
eEye Digital Security - Vulnerability Expert Forum, June 2011


DESCRIPTION

eEye’s monthly Vulnerability Expert Forum provides a complete analysis of recently announced critical vulnerabilities from Microsoft and other software vendors. Join us the second Wednesday of each month, the day after Patch Tuesday, when Microsoft discloses its monthly patches, to get:

• A complete analysis of the latest critical vulnerabilities, vendor patches, and zero-day threats
• A detailed assessment of the true criticality of each patch, to best prioritize rollout
• Expert guidance on the actions necessary to protect your systems

Page 1: eEye Digital Security - Vulnerability Expert Forum, June 2011

eEye Digital Security

1.866.339.3732

www.eEye.com

[email protected]

Vulnerability Expert Forum

June 15, 2011

Page 2: eEye Digital Security - Vulnerability Expert Forum, June 2011

Agenda

About eEye

Microsoft’s June Security Bulletins

Retina Community

Other Vendor Security Updates

Security Landscape: InfoSec News

Secure and Comply with eEye

Q&A


Page 3: eEye Digital Security - Vulnerability Expert Forum, June 2011

eEye at a Glance

Industry Pioneers

Leaders in IT security since 1998

Developed one of the first vulnerability scanners

Growing and profitable

Thought Leaders

World-renowned security research team

Trusted advisors to organizations across industries and sizes


Security Experts

Seasoned security professionals

Thousands of customers

Some of the largest VM installations in the world

Award-Winning Solutions

Recognized product leadership

Securing companies of all sizes

Unparalleled services and support

Page 4: eEye Digital Security - Vulnerability Expert Forum, June 2011

Why eEye

Making the Complex Simple

Unified

Efficient

Effective


“Retina provides a solid feature set with easy-to-use scanning controls. It’s an excellent vulnerability scanner at a good price. This one gets our Best Buy.”

“eEye Digital Security raises the standard in enterprise endpoint protection with a management console that could almost be called next generation.”

“eEye’s security research team continues to provide good Windows vulnerability coverage and mitigation advice for zero-day vulnerabilities.”

“Retina has many desirable features…and an extremely flexible reporting portal. The product is also attractively priced.”

The Industry Experts Say…

Page 5: eEye Digital Security - Vulnerability Expert Forum, June 2011

eEye Research Services

eEye Preview
• Advanced Vulnerability Information
• Full Zero-Day Analysis and Mitigation
• Custom Malware Analysis
• eEye Research Tool Access
• Includes Managed Perimeter Scanning

eEye AMP
• Any Means Possible Penetration Testing
• Gain true insight into network insecurities
• “Capture-The-Flag” Scenarios

eEye Custom Research
• Exploit Development
• Malware Analysis
• Forensics Support
• Compliance Review


Page 6: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft June Security Bulletins

16 Total Bulletins; 34 Issues Fixed

Vulnerability in MHTML Could Allow Information Disclosure (2544893)

Vulnerability in OLE Automation Could Allow Remote Code Execution (2476490)

Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2514842)

Vulnerability in Threat Management Gateway Firewall Client Could Allow Remote Code Execution (2520426)

Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694)

Vulnerabilities in Distributed File System Could Allow Remote Code Execution (2535512)

Vulnerability in SMB Client Could Allow Remote Code Execution (2536276)

Vulnerability in .NET Framework Could Allow Remote Code Execution (2538814)


Page 7: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft June Security Bulletins

16 Total Bulletins; 34 Issues Fixed

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2537146)

Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2503665)

Vulnerability in Hyper-V Could Allow Denial of Service (2525835)

Vulnerability in SMB Server Could Allow Denial of Service (2536275)

Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893)

Cumulative Security Update for Internet Explorer (2530548)

Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege (2518295)

Vulnerability in Vector Markup Language Could Allow Remote Code Execution (2544521)


Page 8: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-037

1 Vulnerability Fixed in Bulletin

MHTML MIME-Formatted Request Vulnerability - CVE-2011-1894

Severity: Important

My Magical Mime and Me

Allows Information Disclosure

Publicly Disclosed

Mitigations

Disable the MHTML Protocol


Page 9: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-038

1 Vulnerability Fixed in Bulletin

OLE Automation Underflow Vulnerability - CVE-2011-0658

Severity: Critical

Ole! Ole ole ole!

