Vulnerabilities

Vulnerabilities in software products

Older versions of Internet Explorer and Windows 8 OS receive their last patch update. Microsoft has delivered its last Patch Tuesday for users of the Windows 8 operating system, and older versions of Internet Explorer (8, 9 and 10), issuing nine bulletins – six of which are rated as critical. “The first Patch Tuesday of 2016 turns out to be low in numbers, but broad and packing quite a punch: six of the nine bulletins are rated critical, including the Windows Kernel and Office bulletins,” blogged Qualys CTO Wolfgang Kandek.

Read more

A zero-day vulnerability affecting all Microsoft supported versions of Windows Operating system, including Windows Server has been identified. Also we are seen reports from iSight identifying a cyber espionage campaign already in progress to compromise exposed system

The vulnerability Exploitation is identified by CVE-2014-4114, and also known as Sandworm. It was been reportedly discovered in the wild in connection with a cyber espionage campaign that iSIGHT Partners has attributed to Russia. The zero-day vulnerability is reported as been used in early September  to infect victims with malicious attachments, primarily PowerPoint files. Although the attackers used PowerPoint as its attack vector.

 

The vulnerability exists in the OLE package manager in Microsoft Windows and Server. The OLE packager (packager .dll) is able to download and execute external files like INF, allowing the attacker to execute commands.

 

Risk Level

The Risk level appears high, because if one group could design a worm to exploit the hole, then someone will try to recode the worm and make it wide spread.

Impact – we are only at the early stage of trying to understand what we are looking at. But the if the vulnerability allows the possibility to download and execute a file that the potential impact is extremely High

 

http://www.tripwire.com/state-of-security/incident-detection/microsoft-windows-zero-day-exploit-sandworm-used-in-cyber-espionage-cve-2014-4114/

 

iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign – See more at: http://www.isightpartners.com/2014/10/cve-2014-4114/#sthash.mDSsxZ8j.dpuf

http://www.isightpartners.com/2014/10/cve-2014-4114/

.

 

http://www.theregister.co.uk/2014/10/14/isight_microsoft_announce_windows_and_windows_server_0day/


.

.
Russian Hackers Target EU, NATO

Shellshock bash Code Injection Vulnerability, what do you need to do? what is the Risk?

 

Report from SAMS ISC

 

Bash Code Injection (Shellshock) Vulnerability (CVE 2014-6271)

 

 

Cento OS Bash vulnerability that had been announced in 2014/09/24 How to FIX

 

 

How to fix bash code injection flaw on CentOS/RedHat 6x Server

 

 

HackerKast Shellshock- September 25, 2014 – WhiteHat Security

 

iPhone Skype XSS Vulnerability Lets Hackers Steal Phonebook

iPhone Skype app XSS Vulnerability. Is claimed to allow Hackers to Steal the contnet of your Phonebook. This bug in the latest version of Skype for iPhone and iPod touch makes users vulnerable to having their address book stolen just by viewing a specially crafted message, says AppSec Consulting security researcher Phil Purviance.

 

WordPress WP-DBManager Plugin Vulnerabilities

level: critical

Impact: Cross Site Scripting

Risk: Exposure of system information and Exposure of sensitive information, 

Solution: Vendor Patch

Software: WordPress WP-DBManager Plugin 2.x

Description: Two vulnerabilities have been identified in the WP-DBManager plugin for WordPress (Blog Software), which can be exploited to conduct cross-site attacks, resulting in the disclose sensitive information.

Solution: Update to version 2.62.