Towerwall Information/Vulnerability Alert Vol 13.69: Cisco Security Notice

Cisco Security Notice

Cisco WebEx Business Suite HTTP GET Parameters Include Sensitive Information

CVE ID: CVE-2014-0708
Release Date: 2014 March 18 19:07  UTC (GMT)
Last Updated: 2014 March 19 17:58  UTC (GMT)SummaryA vulnerability in Cisco WebEx Business Suite could allow an unauthenticated, remote attacker to view sensitive information transmitted in GET parameters of URL requests.


The vulnerability is due to inclusion of sensitive information in URLs as GET parameters. An attacker could exploit this vulnerability by viewing application URL requests that contain the sensitive information in GET parameters.


This vulnerability was reported to Cisco by Jim LaValley.

Affected Products

Product More Information CVSS
Cisco WebEx Meeting Center CSCul98272 5.0/4.8

What Is a Cisco Security Notice?

The Cisco Product Security Incident Response Team (PSIRT) publishes Cisco Security Notices to inform customers of low- to mid-level severity security issues involving Cisco products.

Customers who wish to upgrade to a software version that includes fixes for these issues should contact their normal support channels. Free software updates will not be provided for issues that are disclosed through a Cisco Security Notice.

For additional information about Cisco PSIRT publications, see the Cisco Security Vulnerability Policy at

Customers Using Third-Party Support Organizations

Customers may have Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers. For these products, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.


Web applications have become common targets for attackers. Attackers can leverage relatively simple vulnerabilities to gain access to confidential information most likely containing personally identifiable information.

While traditional firewalls and other network security controls are an important layer of any Information Security Program, they can’t defend or alert against many of the attack vectors specific to web applications. It is critical for an organization to ensure that its web applications are not susceptible to common types of attack.

Best Practice suggests that an organization should perform a web application test in addition to regular security assessments in order to ensure the security of its web applications.

Towerwall Web Application Testing methodology is based on the Open Web Application Security Project (OWASP) methodology.   Call us for more information: 774 204 0700.

This is an opt in security alert list to be removed reply with remove.

Successful Breakfast Event: From Zero to Data Governance Hero

TWVaronisEventThanks for all that joined Towerwall at the From Zero to Data Governance Hero breakfast event! Towerwall and Varonis experts gave first-rate information on the importance of pressing data concerns of 2014. Also, Varonis’ speaker gave a great live demonstration on the Data Governance Suite! It was an event well spent!

“Towerwall is always looking for ways to provide updated information on data security issues affecting our customers.  Helping protect our customers “crown jewels” is our mantra.”

– Michelle Drolet, Founder and CEO, Towerwall

We are excited to host our next event, the 2nd Annual Information Security Summit! Please join us on May 22 and discover new ways to lead the creation of the secure digital enterprise!

Click here for more information on the 2nd Annual Information Security Summit.


Patch Tuesday wrap-up, March 2014 – critical fixes from Microsoft and Adobe

by Paul Ducklin on March 12, 2014

We already wrote about Microsoft’s March 2014 patches, noting that, as usually happens, there was an All-Points Bulletin for Internet Explorer coming up.

Microsoft doesn’t call them APBs, of course – they are Cumulative Security Updates, with one bulletin covering all the numerous versions, bitnesses and CPU flavors of Redmond’s IE browser.

What we weren’t able to tell you in advance was whether the widely-publicized (but fortunately not widely-exploited) CVE-2014-0322 hole would be closed.

Good news – the fix made it into this month’s update.

As we mentioned before, there wasn’t actually a terrible urgency for the CVE-2014-0322 fix, because a number of workarounds and mitigations were available.

But a permanent fix is a permanent fix, so apply it as soon as you can, if you haven’t let Windows Update apply it for you already.

Adobe Flash has another critical fix to add to its two recent between-Patch-Tuesday updates.

Flash Player goes to on Windows and Macintosh; Linux users are stuck on an older flavor of version 11 forever, and go to; other users who have stayed with version 11 out of choice or necessity get 11.7.700.272.

Google Chrome, Microsoft IE 10 and Microsoft IE 11 include and manage their own Flash player code – Adobe has confirmed that both Google and Microsoft have published the necessary patches.

The Microsoft flavor of Adobe’s security fix isn’t listed amongst Microsoft’s own Patch Tuesday bulletins, but Microsoft’s updating tools should take care of it for you.

If you prefer the manual approach, KB2938527 has the details and the downloads.

Of course, those are just the top-of-mind patches.

Don’t forget the other four Microsoft bulletins.

