Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Adobe Premiere Clip CVE-2015-8051 Unspecified Security Vulnerability
 
Adobe ColdFusion APSB15-29 Multiple Unspecified Cross Site Scripting Vulnerabilities
 

(credit: CyberHades)

Today, Microsoft issued three new security advisories and a dozen new patches in the company’s monthly round of security updates. And one of the advisories was apparently the result of a security fumble by Microsoft's internal IT team: the inadvertent disclosure of the private encryption keys for a wildcard SSL/TLS certificate.

The certificate, which was used for Microsoft's xboxlive.com domain, has been revoked on Microsoft's Certificate Trust List, but it could still be used in man-in-the-middle attacks that "spoof" the Xbox Live network against systems that haven't been updated. Microsoft isn't saying how the certificate was "inadvertently disclosed," but it's likely that the "wildcard" certificate was accidentally shared with a partner. It's unlikely that the certificate will be used for an attack now that it's been revoked, but systems that don't regularly get their certificate trust lists updated might still be vulnerable.

System administrators have a bigger headache to deal with: an update issued today for Microsoft Windows DNS that patches a remote code execution vulnerability. Rated "critical" by Microsoft, the bug in DNS affects Windows Server 2008 and later. It could allow an attacker to send a "specially-crafted" Domain Name Service request to a Windows DNS server that can run commands on the server with the permissions of the Local System account—giving the attackers a wide range of access to the server that could easily be escalated.


 
IBM WebSphere Application Server CVE-2015-7450 Remote Code Execution Vulnerability
 
OpenSSL CVE-2015-1789 Out of Bounds Read Denial of Service Vulnerability
 
HP LoadRunner Virtual Table Server CVE-2015-6857 Local Code Execution Vulnerability
 

Best of New Zealand InfoSec recognised at 2015 iSANZ Awards
Scoop.co.nz (press release)
Over 200 people from New Zealand's close-knit information security (InfoSec) community gathered last night in Wellington to formally celebrate the achievements of those working on the frontlines of cyber security. The 2015 iSANZ Awards were handed out ...
 

(credit: Aurich Lawson and Getty)

Getting a Linux server hacked and made part of a botnet is easier than some people may think. As two unrelated blog posts published in the past week demonstrate, running a vulnerable piece of software is often all that's required.

Witness, for example, a critical vulnerability disclosed earlier this year in Elasticsearch, an open source server application for searching large amounts of data. In February, the company that maintains it warned it contained a vulnerability that allowed hackers to execute commands on the server running it. Within a month, a hacking forum catering to Chinese speakers provided all the source code and tutorials needed for people with only moderate technical skills to fully identify and exploit susceptible servers.

A post published Tuesday by security firm Recorded Future deconstructs that hacker forum tutorial from last March. The tutorial showed how to scan search services such as Shodan and ZoomEye to find vulnerable machines. It included an attack script written in Python that was used to exploit one of them and a separate Perl script used to make the newly compromised machine part of a botnet of other zombie servers. It also included screenshots showing the script being used against the server. The tutorial underscores the growing ease of hacking production servers and the risk of being complacent about patching.


 

And to not be outdone by Microsoft and Adobe, Apple just released patches for:

iOS 9.2

A total of 50 vulnerabilities (CVE IDs) are addressed. About 10 of them affect WebKit and may lead to arbitrary code execution by visiting a malicious website. There are a large number of additional remote code execution vulnerabilities in various iOS components that are patched.

watchOS 2.1

A lot of overlap with patches released for iOS, but no WebKit issues as watchOS does not include a browser.

Xcode 7.2

Updates to git, otool and IDE SCM. The git update fixes a number of vulnerabilities that have been known (and fixed) in the open source software for a while.

OS X 10.11.2 (and Security Update 2015-008 for Mavericks and Yosemite)

Updates to various open source packages (LibreSSL, OpenSSH, libxml2 and others). Also improvements to some hardware drivers (e.g. Thunderbolt).

Safari 9.0.2

Fixes WebKit issues for Yosemite, Mavericks and El Capitan.

tvOS

This affects the just released 4th generation Apple TV and addresses similar vulnerabilities as the new version of iOS.

Details can be found as usual here: https://support.apple.com/en-us/HT201222

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 

As usual, Adobe is joining Microsoft on Patch Tuesday. So far there is only one bulletin, APSB15-32 with a patch for Adobe Flash Player. It fixes a total of 77 vulnerabilities (if I counted right...).

[1]https://helpx.adobe.com/security/products/flash-player/apsb15-32.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 

(credit: Aurich Lawson)

The head of the FBI's science and technology division has admitted what no other agency official has acknowledged before—the FBI sometimes exploits zero-day vulnerabilities to catch bad guys.

