Vol. 16, Num. 22
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 2016-05-24 - 2016-05-31
TOP VULNERABILITY THIS WEEK: New Method “SandJacking” Potentially Allows
Attackers to Install Malicious iOS Apps
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: New Method “SandJacking” Potentially Allows Attackers to Install
Malicious iOS Apps
Description: Chilik Tamir of mobile security firm Mi3 disclosed a
previously unknown way of installing malicious iOS apps at Hack in the
Box - Amsterdam. Tamir previously released a proof-of-concept tool call
“Su-A-Cyder” that could be used to replace legitimate apps with
malicious ones on an iOS device. Since then, he has identified a new
technique called “SandJacking” that leverages the “Su-A-Cyder” method
which works on the latest iOS devices. The newest method leverages the
restore process. This issue has been reported to Apple, but a patch for
this has not yet been released.
Reference: https://conference.hitb.org/hitbsecconf2016ams/materials/D1T2%20-%20Chilik%20Tamir%20-%20Profiting%20from%20iOS%20Malware.pdf
Research Spotlight: ROPMEMU - A Framework for the Analysis of Complex
Code Reuse Attacks
http://blog.talosintel.com/2016/06/ropmemu.html?f_l=s
Inside The Million-Machine Clickfraud Botnet
https://labs.bitdefender.com/2016/05/inside-the-million-machine-clickfraud-botnet/
Dridex Poses as Fake Certificate in Latest Spam Run
http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-fake-certificate/?
DDoS Attacks via TFTP Protocol Become a Reality After Research Goes Public
http://news.softpedia.com/news/ddos-attacks-via-tftp-protocol-become-a-reality-after-research-goes-public-504713.shtml
SWIFT attackers’ malware linked to more financial attacks
http://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2016-0185
Title: Microsoft Windows Media Center Input Validation Remote Code
Execution Vulneraiblity (MS16-059)
Vendor: Microsoft
Description: Media Center in Microsoft Windows Vista SP2, Windows 7 SP1,
and Windows 8.1 allows remote attackers to execute arbitrary code via a
crafted Media Center link (aka .mcl) file, aka “Windows Media Center
Remote Code Execution Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2016-4117
Title: Adobe Flash Player Integer Overflow Code Execution Vulnerability
(APSA16-02)
Vendor: Adobe
Description: Adobe Flash Player 21.0.0.226 and earlier allows remote
attackers to execute arbitrary code via unspecified vectors, as
exploited in the wild in May 2016.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2016-0189
Title: Microsoft Internet Explorer Scripting Engine Memory Corruption
Vulnerability
Vendor: Microsoft
Description: The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8
engines, as used in Internet Explorer 9 through 11 and other products,
allow remote attackers to execute arbitrary code or cause a denial of
service (memory corruption) via a crafted web site, aka “Scripting
Engine Memory Corruption Vulnerability,” a different vulnerability than
CVE-2016-0187.
CVSS v2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
ID: CVE-2016-1287
Title: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
Vendor: Cisco
Description: Buffer overflow in the IKEv1 and IKEv2 implementations in
Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before
9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7),
9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA
5500-X devices, ASA Services Module for Cisco Catalyst 6500 and Cisco
7600 devices, ASA 1000V devices, Adaptive Security Virtual Appliance
(aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000 devices
allows remote attackers to execute arbitrary code or cause a denial of
service (device reload) via crafted UDP packets, aka Bug IDs CSCux29978
and CSCux42019.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2016-3081
Title: Apache Struts Input Validation Remote Code Execution Vulnerability
Vendor: Apache Structs
Description: Apache Struts 2.x before 2.3.20.2, 2.3.24.x before
2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation
is enabled, allow remote attackers to execute arbitrary code via method:
prefix, related to chained expressions.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2016-1019
Title: Adobe Flash Player Code Execution Vulnerability
Vendor: Adobe
Description: Adobe Flash Player 21.0.0.197 and earlier allows remote
attackers to cause a denial of service (application crash) or possibly
execute arbitrary code via unspecified vectors, as exploited in the wild
in April 2016.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2016-1010
Title: Adobe Flash Player Integer Overflow Code Execution Vulnerability
Vendor: Adobe
Description: Integer overflow in Adobe Flash Player before 18.0.0.333
and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before
11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before
21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows
attackers to execute arbitrary code via unspecified vectors, a different
vulnerability than CVE-2016-0963 and CVE-2016-0993.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 2016-05-24 - 2016-05-31 COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 671F56304C53B1C54736ED760C65A99955258D18A5EFA2C39989FFB62F4F9D97
MD5: 971d031e0468644ccbadbf22270f5b6c
VirusTotal:
https://www.virustotal.com/file/671F56304C53B1C54736ED760C65A99955258D18A5EFA2C39989FFB62F4F9D97/analysis/#additional-info
Typical Filename: le2438.zip
Claimed Product: N/A
Detection Name: W32.671F56304C-100.SBX.VIOC
SHA 256: 848F73D2A209B00283A244C764E990E22DDD4F999B0AE4D3E37A21824569C8DF
MD5: 9197b4fa7e0004c3738e04eecc5acb71
VirusTotal:
https://www.virustotal.com/file/848F73D2A209B00283A244C764E990E22DDD4F999B0AE4D3E37A21824569C8DF/analysis/#additional-info
Typical Filename: 5668190953.doc
Claimed Product: N/A
Detection Name: W32.848F73D2A2-100.SBX.TG
SHA 256: D6F0900270940398C4C0673D4AF77B9158A24F69E8DCB39F9EBB6F949E59D9A6
MD5: 371fa4d720b241cc1b21c80970e3262a
VirusTotal:
https://www.virustotal.com/file/D6F0900270940398C4C0673D4AF77B9158A24F69E8DCB39F9EBB6F949E59D9A6/analysis/#additional-info
Typical Filename: contract_3101747.doc
Claimed Product: N/A
Detection Name: W32.D6F0900270-100.SBX.TG
SHA 256: 25D0963F8E33FA800F9E0A1700FE15A441D6E04B18D522DED18672A044569BCA
MD5: 2d0e3c6a1ca54a92250317eeeec0df18
VirusTotal:
https://www.virustotal.com/file/25D0963F8E33FA800F9E0A1700FE15A441D6E04B18D522DED18672A044569BCA/analysis/#additional-info
Typical Filename: sogouexe.exe
Claimed Product: “???????”
Detection Name: W32.25D0963F8E-100.SBX.VIOC
SHA 256: 93E434C5554AED4C0770D4F58F1AD56EB7208109A84473FE39CBB6BC4E8E85F7
MD5: 16e9736ea3577e7844d67f96b738faf2
VirusTotal:
https://www.virustotal.com/file/93E434C5554AED4C0770D4F58F1AD56EB7208109A84473FE39CBB6BC4E8E85F7/analysis/#additional-info
Typical Filename: 6013190921.doc
Claimed Product: N/A
Detection Name: W32.93E434C555-100.SBX.TG
OVERVIEW
CAPABILITIES
PLATFORM APPS
Use Cases
Segments
Resources
Research
Enterprise TruRisk Platform
Free Services