[CERT-daily] Daily summary - Monday 4-05-2015
Daily end-of-shift report
team at cert.at
Mon May 4 18:14:34 CEST 2015
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 30-04-2015 18:00 − Monday 04-05-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** eBay has ignored an XSS flaw for a year ***
---------------------------------------------
A vulnerability in eBay allows attackers to capture a session and, in the worst case, take over an account. The flaw is a year old and still has not been closed.
---------------------------------------------
http://heise.de/-2630964
*** Threatpost News Wrap, May 1, 2015 ***
---------------------------------------------
Dennis Fisher and Mike Mimoso discuss the post-RSA news, including the MySQL bug, the progress of the OpenSSL overhaul and the wildly entertaining House hearing on crypto backdoors.
---------------------------------------------
http://threatpost.com/threatpost-news-wrap-may-1-2015/112538
*** 3062591 - Local Administrator Password Solution (LAPS) Now Available - Version: 1.0 ***
---------------------------------------------
Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/3062591
*** New Google Password Alert extension already hacked ***
---------------------------------------------
A few hours after the presentation of the Google Password Alert extension, a researcher had already developed two methods to bypass it. A few hours ago, Google released the Password Alert extension, which was designed to warn users when they are submitting their Google credentials to fraudulent websites. Here's how it works for consumer accounts. Once you've...
---------------------------------------------
http://securityaffairs.co/wordpress/36483/hacking/password-alert-extension-hacked.html
*** VolDiff, for memory image differential analysis, (Sun, May 3rd) ***
---------------------------------------------
VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution providing a differential analysis, helping identify IOCs and understand advanced malware behaviour. I had intended to include it in my latest toolsmith article, Attack Detection: Hunting in-memory adversaries with Rekall and WinPmem, but quite literally ran out of space and time. Using WinPmem, as part of Rekall and GRR offerings, you can acquire two memory images, one clean
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19651&rss
*** Traffic pattern change noted in Fiesta exploit kit, (Mon, May 4th) ***
---------------------------------------------
A few hours ago, Jerome Segura, the Senior Security Researcher at Malwarebytes, tweeted about a change in traffic patterns from Fiesta exploit kit (EK) [1]. What had been semi-colons in the URLs from Fiesta EK are now commas. Any signatures for detecting Fiesta EK that depend on those semi-colons will need to be updated. A pcap of the traffic is available at http://malware-traffic-analysis.net/2015/05/04/2015-05-04-Fiesta-EK-traffic.pcap, and a zip file of the
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19655&rss
*** Securing the smart grid: European Network of Cyber Security ***
---------------------------------------------
Dr. Klaus Kursawe is the Chief Scientist at the European Network of Cyber Security (ENCS), where he is leading the research and development activities for critical infrastructure security. In this int...
---------------------------------------------
http://www.net-security.org/article.php?id=2270
*** Nasty Dyre malware bests white hat sandboxes ***
---------------------------------------------
Core checker a defensive wrecker
Seculert CTO Aviv Raff says a nasty piece of malware linked to widespread destruction and bank account plundering has become more dangerous with the ability to evade popular sandboxes.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/05/04/dyre_malware_sandbox_evasion/
*** Anti-phishing extension for Chrome subverted repeatedly ***
---------------------------------------------
The Chrome plug-in Password Alert is supposed to raise an alarm when users enter their login data on phishing websites. In the meantime, however, the function has already been circumvented several times.
---------------------------------------------
http://heise.de/-2632031
*** Linuxwochen from 7 to 9 May in Vienna ***
---------------------------------------------
From Thursday to Sunday, workshops and talks on encryption, 3D printing and open hardware will take place at FH Technikum Wien.
---------------------------------------------
http://futurezone.at/produkte/linuxwochen-von-7-bis-9-mai-in-wien/128.621.444
*** AlphaCrypt ***
---------------------------------------------
We've encountered yet another encrypting ransomware variant, and at this point it's expected, since the scam has exploded in popularity since its inception in late 2013. This one has a GUI that is almost...
---------------------------------------------
http://www.webroot.com/blog/2015/05/04/alphacrypt/
*** Microsoft Security Bulletin MS15-032 - Critical ***
---------------------------------------------
V2.0 (April 30, 2015): Updated bulletin to inform customers running Internet Explorer on Windows Server 2003 Service Pack 2 that the 3038314 update on the Microsoft Download Center was updated on April 22, 2015. Microsoft recommends that customers who installed the 3038314 update prior to April 22 should reinstall the update to be fully protected from the vulnerabilities discussed in this bulletin.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS15-032
*** DSA-3249 jqueryui - security update ***
---------------------------------------------
Shadowman131 discovered that jqueryui, a JavaScript UI library for dynamic web applications, failed to properly sanitize its title option. This would allow a remote attacker to inject arbitrary code through cross-site scripting.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3249
*** DSA-3244 owncloud - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in ownCloud, a cloud storage web service for files, music, contacts, calendars and many more.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3244
*** IBM Security Bulletins ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us
*** Cisco Finesse Server Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=38607
*** Squid SSL-Bump Certificate Validation Flaw Lets Remote Servers Bypass Client-side Certificate Validation ***
---------------------------------------------
http://www.securitytracker.com/id/1032221
*** VMSA-2015-0003.6 ***
---------------------------------------------
VMware product updates address critical information disclosure issue in JRE
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0003.html
*** VU#581276: EMC AutoStart is vulnerable to remote code execution via specially crafted packets ***
---------------------------------------------
Vulnerability Note VU#581276
EMC AutoStart is vulnerable to remote code execution via specially crafted packets
Original Release date: 30 Apr 2015 | Last revised: 30 Apr 2015
Overview
EMC AutoStart, version 5.5.0 and earlier, is vulnerable to remote command execution via specially crafted packets.
Description
EMC AutoStart is an enterprise software application developed to help networks and services maintain a high level of availability. AutoStart can manage clusters of applications or nodes
---------------------------------------------
http://www.kb.cert.org/vuls/id/581276
*** Splunk Enterprise 6.2.3 and Splunk Light 6.2.3 address five vulnerabilities ***
---------------------------------------------
Description
Splunk Enterprise 6.2.3 and Splunk Light 6.2.3 address five vulnerabilities.
Multiple vulnerabilities in OpenSSL prior to 1.0.1m (SPL-98351)
Disable SSLv3 in KV Store Replication (SPL-96280)
Secure flag inconsistently set for session cookies when appServerPorts!=0 (SPL-95798)
Cross-site scripting in Search (SPL-95594)
Cross-site scripting in management and configuration (SPL-93516)
At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have
---------------------------------------------
http://www.splunk.com/view/SP-CAAANZ7
*** RSA Identity Management and Governance Password Reset Weakness Lets Remote Users Gain Privileged Access ***
---------------------------------------------
http://www.securitytracker.com/id/1032218
*** Security Advisory: TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 ***
---------------------------------------------
(SOL14190)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/14000/100/sol14190.html?ref=rss
*** OPTO 22 Multiple Product Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for vulnerabilities that are present in the OPTO 22 PAC Project Professional, PAC Project Basic, OptoOPCServer, OptoDataLink, PAC Display Basic, and PAC Display Professional products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-120-01
*** Clam AntiVirus Multiple File Processing Flaws Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1032223
*** Dell SonicWALL Secure Remote Access Access Control Flaw in cgi-bin/editBookmark Lets Remote Users Conduct Cross-Site Request Forgery Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1032227
*** SSA-311412 (Last Update 2015-05-04): Incorrect Certificate Verification in Android App HomeControl for Room Automation ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-311412.pdf