Remote code execution under the context of the currently logged-in user

Privately Reported

Likely attack vector is a webpage hosting a specially crafted Windows Metafile image.

Mitigations

Disable scripting, make use of trusted zones


Page 10: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-039

1 Vulnerability Fixed in Bulletin

.NET Framework Array Offset Vulnerability - CVE-2011-0664

Severity: Critical

You wearing your Hair.NET?

Remote code execution under the context of the currently logged-in user

Privately Reported

Mitigations

Disable the ability to run partially trusted .NET applications

Adjust settings to prompt before running XAML browser applications in Internet Explorer

Prevent the Microsoft Silverlight ActiveX control from running


Page 11: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-040

1 Vulnerability Fixed in Bulletin

TMG Firewall Client Memory Corruption Vulnerability - CVE-2011-1889

Severity: Critical

Fe Fi Fofront Fum

Requires that the client make specially crafted network requests

Privately Reported

Mitigations

Disable the TMG Client


Page 12: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-041

1 Vulnerability Fixed in Bulletin

Win32k OTF Validation Vulnerability - CVE-2011-1873

Severity: Critical

Oh That OTF!!!

Remote code execution with kernel-level privileges

Privately Reported

Exploited when a user views a specially crafted OpenType font

Mitigations

Disable the WebClient service

Disable the Preview and Details panes in Windows Explorer

Block TCP ports 139 and 445 at the firewall


Page 13: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-042

2 Vulnerabilities Fixed in Bulletin

DFS Memory Corruption Vulnerability - CVE-2011-1868

DFS Referral Response Vulnerability - CVE-2011-1869

Severity: Critical

DFS = Dress For Success

Possible unauthenticated remote code execution with elevated privileges

Both Privately Reported

Mitigations

No mitigations have been identified for these vulnerabilities

Page 14: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-043

1 Vulnerability Fixed in Bulletin

SMB Response Parsing Vulnerability - CVE-2011-1268

Severity: Critical

1-Up's and Koopa Shells

Vulnerability is in the processing of an SMB response sent to a client-initiated request

Unauthenticated remote code execution with elevated privileges

Privately Reported

Mitigations

Block ports 139 and 445 at the firewall


Page 15: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-044

1 Vulnerability Fixed in Bulletin

.NET Framework JIT Optimization Vulnerability - CVE-2011-1271

Severity: Critical

Just In Time For Another .NET Vulnerability

Remote code execution with the same privileges as the currently logged-in user

Publicly Disclosed

Mitigations

Disable the ability to run partially trusted .NET applications

Adjust settings to prompt before running XAML browser applications in Internet Explorer


