Security News Letter - may 2017

CONTENT 

04 18 

19 24 

25 ‐ 41 

42 

42 

43 ‐ 45 

46 ‐ 50 

VULNERABILITY AND ATTACK SUMMARY 

CVE ID RELEASE SUMMARY 

SIGNATURE SUMMARY 

IPS SIGNATURE RELEASE SUMMARY 

ANTIVIRUS DATABASE VERSION 

MALWARE OUTBREAK 

SECURITY NEWS

AUTHOR PROFILE 

Gayathri Vigneswaran is the Cyber Security Center Manager with Savanture Softech. She has more than 9 years of 

experience in Application and Information Security. She holds a Bachelor Degree in B.Sc Computer Science & Diploma 

in Information Technologyy. She holds a MCP certification and is trained in CISSP & CEH. 

Chandru is the Security Analyst with Savanture Softech. He has knowledge in network administration. He holds a 

Bachelor Degree in Electronics & Communication Engineering from Anna University. He works as a Security Engineer 

instructing and configuring the firewalls, IDS, IPS of various organizations.

VULNERABILITY AND ATTACK SUMMARY 

Apple Revokes Certificate Used By OSX/Dok Malware 

May 01 , 201 7 

Apple revoked a legitimate developer certificate used by hackers behind malware dubbed OSX/Dok, which was 

able to eavesdrop on secure HTTPS traffic of infected systems. On Sunday, Apple also rolled out an update to its 

XProtect built‐in antimalware software to fend off existing and upcoming OSX/Dok‐type attacks. 

See more at:https://threatpost.com/apple‐revokes‐certificate‐used‐by‐osxdok‐malware/125322/ 

Flickr Vulnerability Worth $7K Bounty to Researcher 

May 01 , 201 7 

Yahoo has patched an account takeover vulnerability on its Flickr image‐hosting service that earned an 

independent security researcher a $7,000 bounty. The issue was patched April 10, eight days after Michael 

Reizelman privately disclosed it through Yahoo’s HackerOne bounty program. 

See more at: https://threatpost.com/flickr‐vulnerability‐worth‐7k‐bounty‐to‐researcher/125312/ 

Google Patches Six Critical Mediaserver Bugs in Android 

May 02, 201 7 

Google pushed out its monthly Android patches Monday, addressing 17 critical vulnerabilities, six of which are 

tied to its problematic Mediaserver component. An additional four critical vulnerabilities related to Qualcomm 

components in Android handsets including Google’s own Nexus 6P, Pixel XL and Nexus 9 devices were also 

patched. 

See more at : https://threatpost.com/google‐patches‐six‐critical‐mediaserver‐bugs‐in‐android/125347/

Fuze Patches Bug That Exposed Recordings of Private Business Meetings 

May 02, 201 7 

MFuze, an enterprise‐grade voice and video collaboration platform, has patched a vulnerability that exposed 

recordings of private meetings. 

A fix was made server‐side by Fuze, and a patch was pushed to its endpoint client apps within 11 days of being 

privately notified by researchers at Rapid7. 

See more at : https://threatpost.com/fuze‐patches‐bug‐that‐exposed‐recordings‐of‐private‐businessmeetings/125334/ 

IBM: Destroy USBs Infected with Malware Dropper 

May 02, 201 7 

USB drives shipped with some IBM’s Storwize storage products are infected with malware, and the tech giant 

advises customers destroy the devices.IBM would not comment on the source of the infection or where in the 

supply chain the interdiction happened, and instead referred Threatpost to an advisory 

See more at: https://threatpost.com/ibm‐destroy‐usbs‐infected‐with‐malware‐dropper/125377/ 

Malware Hunter Crawls Internet Looking for RAT C2s 

May 02, 201 7 

A new crawler released today by Shodan designed to find command and control servers has already unearthed 

5,800 controllers for more than 10 remote access Trojan ﴾RAT﴿ families.The crawler, called Malware Hunter, poses 

as an infected computer beaconing out to an attacker’s server waiting for additional commands or malware 

downloads. 

See more at: https://threatpost.com/malware‐hunter‐crawls‐internet‐looking‐for‐rat‐c2s/125360/

Proposed NIST Password Guidelines Soften Length, Complexity Focus 

May 03, 201 7 

A comment period has closed on NIST’s new password guidelines for federal agencies that challenge the 

effectiveness of traditional behaviors around authentication such as an insistence on complex passwords and 

scheduled resets. 

See more at: https://threatpost.com/proposed‐nist‐password‐guidelines‐soften‐length‐complexity‐focus/125393/ 

Researcher: ‘Baseless Assumptions’ Exist About Intel AMT Vulnerability 

May 03, 201 7 

Researchers at Embedi who found the critical Active Management Technology ﴾AMT﴿ flaw in Intel chips said in a 

blog published today there were “a tremendous amount of baseless assumptions” being made about the 

vulnerability. According Embedi CTO Dmitry Evdokimov, an information vacuum has predictably sparked false 

assumptions about the vulnerability, otherwise known as Intel Standard Manageability Escalation of Privilege – 

INTEL‐SA‐00075 ﴾CVE‐2017‐5689﴿. 

See more at: https://threatpost.com/researcher‐baseless‐assumptions‐exist‐about‐intel‐amt‐vulnerability/125390/ 

Google Shuts Down Docs Phishing Spree 

May 03, 201 7 

Google said it has disabled offending accounts involved in a widespread spree of phishing emails today 

impersonating Google Docs. 

The emails, at the outset, targeted journalists primarily and attempted to trick victims into granting the malicious 

application permission to access the user’s Google account. 

See more at: https://threatpost.com/google‐shuts‐down‐docs‐phishing‐spree/125414/ 

Unpatched WordPress Password Reset Vulnerability Lingers 

May 04, 201 7 

A zero‐day vulnerability exists in WordPress Core that in some instances could allow an attacker to reset a user’s 

password and gain access to their account. Researcher Dawid Golunski of Legal Hackers disclosed the vulnerability 

on Wednesday via his new ExploitBox service. All versions of WordPress, including the latest, 4.7.4, are vulnerable, 

the researcher said. 

See more at: https://threatpost.com/unpatched‐wordpress‐password‐reset‐vulnerability‐lingers/125421/

Blackmoon Banking Trojan Using New Infection Technique 

May 04, 201 7 

New clues have surfaced on how the Blackmoon banking Trojan is infecting its victims using a new framework to 

deliver the malware. 

“We noticed recent campaigns ﴾two weeks ago﴿ where Blackmoon had shifted its infection strategy and is now 

utilizing a unique and interesting technique,” said Hardik Modi, vice president of threat research at Fidelis 

Cybersecurity in an interview with Threatpost. 

See more at:https://threatpost.com/blackmoon‐banking‐trojan‐using‐new‐infection‐technique/125425/ 

1 Million Gmail Users Impacted by Google Docs Phishing Attack 

May 04, 201 7 

Google said that up to 1 million Gmail users were victimized by yesterday’s Google Docs phishing scam that 

spread quickly for a short period of time. In a statement, Google said that fewer than 0.1 percent of Gmail users 

were affected; as of last February, Google said it had one billion active Gmail users. Google took measures to 

protect its users by disabling offending accounts, and removing phony pages and malicious applications involved 

in the attacks. Other security measures were pushed out in updates to Gmail, Safe Browsing and other in‐house 

systems. 

See more at: https://threatpost.com/1‐million‐gmail‐users‐impacted‐by‐google‐docs‐phishing‐attack/125436/ 

Carbanak Attackers Devise Clever New Persistence Trick 

May 05, 201 7 

Hackers behind the Carbanak criminal gang have devised a clever way to gain persistence on targeted systems to 

more effectively pull off financially motivated crimes. The technique involves creating a bogus instance of a 

Microsoft Windows app compatibility feature. 

See more at: https://threatpost.com/carbanak‐attackers‐devise‐clever‐new‐persistence‐trick/125457/ 

Supply Chain Update Software Unknowingly Used in Attacks 

May 05, 201 7 

Microsoft said a recent attack it calls Operation WilySupply utilized the update mechanism of an unnamed 

software editing tool to infect targets in the finance and payment industries with in‐memory malware. The 

unnamed editing tool was used to send unsigned malicious updates to users in targeted attacks, according to a 

report published Thursday 

See more at: https://threatpost.com/supply‐chain‐update‐software‐unknowingly‐used‐in‐attacks/125483/

Researchers Disclose Intel AMT Flaw Research 

May 05, 201 7 

On Friday, just as Intel released additional information regarding a critical flaw found earlier this week in a subset 

of its business‐class PCs, the researchers behind the initial vulnerability discovery, Embedi, also published their 

research on the flaw. 

