Today Microsoft released the bulletins for March Patch Tuesday. We have five bulletins, MS14-012 to MS14-016, a light Patch Tuesday by any comparison, even with Adobe chiming in with a non-critical update. If it weren't for the Internet Explorer (IE) patch that addresses the 0-day found during last month's Patch Tuesday, one could call it almost uneventful.
Here is our lineup for today:
MS14-012, a critical bulletin which addresses 18 vulnerabilities in all versions of IE, from IE6 on Windows XP to IE11 on Windows 8.1. It also includes the fix for a 0-day vulnerability that was identified by FireEye on February 11, first on the website of the organization of the US Veterans of Foreign Wars. The attack used a previously unknown flaw in IE 10 (CVE-2014-0322), plus a known vulnerability in Adobe Flash to bypass ASLR protections, and gave the attackers control over the computers visiting the site with that particular configuration. Microsoft had acknowledged the problem and provided a Fix it in KB2934088, but this is the permanent patch for the problem. Apply it as soon as possible.
MS14-013, the second critical bulletin, addresses one critical vulnerability. The attack also uses the webpage vector, but rather than going against IE directly, it involves the DirectShow Windows component. Microsoft states that exploitation is hard and gives it an Exploitability Index rating of 3, but you should still give it priority in your patch cycle.
The remaining bulletins, MS14-014, MS14-015 and MS14-016, are all rated important and do not provide Remote Code Execution (RCE) capabilities. MS14-014 is an ASLR bypass vulnerability that needs to be paired with a code execution vulnerability in order to become useful (see also the recent 0-day that used Adobe Flash exactly for that purpose). MS14-015 is a Windows Kernel driver fix addressing two CVEs, and MS14-016 is a change in a Windows API that allowed an attacker to bypass password lockout rules, which could be used in brute force attack attempts. Take a look at the Microsoft SRD blog to see where ASLR fixes fit in overall.
Adobe's update to Flash (APSB14-08) addresses two vulnerabilities in Adobe Flash V12 and V11 on Windows, Mac OS X and Linux. Both are rated as important, meaning they cannot be used to gain remote code execution on the targeted platforms. Organizations that run Chrome or a modern version of IE will get their Flash update delivered through their browsers; others will need to update their software directly via Adobe.
The other major Microsoft issue is the coming end-of-life of Windows XP. We are now less than 28 days away from the final set of patches that XP will receive. Nevertheless, we are not seeing a reduction in vulnerabilities. All of today's bulletins apply to Windows XP and there is really no reason to expect any change in the near future: the majority of vulnerabilities found in the Windows OS and IE will also apply to Windows XP, but IT admins won't have access to patches for these problems anymore. This will make any Windows XP machine an easy target for attackers, and within a few weeks new tools will be developed that make these exploits widely available. Your best choice is to migrate away from Windows XP to a newer version of the operating system.
So far, the migration is an incomplete job. In our latest survey of roughly 35 million monthly scans, we are still seeing 14% Windows XP machines, down from 16% in January and 17% in December of 2013. If that trend continues, we are projecting 10% by the end-of-life date, at least in the enterprise space that is covered by QualysGuard.
Two weeks ago at the RSA US 2014 conference in San Francisco, Microsoft released a preview version of their EMET 5 (Enhanced Mitigation Experience Toolkit) security toolkit. EMET implements additional restrictions on Windows, monitoring programs for violations of policy and, optionally, shutting down the offending programs. It has been effective against all 0-day attacks of 2013 and 2014, starting with MS13-008, MS13-021, and MS13-038. In the known exploit against this month's MS14-012, the attacker acknowledges that power and tests for the presence of EMET beforehand, proactively giving up when the EMET DLL is detected. I recommend that IT admins take a look at this toolkit and test its compatibility with their installations. The new EMET version 5 introduces a plugin whitelisting capability that could be a great asset in controlling browser plugins, for example only allowing Java to run on a controlled subset of machines where the plugin is actually required.
That is it for this month's bulletins, but stay tuned for more coverage about XP in the SMB and home market, plus a breakdown of the numbers that takes geography into account.
Patch the Internet Explorer vulnerability addressed in Bulletin #1, as it covers the current 0-day that was discovered about three weeks ago. Microsoft has so far addressed it with a Fix it in KB2934088, but this will be the permanent patch, reaching a much larger audience.
Windows XP is affected by all five updates, and there is really no reason to expect this picture to change; Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore. Windows XP is getting its penultimate update and is now very close (just over 30 days) to its declared end-of-life date.
So you need a strategy for the XP machines remaining in your infrastructure. We are still seeing a significant number of XP machines in our scans, ranging from around 25% in our consumer-oriented service BrowserCheck to under 20% in our enterprise-oriented data from QualysGuard.
Back to the March bulletins: priority one should be the two critical bulletins: Bulletin #1 for all versions of Internet Explorer, starting with v6 all the way to v11, and Bulletin #2 for Windows, affecting all Windows OS versions from XP to 2012, with the exception of Windows RT. Bulletins #3 and #4 address important vulnerabilities in Windows, and Bulletin #5 will be for users of Silverlight on Mac and Windows.
Stay tuned for our coverage next week, when we get more details on the patches.
QualysGuard Continuous Monitoring enables customers to continuously monitor mission-critical assets throughout their perimeter and immediately get alerted to anomalies that could expose them to cyber attacks.
QualysGuard Web Application Firewall offers rapid deployment of robust security for web applications with minimal cost of ownership, and is constantly updated with new rules to keep up with application updates and newly emerging threats.
Top 4 Security Controls helps organizations quickly determine if the PCs in their environments have properly implemented the Top 4 Critical Security Controls, which the Council on CyberSecurity estimates can help companies prevent 85% of cyber-attacks. The Top 4 Security Controls are released in collaboration with the SANS Institute and the Council on CyberSecurity.
Risk I/O: For businesses that need to understand the vulnerability and threat risks of their organization’s perimeter in real-time, the new integration enables them to sync their vulnerability data with Risk I/O’s threat processing engine, allowing organizations to gain visibility into their most likely vector for a breach.
AlgoSec Partners: The integration provides visibility into the risk levels of data center applications, enabling IT and security teams to effectively communicate with business stakeholders so they can “own their risk” by quickly taking the actions needed to mitigate IT security issues.
Qualys is proud to announce that it was named Best Security Company earlier this week at the 2014 SC Magazine Awards. The awards acknowledge companies with superior security products that help customers tackle today’s most pressing information-technology (IT) challenges. The announcement was made on February 25, 2014 at the 17th annual SC Awards U.S. Gala in San Francisco, in conjunction with the annual RSA Conference. The criteria for the judging included: product line strength, customer base, customer service/support, research and development, and innovation.
“The SC Awards are the security industry’s most prestigious accolade, bestowed only to the most impressive companies in the security industry,” said Illena Armstrong, VP of editorial, SC Magazine. “Qualys can be very proud of this achievement and the many long hours of dedicated service that it represents.”
“We are honored to be named the Best Security Company by SC Magazine,” said Philippe Courtot, chairman and CEO, Qualys. “We share this honor with our customers and partners, who throughout the years, have been our guiding force to continue improving our existing cloud-based security and compliance solutions and design new innovative ones.”
Qualys also won the SC Award for Best Security Company in 2011. Read the full news release.
A new release of QualysGuard Portal, Version 2.3.0, is targeted for release in US production in March 2014. The exact release date has not yet been set. This release contains changes to the APIs that require a 30-day notification. Only the API changes that impact existing APIs are included in the 30-day notification. The notification will be updated to include any new API functionality at least 15 days prior to release.
AM v1 API Changes
In the Portal 2.3.0 release the VM v1 API will remove the <SITE> and <NETWORK> objects in preparation for the new multiple network support feature. These objects were not used in the VM v1 API and there should be no impact to customers.
Full release notes will be available to customers on the day of the release.
Recently, news about an exploit targeting MediaWiki, the software that powers large-scale websites such as Wikipedia, was made available. What makes it really interesting is the fact that it is only the third remote code execution vulnerability to affect this open-source web platform. Discovered by Check Point vulnerability researchers, this vulnerability, CVE-2014-1610, affects MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11. Because it allows the attacker to compromise the underlying system, it is important to identify and patch affected systems.
Exploiting this vulnerability is tricky, as it is exploitable only under the following conditions:
MediaWiki must have uploads enabled. $wgEnableUploads should be set to true.
The .PDF and .DjVu file types must be allowed via $wgFileExtensions, and the PdfHandler extension must be enabled.
The user must be in a group with the "upload" rights. By default this is given to all logged-in users.
Under default conditions (even on older versions) the first two conditions are not met. MediaWiki versions 1.1 and later ship with uploads disabled: $wgEnableUploads defaults to false, and the permitted file types are png, gif, jpg and jpeg only. DjVu is natively supported since MediaWiki version 1.8. File uploads and the PdfHandler extension can, however, be easily enabled.
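The three preconditions above can be checked mechanically. The following is an added example, not code from this post or from MediaWiki: it takes a version string and a LocalSettings.php fragment and reports which preconditions hold. The two settings fragments are constructed for the example; the DjVu handling (no PdfHandler needed, since DjVu support is built in) and the regex-based PHP parsing are this example's own assumptions, and upload rights ($wgGroupPermissions) are not parsed.

```python
"""Added example, not code from the Qualys post or from MediaWiki: checks a
MediaWiki version string and a LocalSettings.php fragment against the
preconditions the post lists for CVE-2014-1610."""
import re

# Fixed releases named in the post; earlier versions on the same branch are affected.
FIXED_VERSIONS = {(1, 22): (1, 22, 2), (1, 21): (1, 21, 5), (1, 19): (1, 19, 11)}

# Constructed LocalSettings.php fragment with uploads on, PDF/DjVu allowed and
# PdfHandler loaded, i.e. the non-default state the post describes.
EXPOSED_SETTINGS = r"""
<?php
$wgEnableUploads = true;
$wgFileExtensions[] = 'pdf';
$wgFileExtensions = array_merge($wgFileExtensions, array('djvu'));
require_once("$IP/extensions/PdfHandler/PdfHandler.php");
"""

# Constructed fragment mirroring the shipped default: uploads off, image types only.
DEFAULT_SETTINGS = r"""
<?php
$wgEnableUploads = false;
$wgFileExtensions = array('png', 'gif', 'jpg', 'jpeg');
"""


def parse_version(version):
    """'1.22.1' -> (1, 22, 1); a missing patch level counts as 0."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def version_affected(version):
    """True for versions below the fix on a branch the post names."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    return fixed is not None and (major, minor, patch) < fixed


def uploads_enabled(settings):
    """Last assignment to $wgEnableUploads wins, as it would in PHP."""
    found = re.findall(r"\$wgEnableUploads\s*=\s*(true|false)\s*;", settings, re.I)
    return bool(found) and found[-1].lower() == "true"


def allowed_risky_extensions(settings):
    """Members of {'pdf', 'djvu'} that any $wgFileExtensions statement adds."""
    exts = set()
    for stmt in re.findall(r"\$wgFileExtensions(?:\[\])?\s*=[^;]*;", settings, re.I):
        exts.update(e.lower() for e in re.findall(r"['\"](\w+)['\"]", stmt))
    return exts & {"pdf", "djvu"}


def pdfhandler_loaded(settings):
    """True when LocalSettings.php pulls in the PdfHandler extension."""
    return re.search(r"require_once[^;]*PdfHandler", settings) is not None


def assess(version, settings):
    """Combine the checks. PDF needs the PdfHandler extension; DjVu rendering is
    built in (native since 1.8, per the post), so DjVu alone is enough.
    Upload rights are not parsed: by default all logged-in users have them."""
    risky = allowed_risky_extensions(settings)
    checks = {
        "version_affected": version_affected(version),
        "uploads_enabled": uploads_enabled(settings),
        "pdf_vector": "pdf" in risky and pdfhandler_loaded(settings),
        "djvu_vector": "djvu" in risky,
    }
    checks["exposed"] = (checks["version_affected"] and checks["uploads_enabled"]
                         and (checks["pdf_vector"] or checks["djvu_vector"]))
    return checks
```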
Figure 1: Configuration page for enabling file uploads
The LocalSettings.php file provides local configuration for a MediaWiki installation.
Figure 2: Configuration file, showing that uploads are disabled by default
How the Exploit Works
The vulnerability exists in the PdfHandler_body.php and DjVu.php source files, which fail to sanitize shell meta-characters. Shell meta-characters are special characters in a command line that the Unix shell interprets rather than passing through literally. Some examples of shell meta-characters are the opening square bracket [, backslash \, dollar sign $, pipe symbol |, question mark ? and asterisk or star *.
MediaWiki does have a function, wfEscapeShellArg(), to specifically escape such input. But in an apparent programming error, it fails to escape input received via certain parameters such as height and width that are generated while creating a thumbnail of the uploaded file. If file uploads and the PdfHandler extension are enabled, you will be presented with the following screen with an Upload file link in the left column:
Figure 3: Example of MediaWiki page with file uploads enabled
After uploading a .PDF file, the thumb.php source file is used to create a thumbnail and resize images that are used when a web browser requests the file. The PdfHandler is a handler called by thumb.php for viewing PDF files in image mode. You can call it with the width, height, etc. parameters to manipulate the thumbnail dimensions:
Figure 4: An example of a thumbnail created by thumb.php
thumb.php hands the request off to the handler registered for the file type. This is the key to this vulnerability: simply by passing shell meta-characters to this source file, you can compromise the system.
For demonstration purposes, I will be writing a trivial .php shell file, which can execute commands. In Figure 5 below, the highlighted code is where I’m exploiting the width “w” parameter to ‘write’ <?php system(\\$_GET[ cmd]);"> into images/backdoor.php file.
Figure 5: Exploit in action
Choosing a directory with relevant permissions is of importance here. In this case, we have written the shell in the /images folder:
Figure 6: Directory with backdoor.php installed by the attacker
Now you can run a command of your choice:
Figure 7: Oh no! The attacker can read the /etc/passwd file
What’s going on in the background?
MediaWiki has a very robust debugging environment that helps you debug anything – SQL errors, server errors, extension errors, etc. In this case, to understand what goes on behind the scenes, we simply add the following line to the LocalSettings.php file.
Here you see that MediaWiki first checks whether the thumbnail already exists. Then the PdfHandler is called with the "--resize 400" parameter to create an image whose width is 400, and wfShellExec ends up writing the injected PHP shell into the /var/www/mediawiki/images/ folder.
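The root cause is the gap between escaping the file name and not escaping the width. The following is an added example, not MediaWiki's code: it models the resize command in miniature (the renderer name and the "--resize" flag are stand-ins), ports what wfEscapeShellArg() does on Unix, tokenises each variant the way /bin/sh would so the breakout is visible, and adds a check that flags thumb.php requests whose size parameters are not plain integers. Nothing in it executes a command.

```python
"""Added example (not MediaWiki's code): the command-building pattern behind
CVE-2014-1610 in miniature, plus a check for thumb.php requests whose size
parameters carry shell metacharacters. Nothing here runs a command."""
import re
import shlex
from urllib.parse import parse_qs, urlsplit

CONVERTER = "render-pdf"   # hypothetical stand-in for the renderer binary


def wf_escape_shell_arg(arg):
    """Port of what wfEscapeShellArg() does on Unix: single-quote the value and
    escape embedded single quotes (assumption: only the Unix branch is modelled)."""
    return "'" + arg.replace("'", "'\\''") + "'"


def vulnerable_command(src, width):
    """The bug in miniature: the file name is escaped, the width is not."""
    return f"{CONVERTER} --resize {width} {wf_escape_shell_arg(src)}"


def escaped_command(src, width):
    """Escaping alone keeps the width inside one argument, whatever it contains."""
    return (f"{CONVERTER} --resize {wf_escape_shell_arg(str(width))} "
            f"{wf_escape_shell_arg(src)}")


def hardened_command(src, width):
    """Validate first (a width is a small positive integer), then escape anyway."""
    if not re.fullmatch(r"[1-9]\d{0,4}", str(width)):
        raise ValueError(f"rejected thumbnail width {width!r}")
    return escaped_command(src, width)


def shell_words(command):
    """Tokenise the way /bin/sh would: ';' '|' '&' become separate words when
    they sit outside quotes, so a second command shows up as extra words."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def flag_thumb_request(url):
    """Detection side: return the size parameters of a thumb.php request that
    are not plain integers, e.g. when run over web-server access logs."""
    parts = urlsplit(url)
    if not parts.path.endswith("thumb.php"):
        return {}
    params = parse_qs(parts.query, keep_blank_values=True)
    return {k: v for k, v in params.items()
            if k in ("w", "width", "h", "height")
            and any(not re.fullmatch(r"\d+", x) for x in v)}
```

The constructed input "400; echo injected" yields seven shell words from the vulnerable builder but four from the escaped one, and the hardened builder refuses it outright.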
End of story!
QualysGuard uses the BlindElephant engine to detect this vulnerability, using a method called static file fingerprinting to detect web application versions. BlindElephant is a fast, accurate, and very generic web application fingerprinter that identifies application and plugin versions via static files. A whitepaper on this static file fingerprinting technique explains the concept in more depth. It should be noted, however, that the BlindElephant engine included in QualysGuard is an advanced version with a few more features than the one available publicly.
How to Protect your MediaWiki Systems
What can you do to protect yourselves from such attacks?
The Apache process should be configured with read-only access to the application files. Ownership and write permissions should be assigned to a separate user. For example, on many systems the Apache process runs as www-data:www-data. This www-data user should be able to read all of the files in your MediaWiki directory, either by group permissions or by "other" permissions. It should not have write permissions to the code in your MediaWiki directory. If you use features of MediaWiki which require the "files" directory, then give the www-data user permission to write files only in that directory.
Qualys customers with VULNSIGS-2.2.644-1 and onwards will be alerted of this vulnerability via QID: 12832 - MediaWiki DjVu and PDF File Upload Remote Code Execution Vulnerability. Customers are advised to upgrade to MediaWiki versions 1.22.2, 1.21.5, 1.19.11 or later to remediate this vulnerability.
Earlier today I gave a presentation at RSA Conference 2014 in San Francisco about the 20 Critical Security Controls (CSC) and some ideas on how to implement them using QualysGuard. The document for the 20 CSC provides a number of suggestions for each control, called Quick Wins that point out aspects of the controls that are relatively easy to implement. One example is the detection of new machines, or how to report on machines that do not run an approved version of the operating system.
The presentation looks at how QualysGuard data can be used to answer these questions. We show how a script can access the QualysGuard API to pull down data and populate a database in a format that is then easily used to output the relevant reports. In our example we use Splunk as the database, mainly for its ease to treat time-based data, its intuitive query language and built-in reporting, alerting and graphing capabilities.
Attached please find the presentation. I would be very interested in hearing from you, especially if you have used solutions such as Splunk to enhance your reporting.
QualysGuard WAF is designed to be *the* simple, scalable way to defend your web applications. Using virtual appliances running in either Amazon EC2 or VMware's vCenter platform, QualysGuard WAF sensors (which analyze traffic to and from your applications) can be deployed rapidly with a minimal level of security expertise. It uses a new approach to strong web app security that evolves and adapts to the changing threat environment.
New Approach: Describe Desired Security, Let the WAF Build the Rules
QualysGuard WAF can be configured and deployed in a matter of minutes in a true highly-available fashion - active/active cluster nodes are the norm, rather than the exception - and can be scaled horizontally to meet the needs of your organization and infrastructure. Unlike other web application firewalls that require intricate sets of rules be specified for each app, QualysGuard WAF lets you define your desired level of security with just a few clicks. These security goals are automatically translated into the appropriate rules to use within the WAF sensor.
This not only makes robust security easy to set up, it also enables the protection of your applications to improve over time – without any extra effort from you. Qualys’s global security research team is constantly coming up with better defenses - these ongoing enhancements are deployed each month and urgent updates are added as needed to combat new exploits found in the wild. These additions are automatically used by QualysGuard WAF to dynamically update the rules used by each sensor.
Visual dashboards for an easy overview and interactive drill-down
QualysGuard WAF makes it easy to understand the security of all your applications at once. A concise, visual dashboard summarizes the various events that have occurred, when they took place, and where they came from to help you spot unusual patterns.
QualysGuard WAF categorizes each potential threat it detects according to a variety of attributes, including: the apps affected, severity, geographic location, source network address, how the threat was handled, and more. Interactive filters help you search for unexpected activity and determine how it impacts your applications.
You can then drill into particular events to learn more about them and how to address them:
We’re very excited to be making QualysGuard WAF generally available. We’re also continuing to enhance its feature set, driving more and better interaction with your WAS results and to provide better, more actionable security data to your teams. We're in Booth 2821 in Moscone North - please feel free to stop by to discuss WAF, your needs, and to walk through our service and see how it truly is groundbreaking in scope.
In collaboration with the SANS Institute and the Council on CyberSecurity, Qualys today announced a new free service to help organizations implement the Top 4 Critical Security Controls to fend off attacks. The new service, available at https://qualys.com/top4, helps organizations quickly determine if the PCs in their environments have properly implemented the Top 4 Critical Security Controls, which the Council on CyberSecurity estimates can help companies prevent 85% of cyber-attacks.
Qualys will unveil this free service with representatives from the SANS Institute and the Council on Cyber Security at the RSA Conference Booth #2821 today at 11:30 am PT.
"The Qualys Top 4 service is an extremely elegant and effective solution that helps both small and large businesses determine how resilient they are to today's advanced threats,” said Jonathan Trull, CISO for the State of Colorado. “This is exactly the type of public-private partnership our country needs to address the cyber attacks threatening our economy and critical infrastructure."
“This is the first time that a major security vendor has implemented a scoring and reporting algorithm that allows organizations to compare themselves with peers,” said Alan Paller, director of research for the SANS Institute. “Scoring like this is the only technique I have ever seen that causes organizations to implement the changes that lead to effective security.”
Today at RSA Conference, Qualys announced its new Continuous Monitoring service, empowering customers to continuously monitor mission-critical assets throughout their perimeter and immediately get alerted to anomalies that could expose them to cyber attacks. The service gives organizations the ability to proactively identify threats and unexpected changes in Internet-facing devices within their DMZ, cloud-based environments, and web applications before they are breached by attackers, bringing a new paradigm to vulnerability management.
"At Ancestry.com, we have millions of visitors per month and many perimeter devices that we operate to secure against possible attacks,” said Deal Daly, VP of information technology for Ancestry.com. “The Qualys Continuous Monitoring service delivers real-time alerts of security and network configuration issues that we can proactively remediate.”
“The Cloud is expanding the boundaries of the corporate perimeter to include every browser, device or application that touches the Internet, leaving us more exposed to cyber-attacks than ever,” said Philippe Courtot, chairman and CEO for Qualys. “With our groundbreaking Continuous Monitoring service, companies can see their perimeter the way today’s hackers do, so that threats can be identified and addressed before they turn into breaches.”
Qualys also announced today the general availability of its QualysGuard Web Application Firewall (WAF) service for web applications running in Amazon EC2 and on-premise. Deployed as a virtual image alongside web applications, the QualysGuard WAF can be set up and configured within minutes, enabling organizations to easily provide protection for their websites.
“Companies today are challenged with protecting their websites against attacks and complying with the Payment Card Industry (PCI) standard for transactions on their sites. But many organizations, especially smaller businesses, do not have the expertise or resources to effectively deploy WAFs,” said Charles Kolodgy, Research VP at IDC. “By introducing a lower cost, easy-to-use and deploy WAF cloud solution, Qualys can aid organizations in improving protection of their websites and web applications.”
The QualysGuard WAF cloud service provides rapid deployment of robust security for web applications with minimal cost of ownership, and it is constantly updated with new rules to keep up with application updates and newly emerging threats.
“Large organizations typically have thousands of web applications to protect, while smaller businesses don’t have the resources and IT staff to protect them,” said Philippe Courtot, chairman and CEO for Qualys. “The general availability our WAF service will offer customers the flexibility they need to protect their applications no matter where they reside and whether they have a few or thousands of them.”
Risk I/O announced today that it has partnered with Qualys to integrate QualysGuard Vulnerability Management (VM) into Risk I/O, providing perimeter vulnerability scanning for its customers. For businesses that need to understand the vulnerability and threat risks of their organization’s perimeter in real-time, the new integration enables them to sync their vulnerability data with Risk I/O’s threat processing engine, allowing organizations to gain visibility into their most likely vector for a breach.
“The addition of perimeter scanning to Risk I/O enables organizations to scan their organization’s perimeter and receive a complete risk analysis in a one stop shop so they can take action quickly and lower their risk of a breach,” said Risk I/O Co-founder and CEO Ed Bellis. “We are pleased to partner with Qualys and integrate our solutions together giving customers a comprehensive solution that will ultimately help them become more secure and avoid data breaches.”
On Friday, Apple released patches for iOS 6.x and 7.x, addressing a mysterious bug that affected TLS authentication. Although no further details were made available, a large-scale bug hunt ensued. This post on Hacker News pointed to the problem, and Adam Langley followed up with a complete analysis.
I've just released an update for the SSL Labs Client Test, which enables you to test your user agents for this vulnerability.
This bug affects all applications that rely on Apple's SSL/TLS stack, which probably means most of them. Applications that carry their own TLS implementations (for example, Chrome and Firefox) are not vulnerable. For iOS, it's not clear exactly when the bug was introduced. For OS X, it appears that only OS X 10.9 Mavericks is vulnerable.
What you should do:
iOS 6.x and 7.x: Patches are available, so you should update your devices immediately.
OS X 10.9.x: Apple promised a fix would be available soon; update as soon as it is released. The vulnerability has since been fixed in 10.9.2. Update immediately.
QualysGuard VM and PC version 7.13 includes the following features:
Vulnerability Scorecard Report updates, New Compliance Scorecard Report, MS SQL Authentication – Auto Discover Database Instances, and multiple API enhancements (Ability to download API v2 CSV reports without headers, New HTTP Authentication options, New "Policy Merge” feature, Policy Report XML now includes custom control references, Apache Authentication Support for multiple instances per host)
Please note that none of the QualysGuard services on the EU Platform will be available during this maintenance window. This includes:
QualysGuard Vulnerability Management
QualysGuard Policy Compliance
QualysGuard Web Application Scanning
QualysGuard Malware Detection Service
QualysGuard Asset Management, including Dynamic Asset Tagging
Any scans scheduled to begin during the downtime will start immediately following the scheduled downtime. Customers are advised to make sure that the restart of scheduled scans after the downtime does not interfere with normal network operations.
If your account has been enabled with New Scanner Services, your running scans will not be interrupted by this downtime and the results will be processed after service is returned. If your account has not been enabled with the New Scanner Services, then any scans running at the start of the scheduled downtime will be canceled.
We appreciate your patience and if you have any further questions regarding this upgrade, please feel free to contact Qualys Technical Support at email@example.com or +44 (0)1753 872102 (UK) or +33 1 41 97 35 81 (France) or +1 (866) 801-6161 (US and Canada).
We thank you for your continued support and look forward to your feedback.