Alerts

Call for packets dest 5000 or source 6000, (Tue, Mar 18th)

Latest Alerts - Tue, 03/18/2014 - 03:16

There are two events I'm interested in following up at the moment.  A few reports mentioned that scans to destination port 5000 seem to be popular at the moment. (https://isc.sans.edu/port.html?port=5000).  So if you have a few spare packets that would be great.  In this instance I'm not looking for log records only pcaps.  

Another reader mentioned scans from source port 6000 going to numerous ports on their infrastructure, but from different IP addresses. eg.  IP address A  scanning target 1089-1099.  IP address B scanning target 1100-1110, etc.  If you have log records or packets for trafic from source port 6000 to multiple ports or IP addresses in your environment I'd be interested in taking a look.  

We've seen both of these previously, but certainly like to see if it is the same or something different.  

Thanks

Mark H 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, March 18th 2014 http://isc.sans.edu/podcastdetail.html?id=3895, (Tue, Mar 18th)

Latest Alerts - Mon, 03/17/2014 - 17:04
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Scans for FCKEditor File Manager, (Mon, Mar 17th)

Latest Alerts - Mon, 03/17/2014 - 17:01

FCKEditor (now known as CKEditor [1]) is a popular full featured GUI editor many web sites use. For example, you frequently find it with blog systems like WordPress or as part of commenting/forum systems. As an additional feature, a filemanager can be added to allow users to upload images or other files. Sadly, while a very nice and functional plugin, this features if frequently not well secured and can be used to upload malicious files. We have seen some scans probing specifically for this file manager plugin:

HEAD /js/fckeditor/editor/filemanager/connectors/test.html  HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html  HEAD /admin/FCKeditor/editor/fckeditor.html HEAD /include/fckeditor/_samples/default.html  HEAD /include/fckeditor/editor/filemanager/connectors/test.html   These requests did not set a user agent or a referrer. The following set did however use "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1;" and instead of a HEAD request it used a GET request, indicating that there are different distinct tools looking for the same vulnerability:   GET /editor/editor/filemanager/connectors/uploadtest.html HTTP/1.1 GET /editor/editor/filemanager/upload/test.html HTTP/1.1 GET /editor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1 GET /editor/editor/filemanager/connectors/test.html HTTP/1.1 GET /admin/fckeditor/editor/filemanager/connectors/test.html HTTP/1.1 GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 GET /Fckeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1 GET /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1 GET /admin/FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 GET /Fckeditor/editor/filemanager/connectors/test.html HTTP/1.1 GET /admin/fckeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1
GET /FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1

I am still looking for any samples of files these script attempt to upload. If you got any, please let use know.

[1] http://ckeditor.com

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

New Apache web server release, (Mon, Mar 17th)

Latest Alerts - Mon, 03/17/2014 - 17:00

The Apache folks have released version 2.4.9 of their ubiquitous web server.  This one fixes a couple of security vulnerabilities along with some other bug fixes, one in mod_log_conifg having to do with issues with truncated cookies and one in mod_dav that was a potential denial of service.  Expect most of the Linux distros to apply the appropriate fixes shortly, but if you are building from source or running on a platform that won't push the updates to you, go grab the update.

 

References:

http://httpd.apache.org/security/vulnerabilities_24.html

http://www.apache.org/dist/httpd/CHANGES_2.4.9

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, March 17th 2014 http://isc.sans.edu/podcastdetail.html?id=3893, (Mon, Mar 17th)

Latest Alerts - Sun, 03/16/2014 - 17:21
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

NTIA begins transition of Root DNS Management, (Sat, Mar 15th)

Latest Alerts - Sat, 03/15/2014 - 09:30

The U.S. National Telecommunications and Information Administration (NTIA) has begun the final stages of privatizing the management of the Domain Name System (DNS) that powers the Internet.  This transition was begun in 1997.

From the press release...

