netVigilance - assurance has arrived
2012 Issue #4

ScoutNews
The weekly Security update from
the makers of SecureScout

February 10, 2012



Table of Contents

Product Focus

This Week in Review

Top Security News Stories this Week

New Vulnerabilities Tested in SecureScout

New Vulnerabilities found this Week



Product Focus

Apache Chunked Vulnerability Scanner - The S4 Apache Chunked Vulnerability Scanner is a free utility made by SecureScout that will scan up to 256 IP addresses at once to assess if any are vulnerable to the Apache Chunked Encoding buffer overflow.

Download Here:
http://www2.netvigilance.com/productdownloads?productname=apachechunkedvulnerabilityscanner



This Week in Review

MasterCard and Visa to support chip technology. DDoS attacks mostly political. Hackers go after small franchise-owned businesses. PCI expert certification coming.

Enjoy reading & Stay safe.

Call or email netVigilance to get an update on SecureScout.
(503) 524 5758 or sales@netVigilance.com


Top Security News Stories this Week

MasterCard announces product future around EMV

As expected, MasterCard has joined Visa in its support for chip-enabled technology, considered one of the most effective ways to deter counterfeit debit and credit card fraud.

Citing the need to keep pace with advances in technology and new channels from which consumers wish to make payments, particularly mobile and online, MasterCard has laid out a "roadmap," which, it said, will provide added security and control in payment choices.

"We're moving toward a world beyond plastic, where consumers will shop and pay in a way that best fits their needs and lifestyles with a simple tap, click or touch in-store, online or on a mobile device," Chris McWilton, president of U.S. markets at MasterCard, said last week in a news release.
SC Magazine

Full Story:
http://www.scmagazine.com/mastercard-announces-product-future-around-emv/article/226744/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29


Hacktivist-led DDoS is now the most common type, study finds

For the first time, political motivation rates as the top driver behind DDoS attacks, in which the availability of websites buckles under the weight of floods of traffic, according to a study released by security firm Arbor Networks.

The findings of the seventh annual "Worldwide Infrastructure Security Report," released Tuesday, should surprise few people, considering the meteoric rise of online "hacktivist" collective Anonymous, which has been responsible for not only launching many of these ideologically propelled attacks but also in encouraging others to join in. Previously, financial fraud, with a clear organized criminal motivation, rated as the number one driver.

Now that knocking a site offline -- and then demanding a ransom to return it to its normal state -- is no longer the most likely scenario, more organizations than ever may be unprepared for such attacks, according to Arbor.
SC Magazine

Full Story:
http://www.scmagazine.com/hacktivist-led-ddos-is-now-the-most-common-type-study-finds/article/226978/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29


Breaches aided by weak passwords, poor AV detection

Cyber criminals are still targeting customer data, but as larger organizations become more adept at locking down sensitive information, attackers are going after industries with franchise models, according to security firm Trustwave's annual global study.

That's what has made the food-and-beverage industry such an attractive target, with 44 percent of Trustwave's more than 300 data breach response investigations involving this market, according to the "2012 Global Security Report," released this week. That industry rated as the most targeted in 2010, as well.

Many food-and-beverage locations are owned by franchisees, but their networks all are similarly set up, which offers hackers a formulaic blueprint for fleecing a large number of victims, said Nicholas Percoco, who heads Trustwave's research arm, SpiderLabs.
SC Magazine

Full Story:
http://www.scmagazine.com/breaches-aided-by-weak-passwords-poor-av-detection/article/227150/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29


Standards body to certify PCI end-user experts

The alphabet soup of security certifications is expected to grow this year when professionals get the chance to show off their expertise in the Payment Card Industry Data Security Standard (PCI DSS).

The PCI Security Standards Council, which manages and drives adoption of the standard, is planning to launch a certification that attests to one being qualified in preparing an organization for a PCI assessment, Bob Russo, general manager of the council, told SCMagazine.com on Thursday.

