New Windows Vulnerability

The Microsoft Security Advisory (found here) describes a new, un-patched vulnerability in all currently supported versions of Windows except Server 2003. Successful exploitation of this vulnerability would allow an attacker to gain the same rights on the machine as the current user.

Exploitation of this vulnerability requires the user to open a specially crafted Microsoft Office document. Researchers are seeing targeting attacks utilizing this attack.

Prevention: standard behavior rules apply:

  • Don’t open attachments from unknown sources
  • Don’t click on suspicious links in email

New Phishing Campaign Discovered.

A CIS Cyber Alert (see below) has been published detailing a Phishing campaign that utilizes a weaponized PDF document that exploits a vulnerability in Adobe Reader(CVE-2013-2729). This campaign attempts to entice users to open the attached file by referring to an “Unpaid invoic”(sic)

This campaign is utilizing the Dyre Banking Trojan, focused on stealing banking credentials.

Recommendations:

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to those required only.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Keep all operating system, applications and essential software up to date to mitigate potential exploitation by attackers.
  • Ensure that systems are hardened with industry-accepted guidelines.
  • Make sure all AV products are up-to-date with their signatures.
  • Implement filters at your email gateway for filtering out emails with subject line “Unpaid invoic”. [Note the typo]

REFERENCES:

PhishLabs:

http://blog.phishlabs.com/enhancements-to-dyre-banking-trojan

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729

New SSLv3 Vulnerability

Also known as “Poodle”, this vulnerability could allow an attacker to steal web site login information or payment data.

“A vulnerability exists within the SSL version 3.0 protocol… allowing an attacker to hijack and decrypt session cookies that are utilized between a user’s web browser and the web site. This could lead to attackers obtaining enough information to temporarily impersonate web site visitor account logins and/or online payment systems.”

REFERENCES:

Google:

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

WIRED:

http://www.wired.com/2014/10/poodle-explained/

SANS:

https://isc.sans.edu/forums/diary/OpenSSL+SSLv3+POODLE+Vulnerability+Official+Release/18827

Multiple Vulnerabilities Released Today.

Several important vulnerabilities in Microsoft products, including Windows, Office, .NET, Internet Explorer, were released today along with patch information. They are:

  • Vulnerabilities in .NET Framework Could Allow Remote Code Execution (MS14-057)
  • Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (MS14-058)
  • Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (MS14-061)
  • Cumulative Security Update for Internet Explorer (MS14-056)
  • Vulnerability in OLE Could Allow Remote Code Execution (MS14-060)
  • Multiple vulnerabilities found in Adobe Flash Player and Adobe AIR could allow an attacker to execute code remotely. (APSB14-22)
  • Critical Oracle Patches (http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html)

These Security Advisories will affect many users; student, staff and faculty; so it is important to update your instances of the software mentioned.

“BadUSB” Exploit

There is a new exploit that has hit the internet called BadUSB that poses a Security threat based on USB devices.  Instructions and applications to create infected USB devices are available on the internet.  The exploit allows installation into the USB’s firmware where it is run automatically when plugged into a computer system.  The firmware is the set of “instructions” used by the usb device to start up and be read by your computer.  Current anti-malware software does not read this area of devices and is unable to protect from this exploit.  If the anti-malware may be able to recognize the malware activity once it starts and be able to protect the computer and data; Keep your anti-malware up-to-date.

Since this exploit requires a user to  insert a USB that has been created to allow this exploit, Be careful of free USB drives, USB drives found, USB devices from unknown or suspicious sources and Always Lock Your Computer when you leave your desk.

Additional information on BadUSB can be found at http://mashable.com/2014/10/03/how-can-you-avoid-badusb/ or https://srlabs.de/badusb/