Daily

daily@lists.cert.at

1 participants
3084 discussions

Tageszusammenfassung - Mittwoch 2-07-2014
by Daily end-of-shift report 02 Jul '14

02 Jul '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 01-07-2014 18:00 − Mittwoch 02-07-2014 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Microsoft Expands TLS, Forward Secrecy Support *** --------------------------------------------- Microsoft announced TLS support on Outlook.com and that OneDrive cloud storage now supports Perfect Forward Secrecy. --------------------------------------------- http://threatpost.com/microsoft-expands-tls-forward-secrecy-support/106965 *** Cisco Small Cell Command Execution Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** DOWNAD Tops Malware Spam Source in Q2 2014 *** --------------------------------------------- DOWNAD , also known as Conficker remains to be one of the top 3 malware that affects enterprises and small and medium businesses. This is attributed to the fact that a number of companies are still using Windows XP, susceptible to this threat. It can infect .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/downad-tops-malw… *** VMSA-2014-0006.4 *** --------------------------------------------- VMware product updates address OpenSSL security vulnerabilities --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2014-0006.html *** Microsoft Digital Crimes Unit disrupts Jenxcus and Bladabindi malware families *** --------------------------------------------- Today, following an investigation to which the Microsoft Malware Protection Center (MMPC) contributed, the Microsoft Digital Crimes Unit initiated a disruption of the Jenxcus and Bladabindi malware families. These families are believed to have been created by individuals Naser Al Mutairi, aka njQ8, and .. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2014/06/30/microsoft-digital-crimes… *** MONSTER COOKIES can nom nom nom ALL THE BLOGS *** --------------------------------------------- Blog networks can be force-fed more than they can chew Giant cookies could be used to create a denial of service (DoS) on blog networks, says infosec researcher Bogdan Calin. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/07/02/monster_coo… *** Transparenzzentrum: Microsoft gewährt Behörden Quellcode-Einsicht *** --------------------------------------------- In einem Transparenzzentrum will Microsoft Behörden, die Code-Manipulationen durch fremde Geheimdienste befürchten, die Gelegenheit bieten, den Source-Code selbst zu untersuchen. --------------------------------------------- http://www.heise.de/security/meldung/Transparenzzentrum-Microsoft-gewaehrt-… *** Anatomy of a buffer overflow - Googles "KeyStore" security module for Android *** --------------------------------------------- Heres a cautionary tale about a bug, courtesy of IBM. Not that IBM had the bug, just to be clear: Google had the bug, and IBM researchers spotted it. --------------------------------------------- http://nakedsecurity.sophos.com/2014/07/02/anatomy-of-a-buffer-overflow-goo… *** OpenSSL legt Sanierungsplan vor *** --------------------------------------------- Nach der Heartbleed-Katastrophe hat das OpenSSL-Projekt nun eine Roadmap veröffentlicht, die helfen soll, organisatorische Mängel im Entwicklungsprozess auszubessern. --------------------------------------------- http://www.heise.de/security/meldung/OpenSSL-legt-Sanierungsplan-vor-224810… *** Rig Exploit Kit Used in Recent Website Compromise *** --------------------------------------------- Attackers planted code in a popular Web portal to redirect users to an exploit kit .. --------------------------------------------- http://www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-c…

1 0

Tageszusammenfassung - Dienstag 1-07-2014
by Daily end-of-shift report 01 Jul '14

