Everything you need to measure, manage, and reduce your cyber risk in one place
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Automate scanning in CI/CD environments with shift left DAST testing
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Everything you need to measure, manage, and reduce your cyber risk in one place
Contact us below to request a quote, or for any product-related questions
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Discover, track, and continuously secure containers – from build to runtime
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Automate scanning in CI/CD environments with shift left DAST testing
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Vol. 13, Num. 31
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newletter Archive.
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 7/23/2013 - 7/30/2013
update to its Microsoft Active Protections Program (MAPP) this week,
dramatically expanding the list of potential members and providing
several new levels of service in the process. The information-sharing
program has been instrumental to high-quality detection for security
vendors for years, and incident responders are the primary beneficiaries
of the expansion.
Title: Microsoft announces major expansion of MAPP program
Description: For the first time since the inception of the Microsoft
Active Protections Program (MAPP) in 2008, the firm is dramatically
increasing its scope, with two new sub-programs designed to increase the
number of people who can benefit from MAPP’s information-sharing regime.
The first, MAPP for Responders, will bring incident responders into the
fold, with data focused on identifying and remediating live exploitation
in the wild. The second, MAPP Scanner, is a cloud-based tool that will
allow an even broader range of organizations to submit files they
suspect might be exploiting a vulnerability in Microsoft software, with
both information on known vulnerabilities and details of suspicious
information being supplied in return. In addition, program benefits are
being expanded for current MAPP members, which will be re-branded as
MAPP for Security Vendors. This expansion of the program comes on the
heels of its dramatic success over the last several years, helping to
validate the strategy of open information-sharing among network
defenders worldwide.
Reference:
http://blogs.technet.com/b/bluehat/archive/2013/07/29/new-mapp-initiatives.aspx
http://blogs.technet.com/b/msrc/archive/2013/07/29/announcing-the-2013-msrc-progress-report-featuring-mapp-expansions.aspx
http://www.computerworld.com/s/article/9241169/ Microsoft_expands_bug_info_sharing_program_to_larger_crowd?taxonomyId=17&pageNumber=2
Snort SID: N/A
ClamAV: N/A
Title: Dovecot + Exim remote code execution attack spotted in the wild
Description: A trivially exploitable remote code execution vulnerability
in the Dovecot mail server, when paired with Exim as a local delivery
agent, was announced in May, with only a workaround being released to
date. Recent notes from the ISC Storm Center show that the attack, which
has several publicly available proofs of concept, is now being exploited
in the wild. Administrators of these systems are urged to check their
configurations and take appropriate mitigation immediately.
Reference:
https://isc.sans.edu/diary/Dovecot++Exim+Exploit+Detects/16243
http://osvdb.org/show/osvdb/93004
Snort SID: 27532
ClamAV: N/A
Title: Internet Explorer 9/10 information disclosure vulnerability
Description: In a post to the popular Full-Disclosure mailing list on
Monday, an independent researcher provided information around a
potential new Internet Explorer information disclosure vulnerability,
which he claimed would be useful in bypassing ASLR. While confirmation
of the vulnerability was pending as of the time of publication, and no
signs of exploitation in the wild are available at this time, security
researchers and incident responders should be paying close attention to
systems they monitor until further information is released.
Reference:
http://seclists.org/fulldisclosure/2013/Jul/267
Snort SID: 27531
ClamAV: N/A
Title: Package using Android “Extra Field” vulnerability spotted in the wild
Description: Independent researcher Zhuowei Zang recently began
distributing an APK on his Github site that used the recently disclosed
“Extra Field” vulnerability in APK file parsing in order to gain root
access on the Kobo Arc tablet. While his particular package contained
no malicious code, and simply took advantage of system package
permissions to install a superuser account, it shows how easy live
exploitation of the vulnerability is, likely setting the stage for
further use of it in the coming weeks.
