Stephan Lantos
Subject: FW: @RISK: The Consensus Security Vulnerability Alert: Vol. 13, Num. 23

In partnership with SANS and Sourcefire, Qualys is pleased to provide you with the @RISK Newsletter. This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.

=========================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 13, Num. 23

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked
=========================================================

CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 5/30/13-6/4/13

TOP VULNERABILITY THIS WEEK: Google researcher Tavis Ormandy provided exploit code for an unpatched local kernel vulnerability in Windows this week, after having first published details on the Full-Disclosure mailing list in mid-May. The release coincides with Google's shift from giving vendors 60 days on actively exploited vulnerabilities to 7 days before Google will release details.

=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Google Shifts Policy, Will Release 0-days After A Week; Researcher Provides 0-day PoC
Description: In a major policy announcement made last week, Google stated that it will publicly disclose details of new vulnerabilities in other vendors' products 7 days after discovery, if those issues are being actively exploited in the wild. This is a major shift from its previous policy of giving vendors 60 days before disclosure. While acknowledging that this new policy may be too short a time frame for vendors to develop a patch, Google stated that vendors should at least make users aware of the situation and offer any possible mitigations while a patch is being developed. Meanwhile, Google researcher Tavis Ormandy has released exploit code for a local kernel vulnerability in Windows ahead of a patch by Microsoft, after having released initial details in mid-May. Microsoft claims that no active exploitation was taking place prior to the release of the exploit code, although that is likely to change now that a PoC is publicly available.
http://googleonlinesecurity.blogspot.ch/2013/05/disclosure-timeline-for-vulnerabilities.html
http://seclists.org/fulldisclosure/2013/may/91
http://seclists.org/fulldisclosure/2013/jun/5
Snort SID: N/A
ClamAV: N/A

Title: RFI Botnet Compromising WordPress, Joomla Sites Worldwide
Description: Researchers at the Deep End Research group released an in-depth report this week on a major botnet that has been responsible for compromising hundreds of thousands of WordPress and Joomla web sites across the planet over the past year. The report, which is designed to raise awareness among administrators of these notoriously vulnerable web services, corresponds to attack techniques seen by Sourcefire since September of 2011. System administrators are urged to check their systems for signs of compromise by this botnet, and to ensure that their systems have all of the latest available security patches and recommended settings applied.
http://www.deependresearch.org/2013/05/under-this-rock-vulnerable.html
Snort SID: 26813
ClamAV: Trojan.Dapato-*

Title: Black Revolution DDoS Trojan In The Wild
Description: DDoS continues to be a favorite activity of attackers worldwide, with recent attacks on financial institutions in particular reaching 100+ Gbps levels. Researchers at Arbor Networks this week profiled a particularly advanced DDoS trojan by the name of "Black Revolution" they have been observing in the wild lately, with different variants of the malware showing its creators' progress at evading detection over time.
http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/
http://www.prolexic.com/news-events-pr-prolexic-stops-largest-ever-dns-reflection-ddos-attack-167-gbps.html
Snort SID: 26713-26715, 26725-26750
ClamAV: Win.Trojan.BlackRev

Title: German Torrent Contains Source For 309 Bots
Description: The authors of the well-respected "Malware Must Die" blog this week published information on a huge dump of botnet source code they discovered on a German torrent, which has since been shut down. While most of the source is several years old, it provides valuable insight into multiple important families of malware, including Zeus, Skype-based bots, SDbot, and others. The source code is being shared with security researchers, and should provide useful information for network defenders worldwide.
http://malwaremustdie.blogspot.com/2013/06/full-disclosure-of-309-botbotnet-source.html?spref=tw
Snort SID: Various
ClamAV: Various

=========================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Shellcodecs - a huge collection of shellcode, loaders, etc.:
http://www.blackhatlibrary.net/shellcodecs

Ruby's $SAFE may go away:
https://bugs.ruby-lang.org/issues/8468

Phishing as a service:
http://blog.thinkst.com/2013/06/phish-your-company-before-someone-else.html

Cisco in the sky with diamonds:
http://securityops.wordpress.com/2013/06/01/http_exec-automated-vt-analysis-of-downloaded-executable-files/

