Ends Today! iPad Pro w/ Smart Keyboard, $400 Off, or ASUS Chromebook w/ Online Training!

Newsletters: @RISK


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

November 16, 2017

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                    November 16, 2017 - Vol. 17, Num. 46


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES 2017-11-07 - 2017-11-14

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft Released Security Updates for November 2017


******************** Sponsored By SANS  ********************


Join the SANS Institute in Boston at the SOC Briefing for the Cybersecurity Community where vendors will present sessions demonstrating their tools and capabilities to support threat hunting, or incorporate the results of threat hunting. This half- day event is free to the Cybersecurity Community. Networking lunch following. Not in Boston? Attend via simulcast. More info at: http://www.sans.org/info/199765


============================================================

TRAINING UPDATE


-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | http://www.sans.org/u/vNd


-- SANS San Francisco Winter 2017 | November 27-December 2 | http://www.sans.org/u/wgE


-- SANS London November 2017 | November 27-December 2 | http://www.sans.org/u/wgJ


-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | http://www.sans.org/u/wKk


-- SANS Security East 2018 | New Orleans, LA | January 8-13 | http://www.sans.org/u/xmN


-- SANS Amsterdam January 2018 | January 15-20 | http://www.sans.org/u/wUT


-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | http://www.sans.org/u/xTH


-- SANS Secure Japan 2018 | February 19-March 3 | http://www.sans.org/u/wUY


-- SANS Secure Singapore 2018 | March 12-24 | http://www.sans.org/u/xTM


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Receive a 12.9" iPad Pro, Surface Pro 4 or take $400 Off your OnDemand or vLive course when you register by November 22nd. http://www.sans.org/u/xTR


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast - http://www.sans.org/u/WK


-- Evening training 2x per week for 6 weeks with vLive - http://www.sans.org/u/WZ 


-- Anywhere, Anytime access for 4 months with OnDemand format - http://www.sans.org/u/rEw


-- Multi-week Live SANS training

Mentor - http://www.sans.org/u/X9

Contact mentor@sans.org


-- Looking for training in your own community?

Community - http://www.sans.org/u/Xo


-- Plus Austin, Munich, Frankfurt, Miami, and Bangalore all in the next 90 days.

-- For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN


********************** Sponsored Links: ********************


1) Join Lance Spitzner and Brian Honan for the GDPR: What to Train Your Workforce Webcast:  http://www.sans.org/info/199770


2) Intezer Analyze and SANS' Jake Williams demonstrate how finding code reuse of known malware enables you to improve and accelerate incident response plans. http://www.sans.org/info/199780


3) In case you missed it: "Breaking Down the Data: How Secure Are You and Your Supply Chain?" Register: http://www.sans.org/info/199785


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft Released Security Updates for November 2017

Description: Microsoft has released its monthly set of security updates to address vulnerabilities that have been identified in Windows, Office, and other supported software. This month's release addresses 53 new vulnerabilities with 19 of them rated critical, 31 of them rated important and 3 of them rated moderate. These vulnerabilities impact Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, and more.

Reference: https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Snort SID: 44809-44834, 44838-44839, 44843-44846


Title: Adobe Releases Security Updates for Flash Player, Reader, and more

Description: Adobe has released security updates for Flash Player, Shockwave Player, Acrobat, Reader, Photoshop, and more. This month's Flash Player update address five critical vulnerabilities that could be exploited by an attacker to acheive remote code execution. The Acrobat and Reader security update addressed 62 vulnerabilities with the vast majority of them being critical arbitrary code execution vulnerabilities.

Reference: https://helpx.adobe.com/security.html

Snort SID: 43120-43121; Detection pending for other vulnerabilities


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Guidance on Mitigating Microsoft Office DDE Attacks

https://technet.microsoft.com/en-us/library/security/4053440


A penetration testers guide to sub-domain enumeration

https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6


2017 ACM Conference on Computer and Communications Security - Accepted Papers

https://acmccs.github.io/papers/


Apple iPhone X Face ID Fooled by a Mask

https://threatpost.com/apple-iphone-x-face-id-fooled-by-a-mask/128865/


#AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine

https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/


=========================================================


RECENT

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

 

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:     CVE-2017-8759

Title:

Microsoft published a .NET security update to address this issue.

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:     CVE-2017-9805

Title:

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:     CVE-2017-0037

Title:

CVSS v2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)


ID:     CVE-2017-0145

Title:

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:     CVE-2017-0290 

Title:

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:     CVE-2017-3881

Title:

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:     CVE-2017-5638

Title:

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:     CVE-2016-7892

Title:

CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


=========================================================


MOST PREVALENT MALWARE FILES 2017-11-07 - 2017-11-14

:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4

MD5: bea381c0fbd24f1503018b3b9089e358

VirusTotal: https://www.virustotal.com/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/#additional-info

Typical Filename: InvoiceED3539939.doc

Claimed Product: N/A

Detection Name: W32.323CB1D2F3-95.SBX.TG


SHA 256: 6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd

MD5: 71aad93dfbd1c4b2854a697405675c51

VirusTotal: https://www.virustotal.com/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/analysis/#additional-info

Typical Filename: InvoiceMP8820239.doc

Claimed Product: N/A

Detection Name: W32.6B7B11077B-95.SBX.TG


SHA 256: 8d9c2dd4e7941453d61b490144ad1875e935b88a00231b885c839c43346aa5ab

MD5: 628272a0cc32eb514dc58572d761684a

VirusTotal: https://www.virustotal.com/file/8d9c2dd4e7941453d61b490144ad1875e935b88a00231b885c839c43346aa5ab/analysis/#additional-info

Typical Filename: InvoiceMC4260854.doc

Claimed Product: N/A

Detection Name: W32.8D9C2DD4E7-95.SBX.TG


SHA 256: 131d8ad5cbddb8edd6800788d138eda1ace570c1a0c97afd71cc7f03c1bb2d07

MD5: 9c7fc4c27fd3eb3dfe96db99bcabb00f

VirusTotal: https://www.virustotal.com/file/131d8ad5cbddb8edd6800788d138eda1ace570c1a0c97afd71cc7f03c1bb2d07/analysis/#additional-info

Typical Filename: InvoiceYS6763243.doc

Claimed Product: N/A

Detection Name: W32.131D8AD5CB-95.SBX.TG


SHA 256: 23d5dbfaaf5258aaac2ccc4159027885cf6f48b692d0b3617610858c21cc7f58

MD5: c2e98913d325dbd42dc56c5bef0601e0

VirusTotal: https://www.virustotal.com/file/23d5dbfaaf5258aaac2ccc4159027885cf6f48b692d0b3617610858c21cc7f58/analysis/#additional-info

Typical Filename: c2e98913d325dbd42dc56c5bef0601e0.doc

Claimed Product: N/A

Detection Name: W32.23D5DBFAAF-95.SBX.TG


=============================================================


(c) 2017.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743