Newsletters: @RISK

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

March 27, 2014
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 14, Num. 12

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 3/18/2014 - 3/25/2014
============================================================

TOP VULNERABILITY THIS WEEK: Vulnerability in Microsoft Word Could Allow Remote Code Execution

******************** Sponsored By SANS *********************

Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp.
http://www.sans.org/info/154465

============================================================

TRAINING UPDATE

-- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp. http://www.sans.org/info/154465

- -- SANS 2014Orlando, FLApril 5-14, 2014
42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014

- -- SANS Security WestSan Diego, CAMay 8-17, 2014
30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014

-- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014
8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.

http://www.sans.org/event/rocky-mountain-2014

- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014
7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014

- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014

- --Can't travel? SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!

- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org

- -- Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Munich, Austin, Malaysia, and London all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

********************** Sponsored Links: ********************

1) Higher Ed IT Pros! What's On Your Security Wish List? Tell us here:
http://www.sans.org/info/155855

2) Defending ICS Against Cyberthreats with Next Generation Security Tuesday, April 29 at 1:00 PM EDT Michael Assante, Del Rodillas.
http://www.sans.org/info/155865

3) In case you missed it - Webcast: Threat Intelligence: What It Is, and Why Your Security Program Needs More of It.
http://www.sans.org/info/155870

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Microsoft Word RTF Remote Memory Corruption Vulnerability
(CVE-2014-1761)
Description: A vulnerability in how multiple Microsoft products handle RTF files can lead to memory corruption.
Reference:
http://arstechnica.com/security/2014/03/zero-day-vulnerability-in-microsoft-word-under-active-attack/
Snort SID: 24975, 24975
ClamAV: RTF.Exploit.CVE_2012_2539

Title: Internet Explorer TextRange Use-After-Free Vulnerability
(MS14-012)
Description: A use-after-free vulnerability exists in Internet Explorer. The vulnerability is due to an error in the way TextRange objects are handled.
Reference: http://technet.microsoft.com/en-us/security/bulletin/ms14-012
http://telussecuritylabs.com/threats/show/TSL20140311-15
Snort SID: Coverage is pending
ClamAV: Coverage is pending

Title: Stealth malware sneaks onto Android phones, then "turns evil" when OS upgrades
Description: Applications installed on an Android device can be automatically granted extra privileges during an upgrade of the Android OS.
Reference:
http://www.welivesecurity.com/2014/03/21/stealth-malware-sneaks-onto-android-phones-then-turns-evil-when-os-upgrades/

============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Zorenium Bot: Heading to an iPhone Near You?
http://www.infosecurity-magazine.com/view/37612/zorenium-bot-heading-to-an-iphone-near-you/

AWS urges developers to scrub GitHub of secret keys
http://www.itnews.com.au/News/375785,aws-urges-developers-to-scrub-github-of-secret-keys.aspx

New Android Bug Causes "Bricked" Devices
blog.trendmicro.com/trendlabs-security-intelligence/new-android-bug-causes-bricked-devices/

============================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2014-1761

Title: Microsoft Word Remote Memory Corruption Vulnerability

Vendor: Microsoft

Description: Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Word Viewer; Office Compatibility Pack SP3; Office for Mac 2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, as exploited in the wild in March 2014.

CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2014-0307

Title: Internet Explorer TextRange Use-After-Free Vulnerability (MS14-012)

Vendor: Microsoft

Description: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a certain sequence of manipulations of a TextRange element, aka "Internet Explorer Memory Corruption Vulnerability."

CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2014-0783,CVE-2014-0784

Title: Yokogawa CENTUM CS 3000 Vulnerabilities

Vendor: Yokogawa

Description: Stack-based buffer overflows in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C)

ID: CVE-2013-2347

Title: HP Data Protector Backup Client Service Remote Code Execution

Vendor: HP

Description: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1885.

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2014-0502

Title: Adobe Flash Player 12.0.0.44 Memory Corruption Vulnerability

Vendor: Adobe

Description: Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2014-0322

Title: Internet Explorer CMarkup use-after-free vulnerability

Vendor: Microsoft

Description: Use-after-free vulnerability in Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, as exploited in the wild in January and February 2014.

CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

=========================================================
MOST PREVALENT MALWARE FILES 3/18/2014 - 3/25/2014
COMPILED BY SOURCEFIRE

SHA 256: A1A212E0B59ABBB2F520F1D35E68AE00944931A5A0A514947555359CCEF2366F MD5: 09b8de9389103831a84bb1711ebef153
VirusTotal:
https://www.virustotal.com/file/A1A212E0B59ABBB2F520F1D35E68AE00944931A5A0A514947555359CCEF2366F/analysis/#additional-info
Typical Filename: wajam_update.exe
Claimed Product: Wajam Internet Technologies
Detection Name: W32.A1A212E0B5-100.SBX.VIOC

SHA 256: C9D0E4A0EB68983AEF109E059E53C1510874BDB2D045F51F3645F3C06050D4BC
MD5: 488ab9e11c6d560ec43141366aadfc4c
VirusTotal:
https://www.virustotal.com/file/C9D0E4A0EB68983AEF109E059E53C1510874BDB2D045F51F3645F3C06050D4BC/analysis/#additional-info
Typical Filename: Unknown
Claimed Product: Conduit Ltd. SearchProtect
Detection Name: W32.C9D0E4A0EB-100.SBX.VIOC

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal:
https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/#additional-info
Typical Filename: wincdgja.exe
Claimed Product: Sality
Detection Name: W32.Sality:StubOfSalityTrj.17co.1201

SHA 256: B76B843FF8E57BC0AD5B3A8C0730BA2A40DA2C99D5D3BAC20A5D5235664A3170
MD5: 39dd5df876441584c8b3c5377edb19b7
VirusTotal:
https://www.virustotal.com/file/B76B843FF8E57BC0AD5B3A8C0730BA2A40DA2C99D5D3BAC20A5D5235664A3170/analysis/#additional-info
Typical Filename: au_.exe
Claimed Product: Conduit Ltd. SearchProtect
Detection Name: W32.B76B843FF8-100.SBX.VIOC

SHA 256: 54EC6309345B846CBB52F0D3942767D34D545CEAD2048A871841474612588280
MD5: 2d1225eec3c1829063d0aae4fc3c4b87
VirusTotal:
https://www.virustotal.com/file/54EC6309345B846CBB52F0D3942767D34D545CEAD2048A871841474612588280/analysis/#additional-info
Typical Filename: Unknown
Claimed Product: Conduit Ltd. SearchProtect
Detection Name: W32.54EC630934-100.SBX.VIOC

=============================================================

(c) 2014. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account