=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 23-10-2014 18:00 − Friday 24-10-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Operation Pawn Storm: Putting Outlook Web Access Users at Risk ***
---------------------------------------------
In our recently released report, Operation Pawn Storm, we talked about an operation that involved three attack scenarios. For this post, we will talk about the third scenario: phishing emails that redirect victims to fake Outlook Web Access login pages. What's most notable about this is that it is simple, effective, and can be easily replicated. Through one...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/CrAgUjYrv14/
*** Has the "Sandworm" zero-day exploit burrowed back to the surface? ***
---------------------------------------------
You may have noticed that Microsoft recently published a Security Advisory that sounds a lot like the "Sandworm" vulnerability all over again. Paul Ducklin explains...
---------------------------------------------
http://nakedsecurity.sophos.com/2014/10/24/has-the-sandworm-exploit-burrowe…
*** The Insecurity of Things : Part One ***
---------------------------------------------
Every day we read about some newfangled internet connected device being released. Things we use every day are being made "smart" with some rushed-to-production software embedded in a cheap micro-controller. Fitness trackers, smoke alarms, televisions, cars, wall-outlets, even water-bottles. Internet connected-water bottles? What a time to be alive!
---------------------------------------------
http://www.xipiter.com/musings/the-insecurity-of-things-part-one
*** The Insecurity of Things: Part Two ***
---------------------------------------------
When we last left off, we were setting the stage for sharing what the Interns found in a handful of "IOT" or internet connected devices they purchased. So we'll be starting with a simple one. One that only required simple techniques to compromise it. This first device is a "Smart"-Home Controller. For a bit of background on what's going on here, please see "Part One" of this series; otherwise we're going to jump right in, but first a disclaimer:...
---------------------------------------------
http://www.xipiter.com/musings/the-insecurity-of-things-part-two
*** The Case of the Modified Binaries ***
---------------------------------------------
After creating and using a new exitmap module, I found downloaded binaries being patched through a Tor exit node in Russia. Tor is a wonderful tool for protecting the identity of journalists, their sources, and even regular users around the world; however, anonymity does not guarantee security.
---------------------------------------------
http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/
*** Sipgate: Services restored after DDoS attack ***
---------------------------------------------
After Sipgate had partially restored its services overnight, the company came under another DDoS attack on Friday morning. The services are now said to be working again.
---------------------------------------------
http://www.golem.de/news/sipgate-dienste-nach-ddos-angriff-wiederhergestell…
*** QuickTime update for Windows closes a bundle of security vulnerabilities ***
---------------------------------------------
A total of four bugs were present in the Windows version of Apple's multimedia support, which attackers are said to be able to exploit via manipulated files.
---------------------------------------------
http://www.heise.de/security/meldung/QuickTime-Update-fuer-Windows-schliess…
*** Manipulating WordPress Plugin Functions to Inject Malware ***
---------------------------------------------
Most authors of website malware usually rely on the same tricks, making it easy for malware researchers to spot obfuscated code, random files that don't belong, and malicious lines injected at the top of a file. However, it can become difficult when the malware is buried deep within the lines of code on normal files.
---------------------------------------------
http://blog.sucuri.net/2014/10/manipulating-wordpress-plugin-functions-to-i…
*** Filr 1.1 - Security Update 1 ***
---------------------------------------------
Abstract: This patch addresses the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability on the Filr 1.1.0 appliance.
Document ID: 5194317
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: readme-Filr-1.1.0.654.HP.txt (1.26 kB), Filr-1.1.0.654.HP.zip (5.64 MB)
Products: Filr 1.1
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=3wpN2nVj2D8~
*** Filr - Security Update 3 ***
---------------------------------------------
Abstract: This patch addresses the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability on the Filr 1.0.0 and 1.0.1 appliances.
Document ID: 5194316
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: readme-Filr-1.0.0-SU3.txt (2.49 kB), readme-Filr-1.0.1-SU3.txt (2.49 kB), Filr-1.0.0-SU3.zip (5.64 MB), Filr-1.0.1-SU3.zip (5.64 MB)
Products: Filr 1.0, Filr 1.0.1
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=_N6A9M3Jvig~
*** Cisco IOS and IOS XE Software Ethernet Connectivity Fault Management Vulnerability ***
---------------------------------------------
CVE-2014-3409
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Bugtraq: [SECURITY] [DSA 3055-1] pidgin security update ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533797
*** ZDI-14-368: Apple OS X GateKeeper Bypass Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple OS X. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-368/
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 21-10-2014 18:00 − Wednesday 22-10-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security Advisory 3010060 released ***
---------------------------------------------
Today, we released Security Advisory 3010060 to provide additional protections regarding limited, targeted attacks directed at Microsoft Windows customers. A cyberattacker could cause remote code execution if someone is tricked into opening a maliciously-crafted PowerPoint document that contains an infected Object Linking and Embedding (OLE) file. As part of this Security Advisory, we have included an easy, one-click Fix it solution to address the known cyberattack. Please review the...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/10/21/security-advisory-301006…
*** Android NFC hack allow users to have free rides in public transportation ***
---------------------------------------------
More and more people keep talking about the feature of payments via NFC. The problem in this particular case is that somebody reversed the "Tarjeta BIP!" cards and found a means to re-charge them for free.
---------------------------------------------
http://securelist.com/blog/virus-watch/67283/android-nfc-hack-allow-users-t…
*** SSL encryption: Still a lot of work for mail providers and banks ***
---------------------------------------------
heise Security ran tests and found that some mail providers have already responded to the latest attacks on encryption, but by no means all. The situation is even worse for the servers used for online banking via HBCI.
---------------------------------------------
http://www.heise.de/security/meldung/SSL-Verschluesselung-Noch-viel-Arbeit-…
*** Malvertising Payload Targets Home Routers ***
---------------------------------------------
A few weeks ago we wrote about compromised websites being used to attack your web routers at home by changing DNS settings. In that scenario the attackers embedded iFrames to do the heavy lifting; the shortfall with this method is that they require a website to inject the iFrame. As is often the case, tactics...
---------------------------------------------
http://blog.sucuri.net/2014/10/malvertising-payload-targets-home-routers.ht…
*** Targeted attacks via online advertising ***
---------------------------------------------
Data thieves have apparently attacked defense and aerospace companies using manipulated online advertising. The ads could be placed in a targeted manner via so-called real-time bidding.