See more at:https://threatpost.com/researchers‐disclose‐intel‐amt‐flaw‐research/125503/ 

Wormable Windows Zero Day Reported tosoft 

May 08, 201 7 

Google Project Zero researcher Tavis Ormandy has a long legacy of finding unknown, critical software 

vulnerabilities to his credit. So when he calls a new bug the worst in recent memory, it’s likely not hyperbole. On 

Saturday, Ormandy tweeted that he and colleague Natalie Silvanovich has found a Windows remote code 

execution vulnerability that he labeled “crazy bad.” 

See more at: https://threatpost.com/wormable‐windows‐zero‐day‐reported‐to‐microsoft/125513/ 

HandBrake for Mac Compromised with Proton Spyware 

May 08, 201 7 

The handlers of the open source HandBrake video transcoder are warning anyone who recently downloaded the 

Mac version of the software that they’re likely infected with malware 

See more at: https://threatpost.com/handbrake‐for‐mac‐compromised‐with‐proton‐spyware/125518/ 

Hikvision Patches Backdoor in IP Cameras 

May 08, 201 7 

Hikvision, a Chinese manufacturer of video surveillance equipment, recently patched a backdoor in a slew of its 

cameras that could have made it possible for a remote attacker to gain full admin access to affected devices. The 

backdoor stems from two bugs: an improper authentication bug and a password in configuration file vulnerability. 

Both bugs could have allowed an attacker to escalate privileges and access sensitive information. 

See more at: https://threatpost.com/hikvision‐patches‐backdoor‐in‐ip‐cameras/125522/

Emergency Update Patches Zero Day in Microsoft Malware Protection Engine 

May 09, 201 7 

Microsoft made quick work of what two prominent Google researchers called the worst Windows vulnerability in 

recent memory, releasing an emergency patch Monday night, 48 hours after Google’s private disclosure was made. 

The mystery Windows zero day ﴾CVE‐2017‐0290﴿ was in the Microsoft Malware Protection Engine running in most 

of Microsoft’s antimalware offerings bundled with Windows. 

See more at: https://threatpost.com/emergency‐update‐patches‐zero‐day‐in‐microsoft‐malware‐protectionengine/125529/ 

Adobe Patches Seven Critical Vulnerabilities in Flash, AEM 

May 09, 201 7 

Adobe fixed eight vulnerabilities, seven critical, in Flash Player and its Adobe Experience Manager ﴾AEM﴿ Forms 

product as part of a regularly scheduled update Tuesday morning. 

See more at: https://threatpost.com/adobe‐patches‐seven‐critical‐vulnerabilities‐in‐flash‐aem/125539/ 

Microsoft Plugs Three Zero Day Holes as Part of May Patch Tuesday 

May 09, 201 7 

Microsoft patched three zero day vulnerabilities actively under attack today as part of its May Patch Tuesday 

release. Researchers with FireEye who uncovered the three vulnerabilities said the bugs were actively being 

exploited by threat actors Turla and APT28. 

See more at: https://threatpost.com/microsoft‐plugs‐three‐zero‐day‐holes‐as‐part‐of‐may‐patchtuesday/125544/ 

Cisco Patches IOS XE Vulnerability Leaked in Vault 7 Dump 

May 1 0, 201 7 

Cisco released an update this week that addresses a vulnerability in software running in more than 300 of its 

switches. The flaw was disclosed among the WikiLeaks Vault 7 dump of alleged CIA offensive hacking tools, and 

proof‐of‐concept exploit code exists that targets the vulnerability. 

See more at: https://threatpost.com/cisco‐patches‐ios‐xe‐vulnerability‐leaked‐in‐vault‐7‐dump/125568/

Microsoft Makes it Official, Cuts off SHA1 Support in IE, Edge 

May 1 0, 201 7 

Lost in yesterday’s shuffle of emergency updates and regularly scheduled monthly patches was Microsoft’s 

announcement that it was officially cutting off SHA‐1 support in Internet Explorer 11 and Edge. Going forward, 

both browsers will block webpages signed with a SHA‐1 TLS or SSL certificate from loading and users will be 

shown a warning about an invalid certificate. 

See more at: https://threatpost.com/microsoft‐makes‐it‐official‐cuts‐off‐sha‐1‐support‐in‐ie‐edge/125579/ 

Session Hijacking, CookieStealing WordPress Malware Spotted 

May 1 0, 201 7 

Researchers have identified a strain of cookie stealing malware injected into a legitimate JavaScript file, that 

masquerades as a WordPress core domain. Cesar Anjos, a security analyst at Sucuri, a firm that specializes in 

WordPress security, came across the malware during an incident response investigation and described it in a blog 

post Tuesday. 

See more at: https://threatpost.com/session‐hijacking‐cookie‐stealing‐wordpress‐malware‐spotted/125586/ 

ASUS Patches RT Router Vulnerabilities 

May 11 , 201 7 

A recent ASUS firmware update addressed a number of vulnerabilities in 30 models of its popular RT routers. The 

flaws were privately disclosed by researchers at Baltimore consultancy Nightwatch Cybersecurity, and were patched 

starting in March, with 10 updates added Wednesday. 

See more at: https://threatpost.com/asus‐patches‐rt‐router‐vulnerabilities/125592/

Keylogger Found in Audio Drivers on Some HP Machines 

May 11 , 201 7 

An audio driver that comes installed on some HP‐manufactured computers records users’ keystrokes and stores 

them in a world‐readable plaintext file, researchers said Thursday.The culprit appears to be version 1.0.0.31 of 

MicTray64.exe, a program that comes installed with the Conexant audio driver package on select HP machines. 

See more at: https://threatpost.com/keylogger‐found‐in‐audio‐drivers‐on‐some‐hp‐machines/125600/ 

Leaked NSA Exploit Spreading Ransomware Worldwide 

May 1 2, 201 7 

A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent 

ShadowBrokers dump.Researchers at Kaspersky Lab said the attackers behind today’s outbreak of WannaCry 

ransomware are using EternalBlue, the codename for an exploit made public by the mysterious group that is in 

possession of offensive hacking tools allegedly developed by the NSA. 

See more at: https://threatpost.com/leaked‐nsa‐exploit‐spreading‐ransomware‐worldwide/125654/ 

New Jaff Ransomware Part Of Active Necurs Spam Blitz 

May 1 2, 201 7 

A new malware family called Jaff has been identified by researchers who say they are currently tracking multiple 

massive spam campaigns distributing the malware via the Necurs botnet. “It came out of nowhere with a huge 

bang,” Cisco Talos researchers said Friday 

See more at: https://threatpost.com/new‐jaff‐ransomware‐part‐of‐active‐necurs‐spam‐blitz/125648/

Microsoft Releases XP Patch for WannaCry Ransomware 

May 1 3, 201 7 

Microsoft has taken the extraordinary step of providing an emergency update for unsupported Windows XP and 

Windows 8 machines in the wake of Friday’s WannaCry ransomware outbreak.Unknown attackers were using the 

EternalBlue exploit leaked by the ShadowBrokers in April to spread WannaCry, a variant of the WCry malware, 

which surfaced in February. 

See more at: https://threatpost.com/microsoft‐releases‐xp‐patch‐for‐wannacry‐ransomware/125671/ 

WannaCry Variants Pick Up Where Original Left Off 

May 1 5 , 201 7 

The inevitable wave of WannaCry ransomware variants began in earnest over the weekend after bit of sleuthing 

from a U.K. researcher slowed down the initial global outbreak.At least five new takes on the first attack, all still 

leveraging the NSA’s EternalBlue exploit and DoublePulsar rootkit, are spreading WannaCry. 

See more at: https://threatpost.com/wannacry‐variants‐pick‐up‐where‐original‐left‐off/125681/ 

Matthew Hickey on WannaCry Ransomware Outbreak 

May 1 5, 201 7 

Matthew Hickey, founder of HackerHouse and @hackerfantastic on Twitter, talks to Mike Mimoso about Friday’s 

WannaCry ransomware outbreak, what the upcoming week bodes for businesses and the dangers of governments 

weaponizing attacks without sharing vulnerability information. 

See more at: https://threatpost.com/matthew‐hickey‐on‐wannacry‐ransomware‐outbreak/125674/ 

OpenVPN Audits Yield Mixed Bag 

May 1 5, 201 7 

Two security audits of OpenVPN were recently carried out to look for bugs, backdoors, and other defects in the 

open source software; one found the software was cryptographically sound, while another found two legitimate 

vulnerabilities. 

See more at: https://threatpost.com/openvpn‐audits‐yield‐mixed‐bag/125694/

WikiLeaks Reveals Two CIA Malware Frameworks 

May 1 6, 201 7 

WikiLeaks released details on what it claims are two frameworks for malware samples dubbed AfterMindnight and 

Assassin, both allegedly developed by the U.S. Central Intelligence Agency. The revelations come amid worldwide 

efforts to squelch variants of the WannaCry ransomware, an offensive hacking tool allegedly developed by the 

National Security Agency. 

