[CERT-daily] Daily summary - Friday 17-07-2015
Daily end-of-shift report
team at cert.at
Fri Jul 17 18:20:48 CEST 2015
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 16-07-2015 18:00 − Friday 17-07-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** MSRT July 2015: Crowti ***
---------------------------------------------
In our ongoing effort to provide malware protection, we are adding the following detections to the Microsoft Malicious Software Removal Tool (MSRT) this month: Win32/Crowti Win32/Reveton Crowti, a file encryption threat, is one of the top prevalent ransomware families. We have recently seen it sent as a spam email attachment with formats similar to those shown below: Figure 1: Email spam samples delivering Crowti as an attachment As well as using spam emails as the entry point or infection...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2015/07/14/msrt-july-2015-crowti.aspx
*** Running SAP? Checked for patches lately? Now's a good time ***
---------------------------------------------
New round of fixes includes one for security bypass flaw SAP has released its July pack of security fixes, including critical patches one researcher says demand your urgent attention.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/17/running_sap_kit_have_you_checked_for_patches_lately_nows_a_good_time/
*** Ad networks beware; Google raises Red Screen of malware Dearth ***
---------------------------------------------
Chrome to take shine off dodgy ad networks. Watch out dodgy ad slingers and news sites; Google is expanding its last line of defence Chrome feature to brand all security-slacker ad networks as unsafe.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/17/google_safe_browsing/
*** Fake News App in Hacking Team Dump Designed to Bypass Google Play ***
---------------------------------------------
Looking into the app's routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology. Initially, it only asks for three permissions and can be deemed safe by Google's security standards as there are no exploit codes to be found in the app. However, dynamic loading technology allows the app to download and execute a portion of code from the Internet. It will not load the code while Google is verifying the app but will later push the code once...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in-hacking-team-dump-designed-to-bypass-google-play/
*** Significant Flash exploit mitigations are live in v18.0.0.209 ***
---------------------------------------------
Whilst Project Zero has gained a reputation for vulnerability and exploitation research, that's not all that we do. One of the main reasons we perform this research is to provide data to defenders; and one of the things that defenders can do with this data is to devise exploit mitigations. Sometimes, we'll take on exploit mitigations ourselves. Recently, we've been working with Adobe on Flash mitigations, and this post describes some significant mitigations that have landed over the past couple of...
---------------------------------------------
http://googleprojectzero.blogspot.co.at/2015/07/significant-flash-exploit-mitigations_16.html
*** Save the Date: 2 November NCSRA-Symposium 2015 ***
---------------------------------------------
For the second time the NCSC will be co-organizing the NCSRA Symposium, which will be held on 2 November during Alert Online (the Dutch national cyber security awareness campaign). This symposium offers possibilities for knowledge sharing and community building in cybersecurity research and innovation.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/save-the-date-2-november-ncsra-symposium-2015.html
*** Process Explorer and VirusTotal, (Fri, Jul 17th) ***
---------------------------------------------
About a year ago, Rob had a diary entry about checking a file from Process Explorer with VirusTotal. Did you know you can have all EXEs of running processes scanned with VirusTotal? In Process Explorer, add column VirusTotal: Enable VirusTotal checks: And accept the VirusTotal terms: And now you can see the VirusTotal scores: Process Explorer is not the only Sysinternals tool that comes with VirusTotal support. I'll showcase more tools in upcoming diary entries. Sysinternals:...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19931&rss
*** SANS: Free webcast: 5 years after Stuxnet: what has changed, what hasn't, and what lies ahead ***
---------------------------------------------
Wednesday, July 29, 2015 at 17:00 CEST Thomas Brandstetter | In the industrial world, the discovery of the Stuxnet malware was the most striking event of recent years. Since then, many presentations on industrial security have opened with the sentence "Since Stuxnet, everything is different". On the fifth anniversary of Stuxnet's discovery it is worth asking: is that true? What impact did Stuxnet actually have on the industrial world? Thomas Brandstetter was...
---------------------------------------------
https://www.sans.org/webcasts/5-years-stuxnet-changed-didnt-lies-100617
*** Flash updates for Linux, and once more for the extended-support version ***
---------------------------------------------
Linux users who are not on Chrome now also get the latest Flash update. Extended-support users have to patch once more as well.
---------------------------------------------
http://heise.de/-2752440
*** Commentary: Get rid of Flash! ***
---------------------------------------------
Adobe's plug-in no longer strikes the right balance between benefit and risk. It is time to switch off this relic, says Herbert Braun
---------------------------------------------
http://heise.de/-2751583
*** TotoLink Routers Plagued By XSS, CSRF, RCE Bugs ***
---------------------------------------------
A slew of routers manufactured in China are fraught with vulnerabilities, some which have existed in products for as long as six years.
---------------------------------------------
http://threatpost.com/totolink-routers-plagued-by-xss-csrf-rce-bugs/113816
*** Bugtraq: Novell GroupWise 2014 WebAccess vulnerable to XSS attacks ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536023
*** Elasticsearch 1.6.0 Remote Code Execution ***
---------------------------------------------
Topic: Elasticsearch 1.6.0 Remote Code Execution Risk: High Text:Summary: Elasticsearch versions prior to 1.6.1 are vulnerable to an engineered attack on its transport protocol that enables r...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015070089
*** Elasticsearch 1.6.0 Directory Traversal ***
---------------------------------------------
Topic: Elasticsearch 1.6.0 Directory Traversal Risk: Medium Text:Summary: Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015070090
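The two Elasticsearch items above give only version ranges: the transport-protocol RCE affects releases prior to 1.6.1, the directory traversal affects 1.0.0 through 1.6.0. An added example (not from cxsecurity, Elastic or this list) that turns those ranges into a check against the version a node reports on `GET /`. The JSON below is a constructed sample shaped like that response, and the advisory labels are the cxsecurity IDs from the items above; the REST port 9200 and transport port 9300 mentioned in the note are Elasticsearch's defaults, assumed here rather than taken from the summaries.

```python
"""Assess an Elasticsearch node's reported version against the two
advisories summarised above. Added example, not project code."""
import json
import re

# Constructed sample modelled on the shape of Elasticsearch's `GET /` reply.
SAMPLE_ROOT_RESPONSE = json.dumps({
    "status": 200,
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "1.6.0", "lucene_version": "4.10.4"},
    "tagline": "You Know, for Search",
})

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# (label, lowest affected version inclusive, first fixed version exclusive)
ADVISORIES = [
    ("WLB-2015070089 remote code execution via transport protocol",
     (0, 0, 0), (1, 6, 1)),          # "versions prior to 1.6.1"
    ("WLB-2015070090 directory traversal",
     (1, 0, 0), (1, 6, 1)),          # "1.0.0 to 1.6.0" inclusive
]


def parse_version(text):
    """Return (major, minor, patch); tolerates suffixes like '1.6.1-SNAPSHOT'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Elasticsearch version: %r" % text)
    return tuple(int(x) for x in m.groups())


def affected_by(version):
    """List the advisory labels whose range contains `version`."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return [label for label, lo, hi in ADVISORIES if lo <= v < hi]


def assess_root_response(body):
    """Parse a `GET /` body and return (version string, matching advisories)."""
    number = json.loads(body)["version"]["number"]
    return number, affected_by(number)


if __name__ == "__main__":
    version, hits = assess_root_response(SAMPLE_ROOT_RESPONSE)
    print("reported version:", version)
    for label in hits:
        print("  affected:", label)
```

The version banner is only a hint: a node behind a proxy may report nothing, and the RCE item concerns the transport protocol (assumed default port 9300), not the REST port 9200 that answers `GET /`. Whether 9300 is reachable from untrusted networks matters at least as much as the version string, and nothing short of upgrading to 1.6.1 or later clears the range.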
*** WP Backitup <= 1.9.1 - Backup File Disclosure ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8105
*** Cisco Prime Collaboration Assurance Web Interface Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=40003
*** EMC Documentum WebTop Lets Remote Users Redirect the Target User to an Arbitrary Site ***
---------------------------------------------
http://www.securitytracker.com/id/1032965
*** EMC Documentum CenterStage Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1032966
*** Eaton's Cooper Power Series Form 6 Control and Idea/IdeaPlus Relays with Ethernet Vulnerability ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on January 6, 2015, and is now being released to the ICS-CERT web site. This advisory provides mitigation details for a predictable TCP sequence vulnerability in Eaton's Cooper Power Systems Form 6 and Idea/IdeaPLUS relays with Ethernet application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-006-01
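The Eaton advisory concerns a predictable TCP initial sequence number (ISN), which lets an off-path attacker spoof or hijack a connection if the next ISN can be guessed. An added example (not from ICS-CERT or Eaton) that classifies a series of observed ISNs the way a sequence-predictability test does: constant increments, a narrow spread, or no usable pattern. The sample series are constructed, and the 4096 standard-deviation cut-off is my own rough threshold, not a value from the advisory.

```python
"""Classify observed TCP ISNs by how guessable the next one is.
Added example, not from the advisory; samples are constructed."""
from functools import reduce
import math
from statistics import mean, pstdev

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap

# Constructed samples (hypothetical capture, one ISN per new connection).
CONSTANT_STEP_SAMPLE = [0x1000, 0x2000, 0x3000, 0x4000, 0x5000]
WRAPPING_SAMPLE = [0xFFFFF000, 0x00000000, 0x00001000, 0x00002000]
LOW_ENTROPY_SAMPLE = [100000, 164010, 228000, 292030, 356005]
RANDOM_LIKE_SAMPLE = [0x9F3A1C2B, 0x0C71E3F4, 0xD14B8A07, 0x5E92B6C3, 0x2A0F7D18]


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def analyse_isns(isns, low_stddev=1 << 12):
    """Return a dict with 'verdict', 'step', 'stddev' and 'guess'.

    verdict 'constant'      every delta identical; next ISN known exactly
            'low-entropy'   deltas vary within a narrow band (assumed
                            threshold: standard deviation below 4096)
            'unpredictable' no pattern visible in this sample
    'guess' is the best next-ISN estimate, None when no pattern was found.
    """
    if len(isns) < 4:
        raise ValueError("need at least four ISN samples")
    deltas = isn_deltas(isns)
    step = reduce(math.gcd, deltas)   # common increment, if any
    spread = pstdev(deltas)
    if len(set(deltas)) == 1:
        verdict, guess = "constant", (isns[-1] + deltas[0]) % MOD
    elif spread < low_stddev:
        verdict, guess = "low-entropy", (isns[-1] + round(mean(deltas))) % MOD
    else:
        verdict, guess = "unpredictable", None
    return {"verdict": verdict, "step": step, "stddev": spread, "guess": guess}


if __name__ == "__main__":
    for name, sample in [("constant", CONSTANT_STEP_SAMPLE),
                         ("wrapping", WRAPPING_SAMPLE),
                         ("low-entropy", LOW_ENTROPY_SAMPLE),
                         ("random-like", RANDOM_LIKE_SAMPLE)]:
        r = analyse_isns(sample)
        print("%-12s verdict=%-13s step=%d stddev=%.1f guess=%s"
              % (name, r["verdict"], r["step"], r["stddev"],
                 None if r["guess"] is None else hex(r["guess"])))
```

Four or five samples are enough to expose a fixed-increment generator, which is what makes a relay exploitable, but not enough to call anything random; a proper assessment collects many connections in quick succession (nmap's OS detection does this and reports an ISN difficulty rating). For the affected relays the mitigations in the advisory itself apply; the analysis only tells you whether a device on your network still shows the pattern.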
*** SSA-732541 (Last Update 2015-07-17): Denial-of-Service Vulnerability in SIPROTEC 4 ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-732541.pdf
*** IBM Security Bulletins ***
---------------------------------------------
IBM Vulnerability in Apache Tomcat may affect IBM WebSphere Application Server Community Edition (CVE-2014-0230)
IBM Security Bulletin: Open Source Apache Tomcat vulnerability and vulnerability in Diffie-Hellman ciphers affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2014-0230, CVE-2014-7810, CVE-2015-4000)
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Sterling Secure Proxy and Sterling External Authentication Server (CVE-2015-0488, CVE-2015-1916, CVE-2015-2808, CVE-2015-0478, CVE-2015-0204)
IBM Security Bulletin: Vulnerabilities in OpenSSL including Logjam affect Rational Application Developer for WebSphere Software (CVE-2015-4000, CVE-2015-1793)
IBM Security Bulletin: Vulnerability in OpenSSL affects IBM SDK for Node.js (CVE-2015-1793)
IBM Security Bulletin: Vulnerability in the Dojo Toolkit affects IBM Business Process Manager, which is shipped with IBM SmartCloud Orchestrator and IBM SmartCloud Orchestrator Enterprise (CVE-2014-8917)
IBM Security Bulletin: Tivoli Workload Scheduler Distributed Potential Security vulnerabilities with IBM WebSphere Application Server (CVE-2015-1920)
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us