Severity: High

17 November, 2008

Summary:

• This vulnerability affects: Firebox X Edge 10.2.3 (and earlier versions)
• How an attacker exploits it: By entering a specially crafted username into the authentication page, or by manually visiting a specific URL
• Impact: A remote attacker can authenticate to your Edge without valid login credentials, in some cases gaining VPN access to your network
• What to do: Install 10.2.4 immediately

Exposure:

In order for you to verify that your users really are who they claim to be, the Firebox X Edge supports various types of user authentication. With user authentication configured, you can create URL filtering or VPN policies that permit or deny data traffic based on who someone is, rather than based on the IP address they come from. You also utilize user authentication when setting up mobile VPN access to your network. The Edge provides a secure HTTPS web page that allows your users to authenticate to your Edge.

SEVERITY: HIGH
28 April, 2009
SUMMARY:

• This vulnerability affects: Adobe Reader and Acrobat 9.1 and earlier, on Windows, Mac, *nix computers
• How an attacker exploits it: By enticing your users into viewing a maliciously crafted PDF document
• Impact: An attacker can execute code on your computer, potentially gaining control of it
• What to do: Implement the workarounds described in the Solutions section of this alert

EXPOSURE:
Yesterday, SecurityFocus released an advisory describing a new zero day Adobe Reader exploit they found in the wild. The Proof of Concept (PoC) exploit — written by some calling himself “Arr1val” — seems to leverage a flaw in the Adobe Reader function called “getAnnots()”. As it turns out, Arr1val released two new zero day exploits. The second exploit leverages another Adobe Reader function called “spell.customDictionaryOpen().” Arr1val’s code suggests he confirmed these flaws using Adobe Reader 9.1 and 8.1.4 for Linux. However, we suspect the flaws may affect all current versions of Reader running on any platform.

WatchGuard is pleased to announce the release of version 10.2.8 for WSM, Fireware, Fireware Pro, and Edge. Version 10.2.8 contains a number of defect fixes for issues reported by WatchGuard customers. Areas affected include High Availability, Mobile VPN with SSL, Single Sign-On, and more. There is also a new Mobile VPN with IPSec client (v10.2) available with this release.

Contained in this release are:

• An enhancement for the Firebox X Edge that allows traffic to be masqueraded via 1 to 1 NAT in IPSec VPN tunnels with IKE KeepAlive
• Fixes to several stability issues on Firebox devices that have the upper four ports (eth4 through eth7) in use
• Several manageability improvements, including reduced configuration save times and better manageability of Firebox devices under heavy load
• Several improvements to Single Sign-On (SSO)
• Several improvements to real-time monitoring, reporting, logging, and notification
• Several improvements to SSL VPN client functionality on Macintosh OS X
• Several High Availability improvements
• Several improvements to Edge Wireless functionality
• Edge networking and stability improvements
• Improved Mobile VPN support for devices with dynamically addressed external interfaces
• Enhancements to the Mobile VPN for IPSec client (v10.2), including support for increased numbers of remote networks

Does This Release Pertain to Me?

10.2.8 is a regularly scheduled maintenance release. If you are impacted by any of the issues outlined above or those contained in the Release Notes, you should consider upgrading to version 10.2.8. Please read the Release Notes before you upgrade, to understand what’s involved.

Severity: High

10 March, 2009

Summary:

• These vulnerabilities affect: All current versions of Windows
• How an attacker exploits them: Multiple vectors of attack, including enticing your users to a malicious web site
• Impact: Various results; in the worst case, attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches immediately

Exposure:

Today, Microsoft released three security bulletins describing eight vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

WatchGuard is pleased to announce the availability of version 10.2.7 of WatchGuard System Manager, Edge, Fireware, and Fireware Pro. This update is a maintenance release and contains a number of enhancements and fixes for critical issues as reported by WatchGuard customers.

Contained in this release are:

• Improvements to configuration save behavior in Fireware
• Improvements to High Availability in Fireware
• An enhancement, adding the ability to create Traffic Management, Policy Scheduling, and QoS actions on Drag and Drop VPN tunnels
• Improvements to Server Load Balancing in Fireware
• Improvements to Mobile VPN with SSL client behavior
• A fix for Firebox (Core) stability issues under certain conditions
• Improvement to SSL VPN user authentication on Edge
• A fix for e-Series BOVPN stability issues under certain conditions
• A fix for an Edge spamBlocker Exception List problem

WatchGuard is pleased to announce the availability of version 10.2.2 of WatchGuard System Manager, Edge, Fireware, and Fireware Pro. This update is a maintenance release and contains a number of enhancements and fixes for critical issues as reported by WatchGuard customers.