01 Jul '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 30-06-2014 18:00 − Dienstag 01-07-2014 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Microsoft Darkens 4MM Sites in Malware Fight *** --------------------------------------------- Millions of Web sites were shuttered Monday morning after Microsoft executed a legal sneak attack against a malware network thought to be responsible for more than 7.4 million infections of Windows PCs worldwide. --------------------------------------------- http://krebsonsecurity.com/2014/07/microsoft-darkens-4mm-sites-in-malware-f… *** Apple Releases Security Updates for OS X, Safari, iOS devices, and Apple TV *** --------------------------------------------- Apple has released security updates for Mac OS X, Safari, iOS devices, and Apple TV to address multiple vulnerabilities, some of which could allow attackers to execute arbitrary code with system privileges or cause an unexpected application termination. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2014/07/01/Apple-Releases-Sec… *** [2014-06-30] Multiple vulnerabilities in IBM Algorithmics RICOS *** --------------------------------------------- Abusing multiple vulnerabilities within IBM Algorithmics RICOS, an attacker can take over foreign user accounts and bypass authorization mechanisms. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014… *** JBoss Seam org.jboss.seam.web.AuthenticationFilter code execution *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/94090 *** ICS Focused Malware *** --------------------------------------------- http://ics-cert.us-cert.gov//advisories/ICSA-14-178-01 *** CERT-Bund: Trojaner-Opfer ändern Passwörter, PCs bleiben infiziert *** --------------------------------------------- Die Auswertung von zehntausenden kompromittierten Mail-Zugangsdaten zeigt, dass ein beträchtlicher Teil der Opfer zwar sein Passwort ändert, allerdings schnell erneut zum Opfer wird - möglicherweise, weil der Rechner nicht desinfiziert wurde. --------------------------------------------- http://www.heise.de/security/meldung/CERT-Bund-Trojaner-Opfer-aendern-Passw… *** [2014-07-01] Stored cross site scripting in EMC Documentum eRoom *** --------------------------------------------- Due to improper input validation, EMC Documentum eRoom suffers from multiple stored cross-site scripting vulnerabilities, which allow an attacker to steal other users sessions, to impersonate other users and to gain unauthorized access to documents hosted in eRooms. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014… *** Apple testet Zwei-Faktor-Authentifizierung auf iCloud.com *** --------------------------------------------- Künftig sollen auch auf Apples Cloud-Portal Zugangsdaten besser abgesichert werden. Gestern war die Funktion kurzzeitig freigegeben. --------------------------------------------- http://www.heise.de/security/meldung/Apple-testet-Zwei-Faktor-Authentifizie… *** Verwirrung um Microsofts Sicherheits-Newsletter *** --------------------------------------------- Wer Windows-Rechner administriert, weiss den Security-Notifications-Newsletter von Microsoft zu schätzen. Letzte Woche kündigte das Unternehmen an, diesen einzustellen - um die Entscheidung kurz darauf zu revidieren. --------------------------------------------- http://www.heise.de/security/meldung/Verwirrung-um-Microsofts-Sicherheits-N… *** Cyberspying Campaign Comes With Sabotage Option *** --------------------------------------------- New research from Symantec spots US and Western European energy interests in the bulls eye, but the campaign could encompass more than just utilities. --------------------------------------------- http://www.darkreading.com/vulnerabilities---threats/advanced-threats/cyber… *** Geodo: New Cridex Version Combines Data Stealer and Email Worm *** --------------------------------------------- Recent efforts by our Research Lab has revealed new activity related to Cridex. As you may recall, Cridex is a data stealer also referred to as Feodo, and Bugat. The new Cridex version we are seeing now, aka Geodo, combines a self-spreading infection method - effectively turning each bot in the botnet .. --------------------------------------------- http://www.seculert.com/blog/2014/07/geodo-new-cridex-version-combines-data… *** Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters) *** --------------------------------------------- Marc-Alexandre Montpas, from our research team, found a serious security vulnerability in the MailPoet WordPress plugin. This bug allows an attacker to upload any file remotely to the vulnerable website (i.e., no authentication is required). This is a serious vulnerability, The MailPoet plugin (wysija-newsletters) .. --------------------------------------------- http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet… *** IBM BladeCenter Advanced Management Module (AMM), Integrated Management Module (IMM), and Integrated Management Module 2 (IMM2) Potential IPMI credentials Exposure *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/90880