Security practitioners have expressed much interest in obtaining such a credential, Russo said. Part of the reason, admittedly, is for vanity, he said.
SC Magazine

Full Story:
http://www.scmagazine.com/standards-body-to-certify-pci-end-user-experts/article/227170/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29


New Vulnerabilities Tested in SecureScout

19756 Microsoft Windows SafeSEH security bypass vulnerability (CVE-2012-0001)

The kernel in Microsoft Windows XP SP2, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 SP1 does not properly load structured exception handling tables, which allows context-dependent attackers to bypass the SafeSEH security feature by leveraging a Visual C++ .NET 2003 application, aka "Windows Kernel SafeSEH Bypass Vulnerability."

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

* MS: MS11-098
http://technet.microsoft.com/security/bulletin/MS11-098
* OVAL: oval:org.mitre.oval:def:14635
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:14635
* BID: 51296
http://www.securityfocus.com/bid/51296

CVE Reference:

CVE-2012-0001 (cve.mitre.org, nvd.nist.gov)

19757 Microsoft Windows Local privilege escalation vulnerability (CVE-2012-0005)

The Client/Server Run-time Subsystem in the Win32 subsystem in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2, when a Chinese, Japanese, or Korean system locale is used, can access uninitialized memory during the processing of Unicode characters, which allows local users to gain privileges via a crafted application.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

* MS: MS12-001
http://technet.microsoft.com/security/bulletin/MS12-001
* BID: 51296
http://www.securityfocus.com/bid/51296
* OVAL: oval:org.mitre.oval:def:14758
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:14758
* SECTRACK: 1026493
http://www.securitytracker.com/id?1026493
* SECUNIA: 47356
http://secunia.com/advisories/47356

CVE Reference:

CVE-2012-0005 (cve.mitre.org, nvd.nist.gov)

19758 Microsoft Windows Media Player 'winmm.dll' MIDI file vulnerability (CVE-2012-0003)

Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

* MS: MS12-004
http://technet.microsoft.com/security/bulletin/MS12-004
* BID: 51292
http://www.securityfocus.com/bid/51292
* OVAL: oval:org.mitre.oval:def:14337
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:14337
* SECTRACK: 1026492
http://www.securitytracker.com/id?1026492
* SECUNIA: 47485
http://secunia.com/advisories/47485

CVE Reference:

CVE-2012-0003 (cve.mitre.org, nvd.nist.gov)

19759 Microsoft DirectX DirectShow filters remote code execution vulnerability (CVE-2012-0004)

Unspecified vulnerability in DirectShow in DirectX in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted media file, related to Quartz.dll, Qdvd.dll.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

* MS: MS12-004
http://technet.microsoft.com/security/bulletin/MS12-004
* BID: 51295
http://www.securityfocus.com/bid/51295
* OVAL: oval:org.mitre.oval:def:14832
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:14832
* SECTRACK: 1026492
http://www.securitytracker.com/id?1026492
* SECUNIA: 47485
http://secunia.com/advisories/47485

CVE Reference:

CVE-2012-0004 (cve.mitre.org, nvd.nist.gov)

19760 Microsoft Windows ClickOnce application installer remote code execution vulnerability (CVE-2012-0013)

Incomplete blacklist vulnerability in the Windows Packager configuration in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted ClickOnce application in a Microsoft Office document, related to .application files.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

* MS: MS12-005
http://technet.microsoft.com/security/bulletin/MS12-005
* BID: 51284
http://www.securityfocus.com/bid/51284
* SECTRACK: 1026497
http://www.securitytracker.com/id?1026497
* SECUNIA: 47480
http://secunia.com/advisories/47480

CVE Reference:

CVE-2012-0013 (cve.mitre.org, nvd.nist.gov)

19761 SSL/TLS Protocol initialization vector implementation information disclosure vulnerability (CVE-2011-3389)

The SSL protocol, as used in certain configurations in Microsoft Windows, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