The admission came in a profile published Tuesday of Amy Hess, the FBI's executive assistant director for science and technology who oversees the bureau's Operational Technology Division. Besides touching on the use of zero-days—that is, attack code that exploits vulnerabilities that remain unpatched, and in most cases are unknown by the company or organization that designs the product—Tuesday's Washington Post article also makes passing mention of another hot-button controversy: the FBI's use of stingrays. As reporter Ellen Nakashima wrote:

One area of controversy is the bureau’s use of cell site simulators, or Stingrays, which mimic cellphone towers to elicit signals from cellphones in an area, including from innocent bystanders. The FBI has long been secretive about the tool’s use, and has even made state and local law enforcement sign nondisclosure agreements.

Though the agreements typically state that the local agency “will not . . . disclose any information concerning” the equipment, Hess insists that the FBI has never imposed a gag on local police. For the record, she said, the bureau does not object to revealing the use of the device. It’s the “engineering schematics,” details on exactly how the tool works, that the FBI wants shielded, she said.

Another group that remains shrouded is OTD’s Remote Operations Unit. There, technicians with a warrant hack computers to identify suspects. Euphemistically called “network investigative techniques,” that activity has stirred concerns similar to those raised with the use of Stingrays.

For one thing, the warrant applications do not describe the technique’s use in detail. So judges may not really understand what they are authorizing. Hess said that agents can describe the process more fully to a judge in closed chambers. That’s if the judge knows to ask.

Privacy advocates also worry that to carry out its hacks, the FBI is using “zero-day” exploits that take advantage of software flaws that have not been disclosed to the software maker. That practice makes consumers who use the software vulnerable, they argue.

Hess acknowledged that the bureau uses zero-days—the first time an official has done so. She said the trade-off is one the bureau wrestles with. “What is the greater good—to be able to identify a person who is threatening public safety?” Or to alert software makers to bugs that, if unpatched, could leave consumers vulnerable?

“How do we balance that?” she said. “That is a constant challenge for us.”

She added that hacking computers is not a favored FBI technique. “It’s frail,” she said. As soon as a tech firm updates its software, the tool vanishes. “It clearly is not reliable” in the way a traditional wiretap is, she said.

The Post also includes a counterpoint from privacy advocate and American Civil Liberties Union Principal Technologist Christopher Soghoian. He referred to Hess as the "queen of domestic surveillance" and opined: "if it's high-tech and creepy, it's happening in the Operational Technology Division."


 

Special Note: MS15-127 looks particularly nasty. A remote code execution vulnerability in Microsoft's DNS server. Microsoft rates the exploitability as 2, but doesn

MS15-124 Cumulative Security Update for Internet Explorer (Replaces MS15-124) Internet Explorer
CVE-2015-6083, CVE-2015-6134, CVE-2015-6135, CVE-2015-6136, CVE-2015-6138, CVE-2015-6139, CVE-2015-6140, CVE-2015-6141, CVE-2015-6142, CVE-2015-6143, CVE-2015-6144, CVE-2015-6145, CVE-2015-6146, CVE-2015-6147, CVE-2015-6148, CVE-2015-6149, CVE-2015-6150, CVE-2015-6151, CVE-2015-6152, CVE-2015-6153, CVE-2015-6154, CVE-2015-6155, CVE-2015-6156, CVE-2015-6157, CVE-2015-6158, CVE-2015-6159, CVE-2015-6160, CVE-2015-6161, CVE-2015-6162

Critical: Anything that needs little to become interesting
Less Urt practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.

The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

As we are waiting for the Microsoft Santa to slide down our data center air conditioning duct later today to deliver a delicious package of patches (did you leave some floppy disks and a can of Red Bull out for him?), we got a couple of other announcements from Microsoft that should not be overlooked:

- January will be the last month Microsoft will provide updates for any Internet Explorer version other than Internet Explorer 11! Even Internet Explorer 10 will no longer be supported after January's Patch Tuesday (January 12th, 2016).

- Support will also end for Windows XP Embedded. This will also make it more difficult for other Windows XP left-overs that tricked their version to use the Embedded updates. But nobody should be running XP anyway (right?).

- Still running Windows 7 or 8.1 (sure way to stay on MSFT Santa's naughty list)? Rumor has it that with today's Patch Tuesday, Microsoft may re-enable the auto-upgrade to Windows 10. You may flip the switch back to not update, but it will set itself to on once a day.

[1]https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
[2]https://support.microsoft.com/en-us/lifecycle/search/default.aspx?=alpha=Windows%20XP
[3]http://www.computerworld.com/article/3012278/microsoft-windows/microsoft-sets-stage-for-massive-windows-10-upgrade-strategy.html#tk.rss_all

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Executable installers are vulnerable^WEVIL (case 5): JRSoft InnoSetup