1 0

Tageszusammenfassung - Montag 30-06-2014
by Daily end-of-shift report 30 Jun '14

30 Jun '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 27-06-2014 18:00 − Montag 30-06-2014 18:00 Handler: Alexander Riepl Co-Handler: n/a *** The Akamai State of the Internet Report *** --------------------------------------------- The globally distributed Akamai Intelligent Platform delivers over 2 trillion Internet interactions and defends against multiple DDoS attacks each day. This provides us with unique visibility into Internet connection speeds, broadband adoption, mobile usage, outages, and attacks. Drawing .. --------------------------------------------- http://www.akamai.com/stateoftheinternet/ *** OpenAFS Memory Error Lets Remote Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1030459 *** 20 Jahre alte Kompressionsverfahren-Lücke sorgt für Verwirrung *** --------------------------------------------- Sicherheitsforscher deckte Schwachstelle auf, von der hauptsächlich Linux-User betroffen sein sollen - Entwarnung von Autoren --------------------------------------------- http://derstandard.at/2000002429137 *** Serious Android crypto key theft vulnerability affects 86% of devices *** --------------------------------------------- Bug in Android KeyStore that leaks credentials fixed only in KitKat. --------------------------------------------- http://arstechnica.com/security/2014/06/serious-android-crypto-key-theft-vu… *** Anatomy of an Android SMS virus - watch out for text messages, even from your friends! *** --------------------------------------------- Paul Ducklin looks into "Andr/SlfMite-A", an Android SMS virus. The malware sends itself to your top 20 contacts and foists an third party app for an alternative Android software market onto your device... --------------------------------------------- http://nakedsecurity.sophos.com/2014/06/29/anatomy-of-an-android-sms-virus-… *** DSA-2970 cacti *** --------------------------------------------- http://www.debian.org/security/2014/dsa-2970 *** Microsoft Kills Security Emails, Blames Canada *** --------------------------------------------- In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the companys recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software. --------------------------------------------- http://krebsonsecurity.com/2014/06/microsoft-kills-security-emails-blames-c… *** ICS Focused Malware (Update A) *** --------------------------------------------- This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-14-176-02 ICS Focused Malware that was published June 25, 2014 on the ICS-CERT web site, and includes information previously published to the US-CERT secure portal. --------------------------------------------- http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A *** Disqus Wordpress Plugin Flaw Leaves Millions of Blogs Vulnerable to Hackers *** --------------------------------------------- A Remote code execution (RCE) vulnerability has been discovered in the comment and discussion service, Disqus plugin for the most popular Blogging Platform Wordpress. While there are more than 70 million websites on the Internet currently running WordPress, about 1.3 million of them use the 'Disqus Comment System' Plugin, making it one of the popular plugins of Wordpress for web comments --------------------------------------------- http://thehackernews.com/2014/06/disqus-wordpress-plugin-flaw-leaves.html *** Medienplayer VLC mit kritischer Krypto-Lücke *** --------------------------------------------- Eine Schwachstelle in GnuTLS kann offenbar auch VLC-Nutzern zum Verhängnis werden: Versucht der Mediaplayer einen Stream von einem präparierten Server zu öffnen, droht die Infektion mit Schadcode. --------------------------------------------- http://www.heise.de/security/meldung/Medienplayer-VLC-mit-kritischer-Krypto… *** Analysis: Spam in May 2014 *** --------------------------------------------- In the run-up to the summer, spammers offered their potential customers seedlings and seeds for gardening. In addition, English-language festive spam in May was dedicated to Mother's Day - the attackers sent out adverts offering flowers and candies. --------------------------------------------- http://www.securelist.com/en/analysis/204792339/Spam_in_May_2014 *** How to protect yourself against privileged user abuse *** --------------------------------------------- Network World - The typical organization loses 5% of its revenues to fraud by its own employees each year, with most thefts committed by trusted employees in executive management, operations, accounting, sales, customer service or purchasing, .. --------------------------------------------- http://www.computerworld.com/s/article/9249440/How_to_protect_yourself_agai… *** Auch Google schliesst Datenleck im Cloud-Speicher *** --------------------------------------------- Wer Links in bei Google Drive abgelegten Dokumenten anklickt, hinterlässt Datenspuren. Durch diese können Dritte auf die Dokumente zugreifen. --------------------------------------------- http://www.heise.de/security/meldung/Auch-Google-schliesst-Datenleck-im-Clo…

1 0

Tageszusammenfassung - Freitag 27-06-2014
by Daily end-of-shift report 27 Jun '14

27 Jun '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 26-06-2014 18:00 − Freitag 27-06-2014 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Stuxnet-like Havex Malware Strikes European SCADA Systems *** --------------------------------------------- Security researchers have uncovered a new Stuxnet like malware, named as "Havex", which was used in a number of previous cyber attacks against organizations in the energy sector. Just like Famous Stuxnet Worm, which was specially designed to sabotage the Iranian nuclear project, the new trojan Havex is also programmed to infect industrial control system softwares of SCADA and ICS systems,... --------------------------------------------- http://thehackernews.com/2014/06/stuxnet-like-havex-malware-strikes.html *** Integer-Overflow: Sicherheitslücke in Kompressionsverfahren LZ4 und LZO *** --------------------------------------------- Im Code für die weit verbreiteten Kompressionsverfahren LZO und LZ4 wurde eine Sicherheitslücke entdeckt. Das betrifft zahlreiche Anwendungen, darunter den Linux-Kernel, die Multimediabibliotheken FFmpeg und Libav, sowie OpenVPN. --------------------------------------------- http://www.golem.de/news/integer-overflow-sicherheitsluecke-in-kompressions… *** Image Stock Spam Reemerges *** --------------------------------------------- Image stock spam, which can affect share prices and cause financial loss, has become more prominent in the last week. Image spam has been around for a longtime and peaked in January 2007 when Symantec estimated that image spam accounted for nearly 52 percent of all spam. Pump-and-dump image stock spam made up a significant portion of that 52 percent. --------------------------------------------- http://www.symantec.com/connect/blogs/image-stock-spam-reemerges *** 1st International Conference on Information Systems Security and Privacy - ICISSP 2015 *** --------------------------------------------- Venue: ESEO, Angers, Loire Valley, France Event date: 9 - 11 February, 2015 Scope: The International Conference on Information Systems Security and Privacy aims at creating a meeting point of researchers and practitioners that address security and privacy challenges that concern information systems, especially in organizations, including not only technological issues but also social issues. --------------------------------------------- http://www.securityfocus.com/archive/1/532572 *** Neue PHP-Versionen verarzten Sicherheitslücken *** --------------------------------------------- PHP 5.4.30 und 5.5.14 schließen jeweils eine größere Anzahl von Sicherheitslücken; die Entwickler empfehlen ein zügiges Upgrade. --------------------------------------------- http://www.heise.de/security/meldung/Neue-PHP-Versionen-verarzten-Sicherhei… *** Thomson TWG87OUIR Cross Site Request Forgery *** --------------------------------------------- Topic: Thomson TWG87OUIR Cross Site Request Forgery Risk: Medium Text:#Author: nopesled #Date: 24/06/14 #Vulnerability: POST Password Reset CSRF #Tested on: Thomson TWG87OUIR (Hardware Version) ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014060148 *** Bugtraq: [RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/532571 *** Security Notice-Statement About the Impact of the Dual_EC_DRBG Vulnerability on Huawei Devices *** --------------------------------------------- Jun 27, 2014 17:39 --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** Vuln: LZ4 lz4.c Memory Corruption Vulnerability *** --------------------------------------------- LZ4 lz4.c Memory Corruption Vulnerability --------------------------------------------- http://www.securityfocus.com/bid/68218

