Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Adobe said Wednesday it is investigating the release of 230 names, email addresses and encrypted passwords claimed to have been stolen from a company database.
 

Hack Update: Inspector General Releases Preliminary Report
Patch.com
The Office of Inspector General (OIG) fully endorses the Governor's executive order 2012-10 and requests a “holistic” review of information security (INFOSEC) policy and procedures to minimize the risk of cyber-attacks and protect the personal ...

 
Microsoft issued six bulletins in November's Patch Tuesday, including fixes in Internet Explorer, Windows Kernel and the .NET Framework.

 
The U.S. and China are likely to resolve the conflict over potential security threats from Huawei Technologies' network equipment without a trade war, Cisco Systems chairman and CEO John Chambers said on Tuesday.
 
Cisco Systems plans to build small cellular base stations, building upon its fast-growing business in Wi-Fi base stations for mobile operator networks, Chairman and CEO John Chambers said on Tuesday.
 
Hong Kong Exchanges and Clearing (HKEx) is the nervous system of the city's financial industry. It operates the Hong Kong Stock Exchange and is one of the world's premier exchange-owners based on market capitalization of its shares.
 
A U.S. district judge has approved a request for class action in a lawsuit against pizza maker Papa John's International for allegedly sending hundreds of thousands of text spam messages.
 
Advanced Micro Devices is denying reports that executives have taken steps that could lead to the company's sale.
 
"Is that Charlie?" booms a voice. "It's been years. Man, great to see you!"
 
Traditional news media on the eve of the United States Presidential election was reporting a closely-contested election and there were many polls indicating that it might be a photo-finish. However, one thing has become clear from this election: not all polls are created equal. The pollsters using the latest data processing and analysis techniques were the most successful in predicting the outcome of the elections. For those who had the stamina to watch the election campaign unfold over 22 long months, it became not just a battle of ideologies and campaign issues, but also a rivalry between old media pundits and new media analysts.
 
Some very techie words have been very popular this year, according to the Oxford American Dictionaries.
 
A 16-year-old security researcher from India plans to present a malware application for Windows Phone 8 at the upcoming MalCon security conference in New Delhi, India, on Nov. 24.
 
AT&T announced general availability of its Enhanced Push-to-Talk service on Tuesday, taking on Sprint's Direct Connect Now app as the carriers vie to attract users of the fading Nextel network.
 
Western Digital introduced a new My Book Studio desktop drive for Macs that offers USB 3.0 connectivity as well as 4TB of storage capacity in a single drive.
 
At a time when cyberattacks on America's critical infrastructure have increased 17-fold (between 2009 and 2011), the need for highly trained cybersecurity professionals is acute. However, 83% of federal hiring managers in a recent survey said it was extremely difficult to find well-trained cybersecurity professionals and a projected shortfall of 20,000 to more than 40,000 people is expected in the years to come.
 
Microsoft today patched 19 vulnerabilities in Windows, Internet Explorer 9, Excel and the .Net development framework, including four flaws in the just-released Windows 8 and its tablet spin-off Windows RT.
 
Cloud storage company Dropbox announced it has passed the 100 million-user mark and has customers in 200 countries.
 
Studies show that employees are engaging in rogue use of the cloud, even when IT organizations say they have clear formal cloud policies and penalties for violation of the policies.
 
Despite a recent Windows 8 zero-day vulnerability, security experts say the new Microsoft platform is the most secure OS on the market.

 
More than half of mobile-device security decision makers surveyed say that BYOD challenges remain.

 
Less than one in five enterprises have requested code-level security tests from at least one vendor, but the volume of assessments is growing.

 
Extreme Networks this week unveiled 100G and 40G Ethernet modules as well as SDN application support for its BlackDiamond X8 core switch.
 
ESA-2012-055: RSA® Data Protection Manager Multiple Vulnerabilities
 
Steven Sinofsky, Microsoft's top Windows executive, abruptly left the company Monday, prompting a flurry of reaction from long-time Microsoft watchers about why Sinofsky is gone and what happens now.
 
AT&T will start offering the first Windows RT tablet with LTE capabilities on Friday with prices beginning at US$499, the U.S. wireless carrier said on Tuesday.
 
With the commercial release of version 5 of its self-named reporting and analysis suite, Jaspersoft has revamped the software's visualization engine, doing away with an Adobe Flash-based visualization engine in favor of one using HTML5 Web standards.
 

NOTE: Several of these patches apply to Windows 8 and Windows RT, which were released just last month.

Overview of the November 2012 Microsoft patches and their status.

