InfoSec News

A researcher has bypassed Microsoft's temporary fix for a zero-day Internet Explorer browser vulnerability that hackers have been exploiting for a month.

On 1 Jan 2013, Johannes posted a diary on a Microsoft FixIt made available for IE as a way of mitigating the CVE-2012-4792 zero-day attack. Researchers at Exodus Intelligence reported today that they have developed a new attack that bypasses the FixIt issued by Microsoft. They were able to bypass the fix and compromise a fully patched system using some variation of the exploit published this week.

You might want to take a second look at the diary published this week on using EMET 3.5 as another tool to help defend your Windows systems against various attacks.

[1] https://isc.sans.edu/diary.html?storyid=14788

[2] http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-cve-2012-4792/

[3] https://isc.sans.edu/diary.html?storyid=14797


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Advantech Studio 'NTWebServer.exe' Directory Traversal Vulnerability

BankInfoSecurity.com (blog)

3% Unemployment Among Infosec Pros?
After seven straight quarters of recording no joblessness among IT security professionals, an unpublished U.S. Bureau of Labor Statistics report suggests a small number of information security experts are out of work and looking for jobs in the field ...

The patent injunction portion of Google's antitrust settlement with the U.S. Federal Trade Commission this week won't mean an end to patent disputes between Google and mobile device makers, but it does take away one major threat Google has used against competitors, some patent experts said.
Turktrust, the Turkish certificate authority (CA) responsible for issuing an intermediate CA certificate that was later used to generate an unauthorized certificate for google.com, claims that the bad Google certificate was not used for dishonest purposes.
As 2013 begins, the SaaS (software as a service) market is set to heat up even more, as well as potentially undergo a number of key shifts. Here's a look at a series of key SaaS vendors and trends to watch as the year unfolds.
An elite hacker group credited last year with having an inexhaustible supply of zero-day vulnerabilities was responsible for digging up and first using the newest unpatched bug in Internet Explorer (IE), a Symantec manager said today.
Microsoft's Internet Explorer posted an annual usage share gain in 2012 for the first time in eight years, according to data from Web analytics firm Net Applications.
In this edition: collective Trojan cracking, Windows server protection, a zero day gang, testing EMET, a hacker movie from Bollywood, and Hack.me

TomatoCart 1.x | Unrestricted File Creation
Employers in Illinois and California cannot ask for usernames and passwords to the personal social media accounts of employees and job seekers under laws that took effect on Jan. 1.
RPM CVE-2012-6088 Signature Verification Security Bypass Vulnerability
Enterasys Network Management Suite 'nssyslogd.exe' Component Stack Buffer Overflow Vulnerability
Qualcomm Atheros is rolling out StreamBoost, a technology that will be used in Wi-Fi routers and gateways to improve the performance of movies and games streamed over wireless home networks.
SWI-Prolog Multiple Stack Buffer Overflow Vulnerabilities
Apache Tomcat CVE-2012-3546 Security Bypass Vulnerability
Symfony Double-URL-Encoded Path Security Bypass Vulnerability
CVE-2012-6494 - Nexpose Security Console - Session Hijacking
CVE-2012-6493 - Nexpose Security Console - Cross-Site Request Forgery (CSRF)
Two certificates, which could be used to issue certificates for arbitrary domains, were issued to customers. One of the two was used to issue a certificate for google.com domains.

Drupal Nodewords: D6 Meta Tags Module Information Disclosure Vulnerability
Drupal Context Module Information Disclosure Vulnerability

Tuesday will bring seven patches from Microsoft, as well as a set of fixes from Adobe to address critical vulnerabilities in Adobe Reader and Adobe Acrobat.



Ruby on Rails Multiple SQL Injection Vulnerabilities
Cisco Systems and NXP Semiconductors have both invested in connected car equipment vendor Cohda Wireless, as they look to make the Internet of things a reality and take a piece of a quickly growing market.
China has punished six companies, including Samsung and LG, for manipulating LCD panel prices in the country, and ordered them to pay a total of $56 million in fines.
The U.S. Department of State has described the timing of a proposed visit by Google's executive chairman Eric Schmidt and others to North Korea as not "particularly helpful" in view of the Asian country's recent launch of a long-range rocket.
New York's state pension fund sued Qualcomm on Thursday in a bid to force the chipmaker to disclose its political contributions, which the fund argued is needed to ensure the contributions are in its shareholders' interests.
The U.S. International Trade Commission is investigating Samsung for possible trade violations in response to a complaint filed by Swedish network equipment vendor Ericsson.
Microsoft and Adobe have both issued advisories on the critical flaws they plan to fix next Tuesday, but neither company will have fixes for recently discovered critical flaws in Internet Explorer and ColdFusion.

Microsoft won't have its signature mega-booth at International CES 2013 starting next week in Las Vegas, but that's not expected to lessen the trade show's impact, or largesse.
Brett Goldstein brings a deep background and big plans for the city's IT.
After sparring for users' attention and wallets, PCs and mobile devices are starting to converge in size, style and how we use them.

The Guardian (blog)

An infosec manager's new year email dilemma
Option one: does the infosec manager risk their career prospects by saying an outright "no you can't"? Option two: do they attempt a re-education of the risks, knowing full well the response will be: "I know all that but this is important for my ...

Roughly four months after being reported, a vulnerability in Facebook's video upload feature has now apparently been closed. The two security researchers who discovered the problem were pleasantly surprised at the size of their reward.

WordPress Cimy User Manager Plugin Arbitrary File Disclosure Vulnerability
Internet Storm Center Infocon Status