@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
August 1, 2013=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 13, Num. 31
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.
=============================================================CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 7/23/2013 - 7/30/2013
============================================================TOP VULNERABILITY THIS WEEK: Microsoft announced the first-ever major update to its Microsoft Active Protections Program (MAPP) this week, dramatically expanding the list of potential members and providing several new levels of service in the process. The information-sharing program has been instrumental to high-quality detection for security vendors for years, and incident responders are the primary beneficiaries of the expansion.
******************** Sponsored By Bit9 *********************
Do you know if you are the target of an advanced threat or have unauthorized software in your organization? How can you trust what's running on your systems if you don't have answers to these questions? Download Bit9's Trust Assessment Tool to tell you exactly what is running on your system. Learn more /info/13657
============================================================TRAINING UPDATE
- -- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.
- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013
7 courses. Bonus evening sessions include Offensive Digital Forensics;
and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013
- -- SANS Boston 2013 Boston, MA August 5-10, 2013
9 courses. Bonus evening sessions include Cloud R and Forensics; and You
Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013
- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013
10 courses. Bonus evening presentations include Thanks for Recovering
... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is
Time to Act.
http://www.sans.org/event/virginia-beach-2013
- -- SANS Capital City 2013 Washington, DC September 3-8, 2013
6 courses. Bonus evening presentations include Look Ma, No Exploits! -
The Recon-ng Framework; and How the West was Pwned.
Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013
- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013
50 courses. Bonus evening presentations include The Security Impact of
IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small
Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC
Law Firm.
http://www.sans.org/event/network-security-2013
- -- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis. http://www.sans.org/event/baltimore-2013
- -- SANS Forensics Prague 2013Prague, Czech RepublicOctober 6-13 2013
SANS's European forensics summit and dedicated forensics training event.
Four of SANS's most important forensics training courses and
opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013
- -- SANS Dubai 2013Dubai, UAEOctober 26th - November 7th 2013
SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013
- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- -- Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org
********************** Sponsored Links: ********************1) Jane Lute former Deputy Secretary of the DHS to keynote Critical Security Controls Summit! Register today http://www.sans.org/info/136577
2) In-depth, hands-on technical courses led by top SCADA experts. Industrial Control Systems Training in Washington DC http://www.sans.org/info/136582
3) WhatWorks Webcast: WhatWorks in Detecting and Blocking Advanced Threats at a Large Research Organization. Tuesday, August 06, 2013 at 1:00 PM EDT. http://www.sans.org/info/136587
============================================================NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Microsoft announces major expansion of MAPP program
Description: For the first time since the inception of the Microsoft
Active Protections Program (MAPP) in 2008, the firm is dramatically
increasing its scope, with two new sub-programs designed to increase the
number of people who can benefit from MAPP's information-sharing regime.
The first, MAPP for Responders, will bring incident responders into the
fold, with data focused on identifying and remediating live exploitation
in the wild. The second, MAPP Scanner, is a cloud-based tool that will
allow an even broader range of organizations to submit files they
suspect might be exploiting a vulnerability in Microsoft software, with
both information on known vulnerabilities and details of suspicious
information being supplied in return. In addition, program benefits are
being expanded for current MAPP members, which will be re-branded as
MAPP for Security Vendors. This expansion of the program comes on the
heels of its dramatic success over the last several years, helping to
validate the strategy of open information-sharing among network
defenders worldwide.
Reference:
http://blogs.technet.com/b/bluehat/archive/2013/07/29/new-mapp-initiatives.aspx
http://blogs.technet.com/b/msrc/archive/2013/07/29/announcing-the-2013-msrc-progress-report-featuring-mapp-expansions.aspx
http://www.computerworld.com/s/article/9241169/Microsoft_expands_bug_info_sharing_program_to_larger_crowd?taxonomyId=17&pageNumber=2
Snort SID: N/A
ClamAV: N/A
Title: Dovecot + Exim remote code execution attack spotted in the wild
Description: A trivially exploitable remote code execution vulnerability
in the Dovecot mail server, when paired with Exim as a local delivery
agent, was announced in May, with only a workaround being released to
date. Recent notes from the ISC Storm Center show that the attack, which
has several publicly available proofs of concept, is now being exploited
in the wild. Administrators of these systems are urged to check their
configurations and take appropriate mitigation immediately.
Reference:
https://isc.sans.edu/diary/Dovecot++Exim+Exploit+Detects/16243
http://osvdb.org/show/osvdb/93004
Snort SID: 27532
ClamAV: N/A
Title: Internet Explorer 9/10 information disclosure vulnerability
Description: In a post to the popular Full-Disclosure mailing list on
Monday, an independent researcher provided information around a
potential new Internet Explorer information disclosure vulnerability,
which he claimed would be useful in bypassing ASLR. While confirmation
of the vulnerability was pending as of the time of publication, and no
signs of exploitation in the wild are available at this time, security
researchers and incident responders should be paying close attention to
systems they monitor until further information is released.
