Home
Systeembeheer
Consultancy
Connectivity
Training
Development

Klanten

Inloggen

Resources

Sans artikelen
Security artikelen

Software

Linux
Windows









[ terug ]
=============================================================
     @RISK: The Consensus Security Vulnerability Alert
                    Vol. 13, Num. 9

Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked

=============================================================

CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 2/19/2013 - 2/26/2013
============================================================

TOP VULNERABILITY THIS WEEK: Oracle's Java woes continued this week,
with a detail-free announcement of a pair of new vulnerabilities by
Security Explorations and confirmation that a previously patched
vulnerability is now being actively exploited in the wild.

============================================================
TRAINING UPDATE

- -- SANS 2013     		Orlando, FL           March 8-March 15, 2013
47 courses. Bonus evening sessions include Please keep Your Brain Juice
Off My Enigma: A True Story; InfoSec in the Financial World: War Stories
and Lessons Learned; and Finding Unknown Malware.
http://www.sans.org/event/sans-2013

- -- SANS Monterey 2013     Monterey, CA           March 22-March 27, 2013
8 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! -
The Recon-ng Framework.
http://www.sans.org/event/monterey-2013

- --SANS Northern Virginia 2013      Reston, VA   April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How
to be a More Effective Security Professional; Pentesting Web Apps with
Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

- --SANS Cyber Guardian 2013      Baltimore, MD      April 15-April 20, 2013
9 courses. Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker; Offensive Countermeasures, Active Defenses,
and Internet Tough Guys; and Tactical SecOps: A Guide to Precision
Security Operations.  http://www.sans.org/event/cyber-guardian-2013

- --SANS Security West 2013      San Diego, CA      May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The
Ancient Art of Falconry; and You Can Panic Now. Host Protection is
(Mostly) Dead.
http://www.sans.org/event/security-west-2013

- --SANS Secure Singapore 2013      February 25-March 2, 2013
6 courses. Bonus evening presentations include APT: It is Time to Act;
and Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- --Secure Canberra 2013    Canberra, Australia   March 18 - March 23, 2013
Featuring Network Penetration Testing and Ethical Hacking and Computer
Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

********************** Sponsored Link: *********************
1) Take the Mobile Application security Survey! Enter to Win an iPad!
http://www.sans.org/info/125672
============================================================

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: New Java vulnerabilities announced, old one exploited in the wild
Description: Polish security firm Security Explorations has privately
disclosed details of two vulnerabilities in Java to Oracle, while
publicly disclosing their existence.  The firm stated that these new
vulnerabilities do affect the newest released version of Java 1.7.
Information concerning these vulnerabilities is not yet public and no
proofs of concept are known outside of this firm's shared information
with Oracle. Meanwhile, Java 7u11 exploit CVE-2013-0431 is being
exploited in the wild via multiple exploit kits; users are urged to
patch immediately.
Reference:
https://threatpost.com/en_us/blogs/two-more-java-zero-days-found-polish-research
-team-022513
https://community.rapid7.com/community/metasploit/blog/2013/02/25/java-abused-in
-the-wild-one-more-time
Snort SID: 25861, 25862
ClamAV: Java.Trojan.Agent-22


Title: Vulnerability in Adobe Flash Player (CVE-2013-0633) seeing broad
exploitation
Description: Since last week's newsletter, which noted that this attack
had been limited in scope, this particular vulnerability has seen
mainstream adoption, including inclusion in the "Gong Da" exploit kit.
Originally traveling primarily through email embedded in Word documents,
this now-patched vulnerability is now being exploited heavily over HTTP.
Users are strongly encouraged to patch as soon as possible.
Reference:
http://www.adobe.com/support/security/bulletins/apsb13-04.html
http://eromang.zataz.com/2013/02/26/gong-da-gondad-exploit-pack-add-flash-cve-
2013-0633-support/
Snort SID: 25681, 25683
ClamAV: BC.Exploit.CVE_2013_0633


Title: Apple iPhone lock screen bypass
Description: The Apple iPhone on version <= 6.1.2 can be bypassed by a
certain sequence of commands issued to the phone.  It involves accessing
the phone through the "Make an emergency call" feature.  It's not trivial
to perform without practice, and a patch is currently being tested by
Apple.
Reference:
http://bgr.com/2013/02/25/apple-ios-6-1-vulnerability-343637
Snort SID: N/A
ClamAV: N/A