We’ve written them up with our assessment of their likely risk, if you like to do a risk/benefit check before you go live with updates, as follows:


Microsoft ID Sophos ID Description and KB number
MS14-013 VET585 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2929961)
MS14-014 VET587 Vulnerability in Silverlight Could Allow Security Feature Bypass (2932677)
MS14-015 VET586 Vulnerabilities in Windows Kernel Mode Driver Could Allow Elevation of Privilege (2930275)
MS14-016 VET588 Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass (2934418)



Towerwall Information Security/Malware Alert Vol 13.67 – Notorious “Gameover” malware gets itself a kernel-mode rootkit…

Zeus, also known as Zbot, is a malware family that we have written about many times on Naked Security.

We’ve covered it as plain old Zbot.

We’ve covered the Citadel variant, which appeared when the original Zbot code was leaked online.

We’ve even written about the time it pretended to be a Microsoft fix for CryptoLocker, a completely different strain of malware.

Currently, the most widespread Zbot derivative is the Gameover bot, also known as Zeus P2P because of its use of peer-to-peer network connectivity for command and control.

The Gameover gang has been trying new techniques recently: hot on the heels of code to target logged-in users of cloud-based CRM Salesforce.comcomes the introduction of a kernel-mode rootkit.

The code for this rootkit comes from another notorious malware family known as Necurs.

A brief history of Zbot/Zeus

Malware in the Zbot family is built to steal information, primarily login credentials, and it is good at its job.

Early Zbot versions employed a user-mode rootkit that would hide the Zbot directory and registry entries from user-land tools.

However, by Version 2 of the malware, this rootkit had been dropped as it was largely ineffective.

Instead Zbot began to inject its code into system processes and browsers, hooking important software functions in order to snoop on the data passing through the system.

In the latest Gameover development, the Necurs rootkit has been added to protect the malware files on disk and in memory, making it harder to find and remove once the malware is active.

How does this variant reach your computer?

This particular strain of Gameover is being delivered through spam messages containing fake invoices.

The attachments don’t contain the malware itself; instead, they contain downloader malware known as Upatre.

Downloaders do exactly what their name suggests: they call home and fetch the latest malware version that the crooks want to distribute.

Fake invoice emails are similarly straightforward but effective: they claim to contain some sort of payment advice for a purchase you know you didn’t make; the crooks hope you will open the attachment as the first step in contesting the payment.

Here is an example message:

In this case the campaign is targeted at French speakers and purports to be from HSBC France.

The Upatre downloader is attached as an EXE file (a Windows program) inside a ZIP file named

What happens if you open the fake invoice?

If you launch the file, it downloads an unstructured lump of data – known to programmers as a BLOB, short for “binary large object” – which is actually an obfuscated and compressed copy of the Gameover malware:

The downloader then unscrambles and launches Gameover.

When it launches, Gameover installs into your Application Data directory, tagging itself with a short block of system-specific binary data.

This “tagging” serves two purposes: the installed copy is tied to your computer, so it won’t run anywhere else if it is taken away for analysis; and your copy of the malware is unique, so that simple checksum-based file matching can’t be used to detect it.

Normally, Gameover then injects itself into other processes and exits.

This is where the new variant drops and installs the Necurs rootkit, which is implemented as a kernel driver.

Two drivers – a 32-bit and a 64-bit version – are decrypted using different RC4 keys:

Then, further shellcode is decrypted and executed to setup and load the appropriate driver.

We can see that the code first checks to see if the Necurs device objectNtSecureSys already exists:

If it does not, the appropriate driver will be loaded.

If the system is 32-bit and you do not have administrator rights, the malware tries to exploit an aging vulnerability known as CVE-2010-4398 to elevate its privilege so it can load the driver.

The exploit relies on a specially-crafted registry entry and, somewhat curiously, the use of a system function associated with End-User Defined Characters (EUDCs), as seen here:

If you are patched against this vulnerability, then the loading of the rootkit will trigger a User Account Control (UAC) prompt – an immediately-suspicious side effect, considering that the file you just opened was supposed to be an invoice.

If you are running XP, which doesn’t have UAC, and you aren’t an administrator, the rootkit can’t prompt for permission to load, ironically making you very slightly safer.

The 64-bit driver is digitally signed, but with an unsigned and obviously bogus certificate:

64-bit versions of Windows usually insist that drivers are signed with verified certificates, so the malware tries to reconfigure your system so that it will accept unverified drivers.

The malware uses the BCEDIT Boot Configuration Editor utility to set theTESTSIGNING boot option, allowing the malicious driver to be loaded:

What does the rootkit do?

Once active, the rootkit protects the Gameover malware so that you can’t delete it:

It also stops you killing off the Gameover process:

The rookit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet.

What next?

What does this apparent collaboration between the Gameover and Necurs gangs mean?

We don’t know for sure – perhaps the the two groups are joining forces, or perhaps the Necurs source code has been acquired by the Gameover gang.

Whatever the reason, the addition of the Necurs rootkit to an already-dangerous piece of malware is an unwelcome development.

Learning more about bots and botnets

Gameover is just one of many bots and botnets that are currently at large on the internet.


by James Wyke