---------------------------------------------
http://www.golem.de/news/phishing-gezielte-angriffe-ueber-onlinewerbung-141…
*** Network attacks: DDoS botnet spreading unchecked ***
---------------------------------------------
According to experts, a recently discovered botnet for DDoS attacks is spreading unhindered. Windows servers are now said to be at risk as well. The purpose of the attacks carried out with it remains unclear, however.
---------------------------------------------
http://www.golem.de/news/netzangriffe-ddos-botnetz-weitet-sich-ungebremst-a…
*** Hostile Subdomain Takeover using Heroku/Github/Desk + more ***
---------------------------------------------
Hackers can claim subdomains with the help of external services. This attack is practically non-traceable, and affects at least 17 large service providers and multiple domains are affected. Find out if you are one of them by using our quick tool, or go through your DNS-entries and remove all which are active and unused OR pointing to External Services which you do not use anymore.
---------------------------------------------
http://blog.detectify.com/post/100600514143/hostile-subdomain-takeover-usin…
*** TYPO3 CMS 4.5.37, 4.7.20, 6.1.12 and 6.2.6 released ***
---------------------------------------------
IMPORTANT: These versions include important security fixes to the TYPO3 core. A security announcement has just been released: http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa…
---------------------------------------------
https://typo3.org/news/article/typo3-cms-4537-4720-6112-and-626-released/
*** Security_Advisory-DLL Hijacking Vulnerability on Huawei USB Modem products ***
---------------------------------------------
Oct 21, 2014 20:23
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** IBM Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere MQ, IBM WebSphere MQ Internet Pass-Thru and IBM Mobile Messaging and M2M Client Pack (CVE-2014-3566) ***
---------------------------------------------
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in IBM WebSphere MQ. CVE(s): CVE-2014-3566 Affected product(s) and affected version(s): The vulnerability affects all versions and releases of IBM WebSphere MQ, IBM WebSphere MQ Internet Pass-Thru and IBM Mobile Messaging and M2M Client Pack.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Bugtraq: FreeBSD Security Advisories ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533773
http://www.securityfocus.com/archive/1/533772
http://www.securityfocus.com/archive/1/533771
http://www.securityfocus.com/archive/1/533770
*** Bugtraq: File Manager v4.2.10 iOS - Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533778
*** Files Document & PDF Reader for iOS Ordner Erstellen code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/97698
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 20-10-2014 18:00 − Tuesday 21-10-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Apple Multiple Security Updates, (Mon, Oct 20th) ***
---------------------------------------------
Apple released security updates today for iOS 8 and Apple TV 7. iOS 8.1 (APPLE-SA-2014-10-20-1 iOS 8.1) is now available for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later, to address the following: Bluetooth CVE-2014-4448, House Arrest CVE-2014-4448, iCloud Data Access CVE-2014-4449, Keyboards CVE-2014-4450, Secure Transport CVE-2014-3566. Apple TV 7.0.1 (APPLE-SA-2014-10-20-2 Apple TV 7.0.1) is now available for Apple TV 3rd generation and later, to address the...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18857&rss
*** Palo Alto Networks boxes spray firewall creds across the net ***
---------------------------------------------
Crummy configurations to blame, Moore hardening offered as remedy
Misconfigured user identities for Palo Alto Networks firewalls are leaking onto the public web, potentially exposing customer services including VPN and webmail, says security luminary HD Moore.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/10/21/palo_alto_c…
*** Download security: Blackberry must improve its app store ***
---------------------------------------------
Because downloads from Blackberry World, the official app store for all Blackberry 10 models, were not secured, an attacker could very easily have smuggled malware onto the devices.
---------------------------------------------
http://www.heise.de/security/meldung/Download-Sicherheit-Blackberry-muss-Ap…
*** CSAM Month of False Positives: Ghosts in the Pentest Report, (Tue, Oct 21st) ***
---------------------------------------------
As part of most vulnerability assessments and penetration tests against a website, we almost always run some kind of scanner. Burp (commercial) and ZAP (free from OWASP) are two commonly used scanners. Once you've done a few website assessments, you start to get a feel for what pages and fields are likely candidates for exploit. But especially if it's a vulnerability assessment, where you're trying to cover as many issues as possible (and exploits might even be out of scope), it's always a safe bet
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18861&rss
*** Delivering Malicious Android Apps Hidden In Image Files ***
---------------------------------------------
An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it into what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/mKMqgWAvhIM/story01.htm
*** Google Adds Hardware Security Key For Account Protection ***
---------------------------------------------
Google is introducing an improved two-factor authentication system for Gmail and its other services that uses a tiny hardware token that will only work on legitimate Google sites. The new Security Key system is meant to help defeat attacks that rely on highly plausible fake sites that are designed to capture users' credentials. Attackers often go...
---------------------------------------------
http://threatpost.com/google-adds-hardware-security-key-for-account-protect…
*** R7-2014-17: NAT-PMP Implementation and Configuration Vulnerabilities ***
---------------------------------------------
In the summer of 2014, Rapid7 Labs started scanning the public Internet for NAT-PMP as part of Project Sonar. NAT-PMP is a protocol implemented by many SOHO-class routers and networking devices that allows firewall and routing rules to be manipulated to enable internal, assumed trusted users behind a NAT device to allow external users to access internal TCP and UDP services for things like Apple's Back to My Mac and file/media sharing services.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-1…
*** Denial-of-service attacks - short but strong ***
---------------------------------------------
DDoS amplification attacks continue to increase as attackers experiment with new protocols.
---------------------------------------------
http://www.symantec.com/connect/blogs/denial-service-attacks-short-strong
*** [R1] SSLv3 Protocol Vulnerability Affects Tenable Products (POODLE) ***
---------------------------------------------
October 19, 2014
---------------------------------------------
http://www.tenable.com/security/tns-2014-09
*** Vuln: Zend Framework CVE-2014-8088 Authentication Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/70378
*** DSA-3054 mysql-5.5 ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-3054
*** Asterisk SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic ***
---------------------------------------------
http://www.securitytracker.com/id/1031078
*** HP Security Bulletins ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533732
http://www.securityfocus.com/archive/1/533733
http://www.securityfocus.com/archive/1/533736
http://www.securityfocus.com/archive/1/533737
http://www.securityfocus.com/archive/1/533738
http://www.securityfocus.com/archive/1/533739
http://www.securityfocus.com/archive/1/533740
http://www.securityfocus.com/archive/1/533742
http://www.securityfocus.com/archive/1/533754
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 17-10-2014 18:00 − Monday 20-10-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** More security updates for PHP ***
---------------------------------------------
For the second time this month, the PHP developers have released security-relevant patches for their project. In the 5.6 branch alone they fixed four vulnerabilities.
