Security News #0x3F
- There is a major unpatched vulnerability in Internet Explorer 8 that has been used to attack a number of high profile targets, including the US Department of Labor. Threatpost has some of the news, as does Brian Krebs. The problem is only known to affect Internet Explorer 8; for now IE 9 and 10 appear to be unaffected. The vulnerability is listed as CVE 2013-1347. Currently, there is no patch; Microsoft has announced a workaround, while CERT has pointed out that EMET protects against this attack. As you might expect, Metasploit has crafted a module to exploit this issue.
- I learned about a new way to attack Windows systems if you have physical access- even if the BIOS is locked so that you can’t boot to another OS. The attack is described over at IntelComms. The basic idea is that, when a Windows system reboots after a failed boot attempt, you have the option to repair the system. As part of that, the user is asked if they want to view the problem details, which launches a Notepad instance with the details. A Notepad instance running as SYSTEM. Ouch.
- The folks at PenTestLab have an article about a tool called FindMyHash. That tool is a Python script that sends your specified hash to a number of web sites that provide hash look-up services.
- Jim Walters shares his experience as Red Team at NCCDC. One key takeaway- Anti-virus, though not perfect (what is?) would have helped.
- Speaking of cyber defense competitions, NETRESEC now has packet captures from the 2010, 2011, and 2012 mid-Atlantic CCDC events.
- The Onion has a (serious) piece on how they were social-engineered last week by the Syrian Electronic Army. This turned out to be one of the better such articles that I have seen in some time, and is well worth reading.
- We talk about format string vulnerabilities in our application software security class. Would you like to see one in the wild? Here is an example in the game Skyrim. I don’t know if the problem is exploitable, but the game is common enough that many of us have played it.