USN-3131-1: ImageMagick vulnerabilities

Ubuntu Security Notice USN-3131-1

21st November, 2016

imagemagick vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in ImageMagick.

Software description

  • imagemagick
    – Image manipulation programs and library

Details

It was discovered that ImageMagick incorrectly handled certain malformed
image files. If a user or automated system using ImageMagick were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  libmagick++-6.q16-5v5          8:6.8.9.9-7ubuntu8.1
  imagemagick                    8:6.8.9.9-7ubuntu8.1
  libmagickcore-6.q16-2-extra    8:6.8.9.9-7ubuntu8.1
  imagemagick-6.q16              8:6.8.9.9-7ubuntu8.1
  libmagickcore-6.q16-2          8:6.8.9.9-7ubuntu8.1

Ubuntu 16.04 LTS:
  libmagick++-6.q16-5v5          8:6.8.9.9-7ubuntu5.2
  imagemagick                    8:6.8.9.9-7ubuntu5.2
  libmagickcore-6.q16-2-extra    8:6.8.9.9-7ubuntu5.2
  imagemagick-6.q16              8:6.8.9.9-7ubuntu5.2
  libmagickcore-6.q16-2          8:6.8.9.9-7ubuntu5.2

Ubuntu 14.04 LTS:
  libmagick++5                   8:6.7.7.10-6ubuntu3.2
  libmagickcore5-extra           8:6.7.7.10-6ubuntu3.2
  libmagickcore5                 8:6.7.7.10-6ubuntu3.2
  imagemagick                    8:6.7.7.10-6ubuntu3.2

Ubuntu 12.04 LTS:
  libmagick++4                   8:6.6.9.7-5ubuntu3.5
  libmagickcore4                 8:6.6.9.7-5ubuntu3.5
  imagemagick                    8:6.6.9.7-5ubuntu3.5
  libmagickcore4-extra           8:6.6.9.7-5ubuntu3.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-8354, CVE-2014-8355, CVE-2014-8562, CVE-2014-8716,
CVE-2014-9805, CVE-2014-9806, CVE-2014-9807, CVE-2014-9808,
CVE-2014-9809, CVE-2014-9810, CVE-2014-9811, CVE-2014-9812,
CVE-2014-9813, CVE-2014-9814, CVE-2014-9815, CVE-2014-9816,
CVE-2014-9817, CVE-2014-9818, CVE-2014-9819, CVE-2014-9820,
CVE-2014-9821, CVE-2014-9822, CVE-2014-9823, CVE-2014-9826,
CVE-2014-9828, CVE-2014-9829, CVE-2014-9830, CVE-2014-9831,
CVE-2014-9833, CVE-2014-9834, CVE-2014-9835, CVE-2014-9836,
CVE-2014-9837, CVE-2014-9838, CVE-2014-9839, CVE-2014-9840,
CVE-2014-9841, CVE-2014-9843, CVE-2014-9844, CVE-2014-9845,
CVE-2014-9846, CVE-2014-9847, CVE-2014-9848, CVE-2014-9849,
CVE-2014-9850, CVE-2014-9851, CVE-2014-9853, CVE-2014-9854,
CVE-2014-9907, CVE-2015-8894, CVE-2015-8895, CVE-2015-8896,
CVE-2015-8897, CVE-2015-8898, CVE-2015-8900, CVE-2015-8901,
CVE-2015-8902, CVE-2015-8903, CVE-2015-8957, CVE-2015-8958,
CVE-2015-8959, CVE-2016-4562, CVE-2016-4563, CVE-2016-4564,
CVE-2016-5010, CVE-2016-5687, CVE-2016-5688, CVE-2016-5689,
CVE-2016-5690, CVE-2016-5691, CVE-2016-5841, CVE-2016-5842,
CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7513,
CVE-2016-7514, CVE-2016-7515, CVE-2016-7516, CVE-2016-7517,
CVE-2016-7518, CVE-2016-7519, CVE-2016-7520, CVE-2016-7521,
CVE-2016-7522, CVE-2016-7523, CVE-2016-7524, CVE-2016-7525,
CVE-2016-7526, CVE-2016-7527, CVE-2016-7528, CVE-2016-7529,
CVE-2016-7530, CVE-2016-7531, CVE-2016-7532, CVE-2016-7533,
CVE-2016-7534, CVE-2016-7535, CVE-2016-7536, CVE-2016-7537,
CVE-2016-7538, CVE-2016-7539, CVE-2016-7540

USN-3132-1: tar vulnerability

Ubuntu Security Notice USN-3132-1

21st November, 2016

tar vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

tar could be made to overwrite files.

Software description

  • tar
    – GNU version of the tar archiving utility

Details

Harry Sintonen discovered that tar incorrectly handled extracting files
when path names are specified on the command line. If a user or automated
system were tricked into processing a specially crafted archive, an
attacker could possibly overwrite arbitrary files.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  tar    1.29b-1ubuntu0.1

Ubuntu 16.04 LTS:
  tar    1.28-2.1ubuntu0.1

Ubuntu 14.04 LTS:
  tar    1.27.1-1ubuntu0.1

Ubuntu 12.04 LTS:
  tar    1.26-4ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-6321

The Malware Plateau – Less New Malware

Back in 2008 McAfee researcher Toralv Dirro posted a blog on new malware growth slowing – admittedly from an exponential rate to straightforward linear growth – around 20,000 new malware samples each day. He then went on to say that “Now with constant, although still massive, growth there is some light at the end of the tunnel for the security industry”.

