(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Developers with both Mozilla and Tor have published browser updates that patch a critical Firefox vulnerability being actively exploited to deanonymize people using the privacy service.

"The security flaw responsible for this urgent release is already actively exploited on Windows systems," a Tor official wrote in an advisory published Wednesday afternoon. "Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately."

The Tor Browser is based on the open-source Firefox browser developed by the Mozilla Foundation. Shortly after this post went live, Mozilla security official Daniel Veditz published a blog post saying the vulnerability has also been fixed in a just-released version of Firefox for mainstream users. Early on Wednesday, Veditz said, his team received a copy of the attack code, which exploited a previously unknown vulnerability in Firefox.


IBM BigFix Remote Control CVE-2016-2950 Unspecified SQL Injection Vulnerability
IBM BigFix Remote Control CVE-2016-2949 Local Information Disclosure Vulnerability
[security bulletin] HPSBGN03677 rev.1 - HPE Network Automation using RPCServlet and Java Deserialization, Remote Code Execution
IBM iNotes and Domino CVE-2016-5882 Cross Site Scripting Vulnerability
IBM iNotes and Domino CVE-2016-5880 Cross Site Scripting Vulnerability
IBM iNotes and Domino CVE-2016-2939 Cross Site Scripting Vulnerability

Update: Mozilla has now released Firefox 50.0.2 to fix this issue, and the Tor Project has released the corresponding Tor Browser 6.0.7.

Tor Browser, an easy-to-use bundle of Firefox and Tor, is currently being attacked using a so far unpatched vulnerability. The JavaScript-based exploit was first described on the Tor mailing list [1]. With the exploit now public, it is likely only a matter of time before it is used against Firefox outside of Tor.

Mozilla is working on a patch, and Tor Browser 6.0.7, which will hopefully be released later today, is scheduled to include the fix.

Until then: best not to use Firefox if you can help it. The current version of Firefox, 50.0.1, which was released on Monday, is still vulnerable. While the exploit hasn't been spotted outside of Tor yet, expect it to show up by the time you read this.

An analysis of the shellcode used in the exploit by Wack0 concluded that the code is very similar to an exploit used by law enforcement in 2013 against an older version of Firefox/Tor Browser [2].


Johannes B. Ullrich, Ph.D.

[security bulletin] HPSBHF03682 rev.1 - HPE Comware 7 Network Products using SSL/TLS, Local Gain Privileged Access
[FOXMOLE SA 2016-05-02] e107 Content Management System (CMS) - Multiple Issues
Multiple I-O DATA DEVICE Products Buffer Overflow and Command Injection Vulnerabilities
Lenovo System Interface Foundation CVE-2016-8223 Local Privilege Escalation Vulnerability

We got a couple of reports recently about an increase in port 1434 scanning for the infamous Slammer (aka Sapphire) MS-SQL Server vulnerability. Sad to say, it looks like it never went away... There still appears to be a background of about 50 source IPs per day scanning for port 1434. This is way down from the numbers we saw in 2003/2004 (20,000-30,000 sources per day). But to put it in perspective: this is still only about an order of magnitude lower than what we see for Mirai now. So let

If you want a list of yesterday's sources, check here: https://isc.sans.edu/dailysources.html?mintargetport=1434&maxtargetport=1434

After removing some of the research scanners (Shodan, Shadowserver, Quadmetrics), I am left with this list:

ASN   | IP Address | CT | Network Name
278   |            | MX | Universidad Nacional Autonoma de Mexico, MX
3462  |            | TW | HINET Data Communication Business Group, TW
3786  |            | KR | LGDACOM LG DACOM Corporation, KR
4134  |            | CN | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4816  |            | CN | CHINANET-IDC-GD China Telecom (Group), CN
4837  |            | CN | CHINA169-BACKBONE CNCGROUP China169 Backbone, CN
5650  |            | US | FRONTIER-FRTR - Frontier Communications of America, Inc., US
6739  |            | ES | ONO-AS Cableuropa - ONO, ES
7018  |            | US | ATT-INTERNET4 - ATT Services, Inc., US
7029  |            | US | WINDSTREAM - Windstream Communications Inc, US
7162  |            | BR | Universo Online S.A., BR
7418  |            | CL | TELEFÓNICA CHILE S.A., CL
7470  |            | TH | TRUEINTERNET-AS-AP TRUE INTERNET Co.,Ltd., TH
7643  |            | VN | VNPT-AS-VN Vietnam Posts and Telecommunications (VNPT), VN
7922  |            | US | COMCAST-7922 - Comcast Cable Communications, LLC, US
8342  |            | RU | RTCOMM-AS, RU
8560  |            | US | ONEANDONE-AS Brauerstrasse 48, DE
9808  |            | CN | CMNET-GD Guangdong Mobile Communication Co.Ltd., CN
11014 |            | AR | CPS, AR
11650 |            | US | PLDI - Pioneer Long Distance Inc., US
15311 |            | CL | Telefonica Empresas, CL
16276 |            | FR | OVH, FR
16509 |            | US | AMAZON-02 - Amazon.com, Inc., US
17676 |            | JP | GIGAINFRA Softbank BB Corp., JP
19108 |            | US | SUDDENLINK-COMMUNICATIONS - Suddenlink Communications, US
27892 |            | VE | Universidad del Zulia, VE
29073 |            | NL | QUASINETWORKS, NL
60781 |            | NL | LEASEWEB-NL Netherlands, NL

No idea if these are actually infected systems, or if they are just scanning for various research projects as well. Right now, none of the systems appears to be up.
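The "sources per day" figure above, with research scanners removed, is easy to reproduce from your own firewall logs. The script below is an added example, not ISC's code: the iptables-style log lines are constructed, and the research-scanner CIDR is a hypothetical placeholder standing in for the Shodan/Shadowserver/Quadmetrics ranges excluded in the diary.

```python
"""Count distinct sources probing UDP/1434 per day from firewall logs.

Added example; the sample log and the scanner range are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in iptables LOG format (not real traffic).
SAMPLE_LOG = """\
Nov 29 03:12:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=1200 DPT=1434 LEN=404
Nov 29 03:12:09 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=UDP SPT=1200 DPT=1434 LEN=404
Nov 29 05:40:44 fw kernel: IN=eth0 SRC=192.0.2.55 DST=203.0.113.10 PROTO=UDP SPT=53211 DPT=1434 LEN=404
Nov 29 06:01:13 fw kernel: IN=eth0 SRC=192.0.2.99 DST=203.0.113.10 PROTO=TCP SPT=44120 DPT=1433 LEN=60
Nov 29 07:15:30 fw kernel: IN=eth0 SRC=203.0.113.200 DST=203.0.113.10 PROTO=UDP SPT=40000 DPT=1434 LEN=404
Nov 30 01:02:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=1200 DPT=1434 LEN=404
"""

# Hypothetical placeholder for known research-scanner ranges (constructed).
RESEARCH_SCANNERS = [ipaddress.ip_network("203.0.113.192/26")]

# Pull the day, source address, protocol and destination port out of a line.
LINE_RE = re.compile(
    r"^(?P<day>\w{3} +\d{1,2}) .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r".*?DPT=(?P<dpt>\d+)"
)

def is_research_scanner(src: str) -> bool:
    """True if the source falls inside one of the excluded scanner ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RESEARCH_SCANNERS)

def sources_per_day(log: str, port: int = 1434) -> dict:
    """Map each day to the set of distinct non-research sources hitting UDP/port."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "UDP" or int(m["dpt"]) != port:
            continue  # other ports/protocols (e.g. TCP/1433) are not Slammer probes
        if is_research_scanner(m["src"]):
            continue
        seen[m["day"]].add(m["src"])
    return dict(seen)

def daily_counts(log: str, port: int = 1434) -> dict:
    """Distinct source count per day, the metric the diary reports (~50/day)."""
    return {day: len(srcs) for day, srcs in sources_per_day(log, port).items()}
```

Feed it `journalctl -k` or syslog output in the same format and compare the per-day count against the roughly 50 sources/day background the diary mentions.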

Johannes B. Ullrich, Ph.D.

IBM BigFix Remote Control CVE-2016-2952 Information Disclosure Vulnerability
HDF5 CVE-2016-4331 Local Heap Buffer Overflow Vulnerability


Researchers say they've uncovered a family of Android-based malware that has compromised more than 1 million Google accounts, hundreds of them associated with enterprise users.

Gooligan, as researchers from security firm Check Point Software Technologies have dubbed the malware, has been found in at least 86 apps available in third-party marketplaces. Once installed, it uses a process known as rooting to gain highly privileged system access to devices running version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and version 5 (Lollipop) of Google's Android operating system. Together, the vulnerable versions account for about 74 percent of users.

The rooted devices then download and install software that steals the authentication tokens that allow the phones to access the owner's Google-related accounts without having to enter a password. The tokens work for a variety of Google properties, including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite. In a blog post published Wednesday morning, Check Point researchers wrote:




The number of reported webcam blackmail cases has more than doubled in the past year, and at least four suicides in the UK have been connected to this form of sextortion, says the National Crime Agency.

The NCA's Anti-Kidnap and Extortion unit has seen 864 cases of financially motivated webcam blackmail so far this year, up from 385 for the whole of 2015. The NCA believes the true number is a lot higher, though, due to significant under-reporting. Most victims (95 percent) were men or boys; men between 21 and 30 represent the largest group, but boys between 11 and 20 were also a "substantial portion."

The four sextortion-linked suicides have all been men and boys—and again, that figure could be under-reported.


OpenJPEG CVE-2016-9675 Incomplete Fix Multiple Remote Heap Based Buffer Overflow Vulnerabilities
[RT-SA-2016-003] Less.js: Compilation of Untrusted LESS Files May Lead to Code Execution through the JavaScript Less Compiler
Apache Subversion CVE-2016-8734 XML External Entity Denial of Service Vulnerability