None

CVE Reference:

CVE-2011-3389 (cve.mitre.org, nvd.nist.gov)

19762 Mozilla Firefox Multiple memory corruption vulnerability (CVE-2012-0442)

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.26 and 4.x through 9.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

* CONFIRM:
http://www.mozilla.org/security/announce/2012/mfsa2012-01.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=693399
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=705347

CVE Reference:

CVE-2012-0442 (cve.mitre.org, nvd.nist.gov)

19763 Mozilla Firefox Ogg Vorbis files memory corruption vulnerability (CVE-2012-0444)

Mozilla Firefox before 3.6.26 and 4.x through 9.0 do not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

* CONFIRM:
http://www.mozilla.org/security/announce/2012/mfsa2012-07.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=719612
* BID: 51753
http://www.securityfocus.com/bid/51753

CVE Reference:

CVE-2012-0444 (cve.mitre.org, nvd.nist.gov)

19764 Mozilla Firefox nsDOMAttribute use after free memory corruption vulnerability (CVE-2011-3659)

Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and 4.x through 9.0 might allow remote attackers to execute arbitrary code via vectors related to incorrect AttributeChildRemoved notifications that affect access to removed nsDOMAttribute child nodes.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

* CONFIRM:
http://www.mozilla.org/security/announce/2012/mfsa2012-04.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=708198
* BID: 51755
http://www.securityfocus.com/bid/51755

CVE Reference:

CVE-2011-3659 (cve.mitre.org, nvd.nist.gov)

19765 Mozilla Firefox nsDOMAttribute use after free memory corruption vulnerability (CVE-2012-0443)

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 9.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

* CONFIRM:
http://www.mozilla.org/security/announce/2012/mfsa2012-04.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=708198
* BID: 51756
http://www.securityfocus.com/bid/51756

CVE Reference:

CVE-2012-0443 (cve.mitre.org, nvd.nist.gov)


New Vulnerabilities found this Week

CVE-2012-1007    Apache    CVSS 2.0 Score = 4.3

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.

Risk: Medium

References:

MISC: http://secpod.org/blog/?p=450

MISC: http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt

CVE Reference: CVE-2012-1007

CVE-2012-1006    Apache    CVSS 2.0 Score = 4.3

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders.

Risk: Medium

References:

MISC: http://secpod.org/blog/?p=450

MISC: http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt

CVE Reference: CVE-2012-1006

CVE-2012-0290    Symantec    CVSS 2.0 Score = 10.0

Symantec pcAnywhere through 12.5.3, Altiris IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), Altiris Client Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), and Altiris Deployment Solution Remote pcAnywhere Solution 7.1 (aka 12.5.x and 12.6.x) do not properly handle the client state after abnormal termination of a remote session, which allows remote attackers to obtain access to the client by leveraging an "open client session."

Risk: High

References:

CONFIRM: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00

BID: http://www.securityfocus.com/bid/51862

CVE Reference: CVE-2012-0290

CVE-2012-0194    IBM    CVSS 2.0 Score = 7.1

The TCP implementation in IBM AIX 5.3, 6.1, and 7.1, when the Large Send Offload option is enabled, allows remote attackers to cause a denial of service (assertion failure and panic) via an unspecified series of packets.

Risk: High

References:

CONFIRM: http://aix.software.ibm.com/aix/efixes/security/large_send_advisory.asc

XF: http://xforce.iss.net/xforce/xfdb/72562

BID: http://www.securityfocus.com/bid/51864

AIXAPAR: http://www.ibm.com/support/docview.wss?uid=isg1IV14211

AIXAPAR: http://www.ibm.com/support/docview.wss?uid=isg1IV14210

AIXAPAR: http://www.ibm.com/support/docview.wss?uid=isg1IV14209

AIXAPAR: http://www.ibm.com/support/docview.wss?uid=isg1IV13827

AIXAPAR: http://www.ibm.com/support/docview.wss?uid=isg1IV13820

AIXAPAR: http://www.ibm.com/support/docview.wss?uid=isg1IV13751

SECTRACK: http://securitytracker.com/id?1026640

SECUNIA: http://secunia.com/advisories/47865

CVE Reference: CVE-2012-0194

CVE-2012-0830    PHP    CVSS 2.0 Score = 7.5

The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.