Page 16: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-045

8 Vulnerabilities Fixed in Bulletin

Excel Insufficient Record Validation Vulnerability - CVE-2011-1272

Excel Improper Record Parsing Vulnerability - CVE-2011-1273

Excel Out of Bounds Array Access Vulnerability - CVE-2011-1274

Excel Memory Heap Overwrite Vulnerability - CVE-2011-1275

Excel Buffer Overrun Vulnerability - CVE-2011-1276

Excel Memory Corruption Vulnerability - CVE-2011-1277

Excel WriteAV Vulnerability - CVE-2011-1278

Excel Out of Bounds WriteAV Vulnerability - CVE-2011-1279

Severity: Important

Excel With a Chance of a Shell

Standard Microsoft Office file format vulnerabilities

Mitigations

Office file block policy

Prevent opening of files that fail Office File Validation


Page 17: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-046

1 Vulnerability Fixed in Bulletin

Ancillary Function Driver Elevation of Privilege Vulnerability - CVE-2011-1249

Severity: Important

Kernel Privileges At An Ancillary Function Near You

Local elevation of privilege

Publicly Disclosed

Mitigations

No mitigations have been identified for this vulnerability

Page 18: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-047

1 Vulnerability Fixed in Bulletin

VMBus Persistent DoS Vulnerability - CVE-2011-1872

Severity: Important

Wheels on the VMBus Go Round then Down

Privately Reported

Authenticated denial of service

Mitigations

No mitigations have been identified for this vulnerability

Page 19: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-048

1 Vulnerability Fixed in Bulletin

SMB Request Parsing Vulnerability - CVE-2011-1267

Severity: Important

Watch Your Toadstool

Privately Reported

Remote, unauthenticated, denial of service via SMB requests

Mitigations

Block TCP ports 139 and 445 at the firewall


Page 20: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-049

1 Vulnerability Fixed in Bulletin

XML External Entities Resolution Vulnerability - CVE-2011-1280

Severity: Important

Party at the Disco

Exploited via specially crafted .disco files

Privately Reported

Information disclosure

Mitigations

No mitigations have been identified for this vulnerability

Page 21: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-050

11 Vulnerabilities Fixed in Bulletin

MIME Sniffing Information Disclosure Vulnerability - CVE-2011-1246

Link Properties Handling Memory Corruption Vulnerability - CVE-2011-1250

DOM Manipulation Memory Corruption Vulnerability - CVE-2011-1251

toStaticHTML Information Disclosure Vulnerability - CVE-2011-1252

Drag and Drop Memory Corruption Vulnerability - CVE-2011-1254

Time Element Memory Corruption Vulnerability - CVE-2011-1255

DOM Modification Memory Corruption Vulnerability - CVE-2011-1256

Drag and Drop Information Disclosure Vulnerability - CVE-2011-1258

Layout Memory Corruption Vulnerability - CVE-2011-1260

Selection Object Memory Corruption Vulnerability - CVE-2011-1261

HTTP Redirect Memory Corruption Vulnerability - CVE-2011-1262

Severity: Critical

I before E right after Vulnerability

All Privately Reported

Remote code execution

Mitigations

Disable scripting, make use of trusted zones

Read emails in plain text


Page 22: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-051

1 Vulnerability Fixed in Bulletin

Active Directory Certificate Services Vulnerability - CVE-2011-1264

Severity: Important

Cross Your T’s and Sign Your Certificates

Cross-Site Scripting (XSS)

Privately Reported

Requires that the user browse to an attacker-controlled web site

Mitigations

Enable XSS filter for Intranet Zone in Internet Explorer


Page 23: eEye Digital Security - Vulnerability Expert Forum, June 2011

Microsoft Security Bulletin: MS11-052

1 Vulnerability Fixed in Bulletin

VML Memory Corruption Vulnerability - CVE-2011-1266

Severity: Critical

What's Our Vector, Victor?

Privately Reported

Remote code execution with the same rights as the user

Requires that the user view an attacker-controlled web site

Mitigations

Disable scripting, make use of trusted zones

Read emails in plain text


Page 24: eEye Digital Security - Vulnerability Expert Forum, June 2011

Retina Community

Powered by the renowned Retina Network Security Scanner technology, Retina Community is a completely FREE vulnerability assessment solution.

Scan up to 32 Unique IP Addresses

Assessment Audits for Operating Systems, Applications, Network Devices, and Virtualized Environments

SCAP Configuration Scanning

Vulnerability and Executive Reporting

Data Export to XML, CSV, PDF

Auto Update for Vulnerability Audits


Download Now: http://community.eeye.com

Page 25: eEye Digital Security - Vulnerability Expert Forum, June 2011

Oracle Java CPU – June 2011

18 Vulnerabilities Addressed

Affecting JDK and JRE versions 6, 5, and 1.4.2

13 Vulnerabilities affect confidentiality, integrity, and availability

10 Vulnerabilities Scoring 10.0 CVSS v2 Base Score

All Vulnerabilities Remotely Exploitable

Cup o’ Java

Vulnerabilities may be in an extremely common component (e.g. Sound)