---------------------------------------------
http://www.heise.de/security/meldung/Erneut-Sicherheitsupdates-fuer-PHP-242…
*** Spike in Malware Attacks on Aging ATMs ***
---------------------------------------------
This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad.
---------------------------------------------
http://krebsonsecurity.com/2014/10/spike-in-malware-attacks-on-aging-atms/
*** Breaking International Voicemail Security via VVM Exploitation ***
---------------------------------------------
A few days ago, I gave a presentation at Ruxcon about breaking international voicemail security. Whilst the crowd and conference were absolutely amazing - my overall research, I think has a much wider scope in the terms of whom it could affect. This blog post acts as a technical writeup and companion to my slides presented at Ruxcon. TL;DR Briefly put, through researching the visual voicemail protocol, we were able to document a number of different vulnerabilities, including some which affected...
---------------------------------------------
https://shubh.am/breaking-international-voicemail-security-via-vvm-exploita…
*** Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2 ***
---------------------------------------------
V1.0 (October 14, 2014): Advisory published.
V2.0 (October 17, 2014): Removed Download Center links for Microsoft security update 2949927. Microsoft recommends that customers experiencing issues uninstall this update. Microsoft is investigating behavior associated with this update, and will update the advisory when more information becomes available.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/2949927
*** An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) ***
---------------------------------------------
Three zero-day vulnerabilities - CVE-2014-4114, CVE-2014-4148, and CVE-2014-4113 - were reported last week and patched by Microsoft in their October 2014 Patch Tuesday. CVE-2014-4114, also known as the Sandworm vulnerability, can enable attackers to easily craft malware payloads when exploited. This particular vulnerability has been linked to targeted attacks against European sectors and industries. In addition, our researchers found that...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/vwOtSBJrH3I/
*** Smart Lock Devices: Security Risks and Opportunities ***
---------------------------------------------
Security is one of the top concerns when consumers consider buying smart devices. With cybercrime making the headlines every day, one has to think: is this smart device vulnerable to cyber attacks? Are these technologies secure enough for us to rely on them in our everyday lives? A good example of a technology that we need...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/gtATHkHYNv4/
*** Black Hat Europe - day 2 ***
---------------------------------------------
IPv6 versus IDPS, XSS in WYSIWYG editors, and reflected file downloads. After a busy first day, I was somewhat glad that the talks on the second day of Black Hat Europe appealed slightly less to my personal tastes and interests, as this gave me a chance to meet some old and new friends, and to have those conversations that perhaps form the heart of a security conference. I did attend three talks though, each of which was very interesting. Early in the morning, Antonios Atlasis, Enno Rey and Rafael...
---------------------------------------------
http://www.virusbtn.com/blog/2014/10_20.xml?rss
*** Dropbox servers as phishing helpers ***
---------------------------------------------
Phishing e-mails usually point to dubious domains, but not in this case: data collectors are using an official Dropbox domain to harvest credentials of all kinds.
---------------------------------------------
http://www.heise.de/security/meldung/Dropbox-Server-als-Phishing-Helfer-242…
*** Soundsquatting Unraveled: Homophone-based Domain Squatting ***
---------------------------------------------
The Domain Name System (DNS) plays a vital role in the operation of the Internet. Over the years, it has been a primary target for malicious users looking for vulnerabilities in its protocol and infrastructure. Some examples include cache poisoning attacks, vulnerable DNS server implementations, and bogus user interactions. Taking advantage of users' spelling mistakes...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Jv_ckUgwnAs/
*** Targeted Attack Protection via Network Topology Alteration ***
---------------------------------------------
When it comes to targeted attacks, attackers are not omniscient. They need to gather information in the early stages to know the target; they may gather information from various sources of intelligence, like Google, Whois, Twitter, and Facebook. They may gather data such as email addresses, IP ranges, and contact lists. These will then be used as...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/75OKb_Lt8XA/
*** Microsoft MSRT October Update, (Sun, Oct 19th) ***
---------------------------------------------
This past week's Microsoft MSRT push contains detections/removals for several widely used APT tools. The coalition (led by Novetta) that brought about the inclusion of these tools in this month's MSRT is encouraging enterprises to push/execute this month's MSRT update. Some of the malware included in this month's MSRT update has a preliminary report posted here. If you are using either Snort or Sourcefire, the ruleIDs to detect some of the threats/families in this month's MSRT release are listed below and...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18853&rss
*** Staying in control of your browser: New detection changes ***
---------------------------------------------
This week we made some important changes to how we detect browser modifiers and adware. These changes are designed to better protect your browsing experience. We have already blogged about the changes to the behaviors we detect as adware. I will explain the changes to our browser modifier detections below. Our objective criteria has all the details about how and why we detect unwanted software.
Unacceptable behaviors
There are two new browser modifier behaviors that we detect: Bypassing
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/10/17/staying-in-control-of-yo…
*** Drupal SQL Injection Attempts in the Wild ***
---------------------------------------------
Less than 48 hours ago, the Drupal team released an update (version 7.32) for a serious security vulnerability (SQL injection) that affected all versions of Drupal 7.x. In our last post, we talked about the vulnerability and that we expected to see attacks starting very soon due to how severe and easy it was to...
---------------------------------------------
http://blog.sucuri.net/2014/10/drupal-sql-injection-attempts-in-the-wild.ht…
*** Metasploit Weekly Wrapup: POODLE Mitigations ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/10/17/metasploi…
*** OpenX multiple open redirect ***
---------------------------------------------
OpenX could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the adclick.php and the ck.php scripts. By sending a specially-crafted URL, an attacker could exploit this vulnerability using the dest and _maxdest parameters to redirect a victim to arbitrary Web sites.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/97621
*** VMSA-2014-0010.13 ***
---------------------------------------------
VMware product updates address critical Bash security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0010.html
*** Rich Counter 1.1.5 - Cross Site Scripting (XSS) ***
---------------------------------------------
2014-10-18T19:45:31
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7648
*** Information Disclosure vulnerability in Dynamic Content Elements (dce) ***
---------------------------------------------
It has been discovered that the extension "Dynamic Content Elements" (dce) is susceptible to Information Disclosure.
