If you use Snow Leopard, and you downloaded Apple’s update on February 1, you should download the revised v1.1 update from the Apple Software Download page. Apple doesn’t appear to have changed the text on their download page to reflect this new version. However, they did share new checksums for the revised updates in their email security advisory. You can find those SHA-1 checksums below:

For Mac OS X v10.6.8

• Download file name: SecUpd2012-001Snow.dmg
• SHA-1 digest: 29218a1a28efecd15b3033922d71f0441390490a

For Mac OS X Server v10.6.8

• Download file name: SecUpdSrvr2012-001.dmg
• SHA-1 digest: 105bdebf2e07fc5c0127f482276ccb7b6b631199

Summary:

• These vulnerabilities affect: All current versions of OS X 10.6.x (Snow Leopard) and OS X 10.7.x (Lion)
• How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various document or media files
• Impact: Various results; in the worst case, an attacker executes code on your user’s computer
• What to do: OS X administrators should download, test and install OS X 10.7.3 or Security Update 2012-001 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 52 (number based on CVE-IDs) security issues in 27 components that ship as part of OS X or OS X Server, including Apache, Quicktime, and Time Machine. Some of the fixed vulnerabilities include:

• Multiple ImageIO Buffer Overflow Vulnerability. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from various security vulnerabilities (including some buffer overflow vulnerabilities) involving the way it handles certain types of image files. Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include TIFF and PNG.

• CoreAudio Buffer Overflow Vulnerability. CoreAudio is a component that helps OS X play audio content. It suffers from a buffer overflow vulnerability. By enticing you to play a specially crafted audio file, an attacker would exploit this flaw to either crash your system, or execute code with your privileges.

• Several Quicktime Vulnerabilities. Quicktime is the popular video and media player that ships with OS X (and iTunes). Quicktime suffers from six security issues (number based on CVE-IDs) involving how it handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, she could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, elevation of privilege vulnerabilities, and information disclosure flaws. Components patched by this security update include:

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

Solution Path:

Apple has released OS X Security Update 2012-001 and OS X 10.7.3 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can, or let Apple’s automatic Software Update utility do it for you

• OS X Lion Update 10.7.3 (Client)
• OS X Lion Update 10.7.3 (Client Combo)
• OS X Lion Update 10.7.3 (Server)
• OS X Lion Update 10.7.3 (Server) Combo
• Security Update 2012-001 Server (Snow Leopard)
• Security Update 2012-001 (Snow Leopard)

Note: Some of these updates are rather large (700MB or greater), and all require a reboot.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

• February 2012 OS X  Security Update

This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)

This week’s WatchGuard Security Week in Review comes to you from on the road in Texas. I’m travelling this week to speak at various WatchGuard security events, but was still able to record an episode using my iPhone. You’ve got to love technology!

That said, due to my travel schedule on Friday, I had to produce this episode on Thursday. That means this episode could miss any big security stories that come out today. If that’s the case, I will update this post later to let you know about it

As usual, if you prefer text to video, check out the reference links below. We also love to hear from you, so if I can do anything to improve these weekly summaries for you, let me know in the comments section below. (Video Runtime: 4:21)

Episode References:

• Many WordPress 3.2.1 web sites hijacked:
  • Hackers infect WordPress blogs  - InfoWorld
• Apple releases OS X security update:
  • OS X update fixes 52 vulnerabilities – WatchGuard Security Center
• PC Anywhere patched:
  • Symantec says PC Anywhere is safe - Yahoo News
• Anonymous is still at it:
  • Anonymous Brazil DDoSes Brazilian banks - News.co.nz
  • Anonymous feuds with UFC president on Twitter - Cnet
• Verisign suffered multiple breaches in 2010:
  • Key Internet operator hit by hackers – Reuters

— Corey Nachreiner, CISSP (@SecAdept)

• These vulnerabilities affect: All current versions of OS X 10.6.x (Snow Leopard) and OS X 10.7.x (Lion)
• How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various document or media files
• Impact: Various results; in the worst case, an attacker executes code on your user’s computer
• What to do: OS X administrators should download, test and install OS X 10.7.3 or Security Update 2012-001 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 52 (number based on CVE-IDs) security issues in 27 components that ship as part of OS X or OS X Server, including Apache, Quicktime, and Time Machine. Some of the fixed vulnerabilities include:

• Multiple ImageIO Buffer Overflow Vulnerability. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from various security vulnerabilities (including some buffer overflow vulnerabilities) involving the way it handles certain types of image files. Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include TIFF and PNG.