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers |
|---|----------|-------------------------|----------------|----------------------|-----------------------|-----------------------|
| MS12-071 Cumulative Security Update for Internet Explorer (Replaces MS12-063) | Internet Explorer 9; CVE-2012-1538, CVE-2012-1539, CVE-2012-4775 | KB 2761451 | no known exploit. | Severity: Critical; Exploitability: 1,1,1 | Critical | Important |
| MS12-072 Vulnerabilities in Windows Shell Could Allow Remote Code Execution (Replaces ) | Remote Code Execution; CVE-2012-1527, CVE-2012-1528 | KB 2727528 | no known exploit. | Severity: Critical; Exploitability: 1,1 | Critical | Critical |
| MS12-073 Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure (Replaces MS11-004) | IIS; CVE-2012-2531, CVE-2012-2532 | KB 2733829 | PoC code may exist. | Severity: Moderate; Exploitability: ?,? | Less urgent | Important |
| MS12-074 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (Replaces MS11-078, MS11-100, MS12-016, MS12-034) | .NET Framework 1.0 SP3, .NET Framework 1.1 SP1, .NET Framework 2.0 SP2, .NET Framework 3.5, .NET Framework 3.5.1, .NET Framework 4, .NET Framework 4.5; CVE-2012-1895, CVE-2012-1896, CVE-2012-2519, CVE-2012-4776, CVE-2012-4777 | KB 2745030 | no known exploit | Severity: Critical; Exploitability: 1,3,1,1,1 | Critical | Critical |
| MS12-075 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (Replaces MS12-055) | Windows Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, Windows Server 2008, Windows Server 2012; CVE-2012-2530, CVE-2012-2553, CVE-2012-2897 | KB 2761226 | no known exploit | Severity: Critical; Exploitability: 1,1,2 | Critical | Critical |
| MS12-076 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS12-030, MS12-051) | Excel 2003, Excel 2007, Excel 2010, Excel 2008 on Mac; CVE-2012-1885, CVE-2012-1886, CVE-2012-1887, CVE-2012-2543 | KB 2720184 | no known exploit | Severity: Important; Exploitability: 1,1,1,1 | Critical | Important |


We will update issues on this page for about a week or so as they evolve.

We appreciate updates.

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY


(*): ISC rating


We use 4 levels:


PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.

Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.

Important: Things where more testing and other measures can help.

Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.



The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment of the machine and the common measures people typically already have in place. The measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.

The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.

Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.

All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.


(**): The exploitability rating we show is the worst of all the ratings Microsoft assigned, because Microsoft assigns too many separate ratings to some of the patches.


------

Post suggestions or comments in the section below or send us any questions or comments in the contact form

---------------

Jim Clausing, GIAC GSE #26

jclausing --at-- isc [dot] sans (dot) edu
 
Nokia plans an ambitious expansion of its mapping and location-based services platform beyond its own smartphones to competing devices running OSes other than Windows Phone 8, it said Tuesday.
 
Microsoft has started to adopt some key software development practices from Yammer, the ESN (enterprise social networking) vendor it acquired several months ago.
 
HTC and Verizon Wireless on Tuesday announced the Droid DNA smartphone, which comes with Android 4.1 and a 5-inch high-definition display that the company said is the most advanced in the market today.
 
Re: [OVSA20121112] OpenVAS Manager Vulnerable To Command Injection
 
Reflective XSS in uk cookie plugin
 
When a program is ineffective, the problem is usually that the training wasn't designed in a way that would result in changes in behavior. (Insider; registration required)
 
SAP said Tuesday that it plans to roll out a series of mobile applications for Windows 8, a move that underscores the companies' deep partnership at a time when many observers believe Microsoft's new OS is in for a tough ride.
 
Intel is in final negotiations to invest up to US$500 million in struggling Sharp of Japan, Kyodo News agency reported Tuesday.
 
Mobile card payments startup iZettle has settled its payments dispute with Visa Europe and can now accept Visa payments in Norway, Finland and Denmark, the company announced on Tuesday.
 
[OVSA20121112] OpenVAS Manager Vulnerable To Command Injection
 
Weak password encryption on Huawei products
 
Zoner Photo Studio v15 b3 - Buffer Overflow Vulnerabilities
 
Eventy CMS v1.8 Plus - Multiple Web Vulnerabilities
 
Cloud storage and content sharing service SugarSync released a complete revamp of its management interface with new file-sharing and search features.
 
Oracle has taken a minority stake in Engine Yard, maker of a PaaS (platform as a service) for Ruby, PHP and Node.js applications, the company announced Tuesday. Financial terms were not disclosed.
 
Bank of America will extend its mobile payments service to small retailers in December, allowing them to use smartphones and tablets as point-of-sale terminals.
 
IBM, Good Technology and several other mobile device and app management software vendors today separately announced a variety of new or enhanced products.
 
Hacker "Cosmo", who headed a hacktivist group calling itself "UGNazi", has been sentenced by a youth court in California's Long Beach. The sentence includes a six-year probation during which he will only be allowed to access the internet under supervision.


