(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The basement of the Democratic National Committee's Washington, DC, headquarters holds one of the most fitting images to come out of the hacks that dogged Democrats in the 2016 presidential election. On the left: a 1960s era file cabinet that was jimmied open during the 1972 Watergate break-in. On the right: a DNC server that was hacked by what the US intelligence community says were Russian operatives.

That image is from an 8,300-word New York Times article about how two separate Russian government groups hacked the DNC. The hacks first came to light in June, and the rough outline is well known. For months, the intruders had free reign over the DNC's computers. Over time, the Russians extended their reach into the Gmail accounts of Clinton campaign chairman John Podesta, former secretary of State Colin Powell, and others. The series of DNC blunders, bordering on ineptitude, that allowed the attacks to succeed has been well documented. Those blunders are now coming into sharper focus.

Like the feeble filing cabinet, the shortcomings exposed in the New York Times' blow-by-blow account show just how ineffective and doomed the DNCs's defenses were against a much-better organized adversary. Equally important, the report reveals how a "series of missed signals, slow responses, and a continuing underestimation of the seriousness of the cyberattack"—apportioned in almost equal parts by members of the FBI, the DNC, and the Clinton campaign—allowed the hacking drama to play out.

Read 3 remaining paragraphs | Comments

Apache ActiveMQ CVE-2016-6810 HTML Injection Vulnerability
XFINITY Gateway Technicolor CVE-2016-7454 Cross Site Request Forgery Vulnerability
Microsoft Office CVE-2016-7263 Memory Corruption Vulnerability
Microsoft Office CVE-2016-7266 Remote Code Execution Vulnerability
Microsoft Windows Graphics Component CVE-2016-7259 Local Privilege Escalation Vulnerability
Microsoft Edge CVE-2016-7206 Information Disclosure Vulnerability
Microsoft Edge CVE-2016-7296 Remote Memory Corruption Vulnerability
Microsoft Internet Explorer and Edge CVE-2016-7281 Security Bypass Vulnerability

Dozens of low-cost Android phone models come preinstalled with apps that covertly download and install adware and other unwanted programs, researchers said.

At least 26 phone models come preinstalled with a downloader dubbed Android.DownLoader.473.origin, according to a blog post published Monday by antivirus provider Doctor Web. Doctor Web researchers described the app as a downloader trojan that can download not only benign applications but also malicious and unwanted ones. One such app, known as H5GameCenter, displays ads on top of running applications. The image can't be removed, and infected users report that when they uninstall the app, Android.DownLoader.473.origin quickly downloads and installs it again.

Another preinstalled downloader Doctor Web detected is known as Android.Sprovider.7 and comes encrypted inside another app. It has the ability to automatically download Android application files and install them when users click on a confirmation button, make phone calls to certain numbers, and show ads on top of apps.

Read 3 remaining paragraphs | Comments

Microsoft Edge CVE-2016-7202 Scripting Engine Remote Memory Corruption Vulnerability
Adobe Digital Editions CVE-2016-7888 Information Disclosure Vulnerability
Adobe Flash Player APSB16-39 Unspecified Use After Free Remote Code Execution Vulnerability
EpubCheck CVE-2016-9487 XML External Entity Injection Vulnerability

December Patch Tuesday ISC Link:https://isc.sans.edu/mspatchdays.html?viewday=2016-12-13


Woha, patch now on clients! Servers might need emergency procedures (depending upon internal governance). There are known exploits and anytime we read Scripting Engine? that just does not bode well, for Internet Explorer.


Another patch now for clients, scripting engines seem to not be getting a break here. Similar in nature it seems, Edge also has some vulnerabilities in memory handling that could possibly lead to code execution. Lets patch those browsers!


Pictures, Images, JPGs oh my Another reason to scramble, it seems the graphics engine is exploitable and again with known and reported exploits. This one is also a patch now for clients. Servers hopefully dont browse the internet *cough cough* but should be patched according to internal critical governance, or in other words Dont forget your servers!


Well, had to go look this one up *asks what Uniscribe is* and it had API + Scripting in the function description [1]. There are not any know or published exploits that we are aware of on this one, however the dreaded Remote Code Execution is in the bulletin, so patch


Office 2007 2016, again, no published exploits that we are aware of, however a broad spectrum of Office suites on this one. The bulletins do include Remote Code Execution in the for some of this roll-up. Patch.. Interestingly this handler was met with requests to patch on his home systems J


This one is correcting crypto handling and preventing privilege escalation. Compared to the above this one might be able to take a back set temporarily.


More privilege escalationcorrection, this patchupdates kernel handling. It looks like this one would need a specially crafted application local on the system, so a bit further down the attack cycle.


Getting a sense of entitlement here as MS16-151 is another privilege escalation patch. Anytime drivers are involved this handler always takes a deeper look, however again, it seems an attacker would need a specially crafted program to hit on this vulnerability.


Here we are presented with possible information disclosure from the kernel. Listed as important and no known or published exploits. Correcting the way the kernel handles memory objects is always a good thing in this handlers book.


Logging information disclosure but with an interesting nugget at the top of the brief? font-family: Segoe UI, Lucida Grande">In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to bypass security measures on the affected system allowing further exploitation.[2] font-family: Segoe UI, Lucida Grande font-family: Segoe UI, Lucida Grande">Patch for Adobe Flash, critical, flash is everywhere... so goes without saying but we will say it anyway Patch as a critical update!


Read up on this one, it is .Net related. Seems isolated to a specific version, 4.6.2, however limited to information disclosure. It should be noted that known exploits exist.

We will update this diary as issues or more information is sent in. If anyone experiences any issues patching, let us know!

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/dd374091(v=vs.85).aspx


Richard Porter

@packetalien, @packetmonk

--- ISC Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Adobe Experience Manager Multiple Cross Site Scripting Vulnerabilities
Adobe Experience Manager and LiveCycle Multiple Cross Site Scripting Vulnerabilities
Adobe Flash Player APSB16-39 Multiple Unspecified Buffer Overflow Vulnerabilities


== Update

Thank you to our reader who caught the incorrect link. We at the ISC do not have a time machine. Summary out shortly.


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Adobe Animate CVE-2016-7866 Memory Corruption Vulnerability
GNOME libgsf 'gsf-infile-tar.c' Denial of Service Vulnerability
MapServer CVE-2016-9839 Remote Denial of Service Vulnerability
Apple iOS/tvOS/watchOS Remote memory corruption through certificate
[slackware-security] php (SSA:2016-347-03)
[slackware-security] kernel (SSA:2016-347-01)
Internet Storm Center Infocon Status