AusCERT Week in Review for 17th August 2012
Date: 17 August 2012
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=16225
With a lovely warm sunny mid-20s Friday afternoon here in Brisbane winding to a close (apologies to those in the southern states), here are a few items that you may find of interest from the week.
First up is Gauss, which has been described as "... a nation state sponsored banking Trojan which carries a warhead of unknown designation". Discovered by Kaspersky Lab, Gauss is believed to be built on the same platform as the Flame trojan and to have been created by the same actors. It was in fact found during Kaspersky's analysis of Flame and, according to Kaspersky, began spreading around August-September 2011. Gauss also carries a specially encrypted payload that has not yet been successfully decrypted, so we will no doubt hear more soon.
This week also featured heavy patching from Adobe, with Reader, Acrobat, Shockwave and Flash all receiving updates; in the case of Flash there have been reports of active exploitation of the vulnerability patched. It is interesting to note, however, that according to the Google engineers who reported the issues, "dozens of vulnerabilities" in Adobe Reader remain unpatched. According to Mateusz Jurczyk and Gynvael Coldwind, sixteen vulnerabilities remain unpatched in the Windows and OS X versions, and thirty-one critical and "trivially exploitable" vulnerabilities remain unpatched in the Linux version of Reader.
And finally, here are my picks for the week's top 5 bulletins:
1) ESB-2012.0762 - [Win] Microsoft Windows: Multiple vulnerabilities
Microsoft rated this advisory as "critical" because of four vulnerabilities that could be exploited remotely without authentication to allow code execution or denial of service on all currently supported versions of Windows. The most severe of them allows code execution if a system receives a specially crafted response to a Windows print spooler request.
2) ESB-2012.0761 - [Win] Windows XP: Execute arbitrary code/commands - Remote/unauthenticated
Microsoft also rated this advisory as "critical". Although this vulnerability only affects Windows XP, it is still very nasty: it can be exploited by sending specially crafted RDP packets to an affected Windows XP system with RDP enabled, and could allow code execution on that system. RDP is not enabled by default, so XP hosts that have never had Remote Desktop turned on are not exposed, but any XP host listening on TCP 3389 should be patched or have RDP disabled.
3) ESB-2012.0771 - ALERT [Win][Linux][Mac][OSX] Adobe Flash Player: Execute arbitrary code/commands - Remote with user interaction
Adobe released security updates for Flash Player on Windows, OS X and Linux to correct a vulnerability that could crash the player or allow code execution on affected systems. It is important to note that there are reports of this particular vulnerability being exploited in the wild, so this update should be treated as a priority.
4) ESB-2012.0769 - [Win][Mac][OSX] Adobe Reader & Acrobat: Multiple vulnerabilities
Adobe patched twenty separate vulnerabilities in Adobe Reader and Acrobat that could allow denial of service or code execution on affected systems. As mentioned above, however, Adobe have yet to patch a substantial number of Reader vulnerabilities reported to them by Google engineers.
5) ESB-2012.0770 - [Win][Mac][OSX] Adobe Shockwave Player: Execute arbitrary code/commands - Remote with user interaction
Adobe also released updates for Shockwave to correct five vulnerabilities. These vulnerabilities could allow for code execution when opening malicious Shockwave content.
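For the two Microsoft items above (ESB-2012.0762 print spooler, ESB-2012.0761 RDP on XP), a quick way to find out which hosts are actually exposed before the patches land is to check whether the relevant service is running and whether RDP is switched on. The following PowerShell script is an added exposure check, not part of the AusCERT bulletin or Microsoft's advisories. It assumes the standard locations: the fDenyTSConnections value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server (0 means RDP connections are allowed), the Spooler and TermService service names, and a Windows XP OS version string beginning with 5.1. It is written against PowerShell 2.0 syntax so it also runs on XP.

```powershell
# Added exposure check for ESB-2012.0762 (print spooler) and ESB-2012.0761 (RDP on XP).
# Not from the bulletin; assumes the registry value, service names and OS version
# string described in the comments. Run from an elevated PowerShell prompt.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# fDenyTSConnections: 1 = RDP connections denied (default), 0 = RDP enabled.
# Missing value is treated as "not enabled" rather than as 0.
$denyTS = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTS -ne $null) -and ($denyTS -eq 0)

# Windows XP reports kernel version 5.1.x via WMI.
$os   = Get-WmiObject -Class Win32_OperatingSystem
$isXP = $os.Version -like '5.1*'

$spooler = Get-Service -Name Spooler     -ErrorAction SilentlyContinue
$termSvc = Get-Service -Name TermService -ErrorAction SilentlyContinue

$spoolerRunning = ($spooler -ne $null) -and ($spooler.Status -eq 'Running')
$termRunning    = ($termSvc -ne $null) -and ($termSvc.Status -eq 'Running')

# Also look for an actual listener on 3389 in case the registry and service state disagree.
$rdpListening = [bool](netstat -an | Select-String -Pattern ':3389\s+.*LISTENING')

$report = @(
    (New-Object PSObject -Property @{
        Check   = 'Print Spooler service running (ESB-2012.0762)'
        Exposed = $spoolerRunning
    }),
    (New-Object PSObject -Property @{
        Check   = 'Windows XP with RDP enabled (ESB-2012.0761)'
        Exposed = ($isXP -and $rdpEnabled -and ($termRunning -or $rdpListening))
    })
)

"Host: $($env:COMPUTERNAME)  OS: $($os.Caption) $($os.Version)"
$report | Select-Object Check, Exposed | Format-Table -AutoSize
```

A host that shows Exposed = True on the second line is one the XP RDP advisory actually applies to; everything else in the fleet can be patched on the normal cycle. For the print spooler line, a running Spooler on a host that never prints is a candidate for disabling the service until ESB-2012.0762 is applied.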
Have a great weekend!