Watch out for old versions not supported or those only supported by a contract

Applications package JRE as a component
• “Shared” sense, where Java is installed as a separate but required component
• “Static” sense, where Java is installed and buried within the application directory

Remove older versions of JRE/JDK if not needed


Page 26: eEye Digital Security - Vulnerability Expert Forum, June 2011

Adobe Security Updates – June 2011

Flash Player (APSB11-18)

Affecting 10.x on Windows, Mac OS X, UNIX/Linux, Android, Google Chrome

Exploitation seen in the wild, leading to execution of arbitrary code

Fixed in 10.3.181.26 for Windows, Mac, Unix, and Chrome

Android update not yet available

Shockwave Player (APSB11-17)

24 Vulnerabilities Fixed Affecting Windows and Mac OS X

All Vulnerabilities could lead to code execution.

Fixed in 11.6.0.626 or newer

Reader and Acrobat (APSB11-16)

13 Vulnerabilities Fixed Affecting Windows and Mac OS X

Code execution, Cross-document script execution, Security bypass

Incorporates APSB11-12 and APSB11-13 updates

Fixed in 10.1, 9.4.5, 8.3, or newer


Page 27: eEye Digital Security - Vulnerability Expert Forum, June 2011

Security Landscape - More than a Microsoft World

CTO/CSO/CxO News

Computer Sabotage Between Nations is an Act of War

Back to the Wild West days of the Internet, oh 90s, how I missed you...

Android Wallet

IT Admin News

Google Apps - What do you mean I have to update my browser now...

RSA Hacks

Apple Malware Outbreak - Because nobody predicted this would ever happen...

Researcher News

Windows PatchGuard Protection

Android Trojans, Easy as 1, 2, 3... 4... 5!

Page 28: eEye Digital Security - Vulnerability Expert Forum, June 2011

VEF Contest

You must post a comment on the “What Do You Think About eEye’s Zero-Day Tracker” blog post on the eEye blog found at http://blog.eeye.com

• http://blog.eeye.com
• We will pick someone at random from the responses posted
• Give us your Questions, Comments, and Suggestions

You must post your comment on the eEye Blog by Friday 6/17 at noon PST

Prize: Amazon Kindle + $25 Amazon gift card

Page 29: eEye Digital Security - Vulnerability Expert Forum, June 2011

eEye Unified Vulnerability Management


SECURITY RESEARCH

Automation and Efficiency = Minimized Risk and Lower TCO

MANAGE AND REPORT
• End-to-end vulnerability and compliance management
• Centralized management, reporting, and controls
• Assess, mitigate, and protect from one console
• Advanced trending and analytics

ASSESS
• Vulnerability Scanning
• Configuration Auditing
• Asset Discovery & Inventory
• Zero-Day Vulnerability Identification
• Vulnerability Reporting
• Compliance Auditing

MITIGATE
• Integrated Patch Management
• Prioritized Mitigation
• Risk Scoring
• Security Alerts
• Prescriptive Remediation Reporting

PROTECT
• Zero-Day Protection
• Intrusion Prevention
• Web Protection
• Application Protection
• System Protection

Page 30: eEye Digital Security - Vulnerability Expert Forum, June 2011

Connect with eEye

http://blog.eeye.com

http://www.facebook.com/eEyeDigitalSecurity

http://www.twitter.com/eEye

http://www.YouTube.com/eEyeDigitalSecurity


Page 31: eEye Digital Security - Vulnerability Expert Forum, June 2011

Start Today

Visit eEye http://www.eEye.com

About Us, Solutions, Awards, Resources, Downloads

Visit the eEye Security Resource Center http://www.eEye.com/Resources

Demos, Guides, Whitepapers, Videos, Webinars, Events

Contact Us 1.866.339.3732 or [email protected]
