Search

See Resources

@RISK Newsletter for August 01, 2013 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 13, Num. 31

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 7/23/2013 - 7/30/2013


TOP VULNERABILITY THIS WEEK: Microsoft announced the first-ever major

update to its Microsoft Active Protections Program (MAPP) this week,
dramatically expanding the list of potential members and providing
several new levels of service in the process. The information-sharing
program has been instrumental to high-quality detection for security
vendors for years, and incident responders are the primary beneficiaries
of the expansion.


NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Microsoft announces major expansion of MAPP program
Description: For the first time since the inception of the Microsoft
Active Protections Program (MAPP) in 2008, the firm is dramatically
increasing its scope, with two new sub-programs designed to increase the
number of people who can benefit from MAPP’s information-sharing regime.
The first, MAPP for Responders, will bring incident responders into the
fold, with data focused on identifying and remediating live exploitation
in the wild. The second, MAPP Scanner, is a cloud-based tool that will
allow an even broader range of organizations to submit files they
suspect might be exploiting a vulnerability in Microsoft software, with
both information on known vulnerabilities and details of suspicious
information being supplied in return. In addition, program benefits are
being expanded for current MAPP members, which will be re-branded as
MAPP for Security Vendors. This expansion of the program comes on the
heels of its dramatic success over the last several years, helping to
validate the strategy of open information-sharing among network
defenders worldwide.
Reference:
http://blogs.technet.com/b/bluehat/archive/2013/07/29/new-mapp-initiatives.aspx
http://blogs.technet.com/b/msrc/archive/2013/07/29/announcing-the-2013-msrc-progress-report-featuring-mapp-expansions.aspx
http://www.computerworld.com/s/article/9241169/ Microsoft_expands_bug_info_sharing_program_to_larger_crowd?taxonomyId=17&pageNumber=2
Snort SID: N/A
ClamAV: N/A

Title: Dovecot + Exim remote code execution attack spotted in the wild
Description: A trivially exploitable remote code execution vulnerability
in the Dovecot mail server, when paired with Exim as a local delivery
agent, was announced in May, with only a workaround being released to
date. Recent notes from the ISC Storm Center show that the attack, which
has several publicly available proofs of concept, is now being exploited
in the wild. Administrators of these systems are urged to check their
configurations and take appropriate mitigation immediately.
Reference:
https://isc.sans.edu/diary/Dovecot++Exim+Exploit+Detects/16243
http://osvdb.org/show/osvdb/93004
Snort SID: 27532
ClamAV: N/A

Title: Internet Explorer 9/10 information disclosure vulnerability
Description: In a post to the popular Full-Disclosure mailing list on
Monday, an independent researcher provided information around a
potential new Internet Explorer information disclosure vulnerability,
which he claimed would be useful in bypassing ASLR. While confirmation
of the vulnerability was pending as of the time of publication, and no
signs of exploitation in the wild are available at this time, security
researchers and incident responders should be paying close attention to
systems they monitor until further information is released.
Reference:
http://seclists.org/fulldisclosure/2013/Jul/267
Snort SID: 27531
ClamAV: N/A

Title: Package using Android “Extra Field” vulnerability spotted in the wild
Description: Independent researcher Zhuowei Zang recently began
distributing an APK on his Github site that used the recently disclosed
“Extra Field” vulnerability in APK file parsing in order to gain root
access on the Kobo Arc tablet. While his particular package contained
no malicious code, and simply took advantage of system package
permissions to install a superuser account, it shows how easy live
exploitation of the vulnerability is, likely setting the stage for
further use of it in the coming weeks.
Reference:
http://vrt-blog.snort.org/2013/07/android-extra-field-vulnerability_30.html
https://www.virustotal.com/en/file/ 06edeb3bab3bfb8c7b272615b8524111d03b17a8875e507a1cc9e4af81f486c6/analysis/
Snort SID:
ClamAV: BC.Exploit.Andr.Extra_Field


USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Windows RT ARMv7-based shellcode development:
http://www.exploit-monday.com/2013/07/WinRT-ARM-Shellcode.html

Styx cool exploit kit: one applet to exploit all vulnerabilities:
http://security-obscurity.blogspot.com/2013/07/styxy-cool-exploit-kit-one-applet-to.html