• CoreAudio Buffer Overflow Vulnerability. CoreAudio is a component that helps OS X play audio content. It suffers from a buffer overflow vulnerability. By enticing you to play a specially crafted audio file, an attacker would exploit this flaw to either crash your system, or execute code with your privileges.

• Several Quicktime Vulnerabilities. Quicktime is the popular video and media player that ships with OS X (and iTunes). Quicktime suffers from six security issues (number based on CVE-IDs) involving how it handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, she could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, elevation of privilege vulnerabilities, and information disclosure flaws. Components patched by this security update include:

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

Solution Path:

Apple has released OS X Security Update 2012-001 and OS X 10.7.3 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can, or let Apple’s automatic Software Update utility do it for you

• OS X Lion Update 10.7.3 (Client)
• OS X Lion Update 10.7.3 (Client Combo)
• OS X Lion Update 10.7.3 (Server)
• OS X Lion Update 10.7.3 (Server) Combo
• Security Update 2012-001 Server (Snow Leopard)
• Security Update 2012-001 (Snow Leopard)

Note: Some of these updates are rather large (700MB or greater), and all require a reboot.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

• February 2012 OS X  Security Update

This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)

As Gizmodo points out, there have been a number of breaches lately where attackers have gotten password databases from some pretty big companies, and these breaches will likely continue. Today is as good a day as any to start following better password creation and handling practices. I’ve pointed this fact out myself in a number of posts involving password losses, which I list below:

• Zappos breach
• Sony PSN Breach
• HBGary Breach

In those posts, I share a number of password tips, but if you need more, you can also check out this old video we made on the subject.

In any case, I encourage you to participate in Change Your Password Day. That said, I’m posting this pretty late (due to business travel), so I also say let’s extend Change Your Password Day to February 2nd as well. –  Corey Nachreiner, CISSP. (@SecAdept)

Radio Free Security is back!

For the new listeners out there, Radio Free Security (RFS) is a monthly podcast, dedicated to spreading knowledge about network and information security, and to keeping busy IT administrators apprised of the latest security threats they face online. WatchGuard’s LiveSecurity team started RFS back in January, 2007.  However, we’ve been off the air since 2009 — but that all changes today, with our first return episode!

In this return episode, we look back at WatchGuard’s 2011 security predictions. Every year, the WatchGuard security team and I pull out our magic tarot cards to try and predict the security threats and trends you can expect for the upcoming year. In this episode, Tim Helming, Ben Brobak, and I revisit these predictions, which include a wide range of topics (Cyberwar, APTs, and Facebook attacks to name a few). Did we call 2011 correctly, and what did we learn from the results? Listen below to find out.

In the future, I will post Radio Free Security’s monthly podcast to its original RSS feed, which also links to an iTunes version. However, right now we are dusting off those old mechanisms, to get them up again. For now, you can listen to this month’s episode with the SoundCloud link below. If you are new to RFS, I also recommend you check out our archive (iTunes archive) of old shows. Though some of the Security Stories of the Month are old, the general security content and advice is still quite relevant.

[UPDATE] The original SoundCloud link for this episode had a repeated segment (from 00:49:49 to 01:13:49). We have uploaded a fixed version of the episode. I’d like to thank @pdbrown811 for letting us know. If you downloaded the episode before, I recommend you download it again from the new link below. — Corey Nachreiner, CISSP (@SecAdept)

Another week, another WatchGuard Security Week in Review. While this week wasn’t quite as action packed as last, there’s plenty of security stories to cover in this episode. I summarize them in the  brisk video below (runtime: 6:03 minutes).