See more at: https://threatpost.com/wikileaks‐reveals‐two‐cia‐malware‐frameworks/125701/ 

ShadowBrokers Planning Monthly Exploit, Data Dump Service 

May 1 6, 201 7 

Popcorn in hand, the ShadowBrokers say they’re taking in the WannaCry outbreak from the sidelines before 

starting in June a subscription service for new exploits and stolen data akin to a wine of the month club. 

See more at: https://threatpost.com/shadowbrokers‐planning‐monthly‐exploit‐data‐dump‐service/125710/ 

Shrome Browser Hack Opens Door to Credential Theft 

May 1 6, 201 7 

A vulnerability in Google’s Chrome browser allows hackers to automatically download a malicious file onto a 

victim’s PC that could be used to steal credentials and launch SMB relay attacks. 

See more at: https://threatpost.com/chrome‐browser‐hack‐opens‐door‐to‐credential‐theft/125686/ 

Next Payload Could be Much Worse Than WannaCry 

May 1 7, 201 7 

No one should be letting their guard down now that the WannaCry ransomware attacks have been relatively 

contained. Experts intimately involved with analyzing the malware and worldwide attacks urge quite the opposite, 

warning today that there’s nothing stopping attackers from using the available NSA exploits to drop more 

destructive malware. 

See more at: https://threatpost.com/next‐nsa‐exploit‐payload‐could‐be‐much‐worse‐than‐wannacry/125743/

APT3 Linked to Chinese Ministry of State Security 

May 1 7, 201 7 

Researchers claim that APT3, widely believed to be a China‐based threat actor, is directly connected to the 

Chinese Ministry of State Security ﴾MSS﴿. The allegations come from Recorded Future which released a report 

Wednesday that claims it has found conclusive ties that link APT3 with MSS, China’s equivalent of the National 

Security Agency. 

See more at: https://threatpost.com/apt3‐linked‐to‐chinese‐ministry‐of‐state‐security/125750/ 

Patches Pending for Medical Devices Hit By WannaCry 

May 1 8, 201 7 

It was initially thought just Windows machines were vulnerable but it probably shouldn’t come as a surprise that 

medical devices and industrial control systems were subjected to the perils of this weekend’s WannaCry 

ransomware outburst as well. 

See more at: https://threatpost.com/patches‐pending‐for‐medical‐devices‐hit‐by‐wannacry/125758/ 

WordPress Fixes CSRF, XSS Bugs, Announces Bug Bounty Program 

May 1 8, 201 7 

WordPress is urging webmasters to update to the latest version of its content management system to mitigate 

several issues, including a pair of cross‐site scripting ﴾XSS﴿ bugs and a cross‐site request forgery ﴾CSRF﴿ bug that’s 

existed for 10 months. 

See more at: https://threatpost.com/wordpress‐fixes‐csrf‐xss‐bugs‐announces‐bug‐bounty‐program/125777/ 

PATCH Act Calls for VEP Review Board 

May 1 8, 201 7 

The U.S. government took the first steps toward codifying the Vulnerabilities Equities Process into law yesterday 

through the introduction of the Protecting Our Ability to Counter Hacking ﴾PATCH﴿ Act of 2017. 

See more at: https://threatpost.com/patch‐act‐calls‐for‐vep‐review‐board/125783/

Threatpost News Wrap, May 1 9, 201 7 

May 1 9, 201 7 

Mike Mimoso and Chris Brook discuss WannaCry, Microsoft’s response, the killswitches, a potential link with 

Lazarus Group, and what the future holds for the ShadowBrokers. 

See more at: https://threatpost.com/threatpost‐news‐wrap‐may‐19‐2017/125796/ 

VMware Patches Multiple Security Issues in Workstation 

May 1 9, 201 7 

VMware fixed two bugs in its VMware Workstation late Thursday night, including an insecure library loading 

vulnerability and a NULL pointer dereference vulnerability.The virtualization software company warned of the 

issues Thursday night in a security advisory VMSA‐2017‐0009. 

See more at: https://threatpost.com/vmware‐patches‐multiple‐security‐issues‐in‐workstation/125805/ 

Available Tools Making Dent in WannaCry Encryption 

May 1 9, 201 7 

Tools are beginning to emerge that can be used to start the process of recovering files encrypted by WannaCry on 

some Windows systems. This takes on extra urgency because today marks one week from the initial outbreak, and 

files encrypted during that first wave are on the clock and close to being lost forever. 

See more at: https://threatpost.com/available‐tools‐making‐dent‐in‐wannacry‐encryption/125806/ 

EternalRocks Worm Spreads Seven NSA SMB Exploits 

May 22, 201 7 

Someone has stitched together seven of the Windows SMB exploits leaked by the ShadowBrokers, creating a 

worm that has been spreading through networks since at least the first week of May. 

See more at: https://threatpost.com/eternalrocks‐worm‐spreads‐seven‐nsa‐smb‐exploits/125825/

Verizon Patches XSS Issues in its Messaging Client 

May 22, 201 7 

Someone has stitched together seven of the Windows SMB exploits leaked by the ShadowBrokers, creating a 

worm that has been spreading through networks since at least the first week of May.Verizon late last year patched 

a vulnerability in its Message+ messaging client that could have allowed an attacker to take over a session and 

possibly extend their reach into a user’s account management settings 

See more at: https://threatpost.com/verizon‐patches‐xss‐issues‐in‐its‐messaging‐client/125829/ 

Apple Receives First National Security Letter, Reports Spike in Requests for Data 

May 23, 201 7 

SApple revealed this week that it received a National Security Letter during the last six months of 2016. The news, 

which came as part of the company’s latest biannual transparency report, marks the first NSL Apple has reported 

receiving. The iPhone manufacturer released the report via a portal on its website late Monday. 

See more at: https://threatpost.com/apple‐receives‐first‐national‐security‐letter‐reports‐spike‐in‐requests‐fordata/125856/ 

Yahoo Retires ImageMagick After Bugs Leak Server Memory 

May 23, 201 7 

Yahoo has exorcised itself of the troublesome ImageMagick image processing software after it learned of 

vulnerabilities in an outdated version of the open source tool it was running could be exploited to steal secrets 

from Yahoo servers. 

See more at: https://threatpost.com/yahoo‐retires‐imagemagick‐after‐bugs‐leak‐server‐memory/125862/

Malware Network Communication Provides Better Early Warning Signal 

May 24, 201 7 

Research is expected to be unveiled today that challenges the industry’s current reliance on dynamic malware 

analysis as the best means of early detection of infections. 

See more at: https://threatpost.com/malware‐network‐communication‐provides‐better‐early‐warningsignal/125874/ 

Password Breaches Fueling Booming Credential Stuffing Business 

May 24, 201 7 

The market for credential stuffing software and services is thriving thanks in large part to an epidemic of breaches 

of usernames and passwords.Digital Shadows said today in a new report that credential leaks, such as this past 

month’s Anti Public Combo List and others, have buoyed the market for credential stuffing and made it a lucrative 

part of the black market economy. 

See more at: https://threatpost.com/password‐breaches‐fueling‐booming‐credential‐stuffing‐business/125900/ 

Samba Patches Wormable Bug Exploitable With One Line Of Code 

May 25, 201 7 

A patch for a critical vulnerability impacting the free networking software Samba was issued Wednesday. The flaw 

poses a severe threat to users, with approximately 104,000 Samba installations vulnerable to remote takeover. 

More troubling, experts say, the vulnerability can be exploited with just one line of code. 

See more at: https://threatpost.com/samba‐patches‐wormable‐bug‐exploitable‐with‐one‐line‐of‐code/125915/ 

Keybase Extension Brings EndtoEnd Encrypted Chat To Twitter, Reddit, GitHub 

May 25, 201 7 

A recently released Chrome extension, developed by the public key crypto database Keybase, brought end‐to‐end 

encrypted messaging to several apps this week. 

See more at: https://threatpost.com/keybase‐extension‐brings‐end‐to‐end‐encrypted‐chat‐to‐twitter‐redditgithub/125921/

Rash Of Phishing Attacks Use HTTPS To Con Victims 

May 26, 201 7 

Scammers are increasingly abusing consumer awareness of sites that encrypt data sent over the internet using 

HTTPS, particularly through a spike in phishing attacks that hope to win the confidence of victims by using the 

protocol on spoofed sites. 

