WARNING!!! Cyber-criminals Are Looking Out For Ways To Harm You…

Cyber criminals are constantly looking for new ways to attack IT users. They seek out opportunities to exploit the technologies those users rely on and to profit from the information they steal.

The US-CERT Cyber Security Bulletin summarizes the latest vulnerabilities recorded by its research department for the week of February 23, 2015. The National Institute of Standards and Technology (NIST) has found vulnerabilities that can leave a system open to malware attacks and unauthorized access.

Some of the vulnerabilities recorded in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week, and their impact, are listed below:

  • SQL injection vulnerability in videogalleryrss.php in the Apptha WordPress Video Gallery (contus-video-gallery) plugin before 2.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the vid parameter in an rss action to wp-admin/admin-ajax.php. Find out other vulnerable versions from here: http://1.usa.gov/1vSsHC9.
  • Multiple use-after-free vulnerabilities in OpenType Sanitiser, as used in Mozilla Firefox before 36.0, might allow remote attackers to trigger problematic Developer Console information or possibly have unspecified other impact by leveraging incorrect macro expansion, related to the ots::ots_gasp_parse function. Find out other vulnerable versions from here: http://1.usa.gov/1DJBKFw.
  • Double free vulnerability in the nsXMLHttpRequest::GetResponse function in Mozilla Firefox before 36.0, when a nonstandard memory allocator is used, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via crafted JavaScript code that makes an XMLHttpRequest call with zero bytes of data. Find out other vulnerable versions from here: http://1.usa.gov/1GaR29F.
  • Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 36.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Find out other vulnerable versions from here: http://1.usa.gov/1CihxsB.
  • SQL injection vulnerability in the ajax_survey function in settings.php in the WordPress Survey and Poll plugin 1.1.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the survey_id parameter in an ajax_survey action to wp-admin/admin-ajax.php. Find out other vulnerable versions from here: http://1.usa.gov/1AONTJs.
  • Multiple cross-site request forgery (CSRF) vulnerabilities in the Acobot Live Chat & Contact Form plugin 2.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or (2) conduct cross-site scripting (XSS) attacks via the acobot_token parameter in the acobot page to wp-admin/options-general.php. Find out other vulnerable versions from here: http://1.usa.gov/1DJCpXD.
  • Cross-site request forgery (CSRF) vulnerability in D-Link DCS-931L with firmware 1.04 and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Find out other vulnerable versions from here: http://1.usa.gov/1F0Jpir.
  • The GoogleAuthUtil.getToken method in the Google Play services SDK before 2015 sets parameters in OAuth token requests upon finding a corresponding _opt_ parameter in the Bundle extras argument, which allows attackers to bypass an intended consent dialog and retrieve tokens for arbitrary OAuth scopes including the SID and LSID scopes, and consequently obtain access to a Google account, via a crafted application, as demonstrated by setting the has_permission=1 parameter value upon finding _opt_has_permission in that argument. Find out other vulnerable versions from here: http://1.usa.gov/1FNvblh.
  • The UberFire Framework 0.3.x does not properly restrict paths, which allows remote attackers to (1) execute arbitrary code by uploading crafted content to FileUploadServlet or (2) read arbitrary files via vectors involving FileDownloadServlet. Find out other vulnerable versions from here: http://1.usa.gov/1AvAaT9.
  • Buffer overflow in the XnsSdkDeviceIpInstaller.ocx ActiveX control in Samsung iPOLiS Device Manager 1.12.2 allows remote attackers to execute arbitrary code via a long string in the first argument to the (1) ReadConfigValue or (2) WriteConfigValue function. Find out other vulnerable versions from here: http://1.usa.gov/1AOR9EL.
  • Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtain sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node. Find out other vulnerable versions from here: http://1.usa.gov/1E9QeQk.
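Two of the entries above (the video-gallery and survey plugins) are the same defect: a request parameter pasted into SQL text. The following is an added example, not code from the original post or from either plugin; it uses an in-memory SQLite table with constructed rows, and the table name, column names and the `rss_feed_*` function names are assumptions chosen for illustration. It puts the vulnerable pattern beside the hardened one so the difference in behaviour can be seen directly.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a video-gallery table.
    # The schema is an assumption for this example, not the plugin's own.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE videos (vid INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO videos VALUES (?, ?, ?)",
        [(1, "Intro", 1), (2, "Draft (unpublished)", 0), (3, "Keynote", 1)],
    )
    return conn


def rss_feed_vulnerable(conn: sqlite3.Connection, vid: str) -> list:
    # The request parameter is concatenated into the SQL text. The database
    # cannot tell data from code, so a value such as "2 OR 1=1" rewrites the
    # WHERE clause and the unpublished row leaks into the public feed.
    sql = f"SELECT title FROM videos WHERE published = 1 AND vid = {vid}"
    return [row[0] for row in conn.execute(sql)]


def is_valid_vid(vid: str) -> bool:
    # The parameter is documented as an identifier, so only digits are valid.
    return str(vid).isdigit()


def rss_feed_hardened(conn: sqlite3.Connection, vid: str) -> list:
    # Two independent layers: validate the expected type, then bind the value
    # as a query parameter so it is never parsed as SQL.
    if not is_valid_vid(vid):
        raise ValueError(f"vid must be a positive integer, got {vid!r}")
    sql = "SELECT title FROM videos WHERE published = 1 AND vid = ?"
    return [row[0] for row in conn.execute(sql, (int(vid),))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, vid=1        :", rss_feed_vulnerable(db, "1"))
    print("vulnerable, vid=2 OR 1=1 :", rss_feed_vulnerable(db, "2 OR 1=1"))
    print("hardened,   vid=1        :", rss_feed_hardened(db, "1"))
    try:
        rss_feed_hardened(db, "2 OR 1=1")
    except ValueError as exc:
        print("hardened,   vid=2 OR 1=1 : rejected ->", exc)
```

Parameter binding alone would already stop the injection; the type check is kept as a second layer because it rejects the request before any query runs and produces a log-worthy error rather than an empty result.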

Many more vulnerable software packages are listed in the bulletin, ranked by high, medium, and low severity. To learn more about them and the affected versions, please read the US-CERT Cyber Security Bulletin here: http://1.usa.gov/17K9hUO.

Posted in eScan 11

Do not be a victim of growing cyber threats!!!

Have you ever been a victim of cyber-crime? If not, you are lucky! However, if you feel that you have so far escaped the attention of cyber-criminals, that belief deserves some doubt. Often the effects of a cyber-attack are not visible immediately, and you may not even realize that you have been a victim until someone else tells you.

The US-CERT Cyber Security Bulletin summarizes the latest vulnerabilities recorded by its research department for the week of February 16, 2015. The National Institute of Standards and Technology (NIST) has found vulnerabilities that can leave a system open to malware attacks and unauthorized access.

Common vulnerabilities and their impact recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week are:

  • Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of (1) file descriptors or (2) integer values. Find out other vulnerable versions from here: http://1.usa.gov/1B7rVls.
  • LG On-Screen Phone (OSP) before 4.3.010 allows remote attackers to bypass authorization via a crafted request. Find out other vulnerable versions from here: http://1.usa.gov/1A2rQtR.
  • The ActiveMQ Broker in Samsung Security Manager (SSM) before 1.31 allows remote attackers to delete arbitrary files, and consequently cause a denial of service, via a DELETE request. Find out other vulnerable versions from here: http://1.usa.gov/17t2m2b.
  • Multiple cross-site scripting (XSS) vulnerabilities in Adminsystems CMS before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter to index.php or (2) id parameter in a users_users action to asys/site/system.php. Find out other vulnerable versions from here: http://1.usa.gov/1vugh2Y.
  • The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the mfbfw parameter in an update action to wp-admin/admin-post.php, as exploited in the wild in February 2015. Find out other vulnerable versions from here: http://1.usa.gov/1AF0oWA.
  • The Google Email application 4.2.2.0200 for Android allows remote attackers to cause a denial of service (persistent application crash) via a “Content-Disposition: ;” header in an e-mail message. Find out other vulnerable versions from here: http://1.usa.gov/1FRVMRx.
  • Curam Universal Access in IBM Curam Social Program Management 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4.5 before iFix007, 6.0.5.4 before iFix005, and 6.0.5.5 before iFix003, when SPI inclusion is enabled, allows remote attackers to obtain sensitive user data by visiting an unspecified page. Find out other vulnerable versions from here: http://1.usa.gov/1zBKdXo.
  • Cross-site scripting (XSS) vulnerability in the Google Doc Embedder plugin before 2.5.19 for WordPress allows remote attackers to inject arbitrary web script or HTML via the profile parameter in an edit action in the gde-settings page to wp-admin/options-general.php. Find out other vulnerable versions from here: http://1.usa.gov/1vuhNlD.
  • senddocument.php in Zarafa WebApp before 2.0 beta 3 and WebAccess in Zarafa Collaboration Platform (ZCP) 7.x before 7.1.12 beta 1 and 7.2.x before 7.2.0 beta 1 allows remote attackers to cause a denial of service (/tmp disk consumption) by uploading a large number of files. Find out other vulnerable versions from here: http://1.usa.gov/1A2u3Fv.
  • CRLF injection vulnerability in Squid before 3.1.10 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted header in a response. Find out other vulnerable versions from here: http://1.usa.gov/1JFQNq2.
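The Squid entry above is a CRLF injection: once a carriage return or line feed reaches a header value, whatever follows it is parsed as a new header or even a second response. The following is an added example, not code from the original post or from Squid; it builds a minimal HTTP/1.1 response head from a dictionary (a constructed stand-in for any server or proxy that forwards header values) first without and then with value validation, and includes a small parser so the effect of the injected line break can be checked.

```python
import re

# RFC 7230 "token" characters permitted in a header field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def build_response_vulnerable(headers: dict, body: bytes = b"") -> bytes:
    # Header values are copied into the response verbatim. A value that
    # contains "\r\n" therefore terminates its own line and whatever follows
    # becomes an additional header (or, with "\r\n\r\n", a whole new response).
    lines = ["HTTP/1.1 200 OK"]
    for name, value in headers.items():
        lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def header_value_is_safe(value: str) -> bool:
    # CR, LF and NUL are never legitimate inside a field value; rejecting them
    # is what prevents response splitting. Other control characters are
    # rejected too, since they are not allowed by RFC 7230 either.
    return not any(ord(ch) < 0x20 or ch == "\x7f" for ch in value if ch != "\t")


def header_name_is_safe(name: str) -> bool:
    return bool(_TOKEN_RE.match(name))


def build_response_hardened(headers: dict, body: bytes = b"") -> bytes:
    # Same output as above, but every name and value is validated first.
    # Rejecting (rather than silently stripping) makes the tampering visible
    # in error logs instead of producing a quietly different response.
    for name, value in headers.items():
        if not header_name_is_safe(name):
            raise ValueError(f"illegal header name: {name!r}")
        if not header_value_is_safe(str(value)):
            raise ValueError(f"control character in value of {name}: {value!r}")
    return build_response_vulnerable(headers, body)


def parse_headers(raw: bytes) -> dict:
    # Minimal parser modelling what a downstream client or cache would see.
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    _status, *lines = head.split("\r\n")
    return dict(line.split(": ", 1) for line in lines)


if __name__ == "__main__":
    # Constructed untrusted value: a redirect target that carries a line break.
    tainted = {"Location": "/home\r\nSet-Cookie: sid=injected"}
    print(parse_headers(build_response_vulnerable(tainted)))
    try:
        build_response_hardened(tainted)
    except ValueError as exc:
        print("hardened builder rejected it:", exc)
```

Python's own `http.client` performs the same kind of check and raises `ValueError` from `putheader` when a value contains a line break; the point of writing it out here is that any code path which assembles headers by string formatting needs the check, not only the standard library.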

Many more vulnerable software packages are listed in the bulletin, ranked by high, medium, and low severity. To learn more about them and the affected versions, please read the US-CERT Cyber Security Bulletin here: http://1.usa.gov/1DNHH5r.

Posted in eScan 11

How To Spot A Tax Scam?

As the tax season rolls in, cyber criminals are ready with scams aimed at tax payers as well as preparers. These criminals take advantage of tax payers' fear of not filing properly or of not getting as large a refund as they can.


eScan warns tax payers, preparers and other tax professionals to beware of illegitimate emails making the rounds that request updated personal or professional information; in reality these are phishing schemes. Do not click on links in strange emails or visit websites designed to look like a legitimate site; they exist to lure in potential victims and prompt them to provide valuable personal and financial information, which cyber criminals can then use to commit identity theft.

eScan suggests the following points to help you spot a tax scam:

Phone Calls and Emails: Paying tax is a duty towards our country. The Income Tax Department would never call you to remind you to pay tax or file your returns; such notices are sent by email or letter. So if you get a phone call, don't take it seriously.

Since genuine notices are sent via email, cyber criminals take advantage of this and send phishing emails. Beware of them. The email will claim that the Income Tax Department owes you a bigger refund and that you need to send your details to a random, unnamed site. Never click the link, as it may well download malware onto your computer.

Never open attachments or click links in a suspicious email from an unknown sender. Delete the email, blacklist the sender's email address and report the phishing attempt to the genuine company using verified contact information. Many scammers even go to the trouble of building fake websites.

Logos: Whenever we see the logo of the Income Tax Department we get nervous, and scammers love to use this fear as a tool to prey on victims.

Incorrect Grammar: If you look carefully, you will find grammatical errors, broken English or poorly formed sentences that help you distinguish a legitimate mail from a spam mail. The language used in a typical phishing email is quite unprofessional, and such emails are not addressed properly. In addition, the sender usually uses a personal email address to send the phishing email.

No / Little Paperwork: If a mail or advertisement related to tax returns promises a refund without looking at all your information, or requires little documentation, it is probably a scam. We suggest knowing the list of documents a legitimate tax preparer should ask for in order to file a return.

Tax Preparers that ‘Work From Home’: Many scammers work from home, which makes them harder to trace. Tax-related software is readily available on the market, and they may take advantage of it.

Charity Deductions: Everyone wants more deductions. However, if someone tells you that you don't have to pay taxes because you belong to some religious or ethnic group, it is probably a scam. Likewise, if a tax preparer suggests claiming a higher amount of charitable deductions and asks for a percentage or cut of your refund, avoid them.

Twisting Old Tax Laws: Scammers often cite old tax laws that hardly anyone knows about in order to dupe their victims. They may produce some esoteric form and say that you need to fill it out. This is simply a way to trap you in a scam.

Posted in Security

Narrow the window of opportunity for cyber criminals

Whatever the segment (Home, SMB or Corporate / Enterprise), IT users face cyber-attacks increasingly often. New vulnerabilities are created constantly, opening a window of opportunity for cyber criminals. The US-CERT Cyber Security Bulletin summarizes the latest vulnerabilities recorded by its research department for the week of February 09, 2015.

The National Institute of Standards and Technology (NIST) has found vulnerabilities that can leave a system open to malware attacks and unauthorized access.

Common vulnerabilities and their impact recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week are:

  • Use-after-free vulnerability in Microsoft Office 2007 SP3, 2010 SP2, and 2013 Gold and SP1 allows remote attackers to bypass the ASLR protection mechanism via a crafted document, aka “Microsoft Office Component Use After Free Vulnerability.” Find out other vulnerable versions from here: http://1.usa.gov/1CHN4z2
  • Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. Find out other vulnerable versions from here: http://1.usa.gov/1vgdvyc
  • The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. Find out other vulnerable versions from here: http://1.usa.gov/1zNs8EL
  • Two SQL injection vulnerabilities have been found in Zerocms <= v. 1.3.3. The first SQL injection vulnerability is located in the article_id parameter used in zero_view_article.php and can be exploited even by unauthenticated attackers. The second vulnerability is a Blind SQL injection and is located in the user_id parameter used in a POST request in zero_transact_user.php. Find out other vulnerable versions from here: http://1.usa.gov/1FrB3nr
  • Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication. Find out other vulnerable versions from here: http://1.usa.gov/1AR9JMC
  • The rftpcom.dll ActiveX control in Attachmate Reflection FTP Client before 14.1.429 allows remote attackers to cause a denial of service (memory corruption) and execute arbitrary code via vectors related to the (1) GetGlobalSettings or (2) GetSiteProperties3 methods, which triggers a dereference of an arbitrary memory address. NOTE: this issue was MERGED with CVE-2014-0606 because it is the same type of vulnerability, affecting the same set of versions, and discovered by the same researcher. Find out other vulnerable versions from here: http://1.usa.gov/1L9W04O
  • Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android allow attackers to cause a denial of service or possibly have other impact via unknown vectors. Find out other vulnerable versions from here: http://1.usa.gov/17RA0Q5
  • Unrestricted file upload vulnerability in admin/upload-file.php in the Holding Pattern theme (aka holding_pattern) 0.6 and earlier for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory. Find out other vulnerable versions from here: http://1.usa.gov/1yVVMY8
  • The UNC implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not include authentication from the server to the client, which allows remote attackers to execute arbitrary code by making crafted data available on a UNC share, as demonstrated by Group Policy data from a spoofed domain controller, aka “Group Policy Remote Code Execution Vulnerability.” Find out other vulnerable versions from here: http://1.usa.gov/1vVyp6q
  • Microsoft Word 2007 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka “OneTableDocumentStream Remote Code Execution Vulnerability.” Find out other vulnerable versions from here: http://1.usa.gov/1yVWeWz
  • The CryptProtectMemory function in cng.sys (aka the Cryptography Next Generation driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, when the CRYPTPROTECTMEMORY_SAME_LOGON option is used, does not check an impersonation token’s level, which allows local users to bypass intended decryption restrictions by leveraging a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data, aka “CNG Security Feature Bypass Vulnerability” or MSRC ID 20707. Find out other vulnerable versions from here: http://1.usa.gov/1MwBChF.
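The Divi theme entry above is a directory traversal: an `img` parameter containing `..` walks out of the directory the handler meant to serve from. The following is an added example, not code from the original post or from the theme; it shows the containment check a file-serving handler needs, using an assumed image root directory (`IMAGE_ROOT` is a placeholder path for this example) and constructed request values. It goes slightly beyond the single case in the entry by also handling percent-encoded dots, absolute paths and NUL bytes.

```python
import os
from urllib.parse import unquote

# Assumed document root for this example; nothing is read from disk, the
# check works purely on canonicalised path strings.
IMAGE_ROOT = "/var/www/uploads/images"


def resolve_image_path(root: str, requested: str) -> str:
    """Return the absolute path for `requested`, or raise if it leaves `root`.

    Canonicalising both sides with realpath and then comparing the common
    prefix is what makes the check robust: "..", "./", repeated slashes and
    (for paths that exist) symlinks are all resolved before the comparison,
    so the check does not depend on spotting any particular byte pattern.
    """
    # Decode once, as a web server would, so "%2e%2e" is seen as "..".
    requested = unquote(requested)
    if "\x00" in requested:
        raise PermissionError("NUL byte in requested path")

    root_real = os.path.realpath(root)
    # Treat a leading "/" as relative to the root rather than the filesystem;
    # without lstrip, os.path.join would discard the root for absolute input.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))

    # commonpath of [root, candidate] equals root only if candidate is inside it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"requested path escapes image root: {requested!r}")
    return candidate


def is_within_root(root: str, requested: str) -> bool:
    # Boolean wrapper for logging or tests; the handler itself should use
    # resolve_image_path so that the resolved path is what gets opened.
    try:
        resolve_image_path(root, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed request values: two benign, three attempts to leave the root.
    for value in [
        "gallery/photo.jpg",
        "gallery/../photo.jpg",
        "../../../etc/passwd",
        "%2e%2e/%2e%2e/wp-config.php",
        "/etc/hostname",
    ]:
        print(f"{value!r:40} -> {'allowed' if is_within_root(IMAGE_ROOT, value) else 'rejected'}")
```

Note that `gallery/../photo.jpg` is allowed: after normalisation it still lies inside the root, which is the correct outcome, and it illustrates why the decision should be made on the resolved path rather than by blocklisting the string `..`. The leading-slash case is rejected because `/etc/hostname` is outside the root after stripping; if a handler wanted root-relative absolute paths it would get `/var/www/uploads/images/etc/hostname` and the check would pass for that file only.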

Many more vulnerable software packages are listed in the bulletin, ranked by high, medium, and low severity. To learn more about them and the affected versions, read the US-CERT Cyber Security Bulletin here: http://1.usa.gov/19p1fSk.

Posted in eScan 11, Security