Daily summary - Monday 20-04-2015

End-of-Shift report

Timeframe: Friday 17-04-2015 18:00 - Monday 20-04-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a

Handling Special PDF Compression Methods, (Sun, Apr 19th)

Maarten Van Horenbeeck posted a diary entry (July 2008) explaining how scripts and data are stored in PDF documents (using streams), and demonstrated a Perl script to decompress streams. A couple of months before, I had started developing my pdf-parser tool, and Maarten's diary entry motivated me to continue adding features to pdf-parser. Extracting and decompressing a stream (for example containing a JavaScript script) is easy with pdf-parser. You select the object that contains the stream...

https://isc.sans.edu/diary.html?storyid=19597&rss


Taking Down Fraud Sites is Whac-a-Mole

I've been doing quite a bit of public speaking lately - usually about cybercrime and underground activity - and there's one question that nearly always comes from the audience: "Why are these fraud Web sites allowed to operate, and not simply taken down?" This post is intended to serve as the go-to spot for answering...

http://feedproxy.google.com/~r/KrebsOnSecurity/~3/Da3rhmEIBt0/


An Analysis Of MS15-034

By now you've undoubtedly heard about MS15-034. The following is a collection of my cursory research and thoughts on this vulnerability.

http://www.securitysift.com/an-analysis-of-ms15-034/


How to use a malicious JPEG to hack corporate networks

Security researcher Marcus Murray discovered a method to exploit a malicious JPEG to compromise modern Windows servers inside corporate networks. Security expert and penetration tester Marcus Murray discovered a way to use a malicious JPEG to compromise modern Windows servers and elevate privileges over targeted networks. The researcher has demonstrated the attack a few days....

http://securityaffairs.co/wordpress/36130/hacking/malicious-jpeg-hack-corporate-networks.html


Fiesta Exploit Kit Spreading Crypto-Ransomware - Who Is Affected?

Exploit kits have long been used to deliver threats to users, but they seem to have gone retro: it was recently being used to deliver fake antivirus malware. We closely monitor exploit kit activity because of their widespread use (we discussed their use in malvertising recently), so it was no great surprise to see the Fiesta...

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/F_yFw0VwfG8/


"Rootpipe" hole in OS X apparently still present

Despite a patch in the latest Yosemite version, the privilege escalation does not appear to be fixed. Malicious code is said to have exploited the hole as early as 2014. Meanwhile, a blogger shows a way to fix the bug in earlier OS X versions as well.

http://heise.de/-2612346


Bypassing Same Origin Policy, Part 3: Clickjacking, Cursorjacking & Filejacking

Same origin bypasses using clickjacking Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web...

http://resources.infosecinstitute.com/bypassing-same-origin-policy-part-3-clickjacking-cursorjacking-filejacking/


Bypassing Packet Filters with IP Fragmentation Overlapping

1. Introduction The process of IP fragmentation occurs when the data of the network layer is too large to be transmitted over the data link layer in one piece. Then the data of the network layer is split into several pieces (fragments), and this process is called IP fragmentation. The intention of this article is...

http://resources.infosecinstitute.com/bypassing-packet-filters-with-ip-fragmentation-overlapping/


Threats From Within: The Out of Office Reply

As the guy who sends out the marketing emails at Cyveillance (yes, I'm THAT guy) I see a lot of Out-of-Office auto-responders in any given month. Having worked in cybersecurity for more than seven years, I've developed an appreciation for both information and physical security. With the RSA Conference coming up in a few days, and awaiting my barrage of Out of Office emails, I think now is the perfect time to discuss this seemingly innocuous topic. Why? Amazingly, even in the security...

https://blog.cyveillance.com/threats-from-within-the-out-of-office-reply/


Upatre malware gets full SSL comms encryption

The extremely popular Upatre Trojan downloader has undergone considerable changes that will make it and its communication more difficult to spot and block. The changes were implemented in the new v...

http://feedproxy.google.com/~r/HelpNetSecurity/~3/qIIbd4nwtHA/malware_news.php


Critical Magento Shoplift Vulnerability (SUPEE-5344) - Patch Immediately!

The Magento team released a critical security patch (SUPEE-5344) to address a remote command execution (RCE) vulnerability back in February. It's been more than two months since the release and still more than 50% of all the Magento installations have not been patched, leaving them open to attacks. This means hundreds of thousands of websites are...

http://feedproxy.google.com/~r/sucuri/blog/~3/lfn2WVKTfWo/critical-magento-shoplift-vulnerability-supee-5344-patch-immediately.html


DSA-3228 ppp - security update

Emanuele Rocca discovered that ppp, a daemon implementing the Point-to-Point Protocol, was subject to a buffer overflow when communicating with a RADIUS server. This would allow unauthenticated users to cause a denial-of-service by crashing the daemon.

https://www.debian.org/security/2015/dsa-3228


GnuTLS RSA PKCS security bypass

http://xforce.iss.net/xforce/xfdb/102423


Zenworks Architecture ZDI Vulnerability - See TID 7016431

Abstract: Fix for ZDI-CAN-2491: ZENworks Preboot Policy Service Stack Buffer Overflow Remote Code Execution Vulnerability
Document ID: 5206350
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: ZCM_11.3.2_FRU1_Patch_921190.zip (3.53 MB), ZCM_11.2.4_MU1_Patch_921190.zip (1.63 MB)
Products: ZENworks Configuration Management 11.3.2, ZENworks Configuration Management 11.2.4, ZENworks Configuration Management 11.3.1, ZENworks Configuration Management 11 SP3
Superseded Patches: None

https://download.novell.com/Download?buildid=BJbybNUmQRQ~


Invoice - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-085

Advisory ID: DRUPAL-SA-CONTRIB-2015-085
Project: Invoice (third-party module)
Version: 6.x, 7.x
Date: 2015-March-25
Security risk: 14/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting, Cross Site Request Forgery

Description
Invoice module allows you to create invoices in Drupal. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. Additionally, some URLs were not

https://www.drupal.org/node/2459337


DSA-3229 mysql-5.5 - security update

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.43. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://www.debian.org/security/2015/dsa-3229


IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288)

http://www.ibm.com/support/docview.wss?uid=swg21883028


IBM Security Bulletin: Vulnerabilities in OpenSSL affect Rational Tau (CVE-2015-0208, CVE-2015-0286, CVE-2015-0292)

http://www.ibm.com/support/docview.wss?uid=swg21713653


IBM Security Bulletin: RC4 stream cipher vulnerability and HTTP request smuggling vulnerability affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2015-2808, CVE-2014-0227)

http://www.ibm.com/support/docview.wss?uid=swg21882717


Bugtraq: CVE-2014-7953 Android backup agent code execution

http://www.securityfocus.com/archive/1/535296


Android 4.4 MTP Path Traversal

Topic: Android 4.4 MTP Path Traversal
Risk: Medium
Text: MTP path traversal vulnerability in Android 4.4 -- doSendObjectInfo() method of the MtpServer class implemen...

http://cxsecurity.com/issue/WLB-2015040116