@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
May 29, 2014=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 14, Num. 21
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.
=============================================================CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 5/20/2014 - 5/27/2014
============================================================TOP VULNERABILITY THIS WEEK: Security updates for Safari 6.1.4 and Safari 7.0.4
******************** Sponsored By SANS *********************Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - - PART II. August 1, 2014 in Washington, DC. This SANS CDM event provides government security managers the opportunity to get the latest status on the DHS Continuous Diagnostic and Mitigiation program and to learn how the early adopters in government are using CDM to increase security. http://www.sans.org/info/159487
============================================================TRAINING UPDATE
- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014
8 courses. Bonus evening presentations include Continuous Ownage; Why
You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014
- --SANSFIRE 2014 Baltimore, ND June 21-30, 2014
42 courses. Bonus evening presentations include Avoiding Cyberterrosism
Threats Inside Electrical Substations; Security Awareness Metrics:
Measuring Human Behavior; and penetration Testing Corporate Mobile
Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014
- --SANS Capital City 2014Washington, DC July 7-12, 2014
7 courses. Bonus evening presentations include Weaponizing Digital
Currency; Incident Response and Forensics in the Cloud; and Who's
Watching the Watchers?
http://www.sans.org/event/capital-city-2014
- --SANS Pen Test BerlinBerlin, GermanyJune 15-21, 2014
6 courses.
http://www.sans.org/event/pentest-berlin-2014
- --SANS London Summer 2014 London, UKJuly 14-21, 2014
5 courses.
http://www.sans.org/event/london-summer-2014
- --Can't travel? SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- -- Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Austin, Malaysia, and Bangkok all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
********************** Sponsored Links: ********************1) Government IT Pros! Tell us Your Wins and Misses with the Continuous
Diagnostics and Mitigation Program by Taking This Survey:
http://www.sans.org/info/160435. Also Enter to Win an iPad!
2) Webcast: Best Practices for Leveraging Security Threat Intelligence.
Wednesday, June 04 at 1:00 PM EDT. Featuring: Russell Spitler & Dave
Shackleford.
http://www.sans.org/info/160440
3) Webcast: Saving Time and Resources Managing Administrator Rights with
a Process-based Whitelist Model. Thursday, June 05 at 1:00 PM EDT.
Featuring: John Pescatore. http://www.sans.org/info/160445
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Security updates for Safari 6.1.4 and Safari 7.0.4
Description: Apple releases 21 updates for Safari 6.1.4 and Safari 7.0.4
on OSX. Multiple memory corruption issues existed in WebKit. These
issues were addressed through improved memory handling.
Reference: http://support.apple.com/kb/HT6254
Snort SID: Detection pending release of vulnerability details
Title: Microsoft Internet Explorer 8 CMarkup Use-After-Free Remote Code
Execution Vulnerability
Description: A vulnerability in the way Microsoft Internet Explorer 8
handles memory allocation for CMarkup objects can lead to execution of
arbitrary code.
Reference: http://zerodayinitiative.com/advisories/ZDI-14-140/
Snort SID: Detection pending release of vulnerability details
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Tech companies are still fuming over the NSA
http://www.washingtonpost.com/blogs/the-switch/wp/2014/05/19/marc-andreessen-tech-companies-are-still-fuming-over-the-nsa/
Angling for Silverlight Exploits
https://blogs.cisco.com/security/angling-for-silverlight-exploits
Volatility - Update All The Things - Book, Training & the upcoming
release of Volatility 2.4
http://volatility-labs.blogspot.com/2014/05/volatility-update-all-things.html
Meet the Zberp Trojan
http://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp
Effective NTLM / SMB Relaying
http://www.room362.com/blog/2014/05/21/effective-ntlm-slash-smb-relaying/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2014-1649
Title: Symantec Workspace Streaming Arbitrary File Upload
Vendor: Symantec
Description: The server in Symantec Workspace Streaming (SWS) before
7.5.0.749 allows remote attackers to access files and functionality by
sending a crafted XMLRPC request over HTTPS.