---------------------------------------------
http://www.typo3.org/news/article/information-disclosure-vulnerability-in-d…
*** DSA-3050 iceweasel ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-3050
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2014-4244, CVE-2014-4263) ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7 that is used by Rational Service Tester and were disclosed as part of the IBM Java SDK updates in July 2014. CVE(s): CVE-2014-4263 and CVE-2014-4244 Affected product(s) and affected version(s): Rational Service Tester versions 8.1 - 8.6 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21685122 X-Force
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2014-4244, CVE-2014-4263) ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7 that is used by Rational Performance Tester and were disclosed as part of the IBM Java SDK updates in July 2014. CVE(s): CVE-2014-4263 and CVE-2014-4244 Affected product(s) and affected version(s): Rational Performance Tester versions 8.1 - 8.6 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21685121
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Sametime Classic Meeting Record and Playback File Vulnerability (CVE-2014-4766) ***
---------------------------------------------
A vulnerability in the Record and Playback (RAP) file that is exported by Classic Meeting (CVE-2014-4766). CVE(s): CVE-2014-4766 Affected product(s) and affected version(s): IBM Sametime Classic Meeting Server versions 8.0.x and 8.5.x Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21687361 X-Force Database: http://xforce.iss.net/xforce/xfdb/94793
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 16-10-2014 18:00 − Friday 17-10-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Logging SSL, (Thu, Oct 16th) ***
---------------------------------------------
With POODLE behind us, it is time to get ready for the next SSL firedrill. One of the questions that keeps coming up is which ciphers and SSL/TLS versions are actually in use. Whether you decide to turn off SSLv3 or not depends a lot on who needs it, and it is an important answer to have ready should tomorrow some other cipher turn out to be too weak. But keep in mind that it is not just numbers that matter. You also need to figure out who the outliers are and how important (or dangerous?) they are.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18847&rss
*** Bad news, fandroids: He who controls the IPC tool, controls the DROID ***
---------------------------------------------
A security flaw in a core message-passing mechanism leaves every Android device potentially vulnerable to attack, security researchers warned on Thursday.
The flaw relates to Binder, Android's inter-process communication (IPC) tool. The message passing mechanism for Android devices acts as a communications hub on smartphones and tablets running the Google-developed mobile OS, making it a prime target for Android malware developers.
---------------------------------------------
http://www.theregister.co.uk/2014/10/16/android_messaging_mechanism_securit…
*** SAP Netweaver Enqueue Server denial of service ***
---------------------------------------------
SAP Netweaver is vulnerable to a denial of service. By sending a specially-crafted SAP Enqueue Server packet to remote TCP port 32NN, a remote attacker could exploit this vulnerability to cause the system to become unresponsive.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/97610
*** Close means close: New adware detection criteria ***
---------------------------------------------
In April we introduced the rules that software developers should follow when creating advertisements to avoid being detected by Microsoft security products as adware. These rules are designed to keep our customers in control of their Internet browsing experience. Since then, we have had great success working with some companies through our developer contact process. At the same time we have started to see other advertising programs trying to bend and even circumvent our rules.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/10/16/close-means-close-new-ad…
*** Siemens RuggedCom ROX-based Devices Certificate Verification Vulnerability (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-14-135-03 Siemens RuggedCom ROX-Based Devices Certificate Verification Vulnerability that was published May 15, 2014, on the NCCIC/ICS-CERT web site. This advisory provides mitigation details for an incorrect certificate verification in Siemens RuggedCom ROX based devices.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-135-03A
*** Siemens OpenSSL Vulnerabilities (Update F) ***
---------------------------------------------
This updated advisory is a follow-up to the updated advisory titled ICSA-14-198-03E Siemens OpenSSL Vulnerabilities that was published October 15, 2014, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-198-03F
*** IOServer Resource Exhaustion Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for an out of bound read vulnerability in the IOServer application.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-289-01
*** Fox DataDiode Proxy Server CSRF Vulnerability ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on September 26, 2014, and is being released to the ICS-CERT web site. This advisory provides mitigation details for a Cross-Site Request Forgery (CSRF) in the proxy server web administration interface for the Fox DataDiode Appliance Proxy Server.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-269-02
*** Black Hat Europe - day 1 ***
---------------------------------------------
Programme packed with interesting talks. Though the prestige of Black Hat Europe doesn't compare to that of its American parent conference, and the event certainly doesn't dominate the debate on Twitter in quite the same way, more than 800 security experts descended on Amsterdam this week where, in the RAI Convention Centre, the 14th edition of Black Hat Europe is taking place. The conference opened with a keynote from Adi Shamir (perhaps still best known as the S in the RSA protocol) on side
---------------------------------------------
http://www.virusbtn.com/blog/2014/10_17.xml?rss
*** Abusing TZ for fun (and little profit) ***
---------------------------------------------
Topic: Abusing TZ for fun (and little profit) Risk: Low Text: By default, sudo preserves the TZ variable[1] from the user's environment. This is a bad idea on glibc systems, where TZ can be abused to trick the program into reading an arbitrary file.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014100107
*** Denial of Service vulnerability in extension Calendar Base (cal) ***
---------------------------------------------
It has been discovered that the extension "Calendar Base" (cal) is susceptible to Denial of Service.
---------------------------------------------
http://www.typo3.org/news/article/several-vulnerabilities-in-extension-cale…
*** Hacking Smart Electricity Meters To Cut Power Bills ***
---------------------------------------------
Smart devices are growing at an exponential pace with the increase in connecting devices embedded in cars, retail systems, refrigerators, televisions and countless other things people use in their everyday life, but security and privacy are the key issues for such applications, which still face some enormous number of challenges.
