(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

While searching for new ways to deliver their malware[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. Publisher is less well known than Word or Excel. This desktop publishing tool was released in 1991 (version 1.0), but it is still alive and included in the newest Office suite. Not surprisingly, it also supports macros.

By using .pub files, attackers gain ground on several fronts: potential victims don't know the .pub extension (it can be read as "public" or "publicity", which makes the document look less suspicious), and spam filters do not block this file extension. Finally, researchers are also affected, because their sandbox environments do not have Publisher installed by default, making the sample impossible to analyze!

A sample of a malicious .pub file is already available on VT[4] with a low detection score (5/55).
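Since a sandbox without Publisher cannot open the file, a mail gateway or triage script can still tell a macro-bearing .pub from a plain one by parsing its container: .pub files are OLE2/CFB compound documents, and a VBA project shows up as a "VBA" storage or "_VBA_PROJECT" stream in the directory. The following is an added example, not the diary's or ISC's code; the CFB walker reads only the 109 in-header DIFAT entries (enough for small documents), and the sample container it builds is constructed inline for demonstration.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF

def cfb_entry_names(data):
    """Yield directory-entry names of an OLE2/CFB container such as a .pub file."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    fat = []  # the header holds the first 109 DIFAT entries = sector ids of FAT sectors
    for sid in struct.unpack_from("<109I", data, 76):
        if sid > 0xFFFFFFFA:  # FREESECT/ENDOFCHAIN markers end the DIFAT list
            break
        fat += struct.unpack_from("<%dI" % (sector_size // 4), data, (sid + 1) * sector_size)
    sid, seen = first_dir, set()
    while sid < len(fat) and sid not in seen:  # follow the directory chain through the FAT
        seen.add(sid)
        base = (sid + 1) * sector_size
        for pos in range(base, base + sector_size, 128):  # 128-byte directory entries
            name_len = struct.unpack_from("<H", data, pos + 64)[0]
            if 2 <= name_len <= 64 and data[pos + 66] != 0:  # object type 0 = unused slot
                yield data[pos:pos + name_len - 2].decode("utf-16-le")
        sid = fat[sid]

def has_vba_project(data):
    """True if the container exposes a VBA storage or _VBA_PROJECT stream, i.e. carries macros."""
    return any(n.upper() == "VBA" or n.upper().startswith("_VBA_PROJECT")
               for n in cfb_entry_names(data))

def build_sample_cfb(entry_names):
    """Constructed sample container: 512-byte sectors, FAT in sector 0, directory in sector 1."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HH", hdr, 28, 0xFFFE, 9)                  # byte-order mark, sector shift 9
    struct.pack_into("<II", hdr, 44, 1, 1)                       # one FAT sector, directory at sector 1
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))   # DIFAT[0]: the FAT lives in sector 0
    fat = bytearray(b"\xFF" * 512)                               # all sectors free by default
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)         # sector 0 = FAT, sector 1 ends the chain
    directory = bytearray(512)
    for i, name in enumerate(["Root Entry"] + list(entry_names)):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<H", directory, i * 128 + 64, len(raw))
        directory[i * 128 + 66] = 5 if i == 0 else 1             # 5 = root storage, 1 = storage
    return bytes(hdr + fat + directory)
```

Feeding a real attachment is `has_vba_project(open(path, "rb").read())`; a hit on a .pub file is a strong signal to quarantine it even when no sandbox can detonate it.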

Stay safe!

[1] https://isc.sans.edu/forums/diary/Voice+Message+Notifications+Deliver+Ransomware/21397/
[2] https://isc.sans.edu/forums/diary/Todays+Locky+Variant+Arrives+as+a+Windows+Script+File/21423/
[3] https://products.office.com/en/publisher
[4] https://www.virustotal.com/en/file/24441d0573c255852f28e558001883a00bc2f18816f48653d63429065d1f37fd/analysis/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key