See more at: https://threatpost.com/rash‐of‐phishing‐attacks‐use‐https‐to‐con‐victims/125937/ 

Pacemaker Ecosystem Fails its Cybersecurity Checkup 

May 26, 201 7 

Pacemakers continue to be the front line of medical device security debates after a research paper published this 

week described a frightening list of cybersecurity issues plaguing devices built by leading manufacturers, including 

a lack of authentication and encryption, and the use of third‐party software libraries ravaged by thousands of 

vulnerabilities. 

See more at: https://threatpost.com/pacemaker‐ecosystem‐fails‐its‐cybersecurity‐checkup/125942/ 

Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw 

May 28, 201 7 

Microsoft quietly patched a critical vulnerability Wednesday in its Malware Protection Engine. The vulnerability 

was found May 12 by Google’s Project Zero team, which said an attacker could have crafted an executable that 

when processed by the Malware Protection Engine’s emulator could enable remote code execution. 

See more at: https://threatpost.com/microsoft‐quietly‐patches‐another‐critical‐malware‐protection‐engineflaw/125951/

CVE ID RELEASE SUMMARY 

1 CVE‐2017‐8377 GeniXCMS 1.0.2 has SQL Injection in 

Remote Low 2017‐05‐10 

inc/lib/Control/Backend/menus.control.php via the menuid 

Sql 

parameter. 

2 CVE‐2017‐8393 The Binary File Descriptor ﴾BFD﴿ library ﴾aka libbfd﴿, as 

distributed in GNU Binutils 2.28, is vulnerable to a global buffer 


over‐read error because of an assumption made by code that 

Overflow 

runs for objcopy and strip, that SHT! REL/SHR! RELA sections are 

always named starting with a .rel/.rela prefix. This vulnerability 

causes programs that conduct an analysis of binary programs 

using the libbfd library, such as objcopy and strip, to crash. 

3 CVE‐2017‐8086 Memory leak in the v9fs! list! xattr function in hw/9pfs/9p‐xattr.c 

in QEMU ﴾aka Quick Emulator﴿ allows local guest OS privileged 

users to cause a denial of service ﴾memory consumption﴿ via 

vectors involving the orig! value variable. 

DoS 


4 

CVE‐2017‐8453 

Foxit Reader before 8.2.1 and PhantomPDF before 8.2.1 have an 

out‐of‐bounds read that allows remote attackers to obtain 

Exec Code +Info 

Remote Medium 2017‐05‐12 

sensitive information or possibly execute arbitrary code via a 

crafted font in a PDF document. 

5 CVE‐2017‐8762 

VGeniXCMS 1.0.2 has XSS triggered by an authenticated user 

who submits a page, as demonstrated by a crafted oncut 

XSS 

Remote 

Medium 

2017‐05‐12 

attribute in a B element. 

6 CVE‐2017‐7487 The ipxitf! ioctl function in net/ipx/af! ipx.c in the Linux kernel 

through 4.11.1 mishandles reference counts, which allows local 

DoS 

Remote 

Low 


users to cause a denial of service ﴾use‐after‐free﴿ or possibly 

have unspecified other impact via a failed SIOCGIFADDR ioctl 

call for an IPX interface.

7 CVE‐2017‐7887 Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the 


sall parameter. 

XSS 


Symphony 2 2.6.11 has XSS in the meta!navigation! group! 

parameter to content/content.blueprintssections.php. 

Remote 

Medium 


XSS 

9 


The htmlParseTryOrFinish function in HTMLparser.c in libxml2 

2.9.4 allows attackers to cause a denial of service ﴾buffer over‐ 

DoS 


read﴿ or information disclosure.. 

10 


Invision Power Services ﴾IPS﴿ Community Suite 4.1.19.2 and 

earlier has a composite of Stored XSS and Information 

XSS 


Disclosure issues in the attachments feature found in User CP. 

This can be triggered by any Invision Power Board user and can 

be used to gain access to moderator/admin accounts. The 

primary cause is the ability to upload an SVG document with a 

crafted attribute such an onload; however, full path disclosure is 

required for exploitation. 


ASUS RT‐AC! and RT‐N! devices with firmware before 

3.0.0.4.380.7378 allow remote authenticated users to discover 

the Wi‐Fi password via WPS! info.xml. 

+Info 

Remote 

Low 


12 CVE‐2017‐8789 An issue was discovered on Accellion FTA devices before 

FTA! 9! 12! 180. A report! error.php! year! 'payload SQL injection 

Sql 

Remote 

Low 


vector exists.

13 CVE‐2017‐5909 The Electronic Funds Source ﴾EFS﴿ Mobile Driver Source app 2.5 for iOS 


does not verify X.509 certificates from SSL servers, which allows manin‐the‐middle 

attackers to spoof servers and obtain sensitive 

+Info 

information via a crafted certificate. 

14 CVE‐2017‐ 

6557 

SQL injection vulnerability in ArrayOS before AG 9.4.0.135, when the 

portal bookmark function is enabled, allows remote authenticated 

SQL Inject 

Remote 

Low 


users to execute arbitrary SQL commands via unspecified vectors 

15 


An Uncontrolled Search Path Element issue was discovered in BLF‐Tech 

Remote High 2017‐05‐18 

LLC VisualView HMI Version 9.9.14.0 and prior. The uncontrolled search 

Exec Code 

path element vulnerability has been identified, which may allow an 

attacker to run a malicious DLL file within the search path resulting in 

execution of arbitrary code. 

16 CVE‐2017‐7927 A Use of Password Hash Instead of Password for Authentication issue 


was discovered in Dahua DH‐IPC‐HDBW23A0RN‐ZS, DH‐IPC‐ 

Bypass 

HDBW13A0SN, DH‐IPC‐HDW1XXX, DH‐IPC‐HDW2XXX, DH‐IPC‐ 

HDW4XXX, DH‐IPC‐HFW1XXX, DH‐IPC‐HFW2XXX, DH‐IPC‐HFW4XXX, 

DH‐SD6CXX, DH‐NVR1XXX, DH‐HCVR4XXX, DH‐HCVR5XXX, DHI‐ 

HCVR51A04HE‐S3, DHI‐HCVR51A08HE‐S3, and DHI‐HCVR58A32S‐S2 

devices. The use of password hash instead of password for 

authentication vulnerability was identified, which could allow a 

malicious user to bypass authentication without obtaining the actual 

password. 


An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. 

OxygenOS and HydrogenOS are vulnerable to downgrade attacks. This 

is due to a lenient 'updater‐script' in OTAs that does not check that the 

MITM 

Remote 

Medium 


current version is lower than or equal to the given image's. 

Downgrades can occur even on locked bootloaders and without 

triggering a factory reset, allowing for exploitation of now‐patched 

vulnerabilities with access to user data. This vulnerability can be 

exploited by a Man‐in‐the‐Middle ﴾MiTM﴿ attacker targeting the 

update process 


This vulnerability can be exploited by Man‐in‐the‐Middle ﴾MiTM﴿ 

attackers targeting the update process. This is possible because the 

update transaction does not occur over TLS ﴾CVE‐2016‐10370﴿. In 

DoS 

Remote 

Medium 


addition, physical attackers can reboot the phone into recovery, and 

then use 'adb sideload' to push the OTA.

19 


A vulnerability was discovered in Siemens SIMATIC WinCC ﴾V7.3 


before Upd 11 and V7.4 before SP1﴿, SIMATIC WinCC Runtime 

Professional ﴾V13 before SP2 and V14 before SP1﴿, SIMATIC 

DOS 

WinCC ﴾TIA Portal﴿ Professional ﴾V13 before SP2 and V14 before 

SP1﴿ that could allow an authenticated, remote attacker who is 

member of the "administrators" group to crash services by 

sending specially crafted messages to the DCOM interface. 

20 CVE‐2017‐5461 Mozilla Network Security Services ﴾NSS﴿ before 3.21.4, 3.22.x 

through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x 

before 3.30.1 allows remote attackers to cause a denial of service 

﴾out‐of‐bounds write﴿ or possibly have unspecified other impact 

by leveraging incorrect base64 operations. 

DoS 


21 CVE‐2017‐2681 Siemens SIMATIC S7‐300 incl. F and T ﴾All versions before 

Local 

Low 2017‐05‐22 

V3.X.14﴿, SIMATIC S7‐400 incl. F and H ﴾All versions﴿, SIMATIC 

DOS 

Network 

HMI Comfort Panels, HMI Multi Panels, HMI Mobile Panels ﴾All 

versions﴿ could be affected by a Denial‐of‐Service condition 

induced by a specially crafted PROFINET DCP ﴾Layer 2 ‐ Ethernet﴿ 

packet sent to an affected product. 

22 CVE‐2017‐7213 Zoho ManageEngine Desktop Central before build 100082 allows 


remote attackers to obtain control over all connected active 

Priviledge 

desktops via unspecified vectors. 