---------------------------------------------
http://thehackernews.com/2014/10/hacking-smart-electricity-meters-to-cut.ht…
*** Apple Updates (not just Yosemite), (Fri, Oct 17th) ***
---------------------------------------------
Apple yesterday released the latest version of its operating system, OS X 10.10 Yosemite. As usual, the new version of the operating system does include a number of security related bug fixes, and Apple released these fixes for older versions of OS X today. This update, Security Update 2014-005 is available for versions of OS X back to 10.8.5 (Mountain Lion). Among the long list of fixes, here are a couple of highlights: Apple doesn't turn off SSLv3 in this release, but restricts it to non-CBC
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18851&rss
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 15-10-2014 18:00 − Thursday 16-10-2014 18:00
Handler: Robert Waldner
Co-Handler: Otmar Lendl
*** Multiple Vulnerabilities in Cisco TelePresence Video Communication Server and Cisco Expressway Software ***
---------------------------------------------
cisco-sa-20141015-vcs
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability ***
---------------------------------------------
cisco-sa-20141015-poodle
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** JSA10656 - 2014-10 Out of Cycle Security Bulletin: Multiple products affected by SSL "POODLE" vulnerability (CVE-2014-3566) ***
---------------------------------------------
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10656&actp=RSS
*** SA-CONTRIB-2014-098 - CKEditor - Cross Site Scripting (XSS) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-098 Project: CKEditor - WYSIWYG HTML editor (third-party module) Version: 6.x, 7.x Date: 2014-October-15 Security risk: 16/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Cross Site Scripting Description: The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor. Both
---------------------------------------------
https://www.drupal.org/node/2357029
*** [DSA 3052-1] wpa security update ***
---------------------------------------------
CVE ID : CVE-2014-3686 Jouni Malinen discovered an input sanitization issue in the wpa_cli and hostapd_cli tools included in the wpa package. A remote wifi system within range could provide a crafted string triggering arbitrary code execution running with privileges of the affected wpa_cli or hostapd_cli process.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2014/msg00238.html
*** The October 2014 issue of our SWITCH Security Report is available! ***
---------------------------------------------
A new issue of our monthly SWITCH Security Report has just been released. The topics covered in this report are: Same again? Fingerprint sensor on new iPhone 6 hacked using same method as for previous model Up in the air:
---------------------------------------------
http://securityblog.switch.ch/2014/10/15/the-october-2014-issue-of-our-swit…
*** MindshaRE: Statically Extracting Malware C2s Using Capstone Engine ***
---------------------------------------------
I decided to share a technique I've been playing around with to pull C2 and other configuration information out of malware that does not store all of its configuration information in a set structure or in the resource section ... Being able to statically extract this information becomes important in the event that the malware does not run properly in your sandbox, the C2s are down or you don't have the time / sandbox bandwidth to manually run and extract the information from network indicators.
---------------------------------------------
https://www.arbornetworks.com/asert/2014/10/mindshare-statically-extracting…
*** C&C Botnet Detection over SSL ***
---------------------------------------------
...we have designed, implemented and validated a method to detect botnet C&C communication channels over SSL, the security protocol standard de-facto. ... Our analysis also indicates that 0.6% of the SSL connections were broken.
---------------------------------------------
http://essay.utwente.nl/65667/1/Riccardo_Bortolameotti_MasterThesis.pdf
*** VB2014 paper: DNSSEC - how far have we come? ***
---------------------------------------------
Nick Sullivan describes how DNSSEC uses cryptography to add authentication and integrity to DNS responses. Over the next months, we will be sharing conference papers as well as video recordings of the presentations. Today, we have added DNSSEC - how far have we come? by CloudFlare's Nick Sullivan. It is rather scary to think about how much of the Internet depends on DNS, and how little guarantee that protocol provides about its responses being correct. The Kaminsky attack is well mitigated these
---------------------------------------------
http://www.virusbtn.com/blog/2014/10_16.xml?rss
*** Factsheet Vulnerability in libxml2 ***
---------------------------------------------
On 16 October 2014, a vulnerability was reported in libxml2, a library for the processing of eXtensible Markup Language (XML). XML is a language for the exchange of structured information between applications. Attackers can use this vulnerability to disrupt the availability of (web) applications through a so called Denial-of-Service (DoS) attack.
---------------------------------------------
http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fact…
*** POODLE attack takes bytes out of your encrypted data - here's what to do ***
---------------------------------------------
Heartbleed, Shellshock, Sandworm...and now POODLE. It's a security hole that could let crooks read your encrypted web traffic. Paul Ducklin takes you through how it works, and what you can do to avoid it, in plain (well, plain-ish) English...
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/nyUmrkuhxuM/
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 14-10-2014 18:00 − Wednesday 15-10-2014 18:00
Handler: Robert Waldner
Co-Handler: Otmar Lendl
*** Accessing Risk for the October 2014 Security Updates ***
---------------------------------------------
Today we released eight security bulletins addressing 24 unique CVE's. Three bulletins have a maximum severity rating of Critical, and five have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max exploitability Platform mitigations and key notes MS14-058 (Kernel mode drivers [win32k.sys]) Attacker loads a malicious
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/10/14/accessing-risk-for-the-oc…
*** MS14-OCT - Microsoft Security Bulletin Summary for October 2014 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for October 2014.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-OCT
*** More Details About CVE-2014-4073 Elevation of Privilege Vulnerability ***
---------------------------------------------
Today Microsoft shipped MS14-057 to the .NET Framework in order to resolve an Elevation of Privilege vulnerability in the ClickOnce deployment service. While this update fixes this service, developers using Managed Distributed Component Object Model (a .NET wrapped around DCOM) need to take immediate action to ensure their applications are secure. Managed DCOM is an inherently unsafe way to perform communication between processes of different trust levels. Microsoft recommends moving
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/10/14/more-details-about-cve-20…
*** BlackBerry 10 Devices Open to Bug That Allows Malicious App Installation ***
---------------------------------------------
BlackBerry has patched a vulnerability in its BlackBerry 10 devices that could allow an attacker to intercept users' traffic to and from the BlackBerry World app store and potentially install malware on a targeted device. The vulnerability is a weakness in the integrity checking system that BlackBerry uses to verify the apps that users download.
---------------------------------------------
http://threatpost.com/blackberry-10-devices-open-to-bug-that-allows-malicio…
*** An Analysis of Windows Zero-day Vulnerability "CVE-2014-4114" aka "Sandworm" ***
---------------------------------------------
Prior to the release of Microsoft's monthly patch Tuesday, a new zero-day exploiting Windows vulnerability covered in CVE-2014-4114 was reported by iSight. The said vulnerability affects desktop and server versions of Vista and Server 2008 to current versions. It was believed to be associated with cyber attacks related to NATO by a Russian cyber espionage group.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/jSCRsk2zaNU/
*** Analysis of Linux Backdoor Used In Freenode Hack ***
---------------------------------------------
An anonymous reader writes "A detailed analysis has been done of the Linux backdoor used in the freenode hack. It employed port knocking and encryption to provide security against others using it. This seems a little more sophisticated than your average black-hat hacker." Read more of this story at Slashdot.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/K3FWymutqls/story01.htm
*** Siemens OpenSSL Vulnerabilities (Update D) ***
---------------------------------------------
This updated advisory is a follow-up to the updated advisory titled ICSA-14-198-03C Siemens OpenSSL Vulnerabilities that was published August 21, 2014, on the NCCIC/ICS-CERT web site. This updated advisory provides mitigation details for vulnerabilities in the Siemens OpenSSL cryptographic software library affecting several Siemens industrial products.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-198-03D
*** Oracle plugs critical holes in Java ***
---------------------------------------------
With its October update, Oracle has released 154 security updates covering almost all of the company's products. According to the company, however, the security updates for Java in particular should be installed as quickly as possible.
