Wild Exploit, AutoCAD Malware, and a Hacking Demo
Did you apply Microsoft’s patches and Fixit last week? If not, this week’s news (and attack demo) ought to convince you to jump on those important updates right away.
Today’s episode warns of attackers actively targeting two of Microsoft’s vulnerabilities from last week, a new malware sample that specifically steals AutoCAD diagrams and blueprints, and a trio of Cisco security advisories fixing vulnerabilities in their security and VPN products. For the curious and technically inclined, I’ve even included an attack demo showing how easy it is for script kiddies to exploit the Microsoft XML Core Services vulnerability using Metasploit. If you want to see a drive-by download in action, and get a few Metasploit tips along the way, check out this week’s episode below.
If video’s not your thing, you can also find links to all this week’s stories in the Reference section. Don’t forget to leave feedback, suggestions, or questions in the comment section if you have anything to share. See you next week and have a great weekend.
(Episode Runtime: 13:00)
Direct YouTube Link: http://www.youtube.com/watch?v=rWGE7i-AIU4
Episode References:
- Attackers exploit XML Core Services and IE SameID flaws – PCWorld
- Malware targets AutoCAD – The Register
- Cisco Security Advisories
- Tool Tip: Microsoft EMET
— Corey Nachreiner, CISSP (@SecAdept)
Does the WatchGuard IPS protect against the XML vulnerability?
Rob,
Yes. We have signatures for both the XML Core Services vulns, and for the IE Same_ID vuln. We got the signatures shortly after Patch Day. If you have updated to signature set 4.208, you can go to FSM, and show signatures, then search for MSXML or for “Same ID”, and you will find the signatures in question.
Also, though I didn’t have time before the weekly video, I have since done that same Metasploit attack with an XTMv appliance between the attacker and victim. Our XTM appliance blocks the attack multiple ways. First we catch the malicious JavaScript Metasploit uses with GAV. But also, our IPS triggers for Malicious JavaScript too… We don’t even really need the XML signature necessarily, since we detect the evil JavaScript used to launch this web-based attack.
When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get several emails with the same comment. Is there any way you can remove people from that service?
Thanks a lot!