Latest Alerts

SANS Internet Storm Center, InfoCON: green

New SANS memory forensics poster, (Wed, Mar 18th)

Tue, 03/17/2015 - 16:02

SANS Posters rule! The malware geeks Jake Williams and Alissa Torres have created a new REM poster that focuses on malware memory forensics and covers the Volatility and Rekall frameworks, as well as important artefacts. Depending on your location, you can get a printed copy mailed to you, or you can download and print it yourself: http://www.sans.org/security-resources/posters/dfir-memory-forensics-2015-65

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Improperly issued SSL certificate for domain "live.fi" could be used in attempts to spoof content. https://technet.microsoft.com/library/security/3046310, (Tue, Mar 17th)

Tue, 03/17/2015 - 08:41

From PEiD To YARA, (Tue, Mar 17th)

Tue, 03/17/2015 - 06:06

Some time ago, Jim Clausing had a diary entry about PEiD (a packer identifier which is no longer maintained/hosted), and since then he has hosted a PEiD signature database on his handler page.

Now, wouldn't it be great if we could reuse these signatures, for example as YARA rules?

That's why I wrote a Python program that converts PEiD signatures to YARA rules: peid-userdb-to-yara-rules.py

Here is an example:
PEiD signature:

[!EP (ExE Pack) V1.0 - Elite Coding Group]
signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
ep_only = true

Generated YARA rule:

rule PEiD_00001__EP__ExE_Pack__V1_0____Elite_Coding_Group_
{
    meta:
        description = "[!EP (ExE Pack) V1.0 - Elite Coding Group]"
        ep_only = true
    strings:
        $a = {60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10}
    condition:
        $a
}

PEiD signatures have an ep_only property that can be true or false. This property specifies whether the signature has to be found at the PE file's entry point (true) or can be found anywhere in the file (false).

Program option -p generates rules that use YARA's pe module. If a signature's ep_only property is true, the YARA rule's condition becomes $a at pe.entry_point instead of just $a.

Example:

import "pe"

rule PEiD_00001__EP__ExE_Pack__V1_0____Elite_Coding_Group_
{
    meta:
        description = "[!EP (ExE Pack) V1.0 - Elite Coding Group]"
        ep_only = true
    strings:
        $a = {60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10}
    condition:
        $a at pe.entry_point
}

I produced 2 sets of YARA rules based on Jim's database: peid-userdb-rules-with-pe-module.yara and peid-userdb-rules-without-pe-module.yara. As the names imply, the first one uses YARA's pe module and the second one does not. I use the second set of rules when I analyze files that are not PE files, but that can contain (partial) PE files.

You can find my YARA rules here.
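As an added example (my own reimplementation of the conversion described above, not the diary author's peid-userdb-to-yara-rules.py): a parser for the userdb entry format shown, a rule-name generator in the same PEiD_<counter>_<sanitized description> style, and an emitter that implements the -p behaviour. The second userdb entry in the sample is constructed so that both the ep_only = true and ep_only = false paths are exercised.

```python
import re
from typing import List, Tuple

# Constructed sample userdb: the diary's own example entry plus an invented
# second entry with ep_only = false.
SAMPLE_USERDB = """
[!EP (ExE Pack) V1.0 - Elite Coding Group]
signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
ep_only = true

[Constructed Packer Example v0.1]
signature = 55 8B EC 83 EC ?? 53 56 57
ep_only = false
"""

# A PEiD signature token is either a hex byte or a ?? wildcard.
HEX_TOKEN = re.compile(r'^([0-9A-Fa-f]{2}|\?\?)$')


def parse_userdb(text: str) -> List[Tuple[str, str, bool]]:
    """Parse PEiD userdb text into (description, signature, ep_only) tuples.

    An entry is a [bracketed] header line followed by key = value lines; the
    header, brackets included, becomes the rule description, as in the diary.
    Entries whose signature is not a list of hex bytes / ?? wildcards are
    dropped, because YARA would reject the hex string."""
    entries = []
    desc, sig, ep_only = None, None, False

    def flush():
        if desc is not None and sig is not None:
            tokens = sig.split()
            if tokens and all(HEX_TOKEN.match(t) for t in tokens):
                entries.append((desc, sig, ep_only))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            flush()
            desc, sig, ep_only = line, None, False
            continue
        key, _, value = line.partition('=')
        key, value = key.strip().lower(), value.strip()
        if key == 'signature':
            sig = value
        elif key == 'ep_only':
            ep_only = value.lower() == 'true'
    flush()
    return entries


def rule_name(index: int, description: str) -> str:
    """Identifier in the diary's style: PEiD_ prefix, five-digit counter, and
    every character that is not a letter or digit replaced by an underscore.
    YARA identifiers are limited to 128 characters, hence the truncation."""
    return ('PEiD_%05d%s' % (index, re.sub(r'[^A-Za-z0-9]', '_', description)))[:128]


def to_yara(entries, use_pe_module: bool = False) -> str:
    """Emit one YARA rule per entry. With use_pe_module (the diary's -p option)
    the output starts with import "pe" and ep_only signatures are anchored with
    '$a at pe.entry_point'; without it every condition is a plain '$a', which is
    the rule set to use on non-PE files that may embed (partial) PE files."""
    rules = []
    for index, (desc, sig, ep_only) in enumerate(entries, 1):
        anchored = use_pe_module and ep_only
        condition = '$a at pe.entry_point' if anchored else '$a'
        escaped = desc.replace('\\', '\\\\').replace('"', '\\"')
        rules.append('\n'.join([
            'rule %s' % rule_name(index, desc),
            '{',
            '    meta:',
            '        description = "%s"' % escaped,
            '        ep_only = %s' % ('true' if ep_only else 'false'),
            '    strings:',
            '        $a = {%s}' % sig,
            '    condition:',
            '        %s' % condition,
            '}',
        ]))
    header = 'import "pe"\n\n' if use_pe_module else ''
    return header + '\n\n'.join(rules) + '\n'


if __name__ == '__main__':
    print(to_yara(parse_userdb(SAMPLE_USERDB), use_pe_module=True))
```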


ISC StormCast for Tuesday, March 17th 2015 http://isc.sans.edu/podcastdetail.html?id=4399, (Tue, Mar 17th)

Mon, 03/16/2015 - 18:02

Automatically Documenting Network Connections From New Devices Connected to Home Networks, (Mon, Mar 16th)

Mon, 03/16/2015 - 06:24

This is a guest diary submitted by Xavier Mertens.

Writing documentation is a pain for most of us but... mandatory! Pentesters and auditors don't like to write their reports once the fun stuff has been completed. It is the same for developers. Writing code and developing new products is fun, but good documentation is often missing. By documentation, I mean network

But today, more and more devices are connected (think about the IoT buzz: Internet of Things). These devices are manufactured in a way that they automatically use any available network connectivity. Configure a wireless network and they are good to go. Classic home networks are based on xDSL or cable modems which provide basic network services (DHCP, DNS). This is not the best way to protect your data. They lack egress filters, and any connected device will have full network connectivity and can potentially exfiltrate juicy data. That's why I militate in favor of a documentation template to describe the resources required to operate such smart devices smoothly. Here is a good example.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Monday, March 16th 2015 http://isc.sans.edu/podcastdetail.html?id=4397, (Mon, Mar 16th)

Sun, 03/15/2015 - 18:30

Maldoc VBA Sandbox/Virtualization Detection, (Sat, Mar 14th)

Sat, 03/14/2015 - 04:04

As could be expected, we are witnessing an arms race in the evolution of malicious VBA documents. First the VBA code was trivially simple (download and execute), then obfuscation was added (strings and code), and now we see more attempts to evade detection.

I analyzed a maldoc sample (.xls 77f3949c2130b268bb18061bcb483d16) that tries to detect sandboxes and virtualization (and aborts if found).

Here is an example:

If IsVirtualPCPresent = True Then End


Malware targets home networks, (Fri, Mar 13th)

Fri, 03/13/2015 - 02:59

Malware researchers at Trend Micro have analyzed a piece of malware that connects to the home router, scans the home network, and sends the gathered information to its C&C server before deleting itself.

TROJ_VICEPASS.A pretends to be an Adobe Flash update. Once run, it attempts to connect to the home router's admin console using a predefined list of user names and passwords. If it succeeds, the malware scans the network for connected devices.

The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0 to 192.168.[0-6].11; this IP range is hard-coded.

Once the scan is finished, it encodes the result using Base64 and encrypts it using a home-made encryption method. The encrypted result is sent to a C&C server over HTTP.

After sending the results to the command and control (C&C) server, it deletes itself from the victim's computer. It uses the following command to do so:

  • cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del %s

This type of malware infection can be avoided with very basic security practices, such as downloading updates and software from trusted sources only and changing the default passwords on your equipment.


Microsoft EMET 5.2 is available, (Fri, Mar 13th)

Fri, 03/13/2015 - 01:20

Microsoft has announced a new release of the Enhanced Mitigation Experience Toolkit (EMET) 5.2.

The main changes and improvements are the following:

  • Control Flow Guard: EMET's native DLLs have been compiled with Control Flow Guard (CFG). CFG is a new feature introduced in Visual Studio 2015 (and supported by Windows 8.1 and Windows 10) that helps detect and stop attempts at code hijacking. EMET's native DLLs (i.e. EMET.DLL) are injected into the application processes EMET protects. Since we strongly encourage 3rd-party developers to recompile their applications to take advantage of this very latest security technology, we have compiled EMET with CFG.
  • Enhanced Protected Mode/Modern IE: EMET now fully supports alerting and reporting from Modern Internet Explorer, or Desktop IE with Enhanced Protected Mode enabled.
  • VBScript in Attack Surface Reduction: the configuration for the Attack Surface Reduction (ASR) mitigation has been improved to stop attempts to run the VBScript extension when loaded in Internet Explorer's Internet Zone. This mitigates the exploitation technique known as "VBScript God Mode" observed in recent attacks.

========================================================================

[1] http://blogs.technet.com/b/srd/archive/2015/03/12/emet-5-2-is-available.aspx
[2] https://technet.microsoft.com/en-us/security/jj653751


ISC StormCast for Friday, March 13th 2015 http://isc.sans.edu/podcastdetail.html?id=4395, (Fri, Mar 13th)

Thu, 03/12/2015 - 19:16

Blind SQL Injection against WordPress SEO by Yoast, (Fri, Mar 13th)

Thu, 03/12/2015 - 16:34

WordPress has released an advisory for the WordPress plugin SEO by Yoast. Versions up to and including 1.7.3.3 can be exploited with a blind SQL injection. According to WordPress, this plugin has more than one million downloads. A description of the SQL injection with a proof of concept is available here, and the latest update is available here.

[1] https://wordpress.org/plugins/wordpress-seo/
[2] https://downloads.wordpress.org/plugin/wordpress-seo.1.7.4.zip
[3] https://wpvulndb.com/vulnerabilities/7841

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Who got the bad SSL Certificate? Using tshark to analyze the SSL handshake, (Thu, Mar 12th)

Thu, 03/12/2015 - 07:10

Ever wonder if any of your users connect to sites with bad SSL certificates? I ran into this issue recently when debugging some SSL issues, and ended up with this quick tshark and shell script trick to extract the necessary information from a packet capture.

First, you may want to compare the host name your clients connect to with the host name returned as part of the certificate. While the Host header is encrypted and not accessible, modern SSL libraries use Server Name Indication (SNI) in the SSL Client Hello to tell the server which site they are trying to connect to. The SNI extension is sent in the clear to allow name-based virtual hosting with SSL.

To extract the SNI fields, I use:

tshark -r file.pcap -Y "ssl.handshake.type==1" -T fields -e ip.dst -e tcp.srcport -e ssl.handshake.extensions_server_name | sed 's/\t/:/' > /tmp/out

The tshark command extracts all the SSL Client Hello messages (ssl.handshake.type==1) and then pulls out the destination IP, the client's source port (tcp.srcport, which serves as the connection key) and the SNI field. The sed step replaces the first tab with a colon, to produce output like:

173.194.219.108:61879 imap.gmail.com

Your sed command will look a bit different if you are using OS X.

Next, we need to extract the host names advertised by the certificate that the server returns. This is a bit tricky, as a certificate may either use the distinguished name (DN) or a subject alternative name (SAN) if more than one host name is included in the certificate.

tshark -r file.pcap -Y "ssl.handshake.type==11" -T fields -e ip.src -e tcp.dstport -e x509sat.uTF8String -e x509ce.dNSName | sed 's/\t/:/' > /tmp/in

Just like before, we now filter for Certificate messages (type 11) and extract the source IP and the destination port (the client's port again), so we can match up connections with what we extracted above. The output should look like:

173.194.219.109:61898 California,Mountain View,Google Inc,imap.gmail.com imap.gmail.com
173.252.101.48:61897 *.facebook.com *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,fbcdn23dssr3jqnq.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com

Note how it is quite common to include a large list of hostnames.

Next, we need to link the two files. The join command is pretty useful here:

join -1 1 -2 1 -e empty /tmp/in /tmp/out | tr '\t' ' '

This joins the two files, pretty much the way a SQL join combines two tables, using the first column in each file as the index (join expects both files to be sorted on that column, so sort them first if they are not). The output now looks like:

17.172.208.83:61878 *.icloud.com,icloud.com p02-mailws.icloud.com
17.172.208.8:61881 *.icloud.com,management:idms.group.506364,Apple Inc.,California *.icloud.com p02-ckdatabase.icloud.com
173.252.101.48:61897 *.facebook.com *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,fbcdn23dssr3jqnq.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com
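As an added example (my code, not from the diary): once the two exports exist, the matching step can also be done in Python, which makes it easy to go one step further than join and flag connections where none of the certificate's names covers the SNI the client asked for, including wildcard names. The ip:port keys and the mismatching and certificate-less entries below are constructed; the name lists mimic the diary's output.

```python
from typing import Dict, List, Tuple

# Constructed samples of the two exports: "ip:port<TAB>field<TAB>field", the
# shape the sed step leaves behind (only the first tab becomes ':').
SNI_EXPORT = """\
173.194.219.108:61879\timap.gmail.com
173.252.101.48:61897\twww.facebook.com
203.0.113.7:61902\tmail.example.net
198.51.100.9:61910\tlogin.example.com
"""

CERT_EXPORT = """\
173.194.219.108:61879\tCalifornia,Mountain View,Google Inc,imap.gmail.com\timap.gmail.com
173.252.101.48:61897\t*.facebook.com\t*.facebook.com,facebook.com,*.fbsbx.com
203.0.113.7:61902\tSomewhere,Example Org,*.example.org\t*.example.org,example.org
"""


def parse_export(text: str) -> Dict[str, List[str]]:
    """Map each ip:port key to the flattened list of values in the remaining
    fields (DN attributes and SAN dNSNames are themselves comma-separated)."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, *fields = line.split('\t')
        table[key] = [v.strip() for f in fields for v in f.split(',') if v.strip()]
    return table


def hostname_matches(name: str, pattern: str) -> bool:
    """Match a requested host against one certificate name: exact match, or a
    leading '*.' wildcard covering exactly one DNS label (the RFC 6125 rule),
    so *.facebook.com covers www.facebook.com but not facebook.com or
    a.b.facebook.com."""
    name = name.lower().rstrip('.')
    pattern = pattern.lower().rstrip('.')
    if name == pattern:
        return True
    if pattern.startswith('*.'):
        suffix = pattern[1:]                     # ".facebook.com"
        if name.endswith(suffix):
            first_label = name[:-len(suffix)]
            return bool(first_label) and '.' not in first_label
    return False


def audit(sni_export: str, cert_export: str) -> Tuple[list, list]:
    """Return (mismatches, no_certificate): connections whose certificate names
    do not cover the SNI the client asked for, and connections where no
    Certificate message was seen (resumed session, or the capture missed it).
    DN values such as 'California' simply never match a host name."""
    requested = parse_export(sni_export)
    presented = parse_export(cert_export)
    mismatches, no_certificate = [], []
    for key, values in requested.items():
        sni = values[0] if values else ''
        if key not in presented:
            no_certificate.append((key, sni))
        elif not any(hostname_matches(sni, n) for n in presented[key]):
            mismatches.append((key, sni, presented[key]))
    return mismatches, no_certificate


if __name__ == '__main__':
    bad, missing = audit(SNI_EXPORT, CERT_EXPORT)
    for key, sni, names in bad:
        print('MISMATCH %s asked for %s, certificate names: %s' % (key, sni, ', '.join(names)))
    for key, sni in missing:
        print('NO CERTIFICATE seen for %s (SNI %s)' % (key, sni))
```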

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Thursday, March 12th 2015 http://isc.sans.edu/podcastdetail.html?id=4393, (Thu, Mar 12th)

Wed, 03/11/2015 - 18:17

Apple iTunes Store is seeing an extended outage - watch https://www.apple.com/support/systemstatus/ for status changes., (Wed, Mar 11th)

Wed, 03/11/2015 - 06:13

=============== Rob VandenBrink Metafore


Syslog Skeet Shooting - Targeting Real Problems in Event Logs, (Wed, Mar 11th)

Wed, 03/11/2015 - 03:56


A common bit of advice that we tend to offer up frequently is "monitor your logs" or "review your logs periodically". However, with daily syslogs - even in a small environment - ranging from 300 MB to 5 GB, that's no easy task. We've discussed parsing logs out using grep and similar tools in the past, but that assumes that nothing drastic ever happens - you're banking on the fact that anything being logged can wait until you have time to check your logs.

And face it - with the volume of real project work that faces us each day, how many of us actually have time to manually review our logs, and get meaningful information out of them that we can take action on?

So, can we automate this task? Since there's a rather large number of for-sale products that do this (google SIEM to see just how many), the answer is a resounding yes. But can you take a simpler approach, and send email alerts on specific things you know you want to watch for? And can you do this on a budget of zero or close to it? The answer to this is also yes.

Before we get to the how though, let's define the what - or at least start that task. What exactly do you want to monitor for? I'll focus on network gear in these examples - routers, switches, firewalls and so on. The list of conditions for alerting is fairly short, and network conditions affect *everything*. Plus I'm a network person most days. You can certainly expand this to include storage arrays, Windows and Linux hosts, Active Directory and so on.

Let's start with hardware:

fan
batter
temp

Of course alarms on any of these need almost immediate action.

Note that I'm looking for "temp", so as to match both "temp" and "temperature".

Similarly, "batter" covers "battery" and "batteries".

You'll also get these same keywords cropping up in logs for your SAN and for host hardware, if you have proper logging set up for them.

You definitely want to alert on routing or redundancy protocols - for the most part these only kick out a message when things are re-negotiating, which should never happen unless there is a problem:

BGP, EIGRP, OSPF, ISIS (or add your routing protocol here; hopefully RIP isn't in your list). Monitoring for these will in lots of cases catch short outages with WAN providers or ISPs, which traditional polling will often miss.
HSRP, VRRP cover most interface redundancy issues. If you see an event on either of these, it usually means you've seen a failure.

Another common, common, common thing that you really have to filter on:
duplex
'Nuff said. I just had a client engage me for 5 days to nail down a high WAN traffic / performance issue. They didn't have a syslog server, but I started by looking at logs in memory (over their objection). And yes, their WAN provider had changed one of their routers from auto/auto to 100/full, of course without telling them. Even in a well managed, controlled environment, you can't control the VoIP contractor who hard-sets their PBX to 100/full without telling anyone else, the ISP that does that to their routers instead of using rate limiting, or the server admin who thinks that setting their NIC to 1000/full is somehow safer than letting it negotiate to that same setting (the way the RFC recommends). And face it, the only things you ever get speed/duplex errors on are the most catastrophic things you could pick to have that error! Once you start looking, you are almost guaranteed to find a number of these in your logs in almost any shop.

Monitoring for vendor-specific text in a syslog message (both Cisco in this case, though the first works for Comware as well):
DUPLICATE_IPADDR_DETECT - yes, lots of this too. I had a client stand up a new DHCP server without conflict detection. Ever wonder what happens when you have a busy workstation with the same IP as the local firewall?

ERR-DISABLE or ERR_DISABLE - as you'd expect, this is a switch port that's been disabled due to an error. What kind of error? Often it's a BPDUGUARD trigger, port channel config issues, link-flap, late collisions, an incorrect SFP or GBIC inserted, ARP inspection issues - this port state and syslog message cut a wide swath.

BPDUGUARD - if you configure a switch port with BPDUGUARD, you're telling it that this is a workstation or server port, so if it sees a BPDU (Bridge Protocol Data Unit) frame, that indicates that there's an unauthorized switch attached to that port (see ERR-DISABLE above). A message involving BPDUGUARD will generally also involve a shut down port. In Cisco and Comware, it'll be in an ERR-DISABLE state. In ProCurve networks though, it'll just be shut down, and if you don't check your logs you might be left wondering why it keeps shutting down.

You'll likely also want to monitor for config changes. If you don't have a formal change control process, it's something you really want to consider. If a router or switch configuration changes outside of a change window - or worse yet, if a config changes and it wasn't you - that's something you want to know about!

Monitor in real time for config changes: look for SYS-5-CONFIG_I.

To get login events into syslog on Cisco gear, the configuration needs these two lines:
login on-failure log
login on-success log

Then you can filter syslog for SEC_LOGIN-4-LOGIN_FAILED and/or SEC_LOGIN-5-LOGIN_SUCCESS - or more simply, to catch both, watch for SEC_LOGIN.

Really, you're looking for logins outside of approved windows, login failures (worst case, followed by a success), or, if you are the only network admin, any login attempts that aren't you!

If you don't have those two lines in your configuration, I'd suggest that you add them, then review the Cisco hardening guides at the Center for Internet Security (https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.network.cisco). Other vendors will have similar guidance, either on their own sites or at CIS.

You get my point. In a perfect situation, you would take your logs and discard everything you DON'T want to be alerted on, which should leave the real problems, plus new messages that are not problems, which you can add to your filter-out list. Back in the day, we had a project where we did exactly this for an AS/400 - we discarded known good and known innocuous, and over time we were left with just the bad news messages we wanted to see. However, networks and log messages are so varied as you add new devices, and change so much even from version to version, that this traditional approach might not be so viable anymore. Alerting on specific messages, plus regular manual log parsing to see what else you might want to add to the list, is a nice, low-interaction approach that gets you there (or close to it) in the end. This has worked for lots of customers that I have - until they get a proper SIEM or IPS, that is.

So back to the how - how do you configure alerts now that we know what we want to alert on? That will depend on your logging solution. If you use SolarWinds Syslog (it used to be Kiwi), it's built into the GUI. You can trigger on various AND / OR situations - be sure that your searches are case-insensitive. In the filter I use, I EXCLUDE the string "URL Accessed".

In Linux, you'd think it would be easier. But as with so many things in Linux, there are dozens of ways to do this - and they're all at least marginally more complicated. It's semi-easy to configure email alerts based on severity, as long as the local system mail is tied to a real email system (which is almost never). To trigger on keywords and support real email, though, requires some gymnastics. You can use logwatch or logcheck (you'll generally use logcheck with cron), and OSSEC also does a good job monitoring logs (amongst other things) and alerting, in any of several methods, on configured inputs or conditions. If you want to do it all with stock tools, you can use named pipes as shown here: http://serverfault.com/questions/32360/how-can-i-make-syslogd-email-certain-log-messages-to-me.

Me, I use swatch (http://sourceforge.net/projects/swatch/) - mostly because it's simple and it works well. Life is too short to complicate a simple process like logging. For an example of using swatch for real, check my very first SANS Gold Paper - all those years ago - http://www.sans.org/reading-room/whitepapers/auditing/vpnscan-extending-audit-compliance-perimeter-1711. I used swatch to trigger policy audits of users VPN-ing in at the time, and I still use swatch for that, along with loads of other things.
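As an added example (my code, not from the diary, which does this step with swatch or the SolarWinds GUI): the keyword-plus-exclusion filter described above, run over constructed Cisco-style syslog lines. One deliberate tightening over a plain substring match: keywords are matched at the start of a word, so "temp" still covers "temperature" and "batter" still covers "batteries", but "temp" no longer fires on every "attempt".

```python
import re
from typing import List, Tuple

# Keywords from the diary: hardware, routing/redundancy protocols, duplex,
# and the Cisco/Comware message types it calls out. Matching is
# case-insensitive and anchored at the start of a word (\b), which keeps the
# prefix trick ('temp' -> 'temperature') without matching inside 'attempt'.
ALERT_KEYWORDS = [
    'fan', 'batter', 'temp',                                 # hardware
    'BGP', 'EIGRP', 'OSPF', 'ISIS', 'HSRP', 'VRRP',          # routing / redundancy
    'duplex',
    'DUPLICATE_IPADDR_DETECT', 'ERR-DISABLE', 'ERR_DISABLE', 'BPDUGUARD',
    'SYS-5-CONFIG_I', 'SEC_LOGIN',                           # config changes, logins
]

# Strings that suppress an alert even when a keyword matches (the diary's
# own filter excludes the "URL Accessed" noise).
EXCLUDE_STRINGS = ['URL Accessed']

# Constructed sample syslog lines in Cisco IOS style; hosts, times and
# addresses are made up.
SAMPLE_SYSLOG = """\
Mar 11 03:40:01 core-sw1 12345: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.1.1.5)
Mar 11 03:41:17 core-sw1 12346: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.99] [localport: 22] [Reason: Login Authentication Failed]
Mar 11 03:42:05 access-sw7 8811: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Mar 11 03:42:40 wan-rtr1 5522: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent
Mar 11 03:43:12 access-sw7 8812: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Gi1/0/5 (not half duplex), with pbx-1 port 1 (half duplex)
Mar 11 03:43:50 core-sw1 12347: %ENVMON-2-TEMP: Temperature sensor 1 exceeds threshold
Mar 11 03:44:02 fw-1 9001: URL Accessed: user jdoe reached http://www.example.com/ (category: business)
Mar 11 03:44:30 access-sw7 8813: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/12, changed state to up
Mar 11 03:45:00 core-sw1 12348: %IP-4-DUPLICATE_IPADDR_DETECT: Duplicate IP address 10.1.1.1 detected on Vlan10
Mar 11 03:45:30 fw-1 9002: connection attempt from 10.1.1.77 to 10.2.2.2 port 443 permitted by rule 12
"""


def compile_filters(keywords=ALERT_KEYWORDS, excludes=EXCLUDE_STRINGS):
    """Pre-compile the keyword and exclusion patterns (escape them, so that
    '-' and '_' in message names are taken literally)."""
    kw = [(k, re.compile(r'\b' + re.escape(k), re.IGNORECASE)) for k in keywords]
    ex = [re.compile(re.escape(e), re.IGNORECASE) for e in excludes]
    return kw, ex


def scan(lines: List[str], keywords=ALERT_KEYWORDS,
         excludes=EXCLUDE_STRINGS) -> List[Tuple[int, List[str], str]]:
    """Return (line_number, matched_keywords, line) for each line that carries
    at least one alert keyword and none of the excluded strings. The exclude
    list is applied first, which is how an EXCLUDE clause in a GUI filter
    behaves."""
    kw_patterns, ex_patterns = compile_filters(keywords, excludes)
    hits = []
    for number, line in enumerate(lines, 1):
        if any(p.search(line) for p in ex_patterns):
            continue
        matched = [k for k, p in kw_patterns if p.search(line)]
        if matched:
            hits.append((number, matched, line))
    return hits


if __name__ == '__main__':
    for number, matched, line in scan(SAMPLE_SYSLOG.splitlines()):
        print('ALERT line %d [%s]: %s' % (number, ','.join(matched), line))
```

On a live box, feed it the lines from tail -F of the syslog file and replace the print with whatever sends your mail.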

What messages or strings would you add to this (short) list of things to alert on? We're looking mainly for network-type alerts on routers, switches, firewalls, load balancers and so on. What situations would your list entry prevent or diagnose? Do you have a simpler or more elegant method of triggering on syslog entries in Linux? Please, use our comment form and let us know how you approach this issue!

===============
Rob VandenBrink
Metafore


ISC StormCast for Wednesday, March 11th 2015 http://isc.sans.edu/podcastdetail.html?id=4391, (Wed, Mar 11th)

Tue, 03/10/2015 - 19:46

Threatglass has pcap files with exploit kit activity, (Tue, Mar 10th)

Tue, 03/10/2015 - 10:13

Threatglass is one way to find up-to-date examples of exploit kit traffic. Not all of it is exploit kit traffic, but all of it represents some sort of malicious activity. Threatglass doesn't explain what type of traffic you're looking at in the pcaps the site provides. Let's look at a page from last week, Thursday, March 5th 2015 [1]. This one is exploit kit activity. On the Threatglass page, you'll find a link to the packet capture in the lower right-hand corner.

Download the pcap and open it in Wireshark. Use http.request as the filter, and make sure you're showing the host name in the column display.

For most exploit kits, the pattern of traffic is: landing page -> exploit (Java, Flash, Silverlight, IE, etc.) -> malware payload, if the exploit is successful.

Let's look at this example by following a few TCP streams in the pcap.

When the Flash exploit works, a malware payload is sent. Currently, Nuclear Exploit Kit obfuscates the malware payload with an ASCII string. In this case, the binary was XOR-ed with an ASCII string.

The VirusTotal results indicate the malware is a Tofsee variant: https://www.virustotal.com/en/file/7659b2be203a34b7491c7101c0275b9e20e8d801d236817a5285c2e63e0ad0e5/analysis/

If you want a sample of the deobfuscated payload, you can get it from malwr.com at: https://malwr.com/analysis/N2U3NDUwMjQ5MWViNGZkNWFlMTBkMjkxMzExZGQxNTM/
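As an added example (my code, not from the diary or from any exploit kit analysis tool): the XOR-with-an-ASCII-string obfuscation described above can be undone without knowing the key, because a PE file's DOS header carries 32 reserved bytes that are almost always zero, and a zero byte XOR-ed with the key is the key. The PE header bytes, DOS stub and key below are constructed; the approach assumes the payload is a normal PE file and that the key is shorter than that zero region.

```python
# Constructed sample PE prefix: a standard 64-byte DOS header, the usual DOS
# stub padded to offset 0x80, and the start of the PE signature. Offsets
# 0x1C-0x3B (e_res, e_oemid, e_oeminfo, e_res2) are zero in almost every PE
# file, and 0x00 XOR k == k, so an XOR key shows through there in the clear.
DOS_HEADER = bytes.fromhex(
    '4d5a90000300000004000000ffff0000'
    'b8000000000000004000000000000000'
    '00000000000000000000000000000000'
    '00000000000000000000000080000000'   # e_lfanew = 0x80
)
DOS_STUB = (b'\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21'
            b'This program cannot be run in DOS mode.\r\r\n$')
PE_SAMPLE = DOS_HEADER + DOS_STUB.ljust(0x40, b'\x00') + b'PE\x00\x00\x4c\x01'
XOR_KEY = b'Nuc1earK3y!'          # constructed; any ASCII key up to 31 bytes works
ZERO_REGION = range(0x1C, 0x3C)   # the 32 reserved header bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encoding and decoding are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, max_len: int = 31) -> bytes:
    """Derive the repeating key from the zero region of the DOS header.

    Within that region the blob is the key itself, repeated, so the shortest
    period L (1..max_len) the region exhibits is the key length, and key[k] is
    the region byte at an offset congruent to k modulo L. max_len stays below
    the region size so every accepted period is backed by at least one
    comparison. Raises ValueError when no period fits (non-standard header,
    longer key, or not a plain XOR at all)."""
    start, end = ZERO_REGION.start, ZERO_REGION.stop
    if len(blob) < end:
        raise ValueError('blob shorter than a DOS header')
    for length in range(1, min(max_len, end - start - 1) + 1):
        if all(blob[i] == blob[i + length] for i in range(start, end - length)):
            return bytes(blob[start + ((k - start) % length)] for k in range(length))
    raise ValueError('no repeating key of length <= %d found' % max_len)


def decode_payload(blob: bytes) -> bytes:
    """Recover the key, decode, and sanity-check the result as a PE image:
    'MZ' at offset 0 and 'PE\\0\\0' where e_lfanew points."""
    plain = xor_bytes(blob, recover_key(blob))
    e_lfanew = int.from_bytes(plain[0x3C:0x40], 'little')
    if plain[:2] != b'MZ' or plain[e_lfanew:e_lfanew + 4] != b'PE\x00\x00':
        raise ValueError('decoded data does not look like a PE file')
    return plain


if __name__ == '__main__':
    captured = xor_bytes(PE_SAMPLE, XOR_KEY)      # stands in for the payload from the pcap
    print('recovered key:', recover_key(captured))
    print('decoded starts with:', decode_payload(captured)[:2])
```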

If you have the time, review some of the other entries on Threatglass to figure out which ones are exploit kit activity and which ones are other activity, like fake Flash installer pop-up windows. This is one of many resources online that aspiring analysts can use to build their skills.

---

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://threatglass.com/malicious_urls/geospotrima-com


Microsoft March Patch Tuesday, (Tue, Mar 10th)

Tue, 03/10/2015 - 10:04

Overview of the March 2015 Microsoft patches and their status.

For each bulletin: title (with the bulletins it replaces), affected component, CVEs, KB article, known exploits, Microsoft rating (severity and exploitability index) and the ISC rating (*) for clients and servers.

MS15-018 Cumulative Security Update For Internet Explorer (replaces MS15-009; note that for IE8 and later, the VBScript vulnerability CVE-2015-0032 is addressed by MS15-019)
  Affected: Internet Explorer
  CVEs: CVE-2015-0032, CVE-2015-0056, CVE-2015-0072, CVE-2015-0099, CVE-2015-0100, CVE-2015-1622, CVE-2015-1623, CVE-2015-1624, CVE-2015-1625, CVE-2015-1626, CVE-2015-1627, CVE-2015-1634
  KB: 3040297
  Known exploits: CVE-2015-1625 has been disclosed in public, but no exploits seen yet.
  Microsoft rating: Critical, exploitability 1
  ISC rating: clients Critical, servers Critical

MS15-019 Remote Code Execution Vulnerability in VBScript Scripting Engine (replaces MS14-084)
  Affected: VBScript
  CVEs: CVE-2015-0032
  KB: 3040297
  Known exploits: no known exploits
  Microsoft rating: Critical, exploitability 1
  ISC rating: clients Critical, servers Important

MS15-020 Remote Code Execution Via Loading Untrusted DLLs and Windows Text Service Memory Corruption (replaces MS14-027)
  Affected: Windows Text Services
  CVEs: CVE-2015-0081, CVE-2015-0096
  KB: 3041836
  Known exploits: no known exploits
  Microsoft rating: Critical, exploitability 2
  ISC rating: clients Critical, servers Critical

MS15-021 Remote Code Execution Vulnerability in Adobe Font Drivers (replaces MS13-081)
  Affected: Adobe Font Drivers
  CVEs: CVE-2015-0074, CVE-2015-0087, CVE-2015-0088, CVE-2015-0089, CVE-2015-0090, CVE-2015-0091, CVE-2015-0092, CVE-2015-0093
  KB: 3032323
  Known exploits: no known exploits
  Microsoft rating: Critical, exploitability 2
  ISC rating: clients Critical, servers Important

MS15-022 Remote Code Execution Vulnerability in Microsoft Office (replaces MS13-072, MS14-022, MS14-023, MS14-050, MS14-073, MS15-012)
  Affected: Microsoft Office
  CVEs: CVE-2015-0085, CVE-2015-0086, CVE-2015-0097, CVE-2015-1633, CVE-2015-1636
  KB: 3038999
  Known exploits: no known exploits
  Microsoft rating: Critical, exploitability 1
  ISC rating: clients Critical, servers Important

MS15-023 Elevation of Privilege Vulnerability in Kernel Mode Drivers (replaces MS15-010)
  Affected: Kernel Mode Drivers
  CVEs: CVE-2015-0077, CVE-2015-0078, CVE-2015-0094, CVE-2015-0095
  KB: 3034344
  Known exploits: no known exploits
  Microsoft rating: Important, exploitability 2
  ISC rating: clients Important, servers Important

MS15-024 Information Disclosure Vulnerability in PNG Processing (replaces MS15-016)
  Affected: Windows
  CVEs: CVE-2015-0080
  KB: 3035132
  Known exploits: no known exploits
  Microsoft rating: Important, exploitability 3
  ISC rating: clients Important, servers Important

MS15-025 Elevation of Privilege / Impersonation Vulnerability in Windows Kernel (replaces MS13-031, MS15-010, MS15-015)
  Affected: Windows Kernel
  CVEs: CVE-2015-0073, CVE-2015-0075
  KB: 3038680
  Known exploits: no known exploits
  Microsoft rating: Important, exploitability 2
  ISC rating: clients Important, servers Important

MS15-026 Cross Site Scripting Vulnerabilities in Microsoft Exchange Server
  Affected: Microsoft Exchange Server
  CVEs: CVE-2015-1628, CVE-2015-1629, CVE-2015-1630, CVE-2015-1631, CVE-2015-1632
  KB: 3040856
  Known exploits: no known exploits
  Microsoft rating: Important, exploitability 2
  ISC rating: clients Important, servers Important

MS15-027 Spoofing Vulnerability in NETLOGON (replaces MS10-101)
  Affected: Windows
  CVEs: CVE-2015-0005
  KB: 3002657
  Known exploits: no known exploits
  Microsoft rating: Important, exploitability 2
  ISC rating: clients Important, servers Important

MS15-028 Access Control List Bypass via Windows Task Scheduler
  Affected: Windows
  CVEs: CVE-2015-0084
  KB: 3030377
  Known exploits: no known exploits
  Microsoft rating: Important, exploitability 2
  ISC rating: clients Important, servers Important

MS15-029 Information Disclosure in Windows Photo Decoder
  Affected: Windows Photo Decoder
  CVEs: CVE-2015-0076
  KB: 3035126
  Known exploits: no known exploits
  Microsoft rating: Important, exploitability 2
  ISC rating: clients Important, servers Important

MS15-030 Denial of Service Vulnerability in RDP (replaces MS14-030)
  Affected: Remote Desktop Protocol
  CVEs: CVE-2015-0079
  KB: 3039976
  Known exploits: no known exploits
  Microsoft rating: Important, exploitability 3
  ISC rating: clients Important, servers Important

MS15-031 Schannel Patch for FREAK
  Affected: Schannel
  CVEs: CVE-2015-1637
  KB: 3046049
  Known exploits: yes
  Microsoft rating: Important, exploitability 1
  ISC rating: clients Important, servers Important

We will update issues on this page for about a week or so as they evolve. We appreciate updates. US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting". Best practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Apple Patches for iOS, OS X and Apple TV, (Tue, Mar 10th)

Tue, 03/10/2015 - 04:46

With yesterday's updates for iOS, OS X and Apple TV, Apple also addressed a number of security vulnerabilities, most notably the FREAK vulnerability. After updating, the affected operating systems no longer support export-grade ciphers. However, Apple browsers continue to support SSLv3 and, as a result, continue to be vulnerable to POODLE.

Quick summary of the security content of Apple's updates:

Xcode 6.2: This update addresses 4 vulnerabilities in Subversion and 1 in Git.

OS X: 5 vulnerabilities. The most serious of which is likely a code execution vulnerability in Keychain.

Apple TV: 3 vulnerabilities. One of which would allow an attacker to write files to the system if the user mounts a corrupt disk image.

iOS: 6 vulnerabilities. In addition to FREAK and the above mentioned Keychain problem, a vulnerability that allows an attacker with physical access to the device to see the home screen of a locked device is patched.

For details from Apple, see https://support.apple.com/en-us/HT1222

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