---------------------------------------------
http://www.heise.de/security/meldung/Oracle-stopft-kritische-Luecken-in-Jav…
*** Security Advisory 3009008 released ***
---------------------------------------------
Today, we released Security Advisory 3009008 to address a vulnerability in Secure Sockets Layer (SSL) 3.0 which could allow information disclosure. This is an industry-wide vulnerability that affects the protocol itself, and is not specific to Microsoft's implementation of SSL or the Windows operating system. This advisory provides guidance for customers so that they can disable SSL 3.0 in the browser. Customers should be aware that once they disable SSL 3.0, if they visit a website that
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/10/14/security-advisory-300900…
*** October 2014 Updates ***
---------------------------------------------
Today, as part of Update Tuesday, we released eight security updates - three rated Critical and five rated Important - to address 24 Common Vulnerabilities & Exposures (CVEs) in Windows, Office, .NET Framework, ASP.NET, and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. Here's an overview slide and video of the security updates released today:
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/10/14/october-2014-updates.aspx
*** [2014-10-15] Potential Cross-Site Scripting in ADF Faces ***
---------------------------------------------
The Oracle ADF Faces framework fails to encode certain characters in the goButton component. This may lead to Cross-Site Scripting vulnerabilities in applications that use this component.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Bugtraq: two browser mem disclosure bugs (CVE-2014-1580 and CVE-something-or-other) ***
---------------------------------------------
two browser mem disclosure bugs (CVE-2014-1580 and CVE-something-or-other)
---------------------------------------------
http://www.securityfocus.com/archive/1/533692
*** Java Reflection API Woes Resurface in Latest Oracle Patches ***
---------------------------------------------
Oracle's Critical Patch update addresses 154 vulnerabilities, many of which are remotely exploitable. Security Explorations of Poland, meanwhile, published details on a number of Java flaws in the Java Reflection API.
---------------------------------------------
http://threatpost.com/java-reflection-api-woes-resurface-in-latest-oracle-p…
*** Bugtraq: Multiple Cross-Site Scripting (XSS) in WP Google Maps WordPress Plugin ***
---------------------------------------------
Multiple Cross-Site Scripting (XSS) in WP Google Maps WordPress Plugin
---------------------------------------------
http://www.securityfocus.com/archive/1/533699
*** Bugtraq: Paypal Inc MultiOrderShipping API - Filter Bypass & Persistent XML Vulnerability ***
---------------------------------------------
Paypal Inc MultiOrderShipping API - Filter Bypass & Persistent XML Vulnerability
---------------------------------------------
http://www.securityfocus.com/archive/1/533698
*** OpenSSL Releases OpenSSL 1.0.1j, 1.0.0o and 0.9.8zc, (Wed, Oct 15th) ***
---------------------------------------------
This update to the OpenSSL Library addresses 3 vulnerabilities. One of these is the POODLE vulnerability announced yesterday. CVE-2014-3513: A memory leak in parsing DTLS SRTP messages can lead to a denial of service. You are vulnerable, unless you specifically compiled your OpenSSL library with the OPENSSL_NO_SRTP option. All 1.0.1 versions of OpenSSL are affected. CVE-2014-3567: Another memory leak that can lead to a DoS attack. In this case, memory is not freed up if an SSL session ticket fails
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18835&rss
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 13-10-2014 18:00 − Tuesday 14-10-2014 18:00
Handler: Stefan Lenzhofer
Co-Handler: Otmar Lendl
*** Developer of hacked Snapchat web app says "Snappening" claims are hoax ***
---------------------------------------------
500 MB of images pulled from third-party site, but no user data was attached.
---------------------------------------------
http://arstechnica.com/security/2014/10/developer-of-hacked-snapchat-web-ap…
*** VB2014 paper: The evolution of webinjects ***
---------------------------------------------
Jean-Ian Boutin looks at the increased commoditization of webinjects. Virus Bulletin has always been about sharing information, and the Virus Bulletin conference is an important part of that. We would love to be able to share some of the discussions attendees had during the lunch and coffee breaks, the late-night or early-morning meetings in the hotel lobby, and the inspiration one gets from being around such bright minds. Of course, we are unable to do that. But what we can do is share some of
---------------------------------------------
http://www.virusbtn.com/blog/2014/10_13.xml?rss
*** Cisco AsyncOS Software ZIP Filtering By-Pass Vulnerability ***
---------------------------------------------
CVE-2014-3381
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Exploring and Exploiting iOS Web Browsers ***
---------------------------------------------
Today we begin a three-post series about mobile security. We start with a discussion of vulnerabilities in iOS web browsers. Later this week we'll cover jailbreaking and the detection of it. While the release and adoption of iOS 8 may plug some of the holes discussed in this post, many users will continue to use iOS 7 for some time and may remain vulnerable. In Q1 2014, the market share of web traffic from mobile browsers exceeded 30% [1], and it is constantly growing. According to data provided
---------------------------------------------
http://blog.spiderlabs.com/2014/10/exploring-and-exploiting-ios-web-browser…
*** VMSA-2014-0010.12 ***
---------------------------------------------
VMware product updates address critical Bash security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0010.html
*** A Code Signature Plugin for IDA ***
---------------------------------------------
When reversing embedded code, it is often the case that completely different devices are built around a common code base, either due to code re-use by the vendor, or through the use of third-party software; this is especially true of devices running the same Real Time Operating System. For example, ...
