OS X Trojan

Posted on by
Reply

A new OS X Trojan has been spotted in the wild. The Trojan has been given the identifier “TheOSX/Hovdy-A”, and can perform somewhat advanced attacks against an infected machine. The Trojan takes advantage of a recent escalation exploit within applescript to gain root access to the machine. Once root, the Trojan can manipulate the firewall, steal passwords, and disable security settings. As OS X becomes more popular, we can expect to see more malicious software aimed it. Don’t assume that you’re safe just because you’re on a Mac, follow all of the precautions that your would with any other OS and practice safe surfing!

CA ARCserve DoS, Multiple CMS Vulns

Posted on by
Reply

Computer Associates ARCserve Backup 12.0.5454.0 and earlier can be Denial of Serviced by sending a specially crafted packet to port 41523. For more specific information please see CVE-2008-1979.

Several Content Management Systems are vulnerable to Remote File Inclusion (RFI) and SQL injection. As Adam said in a previous post, it appears that application developers are still not embracing the proper coding procedures that allow for these exploits to be developed. If you are an admin of a CMS please make sure that your application is tested regulary for any injection vulnerabilities.

Expect More Worms

Posted on by
Reply

The team at PandaLabs has discovered an application that converts any given executable into a worm. Apparently originating in Spain the tool allows a user to wrap any executable in worm code using a simple GUI interface. There are options for enabling Mutex, UPX compression, and disabling various operating system components. We will continue to see these types of tools lower the technical threshold of attackers and increase the number of malicious agents increase in the wild.

Security practitioners need to continue to assist their clients in developing defense in depth strategies that will reduce risk and exposure to these threats. Key elements to address would be identifying key at risk assests, moving towards enclave computing and adding more rigorous security testing of Internet facing applications (slowing their deployment if necessary). The need for security awareness training that is both engaging and current will continue to increase.

For more details on the tool itself you can visit:  http://pandalabs.pandasecurity.com/archive/T2W-_2D002D003E00_-Trojan-to-Worm.aspx

Cisco IPS Denial of Service

Posted on by
Reply

Cisco has released an advisory for IPS platforms, they are susceptible to denial of service attacks. The vulnerability is in the handling of jumbo ethernet frames. A specially crafted packet can cause the device to kernel panic, a power cycle is required to reset the device. However, if the device is deployed in promiscous mode, or does not have a gigabit interface, it is not vulnerable. For vulnerable devices, Cisco has released updates and a workaround. Install the updates, or disable support for jumbo Ethernet to mitigate this issue.

SNMP Scans

Posted on by
Reply

We have noticed, and noticed around the net that there has been a sharp increase in SNMP port scans. No doubt this is due to the recent vulnerability and exploit code released. If you happen to be running SNMP exposed on your external network (something that should be discouraged), it would be a very good idea to update those devices, and also block those ports or restrict access if they do not absolutely need to be exposed.

Web App Security

Posted on by
Reply

Over the past few days more than 30 exploits have been released focusing on web applications. The exploits focus on SQL injection attacks, which are a major vulnerability lately, and that’s just for published web applications. Many more are being discovered in privately developed websites. It still seems that some developers out there are still not embracing secure coding practices.

Bot activity has still been seen spreading through websites also using these vulnerabilities. Causing normally trustable websites to deliver malware to unsuspecting users. Until all developers change their coding processes, we can expect these exploits and bot activity to keep increasing. In the mean time, we recommend that any applications you are developing undergo testing, and any web applications (such as CMS) you are using stay patched.

SNMP v3 Vulnerability and Exploit

Posted on by
Reply

A vulnerability was identified in many implementations of SNMPv3 which allows an attacker to bypass SNMP authentication. In just a few days a working exploit was released into the wild. With the exploit remote attackers may be able to access and modify any SNMP on an affected system.This could affect many devices, and firmware will need to be updated across the board. The extent of affected systems is not completely known yet, but assume that all devices that implement SNMPv3 are vulnerable.

June Virtual Event Announced – Social Engineering Assessments Primer

Posted on by
Reply

We are proud to announce our June Virtual Event topic for the month. Please join us as we cover a primer for social engineering assessments and how they can assist you in securing your organization. As always, our virtual events are long on information and short on sales and spin. They are also FREE!

Abstract:

This presentation will cover the reasons why your organization should consider a social engineering assessment as a part of their routine security auditing processes. Examples of test scenarios will be given, along with ideas on scoping such tests. Further, ways to appropriately use the results and tips on presenting the identified issues to upper management will be discussed.

Date: Tuesday, June 26th at 4pm Eastern

To register for the presentation and to receive the PDF of the slides as well as the dial in number, please send email to info@microsolved.com with “June Virtual Event” or the like in the subject line.


Editors note: Sorry for the need to create a subject clarification, but we are holding several events this month including live and virtual versions of our State of the Threat presentations. If you need more info about those presentations, just ask. Thanks!

Microsoft Patch Tuesday details

Posted on by
Reply

MS08-030
Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)
Performing a large number of SDP requests could allow for code execution.

MS08-031
Cumulative Security Update for Internet Explorer (950759)
Vulnerabilities in MSIE allow code execution and cross domain information leaks.
Should be patched immediately as details on exploiting are publically available.
Rated:Critical
Replaces MS08-024.

MS08-032
Cumulative Security Update of ActiveX Kill Bits (950760)
A vulnerability in the Speech API could allows for remote execution in the context of the user viewing a specially crafted webpage. Speech recognition must be enabled.
Rated: Moderate
Replaces MS08-023.

MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
Input validation vulnerabilities may allow code execution via DirectX.
Rated: Critical
Replaces MS07-064.

MS08-034
Vulnerability in WINS Could Allow Elevation of Privilege (948745)
A privilege escalation vulnerability in WINS could allows an attacker to compromise a vulnerable system.
Rated: Important
Replaces MS04-045.

MS08-035
Vulnerability in Active Directory Could Allow Denial of Service (953235)
Input validation failure in the LDAP can lead to a Denial of Service.
Rated: Important
Replaces MS08-003.

MS08-036
Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)
Input validation vulnerabilities in PGM packets can be leveraged to cause a Denial of Service.

Rated:Important

Replaces MS06-052.