1 0

Tageszusammenfassung - Donnerstag 26-06-2014
by Daily end-of-shift report 26 Jun '14

26 Jun '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 25-06-2014 18:00 − Donnerstag 26-06-2014 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner *** Symantec Data Insight Management Console HTML Injection and Cross-Site Scripting *** --------------------------------------------- The management console for Symantec Data Insight does not sufficiently validate/sanitize arbitrary input in two separate fields within the management GUI. This could potentially allow unauthorized command execution or potential malicious redirection. --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** VMware Patches Apache Struts Flaws in vCOPS *** --------------------------------------------- VMware has patched several serious security vulnerabilities in its vCenter Operations Center Management suite, one of which could lead to remote code execution on vulnerable machines. --------------------------------------------- http://threatpost.com/vmware-patches-apache-struts-flaws-in-vcops/106858 *** phpMyAdmin 4.2.3 XSS *** --------------------------------------------- Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1.x before 4.1.14.1 and 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name that is improperly handled after a hide or unhide action. --------------------------------------------- http://cxsecurity.com/issue/WLB-2014060139 *** Sophos Anti-Virus Input Validation Flaw in Configuration Console Permits Cross-Site Scripting Attacks *** --------------------------------------------- A vulnerability was reported in the Sophos Anti-Virus Configuration Console. A remote user can conduct cross-site scripting attacks. Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Sophos Anti-Virus configuration console software and will run in the security context of that site. --------------------------------------------- http://www.securitytracker.com/id/1030467 *** IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.33 *** --------------------------------------------- Cross reference list for security vulnerabilites fixed in IBM WebSphere Application Server 7.0.0.33 and IBM WebSphere Application Server Hypervisor Edition 7.0.0.33 CVE(s): CVE-2013-6323, CVE-2013-6329, CVE-2013-6349, CVE-2013-6738, CVE-2014-0859, CVE-2013-6438, CVE-2013-6747, CVE-2014-3022, CVE-2014-0891, CVE-2014-0965, CVE-2014-0050, CVE-2014-0098, CVE-2014-0963 and CVE-2014-0114 Affected product(s) and affected version(s): WebSphere Application Server and bundling --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.9 *** --------------------------------------------- Cross reference list for security vulnerabilites fixed in IBM WebSphere Application Server 8.0.0.9 and IBM WebSphere Application Server Hypervisor 8.0.0.9 CVE(s): CVE-2013-6323, CVE-2013-6329, CVE-2013-6349, CVE-2014-0823, CVE-2013-6738, CVE-2014-0857, CVE-2014-0859, CVE-2013-6438, CVE-2013-6747, CVE-2014-3022, CVE-2014-0891, CVE-2014-0965, CVE-2014-0050, CVE-2014-0098, CVE-2014-0963 and CVE-2014-0076 Affected product(s) and affected version(s): WebSphere Application Server and bundling --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** IBM Security Bulletin: Rational ClearQuest is affected by the following OpenSSL vulnerabilities: CVE-2014-0224, CVE-2014-3470 *** --------------------------------------------- Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project. The OpenSSL commponent is shipped as embedded in cqperl. Customers might be affected when there is perl hooks or scripts that are using SSL connections. ClearQuest itself does not provide any service using OpenSSL. CVE(s): CVE-2014-0224 and CVE-2014-3470 --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** PayPal 2FA mobe flaw chills warm and fuzzy security feeling *** --------------------------------------------- PayPal's second factor authentication (2FA) protection can be mitigated through mobile device interfaces that allow fraudsters to steal funds with a victim's username and password, Duo Security researchers say. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/06/26/paypal_2fa_… *** Multiple Cross Site Scripting in Sophos Antivirus Configuration Console (Linux) *** --------------------------------------------- The Configuration Console of Sophos Antivirus 9.5.1 (Linux) does not sanitize several input parameters before sending them back to the browser, so an attacker could inject code inside these parameters, including JavaScript code. ... CVE: CVE-2014-2385 Affected version: 9.5.1 Fixed version: 9.6.1 --------------------------------------------- https://www.portcullis-security.com/security-research-and-downloads/securit… *** Weniger NTP-Server für dDoS ausnutzbar, aber... *** --------------------------------------------- Die noch verwundbaren Zeitserver sind aber zum Teil so schlecht konfiguriert, dass verheerende NTP-Verstärkungsangriffe nach wie vor möglich sind. --------------------------------------------- http://www.heise.de/newsticker/meldung/Weniger-NTP-Server-fuer-dDoS-ausnutz… *** Fighting cybercrime: Strategic cooperation agreement signed between ENISA and Europol *** --------------------------------------------- The heads of ENISA and Europol today signed a strategic cooperation agreement in Europol's headquarters in The Hague, to facilitate closer cooperation and exchange of expertise in the fight against cybercrime. --------------------------------------------- http://www.enisa.europa.eu/media/press-releases/fighting-cybercrime-strateg… *** 2014 Cyber Attacks Timeline Master Index (at least so far) *** --------------------------------------------- Finally I was able to organize the timelines collected in 2014. I have created a new page with the 2014 Cyber Attacks Timeline Master Index accessible either directly or from the link in the top menu bar. Hopefully it will be regularly updated. With this opportunity I also re-ordered the timelines and stats for 2013. Now everything should be more structured. --------------------------------------------- http://hackmageddon.com/2014/06/24/2014-cyber-attacks-timeline-master-index… *** Update to Microsoft Update client *** --------------------------------------------- This article describes the update that further improves the security of Windows Update (WU) / Microsoft Update (MU) client for Windows 8, Windows RT, Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1. Note: Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 with update 2919355 already include these improvements. --------------------------------------------- http://support.microsoft.com/kb/2887535 *** Hacking Blind (PDF) *** --------------------------------------------- Abstract We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. --------------------------------------------- http://www.exploit-db.com/download_pdf/33872

