Citrix XenApp 7.6 Released

Today, Citrix XenApp 7.6 was released (along with XenDesktop 7.6). It addresses several features that have been “missing” from XenApp since the 7.x platform was released. If this release is all it’s cracked up to be, I think you’ll see most XenApp customers on 6.x (or those still on 4.5, you know who you are) looking to upgrade to 7.6 sooner rather than later.

So, what exactly is in 7.6 that changes this thinking?

  • Connection Leasing – Remember the local host cache? Most of my clients do, and they have noted its departure in the 7.x architecture. Connection leasing is how Citrix is addressing it, starting with 7.6. Though it doesn’t offer quite the same functionality, and highly available databases are still recommended, it can keep the environment running and allow access to a user’s commonly used applications and desktops while the database is down.
  • Anonymous Users – We have a handful of clients (Healthcare, I am talking about you) who leveraged the anonymous user capability in previous versions. It comes back with 7.6.
  • Session pre-launch and linger – These features made a quick appearance in XenApp 6.5 and then went away. Now they are back. Pre-launch offers an enhanced user experience for situations where a user launches published applications from a desktop after logging into their PC. It starts a session in the background, loads the applications, and keeps the session in a disconnected state until the user opens an application. Once the application is opened, the user connects to the existing session, which is almost instantaneous. Linger keeps the session open (disconnected) for longer after the user closes their applications, so if another application is launched, the session is reconnected and the application is loaded. Both features are designed to hide and/or eliminate the authentication/logon process from the user.
  • Application Folders – You can now put applications in folders to allow for groupings of applications or suites. This was possible using keywords, but this version makes it easier to administer.
  • Application Usage in Director – Director can now report on concurrent application usage in the environment, like EdgeSight had in the past.

Of course, XenDesktop 7.6 also has these new features (at least the ones that apply) as they share the same foundation and architecture. So, features like Connection Leasing will help Citrix XenApp and XenDesktop customers.

Contact Gotham to discuss your upgrade to XenApp / XenDesktop 7.6!

Gotham Security Daily Threat Alerts

September 25, Softpedia – (International) Bash bug “Shellshock” is as large an issue as Heartbleed. A researcher found a security vulnerability, named Shellshock, in the GNU Bourne Again Shell (Bash) command interpreter. It is present in versions 1.14 through 4.3, which are used in several Unix-based operating systems such as Linux and Mac OS X, and it poses a risk of remote code execution that can be triggered in many ways by applications that invoke Bash. A patch was issued for the vulnerability CVE-2014-6271 but was incomplete, and a second vulnerability, CVE-2014-7169, was assigned as a result and remains unpatched. Source:

September 25, Securityweek – (International) Critical signature forgery flaw found in Mozilla NSS crypto library. Mozilla released an update for its products, and Google updated Chrome and Chrome OS, to address the “BERserk” vulnerability disclosed by two independent researchers from the Intel Security Advanced Threat Research Team and INRIA Paris-Rocquencourt, who found that the Mozilla Network Security Services (NSS) cryptographic library can be exploited to forge signatures. Attackers can leverage a flaw in the parsing of ASN.1-encoded messages that use Basic Encoding Rules (BER), exploiting the fact that the length of a field in BER can be made to span many bytes. Source:

September 24, Threatpost – (International) More trouble for jQuery as second compromise reported. jQuery, an open source JavaScript library, worked to mitigate a second compromise after its site’s homepage was defaced. Representatives announced that the Web site was taken down and cleaned of infected files, and that the project is working on re-securing its servers and addressing vulnerabilities. Source:

September 24, Securityweek – (International) SMB employees targeted with fake termination emails: Bitdefender. Researchers at Bitdefender warned employees and IT administrators of small and medium-sized businesses about a rash of fake emails claiming the recipient has been terminated, designed to distribute information-stealing malware packed in an ARJ file archive. Once the attached file is decompressed and executed, the malware opens a clean rich text format (RTF) document as a decoy while it connects back to the attackers, who then send instructions to the infected machine. Source:

September 24, Network World – (International) Apple yanks buggy iOS 8 update. Apple pulled its iOS 8.0.1 update and is working on a patch after reports that the update was cutting off cell service and making the Touch ID fingerprint sensor inoperable. Source:

September 26, Softpedia – (International) Honeypot catches malware exploiting Shellshock Bash bug. AlienVault researchers used their honeypots to capture two pieces of malware exploiting the Shellshock Bash vulnerability: an Internet Relay Chat (IRC) bot and an Executable and Linkable Format (ELF) binary that gives malicious actors the ability to use the infected machine in distributed denial of service (DDoS) attacks. Patches are available for several software platforms, while attackers are rapidly working to exploit the CVE-2014-6271 vulnerability. Source:

September 26, Macworld – (International) Apple quickly issues iOS 8.0.2 update. Apple released the iOS 8.0.2 patch, which addresses several issues and reinstates the improvements and fixes from the former update, iOS 8.0.1, which was promptly withdrawn after it disabled Touch ID and cellular capabilities on the iPhone 6 and iPhone 6 Plus. Source:

September 26, Help Net Security – (International) Phishers go after unprecedented breadth of targets. The Anti-Phishing Working Group (APWG) released its Global Phishing Survey, co-authored with Internet Identity (IID), and found that in the first half of 2014 Apple was the most phished brand in the world, accounting for 17 percent of all reports sampled. PayPal came in second, accounting for 14.4 percent, or 17,811 targeted attacks, the report stated, among other findings. Source:

September 25, Securityweek – (International) BlackEnergy malware linked to targeted attacks. ESET and F-Secure researchers found that the BlackEnergy malware has been active in targeted attacks in 2014, modified for use as a tool for sending spam and for online bank fraud. Researchers dubbed the variant “BlackEnergyLite” because of its lack of a kernel-mode driver component, its reduced support for plug-ins, and its lighter overall footprint. Source:

Gotham Security Threat Alert – SHELLSHOCK

September 25, 2014 – CERT-UK update: Bash vulnerability (AKA SHELLSHOCK) announcement, CVE-2014-6271 and CVE-2014-7169.

Please see the article for full details including a testing procedure.

  1. Overnight a vulnerability was announced in the computer program ‘bash’ (ref CVE-2014-6271). This vulnerability enables unauthenticated users to run arbitrary commands, and in some configurations remote code execution is possible. This has been given the highest possible threat ratings by independent security research bodies, including NIST, for both impact and exploitability.
  2. Bash is a standard program installed on most machines running non-Windows operating systems, including, but not limited to, Unix, Linux, MacOS and many embedded architecture devices. The affected versions go back to bash 1.14, which was first released in ~1995. Unlike the Heartbleed vulnerability, which affected only openssl (an additional program that only certain users actually implemented), SHELLSHOCK is likely to affect a much wider community.
  3. CVE-2014-6271 has a working patch for most distributions (more details in the below Advisory link); however, there are reports that the patch is not a complete fix, and so a further vulnerability ID has been established (CVE-2014-7169). There is the potential that the increased focus on bash will lead to further vulnerabilities being discovered in the coming days. This follows a recent trend among security researchers of identifying vulnerabilities in hitherto trusted applications.
  4. The real-world impact of this vulnerability depends greatly on the systems on which it is deployed. However, due to the common usage of *nix systems as servers in network environments, it should be assumed that most server-based architectures are affected. This will inevitably include organisations that are part of the CNI. As such, all organisations that make use of *nix-based environments should pay particular attention to the patching requirements and other mitigation steps.

This vulnerability has the ID CVE-2014-6271 and has been given an Exploitability score of 10.0 – the same as Heartbleed.
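As an added self-check (not from the CERT-UK advisory or from Gotham), the following POSIX shell script reports whether the local bash still executes a command appended to an imported function definition, the behaviour behind CVE-2014-6271; the function names are my own. It tests only the local interpreter, writes no files, and does not cover the separate CVE-2014-7169 follow-up, which needs its own vendor patch.

```shell
#!/bin/sh
# Added example: local self-test for the CVE-2014-6271 bash behaviour.
# An unpatched bash imports any environment variable whose value starts
# with "() {" as a function and, critically, also runs whatever follows
# the closing brace. A patched bash ignores the trailing command.

# Prints one of: no-bash | vulnerable | patched (always returns 0, so it
# can be used inside $(...) under "set -e")
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # The trailing "echo VULNERABLE" only runs on an unpatched bash.
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo patched ;;
    esac
    return 0
}

# Prints the local bash version string (empty if bash is absent)
bash_version() {
    command -v bash >/dev/null 2>&1 || { echo ""; return 0; }
    bash -c 'printf "%s" "$BASH_VERSION"'
}

# Human-readable report; exit status 1 only when the host is vulnerable
report() {
    printf 'bash version: %s\n' "$(bash_version)"
    result=$(shellshock_check)
    printf 'CVE-2014-6271 status: %s\n' "$result"
    case "$result" in
        vulnerable) echo 'Apply the distribution bash update and re-run.'; return 1 ;;
        patched)    echo 'Trailing-command import is blocked; confirm the CVE-2014-7169 fix separately.' ;;
        no-bash)    echo 'bash not found on this host; nothing to test.' ;;
    esac
    return 0
}

report
```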

Check Point has published a response that they are aware and researching, as follows.


Gotham Security Daily Threat Alerts

September 22, Softpedia – (International) Hackers target Destiny and Call of Duty servers with DDoS attack. Several servers for the online games Destiny and Call of Duty: Ghosts went down during the weekend of September 20 due to a distributed denial of service (DDoS) attack that affected PlayStation and Xbox users. Attackers claiming affiliation with the Lizard Squad group claimed responsibility for the attacks. Source

September 22, The Register – (International) Exercise-tracking app not QUITE fit for purpose. A researcher identified and reported a direct object reference vulnerability in the MyFitnessPal app that allowed users’ personal information, including location and dates of birth, to be accessed by any user. The vulnerability was closed 2 days after being reported. Source

September 22, Securityweek – (International) Yahoo fixes RCE flaw leading to root server access. A researcher identified and reported a series of vulnerabilities in a Yahoo domain which led to a remote code execution vulnerability that was leveraged to gain root access to a Yahoo server. The vulnerability was reported September 5 and closed September 7. Source

September 19, Securityweek – (International) Apple fixes numerous vulnerabilities with release of Mac OS X 10.9.5. Apple released the latest version of its OS X operating system September 18, which addresses over 40 vulnerabilities that could lead to information disclosure, arbitrary code execution, privilege escalation, and other issues. Apple also released security updates for its OS X Server, Apple TV, Xcode development platform, and Safari Web browser. Source

September 18, IDG News Service – (International) Malicious advertisements distributed by DoubleClick, Zedo networks. Researchers at Malwarebytes found that the DoubleClick and Zedo advertisement networks have been delivering malicious ads to several popular Web sites, including The Times of Israel and The Jerusalem Post. The malicious ads redirect users to a page hosting the Nuclear exploit kit, which then attempts to drop the Zemot malware, used by attackers to download additional malicious components. Source

September 18, Threatpost – (International) Dyre trojan caught in the cookie jar. An analysis by Adallom researchers found that a new variant of the Dyre banking trojan is targeting login credentials for large banks and corporate accounts. The new variant is capable of stealing client certificates and browser cookies, potentially acquiring the same account persistence for attackers as that held by legitimate users. Source

Gotham Security Daily Threat Alerts

September 18, Securityweek – (International) Apple fixes “backdoors” with release of iOS 8. Apple released the newest version of its mobile operating system, iOS 8, September 17, which adds improvements and closes over 50 security vulnerabilities. Source:

September 17, Threatpost – (International) Series of vulnerabilities found in Schneider Electric SCADA products. An advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned users of Schneider Electric StruxureWare SCADA Expert ClearSCADA products after researchers discovered unpatched, remotely-exploitable vulnerabilities. Included in the vulnerabilities is a cross-site scripting (XSS) issue that could allow industrial control systems (ICS) to be shut down, while an authentication bypass issue could give attackers access to sensitive information. Source:

September 17, Securityweek – (International) AppBuyer iOS malware targets jailbroken iPhones. Researchers with Palo Alto Networks analyzed a piece of iOS malware discovered by WeiPhone Technical Group in May and found that the malware dubbed AppBuyer is targeting jailbroken iPhones in order to steal Apple ID and password information and make unauthorized purchases from the App Store. Source:

September 17, SC Magazine – (International) Analysts spot ‘Critolock,’ ransomware claims to be CryptoLocker. Researchers at Trend Micro identified a new piece of ransomware known as Troj_Critolock.A or Critolock that infects devices and encrypts users’ data and demands a ransom. The malware purports to be the CryptoLocker ransomware but contains several differences including its use of the Rijndael symmetric-key algorithm. Source:

September 17, Threatpost – (International) Drupal patches XSS vulnerability in spam module. Drupal released a patch September 17 for the Mollom spam and content moderation module that closes a cross-site scripting (XSS) vulnerability that could allow an attacker to gain admin-level access to Web sites and enable them to steal data or hijack sessions. Source:

September 17, Securityweek – (International) Website of U.S. oil and gas company abused in watering hole attack. Researchers at Bromium found that attackers injected malicious code into the Web site of an unnamed U.S. oil and gas company in an effort to infect the computers of its visitors, known as a watering hole attack. The malicious script used on the compromised Web site utilized the Internet Explorer vulnerability CVE-2013-7331 which allows resources loaded into memory to be queried. Source:

Gotham Security Daily Threat Alerts

September 17, Securityweek – (International) Twitter fixes vulnerability potentially impacting company’s ad revenue. A security researcher identified and reported a vulnerability in a Twitter subdomain that could be used to delete the payment card information used by advertisers to pay for ads on the social media network. Twitter addressed the vulnerability and awarded a $2,800 bounty to the researcher. Source:

September 17, Securityweek – (International) Amazon fixes persistent XSS vulnerability affecting Kindle library. Amazon addressed a cross-site scripting (XSS) vulnerability on the Amazon Web page used to manage users’ Kindle libraries that could be used by an attacker to inject malicious code through eBook metadata. Source:

September 17, Help Net Security – (International) Macro based malware is on the rise. Researchers with Sophos found that macro-based malware created in Visual Basic rose from around 6 percent of document malware to 28 percent in July, among other findings. Source:

September 16, Threatpost – (International) Adobe gets delayed Reader update out the door. Adobe released new versions of Adobe Reader and Acrobat September 16 that were delayed during Adobe’s scheduled patch release the week of September 8. The updates close eight vulnerabilities including two memory corruption issues and a cross-site scripting (XSS) vulnerability affecting Macintosh users. Source:

September 16, Threatpost – (International) Archie exploit kit targets Adobe, Silverlight vulnerabilities. Researchers at AlienVault Labs analyzed a new exploit kit first identified by EmergingThreats researchers and found that the Archie exploit kit attempts to exploit older versions of Adobe Flash, Reader, and Microsoft Silverlight and Internet Explorer. Source:

Gotham Security Daily Threat Alerts

September 16, Softpedia – (International) Malicious Kindle eBooks can give hackers access to your Amazon account. A security researcher identified a security issue in Amazon’s “Manage your Kindle page” that can be exploited using a malicious eBook file to take over a user’s Amazon account. The same vulnerability was reported and fixed in November 2013 but was reintroduced in a new version of the page. Source

September 16, The Register – (International) THREE QUARTERS of Android mobes open to web page spy bug. A Metasploit developer released a Metasploit module for a vulnerability in Android versions 4.2.1 and below that was discovered September 1, which could automate an exploitation of the vulnerability and allow attackers behind a malicious Web page to see users’ other open pages and hijack sessions. Source

September 15, KrebsOnSecurity – (International) LinkedIn feature exposes email addresses. Researchers with Rhino Security Labs demonstrated how an attacker could use a ‘find connections’ feature in LinkedIn and a large number of email contacts generated with likely email addresses to identify the email address of specific individuals for possible use in spear-phishing or other malicious activities. LinkedIn stated that it was planning at least two changes to the way the professional network handles user email addresses to counteract the issue. Source

September 15, Threatpost – (International) SNMP DDoS scans spoof Google public DNS server. The SANS Internet Storm Center reported September 15 that large-scale Simple Network Management Protocol (SNMP) scans spoofing the source address of Google’s public DNS server were taking place, indicating a scan intended to identify routers and devices using default SNMP passwords. Vulnerable routers and devices could have their configuration variables changed, creating a denial of service (DoS) situation on the affected devices. Source
