Another day, another zero-day – Internet Explorer's turn (CVE-2015-0072)
Posted by Jose Barajas on 05 February 2015 07:30 AM

Websense® Security Labs™ researchers are aware of a zero-day vulnerability affecting Internet Explorer that could allow a remote, unauthenticated attacker to bypass the Same-Origin Policy (SOP) to hijack the user’s session. The vulnerability is being called Universal Cross Site Scripting (XSS), as it allows the attacker to hijack the session using any third-party website, as long as the victim uses the Internet Explorer browser. 


The Same-Origin Policy (SOP) is a critical security measure used in web applications to ensure the confidentiality and integrity of information. Scripts running on different websites are not permitted to interact with each other, and cookies use SOP to ensure that the information for a given user's activity pertains to only one site. This mechanism allows for secure communication across multiple web properties and allows user sessions to be maintained without the need for re-authentication.




The attacker could exploit the vulnerability by enticing the victim to visit a specially crafted website. Successful execution via JavaScript of the proof-of-concept exploit code released on Jan 31, 2015 has been observed on Internet Explorer 11 running on both Windows 7 and Windows 8.1.

Microsoft has not yet released a patch for the vulnerability, which has been assigned the identifier CVE-2015-0072.




Successful exploitation could allow an attacker to hijack the user’s session or gain access to sensitive information. The vulnerability could also be used in phishing attacks. Once the attacker has access to the user's cookies, all data normally restricted for use by the user would be available to the attacker and the attacker could impersonate the victim. The vulnerability can be easily exploited and is rated critical.




Websense customers are protected against attacks targeting the vulnerability (CVE-2015-0072) with ACE, our Advanced Classification Engine, which is used to prevent the malicious scripts from being downloaded to the victim’s machine.  


Websense researchers are not aware of active exploitation of this vulnerability at the time of publication of the blog, although, as mentioned earlier, proof of concept code is publicly available.


Customers are encouraged to apply the patch from Microsoft as soon as it becomes available.  You could also decide to use an alternative browser in place of the vulnerable versions of Internet Explorer.


Websense Security Labs will continue to monitor the situation and provide updates as needed.



Websense® Security Labs™ are aware that a vulnerability has been identified in the GNU C Library that can lead to remote code execution under certain circumstances.  The GNU C Library (glibc) is a core component of GNU systems and those with the Linux kernel; thus it has potential for a very significant attack surface area.


The vulnerability has been assigned CVE-2015-0235 and is being referred to as "GHOST".



  • The issue exists within the __nss_hostname_digits_dots() function, which is used by the gethostbyname() or gethostbyname2() functions.
  • Exploitation of the vulnerability can lead to remote code execution (RCE).  This provides an attacker the capability to run code of their choosing on the affected machine.
  • glibc versions prior to 2.18 are affected.  You should be aware that later versions of glibc may not have been included in the latest versions of many distributions.  In fact, many Linux distribution vendors are now making patches available.
  • There are certain conditions which reduce the impact of this bug.  Details are provided below.


How is it exploited?


Although we have not seen web-based or email-based attacks, Qualys, the team who discovered the bug, do have evidence to show how an MTA (mail transfer agent) can be exploited by sending a specially crafted packet to trigger a buffer overflow and subsequent arbitrary code execution.


How do you know if your instance is vulnerable?


It is known that the following distributions are amongst those affected: Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04.


Code that tests for the vulnerability has been made available on the GitHub forum.  Of course, we extend a word of caution to use such code at your own risk.  You can also check which version of glibc you are running by executing the command ldd --version at your command prompt.
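As an added example (not part of the original post, and not the GitHub test code it mentions), the following shell script parses the first line of ldd --version output and flags glibc releases older than 2.18, the threshold given above. The function names and the sample line are constructed for illustration; a pre-2.18 result only means the vendor's patch status still has to be checked, since the version number alone does not show whether a patched package is installed.

```shell
#!/bin/sh
# Added example: classify a host's glibc against the 2.18 threshold this
# post gives for GHOST (CVE-2015-0235). All names here are hypothetical.

# Print the trailing "major.minor" from the first line of `ldd --version`
# output, e.g. "ldd (GNU libc) 2.17" -> "2.17". Prints nothing when the
# line does not look like glibc's banner (musl, missing ldd, ...).
glibc_version_from_ldd() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Return 0 when version "$1" (major.minor) is older than 2.18.
# Fields are compared as integers, so 2.5 sorts below 2.18.
is_pre_2_18() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 18 ]; }
}

# Print "unknown", "pre-2.18 <ver>" or "2.18-or-later <ver>".
# "pre-2.18" means: confirm with the distribution vendor that a patched
# glibc package is installed.
classify_ghost() {
    ver=$(glibc_version_from_ldd "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif is_pre_2_18 "$ver"; then
        echo "pre-2.18 $ver"
    else
        echo "2.18-or-later $ver"
    fi
}

# Constructed sample banner, so the script shows a result on any machine.
SAMPLE_LDD='ldd (GNU libc) 2.17'
echo "sample: $(classify_ghost "$SAMPLE_LDD")"

# Classify this host when ldd is available.
if command -v ldd >/dev/null 2>&1; then
    echo "host:   $(classify_ghost "$(ldd --version 2>/dev/null)")"
fi
```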


Mitigation Advice

The difficulty of exploitation depends on the target system implementation.  In a post to the OpenWall security forum, Qualys note three mitigating factors: the vulnerable functions are no longer always called, having been replaced by the getaddrinfo() function in IPv6 implementations; pre-validation of the argument sent to the function removes the potential for exploitation; and glibc itself was patched in 2013.


However, when these conditions do not apply the risk is deemed critical.


Fortunately, various product vendors are rolling out updates to patch their affected distributions.  We strongly recommend that you check with your Linux distribution vendor to see if they have a patch available.  If so, you should review how to apply this patch to your environment as soon as possible in order to mitigate potential risk, not least because the bug is deemed critical.


Websense Security Labs will continue to investigate the implications of this vulnerability.