Escalation 


Embedding Script ﴾XSS﴿ in HTTP Headers vulnerability in the 

server in McAfee Network Data Loss Prevention ﴾NDLP﴿ 9.3.x 

XSS Remote Medium 


allows remote attackers to get session/cookie information via 

modification of the HTTP request. 

24 CVE‐2017‐4016 Web Server method disclosure in the server in McAfee Network 

Data Loss Prevention ﴾NDLP﴿ 9.3.x allows remote attackers to 

+Info 

Remote 

Low 


exploit and find another hole via HTTP response header.

25 CVE‐2017‐9147 LibTIFF 4.0.7 has an invalid read in the ! TIFFVGetField 


function in tif! dir.c, which might allow remote attackers to 

cause a denial of service ﴾crash﴿ via a crafted TIFF file. 

DoS 

26 CVE‐2017‐9090 reg.php in Allen Disk 1.6 doesn't check if 

isset﴾$! SESSION!'captcha'!!'code'!﴿! ! 1, which makes it 


possible to bypass the CAPTCHA via an empty 

Bypass 

$! POST!'captcha'!. 

27 CVE‐2017‐8942 The YottaMark ShopWell ‐ Healthy Diet & Grocery Food 

Scanner app 5.3.7 through 5.4.2 for iOS does not verify 


X.509 certificates from SSL servers, which allows man‐in‐ 

+Info 

the‐middle attackers to spoof servers and obtain sensitive 

information via a crafted certificate. 

28 


Multiple cross‐site request forgery ﴾CSRF﴿ vulnerabilities in 

Simple Invoices 2013.1.beta.8 allow remote attackers to 

CSRF 


hijack the authentication of admins for requests that can ﴾1﴿ 

create new administrator user accounts and take over the 

entire application, ﴾2﴿ create regular user accounts, or ﴾3﴿ 

change configuration parameters such as tax rates and the 

enable/disable status of PayPal payment modules. 


Remote 


LightDM through 1.22.0, when systemd is used in Ubuntu 

Bypass 

Low 

16.10 and 17.x, allows physically proximate attackers to 

bypass intended AppArmor restrictions and visit the home 

directories of arbitrary users by establishing a guest session. 

30 CVE‐2017‐9030 The Codextrous B2J Contact ﴾aka b2j! contact﴿ extension 

before 2.1.13 for Joomla! allows a directory traversal attack 

Dir. Trav. Bypass 

Remote 

Low 


that bypasses a uniqid protection mechanism, and makes it 

easier to read arbitrary uploaded files.

31 CVE‐2017‐9031 The WebUI component in Deluge before 1.3.15 contains a 


directory traversal vulnerability involving a request in which 

the name of the render file is not associated with any 

Dir. Trav 

template file. 


An issue was discovered in certain Apple products. iOS 

before 10.3.2 is affected. macOS before 10.12.5 is affected. 

Remote 

Low 


tvOS before 10.2.1 is affected. watchOS before 3.2.2 is 

DoS Exec Code 

affected. The issue involves the "SQLite" component. A useafter‐free 

vulnerability allows remote attackers to execute 

arbitrary code or cause a denial of service ﴾application crash﴿ 

via a crafted SQL statement. 

33 


libautotrace.a in AutoTrace 0.31.1 has a heap‐based buffer 

overflow in the ReadImage function in input‐bmp.c:496:29. 


Overflow 

34 CVE‐2017‐9175 libautotrace.a in AutoTrace 0.31.1 allows remote attackers to 


cause a denial of service ﴾invalid write and SEGV﴿, related to 

DoS 

the ReadImage function in input‐bmp.c:353:25.

SIGNATURE SUMMARY 

Cisco 

2017 May 03 High Cisco Firepower Management Console Rule Import Acce 

2017 May 03 High Adobe Flash Player Use After Free Attempt 

2017 May 03 High Adobe Acrobat and Reader Code Execution 

2017 May 03 High Cisco TelePresence ICMP Denial of Service 

2017 May 03 High Adobe Flash Player Arbitrary Code Execution 

2017 May 03 High Cisco Aironet Mobility Express Arbitrary Code Execution 

2017 May 03 High Adobe Flash Player Memory Corruption 

High 

Adobe Flash Player Heap Overflow 

2017 May 09 

High 

Adobe Flash Player Use After Free 


High 

Microsoft Internet Explorer Mixed Content Warnings Bypa 


High 

Microsoft Edge Use After Free 


High 

Microsoft Edge Memory Corruption 


High 

Microsoft Edge Type Confusion 


2017 May 09 High Microsoft Internet Explorer and Edge Scripting Engine Me 

High 


Microsoft Edge Remote Code Execution

Cisco 


High 

Microsoft Windows SMB Remote Code Execution 

2017 May 18 High Trend Micro Smart Protection Command Injection 

2017 May 18 High Apache Struts Remote Code Execution 

2017 May 18 High EyesOfNetwork Command Injection 

2017 May 18 Medium EyesOfNetwork Module Command Injection 

2017 May 18 High 

IIntel AMT Remote Administration Tool Authentication Bypass 

2017 May 18 High 

Trend Micro Threat Discovery Appliance Command Injection 

High 

Trend Micro SafeSync Command Injection 


High 

Adobe Reader Information Disclosure 


High 

Trend Micro Deep Discovery Inspector Command Injection 


High 


Microsoft Windows SMB Remote Code Execution

CHECKPOINT 

1 May 2017 Medium Adobe Acrobat and Reader Information Disclosure ﴾APSB17‐11: CVE‐2017‐3052﴿ 

1 May 2017 Critical Adobe Acrobat and Reader Memory Corruption ﴾APSB17‐11: CVE‐2017‐3044﴿ 

3 May 2017 High Microsoft Windows SMB2 Tree Connect Response Denial of Service ﴾MS17‐012: CVE‐2017‐0016﴿ 


3 May 2017 Critical Adobe Acrobat and Reader Memory Corruption ﴾APSB17‐11: CVE‐2017‐3051﴿ 

4 May 2017 Medium Microsoft Edge Security Feature Bypass ﴾MS17‐007: CVE‐2017‐0066﴿ 

4 May 2017 Critical Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow ﴾CVE‐2017‐7269﴿ 

4 May 2017 Critical KaiXin Exploit Kit 

Critical 

4 May 2017 

Adobe Acrobat and Reader Memory Corruption ﴾APSB17‐11: CVE‐2017‐3037﴿ 

4 May 2017 Medium HPE Intelligent Management Center FileDownloadServlet fileName Directory Traversal ﴾CVE‐2017‐5795﴿ 

High 


ALLPlayer M3U File Stack Buffer Overflow ﴾CVE‐2013‐7409﴿﴿ 

Critical 


Popcorn Time Subtitles Remote Code Execution 

High 


Microsoft Scripting Engine Memory Corruption ﴾MS17‐007: CVE‐2017‐0070﴿

CHECKPOINT 

7 May 2017 Medium OpenSSL Encrypt‐Then‐Mac Renegotiation Denial of Service ﴾CVE‐2017‐3733﴿ 


7 May 2017 Critical Adobe Acrobat and Reader Use After Free ﴾APSB17‐11: CVE‐2017‐3047﴿ 

7 May 2017 High Microsoft Edge asm.js Type Confusion ﴾CVE‐2017‐0093﴿ 

7 May 2017 Medium ManageEngine Applications Manager Apache Commons Collections Insecure Deserialization ﴾CVE‐2016‐9498﴿ 

8 May 2017 High URSoft W32Dasm Disassembler Function Buffer Overflow ﴾CVE‐2005‐0308﴿ 

8 May 2017 Critical Zinf Audio Player PLS File Stack Buffer Overflow ﴾CVE‐2004‐0964﴿ 

Medium 


Digium Asterisk CDR ast! cdr! setuserfield Buffer Overflow ﴾CVE‐2017‐7617﴿ 

High 


ManageEngine Applications Manager MenuHandlerServlet SQL Injection ﴾CVE‐2016‐9488﴿ 

