Search

See Resources

@RISK Newsletter for January 24, 2013 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 13, Num. 4

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 1/16/2013 - 1/23/2013


TOP VULNERABILITY THIS WEEK: There continue to be reports of Java 0days

by research groups. It is our recommendation that Java be disabled
entirely in the browser.


NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Bulgarian Android SMSsend
Description: Researcher Dancho Danchev has released information about a
new piece of Android Malware that is found by visiting a “popular
Bulgarian website for branded watches”. He also indicates that the
watch website is not the only website being used to distribute this
piece of malware. Users are to use caution when installing any piece
of software, even from legit Android sites.
Reference:
http://blog.webroot.com/2013/01/22/android-malware-spreads-through-compromised-legitimate-web-sites/
http://vrt-blog.snort.org/2013/01/bulgarian-android-smssend.html
Snort SID: 25512
ClamAV: Andr.Trojan.SMSsend-1

Title: Java 7 Update 11 still has a flaw
Description: According to several research sites on the internet, Java
7 Update 11 is still vulnerable to several bugs. One of which has been
highlighted on the Internet Storm Center as being a “complete Java
security sandbox bypass”. Information about these bugs is still being
assessed and US-CERT has recommended that you completely disable Java
in the browser.
Reference:
http://seclists.org/fulldisclosure/2013/Jan/142
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
http://www.security-explorations.com/en/SE-2012-01-status.html
https://isc.sans.edu/diary/Java+0-Day+patched+as+Java+7+U+11+released/14932
http://www.kb.cert.org/vuls/id/625617
http://www.java.com/en/download/help/disable_browser.xml
Snort SID: N/A
ClamAV: N/A

Title: Sourcefire VRT rules update addresses remote stack buffer
overflow in rule 3:20275
Description: A Shared Object rule released by the VRT (20275) has been
altered to fix a potential DoS in the Shared Object rule itself. This
Shared Object rule is disabled by the default policy and has to be
explicitly enabled. This rule was fixed within 48 hours of the
notification by Tavis Ormandy.
Reference:
http://blog.snort.org/2013/01/sourcefire-vrt-certified-snort-rules_18.html
http://isc.sans.edu/diary/ Sourcefire+VRT+rules+update+addresses+remote+stack+buffer+overflow+in+rule+3%3A20275/14980
Snort SID: 20275
ClamAV: N/A

Title: Moveable Type 4.x Unauthenticated Remote Command Execution
Description: By directly calling an update-related CGI script with
crafted input, and without requiring authentication, it is possible to
execute arbitrary system commands on the host server.
Reference: http://www.sec-1.com/blog/?p=402
Snort SID: Not released yet
ClamAV: Not released yet


USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Randomware with Backdoor being distributed through the BlackHole Exploit Kit:
http://malwaremustdie.blogspot.com/2013/01/case-of-ransomware-with-backdoor.html

Analysis of the .xxx domain:
https://discussions.nessus.org/thread/5645

Hackers Deface Entire MIT Website in Aaron Swartz Suicide Revenge Attack (Updated: Hackers Speak)
http://gizmodo.com/5978039/hackers-incoherently-deface-entire-mit-website

Reporters Without Borders Victim of Watering Hole Campaign
http://eromang.zataz.com/2013/01/22/reporters-without-borders-victim-of-watering-hole-campaign/


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2013-0422
Title: Oracle Java SE Security Bypass Vulnerability
Vendor: Oracle
Description: Multiple vulnerabilities in Oracle Java 7 before Update 11
allow remote attackers to execute arbitrary code by (1) using the public
getMBeanInstantiator method in the JmxMBeanServer class to obtain a
reference to a private MBeanInstantiator object, then retrieving
arbitrary Class references using the findClass method, and (2) using the
Reflection API with recursion in a way that bypasses a security check
by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method
due to the inability of the sun.reflect.Reflection.getCallerClass method
to skip frames related to the new reflection API, as exploited in the
wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and
a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE:
some parties have mapped the recursive Reflection API issue to
CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose
details are not public as of 20130114. CVE-2013-0422 covers both the
JMX/MBean and Reflection API issues. NOTE: it was originally reported
that Java 6 was also vulnerable, but the reporter has retracted this
claim, stating that Java 6 is not exploitable because the relevant code
is called in a way that does not bypass security checks. NOTE: as of
20130114, a reliable third party has claimed that the
findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update

  1. If there is still a vulnerable condition, then a separate CVE
    identifier might be created for the unfixed issue.
    CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-4792
Title: Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
6 through 8 allows remote attackers to execute arbitrary code via a
crafted web site that triggers access to an object that (1) was not
properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo
object, and exploited in the wild in December 2012.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-0156
Title: Ruby on Rails XML Processor YAML Deserialization Code Execution
Vendor: rubyonrails.org
Description: active_support/core_ext/hash/conversions.rb in Ruby on
Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x
before 3.2.11 does not properly restrict casts of string values, which
allows remote attackers to conduct object-injection attacks and execute
arbitrary code, or cause a denial of service (memory and CPU
consumption) involving nested XML entity references, by leveraging
Action Pack support for (1) YAML type conversion or (2) Symbol type
conversion.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-0432
Title: Novell NCP Pre-Auth Remote Root Exploit
Vendor: Novell
Description: Stack-based buffer overflow in the Novell NCP
implementation in NetIQ eDirectory 8.8.7.x before 8.8.7.2 allows remote
attackers to have an unspecified impact via unknown vectors.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-6066
Title: Freesshd Authentication Bypass
Vendor: freesshd.com
Description: freeSSHd.exe in freeSSHd through 1.2.6 allows remote
attackers to bypass authentication via a crafted session, as
demonstrated by an OpenSSH client with modified versions of ssh.c and
sshconnect2.c.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


MOST PREVALENT MALWARE FILES 1/16/2013 - 1/23/2013 COMPILED BY SOURCEFIRE

SHA 256: 9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F
MD5: 3ff52cee72b936c56b4fbb9f970ece74
VirusTotal: https://www.virustotal.com/file/9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F/analysis/

Typical Filename: wintdiyx.exe
Claimed Product: wintdiyx.exe
Claimed Publisher: wintdiyx.exe

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/

Typical Filename: File_0_2.ok
Claimed Product: File_0_2.ok
Claimed Publisher: File_0_2.ok

SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal: https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/

Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/

Typical Filename: lmlkl.sys
Claimed Product: lmlkl.sys
Claimed Publisher: lmlkl.sys

SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/

Typical Filename: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Product: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Publisher: 573b6cc513e1b7cd9e35b491eacc38f3


Email or call us at +1 800 745 4355 or try our Global Contacts
Subscription Packages
Qualys Solutions
Qualys Community
Company
Free Trial & Tools
Popular Topics