How to Describe Vulnerability Information?
JPCERT/CC receives software vulnerability information from domestic and overseas reporters, then coordinates between the vendor/developer and the reporter. While there is a vulnerability reporting template, the vulnerability itself is described in a free format. Reporters can describe a vulnerability in any way they like. From a vulnerability coordinator’s perspective, the following are a few obstacles that we are facing:
1. It is necessary to “understand” the technical aspects
2. When the vulnerability description is written in your non-native language, it can be extremely difficult to comprehend
(Via JPCERT/CC Blog)
Read on for more. I support these activities, especially the efforts to deal with multi-lingual reporting.
From Security Affairs:
Google expert discovered a new stack-based overflow vulnerability in AMD CPUs that could be exploited via crafted EK certificates.
Chip manufacturers are in the tempest: while the media continue sharing news about the Meltdown and Spectre attacks, security researcher Cfir Cohen of Google’s cloud security team disclosed a stack-based overflow vulnerability in the fTPM of AMD’s Platform Security Processor (PSP).
The vulnerability affects 64-bit x86 processors; the AMD PSP provides administrative functions similar to the Intel Management Engine.
We’re going to see a lot more investigation into hardware vulnerabilities. It won’t be pretty, I expect.
What researchers discover will not be easy or inexpensive to fix. My hope is that hardware manufacturers realize it is less expensive and better for their reputation to improve their processes in relation to secure-by-design.
If you’re looking for a solid, vetted source for information on the CPU vulnerabilities announced by Google, IBM X-Force Exchange is a great resource.
FireEye researchers have discovered a rapidly-growing class of mobile threats represented by a popular ad library affecting apps with over 200 million downloads in total. This ad library, anonymized as “Vulna,” is aggressive at collecting sensitive data and is able to perform dangerous operations such as downloading and running new components on demand. Vulna is also plagued with various classes of vulnerabilities that enable attackers to turn Vulna’s aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. Most vulnaggressive libraries are proprietary and it is hard for app developers to know their underlying security issues. Legitimate apps using vulnaggressive libraries present serious threats for enterprise customers. FireEye has informed both Google and the vendor of Vulna about the security issues and they are actively addressing them.
Recently FireEye discovered a new mobile threat from a popular ad library that no other antivirus or security vendor has reported publicly before. Mobile ad libraries are third-party software included by host apps in order to display ads. Because this library’s functionality and vulnerabilities can be used to conduct large-scale attacks on millions of users, we refer to it anonymously by the code name “Vulna” rather than revealing its identity in this blog.
via Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions | FireEye Blog.
I’m just starting to read up on this. Does anyone know of reliable secondary sources?
FireEye has discovered a campaign leveraging the recently announced zero-day CVE-2013-3893. This campaign, which we have labeled ‘Operation DeputyDog’, began as early as August 19, 2013 and appears to have targeted organizations in Japan. FireEye Labs has been continuously monitoring the activities of the threat actor responsible for this campaign. Analysis based on our Dynamic Threat Intelligence cluster shows that this current campaign leveraged command and control infrastructure that is related to the infrastructure used in the attack on Bit9.
via Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets | FireEye Blog.
FireEye did a part II as well:
Operation DeputyDog Part 2: Zero-Day Exploit Analysis (CVE-2013-3893)
In our previous blog post my colleagues Ned and Nart provided a detailed analysis on the Advanced Persistent Threat (APT) Campaign Operation DeputyDog. The campaign leveraged a zero-day vulnerability of Microsoft Internet Explorer (CVE-2013-3893). Microsoft provided an advisory and ‘Fix it’ blog post.
I am happy to announce that Xiaobo Chen, a well-known security researcher, has recently joined FireEye Labs. We worked together on the analysis of this zero-day vulnerability. In this blog, we will provide a deep dive on the exploitation part of the campaign.
Despite the targeted nature of these attacks, the exploit identifies numerous language packs (en, zh, fr, de, ja, pt, ko, ru) and software versions, which it uses to specify the correct ROP chain. Commented-out code suggests that the exploit initially targeted IE8 XP users, and IE8 and IE9 Windows 7 users who also had MS Office 2007 installed. In our tests, we observed that the exploit ran successfully on systems running both MS Office 2007 and 2010.
Recently, we have observed a new backdoor family which we’ve called BLYPT. This family is called BLYPT because of its use of binary large objects (blob) stored in the registry, as well as encryption. Currently, this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey.
Currently, this threat is primarily hitting users in the United States; however, it seems that consumers (as opposed to businesses) are the most affected.
via BLYPT: A New Backdoor Family Installed via Java Exploit | Security Intelligence Blog | Trend Micro.
What can RDP intruders do? If you have administrative privileges assigned to the user they log in as, they can take your computer for an unfettered spin around the block, ranging from turning it off, rebooting it, installing software (including malware), or just having a look around to find documents or files with your critical personal information in them like banking, accounting, or other information and then spirit them off across the network to their own computers for nefarious purposes.
via Remote Desktop (RDP) Hacking 101: I can see your desktop from here! – We Live Security.