1 0

Tageszusammenfassung - Mittwoch 25-06-2014
by Daily end-of-shift report 25 Jun '14

25 Jun '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 24-06-2014 18:00 − Mittwoch 25-06-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** TimThumb WebShot Code Execution Exploit (0-day) *** --------------------------------------------- If you are still using Timthumb after the serious vulnerability that was found on it last year, you have one more reason to be concerned. A new 0-day was just disclosed on TimThumb's "Webshot" feature that allows for certain commands to be executed on the vulnerable website remotely (no authentication required). With a simple command,... --------------------------------------------- http://blog.sucuri.net/2014/06/timthumb-webshot-code-execution-exploit-0-da… *** SPAM Hack Targets WordPress Core Install Directories *** --------------------------------------------- Do you run your website on WordPress? Have you checked the integrity of your core install lately for SPAM like "Google Pharmacy" stores or other fake stores? We have been tracking and analyzing a growing trend in SEO Spam (a.k.a., Search Engine Poisoning (SEP)) attacks in which thousands of compromised WordPress websites are being used... --------------------------------------------- http://blog.sucuri.net/2014/06/spam-hack-targets-wordpress-core-install-dir… *** Asprox botnet campaign shifts tactics, evades detection *** --------------------------------------------- FireEye researchers are tracking spikes in malicious emails attributed to an ongoing Asprox campaign. --------------------------------------------- http://www.scmagazine.com/asprox-botnet-campaign-shifts-tactics-evades-dete… *** R2DR2: ANALYSIS AND EXPLOITATION OF UDP AMPLIFICATION VULNERABILITIES *** --------------------------------------------- Since we began our studies in the Masters degree on ICT security at the European University, drew our attention the possibility of doing a project under the guidance of Alejandro Ramos (@aramosf), a professional of the scene that we admire. After several ideas and proposals by both parties, we decided to make a project about finding new attack vectors on distributed reflection denial of service attacks (DRDOS). Recently this blog talked about it in a article focused on SNMP vulnerability,... --------------------------------------------- http://www.securitybydefault.com/2014/06/r2dr2-analysis-and-exploitation-of… *** PlugX RAT With "Time Bomb" Abuses Dropbox for Command-and-Control Settings *** --------------------------------------------- Monitoring network traffic is one of the means for IT administrators to determine if there is an ongoing targeted attack in the network. Remote access tools or RATs, commonly seen in targeted attack campaigns, are employed to establish command-and-control (C&C) communications. Although the network traffic of these RATs, such as Gh0st, PoisonIvy, Hupigon, and PlugX, among... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/4SyyRxr49gU/ *** HackPorts - Mac OS X Penetration Testing Framework and Tools *** --------------------------------------------- HackPorts was developed as a penetration testing framework with accompanying tools and exploits that run natively on Mac platforms. HackPorts is a "super-project" that leverages existing code porting efforts, security professionals can now use hundreds of penetration tools on Mac systems without the need for Virtual Machines. --------------------------------------------- http://hack-tools.blackploit.com/2014/06/hackports-mac-os-x-penetration-tes… *** Flaw Lets Attackers Bypass PayPal Two-Factor Authentication *** --------------------------------------------- There's a vulnerability in the way that PayPal handles certain requests from mobile clients that can allow an attacker to bypass the two-factor authentication mechanism for the service and transfer money from a victim's account to any recipient he chooses. The flaw lies in the way that the PayPal authentication flow works with the service's... --------------------------------------------- http://threatpost.com/flaw-lets-attackers-bypass-paypal-two-factor-authenti… *** ZyXEL P660RT2 EE rpAuth_1 cross-site scripting *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/93924 *** [papers] - Searching SHODAN For Fun And Profit *** --------------------------------------------- http://www.exploit-db.com/download_pdf/33859 *** Cisco IOS Software IPsec Denial of Service Vulnerability *** --------------------------------------------- CVE-2014-3299 --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** GnuPG data packets denial of service *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/93935 *** VMSA-2014-0006.3 *** --------------------------------------------- VMware product updates address OpenSSL security vulnerabilities --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2014-0006.html *** VMSA-2014-0007 *** --------------------------------------------- VMware product updates address security vulnerabilities in Apache Struts library --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2014-0007.html *** TimThumb 2.8.13 Remote Code Execution *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2014060134 *** Bugtraq: [security bulletin] HPSBMU03053 rev.1 - HP Software Database and Middleware Automation, OpenSSL Vulnerability, Remote Unauthorized Access or Disclosure of Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/532541