 
To test its own recommendations for protecting Windows systems, Germany's Federal Office for Information Security (BSI) used two different computers to visit a total of 100 web sites hosting malicious code. The results speak volumes.


 
SAP is tying the HANA in-memory database to its CRM software and other applications, creating a package that will "allow organizations to revolutionize the way they engage with their customers," the company announced Tuesday during the Sapphire and Tech Ed conferences in Madrid.
 
Honda will begin tests next year of a small electric vehicle that uses a driver's tablet for displaying dashboard readings, audio, navigation and images from its rearview camera, it said Tuesday.
 
SAP on Tuesday is expected to showcase how it will tie together its business applications with the cloud-based business network it gained through the acquisition of Ariba during the Sapphire and Tech Ed conferences in Madrid.
 
Hewlett-Packard has twice revised its message to customers about downgrading new PCs equipped with Windows 8 to the older Windows 7 in an attempt to clarify its position.
 
HTC's fast and well-designed Windows Phone 8X is one of the first to use Microsoft's new Windows Phone 8 smartphone operating system.
 
Google's services have been riding a bit of a rollercoaster in China over the last several days. A one-hour or even 12-hour blockage wouldn't hurt the company. It's the potential for a much longer blockage that could be problematic for Google, says one analyst.
 
A 28-year-old man has been sentenced for carrying out DoS attacks on a Hong Kong stock exchange web site and then penetrating their servers with the aim of documenting his attacks and using them to market his company.


 
GEGL CVE-2012-4433 Integer Overflow Vulnerability
 

Posted by InfoSec News on Nov 13

http://www.wired.com/threatlevel/2012/11/threatlevel_1112_mcafee/

By Joshua Davis
Threat Level
Wired.com
11.12.12

As Belizean police combed the property of expat antivirus pioneer John
McAfee Sunday afternoon, McAfee was closer than they could have known.
He’d seen them coming, and says he hid — burying himself in the sand
with a cardboard box over his head so he could breathe. “It was
extraordinarily uncomfortable,” he says, in an...
 

Posted by InfoSec News on Nov 13

http://www.mirror.co.uk/news/uk-news/tower-of-london-locks-have-to-be-changed-after-1431862

By Agency staff
Mirror Online
12 Nov 2012

The locks at the Tower of London, home to the Crown Jewels, had to be
changed after a burglar broke in and stole keys.

The intruder scaled gates and took the keys from a sentry post.

Guards spotted him but couldn't give chase as they are not allowed to
leave their posts.

The keys included ones to unlock...
 

Posted by InfoSec News on Nov 13

http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240115353/the-globalization-of-cyberespionage.html

By Kelly Jackson Higgins
Dark Reading
Nov 12, 2012

A recently discovered targeted cyberespionage campaign targeting Israeli
and Palestinian organizations in operation for more than a year serves
as chilling evidence that cyberspying is a global phenomenon and no
longer mostly the domain of massive nation-states...
 

Posted by InfoSec News on Nov 13

http://arstechnica.com/tech-policy/2012/11/petraeus-affair-offers-unintentional-lesson-on-password-reuse/

By Nate Anderson
Ars Technica
Nov 12 2012

Paula Broadwell, the biographer and reported mistress of CIA director
David Petraeus, appears to have been a subscriber to the "private
intelligence" firm Stratfor—and that means that her Stratfor login
account and its hashed password were hacked and released last year by
Anonymous....
 

Posted by InfoSec News on Nov 13

http://www.csoonline.com/article/721278/social-engineering-big-data-top-security-priorities-for-2013-gartner

By Hamish Barwick
IDG News Service
November 09, 2012

The technique of using deception and manipulation to gain sufficient
knowledge to dupe an unwary individual, employee or company into
revealing personal information has the potential to be one of the
biggest security threats in 2013 according to a security expert.

Gartner Australia...
 

Naked Security

Even a CHILD can make a Trojan to pillage Windows Phone 8
Register
Gawde, who is a member of the Indian government-backed National Security Database program of infosec professionals, last year at the age of 15 created malware that attacked Microsoft's Xbox Kinect. Documents posted on the MalCon website ahead of the ...
Windows 8 Malware Proof-Of Concept Code Revealed
OneStopClick

 
Steven Sinofsky, the executive in charge of Microsoft's Windows 8 operating system and the driving force behind its new OS, is leaving the company, Microsoft announced late Monday.
 
WeeChat Color Decoding Heap Buffer Overflow Vulnerability
 
Oracle Solaris CVE-2012-3209 Local Security Vulnerability
 
Oracle Solaris CVE-2012-3187 Local Security Vulnerability
 
Oracle Solaris CVE-2012-3211 Local Security Vulnerability
 