CVSS v2 Base Score: 7.9 (AV:A/AC:M/AU:N/C:C/I:C/A:C)
ID: CVE-2014-0515
Title: Adobe Flash Player Shader Buffer Overflow
Vendor: Adobe
Description: Buffer overflow in Adobe Flash Player before 11.7.700.279
and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and
before 11.2.202.356 on Linux, allows remote attackers to execute
arbitrary code via unspecified vectors, as exploited in the wild in
April 2014.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
ID: CVE-2014-0094
Title: Apache Struts ClassLoader Manipulation Remote Code Execution
Vendor: Apache
Description: The ParametersInterceptor in Apache Struts before 2.3.16.1
allows remote attackers to "manipulate" the ClassLoader via the class
parameter, which is passed to the getClass method.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/AU:N/C:N/I:P/A:N)
ID: CVE-2014-0497
Title: Adobe Flash Player Integer Underflow Remote Code Execution
Vendor: Adobe
Description: Integer underflow in Adobe Flash Player before 11.7.700.261
and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and
before 11.2.202.336 on Linux, allows remote attackers to execute
arbitrary code via unspecified vectors.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
ID: CVE-2014-1776
Title: Microsoft Internet Explorer Use-after-Free Vulnerability
Vendor: Microsoft
Description: Use-after-free vulnerability in VGX.DLL in Microsoft
Internet Explorer 6 through 11 allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via
unspecified vectors, as exploited in the wild in April 2014.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
ID: CVE-2014-0160
Title: OpenSSL TLS Heartbeat Extension Buffer Oveflow Information
Disclosure Vulnerability (Heartbleed)
Vendor: OpenSSL Project
Description: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1
before 1.0.1g do not properly handle Heartbeart Extension packets, which
allows remote attackers to obtain sensitive information from process
memory via crafted packets that trigger a buffer over-read, as
demonstrated by reading private keys, related to d1_both.c and t1_lib.c.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
MOST PREVALENT MALWARE FILES 5/20/2014 - 5/27/2014
COMPILED BY SOURCEFIRE
SHA 256: FA802EA3C3F8FBB3EF946A43B757E84A2D2AFD42BC9B035F71CC989A7E349081
MD5: 5454873bb620e77dcb10db8f23529877
VirusTotal:
https://www.virustotal.com/file/FA802EA3C3F8FBB3EF946A43B757E84A2D2AFD42BC9B035F71CC989A7E349081/analysis/#additional-info
Typical Filename: APISupport.dll
Claimed Product: Conduit Search
Detection Name: W32.FA802EA3C3-66.SBX.VIOC
SHA 256: DE79E5A4356CA0EFA56B69E6EDE21DD8E12FC16E2196B7B7366A0D76C65D3ED5
MD5: 11fcb6824b912480af7d54a8547dfcb8
VirusTotal:
https://www.virustotal.com/file/DE79E5A4356CA0EFA56B69E6EDE21DD8E12FC16E2196B7B7366A0D76C65D3ED5/analysis/#additional-info
Typical Filename: wajam_update.exe
Claimed Product: Wajam Internet Technologies Inc
Detection Name: W32.Application.17gw.1201
SHA 256: D2D7439861F407ED2979009F5E755003F3E67022D2612B8761D03C3DC2D1FF31
MD5: ff70d4e62eea5459ded0ebd31189ecf0
VirusTotal:
https://www.virustotal.com/file/D2D7439861F407ED2979009F5E755003F3E67022D2612B8761D03C3DC2D1FF31/analysis/#additional-info
Typical Filename: dt_ie.exe
Claimed Product: Search Results
Detection Name: W32.ADH:PUPgen.17gv.1201
SHA 256: A4BD609891D8373907DC1EC8C8ACFF5924DBFC6C416078918EB3705D6CF472BE
MD5: 9ee9261feabd8ff8df99b6134b43a821
VirusTotal:
https://www.virustotal.com/file/A4BD609891D8373907DC1EC8C8ACFF5924DBFC6C416078918EB3705D6CF472BE/analysis/#additional-info
Typical Filename: anyprotectscannersetup.exe
Claimed Product: Any Protect Setup
Detection Name: W32.A4BD609891-100.SBX.VIOC
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal:
https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/#additional-info
Typical Filename: 0D92F.tmp
Claimed Product: Conficker
Detection Name: W32.Worm:GN.17fr.1201
(c) 2014. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account