"As the first step, NTIA is asking the Internet Corporation for Assigned Names and Numbers (ICANN) to convene global stakeholders to develop a proposal to transition the current role played by NTIA in the coordination of the Internet’s domain name system (DNS). "

The NTIA, in conjunction with ICANN and Verisign,  is currently responsible for managing the root zone, including the administration of the root zone file which contains the details about the top level domains (TLDs).  The TLDs are the last part of a Full Qualified Domain Name (FQDN), such as .com, .gov, .mil, etc.

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Word Press Shenanigans? Anyone seeing strange activity today?, (Fri, Mar 14th)

Latest Alerts - Fri, 03/14/2014 - 07:10

We are getting different activity reports (Thanks for those!) on Word Press. Beyond the ping back issue that has been happening, is anyone else seeing strange WP behavior?

 

Richard Porter

--- ISC Handler on Duty

Twitter: Packetalien

Blog: packetalien.com

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Friday, March 14th 2014 http://isc.sans.edu/podcastdetail.html?id=3891, (Fri, Mar 14th)

Latest Alerts - Thu, 03/13/2014 - 17:43
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Adobe Shockwave Player critical update: http://helpx.adobe.com/security/products/shockwave/apsb14-10.html, (Thu, Mar 13th)

Latest Alerts - Thu, 03/13/2014 - 09:05
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Web server logs containing RS=^ ?, (Thu, Mar 13th)

Latest Alerts - Thu, 03/13/2014 - 01:55

A SANS ISC reader sent us the following Apache log snippet earlier today

108.178.x.x - [11/Mar/2014:04:21:14 +0100] "GET /index.shtml/RK=0/RS=o_wLEbyzxJDMeXhdrhZU9KN7uD4- HTTP/1.0" 302 206
196.196.x.x - [11/Mar/2014:07:43:19 +0100] "GET /index.shtml/RS=^ADAY1N1JxWPFnnOEW3FpVC1g.n4rec- HTTP/1.0" 302 206
88.80.x.x   - [11/Mar/2014:15:02:01 +0100] "GET /index.shtml/RS=^ADAw5eOsxy0br6iGm1BZPRs2wtnyAE- HTTP/1.1" 302 206

index.shtml exists on the reader's server, but the RS= / RK= stuff is bogus. The RS= looks like it could be a regular expression for a pattern match of sorts, since it is starting with an anchor "^", but that's guessing. We don't really know. Googling for the pattern shows that this sort of thing has been around for a while, but I didn't find any definite explanation about which software or toolkit these requests are attempting to exploit, if any. If you have information on what this is, please share in the comments below, or via our contact form.


 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, March 13th 2014 http://isc.sans.edu/podcastdetail.html?id=3889, (Thu, Mar 13th)

Latest Alerts - Wed, 03/12/2014 - 17:17
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Identification and authentication are hard ... finding out intention is even harder, (Thu, Mar 13th)

Latest Alerts - Wed, 03/12/2014 - 16:09

While the drama about the lost airplane in Malaysia is still continuing, our hearts of course go out to the families of the missing. This ISC diary though is not about airplanes, or terrorism, it is rather about the related discovery that at least two passengers on the plane were using fake passports. Equally startling was the comment by Interpol that this is "common". What is the point of maintaining, for example, a no-fly list, if those listed on it anyway travel with stolen documents, and if the security checkpoint apparently fails to determine that a 19yr old doesn't look like a 40yr old, and that Italians who don't speak at least rudimentary Italian are, well, somewhat rare?

If we translate this to the virtual world, it turns into an everyday problem. How do we know that Joe using Joe's password is actually Joe, and not Jane? I probably should call them "Bob" and "Alice" to make this worthy of a scientific paper :), but the problem still stands: identification and authentication are hard, and finding out intentions is even harder. If we take from the airport physical security playbook, then it is "behavior" that makes the difference. The security checkpoint guys are (supposedly) trained to look for "clues" like nervousness, and carry-on baggage that is leaking 1,2,3-trinitroxypropane. Inevitably, there are numerous software products that claim to identify the "unusual" as well. Joe connecting from Connecticut, even though he lives in Idaho? Alert! Joe using Chrome even though he used Firefox last time? Alert! Joe typing his password faster than usual? Alert!

