Posts Tagged ‘vulnerability’
Tuesday, December 3, 2013 @ 03:12 PM gHale
Targeted attacks are already occurring on a new Zero Day vulnerability affecting Windows XP and Windows Server 2003, Microsoft officials said.
Just prior to November 28, Microsoft issued an advisory about the bug (CVE-2013-5065), which lies in the kernel component of Windows XP and Windows Server 2003.
Exploitation could allow an elevation of privilege that gives an attacker the ability to execute code in kernel mode, then go on to “install programs; view, change or delete data; or create new accounts with full administrative rights,” the advisory said.
An attacker would still need login credentials to log on locally to exploit the vulnerability, Microsoft said.
Attacks were occurring in which the kernel vulnerability was used in conjunction with an Adobe Reader exploit, FireEye researchers Xiaobo Chen and Dan Caselden said in a blog post.
Those running the latest versions of Adobe Reader, however, aren’t vulnerable to the exploit, which targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and earlier versions on Windows XP Service Pack 3, FireEye said.
Over the weekend, Symantec also said a “small number” of in-the-wild attacks have occurred since early November, where attackers used malicious PDFs as an attack vector. Users in the U.S., India, Australia, Saudi Arabia and throughout Europe were the targets.
In those attacks, attackers exploiting the Windows Zero Day dropped a Trojan called “Wipbot” onto victims’ systems, Symantec found. Wipbot steals system information, which then ends up shared with attackers via their control hub.
So far, Microsoft has yet to issue a fix for the vulnerability, but Dustin Childs, a spokesman for Microsoft’s Trustworthy Computing team, said in a blog post last Wednesday that users could deploy a workaround for the issue by configuring the NDProxy driver.
The NDProxy driver helps users manage Microsoft’s Telephony Application Programming Interface (TAPI) for integrated computer-telephone services.
Wednesday, November 27, 2013 @ 11:11 AM gHale
There were 700,000 new Android malware samples spotted in the third quarter with attacks against this platform having increased by over 30 percent, a new report said.
Part of the 30 percent increase is due to the discovery of the Android vulnerability that attackers can exploit to create malware that’s capable of bypassing digital signature validation, according to the McAfee third quarter 2013 threat report. Bad guys already started leveraging the flaw with a new family McAfee calls Exploit/MasterKey.A.
“The efforts to bypass code validation on mobile devices, and commandeer it altogether on PCs, both represent attempts to circumvent trust mechanisms upon which our digital ecosystems rely,” said Vincent Weafer, senior vice president of McAfee Labs.
“The industry must work harder to ensure the integrity of this digital trust infrastructure given these technologies are becoming even more pervasive in every aspect of our daily lives.”
In order to make their malware attacks more efficient, cybercriminals are turning more and more to digitally signed malware. In fact, the number of digitally signed malware samples increased by 50 percent, to over 1.5 million new samples.
When it comes to virtual currencies, experts said illegal activities are facilitated by the emergence of new currencies that allow cybercriminals not only to make transactions, but also to launder their proceeds.
Furthermore, as Bitcoin becomes more popular and more valuable, cybercriminals are turning more and more to the use of Bitcoin-mining malware.
The threat report also showed the global volume of spam increased by 125 percent.
The basis of the study comes from information from 500 multidisciplinary researchers spread out across 30 countries. The complete “McAfee Labs Threats Report: Third Quarter 2013” is available on the company’s website.
Tuesday, October 22, 2013 @ 03:10 PM gHale
There is an update to the Alstom e-terracontrol software vulnerability: the company created a patch that mitigates an improper input validation vulnerability, according to a report on ICS-CERT.
Adam Crain of Automatak and independent researcher Chris Sistrunk tested the patch to validate that it resolves the remotely exploitable vulnerability.
The following Alstom product suffers from the issue: e-terracontrol, Versions 3.5, 3.6, and 3.7.
An attacker can put the master into an infinite loop by sending a specially crafted TCP packet from the outstation side of an IP-based network. If the device is connected via a serial connection, the same attack can occur with physical access to the master station. The device must then be shut down and restarted to clear the loop state.
Alstom is a France-based company that maintains offices worldwide.
The affected product, Alstom e-terracontrol software, sees use in SCADA systems to monitor and control electrical energy systems. According to Alstom, e-terracontrol software sees deployment across the electric energy sector. Alstom estimated these products see use mainly in the U.S. and Europe with a small percentage in Asia.
As this vulnerability affects Internet Protocol-connected and Serial-connected devices, there are two CVSS scores.
The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop with a specifically crafted TCP packet, causing the process to crash. If the Alstom e-terracontrol settings end up configured to automatically restart, the DNP3 service will automatically restart and resume communications. Otherwise, the system must restart manually.
The following scoring is for IP-connected devices: CVE-2013-2787 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. If the Alstom e-terracontrol settings end up configured to automatically restart, the DNP3 service will automatically restart and resume communications. Otherwise, the system must be restarted manually.
The following scoring is for serial-connected devices: CVE-2013-2818 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.
The IP-based vulnerability could end up exploited remotely, but the serial-based vulnerability is not exploitable remotely. There must be local access to the serial-based outstation.
No known public exploits specifically target this vulnerability, but an attacker with moderate skill could craft an IP packet that would be able to exploit the vulnerability on an IP-based device.
An attacker with high skill could exploit the serial-based vulnerability, because it requires physical access to the device or some amount of social engineering.
Alstom produced a patch that is available for download from the Alstom Grid Customer Wise portal. Users should contact their Alstom representative for download information.
Thursday, October 10, 2013 @ 04:10 PM gHale
Invensys created an update that mitigates the improper input validation vulnerability in the Wonderware InTouch human-machine interface (HMI), according to a report on ICS-CERT.
Independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team discovered the vulnerability in the Wonderware InTouch application. The Positive Technologies Research Team tested the update to validate that it resolves the vulnerability.
The following Invensys Wonderware products suffer from the issue: InTouch HMI 2012 R2 and all previous versions.
Successful exploitation of this vulnerability could allow an attacker to affect the confidentiality and availability of the Invensys Wonderware InTouch.
Invensys is a global technology company that works with industrial, commercial, rail operators, and appliance operators, while operating in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.
The Invensys Wonderware InTouch HMI works across several sectors including critical manufacturing, energy, food and agriculture, chemical, and water and wastewater.
Wonderware InTouch HMI allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause Wonderware InTouch HMI to send the contents of local or remote resources to the attacker’s server or cause a denial of service of the system.
CVE-2012-4709 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
This vulnerability is not remotely exploitable and needs user interaction for any kind of exploit. The exploit triggers when a local user runs the vulnerable application and loads the malformed XML files.
No known public exploits specifically target this vulnerability, but an attacker with low skill would be able to exploit it.
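A defender-side pre-check for the XXE class described above, added here as an example and not code from Invensys, Positive Technologies or ICS-CERT: it walks the DTD of an untrusted document with a non-resolving expat parser and rejects external entities, external DTD references and nested entity references before the document reaches the application parser. The sample documents and the file path in them are constructed, not real InTouch files.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Document declares DTD constructs that enable XXE or entity-expansion DoS."""


def check_xml_dtd(data: bytes) -> None:
    """Walk the DTD with a non-resolving expat parser and raise UnsafeXML on
    external references. Nothing is fetched: parameter-entity parsing is off
    and no ExternalEntityRefHandler is installed."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> asks the parser to fetch an external DTD.
        if sysid is not None or pubid is not None:
            raise UnsafeXML(f"external DTD reference in DOCTYPE {name!r}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            # <!ENTITY e SYSTEM "file:///..."> is the XXE read/exfiltration primitive.
            raise UnsafeXML(f"external entity {name!r} -> {sysid!r}")
        if value is not None and "&" in value:
            # Entities referencing other entities (even &amp;) are rejected:
            # nested references are the entity-expansion (DoS) pattern.
            raise UnsafeXML(f"nested entity reference in {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # raises ExpatError on malformed input


def is_safe_xml(data: bytes) -> bool:
    """True only if the document is well-formed and passes the DTD check."""
    try:
        check_xml_dtd(data)
    except (UnsafeXML, expat.ExpatError):
        return False
    return True


# Constructed sample documents (not real InTouch files; the path is a placeholder).
BENIGN_XML = b'<?xml version="1.0"?><TagList><Tag name="Pump1_Speed"/></TagList>'
XXE_XML = b'<!DOCTYPE t [<!ENTITY ext SYSTEM "file:///C:/constructed/secret.txt">]><t>&ext;</t>'
EXPANSION_XML = b'<!DOCTYPE t [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;">]><t>&b;</t>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("xxe", XXE_XML), ("expansion", EXPANSION_XML)):
        print(label, "ok" if is_safe_xml(doc) else "REJECTED")
```

Only documents that pass `check_xml_dtd` should be handed to the real parser; the check itself never resolves anything, so it is safe to run on hostile input.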
Instructions and a link to the application update are on the Invensys download page.
Any machine running InTouch 2012 R2 or earlier versions suffers from the issue, according to Invensys. Users should install the update using instructions provided in the ReadMe file for the product and component installed. Invensys recommends users:
1. Read the installation instructions provided with the patch.
2. Shut down any of the affected software products.
3. Install the update.
4. Restart the software.
Wednesday, October 9, 2013 @ 01:10 PM gHale
Alstom created a patch that mitigates an improper input validation vulnerability in its e-terracontrol software, according to a report on ICS-CERT.
Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the patch to validate that it resolves the remotely exploitable vulnerability.
The following Alstom product suffers from the issue: e-terracontrol, Versions 3.5, 3.6, and 3.7.
Successful exploitation of this vulnerability could allow an attacker to affect the availability of the Alstom e-terracontrol software.
Alstom is a France-based company that maintains offices worldwide. The affected product, Alstom e-terracontrol software, applies mainly to SCADA systems to monitor and control electrical energy systems. According to Alstom, e-terracontrol software is mainly in the electric energy sector. Alstom estimates these products are primarily in the U.S. and Europe with a small percentage in Asia.
The Alstom e-terracontrol software does not validate or incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. To clear the problem, a user would have to manually restart the system.
CVE-2013-2787 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
No known public exploits specifically target this vulnerability, but an attacker with a moderate skill level would be able to exploit this vulnerability.
Alstom produced a patch that is available for download from the Alstom Grid Customer Wise portal.
Wednesday, October 2, 2013 @ 11:10 AM gHale
While the latest Internet Explorer Zero Day does not yet have a patch, it appears the vulnerability has been under exploitation for longer than initially believed.
Microsoft acknowledged the existence of the vulnerability and said attackers were leveraging the hole. The software giant issued a Fix it tool to mitigate the problem until a patch can be released.
Since then, FireEye researchers linked the attacks to the Chinese hacking group that hit Bit9 earlier this year, and said the campaign called “Operation DeputyDog” focused on Japanese organizations and started on August 19 at the latest.
Then, on Thursday, researchers from AlienVault and Websense released their findings regarding the exploit used.
Researcher Jaime Blasco said they spotted the exploit hosted on a subdomain of Taiwan’s Government e-Procurement System, and found users that visited the main page for the first time would instantly end up redirected to the exploit page and served with a malicious file.
Not all visitors were targeted: only those running Windows XP or Windows 7 in English, Chinese, French, German, Japanese, Russian, Korean, or Portuguese with Internet Explorer 8 or 9 were served the exploit.
Friday, September 20, 2013 @ 07:09 PM gHale
Microsoft released a security advisory warning users about instances of active exploitation of a vulnerability found in all supported versions of Internet Explorer (6-11).
The remote code execution vulnerability “may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” and an attacker hosting a specially crafted website can exploit it.
Microsoft said the targeted attacks it detected in the wild are currently attempting to exploit this vulnerability in IE 8 and 9, and that it remains vigilant and works with partners to detect and take action against malicious sites that attempt to exploit this flaw.
In order to protect its customers as much as possible until a definitive security update fixing the flaw is released, the company has made available a Fix it solution, and has also recommended that users:
• Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
The Fix it must be downloaded and run by the users themselves, and the other two actions might affect the usability of the system, but that disruption can be minimized by adding trusted sites to the Internet Explorer Trusted Sites zone.
“In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability,” Microsoft said in the advisory.
“In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.”