1 0

Tageszusammenfassung - Dienstag 24-06-2014
by Daily end-of-shift report 24 Jun '14

24 Jun '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 23-06-2014 18:00 − Dienstag 24-06-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** Stop running this script? notification redirects to Angler Exploit Kit *** --------------------------------------------- ESET researchers identified a website serving up a Stop running this script? notification that, when clicked, redirects Internet Explorer users to the Angler Exploit Kit. --------------------------------------------- http://www.scmagazine.com/stop-running-this-script-notification-redirects-t… *** Android KeyStore::getKeyForName buffer overflow *** --------------------------------------------- Google Android is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the KeyStore::getKeyForName method. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system under the keystore process. ... Remedy: Upgrade to the latest version of Android (4.4 or later), available from the Google Web site. See References. --------------------------------------------- http://xforce.iss.net/xforce/xfdb/93916 *** Havex Hunts for ICS/SCADA Systems *** --------------------------------------------- During the past year, weve been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against different industry sectors, and it was earlier reported to have specific interest in the energy sector. The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP. --------------------------------------------- http://www.f-secure.com/weblog/archives/00002718.html *** Beware of Skype Adware *** --------------------------------------------- During our daily log analysis, we recently encountered a sample purporting to power up Skype with different emoticons. The binary, when installed, integrated itself with Skype and sent the following message contacts without further intervention. --------------------------------------------- http://research.zscaler.com/2014/06/beware-of-skype-adware.html *** Dramatic Drop in Vulnerable NTP Servers Used in DDoS Attacks *** --------------------------------------------- 95 percent of vulnerable NTP servers leveraged in massive DDoS attacks earlier this year have been patched, but the remaining servers still have experts concerned. --------------------------------------------- http://threatpost.com/dramatic-drop-in-vulnerable-ntp-servers-used-in-ddos-…

1 0

Tageszusammenfassung - Montag 23-06-2014
by Daily end-of-shift report 23 Jun '14

23 Jun '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 20-06-2014 18:00 − Montag 23-06-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** IBM Security Bulletin: IBM Security Proventia Network Enterprise Scanner is affected by the following OpenSSL vulnerabilities *** --------------------------------------------- Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project. CVE(s): CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 Affected product(s) and affected version(s): Products: IBM Security Enterprise Scanner Versions: 2.3 --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** Wordpress 3.9.1-CSRF vulnerability *** --------------------------------------------- This is the new version released by Wordpress. version is 3.9.1(Latest) Cross site request Forgery(CSRF) is present in this version at the url shown: http://localhost/wordpress/wp-comments-post.php --------------------------------------------- http://cxsecurity.com/issue/WLB-2014060119 *** cups-filters 1.0.52 execute arbitrary commands *** --------------------------------------------- Topic: cups-filters 1.0.52 execute arbitrary commands Risk: High Text:The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP print... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014060124 *** [SECURITY] [DSA 2966-1] samba security update *** --------------------------------------------- Multiple vulnerabilities were discovered and fixed in Samba, a SMB/CIFS file, print, and login server: CVE-2014-0178 Information leak vulnerability in the VFS code.. CVE-2014-0244 Denial of service (infinite CPU loop) in the nmbd.. CVE-2014-3493 Denial of service (daemon crash) in the smbd.. --------------------------------------------- https://lists.debian.org/debian-security-announce/2014/msg00147.html *** Security Bulletin: IBM Security Access Manager for Mobile and IBM Security Access Manager for Web appliances - LMI Authentication Bypass *** --------------------------------------------- IBM Security Access Manager for Mobile / IBM Security Access Manager for Web fails to properly handle certain input data such that it could be possible for an attacker to authenticate to the appliance Local Management Interface using invalid authentication data. CVE: CVE-2014-3053 CVSS Base Score: 8.0 --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21676700 *** A peek inside a commercially available Android-based botnet for hire *** --------------------------------------------- Relying on the systematic release of DIY (do-it-yourself) mobile malware generating tools, commercial availability of mobile malware releases intersecting with the efficient exploitation of legitimate Web sites through fraudulent underground traffic exchanges, as well as the utilization of cybercrime-friendly affiliate based revenue sharing schemes, cybercriminals continue capitalizing on the ever-growing Android mobile market segment for the purpose of achieving a positive ROI ... --------------------------------------------- http://feedproxy.google.com/~r/WebrootThreatBlog/~3/m9Fm5dNY9bg/