Critical 


Moodle Remote Code Execution ﴾CVE‐2017‐2641﴿ 

9 May 2017 High Check‐Host Website Monitoring Service 

9 May 2017 High Microsoft Windows COM Elevation of Privilege ﴾CVE‐2017‐0214﴿ 

9 May 2017 Critical Adobe Flash Player Memory Corruption ﴾APSB17‐15: CVE‐2017‐3069﴿

CHECKPOINT 

9 May 2017 Critical Microsoft Edge Memory Corruption ﴾CVE‐2017‐0227﴿ 

9 May 2017 Critical Microsoft Browser Scripting Engine Memory Corruption ﴾CVE‐2017‐0228﴿ 

9 May 2017 Critical Adobe Flash Player Memory Corruption ﴾APSB17‐15: CVE‐2017‐3073﴿ 

9 May 2017 Critical Suspicious Microsoft Office File Archive Mail Attachment 


High 

Ghostscript Type Confusion Arbitrary Command Execution ﴾CVE‐2017‐8291﴿ 

9 May 2017 High Check‐Host Website Monitoring Service 

9 May 2017 High Microsoft Windows COM Elevation of Privilege ﴾CVE‐2017‐0214﴿ 

9 May 2017 High Microsoft Office Remote Code Execution ﴾CVE‐2017‐0243﴿ 

9 May 2017 High Microsoft Windows Kernel Information Disclosure ﴾CVE‐2017‐0175﴿ 

9 May 2017 High Microsoft Win32k Elevation of Privilege ﴾CVE‐2017‐0246﴿ 

9 May 2017 High Microsoft Win32k Information Disclosure ﴾CVE‐2017‐0077﴿ 

9 May 2017 High Microsoft Windows DNS Server Denial of Service ﴾CVE‐2017‐0171﴿ 

9 May 2017 High Microsoft Win32k Information Disclosure ﴾CVE‐2017‐0245﴿ 

9 May 2017 High Microsoft Windows Kernel Information Disclosure ﴾CVE‐2017‐0259﴿ 

9 May 2017 High Microsoft Win32k Elevation of Privilege ﴾CVE‐2017‐0263﴿

CHECKPOINT 

10 May 2017 Critical Kodi Open Subtitles Addon Remote Code Execution 

10 May 2017 High SAP GUI regsvr32.exe Rule Security Policy Bypass ﴾CVE‐2017‐6950﴿ 

10 May 2017 Critical HPE Intelligent Management Center FileUploadServlet Directory Traversal ﴾CVE‐2017‐5794﴿ 

10 May 2017 Critical Intel AMT Framework Unauthorized Admin Entry ﴾CVE‐2017‐5689﴿ 


10 May 2017 High Apple Safari WebKit JSString Use After Free Code Execution ﴾CVE‐2017‐2491﴿ 

10 May 2017 Critical HPE Intelligent Management Center CommonUtils ZIP Directory Traversal ﴾CVE‐2017‐5793﴿ 

10 May 2017 Critical Microsoft Office Multiple Remote Code Execution ﴾CVE‐2017‐0261﴿ 

10 May 2017 Critical Adobe Flash Player Memory Corruption ﴾APSB17‐15: CVE‐2017‐3074﴿ 

10 May 2017 Critical Microsoft Office EPS Remote Code Execution ﴾CVE‐2017‐0262﴿ 

14 May 2017 Critical Flash File Malicious Code Execution 

High 


Terror Exploit Kit URL Pattern 

High 


Microsoft Windows SMB Information Disclosure ﴾MS17‐010: CVE‐2017‐0147﴿

CHECKPOINT 

16 May 2017 Critical Microsoft Windows SMB Remote Code Execution ﴾MS17‐010: CVE‐2017‐0143﴿ 

16 May 2017 Critical Microsoft Windows SMB Remote Code Execution ﴾MS17‐010: CVE‐2017‐0148﴿ 

18 May 2017 Critical Microsoft Windows EternalBlue SMB Remote Code Execution 

18 May 2017 Critical Microsoft Windows Eternalromance SMB Remote Code Execution 

18 May 2017 Critical Microsoft Windows DoublePulsar SMB Remote Code Execution 

18 May 2017 Critical Microsoft Windows EsteemAudit RDP Remote Code Execution 

21 May 2017 Critical Microsoft Windows Eternalchampion SMB Remote Code Execution 

21 May 2017 Critical VLC ParseJSS Null Skip Subtitle Remote Code Execution 

Critical 


Joomla com! fields Component SQL Injection ﴾CVE‐2017‐8917﴿ 

24 May 2017 Critical Microsoft Windows SMBTouch Scanner 

Critical 


Microsoft Windows EternalSynergy SMB Remote Code Execution 

Critical 


PDF File Containing Ransomware Downloader 

Critical 


Linux EternalRed Samba Remote Code Execution ﴾CVE‐2017‐7494﴿

JUNIPER 

05/02/2017 

HIGH 

HTTP:STC:CHROME:PDF‐MC‐DOS 

05/04/2017 MEDIUM APP:WIRESHARK‐CAPWAP 

05/04/2017 HIGH SCADA:ATVISE‐WEBMI‐SHUTDOWN 

05/04/2017 HIGH HTTP:STC:MOZILLA:JS‐INJCTN 

05/04/2017 HIGH HTTP:STC:MOZILLA:INDEX‐FMT‐OOB 

05/09/2017 HIGH HTTP:STC:IE:CVE‐2017‐0234‐RCE 

05/09/2017 HIGH HTTP:SQL:EXPONENT‐CMS‐INJ 

05/09/2017 HIGH HTTP:STC:ADOBE:ACROBAT‐OOB 

05/09/2017 HIGH HTTP:STC:DL:CVE‐2017‐0175‐PE 

05/09/2017 MEDIUM HTTP:STC:DL:CVE‐2017‐0245‐ID 

05/09/2017 HIGH HTTP:STC:IE:CVE‐2017‐0266‐CE 

05/09/2017 HIGH HTTP:STC:QUICKTIME‐FLI‐RCE 

05/09/2017 HIGH HTTP:STC:ADOBE:CVE‐2017‐3070‐CE 



05/09/2017 HIGH HTTP:DOS:APACHE‐CXF

JUNIPER 


HIGH 

HTTP:STC:CHROME:CVE‐2014‐7927 

05/09/2017 HIGH HTTP:STC:CHROME:CVE‐2014‐7928 

05/09/2017 HIGH HTTP:STC:DL:CVE‐2017‐0263‐EOP 



05/09/2017 MEDIUM HTTP:MISC:SPLUNK‐CSRF 



05/09/2017 HIGH DB:MYSQL:AUTH‐INT‐OF 

05/09/2017 HIGH HTTP:STC:DL:DOUBLE‐FETCH‐PRIV 

05/09/2017 HIGH HTTP:STC:DL:CVE‐2017‐0243‐RCE 

05/09/2017 HIGH HTTP:STC:DL:CVE‐2017‐0077‐DOS 

05/09/2017 HIGH HTTP:STC:IE:CVE‐2017‐0236‐UAF 


05/09/2017 HIGH HTTP:STC:IE:CVE‐2017‐0064‐SB 

05/09/2017 HIGH HTTP:STC:IE:CVE‐2017‐0238‐RCE

JUNIPER 


HIGH 

HTTP:STC:IE:CVE‐2017‐0228‐RCE 


05/09/2017 HIGH HTTP:STC:IE:CVE‐2017‐0227‐AV 


05/10/2017 HIGH DB:ORACLE:TNS:REMOTE‐LISTNR‐MC 

05/10/2017 HIGH APP:ISC‐BIND‐RNDC‐DOS 


05/10/2017 HIGH SSL:TREND‐MICRO‐COMM‐INJ 






05/11/2017 MEDIUM HTTP:MAL‐REDIRECT‐EXP‐142 


05/12/2017 HIGH HTTP:STC:CHROME:CVE‐2016‐1646

JUNIPER 


HIGH 




05/12/2017 MEDIUM HTTP:STC:CHROME:CVE‐2016‐1677 

05/12/2017 HIGH VOIP:SIP:DIGIUM‐ASTERSK‐BO 


