Search

See Resources

@RISK Newsletter for March 14, 2013 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 13, Num. 11

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 3/5/2013 - 3/12/2013


TOP VULNERABILITY THIS WEEK: Last week’s new Java 0-day, CVE-2013-1493,

has been spotted in the wild in Cool Exploit Kit, and is likely to work
its way into other kits in the near term. Users who have not or cannot
patch should consider using their browser’s “click to play” solution,
if available, which would require a user to click on an applet to allow
it to run, thereby taking attacks like these from automatic after a
click to a state where further user interaction is required for
exploitation.


NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Recent Java 0-day Added To Cool Exploit Kit
Description: Researchers have spotted last week’s Java 0-day in the
high-end Cool Exploit Kit, marking a shift from originally being a
targeted attack to a mass-market one. The vulnerability is likely to
appear in other exploit kits as details on exploitation become more
widely available in the underground; users are urged to patch
immediately if they have not already. Those who have not patched should
also strongly consider Click-to-Play if available in their browser,
which requires users to actually click on an applet to allow it to run,
helping to minimize harm from drive-by exploit attempts.
Reference:
http://malware.dontneedcoffee.com/2013/03/cve-2013-1493-jre17u15-jre16u41.html
http://blog.mozilla.org/security/2013/01/29/putting-users-in-control-of-plugins/
http://www.ghacks.net/2010/08/13/google-chrome-gets-click-to-play/
Snort SID: 25952, 25953, 26025, 26030,
ClamAV: JAVA.Exploit.CVE_2013_1493, WIN.Trojan.McRat

Title: Microsoft Releases Patches for 20 CVEs
Description: Microsoft dumped another large Patch Tuesday on the
Internet this week, with 7 bulletins covering a total of 20 CVEs. While
none of the bugs are currently being exploited in the wild, the slew of
user-after-free bugs in Internet Explorer are likely to be targeted by
attackers in the coming weeks, as reverse engineers have a chance to
examine and break them apart. Users are urged to patch as soon as
feasible.
Reference:
http://technet.microsoft.com/en-us/security/bulletin/ms13-mar
https://krebsonsecurity.com/2013/03/critical-updates-for-windows-adobe-flash-air/
Snort SID: Multiple
ClamAV: Multiple

Title: TP-Link Router HTTP Backdoor
Description: An advisory was released on Monday detailing how to gain a
shell on certain TP-Link routers, popular in the SOHO market, simply by
querying a specific URL on the device. While it was unclear at the time
of publication whether this could be accessed only while on the internal
network, this is the second remote shell problem with that type of
router in the last year; users may wish to consider switching models at
the next feasible opportunity.
Reference:
http://sekurak.pl/tp-link-httptftp-backdoor/
http://websec.ca/advisories/view/root-shell-tplink-wdr740
Snort SID:
ClamAV: N/A

Title: New Attack on TLS Disclosed
Description: Researchers at the Royal Holloway University of London
released on Wednesday details of a new attack against TLS when RC4 is
used as a block cipher. While not as severe as previous attacks such as
BEAST - this new attack can only recover 220 bytes of cleartext data
from a packet, and then only after at least 2^24 sessions have been
analyzed - this further flaw in the protocol pushes TLS/RC4 one step
further towards obsolescence. Patches are currently under development
by impacted vendors; users are urged to use different cyper suites
wherever possible in TLS transactions.
Reference:
http://www.isg.rhul.ac.uk/tls/
Snort SID: N/A
ClamAV: N/A


USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Kelihos is dead…No, wait…Long live Kelihos! Again!
http://blog.spiderlabs.com/2013/03/kelihos-is-dead-no-wait-long-live-kelihos-again.html

Stars aligners’ how-to: kernel pool spraying and VMware CVE-2013-1406:
http://blog.ptsecurity.com/2013/03/stars-aligners-how-to-kernel-pool.html

New DIY hacked email account content grabbing tool facilitates cyber
espionage on a massive scale:
http://blog.webroot.com/2013/03/07/new-diy-hacked-email-account-content-grabbing-tool-facilitates-cyber-espionage-on-a-mass-scale/

Frozen Android phones give up data secrets:
http://www.bbc.co.uk/news/technology-21697704

Hello Neutrino: one more exploit kit:
http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

Breakdown of BitInstant compromise:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Sinkholing of Trojan Downloader Zortob.B reveals fast growing malware threat:
http://www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/

