Microsoft Office CVE-2013-1331 Coverage

The time between discovery of a vulnerability and the emergence of an exploit keeps getting shorter—sometimes a matter of only hours. This increases pressure on IT managers to rapidly patch production systems in conflict with configuration management and best practices for quality assurance. Many organizations struggle to keep up with the constant release of new patches and updates.

Last Tuesday, June 11, 2013, Microsoft released a security bulletin (MS13-051) which covers a number of vulnerabilities. One of the vulnerabilities has reportedly been exploited in targeted attacks. Attackers can leverage this vulnerability by sending a specially crafted attachment as part of a spear phishing campaign.

The vulnerability in question is the Microsoft Office PNG File CVE-2013-1331 Buffer Overflow Vulnerability (CVE-2013-1331), a remote stack-based buffer overflow in Microsoft Office that allows remote code execution. It is confirmed to affect Microsoft Office 2011 for Mac and Microsoft Office 2003 for all Windows platforms.

Symantec currently has the following detections in place for this vulnerability:

Antivirus Signature

Intrusion Prevention Signature

  • Web Attack: Microsoft Office CVE-2013-1331 2
  • System Infected: Trojan Backdoor Activity 12

We continue to monitor this threat to improve coverage and will provide any relevant updates when possible. Symantec strongly advises users to update their antivirus definitions regularly and ensure the latest Microsoft patches are installed:

Running Outdated and Insecure Version of WordPress

In the recent past we have mentioned that the websites of the White House, Department of Homeland Security, and FEMA are failing to take the basic security step of keeping the software powering their websites up to date. It then should not come as too much of a surprise to see that the website of the U.S. Chief Information Officer and the Federal CIO Council is running WordPress 3.4.2. On the website it is described as “serving as a central resource for information on Federal IT” and “identifying best practices”.

Since the website is running WordPress 3.4.2, they have failed to update WordPress for seven months and, more importantly, they failed to update when a security release was put out back in January.

With the US government’s and CIO Council’s claimed focus on cybersecurity, it is troubling that they are failing to do something so basic. It also raises questions about one of the CIO Council’s areas of cybersecurity focus, “Continuous Monitoring”:

Continuous monitoring is a risk management approach to cybersecurity that maintains an accurate picture of an agency’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status.

In today’s environment of widespread cyber-intrusions, advanced persistent threats, and insider threats, it is essential for agencies to have real-time accurate knowledge of their enterprise IT overall security posture. Agencies need to constantly know and remain aware of their enterprise security status so that responses to external and internal threats can be made swiftly.

If continuous monitoring is being used for their own website, it isn’t working. If it isn’t being used, you have to wonder why it is one of their focuses when they haven’t even started using it themselves.

“Sakura” Site App on the Apple App Store

Japanese one-click fraud apps on Google Play made their debut at the beginning of the year and have now become a regular on the market as new variants appear on an almost daily basis. I was curious to see whether the scammers had attempted to target other mobile platforms, so I did some investigative work. The result was that I didn’t find any one-click fraud on other platforms, but I did come across a dodgy app in the Apple App Store that uses a strategy that is similar to one-click fraud apps.

Once opened, the app accesses certain URLs and displays content from them within the app. The app itself pretty much acts as a frame for the fraudulent site. The particular app leads to fake dating services, called “sakura” sites in Japan, rather than one-click fraud apps that attempt to fool users into paying for an adult video service.

The app was introduced on the App Store as a game and certainly does not look like it is related to a dating service on the English page.


Figure 1. English version on the App Store

However, the introduction on the Japanese page suggests that the app may have something to do with pornography. The page also states that users need to be over 18 years of age and that the app is available for a free download for a limited time only.


Figure 2. Japanese version on the App Store

Once installed and launched, the app’s appearance resembles the App Store.

Figure 3. Supposedly downloadable apps

When the network connection on the device is turned off and the app is reopened, no content is displayed because the app cannot download it from the Internet.


Figure 4. Result of no network connection on the device

When the non-existent apps within the app are opened, the default browser on the device opens various dating service sites that are all hosted on the same domain. Interestingly, the domain has been known to host the Android version of the same dating scam as well.


Figure 5. “Sakura” dating site used in the scam

Once users sign up for the service, they will soon be bombarded with messages from non-existent people interested in meeting them. The messages are actually sent from people hired by the operators of the dating service; this type of person is known colloquially in Japan as a “sakura.” The ultimate goal of the sites is to trick users into purchasing points to continue the online conversations. There is little chance that the users will ever be able to physically meet anyone on the site. Hence, this type of site is generally known as a “sakura” site in Japan. The email accounts the victims used to sign up to the site may also end up receiving spam from various dating services.

The offending app is clearly in violation of the App Store policy for various reasons and has been removed from the store. How could the app have been approved in the beginning? Because the app simply acts as a frame, different content, perhaps game related, could have been used during the approval process. As this is big business for the scammers, they devise various strategies to spread their scam. Users need to be vigilant wherever they may be downloading their apps from.

The following video shows how this scam works (note that an Android device was used to capture the video):


Vast array of medical devices vulnerable to serious hacks, feds warn

A vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks, federal officials have warned.

The devices, which also include ventilators, patient monitors, and surgical and anesthesia devices, contain hard-coded password vulnerabilities, according to an advisory issued Thursday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a liaison group between the US Department of Homeland Security and private industry. Attackers who know the default passwords of the devices can exploit these backdoors and change critical settings or replace the authorized firmware altogether.

The advisory came the same day that the Food and Drug Administration released its own notice on the same topic. Both warnings said there was no indication attacks were being carried out in the wild, and neither warning disclosed the affected device models or the manufacturers. But Terry McCorkle, one of the researchers who uncovered the vulnerabilities, said few if any are immune.