HTTP:XSS:IBM‐WEBSPHERE‐XSS 

MEDIUM 



05/16/2017 MEDIUM HTTP:IBM‐ACLM‐PD 

05/16/2017 HIGH HTTP:MISC:JENKINS‐CI‐CSRF 

05/16/2017 HIGH DNS:ISC‐BIND‐CNAME‐DNAME‐DOS 

05/16/2017 HIGH SMB:EMARALDTHREAD 

05/16/2017 HIGH SMB:CVE‐2008‐4250‐BO 

05/16/2017 HIGH SMB:ERRATICGOPHER 

05/16/2017 HIGH IMAP:EMPHASISMINE 

05/16/2017 HIGH HTTP:STC:CVE‐2017‐0290‐RCE

JUNIPER 


INFO 

SMB:SMBV1‐REQ 

05/16/2017 HIGH SMB:EXPLOIT:ANOMALOUS‐SMB 

05/16/2017 HIGH SMB:EXPLOIT:EDUCATEDSCHOLAR‐RCE 

05/18/2017 HIGH IMAP:OUTLOOK‐RCE 

05/18/2017 HIGH APP:MISC:ESKIMOROLL‐KERBEROS‐PE 

05/18/2017 HIGH MS‐RPC:RPC‐OVF 

05/18/2017 HIGH HTTP:STC:MOZILLA:CVE‐2014‐1513 

05/18/2017 HIGH HTTP:STC:SAFARI:CVE‐2017‐2446 

05/18/2017 HIGH HTTP:MISC:GENERIC‐DIR‐TRAVERSAL 

05/18/2017 CRITICAL APP:REMOTE:ESTEEMAUDIT‐RCE 

05/18/2017 HIGH HTTP:HPE‐INTELLIGENT‐CENTER‐ID 

05/18/2017 MEDIUM DNS:CVE‐2017‐0171‐DOS 

05/18/2017 HIGH HTTP:STC:MANTIS‐PASS‐RESET 


05/18/2017 HIGH IHTTP:STC:ADOBE:CVE‐2017‐3068‐CE 

05/18/2017 HIGH HTTP:STC:CHROME:CVE‐2017‐5030

JUNIPER 


HIGH 




05/18/2017 HIGH IHTTP:INTEL‐AMT‐PE 

05/18/2017 HIGH HTTP:STC:APPLE‐SAFARI‐PARAM‐UAF 

05/18/2017 HIGH HTTP:STC:APPLE‐CVE‐2016‐4622‐CE 

05/18/2017 HIGH HTTP:STC:APPLE‐TYPARRAY‐BUF‐NEU 

05/18/2017 HIGH HTTP:STC:APPLE‐SAFARI‐OOB 

05/18/2017 HIGH HTTP:STC:CVE‐2017‐2464‐MC 

05/20/2017 HIGH HTTP:MISC:JENKINS‐CI‐CSRF 

05/20/2017 MEDIUM FTP:OVERFLOW:WINFTP‐DATA‐OF 

05/23/2017 HIGH APP:MISC:ZABBIX‐PROXY‐CI 

05/23/2017 HIGH HTTP:STC:DL:MS‐CVE‐2017‐0262‐TC 

05/24/2017 HIGH HTTP:IIS:CVE‐2017‐7269‐RCE 

05/25/2017 INFO CHAT:MSN:HTTP:CHAT 

05/28/2017 MEDIUM HTTP:SUSP‐HDR‐REDRCT‐EXP‐143

FORTIGATE 

May 02, 2017 High Vulnerability: Mozilla.Firefox.CreateImageBitmap.Integer.Overflow 

May 02, 2017 Critical Vulnerability:WePresent.WiPG1000.Command.Injection 

May 02, 2017 Critical Vulnerability:Backdoor.DoublePulsar 

May 02, 2017 Medium Vulnerability: Apache.Tomcat.HTTP2.GOAWAY.Frame.DoS 

May 03, 2017 Medium Vulnerability: Backdoor.Redleaves 

May 04, 2017 Critical Vulnerability: Mozilla.Firefox.Table.Selection.Range.Handling.Use.After.Free 

May 05, 2017 High Vulnerability: MS.Edge.Asm.JS.Type.Confusion 

May 09, 2017 Critical Vulnerability: Microsoft.Edge.AudioContext.Memory.Corruption 

May 09, 2017 Critical Vulnerability: MS.Browser.Scripting.Engine.Array.SetUint32.Memory.Corruption 

May 09, 2017 High Vulnerability: MS.Windows.Kernel.TCPIP.SYS.Double.Fetch.Information.Disclosure 

May 09, 2017 High Vulnerability: MS.Windows.COM.Search.Service.Privilege.Escalation 

May 09, 2017 High Vulnerability:HPE.LoadRunner.Performance.Center.XDR.Strings.Buffer.Overflow 

May 09, 2017 High Vulnerability: MISC.BIND.DNS.Amplification.Root.DNAME.Query.Response.DoS 

May 09, 2017 Critical Vulnerability: MS.Browser.Scripting.Engine.Array.JIT.Handle.Memory.Corruption 

May 09, 2017 High Vulnerability: MS.Windows.TCPIP.Sys.Information.Disclosure 

May 10, 2017 Critical Vulnerability: Adobe.Flash.Multiple.Display.Objects.Mask.Memory.Corruption

FORTIGATE 

May 10, 2017 Medium Vulnerability: HPE.Intelligent.Management.ZIP.Directory.Traversal 

May 10, 2017 Critical Vulnerability: Ghostscript.Type.Confusion.Arbitrary.Command.Execution 

May 10, 2017 Critical Vulnerability:Intel.AMT.ISM.Web.Interface.Authorization.Privilege.Escalation 

May 10, 2017 Critical Vulnerability:Adobe.Flash.Gradient.Fill.Memory.Corruption 

May 10, 2017 Critical Vulnerability:Adobe.Flash.DisplayObject.BlendMode.Memory.Corruption 

May 10, 2017 Medium Vulnerability:Magento.Vimeo.Invalid.Image.CSRF 

May 11, 2017 Medium Vulnerability: Exponent.CMS.EaasController.API.Function.SQL.Injection 

May 11, 2017 High Vulnerability: Oracle.Fusion.Middleware.MapViewer.Directory.Traversal 

May 11, 2017 Medium Vulnerability:Mozilla.Firefox.HTTP.Index.Format.File.Information.Disclosure 

May 11, 2017 Critical Vulnerability: MS.Windows.MsMpEng.Type.Confusion.Code.Execution 

May 12, 2017 High Vulnerability: Schneider.Electric.VAMPSET.Memory.Corruption 

May 15, 2017 High Vulnerability :MS.SMB.Server.Trans.Peeking.Data.Information.Disclosure 

May 16, 2017 Critical Vulnerability: Crypttech.CryptoLog.Remote.Code.Injection 

May 17, 2017 Critical Vulnerability:MS.SMB.Server.SMB1.MID.FID.Parsing.Remote.Code.Execution 

May 18, 2017 High Vulnerability: ISC.BIND.CName.Record.Incorrect.Order.DoS 

May 18, 2017 Criticals Vulnerability : MS.SMB.Server.SMB1.Trans2.Secondary.Query.Path.Code.Execution

FORTIGATE 

May 19, 2017 High Vulnerability: Splunk.Enterprise.Alerts.ID.Server.CSRF 

May 24, 2017 Critical Vulnerability:Quest.Privilege.Manager.pmmasterd.Buffer.Overflow 

May 24, 2017 Critical Vulnerability:3S‐Smart.GmbH.CODESYS.Web.Server.Buffer.Overflow 

May 24, 2017 High Vulnerability: VLC.Player.VOB.File.Parsing.Heap.Corruption 

May 25, 2017 Moderate Vulnerability: MDaemon.Mail.Server.EasyBee.Command.Injection 

May 25, 2017 Critical Vulnerability: Joomla.Component.ComFields.SQL.Injection 

May 25, 2017 Critical Vulnerability: Avaya.ShadowBroker.EPICHERO.Remote.Code.Execution 

