
Security News #0x3F

  • There is a major unpatched vulnerability in Internet Explorer 8 that has been used to attack a number of high-profile targets, including the US Department of Labor. Threatpost has some of the news, as does Brian Krebs. The problem is only known to affect Internet Explorer 8; for now, IE 9 and 10 appear to be unaffected. The vulnerability is tracked as CVE-2013-1347. Currently there is no patch; Microsoft has announced a workaround, while CERT has pointed out that EMET protects against this attack. As you might expect, Metasploit already has a module that exploits the issue.
  • I learned about a new way to attack Windows systems if you have physical access, even if the BIOS is locked so that you can't boot another OS. The attack is described over at IntelComms. The basic idea is that, when a Windows system reboots after a failed boot attempt, you are offered the option to repair the system. As part of that, the user is asked whether they want to view the problem details, which launches a Notepad instance with the details. A Notepad instance running as SYSTEM. Ouch. Full-disk encryption (BitLocker) is the usual mitigation for this class of physical-access attack, since the recovery environment otherwise has unencrypted access to the system volume.
  • The folks at PenTestLab have an article about a tool called FindMyHash. That tool is a Python script that sends your specified hash to a number of web sites that provide hash look-up services.
  • Jim Walters shares his experience as Red Team at NCCDC. One key takeaway: anti-virus, though not perfect (what is?), would have helped.
  • Speaking of cyber defense competitions, NETRESEC now has packet captures from the 2010, 2011, and 2012 mid-Atlantic CCDC events.
  • The Onion has a (serious) piece on how they were social-engineered last week by the Syrian Electronic Army. This turned out to be one of the better such articles that I have seen in some time, and is well worth reading.
  • We talk about format string vulnerabilities in our application software security class. Would you like to see one in the wild? Here is an example in the game Skyrim. I don't know whether the problem is exploitable, but the game is common enough that many of us have played it.
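Since the Skyrim item is the one link in this roundup that maps directly onto classroom material, here is the textbook shape of a format string bug next to its fix. This is an added example written for this post; it is not Skyrim's code, and the function names (`render`, `log_vulnerable`, `log_fixed`, `contains_conversion`) and the sample inputs are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * A format string bug occurs when attacker-controlled text is passed as the
 * FORMAT argument of a printf-family function instead of as data.
 * render() stands in for any printf-style sink (a logger, an on-screen
 * message box, a console). It is routed through vsnprintf only so the bug
 * is visible at the call site rather than hidden behind a compiler warning.
 */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE: the user string *is* the format. "%x"/"%p" read stack or
 * register contents into the output, "%s" dereferences them, and "%n"
 * writes to memory. Returns the formatted length, as snprintf does. */
int log_vulnerable(char *out, size_t n, const char *user)
{
    return render(out, n, user);
}

/* FIXED: constant format, user string passed as a plain argument. */
int log_fixed(char *out, size_t n, const char *user)
{
    return render(out, n, "%s", user);
}

/* Defensive check for input that reaches a sink you cannot fix right away:
 * a '%' anywhere in untrusted text would be interpreted as a conversion.
 * Returns 1 if a conversion character is present, 0 otherwise. */
int contains_conversion(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char buf[128];
    /* Constructed inputs: a harmless-looking one and a leak probe. */
    const char *benign = "100%% done";
    const char *leak   = "%p %p %p %p";

    log_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable(\"%s\") -> \"%s\"\n", benign, buf); /* "100% done" */
    log_fixed(buf, sizeof buf, benign);
    printf("fixed(\"%s\")      -> \"%s\"\n", benign, buf); /* "100%% done" */

    /* Undefined behaviour: no variadic arguments exist, so each %p prints
     * whatever sits in the argument registers / stack slots. That output
     * is a memory disclosure, and it is the first thing an attacker does
     * with a format string bug before moving on to %n writes. */
    log_vulnerable(buf, sizeof buf, leak);
    printf("vulnerable(\"%s\") -> \"%s\"\n", leak, buf);
    log_fixed(buf, sizeof buf, leak);
    printf("fixed(\"%s\")      -> \"%s\"\n", leak, buf); /* echoed verbatim */

    printf("contains_conversion(\"%s\") = %d\n", leak, contains_conversion(leak));
    return 0;
}
```

The fix is always the same: never let untrusted data occupy the format position. Compiling with `-Wformat-security` (and `-Werror=format-security` in CI) catches the direct `printf(user)` form; the wrapper above is exactly the kind of indirection that escapes that warning, which is why code review still has to look for it.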