[CERT-daily] Tageszusammenfassung - Montag 20-04-2015

Mon Apr 20 18:11:29 CEST 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 17-04-2015 18:00 − Montag 20-04-2015 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Handling Special PDF Compression Methods, (Sun, Apr 19th) ***
---------------------------------------------
Maarten Van Horenbeeck posted a diary entry (July 2008) explaining how scripts and data are stored in PDF documents (using streams), and demonstrated a Perl script to decompress streams. A couple of months before, I had started developing my pdf-parser tool, and Maartens diary entry motivated me to continue adding features to pdf-parser. Extracting and decompressing a stream (for example containing a JavaScript script) is easy with pdf-parser. You select the object that contains the stream...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19597&rss


*** Taking Down Fraud Sites is Whac-a-Mole ***
---------------------------------------------
I've been doing quite a bit of public speaking lately - usually about cybercrime and underground activity - and there's one question that nearly always comes from the audience: "Why are these fraud Web sites allowed to operate, and not simply taken down?" This post is intended to serve as the go-to spot for answering...
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/Da3rhmEIBt0/


*** An Analysis Of MS15-034 ***
---------------------------------------------
By now you've undoubtedly heard about MS15-034. The following is a collection of my cursory research and thoughts on this vulnerability.
---------------------------------------------
http://www.securitysift.com/an-analysis-of-ms15-034/


*** How to use a malicious JPEG to hack corporate networks ***
---------------------------------------------
Security researcher Marcus Murray discovered a method to exploit a malicious JPEG to compromise modern Windows servers inside corporate networks. Security expert and penetration tester Marcus Murray discovered a way to use a malicious JPEG to compromise modern Windows servers and elevate privileges over targeted networks. The researcher has demonstrated the attack a few days....
---------------------------------------------
http://securityaffairs.co/wordpress/36130/hacking/malicious-jpeg-hack-corporate-networks.html


*** Fiesta Exploit Kit Spreading Crypto-Ransomware - Who Is Affected? ***
---------------------------------------------
Exploits kits have long been used to deliver threats to users, but they seem to have gone retro: it was recently being used to deliver fake antivirus malware. We closely monitor exploit kit activity because of their widespread use (we discussed their use in malvertising recently), so it was no great surprise to see the Fiesta...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/F_yFw0VwfG8/


*** "Rootpipe"-Lücke in OS X besteht offenbar weiter ***
---------------------------------------------
Trotz Patch in der letzten Yosemite-Version scheint die Rechteausweitung nicht behoben zu sein. Schadcode soll die Lücke schon 2014 ausgenutzt haben. Ein Blogger zeigt unterdessen eine Möglichkeit auf, den Bug auch in früheren OS-X-Versionen zu fixen.
---------------------------------------------
http://heise.de/-2612346


*** Bypassing Same Origin Policy, Part 3: Clickjacking, Cursorjacking & Filejacking ***
---------------------------------------------
Same origin bypasses using clickjacking Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web...
---------------------------------------------
http://resources.infosecinstitute.com/bypassing-same-origin-policy-part-3-clickjacking-cursorjacking-filejacking/


*** Bypassing Packet Filters with IP Fragmentation Overlapping ***
---------------------------------------------
1. Introduction The process of IP fragmentation occurs when the data of the network layer is too large to be transmitted over the data link layer in one piece. Then the data of the network layer is split into several pieces (fragments), and this process is called IP fragmentation. The intention of this article is...
---------------------------------------------
http://resources.infosecinstitute.com/bypassing-packet-filters-with-ip-fragmentation-overlapping/


*** Threats From Within: The Out of Office Reply ***
---------------------------------------------
As the guy who sends out the marketing emails at Cyveillance (yes, I'm THAT guy) I see a lot of Out-of-Office auto-responders in any given month. Having worked in cybersecurity for more than seven years, I've developed an appreciation for both information and physical security. With the RSA Conference coming up in a few days, and awaiting my barrage of Out of Office emails, I think now is the perfect time to discuss this seemingly innocuous topic. Why? Amazingly, even in the security...
---------------------------------------------
https://blog.cyveillance.com/threats-from-within-the-out-of-office-reply/


*** Upatre malware gets full SSL comms encryption ***
---------------------------------------------
The extremely popular Upatre Trojan downloader has undergone considerable changes that will make it and its communication more difficult to spot and block. The changes were implemented in the new v...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/qIIbd4nwtHA/malware_news.php


*** Critical Magento Shoplift Vulnerability (SUPEE-5344) - Patch Immediately! ***
---------------------------------------------
The Magento team released a critical security patch (SUPEE-5344) to address a remote command execution (RCE) vulnerability back in February. It's been more than two months since the release and still more than 50% of all the Magento installations have not been patched, leaving them open to attacks. This means hundreds of thousands of websites are...
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/lfn2WVKTfWo/critical-magento-shoplift-vulnerability-supee-5344-patch-immediately.html


*** DSA-3228 ppp - security update ***
---------------------------------------------
Emanuele Rocca discovered that ppp, a daemon implementing thePoint-to-Point Protocol, was subject to a buffer overflow whencommunicating with a RADIUS server. This would allow unauthenticatedusers to cause a denial-of-service by crashing the daemon.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3228


*** GnuTLS RSA PKCS security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/102423


*** Zenworks Architecture ZDI Vulnerability - See TID 7016431 ***
---------------------------------------------
Abstract: Fix for ZDI-CAN-2491: ZENworks Preboot Policy Service Stack Buffer Overflow Remote Code Execution Vulnerability  Document ID: 5206350Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:ZCM_11.3.2_FRU1_Patch_921190.zip (3.53 MB)ZCM_11.2.4_MU1_Patch_921190.zip (1.63 MB)Products:ZENworks Configuration Management 11.3.2ZENworks Configuration Management 11.2.4ZENworks Configuration Management 11.3.1ZENworks Configuration Management 11 SP3Superceded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=BJbybNUmQRQ~


*** Invoice - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-085 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2015-085Project: Invoice (third-party module)Version: 6.x, 7.xDate: 2015-March-25 Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Scripting, Cross Site Request ForgeryDescriptionInvoice module allows you to create invoices in Drupal.The module doesnt sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.Additionally, some URLs were not
---------------------------------------------
https://www.drupal.org/node/2459337


*** DSA-3229 mysql-5.5 - security update ***
---------------------------------------------
Several issues have been discovered in the MySQL database server. Thevulnerabilities are addressed by upgrading MySQL to the new upstreamversion 5.5.43. Please see the MySQL 5.5 Release Notes and OraclesCritical Patch Update advisory for further details:
---------------------------------------------
https://www.debian.org/security/2015/dsa-3229


*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21883028


*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Rational Tau (CVE-2015-0208, CVE-2015-0286, CVE-2015-0292) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21713653


*** IBM Security Bulletin: RC4 stream cipher vulnerability and HTTP request smuggling vulnerability affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2015-2808, CVE-2014-0227) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21882717


*** Bugtraq: CVE-2014-7953 Android backup agent code execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/535296


*** Android 4.4 MTP Path Traversal ***
---------------------------------------------
Topic: Android 4.4 MTP Path Traversal Risk: Medium Text:MTP path traversal vulnerability in Android 4.4 -- doSendObjectInfo() method of the MtpServer class implemen...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015040116