---------------------------------------------
http://www.devttys0.com/2014/10/a-code-signature-plugin-for-ida/
*** vBulletin Input Validation Flaw in XMLRPC API Lets Remote Users Inject SQL Commands ***
---------------------------------------------
vBulletin Input Validation Flaw in XMLRPC API Lets Remote Users Inject SQL Commands
---------------------------------------------
http://www.securitytracker.com/id/1031001
*** vBulletin Input Validation Flaw in XMLRPC API Permits Cross-Site Scripting Attacks ***
---------------------------------------------
vBulletin Input Validation Flaw in XMLRPC API Permits Cross-Site Scripting Attacks
---------------------------------------------
http://www.securitytracker.com/id/1031000
*** iSIGHT discovers zero-day vulnerability CVE-2014-4114 ***
---------------------------------------------
Zero-day impacting all versions of Microsoft Windows used in Russian cyber-espionage campaign targeting NATO, European Union, Telecommunications and Energy sectors.
---------------------------------------------
http://www.isightpartners.com/2014/10/cve-2014-4114/
*** HTTPS certificates: Key pinning protects against malicious certificate authorities ***
---------------------------------------------
An HTTPS extension called HTTP Public Key Pinning (HPKP), which has received little attention so far, is close to being standardized. Public key pinning could solve many of the problems with certificate authorities. (Google, Browser)
---------------------------------------------
http://www.golem.de/news/https-zertifikate-key-pinning-schuetzt-vor-boesart…
*** Windows exploit: Russian hackers allegedly attacking NATO and governments ***
---------------------------------------------
Russian hackers are said to have attacked numerous targets in the West and in Ukraine in recent years. In doing so, they apparently exploited a security vulnerability that exists in all current Windows versions and is due to be patched on Tuesday. (Microsoft, Data protection)
---------------------------------------------
http://www.golem.de/news/windows-exploit-russische-hacker-greifen-angeblich…
*** Truly scary SSL 3.0 vuln to be revealed soon: sources ***
---------------------------------------------
So worrying, no one's breathing a word until patch is out. Gird your loins, sysadmins: The Register has learned that news of yet another major security vulnerability - this time in SSL 3.0 - is probably imminent.
---------------------------------------------
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_…
*** Allegedly 7 million Dropbox passwords in circulation ***
---------------------------------------------
Hackers claim to have obtained millions of passwords for Dropbox accounts. These are now to be published in exchange for bitcoins. Dropbox denies that the data is genuine.
---------------------------------------------
http://www.heise.de/security/meldung/Angeblich-7-Millionen-Dropbox-Passwoer…
*** VeraCrypt a Worthy TrueCrypt Alternative ***
---------------------------------------------
If you're reluctant to continue using TrueCrypt now that the open source encryption project has been abandoned, and you don't want to wait for the CipherShed fork to mature, one alternative that's well worth investigating is VeraCrypt.
---------------------------------------------
http://www.esecurityplanet.com/open-source-security/veracrypt-a-worthy-true…
*** Apache mod_cache Null Pointer Dereference Lets Remote Users Deny Service ***
---------------------------------------------
Apache mod_cache Null Pointer Dereference Lets Remote Users Deny Service
---------------------------------------------
http://www.securitytracker.com/id/1031005
*** Analysis of the Linux backdoor used in freenode IRC network compromise ***
---------------------------------------------
Background freenode is a large IRC network providing services to Free and Open Source Software communities, and in September the freenode staff team blogged about a potential compromise of an IRC server. NCC Group's Cyber Defence Operations team provided pro bono digital forensic and reverse engineering services to assist the freenode infrastructure team with their incident response activities. In this post we discuss a subset of the information we documented about one of the components
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/10/analysis-of-the-linux-backdoor-use…
*** [webapps] - Bosch Security Systems DVR 630/650/670 Series - Multiple Vulnerabilities ***
---------------------------------------------
Bosch Security Systems DVR 630/650/670 Series - Multiple Vulnerabilities
---------------------------------------------
http://www.exploit-db.com/exploits/34956
*** YouTube Ads Lead To Exploit Kits, Hit US Victims ***
---------------------------------------------
Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have showed up on a new attack platform: YouTube. Over the past few months, we have been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/youtube-ads-lead…
*** IBM Security Bulletin: Vulnerabilities in Bash affect IBM SAN b-type Switches (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) ***
---------------------------------------------
Six Bash vulnerabilities were disclosed in September 2014. This bulletin addresses the vulnerabilities that have been referred to as "Bash Bug" or "Shellshock" and two memory corruption vulnerabilities. Bash is used by IBM SAN b-type Switches. CVE(s): CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 Affected product(s) and affected version(s): IBM MTM: 2499-816 IBM System
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Endpoint Manager for Remote Control. CVE-2014-3511, CVE-2014-5139 ***
---------------------------------------------
There are multiple vulnerabilities in OpenSSL that is used by IBM Endpoint Manager for Remote Control. These issues were disclosed on August 6, 2014 by the OpenSSL Project. CVE(s): CVE-2014-3511 and CVE-2014-5139 Affected product(s) and affected version(s): IBM Endpoint Manager for Remote Control version 9.1.0. Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21682034 X-Force
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime, affect IBM Endpoint Manager for Remote Control ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7 Service Refresh 7 and earlier, and IBM Runtime Environment Java Technology Edition, Version 7 Service Refresh 7 and earlier, that is used by IBM Endpoint Manager for Remote Control. These issues were disclosed as part of the IBM Java SDK updates in July 2014. CVE(s): CVE-2014-3086, CVE-2014-4227, CVE-2014-4262, CVE-2014-4219, CVE-2014-4209, CVE-2014-4220,
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.35 ***
---------------------------------------------
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.35, IBM WebSphere Application Server Hypervisor 7.0.0.35 and IBM HTTP Server 7.0.0.35. CVE(s): CVE-2014-3021, CVE-2014-3083, CVE-2014-0226, CVE-2014-0231, CVE-2014-0118, CVE-2013-5704, CVE-2014-4770 and CVE-2014-4816 Affected product(s) and affected version(s): Version 8.5 Full Profile and Liberty Profile Version 8 Version 7 Refer to the following reference URLs for remediation and
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Jailbreak Detection Methods ***
---------------------------------------------
This post concludes our three-part series about mobile security. Today's post will outline some options for detecting jailbroken devices, should you choose to do so. Yesterday, we asked whether blocking an app's execution on jailbroken devices was worth it. Earlier this week, we described some vulnerabilities in iOS web browsers. Many iOS applications contain some sort of jailbreak detection mechanism. Some of the detection mechanisms can be bypassed by attackers (sometimes easily), whereas
---------------------------------------------
http://blog.spiderlabs.com/2014/10/jailbreak-detection-methods.html
*** Executing Apps on Jailbroken Devices ***
---------------------------------------------
This post is part two of a three-part series about mobile security. Today's post will discuss the execution of apps on jailbroken devices. Yesterday, we described some vulnerabilities in iOS web browsers. Tomorrow, we'll explore detecting jailbroken devices.