How to search encrypted text in SQL Server 2005/2008:
http://geekswithblogs.net/chrisfalter/archive/2008/10/06/how-to-search-encrypted-text.aspx

Trawling for Tor hidden services - detection, measurement, deanonymization:
http://www.ieee-security.org/tc/sp2013/papers/4977a080.pdf

Microsoft releases new mitigation guidance for Active Directory:
http://blogs.technet.com/b/security/archive/2013/06/03/microsoft-releases-new-mitigation-guidance-for-activedirectory.aspx

NSA official mitigations for DDoS:
http://info.publicintelligence.net/nsa-iad-ddos.pdf

=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2012-5946
Title: IBM SPSS SamplePower C1Tab ActiveX Heap Overflow
Vendor: IBM
Description: Buffer overflow in the c1sizer ActiveX control in C1sizer.ocx in IBM SPSS SamplePower 3.0 before FP1 allows remote attackers to execute arbitrary code via a long TabCaption string.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2028
Title: Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow
Vendor: nginx.org
Description: Remote exploitation of an integer overflow vulnerability in the chunked transfer-encoding handling of nginx 1.3.9 through 1.4.0, as included in various vendors' operating system distributions, could allow attackers to execute arbitrary code on the targeted host.

ID: CVE-2013-1347
Title: Microsoft Internet Explorer 8 Use-After-Free Memory Corruption Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May 2013.

ID: CVE-2013-3336
Title: Adobe ColdFusion Information Disclosure Vulnerability (APSB13-13)
Vendor: Adobe
Description: Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

ID: CVE-2013-2423
Title: Java Applet Reflection Type Confusion Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

ID: CVE-2013-1493
Title: Oracle Java SE JVM 2D Subcomponent Remote Code Execution Vulnerability (Oracle Security Alert for CVE-2013-1493)
Vendor: Oracle
Description: The color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (crash) via an image with crafted raster parameters, which triggers (1) an out-of-bounds read or (2) memory corruption in the JVM, as exploited in the wild in February 2013.
=========================================================
MOST PREVALENT MALWARE FILES 5/30/13-6/4/13:
COMPILED BY SOURCEFIRE

SHA 256: 94A1A26F61B015C2CED2FD50BDBA4070B6C9AEC7D2938FBF7EB9E99960D3B7A9
MD5: bfacf78644ca41fd6d4b23976e7574a1
https://www.virustotal.com/file/94a1a26f61b015c2ced2fd50bdba4070b6c9aec7d2938fbf7eb9e99960d3b7a9/an
Typical Filename: RemoveWAT.exe
Claimed Product: RemoveWAT.exe
Claimed Publisher: RemoveWAT.exe

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
https://www.virustotal.com/file/aa0bbaecb678868e1e7f57c7ca9d61b608b3d788be490790eb1d148beadf4615/an
Typical Filename: 01.tmp
Claimed Product: 01.tmp
Claimed Publisher: 01.tmp

SHA 256: 7BB7125EC5ECF99F975D7CB127009E615847D3FF05FA9F2F79F92CB480B28DC5
MD5: 2f0550df2d7e60752765b44aeb772091
https://www.virustotal.com/file/7bb7125ec5ecf99f975d7cb127009e615847d3ff05fa9f2f79f92cb480b28dc5/analysis/
Typical Filename: pricepeep_130001_0101.exe
Claimed Product: pricepeep_130001_0101.exe
Claimed Publisher: pricepeep_130001_0101.exe

SHA 256: A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03
MD5: 8ac1e580cf274b3ca98124580e790706
https://www.virustotal.com/file/a6b140ec734c258c5ebf19c0bc0b414b5655adc00108a038b5be6a8f83d0bd03/an
Typical Filename: Virus.Win32.Sality.ab
Claimed Product: Virus.Win32.Sality.ab
Claimed Publisher: Virus.Win32.Sality.ab

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
https://www.virustotal.com/file/df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c/analysis/
Typical Filename: ygrqpx.exe
Claimed Product: ygrqpx.exe
Claimed Publisher: ygrqpx.exe

=========================================================
2013. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

--END--