Unfortunately this 2008 malware plateau was a temporary respite – by 2010 new malware creation had tripled to 63,000 and in 2015 the quantity received by PandaLabs topped out at 230,000 new samples every day.

Over the last 12 months PandaLabs have seen a levelling-out of new malware at around 200,000 samples per day. This trend is verified by statistics from malware lab AV-Test, and it would appear for the first time in forever the amount of new malware samples released this year will be lower than the previous year.

[Figure: AV-Test chart of new malware registered per year.] For 2016 the red section shows current new malware registered by AV-Test up to 16th Nov and the blue section projects this malware to year end – less than last year.

So we’re all safer now, right?

Wrong. There are still 200,000 new malware samples every day and cyber-attacks are showing they are more dangerous than ever – with cybercrime making up more than 50% of crimes committed in some countries.

This new malware creation plateau can be attributed to:

  • Less traditional malware – Viruses and worms are being dropped in favour of Trojans, especially ransomware.
  • Highly targeted malware attacks – Upwards of 90% of malware is unique to a specific endpoint, rendering signature and heuristic detection useless and making the samples less likely to reach malware labs.
  • Self-destruct malware – We are seeing examples of ransomware and APTs that delete themselves once successful in their mission; if antivirus vendors can’t identify the malware, it can be used again.

Also attackers are using alternative techniques to gain access:

  • Social engineering – The amount of data freely available online about businesses and end users means compromising their systems can be done without malware.
  • File-less attacks – There has been an increase in threats that, instead of using malware files, abuse legitimate system tools (such as PowerShell) in conjunction with registry entries, allowing attackers to exfiltrate data from a business – with no exploits used, no malicious URLs and no malware ever touching the system.
  • The rise of the Internet of Things – Routers, IP cameras and even thermostats and baby monitors, with poor security design and often default settings, are giving easy access to work and home networks. Once in, the crooks have easy access to your data or can use your devices to conduct Distributed Denial of Service (DDoS) attacks on others.

To combat the evolving threat landscape Gartner recommend that businesses improve their existing security with Endpoint Detection and Response solutions, such as Panda Adaptive Defense.

Written by Neil Martin, Marketing Manager at Panda UK.

The post The Malware Plateau – Less New Malware appeared first on Panda Security Mediacenter.

[ERPSCAN-16-034] SAP NetWeaver AS JAVA – XXE vulnerability in BC-BMT-BPM-DSK component

Posted by ERPScan inc on Nov 22

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.4

Vendor URL: http://SAP.com

Bug: XXE

Sent: 09.03.2016

Reported: 10.03.2016

Vendor response: 10.03.2016

Date of Public Advisory: 09.08.2016

Reference: SAP Security Note 2296909

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: [ERPSCAN-16-034] SAP NetWeaver AS JAVA – XXE vulnerability in
BC-BMT-BPM-DSK component

Advisory…

[CVE-2016-7434] ntpd remote pre-auth DoS

Posted by Magnus Stubman on Nov 22

CVE-2016-7434 ntpd remote pre-auth Denial of Service

Affected: ntp-4.2.7p22, up to but not including ntp-4.2.8p9,
and ntp-4.3.0 up to, but not including ntp-4.3.94
Credit: Magnus Klaaborg Stubman (@magnusstubman)
Bug report: http://bugs.ntp.org/show_bug.cgi?id=3082

The vulnerability allows unauthenticated users to crash ntpd with
a single…

PHDays VII Call for Papers: How to Stand Up at the Standoff

Posted by Alexander Lashkov on Nov 22

November 15 marks the start of the call for papers for Positive Hack Days VII, an international digital security forum
that will be held at the World Trade Center in Moscow, Russia, on May 23-24, 2017. Potential presenters must apply by
sending an application form (https://cfp.phdays.com/en/phd7/cfp/open_soon) before January 30, 2017. Both established
experts and up-and-coming specialists are encouraged to apply.

At the event, we plan to…

MSIE8 MSHTML Ptls5::LsFindSpanVisualBoundaries memory corruption

Posted by Berend-Jan Wever on Nov 22

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I’ve not released before. This is the
fifteenth entry in that series. Unfortunately I won’t be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161121001.html.

Follow me…

[x33fcon] Call for Papers (and Trainers)

Posted by x33fcon.office on Nov 22

Howdy all!

We have just opened the call for papers and trainers for a new security event, called
x33fcon (pronounced /ˈziːf-kɒn/) taking place in Poland between April 24-28,
2017.

Yet another security con? Nope.

The idea behind x33fcon is to focus on a very specific need of the security
industry: collaboration between blue and red teams (sometimes referred to as
purple teaming). We know from our professional experience how hard it can be to…