Poodle – CVE-2014-3566

Time for the next big security flaw! This time Google's Security Team has discovered a vulnerability in SSL 3.0, and the list of targets is huge. All implementations of SSL 3.0 are vulnerable to attack, and the recommendation is to disable SSL 3.0 as soon as possible. (As a matter of fact, SSL 3.0 is over 15 years old and for obvious reasons already outdated. But it's still widely deployed for compatibility reasons.)

But there are a lot of factors that make an attack less likely. For example, the attacker needs a "man-in-the-middle" position to exploit it, in most cases Java has to be enabled on the client side, and if someone does attack you they can take control of your sessions, but not steal your password.

A test to see if your browser is vulnerable can be done here: https://www.poodletest.com/

More info:

http://googleonlinesecurity.blogspot.se/2014/10/this-poodle-bites-exploiting-ssl-30.html

https://technet.microsoft.com/en-us/library/security/3009008.aspx

http://blog.erratasec.com/2014/10/some-poodle-notes.html#.VD4xhPl_u-4

Sandworm – CVE-2014-4114

A newly discovered zero-day vulnerability called Sandworm has been published today by iSight (http://www.isightpartners.com/2014/10/cve-2014-4114/). The vulnerability affects all supported versions of Windows and is rated critical.

Attacks using the vulnerability have been seen against NATO, power and telecom companies, Western European governments and US academic organizations. All discovered attacks have been traced back to cyber-espionage out of Russia.

A short summary:

  • An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Windows Server
  • Impacting all versions of the Windows operating system from Vista SP2 to Windows 8.1
  • Impacting Windows Server versions 2008 and 2012
  • When exploited, the vulnerability allows an attacker to remotely execute arbitrary code
  • The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.
  • This causes the referenced files to be downloaded and, in the case of INF files, executed with specific commands
  • An attacker can exploit this vulnerability to execute arbitrary code but needs a specifically crafted file and social engineering methods (observed in this campaign) to convince a user to open it
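As an added example (not code from the original post or from iSight's write-up), the check below opens an OOXML presentation and flags slide relationships whose OLE-object link points at an external target with a dangerous extension such as .inf, which is the reference pattern the bullets above describe. The relationship namespace and type are standard OOXML; the RISKY_EXT list and the constructed sample file are assumptions for the demo.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Standard OOXML package namespace and the relationship type used for embedded OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Extensions treated as dangerous when the OLE object is fetched from outside the document.
# .inf is the case from the advisory; the rest of the list is an assumption.
RISKY_EXT = (".inf", ".exe", ".scr", ".bat", ".cmd")


def external_ole_targets(pptx_bytes: bytes) -> list:
    """Return (rels part, target) for every slide OLE relationship whose
    TargetMode is External, i.e. the object lives outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target", "")))
    return hits


def is_suspicious(pptx_bytes: bytes) -> bool:
    """True when any external OLE target carries a risky extension."""
    return any(t.lower().endswith(RISKY_EXT) for _, t in external_ole_targets(pptx_bytes))


def build_sample_pptx(target: str, external: bool) -> bytes:
    """Constructed minimal .pptx-shaped zip with one slide and one OLE
    relationship (demo input only, not a real presentation)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId2" Type="{OLE_REL}" Target="{target}"{mode}/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    bad = build_sample_pptx(r"\\example.invalid\share\slide1.inf", external=True)
    good = build_sample_pptx("../embeddings/oleObject1.bin", external=False)
    print("external .inf reference flagged:", is_suspicious(bad))  # True
    print("normal embedded object flagged:", is_suspicious(good))  # False
```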

The properties of the affected file from Windows 8.1 (image: packager)

According to the available information, Microsoft will release a patch for this vulnerability today (MS14-060). As part of the security bulletin, Microsoft will describe a list of workarounds for the vulnerability. These workarounds should help mitigate the risk of exploitation while the patching process unfolds.

More information can be found on iSight's web site: http://www.isightpartners.com/2014/10/cve-2014-4114/