Opening an email containing RTF in Outlook hands your computer to hackers

How many of you are using Microsoft Outlook in your office? Previewing or opening an email containing an .RTF file in Microsoft Outlook will open a backdoor for remote hackers to access your machine.

Microsoft warned today that attackers are exploiting a new zero-day vulnerability in Microsoft Word that allows them to run arbitrary code on a vulnerable system.

"The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word," the security advisory reads, "or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer."

The vulnerability affects Microsoft Word 2003, 2007, 2010 and 2013, Word Viewer, and Microsoft Office for Mac 2011. The advisory states that the exploits it has seen so far have targeted Microsoft Word 2010 users.

Microsoft is in the process of creating a patch for this security flaw. In the meantime, it has released a temporary Fix it solution that prevents RTF files from being opened in Microsoft Word.

Other suggestions to avoid becoming a victim are configuring Outlook to read email messages in plain text format and using the Enhanced Mitigation Experience Toolkit (EMET).
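Until a patch is installed, a mail gateway can also hold back messages that carry RTF. The following is an added example, not part of the original article or of Microsoft's Fix it; the function names, the reason labels and the sample message are assumptions constructed for illustration. It flags MIME parts that are RTF by content, declared type or file extension:

```python
import email
from email import policy
from email.message import EmailMessage

RTF_MAGIC = b"{\\rtf"  # every RTF document starts with this control word
RTF_TYPES = {"text/rtf", "application/rtf", "application/x-rtf"}


def find_rtf_parts(raw_message: bytes):
    """Return (filename, declared_type, reasons) for each MIME part that is RTF."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        reasons = []
        # Content check: catches RTF sent under another name or type
        # (for example .doc), which Word still parses as RTF.
        if body.lstrip().startswith(RTF_MAGIC):
            reasons.append("magic")
        if ctype in RTF_TYPES:
            reasons.append("declared-type")
        if name.lower().endswith(".rtf"):
            reasons.append("extension")
        if reasons:
            hits.append((name, ctype, reasons))
    return hits


def build_sample() -> bytes:
    """Constructed test message: one disguised RTF, one PDF, one plain RTF."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(b"{\\rtf1\\ansi constructed}", maintype="application",
                     subtype="msword", filename="invoice.doc")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="report.pdf")
    m.add_attachment(b"{\\rtf1\\ansi constructed}", maintype="application",
                     subtype="rtf", filename="notes.rtf")
    return m.as_bytes()


if __name__ == "__main__":
    for name, ctype, reasons in find_rtf_parts(build_sample()):
        print(f"quarantine {name!r} ({ctype}): {', '.join(reasons)}")
```

The content check is the one that matters for a renamed attachment: "invoice.doc" is flagged even though neither its name nor its declared type mentions RTF.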

CVE-2013-5065: Windows XP Kernel Privilege escalation vulnerability exploited in the wild


Microsoft has issued a warning about a new zero-day vulnerability affecting the Windows XP and Windows Server 2003 operating systems.

The bug, tracked as CVE-2013-5065, is a local privilege escalation vulnerability and is reportedly being exploited in the wild.

Successful exploitation allows attackers to run arbitrary code in kernel mode (escalating from user mode to kernel mode). The attacker can then install software, modify data or create accounts with admin privileges.

However, the vulnerability is not exploitable by a remote attacker.

"It does not affect customers who are using operating systems newer than Windows XP and Windows Server 2003," the Microsoft security advisory reads.

Though Microsoft has issued workarounds for this vulnerability, it is better to switch to the latest version of Windows (7 or 8), as we are aware that Microsoft is going to stop supporting Windows XP by April 2014.

Temporary fix for new zero-day IE vulnerability (CVE-2013-1347)

 
Microsoft has issued a temporary fix for the recently uncovered Internet Explorer 8 vulnerability that was exploited in the US Department of Labor hack to serve malware.

The vulnerability affects only IE8, so users running Internet Explorer versions 6, 7, 9 and 10 do not need to take any action.

Microsoft is working on fixing the issue. In the meantime, users are urged to apply the temporary fix to protect themselves from the attack.

To do this, visit this page "http://support.microsoft.com/kb/2847140" and click the Fix it button or link under the Enable heading.

If you are a pentester, the technical analysis and Metasploit module can be found here:
https://community.rapid7.com/community/metasploit/blog/2013/05/05/department-of-labor-ie-0day-now-available-at-metasploit

New IE8 Zero-day was used in the DOL Watering Hole attack



A few days ago, AlienVault Labs reported that the U.S. Department of Labor website had been hacked and was redirecting visitors to a malware page. In their report, they mentioned that the exploit used in the attack was CVE-2012-4792.

After further analysis, security researchers have discovered that the vulnerability exploited in the cyber attack wasn't CVE-2012-4792 but a new zero-day affecting Internet Explorer 8.

The CVE identifier CVE-2013-1347 has been assigned to this new IE vulnerability. Microsoft noted that Internet Explorer 6, IE7, IE9, and IE10 are not affected by the vulnerability.

"U.S Department of Labor website wasn’t the only entity affected and we can confirm that at least 9 other websites were redirecting to the malicious server at the same time," AlienVault reports.

According to their report, the cyber attack targeted websites belonging to several non-profit groups and institutes, as well as a big European company that is active in the aerospace, defence and security markets.

Invincea's founder Anup Ghosh told NextGov that the "target of the attack are [Energy Department] folks in a watering hole style attack compromising one federal department to attack another".

Quick fix for IE zero-day Vulnerability (CVE-2012-4792) is available


Microsoft has released a quick fix for a zero-day vulnerability in older versions of its Internet Explorer web browser that is actively being exploited by hackers.

The security flaw affects Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8. Versions 9 and 10 are not affected by this vulnerability.

About CVE-2012-4792:

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.

The company said that the "Fix it solution" is not intended to be a replacement for any security update.

"We recommend that you always install the latest security updates. However, we offer this Fix it solution as a workaround option for some scenarios."

The quick fix for the vulnerability is available here:
http://support.microsoft.com/kb/2794220#FixItForMe

Samsung Smart TV 0-day Vulnerability allows hackers to read attached storage devices

ReVuln Ltd has discovered a zero-day vulnerability in the Samsung Smart TV that allows attackers to retrieve sensitive information, monitor and root the device itself remotely.

The vulnerability has been tested on a Samsung TV LED 3D, but the team is still not able to confirm which TV models are affected by this zero-day.

“We have tested different Samsung televisions of the latest generations running the latest version of their firmware,” Luigi Auriemma, Security Researcher at ReVuln Ltd, said.

“Unfortunately we can't disclose additional information but we can only say that almost all the people having a Samsung TV at home or in their offices are affected by this vulnerability.”

They have demonstrated the attack in a proof-of-concept video.

Zero-day vulnerabilities in MySQL database allow hackers to crash the service


Multiple zero-day vulnerabilities have been discovered in the popular database software MySQL that could allow hackers to crash the service, deny access to users, escalate privileges and bypass authentication.

There are five zero-day vulnerabilities. According to the report, one was recognised as a duplicate of an existing flaw and another as a misconfiguration.

Common Vulnerabilities and Exposures (CVE) identifiers have been assigned to the issues to track them:

  • CVE-2012-5611 — MySQL (Linux) Stack based buffer overrun PoC Zeroday
  • CVE-2012-5612 — MySQL (Linux) Heap Based Overrun PoC Zeroday
  • CVE-2012-5613 — MySQL (Linux) Database Privilege Elevation Zeroday Exploit
  • CVE-2012-5614 — MySQL Denial of Service Zeroday PoC
  • CVE-2012-5615 — MySQL Remote Preauth User Enumeration Zeroday

Security researcher Eric Romang has posted a video on his blog demonstrating how misconfigured servers are vulnerable.

Similar issues were also disclosed involving SSH.com Communications' Tectia SSH Server, which was also determined to be vulnerable to authentication bypass.