Vulnerability News

Alert (TA13-288A)
Microsoft Updates for Multiple Vulnerabilities

Systems Affected

  • Windows Operating System and Components
  • Microsoft .NET Framework
  • Microsoft Server Software
  • Microsoft Office
  • Microsoft Silverlight
  • Internet Explorer

Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description
The Microsoft Security Bulletin Summary for October 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

Impact
These vulnerabilities could allow remote code execution or information disclosure.

Solution
Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for October 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revisions
October 15, 2013: Initial Release

Source: www.us-cert.gov


Alert (TA13-253A)
Microsoft Updates for Multiple Vulnerabilities

Systems Affected

  • Windows Operating System and Components
  • Microsoft Server Software
  • Microsoft Office
  • Internet Explorer

Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description
The Microsoft Security Bulletin Summary for September 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

Impact
These vulnerabilities could allow remote code execution, elevation of privilege, denial of service, or information disclosure.

Solution
Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for September 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revisions
September 10, 2013: Initial Release

Source: www.us-cert.gov


Alert (TA13-190A)
Microsoft Updates for Multiple Vulnerabilities

Systems Affected

  • Microsoft Windows
  • Microsoft .NET Framework
  • Microsoft Silverlight
  • Microsoft Office
  • Microsoft Visual Studio
  • Microsoft Lync
  • Internet Explorer
  • Windows Defender

Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description
The Microsoft Security Bulletin Summary for July 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

Impact
These vulnerabilities could allow remote code execution or elevation of privilege.

Solution
Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for July 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revisions
July 09, 2013: Initial Release

Source: www.us-cert.gov


Alert (TA13-175A)
Risks of Default Passwords on the Internet

Systems Affected
Any system using password authentication accessible from the internet may be affected. Critical infrastructure and other important embedded systems, appliances, and devices are of particular concern.

Overview
Attackers can easily identify and access internet-connected systems that use shared default passwords. It is imperative to change default manufacturer passwords and restrict network access to critical and important systems.

Description
What Are Default Passwords?

Factory default software configurations for embedded systems, devices, and appliances often include simple, publicly documented passwords. These systems usually do not provide a full operating system interface for user management, and the default passwords are typically identical (shared) among all systems from a vendor or within product lines. Default passwords are intended for initial testing, installation, and configuration operations, and many vendors recommend changing the default password before deploying the system in a production environment.

What Is the Risk?
Attackers can easily obtain default passwords and identify internet-connected target systems. Passwords can be found in product documentation and compiled lists available on the internet. It is possible to identify exposed systems using search engines like Shodan, and it is feasible to scan the entire IPv4 internet, as demonstrated by such research as

Attempting to log in with blank, default, and common passwords is a widely used attack technique.
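The spray of blank, default and common passwords described above leaves a recognisable trace in authentication logs. The following Python script is an added example, not part of the US-CERT alert: it parses OpenSSH "Failed password" / "Accepted password" lines (the sample lines are constructed), groups attempts by source address, and flags sources that cycle through well-known default account names, escalating the finding when a password login from the same source later succeeds. The account-name list and the threshold are assumptions to tune per environment.

```python
"""Flag blank/default/common-password login sprays in OpenSSH auth logs.

Added example, not part of the US-CERT alert. Standard library only. The
DEFAULT_ACCOUNTS list and min_default_names threshold are assumptions to
tune for your own environment.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes (not real traffic).
SAMPLE_LOG = """\
Jan 14 03:12:07 gw sshd[2113]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 14 03:12:09 gw sshd[2115]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 14 03:12:11 gw sshd[2117]: Failed password for invalid user ubnt from 203.0.113.5 port 51244 ssh2
Jan 14 03:12:13 gw sshd[2119]: Failed password for invalid user pi from 203.0.113.5 port 51250 ssh2
Jan 14 03:12:15 gw sshd[2121]: Accepted password for support from 203.0.113.5 port 51256 ssh2
Jan 14 03:15:02 gw sshd[2200]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 14 03:15:05 gw sshd[2200]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
"""

# Account names that ship as factory defaults on many devices (assumed list).
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "user", "guest", "pi",
                    "ubnt", "support", "test", "operator", "service"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class SourceActivity:
    failures: int = 0
    failed_users: set = field(default_factory=set)
    password_logins_after_failures: list = field(default_factory=list)


def parse_events(log_text):
    """Return (timestamp, result, method, user, src) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd / syslog lines are not authentication results
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return sorted(events)


def detect_default_credential_sprays(log_text, min_default_names=3):
    """Map source address -> finding for sources cycling through default accounts.

    A source is flagged when its failed logins cover at least min_default_names
    distinct names from DEFAULT_ACCOUNTS. If the same source later succeeds
    with *password* authentication, the finding is critical: a default or
    guessed password most likely worked. Key-based logins are not counted.
    """
    activity = defaultdict(SourceActivity)
    for _ts, result, method, user, src in parse_events(log_text):
        a = activity[src]
        if result == "Failed":
            a.failures += 1
            a.failed_users.add(user)
        elif method == "password" and a.failures > 0:
            a.password_logins_after_failures.append(user)

    findings = {}
    for src, a in activity.items():
        tried = sorted(a.failed_users & DEFAULT_ACCOUNTS)
        if len(tried) < min_default_names:
            continue
        findings[src] = {
            "severity": "critical" if a.password_logins_after_failures else "high",
            "failures": a.failures,
            "default_accounts_tried": tried,
            "password_logins_after_failures": a.password_logins_after_failures,
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_default_credential_sprays(SAMPLE_LOG).items():
        print(src, finding)
```

Run against a real /var/log/auth.log (or `journalctl -u ssh -o short`) the same function works unchanged; the distinction worth keeping is that a successful public-key login after failures is not escalated, while a successful password login from a source that just walked through root/admin/ubnt/pi is exactly the "unchanged default" outcome this alert warns about.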

Impact
An attacker with knowledge of the password and network access to a system can log in, usually with root or administrative privileges. Further consequences depend on the type and use of the compromised system. Examples of incident activity involving unchanged default passwords include

  • Internet Census 2012 Carna Botnet distributed scanning
  • Fake Emergency Alert System (EAS) warnings about zombies
  • Stuxnet and Siemens SIMATIC WinCC software
  • Kaiten malware and older versions of Microsoft SQL Server
  • SSH access to jailbroken Apple iPhones
  • Cisco router default Telnet and enable passwords
  • SNMP community strings

Solution
Change Default Passwords

Change default passwords as soon as possible and absolutely before deploying the system on an untrusted network such as the internet. Use a sufficiently strong and unique password. See US-CERT Security Tip ST04-002 and Password Security, Protection, and Management for more information on password security.

Use Unique Default Passwords
Vendors can design systems that use unique default passwords. Such passwords may be based on some inherent characteristic of the system, like a MAC address, and the password may be physically printed on the system. If the password is derived from such a characteristic, the derivation should not be computable from the characteristic alone: a MAC address is visible to anyone on the same network, so a default that is a simple function of it is effectively shared.

Use Alternative Authentication Mechanisms
When possible, use alternative authentication mechanisms like Kerberos, X.509 certificates, public keys, or multi-factor authentication. Embedded systems may not support these authentication mechanisms and the associated infrastructure.

Force Default Password Changes
Vendors can design systems to require password changes the first time a default password is used. Recent versions of DD-WRT wireless router firmware operate this way.

Restrict Network Access
Restrict network access to trusted hosts and networks. Only allow internet access to required network services, and unless absolutely necessary, do not deploy systems that can be directly accessed from the internet. If remote access is required, consider using VPN, SSH, or other secure access methods and be sure to change default passwords.
Vendors can design systems to only allow default or recovery password use on local interfaces, such as a serial console, or when the system is in maintenance mode and only accessible from a local network.
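The three vendor-side controls above (a unique per-unit default, a forced change the first time the default is used, and honouring the default only on a local interface) fit together in one small account store. The following Python sketch is an added example, not code from the alert, DD-WRT or any vendor; the HMAC-based derivation from the serial number, VENDOR_SECRET, the 12-character label password, the interface names and the PBKDF2 parameters are all assumptions.

```python
"""Per-unit default passwords, forced first-use change, local-only default.

Added example illustrating the vendor-side controls in the alert; it is not
code from US-CERT, DD-WRT or any vendor. VENDOR_SECRET, the serial-based
HMAC derivation, the interface names and the PBKDF2 parameters are assumed.
"""
import hashlib
import hmac
import secrets

# Held in the factory provisioning system only, never shipped in firmware (assumption).
VENDOR_SECRET = b"example-factory-provisioning-secret"

# 32 symbols with 0/O, 1/I/l look-alikes removed so the label is readable.
# 256 % 32 == 0, so mapping bytes onto it introduces no bias.
LABEL_ALPHABET = "ABCDEFGHJKMNPQRSTVWXYZ0123456789"

# Interfaces on which the factory default may be used at all (assumption).
LOCAL_INTERFACES = {"serial", "lan"}

PBKDF2_ITERATIONS = 100_000


def derive_unit_default(serial, length=12):
    """Per-unit default password printed on the label at the factory.

    A keyed HMAC over the serial is used instead of the serial or MAC address
    itself: both are visible to anyone on the network, so a default that is a
    plain function of them is as good as shared.
    """
    digest = hmac.new(VENDOR_SECRET, serial.encode(), hashlib.sha256).digest()
    return "".join(LABEL_ALPHABET[b % len(LABEL_ALPHABET)] for b in digest[:length])


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Device:
    """Firmware-side admin account: the default works once, only locally, and
    only to set a real password."""

    def __init__(self, serial):
        self.serial = serial
        self._default = derive_unit_default(serial)  # same value the label shows
        self._salt = None
        self._password_hash = None  # None while still on the factory default

    def printed_label_password(self):
        return self._default

    def is_on_default(self):
        return self._password_hash is None

    def login(self, password, interface="lan"):
        """Return 'ok', 'must_change_password' or 'denied'."""
        if self.is_on_default():
            # Default credentials are never honoured from a WAN-facing interface.
            if interface not in LOCAL_INTERFACES:
                return "denied"
            if hmac.compare_digest(password.encode(), self._default.encode()):
                return "must_change_password"
            return "denied"
        if hmac.compare_digest(_hash_password(password, self._salt), self._password_hash):
            return "ok"
        return "denied"

    def set_password(self, current, new_password, interface="lan"):
        """Complete first-use setup or change the password later.

        Rejects the factory default and passwords shorter than 12 characters
        (the length floor is an assumption; apply your own policy here).
        """
        if self.login(current, interface) == "denied":
            return False
        if len(new_password) < 12 or new_password == self._default:
            return False
        self._salt = secrets.token_bytes(16)
        self._password_hash = _hash_password(new_password, self._salt)
        return True


if __name__ == "__main__":
    unit = Device("SN-00012345")
    label = unit.printed_label_password()
    print("label:", label)
    print("default over WAN:", unit.login(label, interface="wan"))
    print("default over LAN:", unit.login(label))
    print("set password:", unit.set_password(label, "correct horse battery staple"))
    print("default after change:", unit.login(label))
```

The point of the keyed derivation is that the factory can reprint a label for a returned unit, but nobody who merely reads the serial or sniffs the MAC address can compute the default; a plain hash or truncation of the MAC would give attackers a shared secret in practice. Once `set_password` succeeds the default is dead for that unit, which is the behaviour the alert describes for DD-WRT.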

Identify Affected Products
It is important to identify software and systems that are likely to use default passwords. The following list includes software, systems, and services that commonly use default passwords:

  • Routers, access points, switches, firewalls, and other network equipment
  • Databases
  • Web applications
  • Industrial Control Systems (ICS)
  • Other embedded systems and devices
  • Remote terminal interfaces like Telnet and SSH
  • Administrative web interfaces

Running a vulnerability scanner on your network can identify systems and services using default passwords. Freely available scanners include Metasploit and OpenVAS.

References

Revisions
June 24, 2013: Initial release

Source: www.us-cert.gov


US-CERT Alert (TA13-064A)
Oracle Java Contains Multiple Vulnerabilities

Original release date: March 05, 2013

Systems Affected
Any system using Oracle Java 7, 6, 5 (1.7, 1.6, 1.5) including

  • Java Platform Standard Edition 7 (Java SE 7)
  • Java Platform Standard Edition 6 (Java SE 6)
  • Java Platform Standard Edition 5 (Java SE 5)
  • Java SE Development Kit (JDK 7)
  • Java SE Development Kit (JDK 6)
  • Java SE Development Kit (JDK 5)
  • Java SE Runtime Environment (JRE 7)
  • Java SE Runtime Environment (JRE 6)
  • Java SE Runtime Environment (JRE 5)
  • OpenJDK 6 and 6u
  • IcedTea 1.x (IcedTea6 1.x)

All versions of Java 7 through update 15, Java 6 through update 41, and Java 5.0 through update 40 are affected. Web browsers using the Java 5, 6 or 7 plug-in are at high risk.

Overview
Oracle Java 7 update 15, Java 6 update 41, Java 5.0 update 40, and earlier versions of Java contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description
An arbitrary memory read and write vulnerability in the Java JVM process could allow an attacker to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).
Any web browser using the Java 5, 6, or 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.
Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.
Further technical details are available in Vulnerability Note VU#688246.

Impact
By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process. Note that applications that use the Internet Explorer web-content-rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for these vulnerabilities.

Solution
Update Java

Oracle Security Alert for CVE-2013-1493 states that Java 7 Update 17 (7u17) and Java 6 Update 43 address this vulnerability (CVE-2013-1493) and a different but equally severe vulnerability (CVE-2013-0809).
Java 7 Update 17 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Disable Java in Web Browsers
This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against these vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. According to Setting the Security Level of the Java Client,

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.

If you are unable to update to Java 7 Update 10, see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.

References
Vulnerability Note VU#688246
Setting the Security Level of the Java Client
The Security Manager
How to disable the Java web plug-in in Safari
How to turn off Java applets
NoScript
Securing Your Web Browser
Oracle Security Alert for CVE-2013-1493
FireEye Malware Intelligence Lab Blog Post
JDK 7u17 Release Notes
Security Alert for CVE-2013-1493 Released
IcedTea6 1.11.9 and 1.12.4 Released

Source: www.us-cert.gov



Execution of arbitrary code in PHP

Date of publication: February 3, 2012
Modification date: February 6, 2012
Severity: High
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 rating: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:P/RL:O/RC:C) = Base:10/Temporal:7.8
CVE ID: CVE-2012-0830
Attack vector: Remote
Impact: Compromise of system
CWE ID: No data
Exploitation: PoC code available
Affected products: PHP 5.3.x

Affected versions: PHP 5.3.9

Description:
The vulnerability allows a remote user to execute arbitrary code on the target system.

Manufacturer URL: www.php.net

Solution: Upgrade to PHP 5.3.10 (or later) from the vendor.

References:
http://www.php.net/archive/2012.php#id2012-02-02-1
https://gist.github.com/1725489

Source: www.securitylab.ru



Multiple vulnerabilities in FreeBSD

Date of publication: December 26, 2011
Modification date: December 28, 2011
Severity: High
Fix available: Yes
Number of vulnerabilities: 5
CVSSv2 rating: (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C) = Base:9.3/Temporal:8.1
 (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:H/RL:O/RC:C) = Base:7.1/Temporal:6.2
 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:O/RC:C) = Base:9/Temporal:6.7
 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:O/RC:C) = Base:9/Temporal:6.7
 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:O/RC:C) = Base:7.5/Temporal:5.5
CVE ID:     CVE-2011-4862
 CVE-2011-4313
 CVE-2011-4122

Attack vector: Remote
Impact: Denial of service
  Elevation of privilege
  Security bypass
  Compromise of system
CWE ID: No data
Exploitation: No data
Affected products: FreeBSD 7.x
FreeBSD 8.x
FreeBSD 9.x

Affected versions:
FreeBSD 7.3
FreeBSD 7.4
FreeBSD 8.1
FreeBSD 8.2
FreeBSD 9.0

Description:
Multiple vulnerabilities in FreeBSD can be exploited by remote attackers to bypass certain security restrictions, cause a denial of service, escalate privileges, or compromise a vulnerable system.

Manufacturer URL: http://www.freebsd.org/

Solution: Install the vendor patches described in the FreeBSD security advisories listed below.

References:
FreeBSD-SA-11:10.pam: pam_start() does not validate service names
FreeBSD-SA-11:09.pam_ssh: pam_ssh improperly grants access when user account has unencrypted SSH private keys
FreeBSD-SA-11:08.telnetd: telnetd code execution vulnerability
FreeBSD-SA-11:07.chroot: Code execution via chrooted ftpd
FreeBSD-SA-11:06.bind: Remote packet Denial of Service against named(8) servers

Source: www.securitylab.ru



Execution of arbitrary code in Adobe Reader / Acrobat

Date of publication: December 7, 2011
Modification date: January 11, 2012
Severity: Critical
Fix available: Yes
Number of vulnerabilities: 2
CVSSv2 rating: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C) = Base:10/Temporal:8.7
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C) = Base:10/Temporal:8.7
CVE ID:     CVE-2011-2462
CVE-2011-4369
CVE-2011-2445
CVE-2011-2450
CVE-2011-2451
CVE-2011-2452
CVE-2011-2453
CVE-2011-2454
CVE-2011-2455
CVE-2011-2456
CVE-2011-2457
CVE-2011-2458
CVE-2011-2459
CVE-2011-2490
Attack vector: Remote
Impact: Compromise of system
CWE ID: No data
Exploitation: Actively exploited in the wild
Affected Products: Adobe Acrobat 9.x
Adobe Acrobat X 10.x
Adobe Reader 9.x
Adobe Reader X 10.x

Vulnerable versions:
Adobe Reader X 10.1.1 and earlier versions for Windows and Macintosh
Adobe Reader 9.4.6 and earlier versions for Windows, Macintosh and UNIX
Adobe Acrobat X 10.1.1 and earlier versions for Windows and Macintosh
Adobe Acrobat 9.4.6 and earlier versions for Windows and Macintosh

Description:
1. An unspecified error when handling U3D data (CVE-2011-2462). This can be exploited to corrupt memory and execute arbitrary code on the target system.

Note: This vulnerability was being actively exploited at the time of publication.

2. An error in the PRC component (CVE-2011-4369). This can be exploited to corrupt memory and execute arbitrary code on the target system.

Note: This vulnerability was being actively exploited at the time of publication.

3. The application uses a vulnerable version of Adobe Flash Player.

A detailed description of the vulnerabilities in Adobe Flash Player can be found here:

http://www.securitylab.ru/vulnerability/409995.php

Manufacturer URL: http://www.adobe.com/products/reader.html

Solution: For Adobe Reader and Acrobat 9.x on Windows, install version 9.4.7 from the vendor. Fixes for Adobe Reader / Acrobat X and for Adobe Reader 9.x on UNIX will be available January 10, 2012.

References:
APSA11-04:Security Advisory for Adobe Reader and Acrobat
APSB11-30: Security updates available for Adobe Reader and Acrobat 9.x for Windows
APSB12-01: Security updates available for Adobe Reader and Acrobat

Source: www.securitylab.ru



 Contacts:
 Phone: (994 12) 5104253
 E-mail: info at sciencecert dot az
2013 ©  Institute of Information Technology of ANAS
All rights reserved. Any use of information in the website should be accompanied by an acknowledgement of sciencecert.az as the source.