Welcome back to this week's Security Bulletins. Let's take a deep dive into what this week has in store for us.
Attackers using documents to deliver malware is nothing new, and popular anti-malware products ship with detections for the common document formats as a result. Cisco Talos Intelligence has published an interesting blog post taking a deep dive into the OpenDocument Text (ODT) format used by OpenOffice and LibreOffice, which is now being actively used to spread malware. Because ODT is not the "standard" office document format, it can potentially slip past malware protection that is tuned for Microsoft Office files.
According to Talos, multiple malware campaigns are actively using ODT files, and the reason is that most antivirus engines treat the format as a plain archive (an ODT is a ZIP container) rather than processing it the way they process Office documents. An attacker can also pick targets from public sources such as the LibreOffice migration page, which lists specific organisations that have adopted the software. The popular IDS/IPS Snort can help here with its signatures, coupled with an effective endpoint security product, so that the threat is identified and blocked before any exploitation.
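Because an ODT is just a ZIP container with a known layout, the cheapest check is to open it as one and look at what is inside instead of waiting for a signature. The script below is an added example for this bulletin, not code from the Talos post: it reads the `mimetype` entry, flags macro, script and embedded-object containers, cross-checks the archive against `META-INF/manifest.xml`, and looks for OLE object references in `content.xml`. The entry-name heuristics and the in-memory sample documents are constructed for the demo; only the manifest namespace and the `mimetype` rule come from the OpenDocument spec.

```python
"""Inspect an ODT as the ZIP archive it is and flag payload carriers.

Added example (not from the Talos post). The entry-name heuristics below
are assumptions for the demo, not published detection rules.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Real namespace from the OpenDocument spec for META-INF/manifest.xml
MANIFEST_NS = {"m": "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"}

# Heuristic containers/extensions to flag (assumed for this example)
SUSPICIOUS_PREFIXES = ("Basic/", "Scripts/", "Object ")   # macros, scripts, embedded objects
SUSPICIOUS_SUFFIXES = (".exe", ".dll", ".vbs", ".js", ".ps1", ".bat", ".bin")
NOT_IN_MANIFEST = {"mimetype", "META-INF/manifest.xml"}   # legitimately undeclared


def inspect_odt(data: bytes) -> dict:
    """Return {"mimetype": str, "findings": [str, ...]} for an ODT given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Per the ODF spec, 'mimetype' is the first, uncompressed entry
        mimetype = zf.read("mimetype").decode("ascii", "replace") if "mimetype" in names else ""
        if not mimetype.startswith("application/vnd.oasis.opendocument"):
            findings.append("mimetype entry missing or not OpenDocument")

        for name in names:
            if name.startswith(SUSPICIOUS_PREFIXES):
                findings.append(f"script/macro/object container: {name}")
            elif name.lower().endswith(SUSPICIOUS_SUFFIXES):
                findings.append(f"executable-looking entry: {name}")

        # Anything in the archive but absent from the manifest was added outside the editor
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            declared = {e.get(f"{{{MANIFEST_NS['m']}}}full-path")
                        for e in root.findall("m:file-entry", MANIFEST_NS)}
            for name in names:
                if name not in NOT_IN_MANIFEST and not name.endswith("/") and name not in declared:
                    findings.append(f"entry not declared in manifest: {name}")

        # An OLE object or plugin element is how an embedded executable gets a click target
        if "content.xml" in names:
            content = zf.read("content.xml")
            if b"draw:object-ole" in content or b"draw:plugin" in content:
                findings.append("content.xml references an OLE object or plugin")
    return {"mimetype": mimetype, "findings": findings}


_MANIFEST = (
    '<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" '
    'manifest:version="1.2">'
    '<manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>'
    '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>'
    '</manifest:manifest>'
)
_CONTENT_HEAD = (
    '<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
    'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
    'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
    'xmlns:xlink="http://www.w3.org/1999/xlink"><office:body><office:text><text:p>Invoice</text:p>'
)
_CONTENT_TAIL = '</office:text></office:body></office:document-content>'


def build_sample_odt(with_payload: bool) -> bytes:
    """Construct a minimal ODT in memory (constructed sample, not a real campaign document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/manifest.xml", _MANIFEST)
        body = _CONTENT_HEAD
        if with_payload:
            body += '<draw:object-ole xlink:href="./Object 1"/>'
        zf.writestr("content.xml", body + _CONTENT_TAIL)
        if with_payload:
            # Embedded object and a Basic macro, neither declared in the manifest
            zf.writestr("Object 1", b"MZ\x90\x00fake-payload")
            zf.writestr("Basic/Standard/Module1.xml", "<script:module/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample_odt(False)), ("payload", build_sample_odt(True))):
        print(label, inspect_odt(doc)["findings"])
```

Run against a real sample the interesting part is the manifest cross-check: an ODT saved by LibreOffice declares every entry, so an undeclared `Object 1` or `Basic/` tree is a strong sign the file was assembled by a tool rather than an editor.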
It was not long ago that the popular forum software vBulletin was patched to address a critical zero-day vulnerability. The maintainers have now released another security patch addressing three more high-severity vulnerabilities. These affect all vBulletin versions up to 5.5.4 and could lead to compromise of the hosting web server and exfiltration of sensitive data. All three were discovered by application security researcher Egidio Romano. The first is an RCE flaw designated CVE-2019-17132; the other two are SQLi flaws, both assigned CVE-2019-17271. The flaws were reported back in late September, and the project maintainers have released patches for vBulletin versions 5.5.2, 5.5.3 and 5.5.4; everyone running them is urged to apply the patches.
It's that time of the month when Microsoft releases its "Patch Tuesday" updates, and there is quite a handful of them. A total of 59 vulnerabilities were patched, including 9 rated critical, which is a lot. Fortunately, none of them were reported as exploited before the patch. One of the critical flaws is CVE-2019-1372, an RCE vulnerability in Azure App Service that lets an attacker escape the sandbox on Azure Stack and execute malicious code. After BlueKeep, another vulnerability targeting RDP has also been patched; unlike BlueKeep, this one is client-side and needs social engineering for successful exploitation. Microsoft also reminded customers running Windows 7 and Windows Server 2008 R2 that their extended support ends on 14th January 2020.
Researchers at Kaspersky have published a comprehensive study of Reductor, a malware family that targets encrypted web communications, and were able to link it back to the COMpfun Trojan discovered in 2014. In their analysis they found that "besides typical RAT functions such as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers". Although no MITM attacks have been observed, the fact that Reductor can install digital certificates and mark the target's TLS traffic is definitely cause for concern.
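A host-related mark inside TLS traffic is something a network defender can look for without decrypting anything, because the one field a client controls that must be fresh every time is the 32-byte ClientHello random. The script below is an added example for this bulletin, not Kaspersky's code, and it assumes for the demo that the mark lands in that random field; the real Reductor layout is not described on this page. It parses a TLS handshake record, pulls out the client random, and flags a host whose randoms keep agreeing at the same byte offsets across sessions, which honest randomness never does. The ClientHello builder, hosts and "marker" bytes are constructed sample data.

```python
"""Flag hosts whose TLS ClientHello randoms share fixed bytes across sessions.

Added example (not Kaspersky's code). Assumption for the demo: the host
identifier is placed in the 32-byte ClientHello random; the real field
layout used by the malware is not given on the page.
"""
import hashlib
import struct
from collections import defaultdict


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello; return client version and the 32-byte random."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 34:
        raise ValueError("truncated ClientHello")
    return {"version": struct.unpack("!H", hello[0:2])[0], "random": hello[2:34]}


def build_client_hello(client_random: bytes) -> bytes:
    """Construct a minimal ClientHello record (one cipher suite, no extensions) for the demo."""
    assert len(client_random) == 32
    hello = (b"\x03\x03" + client_random + b"\x00"      # version, random, empty session id
             + b"\x00\x02\x13\x01"                        # cipher suites: TLS_AES_128_GCM_SHA256
             + b"\x01\x00")                               # compression methods: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def shared_random_bytes(records) -> set:
    """Offsets (0..31) at which every client random in `records` carries the same byte.
    Genuine randoms agree essentially nowhere; a host-derived marker shows up as a stable block."""
    randoms = [parse_client_hello(r)["random"] for r in records]
    if len(randoms) < 2:
        return set()
    return {i for i in range(32) if len({r[i] for r in randoms}) == 1}


def flag_marked_hosts(flows, min_shared: int = 4) -> dict:
    """flows: iterable of (src_host, record). Return {host: [stable offsets]} for hosts
    with at least two ClientHellos that agree on >= min_shared byte positions."""
    by_host = defaultdict(list)
    for host, rec in flows:
        by_host[host].append(rec)
    flagged = {}
    for host, recs in by_host.items():
        stable = shared_random_bytes(recs)
        if len(recs) >= 2 and len(stable) >= min_shared:
            flagged[host] = sorted(stable)
    return flagged


def sample_flows():
    """Constructed traffic: one honest host, one host whose randoms carry a fixed 8-byte mark."""
    flows = []
    for i in range(3):
        # Deterministic stand-in for a proper CSPRNG output, so the demo is repeatable
        honest = hashlib.sha256(f"honest-{i}".encode()).digest()
        flows.append(("10.0.0.5", build_client_hello(honest)))
        marker = b"\xde\xad\xbe\xef\x00\x11\x22\x33"       # constructed host identifier
        marked = marker + hashlib.sha256(f"marked-{i}".encode()).digest()[8:]
        flows.append(("10.0.0.7", build_client_hello(marked)))
    return flows


if __name__ == "__main__":
    print(flag_marked_hosts(sample_flows()))
```

On real traffic this needs a few hundred ClientHellos per host before the stable offsets stand out, and it is a hunting query rather than a precise signature; but it runs on the plaintext handshake, so it works regardless of what certificate the malware has planted on the endpoint.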