Search

See Resources

@RISK Newsletter for July 26, 2012 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 30

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 7/17/2012 - 7/24/2012


TOP VULNERABILITY THIS WEEK: A trivially exploitable remote root

vulnerability exists in the Kindle Touch built-in browser. Based on
its support for the NPAPI, commands can be injected with root-level
privileges with no authentication, simply by visiting a web page.
Exploits are presumed to already exist in the wild.


NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM:

Title: Remote Root Exploit in Kindle Touch
Description: The built-in browser for the Kindle Touch integrates
support for the Netscape Plugin API, a modern cross-browser scripting
language. Unfortunately, it is implemented in such a way that it allows
injection of commands into the browser with root privileges. While the
API is poorly documented, and few public details about exploitation
currently exist in the wild, exploits will be trivial to write and
should be presumed to exist at this point.
Reference:
http://vrt-blog.snort.org/2012/07/dont-panic.html
http://www.mobileread.com/forums/showthread.php?t=175368
Snort SID: 23616, 23617
ClamAV: N/A

Title: Arbitrary Remote File Upload in Wordpress Invit0r Plugin
Description: The WordPress Invit0r plugin, which can be used to invite
Yahoo contacts to visit your blog, has an arbitrary remote file include
vulnerability. While it has been pulled from the official Wordpress
plugins site, multiple public exploits exist and are being actively used
in the wild. While this particular plugin is not especially notable, it
highlights the ongoing challenge of securing Wordpress and other CMS
systems, and the dangers created by such sites being exploited and used
to host malware.
Reference:
http://packetstormsecurity.org/files/113639/WordPress-Invit0r-0.22-Shell-Upload.html
Snort SID: 23484, 23485
ClamAV: N/A

Title: ZeroAccess Trojan Continues To Spread
Description: The ZeroAccess trojan/rootkit, a particularly nasty piece
of malware that was first discovered in the wild in early 2012, is today
considered by some to be one of the top threats to end-users in the
wild. The Sourcefire VRT has been following this malware recently, and
has new signatures for command-and-control traffic generated by infected
systems. As this malware has been known to cause users to exceed
bandwidth caps and be charged by their ISP directly, users both
corporate and private are encouraged to check their systems for signs
of infection regularly.
Reference:
http://threatpost.com/en_us/blogs/report-bandwith-burning-malware-among-biggest-consumer-threats-071912
https://www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/
Snort SID: 23492, 23493
ClamAV: Trojan.ZeroAccess-1 - Trojan.ZeroAccess-693

Title: Use of XML Templates To Embed Malware In PDFs
Description: The Sourcefire VRT has received multiple reports of
malicious PDFs being distributed in the wild that embed their malicious
content inside of an XML tempalte within the PDF. After extensive
testing across thousands of PDF files, both malicious and benign, the
VRT has determined that the number of legitimate uses of this
functionality in the field today is so low that detection of such
documents generically is a useful way to detect new malware variants.
As always, users are highly encouraged to keep their PDF parsing
applications up-to-date at all times.
Reference:
http://www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation
https://www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/
Snort SID: 23612
ClamAV: Exploit.PDF.Dropped-21, Exploit-JS.10


USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Inside VirusTotal’s pants: VirusTotal += Behavioural Information
http://blog.virustotal.com/2012/07/virustotal-behavioural-information.html

DoItQuick: Fast Domains for Dirty Deeds - Krebs on Security
http://krebsonsecurity.com/2012/07/service-secures-domains-for-black-deeds/

New contact-stealing Android malware found in wild:
http://www.zdnet.com/new-contacts-stealing-android-malware-spotted-in-the-wild-7000001296/

Calling all elite security experts: be among the first malware domain taggers:
http://blog.opendns.com/2012/07/19/calling-all-elite-security-experts-apply-to-be-among-the-first-malware-domain-taggers/

How to root the Google Nexus 7:
http://liliputing.com/2012/07/how-to-root-the-google-nexus-7-unlock-the-bootloader-install-custom-recovery.html

Russian hacker battles Apple to keep in-app purchase exploit alive:
http://www.bgr.com/2012/07/18/app-store-hack-in-app-purchases-apple-exploit/