Risk: High

References:

MISC: https://gist.github.com/1725489

XF: http://xforce.iss.net/xforce/xfdb/72911

BID: http://www.securityfocus.com/bid/51830

CONFIRM: http://www.php.net/ChangeLog-5.php#5.3.10

OSVDB: http://www.osvdb.org/78819

MISC: http://www.h-online.com/security/news/item/Critical-PHP-vulnerability-being-fixed-1427316.html

MISC: http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/

CONFIRM: http://svn.php.net/viewvc?view=revision&revision=323007

SECTRACK: http://securitytracker.com/id?1026631

SECUNIA: http://secunia.com/advisories/47806

MLIST: http://openwall.com/lists/oss-security/2012/02/03/1

MLIST: http://openwall.com/lists/oss-security/2012/02/02/12

CVE Reference: CVE-2012-0830

CVE-2011-5078    Sybase    CVSS 2.0 Score = 6.5

The web administration interface in the server in Sybase M-Business Anywhere 6.7 before ESD# 3 and 7.0 before ESD# 7 does not require admin authentication for unspecified scripts, which allows remote authenticated users to list or delete user accounts, modify passwords, or read log files via HTTP requests, aka Bug IDs 678497 and 678499.

Risk: Medium

References:

IDEFENSE: http://www.verisigninc.com/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=952

CONFIRM: http://www.sybase.com/detail?id=1095200

CVE Reference: CVE-2011-5078

CVE-2012-0927    RealNetworks    CVSS 2.0 Score = 9.3

Unspecified vulnerability in RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and RealPlayer SP 1.0 through 1.1.5, allows remote attackers to execute arbitrary code via vectors involving the coded_frame_size value in a RealAudio audio stream.

Risk: High

References:

CONFIRM: http://service.real.com/realplayer/security/02062012_player/en/

CVE Reference: CVE-2012-0927

CVE-2012-0928    RealNetworks    CVSS 2.0 Score = 9.3

The ATRAC codec in RealNetworks RealPlayer 11.x and 14.x through 14.0.7, RealPlayer SP 1.0 through 1.1.5, and Mac RealPlayer 12.x before 12.0.0.1703 does not properly decode samples, which allows remote attackers to execute arbitrary code via a crafted ATRAC audio file.

Risk: High

References:

CONFIRM: http://service.real.com/realplayer/security/02062012_player/en/

CVE Reference: CVE-2012-0928


Vulnerability Resource
Check out this compendium of links and up-to-the-minute information about network security issues. Their claim to be the 'security portal for information system security professionals' is well founded. http://www.infosyssec.org/infosyssec/

Thank You
Thanks for sifting through another great edition of the ScoutNews. We hope we captured a flavor for the week and gave you just enough information on newly found vulnerabilities to keep you up-to-date. To subscribe or unsubscribe, contact us at ScoutNews@netVigilance.com

About SecureScout
SecureScout is a leading vulnerability scanner and management tool developed and marketed worldwide by NexantiS Corporation.
SecureScout is a trademark of NexantiS Corporation.
netVigilance, Inc. is a partner of NexantiS and an authorized distributor of SecureScout.

For any inquiry about SecureScout:
Customers in America and Northern Europe contact us at info@netVigilance.com
Customers in France, Italy, Spain, Portugal, Greece, Turkey, Eastern Europe, Middle East, Africa and Asia/Pacific, contact NexantiS at info-scanner@securescout.net