But like in the physical world, this kind of profiling only works well if you have a pretty homogenous and static "good guy" population, and a pretty well defined adversary. The real world, unfortunately, tends to be more diverse and complex than that. Which is why login fraud detection, just as airport security, often drowns in the "false positives", and as a result, de-tunes the sensitivity to the point where real fraud has stellar odds to just slip by. This is a fundamental issue with many security measures. Statisticians call this "base rate fallacy". If there are many many! more good guys than bad guys, finding the bad guys with a test that has a high error rate is pretty much: moot.

Checking the passports against the Interpol list of stolen passports .. wouldn't hurt though. Not doing this is akin to letting someone log in to an account that is suspended, or log in with a password that was valid two years ago.
 

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Wordpress "Pingback" DDoS Attacks, (Wed, Mar 12th)

Latest Alerts - Wed, 03/12/2014 - 04:21

Sucuri detected an interesting "reflective" attack using the Wordpress Pingback feature to attack web sites [1]. Unlike other reflective attacks that use UDP services like NTP and DNS, this attacks uses the Wordpress Pingback feature.

The intend of Pingback is to notify a site that you link to about the link hoping that the site you are linking to will return the favor. Some systems automate this and maintain automated lists linking back to sites that covered their article. In order to implement pingback, Wordpress implements an XML-RPC API function. This function will then send a request to the site to which you would like to send a "pingback".

With Wordpress, the Pingback is sent as a POST request to the /xmlrpc.php request. The body of the request will look like:

<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
     <param><value><string>http://victim</string></value></param>
     <param><value><string>http://reflector</string></value></param>
  </params>
</methodCall>

For the attack seen by Sucuri, the "victim" URL included a random parameter like "victim.com?123456=123456" to prevent caching.

The result of this request is that your Wordpress install will send a request to the victim's site. I don't think the attack will provide a significant traffic amplification, but it does obfuscate the actual source of the attack.

By default, this feature is enabled in all Wordpress installs, and isn't quite easy to turn off. Sucuri recommends to add the following API filter to Wordpress:

add_filter( ‘xmlrpc_methods’, function( $methods ) {
   unset( $methods['pingback.ping'] );
   return $methods;
} );

Removing xmlrpc.php is not recommended as it will breack a number of other features that will use the API.

 

[1] http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Wordpress "Pingback" DDoS Attacks, (Wed, Mar 12th)

Latest Alerts - Wed, 03/12/2014 - 04:21

Sucuri detected an interesting "reflective" attack using the Wordpress Pingback feature to attack web sites [1]. Unlike other reflective attacks that use UDP services like NTP and DNS, this attacks uses the Wordpress Pingback feature.

The intend of Pingback is to notify a site that you link to about the link hoping that the site you are linking to will return the favor. Some systems automate this and maintain automated lists linking back to sites that covered their article. In order to implement pingback, Wordpress implements an XML-RPC API function. This function will then send a request to the site to which you would like to send a "pingback".

With Wordpress, the Pingback is sent as a POST request to the /xmlrpc.php request. The body of the request will look like:

<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
     <param><value><string>http://victim</string></value></param>
     <param><value><string>http://reflector</string></value></param>
  </params>
</methodCall>

For the attack seen by Sucuri, the "victim" URL included a random parameter like "victim.com?123456=123456" to prevent caching.

The result of this request is that your Wordpress install will send a request to the victim's site. I don't think the attack will provide a significant traffic amplification, but it does obfuscate the actual source of the attack.

By default, this feature is enabled in all Wordpress installs, and isn't quite easy to turn off. Sucuri recommends to add the following API filter to Wordpress:

add_filter( ‘xmlrpc_methods’, function( $methods ) {
   unset( $methods['pingback.ping'] );
   return $methods;
} );

Removing xmlrpc.php is not recommended as it will breack a number of other features that will use the API.

