@RISK Newsletter for June 14, 2012
The consensus security vulnerability alert.
Vol. 12, Num. 24
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 5/29/2012 - 6/5/2012
Top Vulnerability this week: The XML zero day that affects Internet
Explorer users as well as Office 2003 and 2007 users. It was important
enough for Microsoft to make an extra out-of-cycle patch available. The
reason it is so important is that most targeted attacks going after
sensitive intellectual property use a vector like the one used in this
attack.
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: MySQL Authentication Brute Force Attack
Description: A trivially exploitable attack exists for certain platforms
running MySQL that allows attackers root access to the database without
any credentials. HD Moore has demonstrated a single-line shell script
that will grant access, so live attacks are presumed to exist in the
wild already, with automated scanners for this vulnerability likely to
follow (if not already available).
Reference:
http://vrt-blog.snort.org/2012/06/mysql-authentication-brute-force-attack.html
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
Snort SID: 23115
https://isc.sans.edu/port.html?port=3306
Title: Web Shell With GIF Header
Description: A live shell has been observed in the wild as part of
automated attempts to exploit the WordPress TimThumb vulnerability
released in August of 2011. This shell has a validly formed GIF header
prepended to the malicious PHP code, so that TimThumb’s built-in file
safety checks will be bypassed (as well as any other check based on
file(1), which declares the shell to be a valid GIF file). Several
monitoring organizations have reported this shell being dropped very
widely in the field.
Reference:
http://vrt-blog.snort.org/2012/06/web-shell-poses-as-gif.html
http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html
Snort SID: 23113, 23114
ClamAV: PHP.Hide
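As an added defensive illustration (not code from the newsletter, the VRT, or TimThumb), the check below shows why a magic-bytes test like file(1)'s is insufficient against the GIF-header web shell described above: it reports that the GIF header is accepted, then scans the rest of the body for PHP open tags, which no legitimate image needs. The two sample files are constructed inline; the "shell" body is a harmless echo statement.

```python
import re

# GIF magic values that file(1) and naive upload filters key on.
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# PHP open tags that would make a PHP-enabled web server execute the file
# as code, no matter what the first bytes say.
PHP_TAG_RE = re.compile(
    rb"<\?php\b|<\?=|<script\s+language\s*=\s*['\"]?php", re.IGNORECASE
)


def looks_like_gif(data: bytes) -> bool:
    """The shallow check a magic-only filter makes: header bytes only."""
    return data[:6] in GIF_MAGICS


def scan_image_upload(data: bytes) -> dict:
    """Return a verdict for a file that claims to be a GIF.

    gif_magic  : True when the header would satisfy a magic-only check.
    php_offset : byte offset of the first PHP open tag, or None.
    suspicious : True when PHP code follows a valid image header.
    """
    verdict = {"gif_magic": looks_like_gif(data), "php_offset": None, "suspicious": False}
    match = PHP_TAG_RE.search(data)
    if match is not None:
        verdict["php_offset"] = match.start()
        verdict["suspicious"] = True
    return verdict


# Constructed samples: a 6-byte header, a 7-byte logical screen descriptor
# (1x1 pixel, no global colour table), then either a GIF trailer (0x3B) or
# a benign PHP body standing in for the web shell.
GIF_HEADER = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"
BENIGN_GIF = GIF_HEADER + b"\x3b"
POLYGLOT_GIF = GIF_HEADER + b"<?php echo 'constructed sample'; ?>"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_GIF), ("polyglot", POLYGLOT_GIF)):
        print(name, scan_image_upload(blob))
```

Both samples pass the header check; only the polyglot is flagged, with the PHP tag found at offset 13, right after the logical screen descriptor.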
Title: CVE-2012-1875 Microsoft Internet Explorer DOM manipulation memory corruption
Description: This is a complex Document Object Model heap overwrite, but
several actors are using it in targeted attacks observed across the
globe. Several variants of the attack are in public already, and more
are being traded in the underground. Users of Internet Explorer should
patch this bug as promptly as possible.
Reference:
http://technet.microsoft.com/en-us/security/bulletin/MS12-037
Snort SID: 23125
ClamAV: Exploit.CVE_2012_1875, Exploit.CVE_2012_1875-1
Title: Unauthorized Microsoft Security Certificates Allow Windows Update Spoofing
Description: The recently discovered Flame malware used a specifically
crafted SSL certificate to man-in-the-middle the Windows Update process
and inject code. As any certificate issued by a pair of intermediate
signing authorities could, if used by Flame or others, lead to
unauthorized content being trusted by the operating system, Microsoft
explicitly revoked all certificates issued by those authorities.
Reference:
http://technet.microsoft.com/en-us/security/advisory/2718704
Snort SID: 23090
ClamAV: N/A
Title: CVE-2011-2140 Adobe Flash Player MP4 Buffer Overflow
Description: A simple buffer overflow attack exists in the way Adobe
Flash parses certain chunks of MP4 files. Public exploits exist, and
have been incorporated into the Chinese Yang Pack exploit kit. Active
exploitation of this vulnerability has been observed in the wild by the
Sourcefire VRT.
Reference:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
Snort SID: 19693, 20555, 21006, 23098
ClamAV: Trojan.GameThief-3, Exploit.SWF-24, Trojan.Cossta-22
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
(1) Flame malware collision attack explained:
http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx
http://www.trailofbits.com/resources/flame-md5.pdf
(2) Facebook begins notifying DNSChanger victims:
http://www.zdnet.com/blog/security/facebook-begins-notifying-dnschanger-victims/12296
(3) Spear Phishing Attempt vs. Digital Bond Analyzed:
http://www.digitalbond.com/2012/06/11/analysis-of-spear-phishing-malware-file/
(4) Post Mortem: Today’s attack; apparent Google Apps/Gmail
vulnerability; and how to protect yourself:
http://blog.cloudflare.com/post-mortem-todays-attack-apparent-google-app
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
ID: CVE-2012-1889
Title: Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses
uninitialized memory locations, which allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via a
crafted web site.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-1875
Title: Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote
Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 does not properly handle
objects in memory, which allows remote attackers to execute arbitrary
code by accessing a deleted object, aka “Same ID Property Remote Code
Execution Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-1849
Title: Microsoft Lync CVE-2012-1849 DLL Loading Arbitrary Code Execution Vulnerability
Vendor: Microsoft
Description: Untrusted search path vulnerability in Microsoft Lync 2010,
2010 Attendee, and 2010 Attendant allows local users to gain privileges
via a Trojan horse DLL in the current working directory, as demonstrated
by a directory that contains a .ocsmeet file, aka “Lync Insecure Library
Loading Vulnerability.”
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2012-0985
Title: Sony VAIO Wireless Manager ActiveX Control ‘WifiMan.dll’ Multiple
Buffer Overflow Vulnerabilities
Vendor: Sony
Description: Multiple buffer overflows in the Wireless Manager ActiveX
control 4.0.0.0 in WifiMan.dll in Sony VAIO PC Wireless LAN Wizard 1.0;
VAIO Wireless Wizard 1.00, 1.00_64, 1.0.1, 2.0, and 3.0; SmartWi
Connection Utility 4.7, 4.7.4, 4.8, 4.9, 4.10, and 4.11; and VAIO Easy
Connect software 1.0.0 and 1.1.0 allow remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a long
string in the second argument of the (1) SetTmpProfileOption or (2)
ConnectToNetwork method.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-2436
Title: Pligg CMS CVE-2012-2436 Multiple Cross Site Scripting Vulnerabilities
Vendor: Pligg
Description: Multiple cross-site scripting (XSS) vulnerabilities in
Pligg CMS before 1.2.2 allow remote attackers to inject arbitrary web
script or HTML via (1) an arbitrary parameter in a move or (2) minimize
action to admin/admin_index.php; (3) the karma_username parameter to
module.php in the karma module; (4) q_1_low, (5) q_1_high, (6) q_2_low,
or (7) q_2_high parameter in a configure action to module.php in the
captcha module; or (8) the edit parameter to module.php in the
admin_language module.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2012-1824
Title: Measuresoft ScadaPro DLL Loading Arbitrary Code Execution Vulnerability
Vendor: Measuresoft
Description: Untrusted search path vulnerability in Measuresoft ScadaPro
Client before 4.0.0 and ScadaPro Server before 4.0.0 allows local users
to gain privileges via a Trojan horse DLL in the current working
directory.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
MOST POPULAR MALWARE FILES 5/29/2012 - 6/5/2012
(Compiled by Sourcefire)
SHA 256: 1481ACE90584C46406259C653D2BD3457A2E5F44781E907731C9A618F96C7442
MD5: bb74024a1d4e4808562c090980151653
VirusTotal: https://www.virustotal.com/file/1481ACE90584C46406259C653D2BD3457A2E5F44781E907731C9A618F96C7442
Malwr: http://malwr.com/analysis/63fdbb9c9802d680dc6d622d2e228317/
Typical Filename: MWSSVC.EXE
Claimed Product: My Web Search Bar
Claimed Publisher: MyWebSearch.com
SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
Malwr: http://malwr.com/analysis/7961a56c11ba303f20f6a59a506693ff
Typical Filename: C8A787C22000AE378610003396E67500D587FA4E.exe
Claimed Product: My Web Search Bar for Internet Explorer and FireFox
Claimed Publisher: MyWebSearch.com
SHA 256: DFE385206E3BA737636463B22501B801B88169AF789424E8A33C3CF07A8B2235
MD5: 589c85ad4b3fd73456f32eb9d58e2f9c
VirusTotal: https://www.virustotal.com/file/DFE385206E3BA737636463B22501B801B88169AF789424E8A33C3CF07A8B2235
Malwr: http://malwr.com/analysis/589c85ad4b3fd73456f32eb9d58e2f9c
Typical Filename: 3E229CF2E0B55D93A59C027D284E7A0088209A1A.exe
Claimed Product: ShopAtHome.com Shopping Toolbar
Claimed Publisher: -
SHA 256: D69EE2A46B02A39C7BCCFFE10FB4280EFF268E2633E39697DC59CFA0D5D7CB3C
MD5: 5d3d195648820c95f20e4e9189e1937b
VirusTotal: https://www.virustotal.com/file/D69EE2A46B02A39C7BCCFFE10FB4280EFF268E2633E39697DC59CFA0D5D7CB3C
Malwr: http://malwr.com/analysis/5d3d195648820c95f20e4e9189e1937b
Claimed Product: -
Claimed Publisher: -
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
Typical Filename: avz00001.dta
Claimed Product: -
Claimed Publisher: -