Spy agencies ban Lenovo PCs on security concerns:
http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_HVgcKTHp4bIA4ulCPqC7SL

MSI: the case of the invalid signature:
http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/

Security vendors: do no harm, heal thyself:
http://krebsonsecurity.com/2013/07/security-vendors-do-no-harm-heal-thyself/

The evolution of Rovnix: private TCP/IP stacks:
http://blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx

Verizon announces Veris database - raw incident data:
http://www.verizonenterprise.com/security/blog/index.xml?postid=4642

Flush + Reload: a high resolution, low noise L3 cache side-channel attack:
http://eprint.iacr.org/2013/448.pdf

Big poker player loses high-stakes Android scam game:
http://www.symantec.com/connect/blogs/big-poker-player-loses-high-stakes-android-scam-game

Haunted by the ghosts of ZeuS and DNSChanger:
http://krebsonsecurity.com/2013/07/haunted-by-the-ghosts-of-zeus-dnschanger/

Vulnerability disclosed all passwords of Barracuda Networks employees:
http://securityaffairs.co/wordpress/16584/hacking/vulnerability-in-baracuda-network.html

Advanced exploitation of Windows kernel privilege escalation / CVE-2013-3660:
http://www.vupen.com/blog/20130723.Advanced_Exploitation_Windows_Kernel_Win32k_EoP_MS13-053.php

How I found my way into Instagram’s Ganglia, and a bug with Facebook likes:
http://josipfranjkovic.blogspot.com/2013/07/how-i-found-my-way-into-instagrams.html

Dissecting a WordPress brute force attack:
http://blog.sucuri.net/2013/07/dissecting-a-wordpress-brute-force-attack.html


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2013-3174
Title: Microsoft DirectShow GIF Parsing Memory Corruption Vulnerability
Vendor: Microsoft
Description: DirectShow in Microsoft Windows XP SP2 and SP3, Windows
Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1,
Windows 7 SP1, Windows 8, and Windows Server 2012 allows remote
attackers to execute arbitrary code via a crafted GIF file, aka
“DirectShow Arbitrary Memory Overwrite Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2251
Title: Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Vendor: Apache
Description: Apache Struts 2.0.0 through 2.3.15 allows remote attackers
to execute arbitrary OGNL expressions via a parameter with a crafted (1)
action: , (2) redirect:, or (3) redirectAction: prefix.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-1017
Title: Apple Quicktime 7 Invalid Atom Length Buffer Overflow
Vendor: Apple
Description: Buffer overflow in Apple QuickTime before 7.7.4 allows
remote attackers to execute arbitrary code or cause a denial of service
(application crash) via crafted dref atoms in a movie file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-3163
Title: Microsoft Internet Explorer CBlockElement Use-after-Free Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 through 10 allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption) via a crafted web site, aka “Internet Explorer Memory
Corruption Vulnerability,” a different vulnerability than CVE-2013-3144
and CVE-2013-3151.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2460
Title: Java Applet ProviderSkeleton Insecure Invoke Method
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK
7, allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to Serviceability. NOTE: the
previous information is from the June 2013 CPU. Oracle has not commented
on claims from another vendor that this issue allows remote attackers
to bypass the Java sandbox via vectors related to “insufficient access
checks” in the tracing component.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


MOST PREVALENT MALWARE FILES 7/23/2013 - 7/30/2013 COMPILED BY SOURCEFIRE

SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/
Typical Filename: C8A787C22000AE378610003396E67500D587FA4E.exe
Claimed Product: My Web Search Bar for Internet Explorer and FireFox
Claimed Publisher: MyWebSearch.com

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename:
smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Product:
smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Publisher:
smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Typical Filename: avz00001.dta
Claimed Product: avz00001.dta
Claimed Publisher: avz00001.dta

SHA 256: 9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302
MD5: 923c4d13bee966654f4fe4a8945af0ae
VirusTotal: https://www.virustotal.com/file/9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302/analysis/
Typical Filename: winoaox.exe
Claimed Product: winoaox.exe
Claimed Publisher: winoaox.exe

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Typical Filename: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Product: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Publisher: bf31a8d79f704f488e3dbcb6eea3b3e3


Email or call us at +1 800 745 4355 or try our Global Contacts
Subscription Packages
Qualys Solutions
Qualys Community
Company
Free Trial & Tools
Popular Topics