 

[1] http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, March 12th 2014 http://isc.sans.edu/podcastdetail.html?id=3887, (Wed, Mar 12th)

Latest Alerts - Tue, 03/11/2014 - 17:15
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Introduction to Memory Analysis with Mandiant Redline, (Tue, Mar 11th)

Latest Alerts - Tue, 03/11/2014 - 10:46

In a previous diary I talked about memory acqusition with Dumpit .in this diary I will talk about how to use Mandiant Redline to analysis the memory dump.[1]

Mandiant Redline:

“Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile”.[2]

Installation:

1-Download Mandiant Redline from https://www.mandiant.com/resources/download/redline

2-Double click on Redline-1.11.msi

3-follow up the steps, then click close

Redline Usage:

To analysis a memory image :

1-Select From a Saved Memory File under Analyze Data on the home screen

2-Click Browse under Location of Saved Memory Image (for this diary I will not use an Indicators of Comporomise)

3-Click Next then OK

Depending on the size of the image and the speed of your PC, Mandiant Redline will take time to process the memory image.

4-For this example I am going to choose “I am reviewing A Full Live Response or Memory Image”

Now our Image is ready for Review:

From the left hand side you can choose which type of Data you would like to analysis in this view it’s the “Processes”

Here you can find all the process which was running on the system when the memory image was acquired . It shows the full details about the process such as the Process ID,Path ,Arguemnts ,User name ,SID …etc  .

If you would like to view the open ports on the System while the image was acquired , To view ports, click Ports under Processes on the Analysis Data window’s Host tab.



[1]http://isc.sans.edu/diary/Acquiring+Memory+Images+with+Dumpit/17216

[2] https://www.mandiant.com/resources/download/redline

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Microsoft Patch Tuesday March 2014, (Tue, Mar 11th)

Latest Alerts - Tue, 03/11/2014 - 09:23

Overview of the March 2014 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*) clients servers MS14-012 Cummulative Security Update for Internet Explorer
(ReplacesMS14-010 ) Internet Explorer
CVE-2014-0297
CVE-2014-0298
CVE-2014-0299
CVE-2014-0302
CVE-2014-0303
CVE-2014-0304
CVE-2014-0305
CVE-2014-0306
CVE-2014-0307
CVE-2014-0308
CVE-2014-0309
CVE-2014-0311
CVE-2014-0312
CVE-2014-0313
CVE-2014-0314
CVE-2014-0321
CVE-2014-0322
CVE-2014-0324 KB 2925418 Yes! Severity:Critical
Exploitability: 1 PATCH NOW! Critical MS14-013 Remote Code Execution Vulnerability in Microsoft Direct Show
(ReplacesMS13-056 ) Direct Show JPEG Library
CVE-2014-0301 KB 2929961 No. Severity:Critical
Exploitability: 1 Critical Important MS14-014 Vulnerability in Silverlight Could Allow Security Feature Bypass
(ReplacesMS13-087 ) Silverlight
CVE-2014-0319 KB 2932677 No. Severity:Important
Exploitability: 1 Important Important MS14-015 Privilege Escalation Vulnerability in Windows Kernel-Mode Driver
(ReplacesMS13-101 ) Windows Kernel-Mode Driver
CVE-2014-0300
CVE-2014-0323 KB 2930275 Yes. CVE-2014-0323 was public. Severity:Important
Exploitability: 1 Important Important MS14-016 Security Bypass Vulnerabilty in Security Account Manager Remote (SAMR)
(ReplacesMS11-095 MS13-032 ) Security Account Manager Remote
CVE-2014-0317 KB 2930275 No. Severity:Important
Exploitability: 1 Important Important We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY (*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Adobe Updates: Flash Player, (Tue, Mar 11th)

