A take on the security news, week 11 2015

Sun 15 March 2015

A take on the security news, week 11 / 2015. I summarize some of the information security news that I considered noteworthy this week.
Cryptowall leverages .chm files, uTorrent installs unwanted software, Apple security updates, Microsoft Patch Tuesday, GnuPG hires a second developer, and a remotely exploitable vulnerability in the Android Dropbox SDK.

Monday

Cryptowall is infecting through .chm file attachments

A new variant of Cryptowall (an advanced version of Cryptolocker) is now infecting systems through a malicious .chm file. CHM is a file format that contains compressed HTML, including JavaScript. If the user opens the .chm file, the content is executed and downloads a malicious .exe file from the attacker's domain.

The problem is that .chm files are often overlooked when mail servers scan attachments, leaving the endpoint's AV as the one and only protection mechanism.

http://www.net-security.org/malware_news.php?id=2981&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29

Skype worm reloaded

A new Skype worm called W32/Skyper.A.Worm is now spreading through the popular Voice / Messenger client. If you get a popup in your Skype that wants you to go look at some funny video or picture of yourself, don't click the link!

This is one of the oldest tricks in the book, but it seems that it still works.

http://www.pandasecurity.com/mediacenter/malware/skype-worm-reloaded/

uTorrent installs litecoin miner

It seems that the latest version of uTorrent is bundled with unwanted software. In this case it is the Epicscale litecoin miner, which uses spare CPU to mine for litecoins in the background. The problem with this bundle is that it has been installed without notifying the user, and the uninstaller does not remove the software.

http://forum.utorrent.com/topic/95041-warning-epicscale-riskware-installed-with-latest-utorrent/

Tuesday

Apple security updates

Apple released security updates to iOS, Apple TV, Xcode and 10.8/10.9/10.10. One of the most important is probably the patch for the Freak SSL vulnerability, which means that some of the previously used ciphers are disabled. The iCloud keychain is also patched for a vulnerability that allowed remote code execution due to a buffer overflow.

https://support.apple.com/en-us/HT1222

Google exploits the DRAM rowhammer bug to gain kernel privileges

http://googleprojectzero.blogspot.no/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

Seagate with advice on how to secure your NAS

Seagate confirms a NAS code execution flaw in their Seagate Business Storage NAS. It will probably take some weeks before a patch is ready, so while waiting you should take countermeasures to protect your storage device.

http://knowledge.seagate.com/articles/en_US/FAQ/006133en?language=en_US

Wednesday

Microsoft Patch Tuesday

This month there is a total of 14 bulletins, patching 46 vulnerabilities. I will list the bulletins that are rated as critical.

  • MS15-18 is the Internet Explorer patch, which fixes several vulnerabilities, one of them already publicly disclosed (but no exploits seen yet).
  • MS15-19 is remote code execution in VBScript.
  • MS15-20 is remote code execution via insecure DLL files, which is an old vulnerability used by the Stuxnet worm.
  • MS15-21 is remote code execution via Adobe Font Drivers.
  • MS15-22 is remote code execution in Office.

There is also a patch for the Freak vulnerability in SChannel (MS15-31), which means that you will get some old ciphers disabled.

https://isc.sans.edu/forums/diary/Microsoft+March+Patch+Tuesday/19445/

Threatglass offers pcap files with exploit kit activity

If you need examples of exploit kit activity, you can try searching the Threatglass website.

Threatglass by Barracuda (NYSE: CUDA) is an online tool for sharing, browsing and analyzing web-based malware. Threatglass allows users to graphically browse website infections by viewing screenshots of the stages of infection, as well as by analyzing network characteristics such as host relationships and packet captures.

http://threatglass.com

Thursday

GnuPG project is hiring a second developer

Thanks to a fundraising project, the GnuPG project now has enough money to run the development of the project for the next 2-3 years. The initial goal was reached but donations are still flowing in, so a second developer is now hired to work on the project.

https://www.gnupg.org/blog/20150310-gnupg-in-february.html

Remotely exploitable vulnerability in the Android Dropbox SDK

Researchers at IBM's application security team discovered a vulnerability that allows an attacker to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim’s knowledge or authorization.

The vulnerability can be exploited in two ways, using a malicious app installed on the user’s device or remotely using drive-by techniques. It cannot, however, be exploited if the Dropbox app is installed on the device.

http://securityintelligence.com/droppedin-remotely-exploitable-vulnerability-in-the-dropbox-sdk-for-android#.VQX88jiFfLL

Friday

Adobe Flash Player update

Update your Flash Player as soon as possible. This one is rated as 1 for Mac and Windows, which means there are targeted attacks already.

https://helpx.adobe.com/security/products/flash-player/apsb15-05.html

Mozilla introduces a memory scanning utility for server security

A tool developed internally at Mozilla to help protect their servers. The tool scans the server's memory for vulnerable libraries and malicious code. An example scenario that the tool will help detect is where servers are patched, but the old vulnerable libraries are still present in memory due to lack of reload / reboot.

This tool is part of a bigger project called Mozilla Investigator, a security suite aimed at servers and big server farms.

https://blog.mozilla.org/security/2015/03/12/introducing-masche-memory-scanning-for-server-security/
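The "patched but not reloaded" scenario can also be spotted without scanning memory contents, as this added example shows (it is not Mozilla's tool or its method): on Linux, `/proc/<pid>/maps` marks a mapping with ` (deleted)` when the file behind it was replaced on disk, which is what a package upgrade does to a library a running process still has loaded. The sample maps text and function names are constructed.

```python
import re

# /proc/<pid>/maps line: address perms offset dev inode pathname
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s+(?P<path>/.*)$"
)
DELETED = " (deleted)"


def stale_libraries(maps_text: str):
    """Return sorted paths of executable file mappings whose backing file is gone."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous mapping, [stack], [heap], ...
        path = m.group("path")
        # Only executable mappings: deleted shared-memory segments are normal.
        if "x" in m.group("perms") and path.endswith(DELETED):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)


def stale_libraries_for_pid(pid: int):
    """Same check against a live process (Linux only, needs read access)."""
    with open(f"/proc/{pid}/maps") as fh:
        return stale_libraries(fh.read())


# Constructed sample: a process started before libssl was upgraded on disk.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a2b000 r-xp 00000000 fd:01 393232 /usr/sbin/nginx
7f1c2a000000-7f1c2a1f4000 r-xp 00000000 fd:01 131089 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1c2a1f4000-7f1c2a3f3000 ---p 001f4000 fd:01 131089 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1c2a400000-7f1c2a5c0000 r-xp 00000000 fd:01 131075 /lib/x86_64-linux-gnu/libc-2.19.so
7f1c2a600000-7f1c2a601000 rw-s 00000000 00:05 98304 /SYSV00000000 (deleted)
7ffd1b2e0000-7ffd1b301000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for lib in stale_libraries(SAMPLE_MAPS):
        print("restart needed, still mapped:", lib)
```
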