If you prefer text to moving pictures, you can also find a quick descriptions of these stories, as well as reference links, underneath the video. Let us know what you think in the comments.

Episode References:

• Anonymous continues their online riot, taking down more recording industry sites, and defacing a US government internet security site:
  • Anonymous takes out CBS.com – PC World
  • Anonymous defaces US government site – TechSpot
  • US-CERT Anonymous DDoS Advisory
• TSA claims Pacific Northwest railways fell victim to a cyberattack:
  • US railway signals disrupted by cyberattack - InfoSecurity
  • DHS later denies the attack - eWeek
• HD Moore discloses security risk with videoconferencing systems:
  • Cameras open boardroom to hackers - New York Times
• Microsoft accuses ex-antivirus employee of creating Kelihos botnet:
  • Botnet maker worked for security companies – Computer World
• Symantec warns customers to stop using PC Anywhere due to vulnerability:
  • Disable PC Anywhere – ZDNet
  • Symantec Advisory
• Google Releases a Chrome security update:
  • Google patches serious Chrome bugs – ComputerWorld
• EXTRA:  Attackers are exploiting recent Windows Media vulnerability (MS12-004). This late breaking story didn’t make the video, but I felt I should include it here:
  • Hackers pounce on Media Flaw – ZDNet

— Corey Nachreiner, CISSP (@SecAdept)

The WatchGuard SSL appliances are easy-to-use, all-in-one, secure, remote access solutions for small to medium-sized businesses. WatchGuard SSL 100 supports up to 100 concurrent users to make secure connections. The SSL 560 appliance supports up to 500 concurrent users. The WatchGuard SSL appliances deliver applications directly to the desktop of your remote employees to provide increased productivity—from anywhere, at anytime.

Highlights of the WatchGuard SSL OS v3.1.2 release include:

• Internet Explorer (IE) 9 support. You can now use IE9 to both configure the appliance’s WebUI and to access resources with the Access Client
• The WebUI performs faster on SSL 100 devices
• The Access Client has been improved to provide greater stability
• Corrected various potential security vulnerabilities
• Remote Desktop single sign-on now works with Windows Server 2008
• The Web UI is now more stable, with improved error and exception handling
•  … and many other fixes — please see the Release Notes for complete details.

If you’re an SSL 100 or 560 appliance owner with an active LiveSecurity subscription, you can upgrade to SSL OS v3.1.2 free of charge.

Does This Release Pertain to Me?

SSL OS v3.1.2 is a scheduled maintenance release. If you have an SSL 100 or 560 appliance, and wish to take advantage of any of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to v3.1.2. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

WatchGuard SSL 100 and 560 owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center, which also includes clear installation instructions. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

• U.S. End Users: 877.232.3531
• International End Users: +1.206.613.0456
• Authorized WatchGuard Resellers: +1.206.521.8375

Fireware XTM v11.3.5 is the newest operating system software release for Firebox X Peak, Core, and Edge e-Series appliances. Fireware XTM v11.3.5 demonstrates a continuing commitment to WatchGuard Firebox X e-Series customers, with a significant number of bug fixes and enhancements. It is primarily a sustaining release that resolves many known issues.

NOTE: There is no new WatchGuard System Manager release to accompany Fireware XTM v11.3.5. You can either use WatchGuard System Manager v11.4.x-v11.5.x or WatchGuard System Manager v11.3.2 to connect to a Firebox e-Series device that runs Fireware XTM v11.3.5, although you must use WatchGuard System Manager v11.4.1 or higher if you want to use the Mobile VPN with IPSec Shrew Soft VPN client.

Some of XTM v11.3.5′s fixes and enhancements include:

• Various authentication enhancements, which improve Active Directory and Radius authentication support.
• Improved PPPOE support in multi-WAN situations
• Blocked Site entries can now accept a /32 subnet mask
• Various FireCluster Improvements
• Fixed a problem that prevented Gateway AV from scanning passive FTP connections
• Various Mobile VPN with SSL improvements which improve the client’s overall interoperability
•  … and many other fixes — please see the Release Notes for complete details.