---------------------------------------------
http://blog.spiderlabs.com/2014/10/executing-apps-on-jailbroken-devices.html
*** 5 steps to lock down your webmail account ***
---------------------------------------------
For most people Gmail, Outlook.com or Yahoo! Mail is their main personal account. Here are some of the most important steps to keep unwanted people out of your web-based email account.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/10/14/5-steps-to-lock-down-your-webmai…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 10-10-2014 18:00 − Monday 13-10-2014 18:00
Handler: Stefan Lenzhofer
Co-Handler: Otmar Lendl
*** Poor punctuation leads to Windows shell vulnerability ***
---------------------------------------------
An attack on Windows scripts shows that quotation marks aren't just for writers.
---------------------------------------------
http://arstechnica.com/security/2014/10/poor-punctuation-leads-to-windows-s…
*** Researchers observe new type of SYN flood DDoS attack ***
---------------------------------------------
Researchers with Radware are referring to the new type of distributed denial-of-service attack as a Tsunami SYN Flood Attack.
---------------------------------------------
http://www.scmagazine.com/researchers-observe-new-type-of-syn-flood-ddos-at…
*** IBM Security Bulletin: Vulnerabilities in Bash affect IBM SDN VE (CVE-2014-6271,CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) ***
---------------------------------------------
Six Bash vulnerabilities were disclosed in September 2014. This bulletin addresses the vulnerabilities that have been referred to as "Bash Bug" or "Shellshock" and two memory corruption vulnerabilities. Bash is used by IBM SDN VE. CVE(s): CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 Affected product(s) and affected version(s): IBM SDN VE, Unified Controller, VMware Edition: 1.2.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Malware overview: Threats to Mac OS X and other IT security hazards of September 2014 ***
---------------------------------------------
October 2, 2014 In September, a number of new threats to Mac OS X were discovered by Doctor Web's security researchers. They included the complex backdoor Mac.BackDoor.iWorm as well as the Trojan Mac.BackDoor.Ventir.1 and the spyware program Mac.BackDoor.XSLCmd. Unexpectedly, gamers came under attack by Trojan.SteamBurglar which steals virtual game items from Steam users to later resell them to other players. As usual, plenty of virus definitions for malware programs geared towards Windows were
---------------------------------------------
http://news.drweb.com/show/?i=5982&lng=en&c=9
*** Android's Cyanogenmod open to MitM attacks ***
---------------------------------------------
Code re-use spells zero day for millions of modders. More than 10 million users of the popular Cyanogen build of Android are exposed to man-in-the-middle (MitM) attacks thanks to reuse of vulnerable sample code.
---------------------------------------------
http://www.theregister.co.uk/2014/10/13/androids_cyanogenmod_open_to_mitm_a…
*** Adobe, Microsoft, Oracle: October patch day will be more laborious than usual ***
---------------------------------------------
Adobe, Microsoft and Oracle will release numerous patches next Tuesday evening: the October patch days of all three companies overlap. On the one hand this eases the load on admins; on the other hand they have to prepare for a larger volume of patches. (Microsoft, Java)
---------------------------------------------
http://www.golem.de/news/adobe-microsoft-oracle-oktober-patchtag-wird-aufwe…
*** WordPress is the Most Attacked CMS: Report ***
---------------------------------------------
Data security firm Imperva released its fifth annual Web Application Attack report (WAAR) this week, a study designed to track the latest trends and cyber threats facing web applications.
---------------------------------------------
http://www.securityweek.com/wordpress-most-attacked-cms-report
*** SSA-860967 (Last Update 2014-10-13): GNU Bash Vulnerabilities in Siemens Industrial Products ***
---------------------------------------------
SSA-860967 (Last Update 2014-10-13): GNU Bash Vulnerabilities in Siemens Industrial Products
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** SSA-234763 (Last Update 2014-10-13): OpenSSL Vulnerabilities in Siemens Industrial Products ***
---------------------------------------------
SSA-234763 (Last Update 2014-10-13): OpenSSL Vulnerabilities in Siemens Industrial Products
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** SSA-839231 (Last Update 2014-10-13): Incorrect Certificate Verification in Ruggedcom ROX-based Devices ***
---------------------------------------------
SSA-839231 (Last Update 2014-10-13): Incorrect Certificate Verification in Ruggedcom ROX-based Devices
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** PHP 5.6.1 closes potentially dangerous buffer overflow ***
---------------------------------------------
The current PHP version fixes a number of bugs, including a security vulnerability discovered by Stefan Esser. It is easy to exploit and can be abused to execute malicious code remotely.
---------------------------------------------
http://www.heise.de/security/meldung/PHP-5-6-1-schliesst-potentiell-gefaehr…
*** Mobile threats in September 2014 ***
---------------------------------------------
October 2, 2014 As in previous months, in September Doctor Web's security researchers registered multiple attacks on handhelds. In particular, the Dr.Web virus database was expanded to include numerous definitions of threats to Android involving banking Trojans, ransomware, spies, and even a dangerous vandal Trojan, among others. Also added to the database was an entry for another malicious application that operates on jailbroken devices. The number of new malicious programs for Android and
---------------------------------------------
http://news.drweb.com/show/?i=5983&lng=en&c=9
*** FinFisher Malware Analysis - Part 3 (Last) ***
---------------------------------------------
I've already covered most parts of the FinFisher malware in the last two articles. This time, in this article, which is the last article related to FinFisher, I'll cover the last important tricks, methods and techniques used by FinFisher. So I'll categorize them by subject:...
---------------------------------------------
https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-3
*** Who's Watching Your WebEx? ***
---------------------------------------------
KrebsOnSecurity spent a good part of the past week working with Cisco to alert more than four dozen companies -- many of them household names -- about regular corporate WebEx conference meetings that lack passwords and are thus open to anyone who wants to listen in.
---------------------------------------------
http://krebsonsecurity.com/2014/10/whos-watching-your-webex
*** Kmart becomes the latest retail data breach victim ***
---------------------------------------------
Kmart has been confirmed as the latest retail chain to be breached after its parent company admitted that some customers' debit and credit card numbers had been compromised.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/10/13/kmart-becomes-the-latest-retail-…