Online dating scam currently circulating in the wild:
http://blog.webroot.com/2012/07/16/online-dating-scam-campaign-currently-circulating-in-the-wild/

Looking at mutex objects for malware discovery and indicators of compromise:
http://computer-forensics.sans.org/blog/2012/07/24/mutex-for-malware-discovery-and-iocs


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: : CVE-2012-2974
Title: SMC SMC8024L2 Switch Web Interface Authentication Bypass
Vendor: SMC Networks
Description: The web interface on the SMC SMC8024L2 switch allows remote
attackers to bypass authentication and obtain administrative access via
a direct request to a .html file under (1) status/, (2) system/, (3)
ports/, (4) trunks/, (5) vlans/, (6) qos/, (7) rstp/, (8) dot1x/, (9)
security/, (10) igmps/, or (11) snmp/.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-2957
Title: Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit
Vendor: Symantec
Description: The management console in Symantec Web Gateway 5.0.x before
5.0.3.18 allows local users to gain privileges by modifying files,
related to a “file inclusion” issue.
CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)

ID: CVE-2012-0663
Title: Apple QuickTime TeXML Buffer Overflow Vulnerability
Vendor: Apple
Description: Multiple stack-based buffer overflows in Apple QuickTime
before 7.7.2 on Windows allow remote attackers to execute arbitrary code
or cause a denial of service (application crash) via a crafted TeXML
file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2012-0664
Title: Apple QuickTime Heap Based Buffer Overflow Vulnerability
Vendor: Apple
Description: Heap-based buffer overflow in Apple QuickTime before 7.7.2
on Windows allows remote attackers to execute arbitrary code or cause a
denial of service (application crash) via a crafted text track in a
movie file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2012-1723
Title: Oracle Java SE Remote Code Execution Vulnerability / Blackhole Exploit Kit
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32
and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows
remote attackers to affect confidentiality, integrity, and availability
via unknown vectors related to Hotspot.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


MOST PREVALENT MALWARE FILES 7/17/2012 - 7/24/2012: COMPILED BY SOURCEFIRE

SHA 256: 9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302
MD5: 923c4d13bee966654f4fe4a8945af0ae
VirusTotal: https://www.virustotal.com/file/9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302/analysis/
Malwr: http://malwr.com/analysis/923c4d13bee966654f4fe4a8945af0ae

Typical Filename:
Claimed Product: -
Claimed Publisher: -

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Malwr: http://malwr.com/analysis/3291e1603715c47a23b60a8bf2ca73db

Typical Filename: 01.tmp
Claimed Product: -
Claimed Publisher: -

SHA 256: 358289754D01E20D564E39D79124AFA9BED4D35B3BC22F4E09210EC75E6461B2
MD5: b94b0c0efb6f33bddd2f16907a3a9cd1
VirusTotal: https://www.virustotal.com/file/358289754D01E20D564E39D79124AFA9BED4D35B3BC22F4E09210EC75E6461B2/analysis/
Malwr: http://malwr.com/analysis/b94b0c0efb6f33bddd2f16907a3a9cd1

Typical Filename: -
Claimed Product: Firefox
Claimed Publisher: Mozilla

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B /analysis/
Malwr: http://malwr.com/analysis/bf31a8d79f704f488e3dbcb6eea3b3e3

Typical Filename: -
Claimed Product: -
Claimed Publisher: -

SHA 256: D1857A4F3F2739FB64257A53D67F82800755ED4F4019DF760E5400DDAC42EFFA
MD5: 6d5483da06cb7b45f205c51d87eb6d1a
VirusTotal: https://www.virustotal.com/file/D1857A4F3F2739FB64257A53D67F82800755ED4F4019DF760E5400DDAC42EFFA/analysis/
Malwr: http://malwr.com/analysis/6d5483da06cb7b45f205c51d87eb6d1a

Typical Filename: -
Claimed Product: -
Claimed Publisher: -


Email or call us at +1 800 745 4355 or try our Global Contacts
Subscription Packages
Qualys Solutions
Qualys Community
Company
Free Trial & Tools
Popular Topics