@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.
A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. Because it is also valuable for security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training, and to others at their organizations who want to stay current with the offensive methods in use.
June 14, 2012
=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 24
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 5/29/2012 - 6/5/2012
Top Vulnerability this week: The XML zero day that affects Internet Explorer users as well as Office 2003 and 2007 users. It was important enough for Microsoft to make an extra out-of-cycle patch available. The reason it is so important is that most targeted attacks going after sensitive intellectual property use a vector like the one used in this attack.
================================================================
TRAINING UPDATE
--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012
Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012
Techniques and solutions to aid organizations and agencies responding
to crimes and attacks. Maximize your training by also attending one or
more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/
--SANS Canberra 2012, Canberra, Australia July 2-10, 2012
5 courses. Bonus evening presentations include Penetrating Modern
Defenses; and Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/
--Security Impact of IPv6 Summit, Washington, DC July 6, 2012
Walk away with best practices from some who have already implemented
IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/
--SANSFIRE 2012, Washington, DC July 6-15, 2012
44 courses. Bonus evening presentations include Critical Infrastructure
Control Systems Cybersecurity; and Why Don't We Consider Our Cars
Critical Infrastructure?, Authentication Issues Between Entities During
Protocol Message Exchange in SCADA Systems, many more.
http://www.sans.org/sansfire-2012/
--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012
9 courses. Bonus evening presentations include All Your Hash Are Belong
to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing
and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/
--SANS Boston 2012, Boston, MA August 6-11, 2012
9 courses. Bonus evening presentations include SIFT Workstation: The Art
of Incident Response; and Everything I Know is Wrong! How to Lead a
Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/
--Looking for training in your own community?
http://sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current
Plus Malaysia, Bangkok, San Diego, San Antonio, and Melbourne all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
================================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: MySQL Authentication Brute Force Attack
Description: A trivially exploitable attack exists for certain platforms
running MySQL that allows attackers root access to the database without
any credentials. HD Moore has demonstrated a single-line shell script
that will grant access, so live attacks are presumed to exist in the
wild already, with automated scanners for this vulnerability likely to
follow (if not already available).
Reference:
http://vrt-blog.snort.org/2012/06/mysql-authentication-brute-force-attack.html
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
Snort SID: 23115
https://isc.sans.edu/port.html?port=3306
Title: Web Shell With GIF Header
Description: A live shell has been observed in the wild as part of
automated attempts to exploit the WordPress TimThumb vulnerability
released in August of 2011. This shell has a validly formed GIF header
prepended to the malicious PHP code, so that TimThumb's built-in file
safety checks will be bypassed (as well as any other check based on
file(1), which declares the shell to be a valid GIF file). Several
monitoring organizations have reported this shell being dropped very
widely in the field.
Reference:
http://vrt-blog.snort.org/2012/06/web-shell-poses-as-gif.html
http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html
Snort SID: 23113, 23114
ClamAV: PHP.Hide
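The bypass described above works because the type check stops at the header. As an added example (not from the VRT post or this newsletter), the check below verifies the GIF magic bytes and then searches the rest of the body for a PHP open tag, which a header-only test such as file(1) never sees. The sample bytes are constructed, not real captures.

```python
import re

GIF_MAGICS = (b"GIF87a", b"GIF89a")
# PHP open tags an interpreter would honour if the "image" is ever included or executed.
PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=|<script\s+language\s*=\s*[\"']?php", re.IGNORECASE)

def looks_like_gif(data: bytes) -> bool:
    """Header-only test: effectively what file(1) and the TimThumb check rely on."""
    return data[:6] in GIF_MAGICS

def find_php_in_gif(data: bytes):
    """Return the offset of the first PHP open tag in a GIF-headed blob, or None.

    A genuine GIF never carries a PHP open tag, so any hit after a valid
    header marks the upload as a polyglot that must not be stored or served.
    """
    if not looks_like_gif(data):
        return None
    m = PHP_TAG_RE.search(data, 6)
    return m.start() if m else None

def classify_upload(data: bytes) -> str:
    if not looks_like_gif(data):
        return "not-gif"
    return "gif-php-polyglot" if find_php_in_gif(data) is not None else "gif"

# Constructed samples: a minimal 1x1 GIF, and the same header followed by
# harmless PHP text standing in for the dropped shell.
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
POLYGLOT = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"<?php echo 'constructed sample'; ?>"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("polyglot", POLYGLOT)):
        print(name, classify_upload(blob), find_php_in_gif(blob))
```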
Title: CVE-2012-1875 Microsoft Internet Explorer DOM manipulation memory corruption
Description: This is a complex Document Object Model heap overwrite, but
several actors are using it in targeted attacks observed across the
globe. Several variants of the attack are in public already, and more
are being traded in the underground. Users of Internet Explorer should
patch this bug as promptly as possible.
Reference:
http://technet.microsoft.com/en-us/security/bulletin/MS12-037
Snort SID: 23125
ClamAV: Exploit.CVE_2012_1875, Exploit.CVE_2012_1875-1
Title: Unauthorized Microsoft Security Certificates Allow Windows Update Spoofing
Description: The recently discovered Flame malware used a specifically
crafted SSL certificate to man-in-the-middle the Windows Update process
and inject code. As any certificate issued by a pair of intermediate
signing authorities could, if used by Flame or others, lead to
unauthorized content being trusted by the operating system, Microsoft
explicitly revoked all certificates issued by those authorities.
Reference:
http://technet.microsoft.com/en-us/security/advisory/2718704
Snort SID: 23090
ClamAV: N/A
Title: CVE-2011-2140 Adobe Flash Player MP4 Buffer Overflow
Description: A simple buffer overflow attack exists in the way Adobe
Flash parses certain chunks of MP4 files. Public exploits exist, and
have been incorporated into the Chinese Yang Pack exploit kit. Active
exploitation of this vulnerability has been observed in the wild by the
Sourcefire VRT.
Reference:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
Snort SID: 19693, 20555, 21006, 23098
ClamAV: Trojan.GameThief-3, Exploit.SWF-24, Trojan.Cossta-22
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
(1) Flame malware collision attack explained:
http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx
http://www.trailofbits.com/resources/flame-md5.pdf
(2) Facebook begins notifying DNSChanger victims:
http://www.zdnet.com/blog/security/facebook-begins-notifying-dnschanger-victims/12296
(3) Spear Phishing Attempt vs. Digital Bond Analyzed:
http://www.digitalbond.com/2012/06/11/analysis-of-spear-phishing-malware-file/
(4) Post Mortem: Today's attack; apparent Google Apps/Gmail
vulnerability; and how to protect yourself:
http://blog.cloudflare.com/post-mortem-todays-attack-apparent-google-app
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
ID: CVE-2012-1889
Title: Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses
uninitialized memory locations, which allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via a
crafted web site.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-1875
Title: Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 does not properly handle
objects in memory, which allows remote attackers to execute arbitrary
code by accessing a deleted object, aka "Same ID Property Remote Code
Execution Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-1849
Title: Microsoft Lync CVE-2012-1849 DLL Loading Arbitrary Code Execution Vulnerability
Vendor: Microsoft
Description: Untrusted search path vulnerability in Microsoft Lync 2010,
2010 Attendee, and 2010 Attendant allows local users to gain privileges
via a Trojan horse DLL in the current working directory, as demonstrated
by a directory that contains a .ocsmeet file, aka "Lync Insecure Library
Loading Vulnerability."
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2012-0985
Title: Sony VAIO Wireless Manager ActiveX Control 'WifiMan.dll' Multiple Buffer Overflow Vulnerabilities
Vendor: Sony
Description: Multiple buffer overflows in the Wireless Manager ActiveX
control 4.0.0.0 in WifiMan.dll in Sony VAIO PC Wireless LAN Wizard 1.0;
VAIO Wireless Wizard 1.00, 1.00_64, 1.0.1, 2.0, and 3.0; SmartWi
Connection Utility 4.7, 4.7.4, 4.8, 4.9, 4.10, and 4.11; and VAIO Easy
Connect software 1.0.0 and 1.1.0 allow remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a long
string in the second argument of the (1) SetTmpProfileOption or (2)
ConnectToNetwork method.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-2436
Title: Pligg CMS CVE-2012-2436 Multiple Cross Site Scripting Vulnerabilities
Vendor: Pligg
Description: Multiple cross-site scripting (XSS) vulnerabilities in
Pligg CMS before 1.2.2 allow remote attackers to inject arbitrary web
script or HTML via (1) an arbitrary parameter in a move or (2) minimize
action to admin/admin_index.php; (3) the karma_username parameter to
module.php in the karma module; (4) q_1_low, (5) q_1_high, (6) q_2_low,
or (7) q_2_high parameter in a configure action to module.php in the
captcha module; or (8) the edit parameter to module.php in the
admin_language module.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2012-1824
Title: Measuresoft ScadaPro DLL Loading Arbitrary Code Execution Vulnerability
Vendor: Measuresoft
Description: Untrusted search path vulnerability in Measuresoft ScadaPro
Client before 4.0.0 and ScadaPro Server before 4.0.0 allows local users
to gain privileges via a Trojan horse DLL in the current working
directory.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
MOST POPULAR MALWARE FILES 5/29/2012 - 6/5/2012:
(Compiled by Sourcefire)
(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit https://www.sans.org/account