Hackin9

Richard Porter --- ISC Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Oracle MySQL Server CVE-2015-0498 Remote Security Vulnerability
 
Oracle MySQL Server CVE-2015-2566 Remote Security Vulnerability
 
LinuxSecurity.com: Security fix for CVE-2015-4411
 
LinuxSecurity.com: Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: Fixes CVE-2015-3258 & CVE-2015-3279
 
LinuxSecurity.com: Bump to openvas8 because of the issues found in previous versions. This should be the first version with scanner really working on Fedora.
 
LinuxSecurity.com: Update to version 0.7.1. Add patch to fix undefined symbol: ssh_forward_listen (bug #1221310). Update to version 0.7.0. Security fix for CVE-2015-3146.
 

The FBI and its counterparts in Europe, Brazil, and elsewhere have arrested more than 60 people suspected of carrying out hacking crimes associated with a secretive online forum known as Darkode, according to media reports.

Darkode, according to a post published in April 2013 by KrebsOnSecurity, has long acted as an online bazaar for criminals looking to buy and sell drive-by exploits, spam services, ransomware programs, botnet tools, and other illicit products and services. According to news organizations located in Brazil, the site has been under investigation since March by agents with the FBI Europol, Brazil's Federal Police, and law enforcement agencies in other countries. The operation has resulted in 62 arrests in 18 countries, including Germany, the UK, Romania, Bosnia, Serbia, India, Sweden, Denmark, and Colombia, according to the reports.

A public information agent with the FBI didn't respond to an e-mail seeking details of the reported enforcement operation. Some of the articles detailing the arrests are here, here, and here.


 
NTP CVE-2015-1799 Denial of Service Vulnerability
 
Oracle Java SE CVE-2015-0458 Remote Security Vulnerability
 

Microsoft has killed at least two security bugs linked to the compromised malware developer Hacking Team, including a critical remote-code execution hole that worked against people using the latest version of Internet Explorer on Windows 7 and 8 machines.

The IE vulnerability was discovered in an e-mail a security researcher sent to Hacking Team executives, according to a blog post published Tuesday by researchers from security firm Vectra Networks. In the message, a security researcher offered to sell proof-of-concept attack code exploiting the vulnerability, which was significant because it worked against what is widely regarded as Microsoft's most secure versions of Windows and IE.

"Are you by any chance interested in a PoC (DEP violation) last update to IE11, running on Win7 and Win 8.1?" the researcher wrote, according to the Vectra Networks blog post. "Let me know."


 
Adobe Reader CVE-2015-3095 Out Of Bounds Read Memory Corruption Vulnerability
 
Adobe Reader and Acrobat CVE-2014-0566 Remote Code Execution Vulnerability
 

Overview of the July 2015 Microsoft patches and their status.

Columns: # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating (**) | ISC rating (*) for clients / servers

MS15-058 Remote Code Execution Vulnerabilities in SQL Server
(This bulletin was supposed to be part of the June 2015 patch Tuesday, but got delayed until today)
  Affected: SQL Server
  CVEs: CVE-2015-1761, CVE-2015-1762, CVE-2015-1763
  KB: 3065718
  Known exploits: no
  Microsoft rating: Severity Important, Exploitability 2
  ISC rating: clients N/A, servers Important

MS15-065 Internet Explorer Rollup Patch (Replaces MS15-056)
  Affected: Internet Explorer
  CVEs: CVE-2015-1729, CVE-2015-1733, CVE-2015-1738, CVE-2015-1767, CVE-2015-2372, CVE-2015-2383, CVE-2015-2384, CVE-2015-2385, CVE-2015-2388, CVE-2015-2389, CVE-2015-2390, CVE-2015-2391, CVE-2015-2397, CVE-2015-2398, CVE-2015-2401, CVE-2015-2403, CVE-2015-2404, CVE-2015-2405, CVE-2015-2406, CVE-2015-2408, CVE-2015-2410, CVE-2015-2411, CVE-2015-2412, CVE-2015-2413, CVE-2015-2414, CVE-2015-2419, CVE-2015-2421, CVE-2015-2422, CVE-2015-2425
  KB: 3076321
  Known exploits: CVE-2015-2398 has been publicly disclosed.
  Microsoft rating: Severity Critical, Exploitability 0
  ISC rating: clients Critical, servers Important

MS15-066 Remote Code Execution Vulnerability in VBScript Scripting Engine (Replaces MS15-019)
  Affected: VBScript
  CVEs: CVE-2015-2372
  KB: 3072604
  Known exploits: no
  Microsoft rating: Severity Critical, Exploitability 1
  ISC rating: clients Critical, servers Important

MS15-067 Remote Code Execution Vulnerability in RDP (Replaces MS15-030)
  Affected: RDP
  CVEs: CVE-2015-2373
  KB: 3073094
  Known exploits: no
  Microsoft rating: Severity Critical, Exploitability 3
  ISC rating: clients Critical, servers Critical

MS15-068 Remote Code Execution Vulnerabilities in Hyper-V
  Affected: Hyper-V
  CVEs: CVE-2015-2361, CVE-2015-2362
  KB: 3072000
  Known exploits: no
  Microsoft rating: Severity Critical, Exploitability 2
  ISC rating: clients N/A, servers Critical

MS15-069 Remote Code Execution Vulnerabilities in Windows
  Affected: Windows and Windows Media Device Manager
  CVEs: CVE-2015-2368, CVE-2015-2369
  KB: 3072631
  Known exploits: unauthorized DLL loading is an ongoing issue.
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients Critical, servers Important

MS15-070 Remote Code Execution Vulnerabilities in Office (Replaces MS13-084, MS15-022, MS15-033, MS15-046)
  Affected: Microsoft Office (including Mac and SharePoint)
  CVEs: CVE-2015-2376, CVE-2015-2377, CVE-2015-2379, CVE-2015-2380, CVE-2015-2415, CVE-2015-2424, CVE-2015-2375, CVE-2015-2378
  KB: 3072620
  Known exploits: CVE-2015-2424 has been used in exploits.
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients Critical, servers Important

MS15-071 Spoofing Vulnerability in Netlogon (Replaces MS15-027)
  Affected: Netlogon
  CVEs: CVE-2015-2374
  KB: 3068457
  Known exploits: no
  Microsoft rating: Severity Important, Exploitability 3
  ISC rating: clients Important, servers Important

MS15-072 Elevation of Privilege Vulnerability in Windows Graphics Component (Replaces MS15-035)
  Affected: Windows Graphics component
  CVEs: CVE-2015-2364
  KB: 3069392
  Known exploits: no
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients Important, servers Important

MS15-073 Elevation of Privilege Vulnerability in Kernel Mode Drivers (Replaces MS15-061)
  Affected: Kernel Mode Drivers
  CVEs: CVE-2015-2363, CVE-2015-2365, CVE-2015-2366, CVE-2015-2367, CVE-2015-2381, CVE-2015-2382
  KB: 3070102
  Known exploits: no
  Microsoft rating: Severity Important, Exploitability 2
  ISC rating: clients Important, servers Important

MS15-074 Elevation of Privilege Vulnerability in Windows Installer Service (Replaces MS14-049)
  Affected: Windows Installer Service
  CVEs: CVE-2015-2371
  KB: 3072630
  Known exploits: no
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients Important, servers Important

MS15-075 Elevation of Privilege Vulnerability in OLE (Replaces MS13-070)
  Affected: OLE
  CVEs: CVE-2015-2416, CVE-2015-2417
  KB: 3072633
  Known exploits: no
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients Critical, servers Important

MS15-076 Elevation of Privilege in Windows RPC (Replaces MS15-055)
  Affected: Windows RPC
  CVEs: CVE-2015-2370
  KB: 3067505
  Known exploits: no
  Microsoft rating: Severity Important, Exploitability 2
  ISC rating: clients Important, servers Important

MS15-077 Elevation of Privilege Vulnerability in ATM Font Driver (Replaces MS15-021)
  Affected: ATM Font Driver (ATMFD.DLL)
  CVEs: CVE-2015-2387
  KB: 3077657
  Known exploits: Exploits detected.
  Microsoft rating: Severity Important, Exploitability 0
  ISC rating: clients Important, servers Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become interesting.
    • Less important patches for servers that do not use Outlook, MSIE, Word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threats.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Adobe Systems has issued an emergency update for its Flash media player to patch two critical zero-day vulnerabilities that allow attackers to surreptitiously install malware on end-user computers.

The previously unknown vulnerabilities were unearthed in the 400-gigabyte data dump hackers published nine days ago after rooting the servers of Hacking Team, the Italy-based company that sold spyware and exploits to governments around the world. As previously reported, Hacking Team was itself hacked by unknown individuals, who then published e-mails, sales invoices, and marketing material that appeared to contradict long-standing assurances from company executives that they operated ethically and didn't do business with repressive governments.

The two Flash vulnerabilities unearthed this past weekend are in addition to a third one found earlier in the Hacking Team dump, which Adobe patched last week, a few days after it was discovered. All three critical vulnerabilities were present in Flash versions for Windows, Mac OS X, and Linux. At least one of them was potent enough to pierce the vaunted Google Chrome security sandbox, most likely because it was combined with a separate privilege-escalation exploit for Windows.


 
[CVE-2015-2862/2863 / CERT VU#919604] Kaseya VSA arbitrary file download / open redirect
 
LinuxSecurity.com: New upstream - Firefox 39.0
 
LinuxSecurity.com: Security fix for CVE-2015-1793 high severity issue.
 
LinuxSecurity.com: This release fixes two heap buffer overflows when compiling certain regular expressions: CVE-2015-3210 and CVE-2015-5073.
 
LinuxSecurity.com: Latest upstream. http://www.openwall.com/lists/oss-security/2015/06/25/2
 
LinuxSecurity.com: Security fix for CVE-2015-3218, CVE-2015-3255, CVE-2015-3256, CVE-2015-4625
 

In a warm-up to patch Tuesday, it looks like we have a new version for Adobe Flash Player, Shockwave Player and PDF Reader. Given that some of the exploits against the vulnerabilities patched are public, you may want to expedite patching and review your Flash Player and browser configuration.

The latest (patched) versions are (thanks Dave!):

- Flash Player 18.0.0.209
- Flash Player ESR (Extended Support Release) 13.0.0.305
- Reader 10.1.15
- Reader 11.0.12
- Shockwave Player 12.1.9.159

Bulletins:

https://helpx.adobe.com/security/products/shockwave/apsb15-17.html
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
https://helpx.adobe.com/security/products/reader/apsb15-15.html

You can get the latest version here: https://get.adobe.com/flashplayer/
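As an added example (not ISC's or Adobe's code), a small Python check that compares an installed version against the patched builds listed above, keyed on release branch so that a Flash 13.x Extended Support install is measured against 13.0.0.305 rather than 18.0.0.209; the sample inventory values are constructed, and how the installed version is collected is left to the caller.

```python
from typing import Dict, List, Tuple

# Minimum patched builds per product and release branch, taken from the
# bulletins above. Flash ships two supported lines (regular 18.x and the
# 13.x Extended Support Release), so each product is keyed on major version.
PATCHED: Dict[str, Dict[int, str]] = {
    "Flash Player": {18: "18.0.0.209", 13: "13.0.0.305"},
    "Reader": {11: "11.0.12", 10: "10.1.15"},
    "Shockwave Player": {12: "12.1.9.159"},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'18.0.0.209' -> (18, 0, 0, 209): tuples compare numerically, whereas
    as strings '18.0.0.209' < '18.0.0.23' would wrongly read as outdated."""
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(product: str, installed: str) -> Tuple[bool, str]:
    """Return (ok, reason). A build on a branch the bulletin no longer lists
    (e.g. Flash 17.x) is reported as unpatched, since no fixed build exists."""
    inst = parse_version(installed)
    fixed = PATCHED[product].get(inst[0])
    if fixed is None:
        return False, f"{product} {installed}: {inst[0]}.x is not a patched branch"
    if inst >= parse_version(fixed):
        return True, f"{product} {installed}: at or above {fixed}"
    return False, f"{product} {installed}: below patched build {fixed}"


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, bool, str]]:
    """Run is_patched over a (product, version) inventory."""
    return [(p, *is_patched(p, v)) for p, v in inventory]


# Constructed sample inventory (hypothetical endpoints, not real data).
SAMPLE_INVENTORY = [
    ("Flash Player", "18.0.0.203"),    # the build Mozilla blocklisted
    ("Flash Player", "13.0.0.305"),    # ESR line, already patched
    ("Flash Player", "17.0.0.188"),    # retired branch, constructed value
    ("Reader", "11.0.10"),
    ("Shockwave Player", "12.1.9.159"),
]

if __name__ == "__main__":
    for product, ok, reason in audit(SAMPLE_INVENTORY):
        print("OK  " if ok else "FAIL", reason)
```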

Also note that many browsers now allow you to disable Flash by default. You can re-enable it for sites that require Flash. Here is a nice page that will explain how to have your browser ask for permission before running plugins:

http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


There's some drama going down in the Flash camp. Yesterday, because of two unpatched Hacking Team zero-day vulnerabilities, Mozilla blacklisted Adobe Flash Player 18.0.0.203, meaning Flash was disabled by default in Firefox. This morning, just a few moments ago, Adobe rushed out version 18.0.0.209, plugging the two vulnerabilities.

Meanwhile, over at Facebook, the company's new chief security officer called for Adobe to "announce an end-of-life date for Flash," so that we can finally "disentangle the dependencies and upgrade the whole ecosystem."

And if two Web giants weren't enough, Google recently announced that the next stable version of Chrome would "intelligently" block auto-playing Flash elements.


 

Turns out, going after someone’s Bitcoin transactions is much easier than you might think. After all, as the saying goes, once you’re pwned, you’re pwned.

After Hacking Team, the Italian spyware vendor, was hacked earlier this month, and 400GB of its internal data was released, Ars reviewed many internal e-mails from the company. These documents clearly illustrate how simply Hacking Team's "Money Module" worked, and they provide a small glimpse into which customers were particularly interested in it.

In general, the Italian spyware company sold (and hopes to continue to sell) software that allowed targets to be surreptitiously surveilled as they used computers or smartphones, and its clientele included law enforcement agencies worldwide. Back in January 2014, Hacking Team internally announced a new feature as part of its version 9.2 upgrade to its Remote Control System suite, and the new iteration would include a way to "track cryptocurrencies, such as BitCoin [sic], and all the related information."


 