@RISK Newsletter for January 17, 2013 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 13, Num. 3

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 1/10/2013 - 1/16/2013


TOP VULNERABILITY THIS WEEK: A 0-day was discovered in Java by
researchers who saw it being used in several distinct exploit kits.
While Oracle has released a patch, which by default now requires users
to click an applet before it runs, US-CERT has advised everyone who
does not need Java to disable it in their browser immediately.


NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Java 0-day attack exploited in the wild
Description: Researchers last Thursday discovered a 0-day attack against
the latest version of Java being exploited in the wild by a series of
exploit kits, with owners of multiple kits claiming responsibility for
having added the attack to their kit first. After US-CERT released an
advisory recommending that anyone who does not use Java regularly
disable it immediately, Oracle issued a patch on Sunday, which included
a change to Java’s security settings that would require users to click
on an applet to allow it to run. While experts are praising that
settings update as a proactive defensive mechanism, researchers from
Immunity on Monday noted that the patch issued by Oracle - while
effective against attacks currently in the wild - did not completely
resolve one of the underlying issues with this bug, leaving the door
open for further attacks in the future. The VRT strongly recommends
following US-CERT’s guidance on the issue and disabling Java if
possible, while being vigilant on patches if it must be left enabled.
Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
http://vrt-blog.snort.org/2013/01/generic-exploit-kit-detection-first.html
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
http://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html
Snort SID: 25041, 25042, 25301, 25302
ClamAV: Java.Exploit.Agent-14 - Java.Exploit.Agent-16

Title: Ruby on Rails vulnerability could be largest server-side web bug in years
Description: A pair of remotely exploitable vulnerabilities were
discovered in the popular Ruby on Rails web programming framework last
week, one of which allows for code execution in default installations
with the permissions of the application running Rails code. While
estimates on the number of vulnerable sites vary, experts agree that
number could easily be north of 1 million systems, making this one of
the most widespread server-side exploits in years. An official patch has
been issued (including a patch for the popular Metasploit framework,
which was itself vulnerable), and system administrators are urged to
patch immediately, as exploits are known to be circulating in the wild.
Reference:
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
http://vrt-blog.snort.org/2013/01/the-ruby-on-rails-vulnerability-that.html
http://blog.sourcefire.com/Post/2013/01/09/1357761360-therubyonrailsvulnerabilitiesofwhattheyareandwhatshouldwedo/
Snort SID: 28287, 25288
ClamAV: N/A

Title: Anonymous takes down MIT sites after suicide of Aaron Swartz
Description: Well-known activist Aaron Swartz, while awaiting trial on
charges related to allegations that he had made publicly available the
entire subscription-only section of the JSTOR database of scholarly
journals and a large section of copyrighted documents at MIT, took his
own life last Friday. Amid allegations that he was driven to suicide by
overly zealous prosecution, Anonymous defaced several MIT sites in a
show of support for Swartz and his crusade for online openness, and a
petition has surfaced to remove the federal prosecutor handling the case
for being overly zealous in his prosecution. The case raises questions
about copyright prosecution in the 21st century, particularly in light
of the fact that Swartz was facing a 35-year sentence even after JSTOR
had asked the federal government to drop its prosecution and allow them
to pursue civil action instead.
Reference:
http://www.washingtonpost.com/business/technology/anonymous-hacks-mit-sites-to-post-aaron-swartz-tribute-call-to-arms/2013/01/14/ff6f706c-5e44-11e2-9940-6fc488f3fecd_story.html
http://pastebin.com/PKm921c9
http://news.cnet.com/8301-1023_3-57563752-93/anonymous-hacks-mit-after-aaron-swartzs-suicide/
Snort SID: N/A
ClamAV: N/A