If you’re an active e-Series LiveSecurity subscriber, you can upgrade to Fireware XTM 11.3.5 free of charge.

Does This Release Pertain to Me?

Fireware XTM 11.3.5 is a sustaining release that contains a significant number of bug fixes and enhancements. If you have any Firebox e-Series appliances, and wish to take advantage of any of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.3.5. XTM appliance owners should not install 11.3.5, but rather stick with 11.5.x. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM series or Firebox e-Series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center, which also includes clear installation instructions. Keep in mind, Fireware XTM 11.3.5 is an e-Series only release, and does not work on more recent XTM appliances. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

• U.S. End Users: 877.232.3531
• International End Users: +1.206.613.0456
• Authorized WatchGuard Resellers: +1.206.521.8375

Welcome to my first ever episode of WatchGuard Security Week in Review. This vlog — which I hope to bring you weekly — is dedicated to quickly summarizing the biggest network and information security stories from each week. When appropriate, I’ll also share quick tips on how you can protect yourself from some of the threats I talk about.

Normally, I plan to post this weekly vlog late Friday. However, I posted last week’s episode a bit late, due to unexpected production issues with my first attempt at making this. I believe I have my production wrinkles ironed out for next time. So expect the next episode this Friday.

You’ll find the first episode below. Let me know what you think by leaving a comment.

Episode References:

• Zappos Breach
  • Zappos Email
  • Sans ISC Diary Post
  • Techspot Article
• Oracle Patch Day
  • Oracle Patch Summary
  • InfoWorld Article
• Middle Eastern Cyberwar
  • Great The Next Web Article on Middle Eastern Cyberwar
• Anonymous Returns (Megaupload Raid)
  • Gizmodo Article
• Koobface Gang Unveiled
  • Zdnet Article
  • DailyMail Article
  • Sophos Blog Post

.  — Corey Nachreiner, CISSP (@SecAdept)

Zappos hasn’t released any technical details about the attack, and I don’t expect them to. If forced to guess, I’d assume it probably originated from some web application flaw, which is a pretty common vector these days. That’s why I often suggest that IT and web administrators focus their security resources on their web applications; both by encouraging secure web coding practices, and by leveraging security controls with application-layer inspection capabilities (such as the HTTP and HTTPS proxies that WatchGuard’s XTM appliances offer). However, that’s not what I’m here to talk about today. Today, I want to talk about passwords.

I’ve talked about passwords many times before, but as a core principle of security (technically part of Authentication), the advice bears repeating. Here are some password-related tips; both general and related to password security breaches:

• Change your password(s) after a security breach – If a site you use ever has a security breach where attackers gain access to passwords (hashed or not), change your password immediately. In Zappos case, they are forcing this advice by terminating old passwords. If you use Zappos, be sure to change your password now, before a bad guy does it for you.
• Use strong passwords – I believe passwords should be greater than 10 characters. One easy way you can create long passwords, with enough entropy, is by using passphrases, or more specifically something I call pass-sentences. WatchGuard’s Bud Logs In video talks about these concepts in more detail (and is good for basic endusers).
• Use different passphrases on different web sites – This is crucial aspect of password security, especially when considering these types of web breaches. If you, like most people, use the same password for many different web sites, the attacker that has Zappos’ password archive now may have your password for all web sites. If you have been using the same password everywhere, not only should you change your Zappos password, but you should change your password on every site (and make it different this time). This breach situation is exactly why experts recommend you use different passwords everywhere. That said, many people find this advice hard to implement in practice; which brings me to the next tip…
• Leverage password vault software – Password vaults make it easier for you to manage multiple passwords securely. They are not perfect. If you use multiple machines and OSs, you may have trouble finding password management software that meets all your needs. Plus, password vaults become a single point of potential failure, as they almost literally store all the keys to your kingdom. It’s extremely important to use secure password vaults, and protect them. That said, they offer the only practical solution to managing multiple passwords today. This article suggests a few good ones to use (I have used 1password myself).