Search

See Resources

@RISK Newsletter for October 10, 2013 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 13, Num. 41

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


CONTENTS:

NOTABLE RECENT SECURITY ISSUES
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 6/11/2013 - 6/18/2013


TOP VULNERABILITY THIS WEEK: Vulnerability in Microsoft Internet Explorer 8


NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Microsoft Office Patch Tuesday Release
Description: This month’s Microsoft Tuesday Update brings us 8 bulletins
for a total of 26 CVEs. Four of these bulletins are marked as critical,
while the rest are marked as important.
Reference:
http://sfi.re/1b8L3Qp
http://technet.microsoft.com/en-us/security/bulletin/ms13-080
http://technet.microsoft.com/en-us/security/bulletin/ms13-081
http://technet.microsoft.com/en-us/security/bulletin/ms13-082
http://technet.microsoft.com/en-us/security/bulletin/ms13-083
http://technet.microsoft.com/en-us/security/bulletin/ms13-084
http://technet.microsoft.com/en-us/security/bulletin/ms13-085
http://technet.microsoft.com/en-us/security/bulletin/ms13-086
http://technet.microsoft.com/en-us/security/bulletin/ms13-087
http://vrt-blog.snort.org/2013/10/ie-zero-day-cve-2013-3897-youve-been.html
https://isc.sans.edu/forums/diary/Microsoft+October+2013+Patch+Tuesday/16760
Snort SID: 27943-27944, 28151, 28158-28163, 28191, 28202-28206
ClamAV: BC.Exploit.CVE_2013_3893-1, Otf.Exploit.2013_3128

Title: Avira AVG DNS Server attacked
Description: The DNS records of various websites, including those of
Avira.com, were changed to point to other domains that do not belong to
Avira.
Reference:
http://techblog.avira.com/2013/10/08/major-dns-hijacking-affecting-major-websites-including-avira-com/en/
Snort SID: N/A
ClamAV: N/A

Title: Adobe Systems hacked
Description: Adobe Systems was hacked by intruder gaining access to
Adobes Acrobat, Coldfusion, and Coldfusion Builder source code as well
as customer username, password, and credit card for 2.0 million Adobe
customers.
Reference:
http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
http://blogs.adobe.com/asset/2013/10/illegal-access-to-adobe-source-code.html
http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
Snort SID: N/A
ClamAV: N/A

Title: Blackhole Exploit Kit Author Arrested:
Description: Maarten Boone, a security researcher at Dutch firm Fox-IT,
claimed the Blackhole creator known as ‘Paunch’ had been arrested in
Russia.
Reference:
http://www.techweekeurope.co.uk/news/blackhole-exploit-kit-author-arrested-in-russia-128978
Snort SID: The VRT maintains over 119 rules to cover the Blackhole
Exploit Kit in the Exploit-Kit category of rules.
ClamAV: The VRT maintains hundreds of pieces of detection for various
parts of the Blackhole Exploit Kit


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2013-3893
Title: Microsoft Internet Explorer SetMouseCapture Use-After-Free
Vendor: Microsoft
Description: Use-after-free vulnerability in the SetMouseCapture
implementation in mshtml.dll in Microsoft Internet Explorer 6 through
11 allows remote attackers to execute arbitrary code via crafted
JavaScript strings, as demonstrated by use of an ms-help: URL that
triggers loading of hxds.dll.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-3576
Title: HP System Management Homepage “ginkgosnmp.inc” Command Injection
Vulnerability
Vendor: HP
Description: ginkgosnmp.inc in HP System Management Homepage (SMH)
allows remote authenticated users to execute arbitrary commands via
shell metacharacters in the PATH_INFO to smhutil/snmpchp.php.en.
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

ID: CVE-2013-3205
Title: Microsoft Internet Explorer CCaret Use-After-Free (MS13-069)
Vendor: Microsoft
Description: Microsoft Internet Explorer 6 through 8 allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption) via a crafted web site, aka “Internet Explorer Memory
Corruption Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: Not Available
Title: Joomla! Unauthorised Uploads
Vendor: Joomla!
Description: Inadequate filtering leads to the ability to bypass file
type upload restrictions.
Affects Joomla! version 2.5.13 and earlier 2.5.x versions; and version
3.1.4 and earlier 3.x versions
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2251
Title: Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Vendor: Apache
Description: Apache Struts 2.0.0 through 2.3.15 allows remote attackers
to execute arbitrary OGNL expressions via a parameter with a crafted (1)
action: , (2) redirect:, or (3) redirectAction: prefix.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


MOST PREVALENT MALWARE FILES 6/11/2013 - 6/18/2013 COMPILED BY SOURCEFIRE

SHA 256: 6090C85CF5750E141F2BD6D2334EC0EB79188E2DE05DE06235726E73C0B0D792
MD5: 2ebbe2521176388c7bc5365e197bf801
VirusTotal:
https://www.virustotal.com/en/file/ 6090C85CF5750E141F2BD6D2334EC0EB79188E2DE05DE06235726E73C0B0D792/analysis/

Typical Filename: BitGuard.dll
Claimed Product: Protector
Claimed Publisher: MediaTechSoft Inc.

SHA 256: 055788eb475e7ac5ea2e03383d3f95bcc88d62f06e4456a5f5dd6b9e78506ab5
MD5: 12336775941d49ce6a4d6f391cb5e02f
VirusTotal:
https://www.virustotal.com/en/file/ 055788EB475E7AC5EA2E03383D3F95BCC88D62F06E4456A5F5DD6B9E78506AB5/analysis/

Typical Filename: WebCakeDesktop.exe
Claimed Product: WebCakeDesktop.exe
Claimed Publisher: Web Cake

SHA 256: df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal:
https://www.virustotal.com/en/file/ DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/

Typical Filename: (Random)
Claimed Product: None
Claimed Publisher: None

SHA 256: A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03
MD5: 8ac1e580cf274b3ca98124580e790706
VirusTotal:
https://www.virustotal.com/file/A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03/analysis/

Typical Filename: Virus.Win32.Sality.ab
Claimed Product: Virus.Win32.Sality.ab
Claimed Publisher: Virus.Win32.Sality.ab

SHA 256: d14b66bd4c4c8f66a6edf2820fd4162d09b326beaf6a42014596571e81a1a503
MD5: 68b7f7a26b76805432e3d50009d2ab1f
VirusTotal:
https://www.virustotal.com/en/file/ D14B66BD4C4C8F66A6EDF2820FD4162D09B326BEAF6A42014596571E81A1A503/analysis/

Typical Filename: Random
Claimed Product: None
Claimed Publisher: None


Email or call us at +1 800 745 4355 or try our Global Contacts
Subscription Packages
Qualys Solutions
Qualys Community
Company
Free Trial & Tools
Popular Topics