Title: Researchers discover “Red October” worldwide cyber espionage campaign
Description: Kaspersky Labs released a major report this week on a
highly sophisticated, long-term malware campaign designed to infiltrate
diplomatic circles and collect data valuable to both state and private
actors. According to their analysis, which has held up well to scrutiny
from independent researchers, the campaign has been running since at
least 2007, and includes Chinese-created exploits and malware code from
Russian-speaking engineers. The malware was delivered via highly
targeted spear phish, and used a variety of exploits in MS Office and
other file formats to break into victim machines. While the total number
of infected hosts was low, this discovery helps to highlight the extreme
danger high-profile organizations face from online espionage in the
modern era.
Reference:
http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation
Snort SID: 17597, 21902, 22101, 25392-25447
ClamAV: N/A


USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Computer scientists find flaw in Cisco VoIP phones:
http://www.eurekalert.org/pub_releases/2013-01/cu-csf010713.php

Minion - automating security for developers:
https://air.mozilla.org/minion-automating-security-for-developers/

Snapshot of Virut botnet after interruption:
http://www.symantec.com/connect/blogs/snapshot-virut-botnet-after-interruption

Nokia: Yes, we decrypt your HTTPS data, but don’t worry about it:
http://gigaom.com/2013/01/10/nokia-yes-we-decrypt-your-https-data-but-dont-worry-about-it/

GET-PEB: A tool to dump the Process Environment Block (PEB) of any process:
http://www.exploit-monday.com/2013/01/Get-PEB.html

I/O you own: Windows 8 update:
http://blog.crowdstrike.com/2013/01/io-you-own-windows-8-update.html

Yahoo DOM XSS:
http://www.offensive-security.com/offsec/yahoo-dom-xss-0day-prevails/

The future of protocol reversing and simulation applied on ZeroAccess botnet:
http://events.ccc.de/congress/2012/Fahrplan/events/5256.en.html

Black Hole Exploit Kit author’s ‘vertical market integration’ fuels
growth in malicious web activity:
http://blog.webroot.com/2013/01/08/black-hole-exploit-kit-authors-vertical-market-integration-fuels-growth-in-malicious-web-activity/

Private market growing for zero-day exploits and vulnerabilities:
http://searchsecurity.techtarget.com/feature/Private-market-growing-for-zero-day-exploits-and-vulnerabilities


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2013-0422
Title: Oracle Java SE Security Bypass Vulnerability
Vendor: Oracle
Description: Unspecified vulnerability in Oracle Java 7 Update 10 and
earlier allows remote attackers to execute arbitrary code via unknown
vectors, possibly related to “permissions of certain Java classes,” as
exploited in the wild in January 2013, and as demonstrated by Blackhole
and Nuclear Pack.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-4792
Title: Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
6 through 8 allows remote attackers to execute arbitrary code via a
crafted web site that triggers access to an object that (1) was not
properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo
object, and exploited in the wild in December 2012.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-0156
Title: Ruby on Rails XML Processor YAML Deserialization Code Execution
Vendor: rubyonrails.org
Description: active_support/core_ext/hash/conversions.rb in Ruby on
Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x
before 3.2.11 does not properly restrict casts of string values, which
allows remote attackers to conduct object-injection attacks and execute
arbitrary code, or cause a denial of service (memory and CPU
consumption) involving nested XML entity references, by leveraging
Action Pack support for (1) YAML type conversion or (2) Symbol type
conversion.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-6066
Title: freeSSHd Authentication Bypass
Vendor: freesshd.com
Description: freeSSHd.exe in freeSSHd through 1.2.6 allows remote
attackers to bypass authentication via a crafted session, as
demonstrated by an OpenSSH client with modified versions of ssh.c and
sshconnect2.c.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2012-0202
Title: IBM Cognos TM1 Buffer Overflow Vulnerability
Vendor: IBM
Description: Multiple stack-based buffer overflows in tm1admsd.exe in
the Admin Server in IBM Cognos TM1 9.4.x and 9.5.x before 9.5.2 FP2
allow remote attackers to cause a denial of service (daemon crash) or
possibly execute arbitrary code via crafted data.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


MOST PREVALENT MALWARE FILES 1/10/2013 - 1/16/2013 COMPILED BY SOURCEFIRE