============================================================

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Injecting a DLL in a Modern UI Metro Application
http://blog.nektra.com/main/2013/02/25/injecting-a-dll-in-modernui-metro-app-
win8/

REMnux: A Linux distribution for reverse-engineering malware:
http://zeltser.com/remnux/

CVE-2013-0634 being exploited in the wild:
http://malwaremustdie.blogspot.jp/2013/02/cve-2013-0634-this-ladyboyle-is-not.
html#gongda

Deobfuscating Java 7u11 exploit from Cool Exploit Kit:
http://security-obscurity.blogspot.it/2013/02/deobfuscating-java-7u11-exploit-
from.html

Stuxnet "Beta's" devious alternate attack on Iran nuke program:
http://arstechnica.com/security/2013/02/new-version-of-stuxnet-sheds-light-on-
iran-targeting-cyberweapon/

Japanese government builds APT database to study targeted attack info:
http://www.theregister.co.uk/2013/02/26/japan_apt_database_us/

Bit9 security incident update:
https://blog.bit9.com/2013/02/25/bit9-security-incident-update/

cPanel support compromised:
http://forum.whmcs.com/showthread.php?68611-cPanel-support-compromised&p=296646

ShadowServer notes on The Comment Group:
http://blog.shadowserver.org/2013/02/22/comment-group-cyber-espionage-additional
-information-clarification/

Symantec: Comment Crew indicators of Compromise:
http://www.symantec.com/content/en/us/enterprise/media/security_response/
whitepapers/comment_crew_indicators_of_compromise.pdf

How I hacked Facebook OAuth to get full permission on any Facebook
account (without app "Allow" interaction):
http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.
html

Dissecting NBC's exploits and malware serving web site compromise:
http://ddanchev.blogspot.com/2013/02/dissecting-nbcs-exploits-and-malware.html

=========================================================

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID:     CVE-2013-0431
Title: 	Java Applet JMX Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 through Update 11 allows
user-assisted remote attackers to bypass the Java security sandbox via
unspecified vectors related to JMX, aka "Issue 52," a different
vulnerability than CVE-2013-1490.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

ID:     CVE-2013-0640, CVE-2013-0641
Title:  Adobe Reader and Acrobat Unspecified Code Execution
Vulnerability (APSB13-07)
Vendor: Adobe
Description: Unspecified vulnerability in Adobe Reader and Acrobat 9.x
through 9.5.3, 10.x through 10.1.5, and 11.x through 11.0.1 allows
remote attackers to execute arbitrary code via a crafted PDF document,
as exploited in the wild in February 2013.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID:     CVE-2013-0025
Title: 	Microsoft Internet Explorer SLayoutRun Use-After-Free (MS13-009)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
8 allows remote attackers to execute arbitrary code via a crafted web
site that triggers access to a deleted object, aka "Internet Explorer
SLayoutRun Use After Free Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID:     CVE-2012-5088
Title: 	Java Applet Method Handle Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote
attackers to affect confidentiality, integrity, and availability via
unknown vectors related to Libraries.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID:     CVE-2012-3569
Title: 	VMWare OVF Tools Format String Vulnerability
Vendor: VMWare
Description: Format string vulnerability in VMware OVF Tool 2.1 on
Windows, as used in VMware Workstation 8.x before 8.0.5, VMware Player
4.x before 4.0.5, and other products, allows user-assisted remote
attackers to execute arbitrary code via a crafted OVF file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

=========================================================

MOST PREVALENT MALWARE FILES 2/19/2013 - 2/26/2013:
COMPILED BY SOURCEFIRE

SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal:
https://www.virustotal.com/file/
B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/

Typical Filename: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Product: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Publisher: 573b6cc513e1b7cd9e35b491eacc38f3


SHA 256: 9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F
MD5: 3ff52cee72b936c56b4fbb9f970ece74
VirusTotal:
https://www.virustotal.com/file/
9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F/analysis/

Typical Filename: wintdiyx.exe
Claimed Product: wintdiyx.exe
Claimed Publisher: wintdiyx.exe


SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal:
https://www.virustotal.com/file/
0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/

Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe


SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal:
https://www.virustotal.com/file/
E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/

Typical Filename: lmlkl.sys
Claimed Product: lmlkl.sys
Claimed Publisher: lmlkl.sys

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal:
https://www.virustotal.com/file/
DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/

Typical Filename: File_0_2.ok
Claimed Product: File_0_2.ok
Claimed Publisher: File_0_2.ok
[ terug ]