1 0

Tageszusammenfassung - Freitag 20-06-2014
by Daily end-of-shift report 20 Jun '14

20 Jun '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 18-06-2014 18:00 − Freitag 20-06-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** SA-CONTRIB-2014-062 -Passsword Policy - Multiple vulnerabilities *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2014-062 Project: Password policy (third-party module) Version: 6.x, 7.x Date: 2014-June-18 Security risk: Moderately critical Exploitable from: Remote Vulnerability: Multiple vulnerabilities Description: The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords.Access bypass and information disclosure (7.x only) --------------------------------------------- https://drupal.org/node/2288341 *** KDE: Fehler in Kmail ermöglicht Man-in-the-Middle-Angriffe *** --------------------------------------------- Im Code des POP3-Kioslaves in KDEs E-Mail-Anwendung Kmail beziehungsweise in Kdelibs ist ein Fehler, durch den ungültige Zertifikate ohne Abfrage akzeptiert werden. Angreifer könnten sich so in den verschlüsselten E-Mail-Verkehr einklinken. --------------------------------------------- http://www.golem.de/news/kde-fehler-in-kmail-erlaubt-man-in-the-middle-angr… *** Cisco WebEx Meeting Server Sensitive Information Disclosure Vulnerability *** --------------------------------------------- A vulnerability in the XML programmatic interface (XML PI) of Cisco WebEx Meeting Server could allow an authenticated, remote attacker to access sensitive information. The vulnerability is due to disclosure of the meeting information. An attacker could exploit this vulnerability by sending a crafted URL request to a vulnerable device. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** Tausende Android-Apps geben geheime Schlüssel preis *** --------------------------------------------- Viele Android-Programme betten geheime Zugangsschlüssel direkt in ihren Quellcode ein. Ein Angreifer kann diese nutzen, um private Daten der App-Nutzer zu erbeuten und im schlimmsten Fall die Server-Infrastruktur der Entwickler übernehmen. --------------------------------------------- http://www.heise.de/security/meldung/Tausende-Android-Apps-geben-geheime-Sc… *** Android 4.4.4 is rolling out to devices; contains OpenSSL fix *** --------------------------------------------- Official change log lists "security fixes;" Googler says it is OpenSSL related. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/rMSXTBPBcjU/ *** 'Your fault - core dumped' - Diving into the BSOD caused by Rovnix *** --------------------------------------------- Recently we have noticed some Win32/Rovnix samples (detected as TrojanDropper:Win32/Rovnix.K) causing the BSOD on Windows 7 machines. We spent some time investigating this situation and discovered an interesting story behind the BSOD. Analyzing the crash dump We first saw TrojanDropper:Win32/Rovnix.K in October 2013. During a normal Windows Boot the malware will cause the BSOD. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2014/06/18/your-fault-core-dumped-d… *** Linux Kernel PI Futex Requeuing Bug Lets Local Users Gain Elevated Privileges *** --------------------------------------------- A vulnerability was reported in the Linux Kernel. A local user can obtain elevated privileges on the target system. A local user can can exploit a flaw in the requeuing of Priority Inheritance (PI) to PI futexes to gain elevated privileges on the target system. --------------------------------------------- http://www.securitytracker.com/id/1030451 *** Yet Another BMC Vulnerability (And some added extras) *** --------------------------------------------- After considering the matter for the past 6 months while continuing to work with Supermicro on the issues, I have decided to release the following to everyone. On 11/7/2013, after reading a couple articles on the problems in IPMI by Rapid7's HD Moore (linked at the end), I discovered that Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152. --------------------------------------------- http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-… *** Simplocker ransomware: New variants spread by Android downloader apps *** --------------------------------------------- Since our initial discovery of Android/Simplocker we have observed several different variants. The differences between them are mostly in: Tor usage - some use a Tor .onion domain, whereas others use a more conventional C&C domain. Different ways of receiving the 'decrypt' command, indicating that the ransom has been paid. ... --------------------------------------------- http://www.welivesecurity.com/2014/06/19/simplocker-new-variants/ *** Pen Testing Payment Terminals - A Step by Step How-to Guide *** --------------------------------------------- There is plentitude of payment terminals out there and the design principles vary quite a bit. The ones I have run into in Finland appear to be tightly secured with no attack surface. At first glance, that is. These generally open only outbound connections and use SSL encryption to protect the traffic. Here, I explain why testing a simple, tightly secured payment terminal is not as simple as one might think. --------------------------------------------- http://pen-testing.sans.org/blog/pen-testing/2014/06/12/pen-testing-payment…

