Microsoft announced the first-ever major update to its Microsoft Active Protections Program (MAPP) this week, dramatically expanding the list of potential members and providing several new levels of service in the process. The information-sharing program has been instrumental to high-quality detection for security vendors for years, and incident responders are the primary beneficiaries of the expansion.
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Microsoft announces major expansion of MAPP program
Description: For the first time since the inception of the Microsoft Active Protections Program (MAPP) in 2008, the firm is dramatically increasing its scope, with two new sub-programs designed to increase the number of people who can benefit from MAPP’s information-sharing regime.
The first, MAPP for Responders, will bring incident responders into the fold, with data focused on identifying and remediating live exploitation in the wild. The second, MAPP Scanner, is a cloud-based tool that will allow an even broader range of organizations to submit files they suspect might be exploiting a vulnerability in Microsoft software, with both information on known vulnerabilities and details of suspicious information being supplied in return. In addition, program benefits are being expanded for current MAPP members, which will be re-branded as MAPP for Security Vendors. This expansion of the program comes on the heels of its dramatic success over the last several years, helping to validate the strategy of open information-sharing among network defenders worldwide.
Reference:
http://blogs.technet.com/b/bluehat/archive/2013/07/29/new-mapp-initiatives.aspx
Snort SID: N/A
ClamAV: N/A
Title: Dovecot + Exim remote code execution attack spotted in the wild
Description: A trivially exploitable remote code execution vulnerability in the Dovecot mail server, when paired with Exim as a local delivery agent, was announced in May, with only a workaround being released to date. Recent notes from the ISC Storm Center show that the attack, which has several publicly available proofs of concept, is now being exploited in the wild.
Administrators of these systems are urged to check their configurations and take appropriate mitigation immediately.
Reference:
https://isc.sans.edu/diary/Dovecot++Exim+Exploit+Detects/16243
http://osvdb.org/show/osvdb/93004
Snort SID: 27532
ClamAV: N/A
Title: Internet Explorer 9/10 information disclosure vulnerability
Description: In a post to the popular Full-Disclosure mailing list on Monday, an independent researcher provided information around a potential new Internet Explorer information disclosure vulnerability, which he claimed would be useful in bypassing ASLR. While confirmation of the vulnerability was pending as of the time of publication, and no signs of exploitation in the wild are available at this time, security researchers and incident responders should be paying close attention to systems they monitor until further information is released.
Reference:
http://seclists.org/fulldisclosure/2013/Jul/267
Snort SID: 27531
ClamAV: N/A
Title: Package using Android “Extra Field” vulnerability spotted in the wild
Description: Independent researcher Zhuowei Zang recently began distributing an APK on his Github site that used the recently disclosed “Extra Field”
vulnerability in APK file parsing in order to gain root access on the Kobo Arc tablet. While his particular package contained no malicious code, and simply took advantage of system package permissions to install a superuser account, it shows how easy live exploitation of the vulnerability is, likely setting the stage for further use of it in the coming weeks.
Reference:
http://vrt-blog.snort.org/2013/07/android-extra-field-vulnerability_30.html
Snort SID:
ClamAV: BC.Exploit.Andr.Extra_Field
============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Windows RT ARMv7-based shellcode development:
http://www.exploit-monday.com/2013/07/WinRT-ARM-Shellcode.html
Styx cool exploit kit: one applet to exploit all vulnerabilities:
http://security-obscurity.blogspot.com/2013/07/styxy-cool-exploit-kit-one-applet-to.html
Spy agencies ban Lenovo PCs on security concerns:
http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_HVgcKTHp4bIA4ulCPqC7SL
MSI: the case of the invalid signature:
http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/
Security vendors: do no harm, heal thyself:
http://krebsonsecurity.com/2013/07/security-vendors-do-no-harm-heal-thyself/
The evolution of Rovnix: private TCP/IP stacks:
Verizon announces Veris database – raw incident data:
http://www.verizonenterprise.com/security/blog/index.xml?postid=4642
Flush + Reload: a high resolution, low noise L3 cache side-channel attack:
http://eprint.iacr.org/2013/448.pdf
Big poker player loses high-stakes Android scam game:
http://www.symantec.com/connect/blogs/big-poker-player-loses-high-stakes-android-scam-game
Haunted by the ghosts of ZeuS and DNSChanger:
http://krebsonsecurity.com/2013/07/haunted-by-the-ghosts-of-zeus-dnschanger/
Vulnerability disclosed all passwords of Barracuda Networks employees:
http://securityaffairs.co/wordpress/16584/hacking/vulnerability-in-baracuda-network.html
Advanced exploitation of Windows kernel privilege escalation /
CVE-2013-3660:
http://www.vupen.com/blog/20130723.Advanced_Exploitation_Windows_Kernel_Win32k_EoP_MS13-053.php
How I found my way into Instagram’s Ganglia, and a bug with Facebook likes:
http://josipfranjkovic.blogspot.com/2013/07/how-i-found-my-way-into-instagrams.html
Dissecting a WordPress brute force attack:
http://blog.sucuri.net/2013/07/dissecting-a-wordpress-brute-force-attack.htm
Deja un comentario