6 Days Left to Save $400 on Cyber Threat Intelligence Summit 2017

Newsletters: @RISK


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

June 14, 2012
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 12, Num. 24

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 5/29/2012 - 6/5/2012

Top Vulnerability this week: The XML zero day that affects Internet Explorer users as well as Office 2003 and 2007 users. It was important enough for Microsoft to make an extra out-of-cycle patch available. The reason it is so important is that most targeted attacks going after sensitive intellectual property use a vector like the one used in this attack.

================================================================

TRAINING UPDATE

--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

--SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.
http://www.sans.org/sansfire-2012/

--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

--SANS Boston 2012, Boston, MA August 6-11, 2012 9 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

--Looking for training in your own community?
http: sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Malaysia, Bangkok, San Diego, San Antonio, and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

================================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: MySQL Authentication Brute Force Attack
Description: A trivially exploitable attack exists for certain platforms running MySQL that allows attackers root access to the database without any credentials. HD Moore has demonstrated a single-line shell script that will grant access, so live attacks are presumed to exist in the wild already, with automated scanners for this vulnerability likely to follow (if not already available).
Reference:
http://vrt-blog.snort.org/2012/06/mysql-authentication-brute-force-attack.html
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
Snort SID: 23115
https://isc.sans.edu/port.html?port=3306

Title: Web Shell With GIF Header
Description: A live shell has been observed in the wild as part of automated attempts to exploit the WordPress TimThumb vulnerability released in August of 2011. This shell has a validly formed GIF header prepended to the malicious PHP code, so that TimThumb's built-in file safety checks will be bypassed (as well as any other check based on file(1), which declares the shell to be a valid GIF file). Several monitoring organizations have reported this shell being dropped very widely in the field.
Reference:
http://vrt-blog.snort.org/2012/06/web-shell-poses-as-gif.html
http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html
Snort SID: 23113, 23114
ClamAV: PHP.Hide

Title: CVE-2012-1875 Microsoft Internet Explorer DOM manipulation memory corruption
Description: This is a complex Document Object Model heap overwrite, but several actors are using it in targeted attacks observed across the globe. Several variants of the attack are in public already, and more are being traded in the underground. Users of Internet Explorer should patch this bug as promptly as possible.
Reference:
http://technet.microsoft.com/en-us/security/bulletin/MS12-037
Snort SID: 23125
ClamAV: Exploit.CVE_2012_1875, Exploit.CVE_2012_1875-1

Title: Unauthorized Microsoft Security Certificates Allow Windows Update Spoofing
Description: The recently discovered Flame malware used a specifically crafted SSL certificate to man-in-the-middle the Windows Update process and inject code. As any certificate issued by a pair of intermediate signing authorities could, if used by Flame or others, lead to unauthorized content being trusted by the operating system, Microsoft explicitly revoked all certificates issued by those authorities.
Reference:
http://technet.microsoft.com/en-us/security/advisory/2718704
Snort SID: 23090
ClamAV: N/A

Title: CVE-2011-2140 Adobe Flash Player MP4 Buffer Overflow:
Description: A simple buffer overflow attack exists in the way Adobe Flash parses certain chunks of MP4 files. Public exploits exist, and have been incorporated into the Chinese Yang Pack exploit kit. Active exploitation of this vulnerability has been observed in the wild by the Sourcefire VRT.
Reference:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
Snort SID: 19693, 20555, 21006, 23098
ClamAV: Trojan.GameThief-3, Exploit.SWF-24, Trojan.Cossta-22

============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

(1) Flame malware collision attack explained:
http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx
http://www.trailofbits.com/resources/flame-md5.pdf

(2) Facebook begins notifying DNSChanger victims:
http://www.zdnet.com/blog/security/facebook-begins-notifying-dnschanger-victims/12296

(3) Spear Phishing Attempt vs. Digital Bond Analyzed:
http://www.digitalbond.com/2012/06/11/analysis-of-spear-phishing-malware-file/

(4) Post Mortem: Today's attack; apparent Google Apps/Gmail
vulnerability; and how to protect yourself:
http://blog.cloudflare.com/post-mortem-todays-attack-apparent-google-app

=============================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

ID: CVE-2012-1889
Title: Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
CVSS v2 Base Score: 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C

