Leaderboard

Popular Content

Showing content with the highest reputation on 05/15/13 in all areas

  1. Not to be outdone by Microsoft's and Adobe's Patch Tuesday releases, Mozilla pushed out its latest browser and email client updates today. The Firefox browser goes to 21.0, on Android as well as on desktops. (You don't install browsers on your servers, do you?) The Thunderbird email client is only available in an Extended Support Release these days, meaning it gets regular security patches but infrequent product enhancements; it hits 17.0.6.

     Microsoft's May 2013 Internet Explorer updates included two patches for which the world was waiting with bated breath - one to fix a vulnerability exposed at the 2013 PWN2OWN competition, and a second to close a much-publicised zero-day briefly found on a US government website at the end of April. Mozilla, on the other hand, fixed its own PWN2OWN-found flaws within 24 hours, so its last two updates, 20.0 and 21.0, have been largely proactive on the security front.

     This time round, there are 681 listed bug fixes, with eight separately-documented security advisories. Three of those close multiple holes that Mozilla admits "are potentially exploitable, allowing for remote code execution."

     "Memory corruption problems, where software incorrectly writes over its own or another program's code or data structures, are not always exploitable for malicious purposes. But they are always wrong, and often dangerous, especially in browsers and email clients, which spend most of their time processing content from untrusted external sources."

     Mozilla, very creditably, tends not to mince its words when dealing with bugs of this sort. For example, in Mozilla Foundation Security Advisory 2013-41, no exploits were immediately obvious for any of the bugs fixed, leading the team to report nothing worse than "we presume that with enough effort at least some of these could be exploited to run arbitrary code." Nevertheless, this advisory was rated Critical.

     Many users will have Firefox set to grab and deploy updates automatically; if you're one of those who don't, it's Make Your Mind Up Time! If it helps you to decide, I just published this story in Firefox 21.0 on OS X, immediately after updating. That's a very minor and entirely unrepresentative "test", but I'm pleased to say my plugins (including the Firebug debugger) have all behaved themselves, and I haven't had any problems.

     Source: Mozilla pushes out new Firefox and Thunderbird: 8 security advisories, 3 critical fixes | Naked Security
    1 point
  2. In a recent spearphish campaign, a malicious Word document was used to infect the email recipient. I was able to find an interesting tool and used it to recreate the Word document. Before we get to that, let’s do a quick analysis on the document…

     Here we see the Word document with an embedded object:

     Viewing the file with Notepad, we can see that this is an RTF file and definitely looks suspicious. A little ways down, we can see a NOP sled.

     Let’s use OfficeMalScanner to extract the objects and confirm our suspicions. Looks like we have to use RTFScan instead. RTFScan tells us that there are matching shellcode signatures in the OBJDATA section. Then it dumps a single OLE object and suggests that we run OfficeMalScanner again.

     The OLE object is rather small considering the original “file.doc” file is 791KB. Something is wrong. Here’s what the OLE file looks like:

     Let’s have a look at the original Word file again. This time we notice the magic for Word in hexcode. What if we strip away the original RTF headers and make this file look like a Word document? Maybe then OfficeMalScanner can extract the hidden binaries. With a hex editor, we do just that.

     Since this is hex, we need to convert it to binary and write it out to a file. We can open this file called “file.doc_” which has the Word magic at the beginning. Now we copy the rest of the binary code from the original “file.doc” file and paste it to the bottom.

     Now let’s run OfficeMalScanner on this modified file using its scan and brute options…and hope this actually works. Great, it does! OfficeMalScanner finds the XOR key and is able to extract two embedded files. The first file appears to be a Word document. And opens in Word with a warning. The other file is an executable.

     You can actually do this the long way and carve out the embedded objects from the Word document manually but this would take more time than what’s necessary. Thanks to Frank Boldewin’s tool and a little tweaking, we can get the job done fast!

     The exploit used is CVE-2012-0158 and seems to have very good coverage on VirusTotal (31 / 46). Here is the tool I used to recreate the malicious Word document. Actually I found two. It would be irresponsible to share these files so don’t bother asking. Sorry!

     Filename: Word-2013.1.8.exe
     MD5: ea7084ef5faa8c7721ab163cb6cb58d2

     Filename: MS10-087.exe
     MD5: 2898479123b90278cfc7b30ddd9c4bd6

     Source: Dissecting a Malicious Word Document | Kahu Security
    1 point
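
The triage steps from the post above (decode the hex inside the RTF, look for the Word/OLE magic, then search for an XOR-encoded executable) can be sketched as follows. This is an added example, not code from the original post, Kahu Security or OfficeMalScanner; it assumes a single-byte XOR key, and the sample input is constructed and inert.

```python
import binascii
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file signature of legacy .doc
PE_STUB = b"This program cannot be run in DOS mode"
# A long run of hex digits/whitespace that does not start inside a control word.
HEX_RUN = re.compile(rb"(?<![A-Za-z0-9])[0-9A-Fa-f][0-9A-Fa-f\s]{31,}")

def decode_hex_runs(rtf):
    """Yield (offset_in_rtf, decoded_bytes) for each long hex run."""
    for m in HEX_RUN.finditer(rtf):
        digits = re.sub(rb"\s", b"", m.group(0))
        if len(digits) % 2:            # drop a dangling nibble
            digits = digits[:-1]
        yield m.start(), binascii.unhexlify(digits)

def find_ole(rtf):
    """Return (rtf_offset, blob_offset) pairs where the OLE magic is hidden in hex."""
    return [(off, blob.find(OLE_MAGIC))
            for off, blob in decode_hex_runs(rtf) if OLE_MAGIC in blob]

def brute_xor_pe(data):
    """Try single-byte XOR keys 1..255 (assumption); return (key, offset) or None."""
    for key in range(1, 256):
        pos = data.find(bytes(b ^ key for b in PE_STUB))
        if pos != -1:
            return key, pos
    return None

def _build_sample():
    """Constructed, inert sample: only the markers being searched for, no exploit."""
    hidden = bytes(b ^ 0x5A for b in b"MZ\x90\x00" + PE_STUB)
    blob = b"\x01\x05\x00\x00" + OLE_MAGIC + b"\x00" * 16 + hidden
    hexed = blob.hex().encode()
    lines = b"\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    return rb"{\rtf1{\object\objemb{\*\objdata " + lines + b"}}}"

SAMPLE_RTF = _build_sample()

if __name__ == "__main__":
    for rtf_off, blob_off in find_ole(SAMPLE_RTF):
        print(f"OLE magic in hex run at RTF offset {rtf_off}, blob offset {blob_off}")
    blob = next(decode_hex_runs(SAMPLE_RTF))[1]
    print("XOR-encoded PE stub (key, offset):", brute_xor_pe(blob))
```
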
  3. Microsoft will issue a security update to fix a zero-day vulnerability in Internet Explorer 8, just one week after it released a security advisory on the subject. The patch will be included in the ten bulletins to be issued on 21 May as part of Microsoft's monthly Patch Tuesday security update.

     According to the Advance Notification, five security bulletins will cover vulnerabilities that can allow remote code execution (RCE), said Wolfgang Kandek, CTO of security firm Qualys. Bulletin 2 addresses the most recent IE8 zero-day vulnerability and is rated "critical". "This should be at the top of your priorities if you run IE8, which, according to BrowserCheck statistics, still accounts for 43% of users," Kandek said.

     Bulletin 1 is also for IE and covers versions 6 through 10 on all Windows operating systems, from XP to 8, as well as RT, including patches for the vulnerabilities discovered at the PWN2OWN competition held at CanSecWest in March this year.

     The remaining RCE vulnerabilities are concentrated in Microsoft Office. The most widely installed will probably be bulletin 7, which addresses Word 2003 and Word Viewer. Bulletin 6 covers Microsoft Publisher, included in Office 2003, 2007 and 2010, and bulletin 5 addresses Microsoft's instant messaging components, Communicator 2007 and Lync 2010.

     There are also three other security bulletins (3, 4 and 10) for Windows itself, which fix denial-of-service, spoofing and elevation-of-privilege vulnerabilities, all rated "important".

     For its part, Adobe will release a security update on 21 May that will include a new version of Adobe Reader and fix a new zero-day vulnerability in ColdFusion.

     Source
    1 point
This leaderboard is set to Bucharest/GMT+02:00