Reference:
http://seclists.org/fulldisclosure/2013/Jul/267
Snort SID: 27531
ClamAV: N/A
Title: Package using Android "Extra Field" vulnerability spotted in the wild
Description: Independent researcher Zhuowei Zang recently began
distributing an APK on his Github site that used the recently disclosed
"Extra Field" vulnerability in APK file parsing in order to gain root
access on the Kobo Arc tablet. While his particular package contained
no malicious code, and simply took advantage of system package
permissions to install a superuser account, it shows how easy live
exploitation of the vulnerability is, likely setting the stage for
further use of it in the coming weeks.
Reference:
http://vrt-blog.snort.org/2013/07/android-extra-field-vulnerability_30.html
https://www.virustotal.com/en/file/06edeb3bab3bfb8c7b272615b8524111d03b17a8875e507a1cc9e4af81f486c6/analysis/
Snort SID:
ClamAV: BC.Exploit.Andr.Extra_Field
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Windows RT ARMv7-based shellcode development:
http://www.exploit-monday.com/2013/07/WinRT-ARM-Shellcode.html
Styx cool exploit kit: one applet to exploit all vulnerabilities:
http://security-obscurity.blogspot.com/2013/07/styxy-cool-exploit-kit-one-applet-to.html
Spy agencies ban Lenovo PCs on security concerns:
http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_HVgcKTHp4bIA4ulCPqC7SL
MSI: the case of the invalid signature:
http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/
Security vendors: do no harm, heal thyself:
http://krebsonsecurity.com/2013/07/security-vendors-do-no-harm-heal-thyself/
The evolution of Rovnix: private TCP/IP stacks:
http://blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx
Verizon announces Veris database - raw incident data:
http://www.verizonenterprise.com/security/blog/index.xml?postid=4642
Flush + Reload: a high resolution, low noise L3 cache side-channel attack:
http://eprint.iacr.org/2013/448.pdf
Big poker player loses high-stakes Android scam game:
http://www.symantec.com/connect/blogs/big-poker-player-loses-high-stakes-android-scam-game
Haunted by the ghosts of ZeuS and DNSChanger:
http://krebsonsecurity.com/2013/07/haunted-by-the-ghosts-of-zeus-dnschanger/
Vulnerability disclosed all passwords of Barracuda Networks employees:
http://securityaffairs.co/wordpress/16584/hacking/vulnerability-in-baracuda-network.html
Advanced exploitation of Windows kernel privilege escalation / CVE-2013-3660: http://www.vupen.com/blog/20130723.Advanced_Exploitation_Windows_Kernel_Win32k_EoP_MS13-053.php
How I found my way into Instagram's Ganglia, and a bug with Facebook likes:
http://josipfranjkovic.blogspot.com/2013/07/how-i-found-my-way-into-instagrams.html
Dissecting a WordPress brute force attack:
http://blog.sucuri.net/2013/07/dissecting-a-wordpress-brute-force-attack.html
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2013-3174
Title: Microsoft DirectShow GIF Parsing Memory Corruption Vulnerability
Vendor: Microsoft
Description: DirectShow in Microsoft Windows XP SP2 and SP3, Windows
Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1,
Windows 7 SP1, Windows 8, and Windows Server 2012 allows remote
attackers to execute arbitrary code via a crafted GIF file, aka
"DirectShow Arbitrary Memory Overwrite Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-2251
Title: Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Vendor: Apache
Description: Apache Struts 2.0.0 through 2.3.15 allows remote attackers
to execute arbitrary OGNL expressions via a parameter with a crafted (1)
action:, (2) redirect:, or (3) redirectAction: prefix.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-1017
Title: Apple Quicktime 7 Invalid Atom Length Buffer Overflow
Vendor: Apple
Description: Buffer overflow in Apple QuickTime before 7.7.4 allows
remote attackers to execute arbitrary code or cause a denial of service
(application crash) via crafted dref atoms in a movie file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-3163
Title: Microsoft Internet Explorer CBlockElement Use-after-Free Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 through 10 allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption) via a crafted web site, aka "Internet Explorer Memory
Corruption Vulnerability," a different vulnerability than CVE-2013-3144
and CVE-2013-3151.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-2460
Title: Java Applet ProviderSkeleton Insecure Invoke Method
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK
7, allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to Serviceability. NOTE: the
previous information is from the June 2013 CPU. Oracle has not commented
on claims from another vendor that this issue allows remote attackers
to bypass the Java sandbox via vectors related to "insufficient access
checks" in the tracing component.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 7/23/2013 - 7/30/2013
COMPILED BY SOURCEFIRE
SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/
Typical Filename: C8A787C22000AE378610003396E67500D587FA4E.exe
Claimed Product: My Web Search Bar for Internet Explorer and FireFox
Claimed Publisher: MyWebSearch.com
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename:
smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Product:
smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Publisher:
smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Typical Filename: avz00001.dta
Claimed Product: avz00001.dta
Claimed Publisher: avz00001.dta
SHA 256: 9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302
MD5: 923c4d13bee966654f4fe4a8945af0ae
VirusTotal: https://www.virustotal.com/file/9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302/analysis/
Typical Filename: winoaox.exe
Claimed Product: winoaox.exe
Claimed Publisher: winoaox.exe
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Typical Filename: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Product: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Publisher: bf31a8d79f704f488e3dbcb6eea3b3e3
(c) 2013. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account