End-of-Shift report
Timeframe: Thursday 13-08-2015 18:00 to Friday 14-08-2015 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
One font vulnerability to rule them all #3: Windows 8.1 32-bit sandbox escape exploitation
This is part #3 of the "One font vulnerability to rule them all" blog post series. In the previous posts, we introduced the "blend" PostScript operator vulnerability, discussed the Charstring primitives necessary to fully control the stack contents and used them to develop a reliable user-mode Adobe Reader exploit executing arbitrary C++ code embedded in the PDF file: One font vulnerability to rule them all #1: introducing the BLEND vulnerability; One font vulnerability to...
http://googleprojectzero.blogspot.com/2015/08/one-font-vulnerability-to-rule-them-all_13.html
Adwind: another payload for botnet-based malspam, (Fri, Aug 14th)
Introduction: Since mid-July 2015, I've noticed an increase in malicious spam (malspam) caught by my employer's spam filters with Java archive (.jar file) attachments. These .jar files are most often identified as Adwind. Adwind is a Java-based remote access tool (RAT) used by malware authors to infect computers with backdoor access. There's no vulnerability involved. To infect a Windows computer, the user has to execute the malware by double-clicking on the .jar file. I'm currently seeing enough...
https://isc.sans.edu/diary.html?storyid=20041&rss
Windows 10: Dangerous certificate muddle
Windows 10 diligently collects user data and transmits it to Microsoft. Of all things, it is precisely there that the operating system forgoes the protection against forged certificates it otherwise uses, so sensitive data could become easy prey.
http://heise.de/-2776810
CaVer: New technique finds vulnerabilities in C++ code
US researchers have developed a method that identifies faulty type conversions in C++ programs at runtime. It has already uncovered several since-fixed vulnerabilities in GNU libstdc++ and in Firefox.
http://heise.de/-2778993
What to do when your phone is lost?
Owners should take security precautions
http://derstandard.at/2000020734740
Android security vulnerability: Google's Stagefright patch is flawed
Google has to rework one of the Stagefright patches. The patch does not close the vulnerability, and Android devices remain attackable. A corrected patch for the Nexus models will not, however, appear this month.
http://www.golem.de/news/android-sicherheitsluecke-googles-stagefright-patch-ist-fehlerhaft-1508-115769-rss.html
Expiring A-Trust root certificate "A-Trust-nQual-03"
14 August 2015 | The various certificate stores (browser, Windows) contain an A-Trust root certificate valid until 18 August 2015: A-Trust-nQual-03, SHA-1 fingerprint D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2 | According to our (limited) research, the Windows certificate store contains other A-Trust root certificates (also with SHA256, cf. Microsoft Root Certificate Program). In the Certificate...
http://www.cert.at/services/blog/20150814120852-1571.html
Eurocentric Ransomware Spam in Circulation
A number of spam runs are gunning for customers of various European businesses. Fake delivery messages and online bills quickly give way to Ransomware...
https://blog.malwarebytes.org/fraud-scam/2015/08/eurocentric-ransomware-spam-in-circulation/
Lamps, locks, alarm systems hackable: Viennese researchers found a vulnerability in the ZigBee standard
Security firm Cognosec points to security problems in the "smart" home
http://derstandard.at/2000020752533
Why Vulnerability Research Is A Good Thing
Earlier this week Oracle's CSO released a blog post that talked about why people should stop looking for vulnerabilities in their software products. Needless to say, this did not go down well with the security community - and the post was soon taken down with a statement from the company adding that the post "does not reflect our...
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Laorf2GvBCU/
Security, Reverse Engineering and EULAs
Like more than a few others, I experienced the infosec outrage against Mary Ann Davidson, Oracle's Chief Security Officer, before I actually read the now-redacted blog post. After taking the time to read what she actually wrote (still available through Google's web cache), I think there's more discussion to be had than I've seen so far.
http://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/security-reverse-engineering-and-eulas/
Apple Patches Critical OS X DYLD Flaw in Monster Update
Apple released hordes of patches for OS X, iOS, Safari and iOS Server, including fixes for the DYLD vulnerability disclosed in July.
http://threatpost.com/apple-patches-critical-os-x-dyld-flaw-in-monster-update/114289
Apple Security Updates
iOS 8.4.1
https://support.apple.com/kb/HT205030
OS X Yosemite 10.10.5 and Security Update 2015-006
https://support.apple.com/kb/HT205031
Safari 8.0.8, Safari 7.1.8, and Safari 6.2.8
https://support.apple.com/kb/HT205033
OS X Server v4.1.5
https://support.apple.com/kb/HT205032
Cisco Advisories
Cisco TelePresence Video Communication Server Expressway Information Disclosure Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=40441
Cisco TelePresence Video Communication Server Expressway Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=40444
Cisco TelePresence Video Communication Server Expressway Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=40443
ICS-CERT Alerts
Rockwell Automation 1769-L18ER and A LOGIX5318ER Vulnerability
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-15-225-01
Rockwell Automation 1766-L32 Series Vulnerability
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-15-225-02
KAKO HMI Hard-coded Password
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-15-224-01
Schneider Electric Modicon M340 PLC Station P34 Module Vulnerabilities
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-15-224-02
Prisma Web Vulnerabilities
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-15-224-03
Moxa ioLogik E2210 Vulnerabilities
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-15-224-04
DFN-CERT-2015-1258: Request Tracker: A vulnerability allows a cross-site scripting attack
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1258/