Daily Summary - Tuesday 05-05-2015

End-of-Shift report

Timeframe: Monday 04-05-2015 18:00 − Tuesday 05-05-2015 18:00 Handler: Stephan Richter Co-Handler: n/a

In-Console-Able

Posted by James Forshaw, giving the security community a shoulder to cry on. TL;DR: this blog post describes an unfixed bug in Windows 8.1 which allows you to escape restrictive job objects in order to help develop a sandbox escape chain in Chrome or similar sandboxes. If you're trying to develop a secure application sandbox in user mode, you're at the mercy of the underlying operating system. While you can try to use every available security feature, sometimes the OS developer...

http://googleprojectzero.blogspot.com/2015/05/in-console-able.html


Upatre/Dyre - the daily grind of botnet-based malspam, (Tue, May 5th)

Malicious spam (malspam) delivering Upatre/Dyre has been an ongoing issue for quite some time. Many organizations have posted articles about this malware. I've read good information on Dyre last year [1, 2] and this year [3]. Upatre is the malware downloader that retrieves Dyre (Dyreza), an information stealer described as a Zeus-like banking Trojan [4]. Earlier this year, EmergingThreats reported Upatre and Dyre are under constant development [5], while SecureWorks told us banking botnets...

https://isc.sans.edu/diary.html?storyid=19657&rss


Analogue modems allow UNSTOPPABLE Android attack ... at 13bps

Yes, it's slow, but it's enough to leak data to another Android. The better your Android smartphone's audio, the worse its security: the audio channel is the latest path for "low and slow" data leak attacks.

http://go.theregister.com/feed/www.theregister.co.uk/2015/05/05/boffins_revive_analogue_modems_for_unblockable_android_attack/


Rombertik malware kills host computers if you attempt a cure

Say goodbye to your master boot record and home directory if you try to stop it. Cisco researchers Ben Baker and Alex Chiu have found new malware that destroys a machine's Master Boot Record and home directories if it detects meddling white hats.

http://go.theregister.com/feed/www.theregister.co.uk/2015/05/05/rombertik_malware/


Macro Malware: When Old Tricks Still Work, Part 1

Now comes a time when we are reminded of why this security warning prompt in Microsoft Word matters: [Figure 1. Microsoft Word security warning for macros] I went around my peers this afternoon and asked, "Off the top of your head, can you give me the name of an effective macro malware? Better if it's...

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/LjTF4yhzWt8/


Introducing FIDO: Automated Security Incident Response

We're excited to announce the open source release of FIDO (Fully Integrated Defense Operation - apologies to the FIDO Alliance for the acronym collision), our system for automatically analyzing security events and responding to security incidents.

http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html


Revealing the Secrets: Advances in Android and iOS Attacks

In recent months, Unit 42, the cyber threat intelligence team at Palo Alto Networks, has encountered several game-changing advances in mobile malware for both iOS and Android. For example, WireLurker employed a multistage infection that...

http://researchcenter.paloaltonetworks.com/2015/05/revealing-secrets-advances-android-ios-attacks/


Steganography and Malware: Why and How

Threats that can evade detection are among the most dangerous kind we're facing today. We see these characteristics in the most challenging security issues like targeted attacks and zero-day exploits. Being able to stay hidden can determine the success of an attack, making it something that attackers continuously want to achieve. In this series of blog posts, we...

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/G-eR3GU5L3Y/


ICU Project Overflow Vulnerabilities Patched

Buffer and integer overflow vulnerabilities have been patched in the ICU Project ICU4C library, used in hundreds of open source and enterprise software packages.

http://threatpost.com/icu-project-overflow-vulnerabilities-patched/112623


Usbkill Script Can Render Computers Useless

The idea of needing to disable a computer quickly as the police - or another potential adversary - comes through the door typically has been the concern of criminals. But in today's climate activists, journalists, and others may find themselves wanting to make their laptops unusable in short order, and that's where usbkill comes in. The new tool is a...

http://threatpost.com/usbkill-script-can-render-computers-useless/112622


VU#978652: Bomgar Remote Support Portal deserializes untrusted data

Vulnerability Note VU#978652: Bomgar Remote Support Portal deserializes untrusted data. Original Release date: 05 May 2015 | Last revised: 05 May 2015. Overview: Bomgar Remote Support version 14.3.1 and possibly earlier versions deserialize untrusted data without sufficient validation, allowing an attacker to potentially execute arbitrary PHP code. Description: CWE-502: Deserialization of Untrusted Data. Bomgar Remote Support version 14.3.1 and possibly earlier versions deserialize untrusted data...

http://www.kb.cert.org/vuls/id/978652
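The CWE-502 pattern behind this note, shown as an added example rather than Bomgar's code (which is not on this page): a single loaded class with a side-effecting destructor is all it takes for unserialize() on attacker-controlled input to do the attacker's work, and the fix is to forbid objects in the payload or to drop PHP's native serialization for untrusted data altogether. The CacheEntry class, the cookie-carries-state scenario, the hand-built payload and the temp-file path are constructed for illustration and are assumptions; the code assumes PHP 8.

```php
<?php
// Added example of CWE-502 in PHP: not Bomgar's code. The CacheEntry class,
// the cookie-carries-state scenario and the temp-file path are constructed
// for illustration. Assumes PHP 8.

// Any class that is loaded when unserialize() runs and has a side effect in a
// magic method (__wakeup, __destruct, __toString, ...) is a potential gadget.
// This one writes whatever it holds to whatever path it holds.
class CacheEntry
{
    public string $path = '/tmp/cache.dat';
    public string $data = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable: state arrives in a cookie and goes straight into unserialize().
// The attacker chooses the class name and every field value.
function loadStateVulnerable(string $cookie): mixed
{
    return unserialize($cookie);
}

// True if any object survived deserialization, at any nesting depth.
function containsObject(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened 1: keep the format but forbid objects. With allowed_classes => false
// every O: record becomes __PHP_Incomplete_Class, so no user-defined magic
// method runs; the payload is then rejected outright if it contained one.
function loadStateHardened(string $cookie): mixed
{
    $value = unserialize($cookie, ['allowed_classes' => false]);
    if (containsObject($value)) {
        throw new UnexpectedValueException('object in untrusted payload');
    }
    return $value;
}

// Hardened 2: do not use PHP's native serialization for untrusted input at all.
// JSON carries no class names, so there is nothing to instantiate.
function loadStateJson(string $cookie): mixed
{
    return json_decode($cookie, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload, written by hand (building it with serialize()
// on a real CacheEntry would fire the destructor right here). It targets a
// temp file so the demo is harmless; a real payload would pick a web-served path.
$marker  = sys_get_temp_dir() . '/cwe502_demo.txt';
$payload = sprintf(
    'O:10:"CacheEntry":2:{s:4:"path";s:%d:"%s";s:4:"data";s:5:"owned";}',
    strlen($marker),
    $marker
);

@unlink($marker);
$state = loadStateVulnerable($payload);
unset($state);                              // refcount hits zero: __destruct runs
echo file_exists($marker) ? "vulnerable: gadget wrote $marker\n" : "vulnerable: no effect\n";
@unlink($marker);

try {
    loadStateHardened($payload);
} catch (UnexpectedValueException $e) {
    echo "hardened: rejected ({$e->getMessage()})\n";
}
echo file_exists($marker) ? "hardened: gadget ran\n" : "hardened: nothing written\n";

// The data the application actually needs, in a format with no class machinery.
var_dump(loadStateJson('{"user":"alice","theme":"dark"}'));
```

Run it with `php cwe502_demo.php`: the vulnerable path leaves the marker file behind, the hardened path does not. `allowed_classes => false` is the minimum when the wire format cannot change; moving untrusted data to JSON removes the class machinery entirely. A denylist of class names is not a fix, because the gadget can be any class the application has loaded, framework and vendor code included.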


IBM Security Bulletins

IBM Security Bulletin: Vulnerability in RC4 stream cipher affects IBM OS Images for Red Hat Linux Systems and AIX. (CVE-2015-2808)

http://www.ibm.com/support/docview.wss?uid=swg21883879

IBM Security Bulletin: Vulnerability in RC4 stream cipher affects IBM FlashSystem 840 and IBM FlashSystem V840, -AE1 models. (CVE-2015-2808)

http://www.ibm.com/support/docview.wss?uid=ssg1S1005217

IBM Security Bulletin: IBM FlashSystem 840 and IBM FlashSystem V840, -AE1 models nodes are affected by vulnerabilities in Apache's Struts library (CVE-2014-7809)

http://www.ibm.com/support/docview.wss?uid=ssg1S1005078

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor (CVE-2014-6585, CVE-2014-6591, CVE-2014-6593, CVE-2015-0383, CVE-2015-0410)

http://www.ibm.com/support/docview.wss?uid=swg21883285

DSA-3250 wordpress - security update

Multiple security issues have been discovered in WordPress, a weblog manager, that could allow remote attackers to upload files with invalid or unsafe names, mount social engineering attacks or compromise a site via cross-site scripting, and inject SQL commands.

https://www.debian.org/security/2015/dsa-3250