(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.

The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.

While the advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and server versions of Windows alike, an indication that the remote-code bug may threaten Windows desktop and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines exposed if they run software that listens on Internet ports and accepts encrypted connections.



The Stuxnet computer worm that attacked Iran's nuclear development program was first seeded to a handful of carefully selected targets before finally taking hold in uranium enrichment facilities, according to a book published Tuesday.

The new account, included in Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Wired reporter Kim Zetter, is at odds with the now-popular narrative that the malware first penetrated Iran's Natanz enrichment facility and later unexpectedly broke loose to infect hundreds of thousands of other sites across the globe. That earlier account, provided by New York Times journalist David Sanger, characterized the escape outside of Natanz as a programming error that was never intended by engineers in the US and Israel, the two countries Sanger and Zetter said devised and unleashed Stuxnet. According to Zetter, the world's first known cyber weapon first infected Iranian companies with close ties to Iranian nuclear facilities and only later found its way to Natanz.

"To get their weapon into the plant, the attackers launched an offensive against four companies," Zetter wrote. "All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems. They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees."



Adobe today released a patch for Flash/Adobe Air which fixes 18 different vulnerabilities [1]. The Flash update is rated with a priority of 1 for Windows and OS X, indicating that limited exploitation has been observed. Please consult the advisory for details.

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

Johannes B. Ullrich, Ph.D.


Important: Please note that Microsoft released EMET 5.1 yesterday to address conflicts between EMET 5.0 / IE 11 and the patches released here (likely MS14-065).

We are aware that bulletin numbers are skipped below. Not sure if they will come later. It is possible that I used a version of the bulletin page that wasn

MS14-065 Cumulative Security Update for Internet Explorer
  Replaces: MS14-056
  Affected: Microsoft Windows, Internet Explorer
  CVEs: CVE-2014-4143, CVE-2014-6323, CVE-2014-6337, CVE-2014-6339, CVE-2014-6340, CVE-2014-6341, CVE-2014-6342, CVE-2014-6343, CVE-2014-6344, CVE-2014-6345, CVE-2014-6346, CVE-2014-6347, CVE-2014-6348, CVE-2014-6349, CVE-2014-6350, CVE-2014-6351, CVE-2014-6353
  KB: 3003057

MS14-066 Vulnerability in Schannel Could Allow Remote Code Execution
  Replaces: MS10-085, MS12-049
  Affected: Microsoft Windows
  CVEs: CVE-2014-6321
  KB: 2992611

MS14-069 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  Replaces: MS14-017, MS14-061
  Affected: Microsoft Office
  CVEs: CVE-2014-6335
  KB: 3009710

MS14-071 Vulnerability in Windows Audio Service Could Allow Elevation of Privilege
  Affected: Microsoft Windows
  CVEs: CVE-2014-6322
  KB: 3005607

MS14-072 Vulnerability in .NET Framework Could Allow Elevation of Privilege
  Replaces: MS14-026
  Affected: Microsoft Windows, Microsoft .NET Framework
  CVEs: CVE-2014-4149
  KB: 3005210

MS14-073 Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege
  Replaces: MS13-084
  Affected: Microsoft Server Software
  CVEs: CVE-2014-4116
  KB: 3000431

MS14-074 Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass
  Replaces: MS10-085, MS14-030
  Affected: Microsoft Windows
  CVEs: CVE-2014-6318
  KB: 3003743

MS14-076 Vulnerability in Internet Information Services
  Affected: Microsoft Windows
  CVEs: CVE-2014-4078
  KB: 2982998

MS14-077 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure
  Affected: Microsoft Windows
  CVEs: CVE-2014-6331
  KB: 3003381

MS14-079 Vulnerability in Kernel Mode Driver Could Allow Denial of Service
  Replaces: MS14-058
  Affected: Microsoft Windows
  CVEs: CVE-2014-6317
  KB: 3002885

ISC rating legend (partial):

  • Critical: Anything that needs little to become interesting.
  • Less Urgent: [...]
  • [...] practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat [...].

---
Johannes B. Ullrich, Ph.D.


Cisco Unified Communications Manager TLS Certificate Validation Security Bypass Vulnerability

There he goes again, just giving ammunition to DDoS attacks.

Akamai has issued a security bulletin (PDF) about a new form of Domain Name Service-based distributed denial of service (DDoS) attacks that emerged in October, attacks that can significantly boost the volume of data flung at a targeted server. The method builds upon the well-worn DNS reflection attack method used frequently in past DDoS attacks, exploiting part of the DNS record returned by domain queries to increase the amount of data sent to the target: by stuffing it full of information from President Barack Obama's press office.

DNS reflection attacks (also known as DNS amplification attacks) use forged requests to a DNS server for the Internet Protocol address and other information about a specific host and domain name. For example, a response from Google's DNS server typically returns something like this, a simple response with the canonical name (CNAME) of the DNS address sent in the request and an IPv4 or IPv6 address for that name:

DNS requests are usually sent using the User Datagram Protocol (UDP), which is "connectionless." It doesn't require that a connection be negotiated between the requester and the server before data is sent to make sure it's going to the right place. By forging the return address on the DNS request so that it looks like it came from the target, an attacker gets a significant boost in the size of a DDoS attack, because the amount of data sent in response to the DNS request is significantly larger than the request itself.
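As an added illustration (not part of the Ars article or the Akamai bulletin), the following Python sketch measures the quantity a resolver operator would alert on when watching for reflection abuse: the amplification factor, i.e. response bytes per query byte. The DNS messages are constructed sample packets for example.com rather than captured traffic, and the alerting threshold of 10 is an assumed value.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels (length byte + label, zero terminator)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def build_message(txid: int, flags: int, qname: str, qtype: int, answers=()) -> bytes:
    """Assemble a minimal DNS message: 12-byte header, one question, optional answer RRs."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    rrs = b""
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer back to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + rrs

def parse_header(msg: bytes) -> dict:
    """Decode the DNS header; the QR bit (0x8000) distinguishes a response from a query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def amplification_ratio(query: bytes, response: bytes) -> float:
    """Bytes returned per byte sent: the gain a reflector hands to a spoofed source address."""
    return len(response) / len(query)

def is_reflection_candidate(query: bytes, response: bytes, threshold: float = 10.0) -> bool:
    """Flag query/response pairs whose size ratio exceeds the (assumed) alerting threshold.
    Many such pairs toward one source address is the pattern that response rate limiting
    (RRL) on the resolver is meant to throttle."""
    hdr = parse_header(response)
    return hdr["is_response"] and amplification_ratio(query, response) >= threshold

# Constructed sample traffic (not captured): an ANY query (type 255) for example.com
QUERY = build_message(0x1234, 0x0100, "example.com", 255)  # 29 bytes on the wire
# Response padded with four 200-character TXT records (type 16); TXT rdata is a
# length byte followed by the text.
TXT_RR = (16, b"\xc8" + b"x" * 200)
BIG_RESPONSE = build_message(0x1234, 0x8180, "example.com", 255, [TXT_RR] * 4)
# A single A record (type 1) for 192.0.2.1 (documentation range) for comparison
SMALL_RESPONSE = build_message(0x1234, 0x8180, "example.com", 255, [(1, bytes([192, 0, 2, 1]))])

if __name__ == "__main__":
    for label, resp in (("TXT-heavy", BIG_RESPONSE), ("single A", SMALL_RESPONSE)):
        verdict = "reflection candidate" if is_reflection_candidate(QUERY, resp) else "benign size"
        print(label, round(amplification_ratio(QUERY, resp), 1), verdict)
```

Running the block shows a roughly 30x gain for the TXT-padded response against about 1.5x for the plain A record, which is why resolvers that answer recursive queries from any source are the reflectors of choice.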


Allomani Weblinks Multiple SQL Injection and Multiple Cross Site Scripting Vulnerabilities
WordPress Download Manager Plugin 'file_download.php' Arbitrary File Download Vulnerability
WordPress CP Multi View Event Calendar Plugin 'calid' Parameter SQL Injection Vulnerability

Security researchers have warned of a security hole in Apple's iOS devices that could allow attackers to replace legitimate apps with booby-trapped ones, an exploit that could expose passwords, e-mails, or other sensitive user data.

The "Masque" attack, as described by researchers from security firm FireEye, relies on enterprise provisioning to replace banking, e-mail, or other types of legitimate apps already installed on a targeted phone with a malicious one created by the adversary. From there, the attacker can use the malicious app to access sent e-mails, login credential tokens, or other data that belonged to the legitimate app.

"Masque Attacks can replace authentic apps, such as banking and e-mail apps, using attacker's malware through the Internet," FireEye researchers wrote in a blog post published Monday. "That means the attacker can steal user's banking credentials by replacing an authentic banking app with a malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached e-mails or even login-tokens which the malware can use to log into the user's account directly."



Microsoft yesterday released EMET 5.1. One particular sentence in Microsoft's blog post suggests that you should apply this update (if you are using EMET) BEFORE you apply the Internet Explorer patch Microsoft is going to release in a couple of hours:

"If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation."

For full details, and the features added in EMET 5.1, see Microsoft's blog post [1].

[1] http://blogs.technet.com/b/srd/archive/2014/11/10/emet-5-1-is-available.aspx

Johannes B. Ullrich, Ph.D.

LinuxSecurity.com: KDE workspace could be made to crash or run programs as an administrator.
LinuxSecurity.com: Konversation could be made to crash if it received specially crafted network traffic.
LinuxSecurity.com: LibreOffice could be made to embed sensitive information into documents.
LinuxSecurity.com: curl could expose sensitive information over the network.
IBM Tivoli Integrated Portal CVE-2014-6152 Unspecified Cross Site Scripting Vulnerability
IBM Tivoli Integrated Portal CVE-2014-6151 HTTP Response Splitting Vulnerability

Posted by InfoSec News on Nov 11

By Michael Moore
Tech Week Europe
10 Nov 2014

High-powered executives staying in luxury foreign hotels are being targeted by a new security threat which looks to spy into their devices, a report has revealed.

Following a four year-long investigation, web security firm Kaspersky has revealed that the "Darkhotel" APT (Advanced Persistent Threat) is able...

Posted by InfoSec News on Nov 11

By Dan Goodin
Ars Technica
Nov 9 2014

Domestic Internet traffic traveling inside the borders of Russia has repeatedly been rerouted outside of the country under an unexplained series of events that degrades performance and could compromise the security of Russian communications.

The finding, reported Thursday in a blog post...

Posted by InfoSec News on Nov 11

The New York Times
NOV. 10, 2014

ARAD, Romania — He reveled in tormenting members of the Bush family, Colin L. Powell and a host of other prominent Americans, and also in outfoxing the F.B.I. and the Secret Service, foiling their efforts to discover even his nationality, never mind his identity. Early this year, however, the...

Posted by InfoSec News on Nov 11

By Ellen Nakashima
The Washington Post
November 10, 2014

Chinese government hackers are suspected of breaching the computer networks of the United States Postal Service, compromising the data of more than 800,000 employees — including the postmaster general's.

The intrusion was discovered in mid-September, said...