A take on the security news, week 03 / 2015

Thu 15 January 2015

A take on the security news, week 03 / 2015. I summarize some of the news that I considered noteworthy related to information security this week.

USB Attack library, Microsoft and Adobe patch tuesday, Search Github for sensitive information, Use powershell to create malicious excel spreadsheets and a critical ASUS router vulnerability.

  • Monday

OSX Spotlight feature loads remote content from Mail

Its discovered that the Spotlight search function in Yosemite can leak data when used to search emails. As a part of previewing the searchresults it loads external content (i.e images) even if you have told Mail.app to not load remote content.

This loading of external content can tell the sender that someone has viewed the mail, their IP-address, current OS version, some browser details and the version of Quicklook (Spotlights previewer).

To mitigate the issue, go to preferences for Spotlight and disable "Mail & Messages" in the search.

http://www.infoworld.com/article/2866940/security/glitch-in-os-x-search-can-expose-private-details-of-apple-mail-users.html

USB Attack library

Paensy is a attack library targeted for development on the Teensy USB board. There is already some example payloads you can play with, and probably more to come in the future.

http://malware.cat/?p=89

Automatically Create Malicious Excel Spreadsheets

A script written in Powershell that help you generate malicious spreadsheet. You can choose between three types of attack which all includes the Meterpreter shell with persistense.

Nice tool if you are a penetrationtester and want to test your defences. The tool is also included in Metasploit framework.

https://github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1

  • Tuesday

Google no longer provides patches for Jellybean and earlier

Google has decided that they will no longer produce patches for Jellybean and eaerlier versions of Android OS. This makes 60% of installed Android OS base "legacy" without security updates from Google.

https://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior

Microsoft patch tuesday

This months we got 8 bulletins with only 1 of them rated critical, MS15-002, which is a vulnerability in the Windows Telnet service that could allow for remote code execution. Telnet has not been installed as default since 2003 so the impact of this might not be that big of a deal. 2 of the 8 bulletins have been publicly disclosed by Google beforehand (MS15-001 and MS15-003).

This is also the last month that Windows 7 gets normal updates. Its now out of general support, but will continue to get security updates for a few more years.

https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+January+2015+Really+Telnet/19179/

Adobe patch tuesday

One bulletin related to Flash Player, also affecting Adobe Air and Browserplugins (Chrome, IE, ++).

http://helpx.adobe.com/security/products/flash-player/apsb15-01.html

  • Wednesday

Skeleton Key Malware Analysis

Dell has discovered malware that let attackers bypass authentication on Active Directory system that implements one-factor (password only) authentication.

The malware is deployed as an in-memory patch on the domain controller, allowing the attacker to authenticate as any user. Known malware samples lacks persistence so they will not survive a reboot.

A domain administrator's credentials must be used for deploying the malware.

http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/

Malware sites offering Oracle 'patches'

Don't install Oracle patches that you find on non-oracle sites.

https://blogs.oracle.com/soaproactive/entry/malware_sites_offering_oracle_patches

  • Thursday

Search Github for sensitive information with Gitrob

A ruby gem that let you search through an organization on Github, looking for sensitive data like private keys, passwords and similar. You point it to an organization you want to pentest and it inspect all the members and their individual repositories.

If your organization is on Github you should consider running this to verify that you dont share anything you shouldnt.

http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/

Critical ASUS router vulnerability

A service called infosrv that listen on UDP 9999 (LAN/WLAN) is found to be vulnerable. The service is running with root priviliges and is subject to unauthenticated command execution.

Currently, all known firmware versions for applicable routers (RT-AC66U, RT-N66U, etc.) are assumed vulnerable.

Asus has released new firmware releases that is not vulnerable to this problem.

Upgrade to the newest firmware release if you can. If you are not able to upgrade, consider shutdown the vulnerable service after each reboot.

https://github.com/jduck/asus-cmd/blob/master/README.md

http://www.asus.com/microsite/2014/networks/routerfirmware_update/

  • Friday

Spam migrates to WhatsApp

Not surprisingly spam on WhatsApp is increasing. The last weeks there has been a wave of constant spam attacks on WhatsApp users in Europe. The current most reported attack on social media has been the fake handbag/luxury goods spam.

Further breakdown of spam on WhatsApp can be found in the source article linked to below.

http://www.adaptivemobile.com/blog/headsup-for-whatsapp

New DANE validation service

Check the existence and validity of DNS Security Extensions (DSSEC) and Transport Layer Security Assosiations (TLSA) records for a given domain.

https://dane.sys4.de

Comments