1 0

Tageszusammenfassung - Mittwoch 18-06-2014
by Daily end-of-shift report 18 Jun '14

18 Jun '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 17-06-2014 18:00 − Mittwoch 18-06-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** Evernote forum breached, profile information compromised *** --------------------------------------------- The official discussion forum of Evernote has been hacked, leaving users profile information accessible to attackers. --------------------------------------------- http://www.scmagazine.com/evernote-forum-breached-profile-information-compr… *** Xen Lets Local Guests Obtain Hypervisor Heap Memory Contents *** --------------------------------------------- A vulnerability was reported in Xen. A local user can obtain potentially sensitive information from other domains. The system does not properly control access to memory pages during memory cleanup for dying guest systems. A local user on a guest system can access information from guest or hypervisor memory, potentially including guest CPU register state and hypercall arguments. --------------------------------------------- http://www.securitytracker.com/id/1030442 *** HP Software Executive Scorecard, Remote Execution of Code, Directory Traversal *** --------------------------------------------- VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP Executive Scorecard. The vulnerability could be exploited remotely to allow remote code execution and directory traversal. References: CVE-2014-2609 (ZDI-CAN-2116, SSRT101436) CVE-2014-2610 (ZDI-CAN-2117, SSRT101435) CVE-2014-2611 (ZDI-CAN-2120, SSRT101431) --------------------------------------------- http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl… *** OpenStack Neutron L3-agent Remote Denial of Service Vulnerability *** --------------------------------------------- OpenStack Neutron is prone to a remote denial-of-service vulnerability. An attacker can leverage this issue to cause a denial-of-service condition; denying service to legitimate users. The following versions are vulnerable: Versions Neutron 2013.2.3 and prior. Versions Neutron 2014.1 and prior. --------------------------------------------- http://www.securityfocus.com/bid/68064/discuss *** Microsoft bessert absturzgefährdeten Virenschutz nach *** --------------------------------------------- Mit einem Update außer der Patchday-Reihe beseitigt Microsoft einen Fehler in der Malware Protection Engine durch den Schädlinge den Virenschutz lahmlegen konnten. --------------------------------------------- http://www.heise.de/newsticker/meldung/Microsoft-bessert-absturzgefaehrdete… *** VU#774788: Belkin N150 path traversal vulnerability *** --------------------------------------------- Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a path traversal vulnerability through the built-in web interface. The webproc cgi module accepts a getpage parameter which takes an unrestricted file path as input. The web server runs with root privileges by default, allowing a malicious attacker to read any file on the system. --------------------------------------------- http://www.kb.cert.org/vuls/id/774788 *** [remote] - Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability *** --------------------------------------------- Summary: Rayman Legends is a 2013 platform game developed by Ubisoft Montpellier and published by Ubisoft. ... Desc: The vulnerability is caused due to a memset() boundary error in the processing of incoming data thru raw socket connections on TCP port 1001, which can be exploited to cause a stack based buffer overflow by sending a long string of bytes on the second connection. Successful exploitation could allow execution of arbitrary code on the affected node. --------------------------------------------- http://www.exploit-db.com/exploits/33804 *** Forensik-Tool soll iCloud-Backups ohne Passwort herunterladen können *** --------------------------------------------- Elcomsoft hat angekündigt, dass sein "Phone Password Breaker" Authentifizierungstokens von Rechnern auslesen kann, mit denen sich Ermittler dann Zugang zu iCloud-Daten eines Verdächtigen verschaffen können. Dessen Passwort sei nicht mehr nötig. --------------------------------------------- http://www.heise.de/security/meldung/Forensik-Tool-soll-iCloud-Backups-ohne… *** When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities *** --------------------------------------------- One of the questions I get asked from time to time is about the days of risk between the time that a vulnerability is disclosed and when we first see active exploitation of it; i.e. how long do organizations have to deploy the update before active attacks are going to happen? Trustworthy Computing's Security Science team published new data that helps put the timing of exploitation into perspective, in the recently released Microsoft Security Intelligence Report volume 16. --------------------------------------------- http://blogs.technet.com/b/security/archive/2014/06/17/when-vulnerabilities…

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily