@RISK Newsletter for March 07, 2013
The consensus security vulnerability alert.
Vol. 13, Num. 10
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 2/26/2013 - 3/5/2013
TOP VULNERABILITY THIS WEEK: Network administrators were given another
reason to disable Java across their enterprises this week, as another
new Java 0-day was publicly disclosed last Friday. While the
vulnerability had been used for targeted attacks, and a patch was
released on Monday, it is likely to become widely exploited,
particularly in exploit kits, over the next few weeks.
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Fresh Java 0-day hits, Oracle releases patch
Description: Described as “Yet another Java 0-day” by the organization
disclosing it, details emerged last Friday of a bug in the color
management portion of Java applets that Oracle said was “easily
exploitable” in the note it released on Monday to accompany its patches.
Attacks in the wild have been targeted to date, and initially
compromised sites were using C&C channels and malware samples associated
with the recent Bit9 breach, suggesting a coordinated campaign by those
using the exploit. Still, given the proliferation of exploit kits -
including a new one announced Monday that uses nothing but Java
vulnerabilities - it is only a matter of time before mass exploitation
occurs, and users are urged to patch immediately.
Reference:
http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/
http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1915099.xml
http://blog.webroot.com/2013/03/05/cybercriminals-release-new-java-exploits-centered-exploit-kit/
Snort SID: 26025 26030
ClamAV: JAVA.Exploit.CVE_2013_1493, WIN.Trojan.McRat
Title: MiniDuke malware targeting European governments, agencies
Description: A newly discovered piece of targeted malware dubbed
“MiniDuke” has been using CVE-2013-0640 - a PDF vulnerability discovered
in February - to drop particularly sneaky malware on European
governments and their agencies at locations across the world. The
malware uses Twitter to spread information about C&C channels, and
authors left taunting clues inside their binaries, including a reference
to the number 666 just before the decryption routine.
Reference:
http://www.securelist.com/en/blog/208194129/The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_0x29A_Micro_Backdoor
Snort SID: -
ClamAV: PDF.Exploit.CVE_2013_0640
Title: 0-day exploit in the wild for Japanese word processor Ichitaro
Description: Trend Micro recently discovered an exploit in the wild for
the popular Japanese word processing software Ichitaro. Similar to
vulnerabilities in Microsoft Office discovered in 2011, the program uses
improper path selection criteria for loading DLLs, so it can easily
be tricked into loading a malicious DLL and executing arbitrary code on
the system. Patches for some versions of the software were made
available on March 5, while fixes for other versions are scheduled for
release on March 28.
Reference:
http://blog.trendmicro.com/trendlabs-security-intelligence/modified-ichitaro-dll-file-leads-to-backdoor/
http://www.justsystems.com/jp/info/js13001.html
Snort SID: 26070 26071 26072
ClamAV: Win.Exploit.CVE_2013_0707, Win.Trojan.Locati, Win.Trojan.Locati-1
Title: SAP NetWeaver remote code execution
Description: The SAP NetWeaver service is vulnerable to remote code
execution via malformed messages taking advantage of the
MSJ2EE_AddStatistics() function. Exploit code is publicly available, and
attacks are presumed to be occurring in the wild. Users should patch
their systems immediately.
Reference:
http://www.exploit-db.com/exploits/24511/
Snort SID: 26073, 26074
ClamAV: N/A
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
New heapspray technique for Metasploit browser exploitation:
https://community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation
Oracle Java exploits and 0-days since 2012 - interactive timeline:
http://eromang.zataz.com/2013/03/03/oracle-java-exploits-and-0days-since-2012-interactive-timeline/
How much does it cost to buy 10,000 US-based malware-infected hosts?
http://blog.webroot.com/2013/02/28/how-much-does-it-cost-to-buy-10000-u-s-based-malware-infected-hosts/
Bound to fail: why cybersecurity risk cannot be “managed” away:
http://www.brookings.edu/research/papers/2013/02/cyber-security-langner-pederson
Finding hidden vHosts:
http://blog.cyberis.co.uk/2013/02/finding-hidden-vhosts.html
Debugging a debugger to debug a dump:
http://blogs.msdn.com/b/ntdebugging/archive/2013/02/27/debugging-a-debugger-to-debug-a-dump.aspx
How mobile spammers verify the validity of harvested phone numbers:
http://blog.webroot.com/2013/02/27/how-mobile-spammers-verify-the-validity-of-harvested-phone-numbers/
Fixing XSS: A practical guide for developers:
https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
Russian ransomware takes advantage of Windows Powershell:
http://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2013-1493
Title: Oracle Java SE JVM 2D Subcomponent Remote Code Execution Vulnerability (Oracle Security Alert for CVE-2013-1493)
Vendor: Oracle
Description: The color management (CMM) functionality in the 2D
component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and
earlier, and 5.0 Update 40 and earlier allows remote attackers to
execute arbitrary code or cause a denial of service (crash) via an image
with crafted raster parameters, which triggers (1) an out-of-bounds read
or (2) memory corruption in the JVM, as exploited in the wild in
February 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-0431
Title: Java Applet JMX Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 through Update 11 allows
user-assisted remote attackers to bypass the Java security sandbox via
unspecified vectors related to JMX, aka “Issue 52,” a different
vulnerability than CVE-2013-1490.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
ID: CVE-2013-0640, CVE-2013-0641
Title: Adobe Reader and Acrobat Unspecified Code Execution Vulnerability (APSB13-07)
Vendor: Adobe
Description: Unspecified vulnerability in Adobe Reader and Acrobat 9.x
through 9.5.3, 10.x through 10.1.5, and 11.x through 11.0.1 allows
remote attackers to execute arbitrary code via a crafted PDF document,
as exploited in the wild in February 2013.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-0025
Title: Microsoft Internet Explorer SLayoutRun Use-After-Free (MS13-009)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
8 allows remote attackers to execute arbitrary code via a crafted web
site that triggers access to a deleted object, aka “Internet Explorer
SLayoutRun Use After Free Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-3569
Title: VMware OVF Tools Format String Vulnerability
Vendor: VMware
Description: Format string vulnerability in VMware OVF Tool 2.1 on
Windows, as used in VMware Workstation 8.x before 8.0.5, VMware Player
4.x before 4.0.5, and other products, allows user-assisted remote
attackers to execute arbitrary code via a crafted OVF file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 2/26/2013 - 3/5/2013 COMPILED BY SOURCEFIRE