Oracle Fusion Middleware CVE-2016-3455 Remote Security Vulnerability
 
Mozilla Network Security Services Use After Free CVE-2016-1978 Remote Code Execution Vulnerability
 
OpenSSL CVE-2016-0799 Remote Format String Vulnerability
 
IBM Security Privileged Identity Manager CVE-2016-0357 Click Jacking Vulnerability
 
OpenSSL 'crypto/bio/b_print.c' Denial of Service Vulnerability
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google Chrome Prior to 50.0.2661.102 Multiple Security Vulnerabilities
 
NTP CVE-2015-5219 Denial of Service Vulnerability
 
Google Nexus Qualcomm Components Multiple Privilege Escalation Vulnerabilities
 


Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites.

Shard, as the command-line tool has been dubbed, is designed to allow end users to test if a password they use for one site is also used on Facebook, LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O'Keefe, told Ars. The security researcher said he developed the tool after discovering that the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May.

"I used that password as a general password for many services," he wrote in an e-mail. "It was a pain to remember which sites it was shared and to change them all. I use a password manager now."


 
NTP CVE-2015-7973 Security Bypass Vulnerability
 
NTP CVE-2015-7974 Symmetric Key Encryption Authentication Security Bypass Vulnerability
 

If you sign into Pokémon Go on iOS, you may be giving it more access than it needs. (credit: Andrew Cunningham)

Update: Niantic has confirmed in a statement that the Pokémon Go app requests more permissions than it needs, but that it has not accessed any user information. Google will automatically push a fix on its end to reduce the app's permissions, and Niantic will release an update to the app to make it request fewer permissions in the first place. The full statement:

"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.

Original story: A word of warning if you're playing Pokémon Go on iOS: signing into the app through Google currently gives the game full access to your Google account (hat tip to Adam Reeve for discovering the issue). External apps that you sign into with Google often ask for a small subset of permissions based on what they need to do—view your contacts, view and send e-mail, view and delete Google Drive documents, and so on. But Niantic's Pokémon Go iOS app doesn't ask, and with full account access, it can theoretically do all of those things and more. You can check on and revoke permissions for Pokémon Go and any other external app on this page.

We've independently verified that the game requests full account access on iOS, but the Android version doesn't appear to have the same problem; you can sign in with Google but the app doesn't show up on the permissions page. And, of course, you don't need to use a Google account to play Pokémon Go: an account created through the Pokémon site will also work. However, that site is currently having server problems and you may not be able to create an account right now if you don't already have one.


 
NTP CVE-2015-7979 Denial of Service Vulnerability
 

This is a guest diary by Yaser Mansour. Due to the extensive use of images, please note that all the images are clickable to view them at full size. A PDF version of this diary is available here

Malicious macros in Office documents are not new, and several samples have been analyzed here at the ISC Diary website. Usually, the macro script is used to drop the second-stage malware either by reaching out to the internet or by extracting a binary embedded in the Office document itself. In this post, we will examine two similar malicious documents that were observed separately, each dropping a different malware sample, namely NetWiredRC and iSpy.

There are several interesting facts about the samples we are going to analyze today:

  1. The macro embedded in the Office document does not reach out to the internet. Instead, it extracts a binary embedded in the Word document itself in ASCII hex format and writes it to disk.
  2. Both malicious Word documents were observed separately. However, both use the same technique to extract the embedded binary as well as the same decoy message enticing the end user to enable macros.
  3. During network forensics of the NetWiredRC malware, a new C&C command was observed which was not reported by [1][2]. This also resulted in a total of 9 custom Snort signatures being submitted and published in the Snort Community Ruleset [3][4].
  4. The iSpy sample generated network traffic patterns different from those observed previously. More about this in the following sections.

Brief History of NetWiredRC and iSpy Malware Samples

The NetWiredRC RAT family has been extensively discussed by security researchers [1][2], and recently TALOS released Snort signatures to detect NetWiredRC over the network [3], as well as a new signature for the new NetWiredRC command [4].

iSpy was first observed by the author during January 2016 with the sample b33c5ba388f8a32006133cb8888a9370. This sample performed its C&C over HTTP, as seen in the screenshot below, and Snort signatures were released [4].

Picture 1

Other samples were observed during March and April 2016 (65ee535f0efcb30626ce5c8e7763e782 and cd3a43d3504925a396183b467b0980cb, respectively). Both of these samples also used HTTP for their C&C communication. One of the latest samples observed was extracted from the embedded payload in the Word document discussed in the remainder of this article. This recent sample performs its C

Interestingly, each document consisted of a large number of empty


Continuing to inspect the script, it becomes apparent how the second-stage binary is dropped to the local disk. The script leverages the Word Object Model [8] to access the Paragraph Object Members [9]. More about this later. In order to understand why the script would access paragraphs from the document itself, the document was opened with macros disabled to prevent the script from executing.

Scrolling through the document to inspect what these 232 pages contain showed only empty pages containing nothing, or did they? To verify, the document was extracted as a ZIP archive, since it is an OOXML document. Extracting the document also gives access to the internal structures of the document.

A bird's-eye view of this segment of the script suggests that the script loops through the paragraphs available within the document and the text embedded within them until it reaches paragraph 24. From that paragraph's text, the script grabs 2 characters (one hex byte as a string; see the two screenshots below), un-hexifies it to get the decimal/numerical representation using the Type Character &H (the hS variable value) Hexadecimal Literal [13], and then XORs it with the hexadecimal key &HEE (0xEE) to produce the bytes that serve a specific purpose.

Let's take the first two bytes from the screenshot below to test this logic. The first 2 string hex bytes are A3 B4. The table below breaks down the conversions performed by the script snippet above. Do you see anything familiar in the table? The two bytes 4D 5A or MZ

  Raw String Hex Byte | Decimal Representation (&H) | Decimal Representation (Xor 0xEE) | Hex Representation
  A3                  | 163                         | 77                                | 0x4D
  B4                  | 180                         | 90                                | 0x5A

To automate the above algorithm, the following Python script was created.
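The decoding logic described above, written out as an added example (this is not the diary author's script, which was shown as a screenshot): it converts the hex-string paragraph to bytes, XORs each byte with 0xEE, and checks for the MZ header so an analyst can triage the carved payload without writing it to disk. The sample paragraph is constructed here; only its first two bytes (A3 B4) come from the diary's table.

```python
"""Decode a payload hidden as XOR-obfuscated ASCII hex in a Word paragraph."""
import hashlib

XOR_KEY = 0xEE  # the macro's hexadecimal key &HEE


def decode_hex_paragraph(text: str, key: int = XOR_KEY) -> bytes:
    """Turn a hex-string paragraph into bytes, XORing each byte with key.

    Whitespace is ignored. An odd-length or non-hex string raises ValueError
    so that a truncated or corrupted paragraph is noticed instead of being
    silently decoded into garbage.
    """
    cleaned = "".join(text.split())
    if len(cleaned) % 2:
        raise ValueError("hex string has odd length: %d chars" % len(cleaned))
    raw = bytes.fromhex(cleaned)        # same step as the macro's &H conversion
    return bytes(b ^ key for b in raw)  # same step as the macro's Xor &HEE


def looks_like_pe(blob: bytes) -> bool:
    """Check for the 'MZ' DOS header the decoded bytes are expected to start with."""
    return blob[:2] == b"MZ"


def analyze(text: str) -> dict:
    """Decode one paragraph and report size, header check and hash for triage."""
    blob = decode_hex_paragraph(text)
    return {
        "size": len(blob),
        "is_pe": looks_like_pe(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


# Constructed sample (not from the malicious document): "A3B4" are the two
# bytes from the diary's table; the rest is filler obfuscated with the same
# XOR key so the example runs stand-alone.
FAKE_BODY = b"This program cannot be run in DOS mode."
SAMPLE_PARAGRAPH = "A3B4" + bytes(b ^ XOR_KEY for b in FAKE_BODY).hex().upper()

if __name__ == "__main__":
    print(analyze(SAMPLE_PARAGRAPH))
```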

The screenshot below shows the same ParagraphRemove() routine (beautified and commented) from the second malicious Word document, which dropped the iSpy malware sample. An interesting note from both malicious Word documents is the "Startincex" misspelling.

References:

[1] https://www.circl.lu/pub/tr-23/
[2] http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/
[3] http://blog.snort.org/2016/03/snort-subscriber-rule-set-update-for_29.html
[4] http://blog.snort.org/2016/05/snort-subscriber-rule-set-update-for_31.html
[5] https://blog.didierstevens.com/programs/oledump-py/
[6] http://www.decalage.info/vba_tools
[7] https://remnux.org/
[8] https://msdn.microsoft.com/en-us/library/kw65a0we.aspx
[9] https://msdn.microsoft.com/en-us/library/office/ff839491.aspx
[10] http://officeopenxml.com/WPparagraph.php
[11] http://www.ecma-international.org/publications/standards/Ecma-376.htm
[12] https://msdn.microsoft.com/en-us/library/office/gg607163(v=office.14).aspx
[13] https://msdn.microsoft.com/en-us/library/s9cz43ek.aspx
[14] https://msdn.microsoft.com/en-us/library/xe736fyk(v=vs.90).aspx


 
Persistent Cross-Site Scripting in WP Live Chat Support plugin
 

People seem to have Grover-levels of excitement about some "S" sweeping the Web.

We're in the midst of a major change sweeping the Web: the familiar HTTP prefix is rapidly being replaced by HTTPS. That extra "S" in an HTTPS URL means your connection is secure and that it's much harder for anyone else to see what you're doing. And on today's Web, everyone wants to see what you're doing.

HTTPS has been around nearly as long as the Web, but it has been primarily used by sites that handle money—your bank's website, shopping carts, social networks, and webmail services like Gmail. But these days Google, Mozilla, the EFF, and others want every website to adopt HTTPS. The push for HTTPS everywhere is about to get a big boost from Mozilla and Google when both companies' Web browsers begin to actively call out sites that still use HTTP.

The plan is for browsers to start labeling HTTP connections as insecure. In other words, instead of the green lock icon that indicates a connection is secure today, there will be a red icon to indicate when a connection is insecure. Eventually secure connections would not be labeled at all, they would be the assumed default.


 
Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin
 
Internet Storm Center Infocon Status