Microsoft Edge CVE-2016-7204 Information Disclosure Vulnerability
Microsoft Office CVE-2016-7234 Memory Corruption Vulnerability
Microsoft Office CVE-2016-7233 Information Disclosure Vulnerability
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.


Google has shut down an operation that combined malicious AdSense advertisements with a zero-day attack exploiting Chrome for Android to force devices to download banking fraud malware.

Over a two-month span, the campaign downloaded the Banker.AndroidOS.Svpeng banking trojan on about 318,000 devices monitored by Kaspersky Lab, researchers from the Moscow-based anti-malware provider reported in a blog post published Monday. While the malicious installation files weren't automatically executed, they carried names such as last-browser-update.apk and WhatsApp.apk that were designed to trick targets into manually installing them. Kaspersky privately reported the scam to Google, and engineers from the search company put an end to the campaign, although the timing of those two events wasn't immediately clear.

"So far, those behind Svpeng have limited their attacks to smartphone users in Russia," Kaspersky Lab researchers Nikita Buchka and Anton Kivva wrote in Monday's post. "However, next time they push their 'adverts' on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?"


Microsoft Office CVE-2016-7235 Memory Corruption Vulnerability
Microsoft Office CVE-2016-7244 Denial of Service Vulnerability
Microsoft Office CVE-2016-7236 Memory Corruption Vulnerability
Microsoft Office CVE-2016-7213 Memory Corruption Vulnerability
Microsoft Office CVE-2016-7230 Memory Corruption Vulnerability
Microsoft Windows CVE-2016-7226 Local Privilege Escalation Vulnerability
Microsoft Windows CVE-2016-7184 Local Privilege Escalation Vulnerability
Microsoft Internet Explorer and Edge CVE-2016-7241 Remote Memory Corruption Vulnerability

The Madison County courthouse has been shut down since last week by ransomware. (credit: Nyttend)

Madison County, Indiana, suffered a widespread ransomware attack that shut down virtually all county services last week. Over the weekend, the county government leadership decided to pay the ransom demands of the ring running the malware, which has not yet been identified publicly.

“We’re following the directions of our insurance carrier,” Madison County Commissioner John Richwine told the Herald-Bulletin this morning. He did not reveal the amount of the ransom but said that it was not as much as residents might have thought it would be—and is being covered by the county's cyber-insurance with Travelers, minus a deductible.

While the ransomware did not apparently affect emergency services or voting systems, an Indiana State Police captain told a local television station that the rest of the county's business had been knocked out. Courts and some county offices were closed, and employees were given the option of taking personal or vacation time in other offices where no work was possible.


IBM Tivoli Storage Manager CVE-2016-0371 Local Information Disclosure Vulnerability
Adobe Flash Player APSB16-37 Multiple Remote Code Execution Vulnerabilities
Adobe Flash Player Type Confusion Multiple Remote Code Execution Vulnerabilities
Adobe Connect CVE-2016-7851 Cross Site Scripting Vulnerability
Cross-Site Scripting in Calendar WordPress Plugin
Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin
Cross-Site Scripting vulnerability in Quotes Collection WordPress Plugin
Cross Site Scripting Vulnerability In Verint Impact 360

Microsoft today released 13 bulletins (plus one bulletin from Adobe for Flash). Five of the Microsoft bulletins and the Adobe Flash bulletin are rated critical. A number of the vulnerabilities have either already been publicly known or have already been exploited:

MS16-129 and MS16-142 (Internet Explorer): An information disclosure vulnerability (%%cve:2016-7199%%) has already been publicly disclosed, but has not been exploited yet. The vulnerability can leak information cross-origin. In addition, there is a spoofing vulnerability that only affects Microsoft Edge and that has been publicly disclosed (%%cve:2016-7209%%).

MS16-132 (Microsoft Graphics Component): This is yet another OpenType font issue (%%cve:2016-7256%%). It has already been exploited, and I labeled this bulletin as Patch Now. The vulnerability can be used for remote code execution.

MS16-135 (Kernel Mode Drivers): A Win32k privilege escalation vulnerability (%%cve:2016-7255%%) has already been publicly disclosed and exploited. This one is a bit odd in that it sounds like what Google released as %%CVE:2016-7855%%. Trying to clarify if this is a typo.

Full details:

Note that Microsoft didn't use the first two bulletins for the usual Internet Explorer and Edge cumulative updates. Instead, the first bulletin (MS16-129) is used for Edge, and the last one (MS16-142) is used for Internet Explorer. The Flash update uses the next-to-last bulletin (MS16-141).

Johannes B. Ullrich, Ph.D.

Multiple IBM Rational Products CVE-2016-2926 Cross Site Scripting Vulnerability
Linux Kernel CVE-2016-9178 Local Information Disclosure Vulnerability
[SECURITY] [DSA 3707-1] openjdk-7 security update
[CVE-2016-6563 / VU#677427]: Dlink DIR routers HNAP Login stack buffer overflow
[security bulletin] HPSBGN03643 rev.1 - HPE KeyView using Filter SDK, Remote Code Execution
Schoolhos CMS v2.29 - (kelas) Data Siswa SQL Injection Vulnerability
Edusson (Robotdon) - Client Side Cross Site Scripting Vulnerability
Faraznet Cms Cross-Site Scripting Vulnerability
Terminology CVE-2015-8971 Arbitrary Command Execution Vulnerability
Edusson (Robotdon) BB - Filter Bypass & Persistent Vulnerability
Faraznet Cms Cross-Site Scripting Vulnerability
WinaXe v7.7 FTP 'Server Ready' CMD Remote Buffer Overflow
Axessh 4.2.2 Denial Of Service
Rapid PHP Editor CSRF Remote Command Execution
[security bulletin] HPSBGN03656 rev.1 - HPE Network Node Manager i (NNMi) Software using Java Deserialization, Remote Arbitrary Code Execution and Cross-Site Scripting


Android users waiting for a fix for a newly discovered flaw that allows apps to bypass key operating-system security protections will have to wait at least another month. The just released patch batch for November, inexplicably, won't include it.

The so-called escalation-of-privilege vulnerability, dubbed Dirty Cow, was introduced into the core of the Linux kernel in 2007, shortly before Google engineers incorporated the open source operating system into Android. That means the bug, formally indexed as CVE-2016-5195, affects every version of Android since its inception. The flaw remained hidden from public view until October 19, when it was disclosed under a coordinated release that was designed to ensure a fix was ready before most people knew about it. The Android Security Bulletin scheduled to be automatically pushed to select handsets sometime this month, however, won't fix the flaw.

"It's a pretty big deal because it's very easy to exploit," Daniel Micay, a developer of the Android-based CopperheadOS for mobile phones, told Ars. "Unlike a memory corruption bug, there are not really any mitigations for it. [Google] can't claim that mitigations stand in the way of easy exploitation for this bug (that's a dubious claim when they do make it, but for this they can't do it)."

