February Patch Tuesday 2015 Webinar
TRANSCRIPT

Patch Overview
February 2015
Wolfgang Kandek, Qualys, Inc
February 12, 2014
February Patches
• Adobe Flash under direct Attack in January/February
  • Normal = 1 update per month. Current = 4
  • January 13 – APSB14-01 – 9 critical vulnerabilities
  • January 21 – @Kafeine detects 0-day CVE-2015-0311
    • Angler Exploit Kit
  • January 22 – APSB14-02 for CVE-2015-0310 (no typo)
    • Under attack in the wild (0-day)
    • Mentions CVE-2015-0311 (sort of)
    • Credits 3 Researchers, including @Kafeine
  • January 27 – APSB14-03 for CVE-2015-0311/12
    • Credits 3 different Researchers, including @Kafeine
February Patches – 2
• Flash Attack continues in February
  • February 2 – Trend Micro detects 0-day
  • February 5 – APSB14-04 – 18 critical vulnerabilities
    • Including 0-day CVE-2015-0313
  • All versions of Windows attacked under IE and Firefox
    • Flash under Google Chrome not attacked
  • Malwarebytes Anti Exploit neutralizes CVE-2014-310
  • EMET prevents CVE-2015-0311
  • Trend Micro Browser Exploit Prevention: CVE-2015-0313
February Patches – 3
• Microsoft February 10: 9 bulletins – MS15-009 to MS15-017
  • IE, Windows, Office – 4 x Remote Code Execution
  • 5 x Important – Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
  • 41 vulnerabilities – January Rollup
  • 1 publicly disclosed – ZDI 120 day limit
• Priority 2: MS15-012 – Office (Excel/Word)
• Priority 3: MS15-010 – Windows
  • 1 publicly disclosed – Google Project Zero 90 day limit
• Interesting: MS15-011 – GPO
GHOST
• January 27 – Qualys disclosed CVE-2015-0235 in Linux/glibc
  • January 13 (first contact), January 18 (CVE)
  • Critical vulnerability, about 2 months to find and exploit
• GHOST similar to Heartbleed and Shellshock
  • GHOST = GetHOSTbyname (vulnerable function)
• Newest glibc (2.18) not vulnerable, but not very common
  • Ubuntu 14.04, Fedora 20/21, SUSE 12/13, Gentoo
• glibc 2.2-2.17 vulnerable, in use in many distros
  • RedHat 6/7 (CentOS 6/7), SUSE Enterprise, Ubuntu 12.04
• Verification program, source in the advisory
• Vulnerability scanner
GHOST – Exploitability
• Buffer Overflow in gethostbyname()
• Hostname
  • Needs to be digits and dots
  • Longer than 1 KB
• Mitigations
  • Hostname can only be 255 characters long (RFC1123)
  • gethostbyname() deprecated
• Examples:
  • ping, arping, mtr, mount.nfs – not vulnerable
  • clockdiff, procmail, pppd, exim – vulnerable
  • exim – (remote!) exploit POC exists
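The two mitigations on this slide (the RFC 1123 length limit and the trigger shape of digits and dots longer than 1 KB) translate directly into an input gate a defender can put in front of gethostbyname(). The following C block is an added example written for this transcript; it is not code from the webinar, from Qualys or from glibc. The function names rfc1123_hostname_ok, ghost_trigger_shape and hostname_gate, the verdict enum and the constructed sample input are all assumptions made for the example.

```c
/* Added example (not from the Qualys webinar or advisory): a defensive
 * pre-check for hostnames before they reach gethostbyname().
 *   rfc1123_hostname_ok()  enforces the RFC 1123 shape the slide cites as a
 *                          mitigation (<= 255 chars, labels of 1..63 chars).
 *   ghost_trigger_shape()  flags input matching the trigger shape on the
 *                          slide (digits and dots only, longer than 1 KB),
 *                          usable as a detection rule over logged input.
 *   hostname_gate()        combines both into a verdict (hypothetical wiring). */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RFC1123_MAX_HOSTNAME  255
#define RFC1123_MAX_LABEL     63
#define GHOST_TRIGGER_MIN_LEN 1024   /* "longer than 1 KB" on the slide */

enum host_verdict { HOST_OK = 0, HOST_INVALID = 1, HOST_GHOST_SHAPE = 2 };

/* RFC 1123 hostname check: 1..255 characters total; each label 1..63
 * characters of letters, digits and hyphens, no leading or trailing hyphen,
 * no empty label (so "a..b", ".a" and a trailing dot are rejected). */
bool rfc1123_hostname_ok(const char *name)
{
    size_t total = strlen(name);
    if (total == 0 || total > RFC1123_MAX_HOSTNAME)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i <= total; i++) {
        char c = name[i];
        if (c == '.' || c == '\0') {            /* end of a label */
            if (label_len == 0 || label_len > RFC1123_MAX_LABEL)
                return false;
            if (name[i - 1] == '-')             /* i >= 1 here since label_len > 0 */
                return false;
            label_len = 0;
            continue;
        }
        if (!isalnum((unsigned char)c) && c != '-')
            return false;
        if (label_len == 0 && c == '-')
            return false;
        label_len++;
    }
    return true;
}

/* Detection rule for the GHOST trigger shape described on the slide: only
 * digits and dots, and more than 1 KB long. Such input is far beyond the
 * RFC 1123 limit, so it is attack-shaped rather than merely invalid. */
bool ghost_trigger_shape(const char *name)
{
    size_t len = strlen(name);
    if (len <= GHOST_TRIGGER_MIN_LEN)
        return false;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)name[i]) && name[i] != '.')
            return false;
    return true;
}

/* Gate to run before handing untrusted input to gethostbyname(). */
enum host_verdict hostname_gate(const char *name)
{
    if (ghost_trigger_shape(name))
        return HOST_GHOST_SHAPE;
    if (!rfc1123_hostname_ok(name))
        return HOST_INVALID;
    return HOST_OK;
}

/* Constructed sample input: fills buf with n digits (GHOST-shaped when
 * n > 1024). Used by main() below and by tests; not real attack traffic. */
size_t build_digit_string(char *buf, size_t bufsize, size_t n)
{
    if (n + 1 > bufsize)
        n = bufsize - 1;
    memset(buf, '7', n);
    buf[n] = '\0';
    return n;
}

int main(void)
{
    static char big[2048];
    build_digit_string(big, sizeof big, 1100);
    const char *samples[] = { "example.com", "1.2.3.4", "-bad.example.com",
                              "a..b", "exa_mple.com", big };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum host_verdict v = hostname_gate(samples[i]);
        printf("%-20.20s%s -> verdict %d\n", samples[i],
               strlen(samples[i]) > 20 ? "..." : "", (int)v);
    }
    return 0;
}
```

The gate deliberately reports the trigger shape as its own verdict rather than folding it into "invalid": an over-length hostname made entirely of digits and dots has no legitimate origin, so the caller can log it as an attack indicator, while ordinary malformed names only need rejecting.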
GHOST – Reality
• How exploitable is it really?
• Opinions vary
  • Michal Zalewski – Yup, that is the real thing, nothing to add
  • Robert Graham – Yes, but…
  • Many – PR Stunt
  • Sucuri – there is a problem in WordPress/PHP – pingback
    • Now a Metasploit check
  • Veracode – there are problems in many enterprise apps
    • 202 enterprise apps – 25% use gethostbyname
    • 72% C/C++, 28% Java, .NET, PHP
  • 64/32 bit are vulnerable – our exploit works against both 64 and 32 bit exim, for example
GHOST – beyond Linux
• Juniper
• Cisco
• NetApp
• McAfee
• F-Secure
• BlueCoat
• RiverBed
• …
Resources
• Microsoft – https://technet.microsoft.com/library/security/ms15-feb
• Adobe – http://blogs.adobe.com/psirt
• GHOST – http://www.openwall.com/lists/oss-security/2015/01/27/9
• Sucuri – http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html
• Veracode – https://www.sans.org/webcasts/99642?ref=174212
• Metasploit – https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb
• Juniper – http://kb.juniper.net/InfoCenter/indexid=JSA10671&page=content
Resources 2
• Cisco – http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost
• McAfee – https://kc.mcafee.com/corporate/index?page=content&id=SB10100
• NetApp – https://kb.netapp.com/support/index?page=content&id=9010027
• F-Secure – https://www.f-secure.com/en/web/labs_global/fsc-2015-1
• Blue Coat – https://bto.bluecoat.com/security-advisory/sa90
• Riverbed – https://supportkb.riverbed.com/support/index?page=content&id=S25833