Reference:
http://vrt-blog.snort.org/2013/07/android-extra-field-vulnerability_30.html
https://www.virustotal.com/en/file/ 06edeb3bab3bfb8c7b272615b8524111d03b17a8875e507a1cc9e4af81f486c6
/analysis/
Snort SID:
ClamAV: BC.Exploit.Andr.Extra_Field
Windows RT ARMv7-based shellcode development:
http://www.exploit-monday.com/2013/07/WinRT-ARM-Shellcode.html
Styx cool exploit kit: one applet to exploit all vulnerabilities:
http://security-obscurity.blogspot.com/2013/07/styxy-cool-exploit-kit-one-applet-to.html
Spy agencies ban Lenovo PCs on security concerns:
http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_HVgcKTHp4bIA4ulCPqC7SL
MSI: the case of the invalid signature:
http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/
Security vendors: do no harm, heal thyself:
http://krebsonsecurity.com/2013/07/security-vendors-do-no-harm-heal-thyself/
The evolution of Rovnix: private TCP/IP stacks:
http://blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx
Verizon announces Veris database - raw incident data:
http://www.verizonenterprise.com/security/blog/index.xml?postid=4642
Flush + Reload: a high resolution, low noise L3 cache side-channel attack:
http://eprint.iacr.org/2013/448.pdf
Big poker player loses high-stakes Android scam game:
http://www.symantec.com/connect/blogs/big-poker-player-loses-high-stakes-android-scam-game
Haunted by the ghosts of ZeuS and DNSChanger:
http://krebsonsecurity.com/2013/07/haunted-by-the-ghosts-of-zeus-dnschanger/
Vulnerability disclosed all passwords of Barracuda Networks employees:
http://securityaffairs.co/wordpress/16584/hacking/vulnerability-in-baracuda-network.html
Advanced exploitation of Windows kernel privilege escalation / CVE-2013-3660:
http://www.vupen.com/blog/20130723.Advanced_Exploitation_Windows_Kernel_Win32k_EoP_MS13-053.php
How I found my way into Instagram’s Ganglia, and a bug with Facebook likes:
http://josipfranjkovic.blogspot.com/2013/07/how-i-found-my-way-into-instagrams.html
Dissecting a WordPress brute force attack:
http://blog.sucuri.net/2013/07/dissecting-a-wordpress-brute-force-attack.html
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2013-3174
Title: Microsoft DirectShow GIF Parsing Memory Corruption Vulnerability
Vendor: Microsoft
Description: DirectShow in Microsoft Windows XP SP2 and SP3, Windows
Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1,
Windows 7 SP1, Windows 8, and Windows Server 2012 allows remote
attackers to execute arbitrary code via a crafted GIF file, aka
“DirectShow Arbitrary Memory Overwrite Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-2251
Title: Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Vendor: Apache
Description: Apache Struts 2.0.0 through 2.3.15 allows remote attackers
to execute arbitrary OGNL expressions via a parameter with a crafted (1)
action: , (2) redirect:, or (3) redirectAction: prefix.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-1017
Title: Apple Quicktime 7 Invalid Atom Length Buffer Overflow
Vendor: Apple
Description: Buffer overflow in Apple QuickTime before 7.7.4 allows
remote attackers to execute arbitrary code or cause a denial of service
(application crash) via crafted dref atoms in a movie file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-3163
Title: Microsoft Internet Explorer CBlockElement Use-after-Free Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 through 10 allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption) via a crafted web site, aka “Internet Explorer Memory
Corruption Vulnerability,” a different vulnerability than CVE-2013-3144
and CVE-2013-3151.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-2460
Title: Java Applet ProviderSkeleton Insecure Invoke Method
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK
7, allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to Serviceability. NOTE: the
previous information is from the June 2013 CPU. Oracle has not commented
on claims from another vendor that this issue allows remote attackers
to bypass the Java sandbox via vectors related to “insufficient access
checks” in the tracing component.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/
Typical Filename: C8A787C22000AE378610003396E67500D587FA4E
.exe
Claimed Product: My Web Search Bar for Internet Explorer and FireFox
Claimed Publisher: MyWebSearch.com
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename:
smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Product:
smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Publisher:
smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Typical Filename: avz00001.dta
Claimed Product: avz00001.dta
Claimed Publisher: avz00001.dta
SHA 256: 9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302
MD5: 923c4d13bee966654f4fe4a8945af0ae
VirusTotal: https://www.virustotal.com/file/9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302/analysis/
Typical Filename: winoaox.exe
Claimed Product: winoaox.exe
Claimed Publisher: winoaox.exe
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Typical Filename: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Product: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Publisher: bf31a8d79f704f488e3dbcb6eea3b3e3