Latest Alerts - Tue, 03/11/2014 - 06:40

Adobe released a new version of Flash Player as part of today's patch Tuesday. No details are available yet. We will update this diary once the details become available. Note that this will also affect browsers like Chrome that include an embeded version of Flash.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, March 11th 2014 http://isc.sans.edu/podcastdetail.html?id=3885, (Tue, Mar 11th)

Latest Alerts - Mon, 03/10/2014 - 18:06
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Apple iOS 7.1, (Mon, Mar 10th)

Latest Alerts - Mon, 03/10/2014 - 11:33

Here is detailed information on today's Apple releases - both iOS and Apple TV were updated

APPLE-SA-2014-03-10-1 iOS 7.1

iOS 7.1 is now available and addresses the following:

Backup
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A maliciously crafted backup can alter the filesystem
Description:  A symbolic link in a backup would be restored, allowing
subsequent operations during the restore to write to the rest of the
filesystem. This issue was addressed by checking for symbolic links
during the restore process.
CVE-ID
CVE-2013-5133 : evad3rs

Certificate Trust Policy
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Root certificates have been updated
Description:  Several certificates were added to or removed from the
list of system roots.

Configuration Profiles
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Profile expiration dates were not honored
Description:  Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267

CoreCapture
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application can cause an unexpected system
termination
Description:  A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella

Crash Reporting
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to change permissions on arbitrary
files
Description:  CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs

dyld
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Code signing requirements may be bypassed
Description:  Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs

FaceTime
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
access FaceTime contacts from the lock screen
Description:  FaceTime contacts on a locked device could be exposed
by making a failed FaceTime call from the lock screen. This issue was
addressed through improved handling of FaceTime calls.
CVE-ID
CVE-2014-1274

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description:  An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski

IOKit HID Event
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may monitor on user actions in other
apps
Description:  An interface in IOKit framework allowed malicious apps
to monitor on user actions in other apps. This issue was addressed
through improved access control policies in the framework.
CVE-ID
CVE-2014-1276 : Min Zheng, Hui Xue, and Dr. Tao (Lenx) Wei of FireEye

iTunes Store
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A man-in-the-middle attacker may entice a user into
downloading a malicious app via Enterprise App Download
Description:  An attacker with a privileged network position could
spoof network communications to entice a user into downloading a
malicious app. This issue was mitigated by using SSL and prompting
the user during URL redirects.
CVE-ID
CVE-2014-1277 : Stefan Esser

Kernel
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description:  An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs

Office Viewer
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Opening a maliciously crafted Microsoft Word document may
lead to an unexpected application termination or arbitrary code
execution
Description:  A double free issue existed in the handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team

Photos Backend
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Deleted images may still appear in the Photos app underneath
transparent images
Description:  Deleting an image from the asset library did not delete
cached versions of the image. This issue was addressed through
improved cache management.
CVE-ID
CVE-2014-1281 : Walter Hoelblinger of Hoelblinger.com, Morgan Adams,
Tom Pennington

Profiles
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A configuration profile may be hidden from the user
Description:  A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure

Safari
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  User credentials may be disclosed to an unexpected site via
autofill
Description:  Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB

Settings - Accounts
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
disable Find My iPhone without entering an iCloud password
Description:  A state management issue existed in the handling of the
Find My iPhone state. This issue was addressed through improved
handling of Find My iPhone state.
CVE-ID
CVE-2014-1284

Springboard
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
see the home screen of the device even if the device has not been
activated
Description:  An unexpected application termination during activation
could cause the phone to show the home screen. The issue was
addressed through improved error handling during activation.
CVE-ID
CVE-2014-1285 : Roboboi99

SpringBoard Lock Screen
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A remote attacker may be able to cause the lock screen to
become unresponsive
Description:  A state management issue existed in the lock screen.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-1286 : Bogdan Alecu of M-sec.net

TelephonyUI Framework
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A webpage could trigger a FaceTime audio call without user
interaction
Description:  Safari did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross

USB Host
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description:  A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group

Video Driver
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description:  A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd

WebKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts
Syndicate content