Intercepting system calls on x86_64 Windows:
http://jbremer.org/intercepting-system-calls-on-x86_64-windows/


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2013-1288
Title: Microsoft Internet Explorer CTreeNode Use After Free Vulnerability (MS13-021)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
allows remote attackers to execute arbitrary code via a crafted web
site, aka “CTreeNode Use After Free Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-1493
Title: Oracle Java SE JVM 2D Subcomponent Remote Code Execution
Vulnerability (Oracle Security Alert for CVE-2013-1493)
Vendor: Oracle
Description: The color management (CMM) functionality in the 2D
component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and
earlier, and 5.0 Update 40 and earlier allows remote attackers to
execute arbitrary code or cause a denial of service (crash) via an image
with crafted raster parameters, which triggers (1) an out-of-bounds read
or (2) memory corruption in the JVM, as exploited in the wild in
February 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-0431
Title: Java Applet JMX Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 through Update 11 allows
user-assisted remote attackers to bypass the Java security sandbox via
unspecified vectors related to JMX, aka “Issue 52,” a different
vulnerability than CVE-2013-1490.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

ID: CVE-2013-0640, CVE-2013-0641
Title: Adobe Reader and Acrobat Unspecified Code Execution Vulnerability (APSB13-07)
Vendor: Adobe
Description: Unspecified vulnerability in Adobe Reader and Acrobat 9.x
through 9.5.3, 10.x through 10.1.5, and 11.x through 11.0.1 allows
remote attackers to execute arbitrary code via a crafted PDF document,
as exploited in the wild in February 2013.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-0025
Title: Microsoft Internet Explorer SLayoutRun Use-After-Free (MS13-009)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
8 allows remote attackers to execute arbitrary code via a crafted web
site that triggers access to a deleted object, aka “Internet Explorer
SLayoutRun Use After Free Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


MOST PREVALENT MALWARE FILES 3/5/2013 - 3/12/2013 COMPILED BY SOURCEFIRE

SHA 256: bcc6188203e7b42073209f9356aa15598f61151217eb25dbd869db0e5b99b0c9
MD5: efac97460bd2e8fad7f5118bc4020fdc
VirusTotal: https://www.virustotal.com/file/bcc6188203e7b42073209f9356aa15598f61151217eb25dbd869db0e5b99b0c9/analysis/
Typical Filename: D3D Damag CF v11.8.exe
Claimed Product: -
Claimed Publisher: -

SHA 256: fe1e4987cd97c1198da240aa490e94c4def8db61b95815d1379220fd7bed603a
MD5: 595f95f3b1f54d51a179d60804184ceb
VirusTotal: https://www.virustotal.com/file/fe1e4987cd97c1198da240aa490e94c4def8db61b95815d1379220fd7bed603a/analysis/
Typical Filename: jf_1hitcf.exe
Claimed Product: -
Claimed Publisher: www.crazyfrost.com

SHA 256: a316c76591ec14102164ef345cd2bd61a8a455724cfcd1591b1fe1d50543ad25
MD5: 7a402a1cf3be24a2eb97e79973df91e7
VirusTotal: https://www.virustotal.com/file/a316c76591ec14102164ef345cd2bd61a8a455724cfcd1591b1fe1d50543ad25/analysis/
Typical Filename: 9DF.exe
Claimed Product: -
Claimed Publisher: -

SHA 256: 213692eb100ee731c78852c50d3fd46d87e787e33ce15ce3d987b741eda8396e
MD5: 5f8323b86b648dae0aed2e93fe753ded
VirusTotal: https://www.virustotal.com/file/213692eb100ee731c78852c50d3fd46d87e787e33ce15ce3d987b741eda8396e/analysis/
Typical Filename: jf_cf_zm.exe
Claimed Product: -
Claimed Publisher: www.crazyfrost.com

SHA 256: 611a1be1c5637480b0b8decc45f959ade2d73aa26a28a0fc70c6de050ed8f5a7
MD5: a273babaefcff8f5fe61992a54e3ef1d
VirusTotal: https://www.virustotal.com/file/213692eb100ee731c78852c50d3fd46d87e787e33ce15ce3d987b741eda8396e/analysis/
Typical Filename: jf_cf_bezpaleva.exe
Claimed Product: -
Claimed Publisher: www.crazyfrost.com


Email or call us at +1 800 745 4355 or try our Global Contacts
Subscription Packages
Qualys Solutions
Qualys Community
Company
Free Trial & Tools
Popular Topics