Microsoft warns on security flaws in Power Point Slides

Microsoft has warned Windows users about a zero-day security issue with malicious PowerPoint documents being emailed to recipients. The software giant is working on a patch for the problem.

Another Microsoft OLE security issue revealed...

The bad news is that the vulnerability affects all versions of Windows from Server 2003 to Windows 8.1. Perhaps worse, the flaw is buried in the code that handles OLE (object linking and embedding) calls, allowing one Microsoft application to directly call another.

Some researchers have pointed out that this zero-day is similar to one patched last week, when Microsoft issued no less than eight updates, including one (Sandworm) known to have been exploited in the wild, pending an update.  

Whilst it creates a patch, Microsoft has created an interim Fixit tool that, when applied, blocks the attacks seen so far. The tool can be downloaded on Microsoft's support pages.

Microsoft has also asked Windows users to pay attention to the User Account Control (UAC) pop-ups, the small alerts that require authorisation before the OS is allowed to perform certain tasks, such as downloading files or running software.

According to Steve Armstrong, technical security director with pen testing specialist Logically Secure, whilst the impact of a MS Zero day is bad, looking at the published workarounds suggests that users who enable UAC by default - and who do not have users with highly privileged accounts - can minimise the risks involved.

08 elements of Patch Tuesday

Open-Source Bugs Affect to Web Applications

An average of eight severe security flaws from open-source and third-party code can be found in each web application, according to new findings from Veracode.

If the Heartbleed and Shellshock vulnerability scares didn't drive home the increasing risk that open-source software poses to today's applications, consider this: Open-source and third-party code brings an average of 24 known security bugs to every web application, according to new data.

Open-source and third-party software components also introduced an average of eight "very high severity" or "high severity" security flaws to applications, according to Veracode, which today released findings from an analysis it conducted of more than 5,300 enterprise web applications uploaded to its code-scanning service over the past two months.

"The use of open source has increased heavily over time. Enterprises have become more comfortable using it," says Chris Wysopal, CTO at Veracode. "At the same time, the researcher community and attacker communities have woken up to this, too… That's why you're seeing Heartbleed and Shellshock, because people are looking at it and scrutinizing it. In the last year or two, all that code has been reviewed and made better. But it's probably only going to get worse" as researchers find more bugs and attackers start using them.

Dennis Chu, senior product manager at Coverity, which discovered 688 OWASP Top 10 security issues in 37 open-source projects it recently studied, says open-source bugs are often the cause of stealthy attacks. "A lot of times open-source bugs manifest themselves in very invisible security breaches."

It's not that open-source and third-party code is necessarily inherently more or less secure than commercial software, security experts say. Some open-source projects have been strapped for resources to keep the code clean -- leading to problems like Heartbleed, for instance -- but the real issue now is that more enterprises use open-source code, and researchers, as well as attackers, are taking notice.


Read More: http://www.darkreading.com/application-security/open-source-software-brings-bugs-to-web-applications/d/d-id/1316878?_mc=NL_DR_EDT_DR_weekly_20141023&cid=NL_DR_EDT_DR_weekly_20141023&elq=39da7f9fc52a4cd6ada82d9d5e34a2e9&elqCampaignId=9872 

Malvertising campaigns hit US military industry to steal secrets and intellectual property

A new wave of malvertising attacks finalized to cyber espionage is targeting military contractors to military secrets and intellectual property.

Security experts at security company Invincea have uncovered a new malvertisingcampaign used as a attack vector for highly-targeted cyber espionage operations against at least three firms in the US military industry.

The malvertising is becoming even more popular in the criminal underground, many cases were spotted recently which exploited the ad network of IT giants like Googleand Yahoo.

According the experts at Invincea, malvertising campaign allowed threat actors to steal military secrets or intellectual property rather than click-fraud or financial frauds( e.g. Phishing). The circumstance is alarming because many of the targeted companies are providing technology for use in combat zones.

“In the past, we have seen organized cyber crime learn attack techniques from advanced nation state actors,” Invincea Chief Executive Anup Ghosh said, using industry parlance for cyber spies. “This is a case where advanced state actors would be learning from cyber crime in terms of methods and tactics.”

The researchers discovered that using high targeted online advertising threat actors hit major U.S. military contractors in the past few weeks, Invincea declined to name the victims of the malvertising campaigns.

Data security breaches now regularly hit high-profile businesses such asbanks and retailers, leaving millions of consumers vulnerable to identity theft and financial fraud. But research into malvertising has revealed how cyber-criminals and spies can use the marketing industry’s latest tools to pinpoint high-value targets.” reports the Reuters Agency.

The experts at Invincea spotted up to six malvertising attacks that targeted one aerospace contractor and other military contractors in the last weeks of September.

The experts haven’t provided any information on the alleged source of the malvertising attacks, instead they confirmed that attackers used demographic targeting toolsavailable to any online marketer to exploit advertising bidding networks.


“Perpetrators can set up a corporate front to deliver normal ads, then swap landing pages from time to time for malicious code. They place these ads on advertising exchanges and bid up prices for placement on sites that its targets are known to visit, based on what they glean from these intended victims’ advertising profiles.” states the Reuters.

Malvertising website are difficult to be localized, the majority of them belong to the category of One Day Wonders, so the stay online just for the time of the attack, typically for less than four hours. A study conducted by Blue Coat on 660 million unique hostnames reports that 470 Million websites are One Day Wonders and 22 Percent are malicious.

The analysis conducted by experts at Invincea firm confirms the presence of serious flaw in most online advertising networks that could be easily exploited by threat actors.

“Any real-time ad bidding service that allows for automatic redirection is inherently insecure,” said Pat Belcher, who heads Invincea’s security analytics team, which conducted the forensic research. “It is across the board.”

Unfortunately, cyber criminals are winning the fight against the online advertising industry, recent cases demonstrate that the web ad industry is still vulnerable to malvertising campaigns.

Ad networks are too easy to compromise and unaware users haven’t necessary skills and tools to protect their machines.

The major advertising organizations in the US will collaborate to monitor and prevent illegal activities.

“Criminal activity threatens to erode trust in the digital ecosystem,” Randall Rothenberg, chief executive of the Interactive Advertising Bureau said. “It is time that publishers, marketers and agencies stand together to combat these dangerous forces as a unified entity.”

Unfortunately as explained by Invincea malversting is a common practice that is not properly addressed by Advertising industry, it’s time to consider security an indispensable investment and not a cost to reduce.