May 26, 2017 Critical Vulnerability: Samba.Writable.Share.Code.Execution 

May 26, 2017 High Vulnerability: Jenkins.CI.Server.Multiple.CSRF

IPS SIGNATURE RELEASE SUMMARY 

VENDOR 

DESCRIPTION 

RELEASE 

Fortigate Latest IPS Database version for Fortigate 11.148 

Cisco 

Latest IPS Database version for Cisco 

S983 

Juniper Latest IPS Database version for Juniper 2873 

Snort Latest IPS Database version for Snort 3.0 

Suricata Latest IPS Database version for Suricata 3.2.1 

Cyberoam Latest IPS Database version for Cyberoam 5.13.61 

ANTIVIRUS DATABASE VERSION 

VENDOR 

DESCRIPTION 

RELEASE 

Fortigate Latest Antivitus version for Fortigate 47.133 

ClamAv Latest Antivirus version for ClamAv 0.99.2 

NOD32 Latest Antivirus version for NOD32 15493 

McAfee Latest Antivirus version for McAfee 8543 

Comodo Latest Antivirus version for Comodo 27180 

AVG Latest Antivirus version for AVG 14512 

Cyberoam Latest Antivirus version for Cyberoam 10.06.3.719﴾vX to vX﴿

MALWARE OUTBREAK 

05/08/2017 Threat Name Type Severity Affected Products Posted Date 

1 SONAR.Luminrat!g1 Trojan, Virus, Worm Low 

Windows 


2 SONAR.SuspScript!g10 Trojan, Virus, Worm Low 

Windows 


3 SONAR.SuspScript!g9 Trojan, Virus, Worm Low Windows 05/02/2017 

4 Trojan.Destfallen.B Trojan, Low 

5 Python.Bellabot Trojan Low 

6 OSX.Turla Trojan Low 

7 Backdoor.Noknef Trojan Low 

8 Backdoor.Noknef!gm Trojan Low 

9 VBS.Halabake Trojan Low 

Windows 

Mac 

Mac 

Windows 

Windows 

Windows 







10 Trojan.Cassowar Trojan Low 

Windows 


11 JS.Netrepser Trojan Low 

Windows 


12 OSX.Proton Trojan Low 

Mac 


13 W32.Cridex!gen16 Worm Low 

Windows 


14 SONAR.Cryptlck!g146 Trojan, Virus, Worm Low 

Windows 


15 Trojan.Reblight!gen1 Trojan Low 

Windows 


16 Trojan.Halabake Trojan Low 

Windows 

05/08/2017

SNO Threat Name Type Severity Affected Products Posted Date 

17 VBS.Halabake!lnk Trojan Low Windows 05/08/2017 

18 Ransom.Cerber!g23 Trojan Low 

Windows 



Windows 


20 SONAR.SuspBeh!gen609 Trojan, Virus, Worm Low 

Windows 



Windows 


22 SONAR.SuspJAR!gen3 Trojan, Virus, Worm Low 

Windows 


23 Trojan.Boyapki Trojan Low 

Windows 


24 Ransom.Wannacry Trojan, Worm Medium 

Windows 


25 Ransom.Wannacry!gen2 Trojan, Worm Medium 

Windows 



Windows 



Windows 


28 Trojan.Adylkuzz Trojan Low 

Windows 


29 Hacktool.Seasharpee Trojan Low 

Windows 


SNO Threat Name Type Severity Affected Products Posted Date 

17 SONAR.Hacktool!gen3 Trojan, Virus, Worm Low Windows 05/17/2017 

18 Trojan.Sosopod Trojan Low 

Windows 


19 Trojan.Adylkuzz!gen1 Trojan Low 

Windows 


20 Ransom.Uiwix Trojan Low 

Windows 


21 Exp.CVE‐2017‐0261 Trojan Low 

Windows 


22 Trojan.Bravonc Trojan Low 

Windows 


23 Trojan.Alphanc Trojan Low 

Windows 


24 Trojan.Bravonc!gm Trojan Low 

Windows 


25 W32.Eternalrocks Worm Low 

Windows 


26 Ransom.Cerber!g25 Trojan Low 

Windows 


27 SONAR.SuspBeh!gen93 Trojan, Virus, Worm Low 

Windows 


28 Packed.Vmpbad!gen40 Trojan Low 

Windows 


29 Trojan.Agentemis!gen1 Trojan Low 

Windows 


SECURITY NEWS 

Intel Firmware Vulnerability 

May 01 , 201 7 

Intel has released recommendations to address a vulnerability in the firmware of the following Intel products: 

Active Management Technology, Standard Manageability, and Small Business Technology, firmware versions 6.x, 

7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6. This vulnerability does not affect Intel‐based consumer PCs. An attacker could 

exploit this vulnerability to take control of an affected system. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/01/Intel‐Firmware‐Vulnerability 

Google Releases Security Updates for Chrome 

May 02, 201 7 

Google has released Chrome version 58.0.3029.96 for Windows, Mac, and Linux. This version addresses a 

vulnerability that an attacker could exploit to cause a denial‐of‐service condition. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/02/Google‐Releases‐Security‐Updates‐Chrome 

Cisco Releases Security Updates 

May 03, 201 7 

Cisco has released updates to address vulnerabilities affecting multiple products. A remote attacker could exploit 

some of these vulnerabilities to take control of an affected system. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/03/Cisco‐Releases‐Security‐Updates 

Microsoft Ending Security Updates for Windows 1 0 version 1 507 

May 04, 201 7 

After May 9, 2017, devices running Windows 10 version 1507 will no longer receive security updates.. 

Read more :https://www.us‐cert.gov/ncas/current‐activity/2017/05/04/Microsoft‐Ending‐Security‐Updates‐ 

Windows‐10‐version‐1507

IC3 Warns of Increase in BEC/EAC Schemes 

May 04, 201 7 

The Internet Crime Complaint Center ﴾IC3﴿ has issued an alert describing a growing number of scams targeting 

businesses working with foreign suppliers or businesses that regularly perform wire transfer payments. These 

sophisticated scams are classified as business email compromise ﴾BEC﴿ or email account compromise ﴾EAC﴿ and use 

social engineering techniques to defraud businesses. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/04/IC3‐Warns‐Increase‐BECEAC‐Schemes 

Mozilla Releases Security Updates 

May 05, 201 7 

Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit 

this vulnerability to take control of an affected system. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/05/Mozilla‐Releases‐Security‐Updates 

Intel Firmware Vulnerability 

May 07, 201 7 

Intel has released recommendations to address a vulnerability in the firmware of the following Intel products: Active 

Management Technology, Standard Manageability, and Small Business Technology firmware versions 6.x, 7.x, 8.x, 

9.x, 10.x, 11.0, 11.5, and 11.6. This vulnerability does not affect Intel‐based consumer PCs. An attacker could exploit 

this vulnerability to take control of an affected system. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/07/Intel‐Firmware‐Vulnerability

Microsoft Releases Critical Security Update 

May 08, 201 7 

Microsoft has released a critical out‐of‐band security update addressing a vulnerability in the Microsoft Malware 

Protection Engine. A remote attacker could exploit this vulnerability to take control of an affected system. 

Read more :https://www.us‐cert.gov/ncas/current‐activity/2017/05/08/Microsoft‐Releases‐Critical‐Security‐Update 

Adobe Releases Security Updates 

May 09, 201 7 

Adobe has released security updates to address vulnerabilities in Adobe Flash Player and Adobe Experience 

Manager Forms. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an 

affected system. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/09/Adobe‐Releases‐Security‐Updates 

FTC Announces Resource for Small Business Owners 

May 09, 201 7 

The Federal Trade Commission ﴾FTC﴿ has released an announcement about its new website devoted to protecting 

small businesses. This resource aims to help business owners avoid scams, protect their computers and networks, 

and keep their customers' and employees' data safe. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/09/FTC‐Announces‐Resources‐Small‐ 

Businesses

Cisco Releases Security Update 

May 1 0, 201 7 

Cisco has released a security update to address a vulnerability in its WebEx Meetings Server which could allow a 

remote attacker to obtain sensitive information. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/10/Cisco‐Releases‐Security‐Update 

Multiple Ransomware Infections Reported 

May 1 2, 201 7 

Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is 

paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee 

access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of 

cybersecurity threats, such as ransomware. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/12/Multiple‐Ransomware‐Infections‐Reported 

Apple Releases Security Updates 

May 1 5, 201 7 

Apple has released security updates to address vulnerabilities in multiple products. A remote attacker may exploit 

some of these vulnerabilities to take control of an affected system. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/15/Apple‐Releases‐Security‐Updates 

FTC Releases Alert on Fraudulent Emails 

May 1 6, 201 7 

The Federal Trade Commission ﴾FTC﴿ has released an alert about scammers sending out fake emails that look 

authentic to trick you into sending money to them. Users should be suspicious of unsolicited phone calls or email 

messages from individuals asking about your information. If an unknown individual claims to be from a legitimate 

organization, try to verify his or her identity directly with the company. 

https://www.us‐cert.gov/ncas/current‐activity/2017/05/16/FTC‐Releases‐Alert‐Fraudulent‐Emails 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/16/FTC‐Releases‐Alert‐Fraudulent‐Emails

WordPress Releases Security Update 

May 1 7, 201 7 

WordPress versions prior to 4.7.5 are affected by multiple vulnerabilities. A remote attacker could exploit some of 

these vulnerabilities to take control of an affected website. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/17/WordPress‐Releases‐Security‐Update 

ICSCERT Releases WannaCry Fact Sheet 

May 1 7, 201 7 

The Industrial Control Systems Cyber Emergency Response Team ﴾ICS‐CERT﴿ has released a short overview of the 

WannaCry ransomware infections. This fact sheet provides information on how the WannaCry program spreads, 

what users should do if they have been infected, and how to protect against similar attacks in the future. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/17/ICS‐CERT‐Releases‐WannaCry‐Fact‐Sheet 

Samba Releases Security Updates 

May 24, 201 7 

The Samba Team has released security updates that address a vulnerability in all versions of Samba from 3.5.0 

onward. A remote attacker could exploit this vulnerability to take control of an affected system.. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/24/Samba‐Releases‐Security‐Updates 

FTC Releases Alert on Identity Theft 

May 25, 201 7 

The Federal Trade Commission ﴾FTC﴿ has released an alert about how quickly criminals begin using your personal 

information once it is posted to a hacker site by an identity thief. FTC researchers found that it can take as few as 

9 minutes for crooks to access stolen personal information posted to hacker sites. To prevent identity theft, a 

user should follow password security best practices, such as multi‐factor authentication, which requires a user to 

simultaneously present multiple pieces of information to verify their identity. 

Read more : https://www.us‐cert.gov/ncas/current‐activity/2017/05/25/FTC‐Releases‐Alert‐Identity‐Theft

Security News Letter - may 2017

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?