libraries from WebDAV
Disable WebClient
Block TCP ports 139 and 445 at the firewall
Microsoft Security Bulletin: MS11-072
5 Vulnerabilities Fixed in Bulletin
Excel Use after Free WriteAV Vulnerability – CVE-2011-1986
Excel Out of Bounds Array Indexing Vulnerability – CVE-2011-1987
Excel Heap Corruption Vulnerability – CVE-2011-1988
Excel Conditional Expression Parsing Vulnerability – CVE-2011-1989
Excel Out of Bounds Array Indexing Vulnerability – CVE-2011-1990
Severity: Important
Excel can help you balance your budget and serve as a backdoor!
Privately reported, triggered by a maliciously crafted Excel file
Mitigations
Set Office File Validation to disable the opening of files that fail validation in Excel 2003 & 2007
Set Office File Validation to disable the edit in Protected View of files that fail validation in Excel 2010
MOICE
Microsoft Security Bulletin: MS11-073
2 Vulnerabilities Fixed in Bulletin
Office Component Insecure Library Loading Vulnerability – CVE-2011-1980
Office Uninitialized Object Pointer Vulnerability – CVE-2011-1982
Severity: Important
The Never Ending Vulnerability
Two privately reported issues
Mitigations
Disable loading of libraries from WebDAV
Disable WebClient
Block TCP ports 139 and 445 at the firewall
Use MOICE
Block the loading of binary files within Word, Excel, and PowerPoint 2007 and 2010
Definitely Falkor
Microsoft Security Bulletin: MS11-074
6 Vulnerabilities Fixed in Bulletin
XSS in SharePoint Calendar Vulnerability – CVE-2011-0653
HTML Sanitization Vulnerability – CVE-2011-1252
Editform Script Injection Vulnerability – CVE-2011-1890
Contact Details Reflected XSS Vulnerability – CVE-2011-1891
SharePoint Remote File Disclosure Vulnerability – CVE-2011-1892
SharePoint XSS Vulnerability – CVE-2011-1893
Severity: Important
Sharing… sometimes… is definitely not caring
SharePoint does not properly parse and sanitize XML and XSL files
JavaScript in specific request parameters not handled correctly
Mitigations
IE 8 & 9 XSS filter protects against the XSS attack
No other mitigations exist at this time
Apache Updates – August 2011
Byte-Range Filter Memory Exhaustion
Vulnerability when handling “Range” and “Request-Range” headers expressing multiple overlapping ranges
Leading to denial of service condition due to memory resource exhaustion
Exploitation seen in-the-wild
Public exploit code has been released
Affects version Apache 2.0 prior to 2.0.65 and version 2.2 prior to 2.2.20
Fixed in versions 2.0.65, 2.2.20, or newer
Some other info
Version 2.2.20 fixes the issue but has side effects (i.e. protocol defect/response)
Version 2.0.65 not yet released; expected September
Apache 1.3 is not vulnerable but could cause stress
LimitRequestFieldSize workaround is insufficient; newer mitigations involve handling “Range” and “Request-Range” headers
Details on mitigations at http://wiki.apache.org/httpd/CVE-2011-3192
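A detection-side sketch of the condition described above, added here as an example and not taken from the eEye deck or the Apache project: it parses “Range” and “Request-Range” headers from a raw request and counts how many ranges overlap. The sample requests, the host example.test and the max_ranges threshold of 5 are assumptions made for the example.

```python
import math

# Constructed sample requests (example.test is a placeholder host).
REQ_NORMAL = "GET /a.pdf HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-499,500-999\r\n\r\n"
REQ_OVERLAP = ("HEAD / HTTP/1.1\r\nHost: example.test\r\n"
               "Request-Range: bytes=0-,0-10,5-20,10-30,20-40,30-50\r\n\r\n")


def parse_ranges(value):
    """Parse 'bytes=a-b,c-,-n' into [(first, last)]; None if it is not a byte-range set."""
    unit, sep, spec = value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for part in spec.split(","):
        first, dash, last = (p.strip() for p in part.partition("-"))
        try:
            if not dash:
                return None
            if first == "":
                ranges.append((None, int(last)))  # suffix range: last N bytes
            else:
                ranges.append((int(first), int(last) if last else math.inf))
        except ValueError:
            return None
    return ranges


def count_overlaps(ranges):
    """Count ranges that start inside bytes already covered by another range.
    Suffix ranges are skipped: they cannot be placed without the file size."""
    overlaps, reach = 0, -1
    for first, last in sorted(r for r in ranges if r[0] is not None):
        if first <= reach:
            overlaps += 1
        reach = max(reach, last)
    return overlaps


def inspect_request(raw_request, max_ranges=5):
    """Return (header, range_count, overlaps, suspicious) per Range/Request-Range header."""
    results = []
    for line in raw_request.splitlines()[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        ranges = parse_ranges(value) if sep and name in ("range", "request-range") else None
        if ranges is None:
            continue
        overlaps = count_overlaps(ranges)
        # max_ranges is an assumed threshold for this example, not a vendor value.
        results.append((name, len(ranges), overlaps, len(ranges) >= max_ranges and overlaps > 0))
    return results
```
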
Adobe Updates – September 2011
Adobe Reader and Acrobat (APSB11-24)
13 vulnerabilities leading to remote arbitrary code execution
• Local Privilege Escalation (10.x Windows Only)
• Numerous overflows (heaps and stacks)
• Use-after-free
• Others (“security bypass”, “logic error”, “memory leakage condition”)
• 3 image parsing and 2 font related vulnerabilities; the rest are unspecified
Incorporates last month’s Flash Player fixes (APSB11-21)
Fixed in 10.1.1, 9.4.6, and 8.3.1 for Windows and Mac OS X
APSB11-24 heads-up
Support for 8.x on Windows and Mac OS X ends November 3, 2011 (oh snap)
Reader 9.4.6 for UNIX scheduled for release November 7, 2011 (double snap)
Next quarterly update scheduled for December 13, 2011
Cisco Updates – September 2011
CiscoWorks LAN Management Solution (SA-20110914-LMS)
Vulnerabilities when handling a crafted series of packets sent to TCP port 9002
Leading to remote unauthenticated arbitrary code execution
Versions 3.1, 3.2, and 4.0 are affected
No workarounds are available
Fixed in Cisco Prime LAN Management Solution version 4.1 and newer
Cisco Unified Service Monitor and Cisco Unified Operations Manager (SA-20110914-CUSM)
Same vulnerabilities as SA-20110914-LMS
Vulnerabilities when handling a crafted series of packets sent to TCP port 9002
Leading to remote unauthenticated arbitrary code execution
Versions prior to 8.6 are affected
No workarounds are available
Fixed in CUSM and CUOM version 8.6 and newer
Cisco Updates – September 2011 (continued)
Cisco Nexus Switches ACL Bypass (SA-20110907-NEXUS)
Cisco Nexus 5000 and 3000 Series Switches
Vulnerability when a remark is configured before a deny statement on an ACL
Could allow traffic to bypass “deny” statements in IP, VLAN, or MAC ACLs
All ACEs after a remark are affected; can work around by removing remarks
QoS classification and route-map ACLs are not affected
Nexus 3000 – fixed in NX-OS version 5.0(3)U1(2a), 5.0(3)U2(1), or newer
Nexus 5000 – fixed in NX-OS version 5.0(3)N2(1) or newer
Example of an IPv4 ACL remark
ip access-list acl-ipv4-01
  remark this ACL denies the 10.1.1.0/24 access to the 10.1.2.0/24 network
  deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
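A configuration audit for the remark-before-deny condition described above, added here as an example and not taken from the eEye deck or from Cisco: it walks a saved configuration and reports every deny entry that follows a remark in the same ACL. The sample configuration is constructed (only acl-ipv4-01 comes from the slide), and covering just `ip access-list` and `mac access-list` blocks is an assumption of the example.

```python
import re

# Constructed sample config; the first ACL reuses the slide's example entries.
SAMPLE_CONFIG = """\
ip access-list acl-ipv4-01
  remark this ACL denies the 10.1.1.0/24 access to the 10.1.2.0/24 network
  deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
  permit ip any any
ip access-list acl-ipv4-02
  10 deny ip 10.9.0.0 0.0.255.255 any
  20 permit ip any any
mac access-list acl-mac-01
  10 remark block lab hosts
  20 deny 0050.561f.0000 0000.00ff.ffff any
interface Ethernet1/1
  ip access-group acl-ipv4-01 in
"""

ACL_HEADER = re.compile(r"^(?:ip|mac) access-list (\S+)\s*$")
# An ACE may carry a leading sequence number ("10 deny ...").
ACE = re.compile(r"^\s+(?:\d+\s+)?(remark|deny|permit)\b")


def find_denies_after_remark(config_text):
    """Return (acl_name, line_number, ace_text) for each deny that follows a remark."""
    findings = []
    acl_name, remark_seen = None, False
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        header = ACL_HEADER.match(line)
        if header:
            acl_name, remark_seen = header.group(1), False
            continue
        if not line[:1].isspace():
            acl_name = None  # any other top-level line ends the ACL block
            continue
        ace = ACE.match(line)
        if acl_name is None or not ace:
            continue
        if ace.group(1) == "remark":
            remark_seen = True
        elif ace.group(1) == "deny" and remark_seen:
            findings.append((acl_name, lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for name, lineno, ace in find_denies_after_remark(SAMPLE_CONFIG):
        print(f"{name}: line {lineno}: deny follows a remark -> {ace}")
```
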
Security Landscape - More than a Microsoft World
CTO/CSO/CxO News
Android is No. 1 Target of Mobile Hackers
Coordinated ATM Heist Nets Thieves $13M
Kaspersky Accuses McAfee of Crying Wolf Over Shady RAT
CNET Hacker Chart
DigiNotar
IT Admin News
Nations with Low Malware Rates have Better ISPs, Microsoft Research Finds
Linux Foundation & Linux.com Multiple Servers Compromised
Data Privacy ‘Should be Taught in Schools’
20GB of Domain Typosquatting E-mails Nabbed
Researcher News
Chinese Military TV Show Slip-up (Shows Hack in Progress)
Bitcoin Mining with Trojan.Badminer
Researchers Uncover the Email that Led to the RSA Hack
Air Traffic System Vulnerable to Cyber Attack
Lawmakers Call for Probe of Medical Devices After Researcher Hacks Insulin Pump
ATMs Open to Thermal Imaging Attack, Researchers Confirm
Retina Community
Powered by the renowned Retina Network Security Scanner technology, Retina Community is a completely FREE vulnerability assessment solution.
Scan up to 32 Unique IP Addresses
Assessment Audits for Operating Systems, Applications, Network Devices, and Virtualized Environments
SCAP Configuration Scanning
Vulnerability and Executive Reporting
Exploit Identification from Core Impact, Metasploit, and Exploit-DB.com
Right-click Metasploit Integration
Download Now: http://community.eeye.com
eEye Unified Vulnerability Management
SECURITY RESEARCH
Automation and Efficiency = Minimized Risk and Lower TCO
MANAGE AND REPORT
• End-to-end vulnerability and compliance management
• Centralized management, reporting, and controls
• Assess, mitigate, and protect from one console
• Advanced trending and analytics
ASSESS
Vulnerability Scanning
Configuration Auditing
Asset Discovery & Inventory
Zero-Day Vulnerability Identification
Vulnerability Reporting
Compliance Auditing
MITIGATE
Integrated Patch Management
Prioritized Mitigation
Risk Scoring
Security Alerts
Prescriptive Remediation Reporting
PROTECT
Zero-Day Protection
Intrusion Prevention
Web Protection
Application Protection
System Protection
Thanks! Connect with Us for More Great Security Industry Content
http://blog.eeye.com
http://www.facebook.com/eEyeDigitalSecurity
http://www.twitter.com/eEye
http://www.YouTube.com/eEyeDigitalSecurity