@RISK Newsletter for June 20, 2013
The consensus security vulnerability alert.
Vol. 13, Num. 25
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 6/11/2013 - 6/18/2013
TOP VULNERABILITY THIS WEEK: Denial of service in Wordpress 3.5.1
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: JavaDoc frame injection vulnerability
Description: Javadoc is a tool that generates framed HTML for online
documentation sites such as
http://docs.oracle.com/javase/7/docs/api/. However, there is a
vulnerability in how Javadoc interprets user-supplied frames: by using
a variation, the page will load the frame the user supplies. Such a
link can be placed on a web page; a user who clicks it, believing he is
going to the docs.oracle site, instead gets a frame that incorporates
the malicious redirection. Oracle has just released its security update
for June 2013, a release that comprises 40 security updates, 37 of
which address vulnerabilities that lead to malware execution. Among
the updates is one that fixes the vulnerability found in Javadoc.
Reference:
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
Snort SID: TBD
ClamAV: N/A
Title: Denial of service in Wordpress 3.5.1
Description: Version 3.5.1 (the latest) of the popular blogging engine
WordPress suffers from a remote denial of service vulnerability. The
bug exists in the encryption module (class-phpass.php). Exploitation of
this vulnerability is possible only when at least one post is protected
by a password.
Reference: http://seclists.org/bugtraq/2013/Jun/41
https://vndh.net/note:wordpress-351-denial-service
Snort SID: 26981
ClamAV: N/A
Title: APSB13-15 Adobe Reader X XML Forms BMP handling
Description: Adobe Reader X is vulnerable to specially crafted
compressed BMP images. When they are decompressed, an integer overflow
allows an attacker to possibly gain arbitrary code execution.
Reference: www.adobe.com/support/security/bulletins/apsb13-15.html
Snort SID: 26651,26652,26927,26928
ClamAV: PDF.Exploit.CVE_2013_2729, PDF.Exploit.CVE_2013_2729-1, PDF.Exploit.CVE_2013_2729-2
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
AntiTaintDroid (a.k.a. ScrubDroid) source code released
http://gsbabil.github.io/AntiTaintDroid/
Statically Recompiling NES Games into Native Executables with LLVM and Go
http://andrewkelley.me/post/jamulator.html
pa_kt’s half of the ASLR/timing attacks speech at SummerCon 2013
http://gdtr.files.wordpress.com/2013/06/leak1.pdf
Dion Blazakis’ half of the ASLR/timing attacks speech at SummerCon 2013
http://www.trapbit.com/talks/Summerc0n2013-GCWoah.pdf
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2013-2551
Title: Microsoft Internet Explorer COALineDashStyleArray Integer
Overflow (MS13-009)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
6 through 10 allows remote attackers to execute arbitrary code via a
crafted web site that triggers access to a deleted object, as
demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013,
aka “Internet Explorer Use After Free Vulnerability,” a different
vulnerability than CVE-2013-1308 and CVE-2013-1309.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2012-1533
Title: Java Web Start Double Quote Injection Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update
35 and earlier, allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Deployment.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-1311
Title: Microsoft Internet Explorer textNode Use-After-Free
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
8 allows remote attackers to execute arbitrary code via a crafted web
site that triggers access to a deleted object, aka “Internet Explorer
Use After Free Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-1559
Title: Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code
Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Oracle WebCenter Content
component in Oracle Fusion Middleware 10.1.3.5.1 and 11.1.1.6.0 allows
remote authenticated users to affect availability via unknown vectors
related to Content Server.
CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
ID: CVE-2013-2423
Title: Java Applet Reflection Type Confusion Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK
7, allows remote attackers to affect integrity via unknown vectors
related to HotSpot. NOTE: the previous information is from the April
2013 CPU. Oracle has not commented on claims from the original
researcher that this vulnerability allows remote attackers to bypass
permission checks by the MethodHandles method and modify arbitrary
public final fields using reflection and type confusion, as demonstrated
using integer and double fields to disable the security manager.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2013-1493
Title: Oracle Java SE JVM 2D Subcomponent Remote Code Execution
Vulnerability (Oracle Security Alert for CVE-2013-1493)
Vendor: Oracle
Description: The color management (CMM) functionality in the 2D
component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and
earlier, and 5.0 Update 40 and earlier allows remote attackers to
execute arbitrary code or cause a denial of service (crash) via an image
with crafted raster parameters, which triggers (1) an out-of-bounds read
or (2) memory corruption in the JVM, as exploited in the wild in
February 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 6/11/2013 - 6/18/2013 COMPILED BY SOURCEFIRE
SHA 256: 94A1A26F61B015C2CED2FD50BDBA4070B6C9AEC7D2938FBF7EB9E99960D3B7A9
MD5: bfacf78644ca41fd6d4b23976e7574a1
VirusTotal: https://www.virustotal.com/file/94A1A26F61B015C2CED2FD50BDBA4070B6C9AEC7D2938FBF7EB9E99960D3B7A9/analysis/
Typical Filename: RemoveWAT.exe
Claimed Product: RemoveWAT.exe
Claimed Publisher: RemoveWAT.exe
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Typical Filename: 01.tmp
Claimed Product: 01.tmp
Claimed Publisher: 01.tmp
SHA 256: 7BB7125EC5ECF99F975D7CB127009E615847D3FF05FA9F2F79F92CB480B28DC5
MD5: 2f0550df2d7e60752765b44aeb772091
VirusTotal: https://www.virustotal.com/file/7BB7125EC5ECF99F975D7CB127009E615847D3FF05FA9F2F79F92CB480B28DC5/analysis/
Typical Filename: pricepeep_130001_0101.exe
Claimed Product: pricepeep_130001_0101.exe
Claimed Publisher: pricepeep_130001_0101.exe
SHA 256: A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03
MD5: 8ac1e580cf274b3ca98124580e790706
VirusTotal: https://www.virustotal.com/file/A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03/analysis/
Typical Filename: Virus.Win32.Sality.ab
Claimed Product: Virus.Win32.Sality.ab
Claimed Publisher: Virus.Win32.Sality.ab
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename: ygrqpx.exe
Claimed Product: ygrqpx.exe
Claimed Publisher: ygrqpx.exe
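The hash list above is only useful once it is compared against files on a host. The script below is an added example (not Sourcefire's or SANS' code): it streams each file under a directory through SHA-256 and MD5 and reports any file whose digest appears in the newsletter list. The digests and typical filenames are copied from this section; the directory to scan and the `demo_scan` self-check (which writes a constructed, benign sample file into a temporary directory) are assumptions for illustration.

```python
"""Match files on disk against the SHA-256 / MD5 indicators listed in this section."""
import hashlib
import tempfile
from pathlib import Path

# Indicators copied from the newsletter's "most prevalent malware files" list.
# Keys are SHA-256 (upper-case, as printed) or MD5 (lower-case, as printed);
# values are the "Typical Filename" given for each entry.
NEWSLETTER_IOCS = {
    "94A1A26F61B015C2CED2FD50BDBA4070B6C9AEC7D2938FBF7EB9E99960D3B7A9": "RemoveWAT.exe",
    "bfacf78644ca41fd6d4b23976e7574a1": "RemoveWAT.exe",
    "AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615": "01.tmp",
    "3291e1603715c47a23b60a8bf2ca73db": "01.tmp",
    "7BB7125EC5ECF99F975D7CB127009E615847D3FF05FA9F2F79F92CB480B28DC5": "pricepeep_130001_0101.exe",
    "2f0550df2d7e60752765b44aeb772091": "pricepeep_130001_0101.exe",
    "A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03": "Virus.Win32.Sality.ab",
    "8ac1e580cf274b3ca98124580e790706": "Virus.Win32.Sality.ab",
    "DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C": "ygrqpx.exe",
    "25aa9bb549ecc7bb6100f8d179452508": "ygrqpx.exe",
}


def file_digests(path, chunk_size=1 << 20):
    """Return (SHA-256 upper-case, MD5 lower-case) of a file, read in chunks so
    large files do not have to fit in memory."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(block)
            md5.update(block)
    return sha256.hexdigest().upper(), md5.hexdigest().lower()


def scan_tree(root, iocs=NEWSLETTER_IOCS):
    """Walk `root` and return [(path, sha256, label)] for every regular file whose
    SHA-256 or MD5 is in `iocs`. Symlinks are not followed and unreadable files
    are skipped so one permission error does not abort the sweep."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            sha256, md5 = file_digests(path)
        except OSError:
            continue
        label = iocs.get(sha256) or iocs.get(md5)
        if label:
            hits.append((str(path), sha256, label))
    return hits


def demo_scan():
    """Constructed self-check (assumption, not newsletter data): scan a temporary
    directory holding one benign sample file, first with the sample's own hash
    added to a copy of the IoC set, then against the newsletter list alone.
    Returns (hits_with_sample_ioc, hits_against_newsletter_only)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample file, not malware\n")
        sha256, _md5 = file_digests(sample)
        extended = dict(NEWSLETTER_IOCS, **{sha256: "sample"})
        return scan_tree(tmp, extended), scan_tree(tmp)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, sha256, label in scan_tree(root):
        print(f"{sha256}  {label}  {path}")
```

Matching on either digest matters because many feeds publish only MD5; the SHA-256 is kept in the report so a hit can be looked up on the VirusTotal URLs given above. A hash match is a point-in-time indicator only: a repacked copy of the same family will not match, so this complements rather than replaces the Snort and ClamAV signatures referenced earlier in the issue.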