[Owasp-cuiaba] Fwd: @RISK: The Consensus Security Vulnerability Alert: Vol. 12, Num. 27

Kembolle Amilkar haxorcoding at gmail.com
Saturday July 7 02:16:11 UTC 2012


forwarding.....

*Regards, Kembolle Amilkar*
#/[ kembolle.com.br <http://www.kembolle.com.br> ] - Information Security
Consulting.
#/ [ samurayconsultoria.com.br ] - Chief Security Officer - Samuray
Consultoria.
#/ Systems Analyst | Information Security Specialist | Computer Forensic Expert |
#/ Owasp Chapter Leader Cuiabá - https://www.owasp.org/index.php/Cuiaba
#/ Mobile: [65] 9979-2925  && contato[at]kembolle.com.br.


In partnership with SANS and Sourcefire, Qualys is pleased to provide you
with the @RISK Newsletter. This is a weekly newsletter that provides
in-depth analysis of the latest vulnerabilities with straightforward
remediation advice. Qualys supplies a large part of the newly discovered
vulnerability content used in this newsletter.

______________________________________________________________________

@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 27

Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked.

=============================================================

CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 6/27/2012 - 7/3/2012
============================================================

Platform                                  Number of Updates and Vulnerabilities
------------------------------------------------------------------------------

Cross Platform                            4 (#2,#3,#5,#7)
Web Application - Cross Site Scripting    1 (#6)
Web Application - SQL Injection           1 (#4)
Mac OS X                                  1 (#1)
Denial of Service                         1 (#8)

============================================================

TOP VULNERABILITY THIS WEEK: CVE-2012-2695, SQL injection in Ruby on
Rails. Patched in June, this issue impacts such a large number of web
applications that extensive exploitation is likely going forward,
especially as developers frequently fail to patch the languages in which
their programs are written.

============================================================


NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

#1
Title: Targeted attacks on Macs using new backdoor
Description: A wave of targeted emails was recently detected dropping a
Mac-specific backdoor. The malicious binary, which is installed after
users fall victim to social engineering techniques, is related to
previously observed Mac backdoors which were distributed by way of Java
exploits. As Mac attacks continue to grow in popularity, users are urged
to patch frequently and exercise caution in running binaries from
untrusted sources.
Reference:
http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks
http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/
ClamAV: Trojan.MAC.Backdoor

#2
Title: Trojan uses new C&C obfuscation technique
Description: The Polish CERT has observed a new trojan spreading in the
wild via a number of different social media techniques. While not
particularly novel in that regard, this particular piece of malware is
interesting in the way that it contacts its command and control servers.
Instead of using the address provided in a DNS query response, the
malware takes that value and transforms it into a different IP address,
which is then used to contact the C&C. This technique, if it becomes
widespread, has interesting implications for malware detection at the
network level.
Reference:
http://www.cert.pl/news/5587/langswitch_lang/en
Snort SID: 23261
ClamAV: Worm.Agent-394
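As an added illustration (not part of the newsletter or of CERT Polska's analysis) of the network-level detection angle mentioned above: if malware derives its C&C address from a DNS answer instead of using the answer directly, the destination it actually contacts never appears in any DNS response the sensor saw. The Ruby script below correlates constructed DNS-answer and connection log lines (both line formats are assumptions, not any real sensor's output) and flags outbound connections that no preceding DNS answer to the same client explains.

```ruby
# Added example, not code from the @RISK newsletter or from CERT Polska.
# Heuristic: an outbound connection whose destination IP was never returned
# in a DNS answer to that client shortly beforehand is "unresolved" and worth
# an analyst's look; C&C addresses derived from a DNS answer land here.
require 'time'

# Constructed sample DNS log: timestamp, client, queried name, answered IP.
DNS_LOG = <<~LOG
  2012-07-03T10:00:01Z 10.0.0.5 query=update.example-cdn.test answer=203.0.113.10
  2012-07-03T10:00:05Z 10.0.0.5 query=www.example.test answer=198.51.100.7
  2012-07-03T10:00:09Z 10.0.0.5 query=sync.example-cdn.test answer=203.0.113.20
LOG

# Constructed sample connection log: timestamp, client, destination ip:port.
CONN_LOG = <<~LOG
  2012-07-03T10:00:02Z 10.0.0.5 -> 203.0.113.10:80
  2012-07-03T10:00:06Z 10.0.0.5 -> 198.51.100.7:443
  2012-07-03T10:00:10Z 10.0.0.5 -> 203.0.113.21:8080
LOG

DnsAnswer = Struct.new(:time, :client, :name, :ip)
Conn      = Struct.new(:time, :client, :ip, :port)

# Parses the assumed DNS log format into DnsAnswer records.
def parse_dns(log)
  log.each_line.map do |line|
    ts, client, q, a = line.split
    DnsAnswer.new(Time.iso8601(ts), client,
                  q.delete_prefix('query='), a.delete_prefix('answer='))
  end
end

# Parses the assumed connection log format into Conn records.
def parse_conns(log)
  log.each_line.map do |line|
    ts, client, _arrow, dest = line.split
    ip, port = dest.split(':')
    Conn.new(Time.iso8601(ts), client, ip, port.to_i)
  end
end

# Returns the connections whose destination IP was not answered by any DNS
# response to the same client within `window` seconds before the connection.
def unresolved_connections(dns_log, conn_log, window: 300)
  answers = parse_dns(dns_log)
  parse_conns(conn_log).reject do |c|
    answers.any? do |a|
      a.client == c.client && a.ip == c.ip &&
        a.time <= c.time && c.time - a.time <= window
    end
  end
end

# Pairs each suspect with the most recent DNS answer that client received
# beforehand, so an analyst can compare what was answered with what was
# contacted (203.0.113.20 answered vs. 203.0.113.21 contacted, in the sample).
def suspicious_with_context(dns_log, conn_log, window: 300)
  answers = parse_dns(dns_log)
  unresolved_connections(dns_log, conn_log, window: window).map do |c|
    prior = answers.select { |a| a.client == c.client && a.time <= c.time }
                   .max_by(&:time)
    { conn: c, last_answer: prior }
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_with_context(DNS_LOG, CONN_LOG).each do |s|
    c = s[:conn]
    last = s[:last_answer]
    puts "#{c.time.iso8601} #{c.client} -> #{c.ip}:#{c.port} has no DNS answer; " \
         "last answer to this client was #{last&.ip} for #{last&.name}"
  end
end
```

On the sample data only the third connection is flagged: its destination 203.0.113.21 was never answered, while the client's last answer was 203.0.113.20. In practice the window should match the resolver TTLs in the environment, and the heuristic needs a whitelist for destinations reached without DNS by design (hard-coded update servers, local infrastructure), otherwise it is noisy.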

#3
Title: Banking trojan spreading via phishing attacks
Description: The Sourcefire VRT has discovered a new trojan being
dropped on users via a large-scale UPS-themed phishing attack. The
trojan, which attempts to steal credentials for several major financial
institutions, also drops other malicious binaries on the infected
system. Its C&C communications are of particular interest, as its
authors chose to use the hexadecimal string "0xDEADBEEF" - which is
commonly used by attackers and researchers alike as a way to follow user
input through system memory - as a protocol marker of sorts.
Reference:
http://vrt-blog.snort.org/2012/07/banking-trojan-spread-via-ups-phish.html
Snort SID: 23262
ClamAV: Trojan.Banker-8376

#4
Title: CVE-2012-2695 Ruby on Rails SQL Injection
Description: The Active Record component of Ruby on Rails does not
properly sanitize certain types of nested input, which allows for SQL
injection into applications using this component even when developers
believe they have sanitized input. Given the widespread use of this
component, attacks in the wild are extremely likely, if not already
occurring.
Reference:
https://groups.google.com/forum/?fromgroups#!msg/rubyonrails-security/l4L0TEVAz1k/Vr84sD9B464J
Snort SID: 23213
ClamAV: N/A
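An added example (not from the newsletter, the Rails security advisory or the Rails project) of an application-layer mitigation for the class of issue described above: a guard that only lets scalar values reach the query builder, so request parameters cannot carry structure the query layer might reinterpret. It assumes that the nested input at issue means Hash or Array values arriving where a scalar was expected; the helper names, the exception class and the params shapes are mine.

```ruby
# Added example, not code from the newsletter or from Ruby on Rails.
# Assumption: "nested input" means a Hash or Array where a scalar is expected.
# The guard rejects such values outright instead of passing them on to the
# query builder, so a request with unexpected structure fails loudly.

class UnexpectedQueryInput < ArgumentError; end

SCALAR_TYPES = [String, Integer, Float, NilClass, TrueClass, FalseClass].freeze

# Returns a new hash containing only the `allowed` keys that are present,
# each with a scalar value; any Hash/Array value raises so the request is
# rejected rather than silently handed to the database layer.
def scalar_conditions(params, allowed)
  allowed.each_with_object({}) do |key, out|
    next unless params.key?(key)
    value = params[key]
    unless SCALAR_TYPES.any? { |t| value.is_a?(t) }
      raise UnexpectedQueryInput,
            "parameter #{key.inspect} must be scalar, got #{value.class}"
    end
    out[key] = value
  end
end

# Variant for free-text filters: the permitted scalar is additionally coerced
# to a length-limited String, so it cannot carry type-dependent meaning either.
def text_condition(params, key, max_len: 255)
  value = scalar_conditions(params, [key])[key]
  return nil if value.nil?
  value.to_s.slice(0, max_len)
end

# Constructed sample inputs, shaped like a Rack-style params hash.
GOOD_PARAMS   = { 'name' => 'alice', 'page' => 2, 'unused' => 'x' }
NESTED_PARAMS = { 'name' => { 'nested' => 'x' } }

if __FILE__ == $PROGRAM_NAME
  p scalar_conditions(GOOD_PARAMS, %w[name page])   # {"name"=>"alice", "page"=>2}
  begin
    scalar_conditions(NESTED_PARAMS, %w[name])
  rescue UnexpectedQueryInput => e
    puts "rejected: #{e.message}"
  end
end
```

The point of raising rather than coercing with `to_s` is visibility: a nested value where a scalar belongs is a malformed request, and a 4xx plus a log line is a better outcome than quietly flattening it. This guard complements, and does not replace, applying the vendor patch.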

============================================================

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

#5
Blackhole exploit kit gets an upgrade: pseudo-random domains:
http://www.symantec.com/connect/blogs/blackhole-exploit-kit-gets-upgrade-pseudo-random-domains

#6
Google Mail hacking - Gmail Stored XSS:
http://benhayak.blogspot.co.il/2012/06/google-mail-hacking-gmail-stored-xss.html

#7
Cybercriminals launch managed SMS flooding services:
http://blog.webroot.com/2012/07/02/cyberciminals-launch-managed-sms-flooding-services/

#8
BoNeSi - the DDoS Botnet Simulator:
http://code.google.com/p/bonesi/

==========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2012-0124
Title: HP Data Protector Create New Folder Buffer Overflow
Vendor: HP
Description: Unspecified vulnerability in HP Data Protector Express (aka
DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows
remote attackers to execute arbitrary code or cause a denial of service
via unknown vectors.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2011-3478
Title: Symantec PcAnywhere 12.5.0 Login and Password Field Buffer Overflow
Vendor: Symantec
Description: The host-services component in Symantec pcAnywhere 12.5.x
through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka
12.5.x) and 7.1 (aka 12.6.x), does not properly filter login and
authentication data, which allows remote attackers to execute arbitrary
code via a crafted session on TCP port 5631.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-0469
Title: Mozilla Use-after-free vulnerability in the "IDBKeyRange"
Vendor: Mozilla
Description: Use-after-free vulnerability in the
mozilla::dom::indexedDB::IDBKeyRange::cycleCollection::Trace function
in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4,
Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and
SeaMonkey before 2.9 allows remote attackers to execute arbitrary code
via vectors related to crafted IndexedDB data.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-1493
Title: F5 BIG-IP SSH Private Key Exposure
Vendor: F5 Networks Inc
Description: Remote exploitation of a configuration error vulnerability
in multiple F5 Networks Inc. products could allow an attacker to gain
escalated "root" privileges.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-0677
Title: Apple iTunes 10 Extended M3U Stack Buffer Overflow
Vendor: Apple
Description: Heap-based buffer overflow in Apple iTunes before 10.6.3
allows remote attackers to execute arbitrary code or cause a denial of
service (application crash) via a crafted .m3u playlist.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

=========================================================

MOST POPULAR MALWARE FILES 6/27/2012 - 7/3/2012:
COMPILED BY SOURCEFIRE


SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal:
https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Malwr: http://malwr.com/analysis/bb74024a1d4e4808562c090980151653
Typical Filename: smona131831195112461260022
Claimed Product: -
Claimed Publisher: -


SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal:
https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/
Malwr: http://malwr.com/analysis/7961a56c11ba303f20f6a59a506693ff

Typical Filename: m3SrchMn.exe
Claimed Product: My Web Search Bar
Claimed Publisher: MyWebSearch.com


SHA 256: A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03
MD5: 8ac1e580cf274b3ca98124580e790706
VirusTotal:
https://www.virustotal.com/file/A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03/analysis/
Malwr: http://malwr.com/analysis/8ac1e580cf274b3ca98124580e790706

Typical Filename: lpkjnn.sys
Claimed Product: -
Claimed Publisher: -


SHA 256: E2C3896C24FD45DD8092AF10DE84B1A4FAF4FC37A1E9772C56148FE982B44181
MD5: cce8aeb6b86e89280e703608eb252e62
VirusTotal:
https://www.virustotal.com/file/E2C3896C24FD45DD8092AF10DE84B1A4FAF4FC37A1E9772C56148FE982B44181/analysis/
Malwr: http://malwr.com/analysis/cce8aeb6b86e89280e703608eb252e62

Typical Filename: M3SKPLAY.EXE
Claimed Product: My Web Search Skin Tools
Claimed Publisher: MyWebSearch.com


SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal:
https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Malwr: http://malwr.com/analysis/bf31a8d79f704f488e3dbcb6eea3b3e3

Typical Filename: pspprn.sys
Claimed Product: -
Claimed Publisher: -

______________________________________________________________________

(c) 2012. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.

--END--
