[CERT-daily] Tageszusammenfassung - Mittwoch 10-07-2013

Daily end-of-shift report team at cert.at
Wed Jul 10 18:02:25 CEST 2013


=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 09-07-2013 18:00 − Mittwoch 10-07-2013 18:00
Handler:     Matthias Fraidl
Co-Handler:  n/a

*** Google patches critical Android threat as working exploit is unleashed ***
---------------------------------------------
Bug allows hackers to surreptitiously turn some legit apps into malicious ones.
---------------------------------------------
http://arstechnica.com/security/2013/07/google-patches-critical-android-threat-as-working-exploit-is-unleashed/




*** Summary for July 2013 - Version: 1.1 ***
---------------------------------------------
This bulletin summary lists security bulletins released for July 2013.
With the release of the security bulletins for July 2013, this bulletin summary replaces the bulletin advance notification originally issued July 4, 2013. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms13-jul




*** Adobe Security Bulletins Posted ***
---------------------------------------------
APSB13-17 Security updates available for Adobe Flash Player
APSB13-18 Security update available for Adobe Shockwave
APSB13-19 Security update: Security Hotfixes available for ColdFusion
---------------------------------------------
http://blogs.adobe.com/psirt/2013/07/adobe-security-bulletins-posted-8.html




*** Who's Behind The Styx-Crypt Exploit Pack? ***
---------------------------------------------
Earlier this week I wrote about the Styx Pack, an extremely sophisticated and increasingly popular crimeware kit that is being sold to help miscreants booby-trap compromised Web sites with malware. Today, Ill be following a trail of breadcrumbs that leads back to central Ukraine and to a trio of friends who appear to be responsible for marketing (if not also making) this crimeware-as-a-service.
---------------------------------------------
https://krebsonsecurity.com/2013/07/whos-behind-the-styx-crypt-exploit-pack




*** Joomla Attachments Shell Upload ***
---------------------------------------------
Topic: Joomla Attachments Shell Upload Risk: High Text: # Exploit Title: Joomla Com_Attachments Component Arbitrary File Upload Vulnerability # Google Dork: inurl:...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070068




*** Cybercriminals spamvertise tens of thousands of fake 'Your Booking Reservation at Westminster Hotel' themed emails, serve malware ***
---------------------------------------------
By Dancho Danchev Cybercriminals are currently mass mailing tens of thousands of fake emails impersonating the Westminster Hotel, in an attempt to trick users into thinking that they've received a legitimate booking confirmation. In reality through, once the socially engineered users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminals behind the ..
---------------------------------------------
http://blog.webroot.com/2013/07/10/cybercriminals-spamvertise-tens-of-thousands-of-fake-your-booking-reservation-at-westminster-hotel-themed-emails-serve-malware




*** Priyanka yanks your WhatsApp contact chain on Android mobes ***
---------------------------------------------
If that really is your name, nobody wants to know you right now A worm spreading through the popular WhatsApp messenging platform across Android devices is likely to cause plenty of confusion, even though it doesnt cause much harm.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/07/10/priyanka_whatsapp_worm/




*** Study: Bug bounty programs provide strong value for vendors ***
---------------------------------------------
A study of Googles and Mozillas browser bug programs shows it is money well spent
---------------------------------------------
http://www.csoonline.com/article/736127/study-bug-bounty-programs-provide-strong-value-for-vendors?source=rss_application_security




*** Datenklau am Automaten: Millionenschaden trotz Milliardeninvestition ***
---------------------------------------------
Im Kampf gegen Datendiebe investieren Banken in bessere Technik. Ganz abhalten lassen sich Kriminelle dadurch nicht: Noch immer k�nnen sie in vielen Staaten mit Daten deutscher Bankkunden an Geld kommen.
---------------------------------------------
http://www.heise.de/security/meldung/Datenklau-am-Automaten-Millionenschaden-trotz-Milliardeninvestition-1914796.html




*** Scanner warnt vor Android-Lücke ***
---------------------------------------------
Eine kostenlose App soll zeigen, ob ein Android-Gerät von der kürzlich entdeckten Lücke in der Code-Signierungstechnik des Betriebssystems betroffen ist. Die Software stammt von der Firma, die auch den Fehler entdeckt hat.
---------------------------------------------
http://www.heise.de/security/meldung/Scanner-warnt-vor-Android-Luecke-1914686.html




*** Blog: Security policies: misuse of resources ***
---------------------------------------------
According to surveys conducted in Europe and the United States, company employees spend up to 30% of their working hours on private affairs. By multiplying the hours spent on non-business-related things by the average cost of the working hour, the analysts estimate the costs to companies amounting to millions of dollars a year.
---------------------------------------------
http://www.securelist.com/en/blog/8109/Security_policies_misuse_of_resources




*** Vuln: VLC Media Player CVE-2013-3245 Remote Integer Overflow Vulnerability ***
---------------------------------------------
VLC Media Player CVE-2013-3245 Remote Integer Overflow Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/61032




*** Advanced User Tagging vBulletin Stored XSS Vulnerability ***
---------------------------------------------
Topic: Advanced User Tagging vBulletin Stored XSS Vulnerability Risk: Low Text: # # Exploit Title: Advanced User Tagging vBulletin - Stored XSS Vulnerability # Google Dork: ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070077




*** Preparing For Possible Future Crypto Attacks ***
---------------------------------------------
Security experts warn that current advances in solving a complex problem could make a broad class of public-key crypto systems less secure Security researchers and hackers have always been good at borrowing ideas, refining them, and applying them to create practical attacks out of theoretical results.
---------------------------------------------
http://www.darkreading.com/vulnerability/preparing-for-possible-crypto-attacks-of/240158000





More information about the Daily mailing list