Contained in this release are improvements to:

§ Memory management in our authentication system

§ Log Viewer search function

§ Improved interoperability in Mobile VPN, and BOVPN

§ Device stability when ethernet ports 4-7 are used in an High Availability configuration

§ The firebox Edge multi-lingual installer

§ Edge NAT code when Mobile VPN with SSL is used.

Severity:High

1 August, 2008

Summary:

§ These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), both client and server versions

§ How an attacker exploits them: Multiple vectors of attack, including enticing one of your users into visiting a malicious web site or into downloading a malicious document

§ Impact: Various results; in the worst case, attacker executes code on your user’s computer, potentially gaining full control of it

§ What to do: OS X administrators should download, test and install Security Update 2008-005

DNS Proxy Helps; NAT/PAT Devices Exacerbate Issue

Severity: Medium

18 July, 2008

Update:

Last week, we published an alertabout some DNS protocol vulnerabilities that could affect any software or networking devices that run DNS servers, and to a lesser extent, DNS clients. By sending your DNS server (or client) a series of specially crafted DNS queries and/or responses, an attacker could poison your DNS server’s cache with arbitrary IP addresses, thus potentially forcing your users to visit arbitrary, malicious web sites.

This alert adds one new wrinkle pertaining to this issue, then explains a DNS proxy configuration that may help mitigate the risk of DNS cache poisoning attacks in general. First, the new wrinkle:

Severity: Medium

9 July, 2008

Summary:

§ These vulnerabilities affect: Microsoft Word 2002 w/SP3. Doesn’t affect any other versions of Word.

§ How an attacker exploits them: By enticing one of your users into downloading and opening a malicious Word document

§ Impact: An attacker can execute code, potentially gaining complete control of your user’s computer

§ What to do: Implement workarounds found in the “Solution Path” section below

Severity: Medium

9 July, 2008

Summary:

§ This vulnerability affects: All software and networking devices that run DNS servers; to a lesser extent, software or devices with DNS clients

§ How an attacker exploits it: By sending your DNS server (or client) a series of specially crafted DNS queries and/or responses

§ Impact: The attacker could poison your DNS server’s cache with arbitrary IP addresses, thus forcing your users to visit arbitrary, malicious web sites

§ What to do: Deploy the appropriate updates from your DNS vendors as quickly as possible

Severity: High

8 July, 2008

Summary:

§ These vulnerabilities affect: Microsoft Access 2000, 2002, and 2003

§ How an attacker exploits them: By enticing one of your users to a malicious web site

§ Impact: An attacker can execute code, potentially gaining complete control of your user’s computer

§ What to do: Implement workarounds described in the “Solution Path” section below

Severity: High

10 June, 2008

Summary:

• This vulnerability affects: Quicktime 7.4.5 for Mac and PC (and possibly earlier versions)
• How an attacker exploits it: By enticing your users to download and play a malicious multimedia file in Quicktime
• Impact: Attacker executes code on your user’s computer, potentially gaining complete control of it
• What to do: If you allow Quicktime (or iTunes), upgrade to version 7.5; otherwise, remove these applications from your company’s computers

Exposure:

Today, Apple released an alert fixing five vulnerabilities in its popular media player application, Quicktime. (Current versions of iTunes ship with the program as well; if your users have iTunes, they most likely have Quicktime.) These applications run on Windows and Macintosh computers, and both platforms are susceptible to exploitation of these security flaws. Apple’s alert specifies Vista and XP SP2 as the vulnerable versions of Windows.

The vulnerabilities relate to different processes in Quicktime (for example, how it opens picture files, how it displays movie files, how it handles audio files, and so on); but the flaws share a similar result if successfully exploited. If an attacker can get one of your users to open a specially crafted multimedia file, or to click a URL that links to malicious QuickTime content, he could trigger any of these flaws to execute code on your user’s computer, with the same privileges and permissions your user has. If your users have local administrative privileges, the attacker could gain complete control of their machines.

