@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
March 27, 2014=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 14, Num. 12
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.
=============================================================CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 3/18/2014 - 3/25/2014
============================================================TOP VULNERABILITY THIS WEEK: Vulnerability in Microsoft Word Could Allow Remote Code Execution
******************** Sponsored By SANS *********************Plan to attend the SANS Security Leadership Summit, April 30th and May
1st, in Boston. The format will partner CISOs with leading SANS experts
across a broad range of key security topics and emerging trends. Choose
from four classes that take place afterwards (May 2nd - 6th) including
ICS/SCADA Security Essentials, Security Leadership, Implementing the
Critical Security Controls and Security Bootcamp.
http://www.sans.org/info/154465
TRAINING UPDATE
-- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp. http://www.sans.org/info/154465
- -- SANS 2014Orlando, FLApril 5-14, 2014
42 courses. Bonus evening presentations include Effective Phishing that
Employees Like; and The Law of Offensive Countermeasures. Active
Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014
- -- SANS Security WestSan Diego, CAMay 8-17, 2014
30 courses. Keynote sessions: Emerging Security Trends: Crossing the
Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next
Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014
-- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014
8 courses. Bonus evening presentations include Continuous Ownage; Why
You Need Continuous Monitoring; and APT: It is Time to Act.
- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014
7 courses. Bonus evening presentations includes Incident Response and
Forensics in the Cloud.
http://www.sans.org/event/singapore-2014
- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014
11 courses.
http://www.sans.org/event/secure-europe-2014
- --Can't travel? SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- -- Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Munich, Austin, Malaysia, and London all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
********************** Sponsored Links: ********************1) Higher Ed IT Pros! What's On Your Security Wish List? Tell us here:
http://www.sans.org/info/155855
2) Defending ICS Against Cyberthreats with Next Generation Security
Tuesday, April 29 at 1:00 PM EDT Michael Assante, Del Rodillas.
http://www.sans.org/info/155865
http://www.sans.org/info/155870 ============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Microsoft Word RTF Remote Memory Corruption Vulnerability
(CVE-2014-1761)
Description: A vulnerability in how multiple Microsoft products handle
RTF files can lead to memory corruption.
Reference:
http://arstechnica.com/security/2014/03/zero-day-vulnerability-in-microsoft-word-under-active-attack/
Snort SID: 24975, 24975
ClamAV: RTF.Exploit.CVE_2012_2539
Title: Internet Explorer TextRange Use-After-Free Vulnerability
(MS14-012)
Description: A use-after-free vulnerability exists in Internet Explorer.
The vulnerability is due to an error in the way TextRange objects are
handled.
Reference: http://technet.microsoft.com/en-us/security/bulletin/ms14-012
http://telussecuritylabs.com/threats/show/TSL20140311-15
Snort SID: Coverage is pending
ClamAV: Coverage is pending
Title: Stealth malware sneaks onto Android phones, then "turns evil"
when OS upgrades
Description: Applications installed on an Android device can be
automatically granted extra privileges during an upgrade of the Android
OS.
Reference:
http://www.welivesecurity.com/2014/03/21/stealth-malware-sneaks-onto-android-phones-then-turns-evil-when-os-upgrades/
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Zorenium Bot: Heading to an iPhone Near You?
http://www.infosecurity-magazine.com/view/37612/zorenium-bot-heading-to-an-iphone-near-you/
AWS urges developers to scrub GitHub of secret keys
http://www.itnews.com.au/News/375785,aws-urges-developers-to-scrub-github-of-secret-keys.aspx
New Android Bug Causes "Bricked" Devices
blog.trendmicro.com/trendlabs-security-intelligence/new-android-bug-causes-bricked-devices/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2014-1761
Title: Microsoft Word Remote Memory Corruption Vulnerability Vendor: Microsoft Description: Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Word Viewer; Office Compatibility Pack SP3; Office for Mac 2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, as exploited in the wild in March 2014. CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)ID: CVE-2014-0307
Title: Internet Explorer TextRange Use-After-Free Vulnerability (MS14-012) Vendor: Microsoft Description: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a certain sequence of manipulations of a TextRange element, aka "Internet Explorer Memory Corruption Vulnerability." CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)ID: CVE-2014-0783,CVE-2014-0784
Title: Yokogawa CENTUM CS 3000 Vulnerabilities Vendor: Yokogawa Description: Stack-based buffer overflows in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet. CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C)ID: CVE-2013-2347
Title: HP Data Protector Backup Client Service Remote Code Execution Vendor: HP Description: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1885. CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)ID: CVE-2014-0502
Title: Adobe Flash Player 12.0.0.44 Memory Corruption Vulnerability Vendor: Adobe Description: Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014. CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)ID: CVE-2014-0322
Title: Internet Explorer CMarkup use-after-free vulnerability Vendor: Microsoft Description: Use-after-free vulnerability in Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, as exploited in the wild in January and February 2014. CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) =========================================================MOST PREVALENT MALWARE FILES 3/18/2014 - 3/25/2014
COMPILED BY SOURCEFIRE
SHA 256: A1A212E0B59ABBB2F520F1D35E68AE00944931A5A0A514947555359CCEF2366F
MD5: 09b8de9389103831a84bb1711ebef153
VirusTotal:
https://www.virustotal.com/file/A1A212E0B59ABBB2F520F1D35E68AE00944931A5A0A514947555359CCEF2366F/analysis/#additional-info
Typical Filename: wajam_update.exe
Claimed Product: Wajam Internet Technologies
Detection Name: W32.A1A212E0B5-100.SBX.VIOC
SHA 256: C9D0E4A0EB68983AEF109E059E53C1510874BDB2D045F51F3645F3C06050D4BC
MD5: 488ab9e11c6d560ec43141366aadfc4c
VirusTotal:
https://www.virustotal.com/file/C9D0E4A0EB68983AEF109E059E53C1510874BDB2D045F51F3645F3C06050D4BC/analysis/#additional-info
Typical Filename: Unknown
Claimed Product: Conduit Ltd. SearchProtect
Detection Name: W32.C9D0E4A0EB-100.SBX.VIOC
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal:
https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/#additional-info
Typical Filename: wincdgja.exe
Claimed Product: Sality
Detection Name: W32.Sality:StubOfSalityTrj.17co.1201
SHA 256: B76B843FF8E57BC0AD5B3A8C0730BA2A40DA2C99D5D3BAC20A5D5235664A3170
MD5: 39dd5df876441584c8b3c5377edb19b7
VirusTotal:
https://www.virustotal.com/file/B76B843FF8E57BC0AD5B3A8C0730BA2A40DA2C99D5D3BAC20A5D5235664A3170/analysis/#additional-info
Typical Filename: au_.exe
Claimed Product: Conduit Ltd. SearchProtect
Detection Name: W32.B76B843FF8-100.SBX.VIOC
SHA 256: 54EC6309345B846CBB52F0D3942767D34D545CEAD2048A871841474612588280
MD5: 2d1225eec3c1829063d0aae4fc3c4b87
VirusTotal:
https://www.virustotal.com/file/54EC6309345B846CBB52F0D3942767D34D545CEAD2048A871841474612588280/analysis/#additional-info
Typical Filename: Unknown
Claimed Product: Conduit Ltd. SearchProtect
Detection Name: W32.54EC630934-100.SBX.VIOC
(c) 2014. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account