ID: CVE-2012-1875
Title: Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2012-1849
Title: Microsoft Lync CVE-2012-1849 DLL Loading Arbitrary Code Execution Vulnerability
Vendor: Microsoft
Description: Untrusted search path vulnerability in Microsoft Lync 2010, 2010 Attendee, and 2010 Attendant allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .ocsmeet file, aka "Lync Insecure Library Loading Vulnerability.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

ID: CVE-2012-0985
Title: Sony VAIO Wireless Manager ActiveX Control 'WifiMan.dll' Multiple
Buffer Overflow Vulnerabilities
Vendor: Sony
Description: Multiple buffer overflows in the Wireless Manager ActiveX control 4.0.0.0 in WifiMan.dll in Sony VAIO PC Wireless LAN Wizard 1.0; VAIO Wireless Wizard 1.00, 1.00_64, 1.0.1, 2.0, and 3.0; SmartWi Connection Utility 4.7, 4.7.4, 4.8, 4.9, 4.10, and 4.11; and VAIO Easy Connect software 1.0.0 and 1.1.0 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the second argument of the (1) SetTmpProfileOption or (2) ConnectToNetwork method.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2012-2436
Title: Pligg CMS CVE-2012-2436 Multiple Cross Site Scripting Vulnerabilities
Vendor: Pligg
Description: Multiple cross-site scripting (XSS) vulnerabilities in Pligg CMS before 1.2.2 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter in a move or (2) minimize action to admin/admin_index.php; (3) the karma_username parameter to module.php in the karma module; (4) q_1_low, (5) q_1_high, (6) q_2_low, or (7) q_2_high parameter in a configure action to module.php in the captcha module; or (8) the edit parameter to module.php in the admin_language module.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

ID: CVE-2012-1824
Title: Measuresoft ScadaPro DLL Loading Arbitrary Code Execution Vulnerability
Vendor: Measuresoft
Description: Untrusted search path vulnerability in Measuresoft ScadaPro Client before 4.0.0 and ScadaPro Server before 4.0.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

=========================================================
MOST POPULAR MALWARE FILES 5/29/2012 - 6/5/2012:

(Compiled by Sourcefire)

SHA 256: 1481ACE90584C46406259C653D2BD3457A2E5F44781E907731C9A618F96C7442
MD5: bb74024a1d4e4808562c090980151653
VirusTotal: https://www.virustotal.com/file/1481ACE90584C46406259C653D2BD3457A2E5F44781E907731C9A618F96C7442
Malwr: http://malwr.com/analysis/63fdbb9c9802d680dc6d622d2e228317/
Typical Filename: MWSSVC.EXE
Claimed Product: My Web Search Bar
Claimed Publisher: MyWebSearch.com

SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
Malwr: http://malwr.com/analysis/7961a56c11ba303f20f6a59a506693ff
Typical Filename: C8A787C22000AE378610003396E67500D587FA4E.exe
Claimed Product: My Web Search Bar for Internet Explorer and FireFox
Claimed Publisher: MyWebSearch.com

SHA 256: DFE385206E3BA737636463B22501B801B88169AF789424E8A33C3CF07A8B2235
MD5: 589c85ad4b3fd73456f32eb9d58e2f9c
VirusTotal: https://www.virustotal.com/file/DFE385206E3BA737636463B22501B801B88169AF789424E8A33C3CF07A8B2235
Malwr: http://malwr.com/analysis/589c85ad4b3fd73456f32eb9d58e2f9c
Typical Filename: 3E229CF2E0B55D93A59C027D284E7A0088209A1A.exe
Claimed Product: ShopAtHome.com Shopping Toolbar
Claimed Publisher: -

SHA 256: D69EE2A46B02A39C7BCCFFE10FB4280EFF268E2633E39697DC59CFA0D5D7CB3C
MD5: 5d3d195648820c95f20e4e9189e1937b
VirusTotal: https://www.virustotal.com/file/D69EE2A46B02A39C7BCCFFE10FB4280EFF268E2633E39697DC59CFA0D5D7CB3C
Malwr: http://malwr.com/analysis/5d3d195648820c95f20e4e9189e1937b
Claimed Product: -
Claimed Publisher: -

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
Typical Filename: avz00001.dta
Claimed Product: -
Claimed Publisher: -

=============================================================

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account