The primary difference between these flaws involves which multimedia file the attacker can use to exploit them. The potentially dangerous files that could trigger these flaws are:

• PICT images (.pict)
• AAC audio files (.aac)
• Indeo video files (.mov, .avi, etc…)

Critical Internet Explorer Cumulative Patch Fixes Two Vulnerabilities

Severity: High

10 June, 2008

Summary:

• This vulnerability affects: Internet Explorer 7 and earlier versions
• How an attacker exploits it: By enticing one of your users to visit a malicious Web page
• Impact: In the worst case, the attacker can execute code on your user’s computer, gaining complete control of it
• What to do: Deploy the appropriate Internet Explorer patches immediately

Severity: High

5 June, 2008

Summary:

• This vulnerability affects: Hewlett-Packard desktop and laptop computers running Windows
• How an attacker exploits it: By luring one of your users to a maliciously crafted website, where a drive-by download occurs
• Impact: The attacker can take complete control of your user’s computer
• What to do: Either set the kill bit for the vulnerable ActiveX control, or update your HP Instant Support software to version 1.0.0.24

Exposure:

Hewlett-Packard (HP) is the world’s largest PC dealer. HP has sold millions of desktop and laptop computers, and according to industry observers, accounts for as much as 20 percent of the PC market. Somewhere among your users, it is probable that an HP computer regularly connects to your network. If you have no HP computers on your network, this security alert does not pertain to you.

By Mark Waldstein, LiveSecurity Content Specialist, WatchGuard Technologies

[Editor's Note: In the March, 2008 edition of my podcast Radio Free Security: Firebox Special, WatchGuard's lead technical trainer Kyle Porter told our listeners all about Single Sign-On, a new feature in Fireware Version 10. It's available on any WatchGuard appliance that can run Version 10, including our e-Series Fireboxes and our Edge product line. I've summarized Kyle's descriptions here, for those who prefer reading to listening; or, for those who've heard the podcast and want some backup documentation. --Mark]

Single Sign-On should be seen as a part of the larger authentication setup on Fireboxes. Before SSO, users could authenticate to the firewall, either as a specific user or as a member of a group. The network administrator could restrict access to particular services, or apply particular WebBlocker rules, to users who were authenticated. You, the administrator, could also integrate that authentication with your existing domain controller (such as an Active Directory server), but there was a limitation: End users had to affirmatively authenticate to the firewall using a web browser. Whether or not they were logged onto their Active Directory domain was unimportant to the firewall; it still needed them to prove who they were by directing our web app to the firewall.

So, if you had a hundred users on your network, all one hundred of them had to know how to get to a particular web page, and what to type when they got there. (In most cases, they had to enter the same username and password they had already entered when they logged onto the network that morning.) This process also meant that you probably spent more time than you wanted in educating users how to do that. So, it was probably not our most popular feature. Admins really liked the results…but that first week could be a little painful for them.

Severity: Medium

18 March, 2008

Summary:

• These vulnerabilities affect: Safari 3 for OS X and Windows
• How an attacker exploits them: By enticing one of your users into visiting a malicious web site
• Impact: Various results; in the worst case, attacker executes code on your user’s computer, with your user’s privileges
• What to do: Install Safari 3.1

Severity: High

11 March, 2008

Summary:

• These vulnerabilities affect: Most current versions of Microsoft Office for Windows, and in some cases for Mac (and some other Office-related programs)
• How an attacker exploits them: By enticing you to open maliciously crafted Office documents, visit a malicious web site, or click a malicious link
• Impact: An attacker can execute code, potentially gaining complete control of your computer
• What to do: Install the appropriate Office or Office related patches immediately

New! SSL Appliances from WatchGuard^® Later this month, WatchGuard will release two important new products – the WatchGuard SSL 500 and the SSL 1000. Now that SSL has gone mainstream and basic features have standardized among most vendors, the new WatchGuard SSL is just what the market has been asking for and is a genuine standout for many reasons. 

• Supports the widest range of applications and resources – so your customers have access to the tools they need to stay productive
• Offers the broadest range of mobile device and platform support in its class – making access available from virtually anywhere
• Includes powerful mid-point and endpoint security – to ensure connecting devices are healthy and up-to-date, so your network infrastructure stays that way
• Provides flexible, extensible authentication – with more options than competitors, including software and SMS tokens to streamline and reduce the cost of remote access
• Has lowest total cost of ownership – unlike competitors who charge extra for advanced features, WatchGuard SSL comes complete with every option at a standard price