The purpose of this page is to provide awareness to individuals and organizations that are leaking information and the information of their customers. The entities listed on this site are verified to be leaking personal information, sometimes without the company even being aware. SLC Security is now owned and operated by Jigsaw Security Enterprise. We are currently in the process of transitioning, and as such this blog will eventually be taken offline and merged with Jigsaw Security resources.
Wednesday, October 22, 2014
NEWS: Don't say we didn't warn you about this one
Security researchers have been talking behind the scenes with Microsoft concerning the recent patching efforts on CVE-2014-4114. Apparently we are not the only ones who noticed the problem with the patch last week. McAfee apparently had warned Microsoft that the patch was not 100% effective in stopping attacks that were being seen in the wild.
We noticed that hackers were largely still performing the attack with a slightly different payload method (as indicated by our distributed IDS system and honeypot indicators). We had several VM images attacked, but the exploit still required an end user to take an action before the payload was delivered.
At no time were our customers vulnerable to this attack as our SLC Security appliances had signatures to detect the issue last week when we first discovered the problem.
Code appeared on a popular hacker website last Wednesday concerning the OLE issue, and an updated script was uploaded the following day.
While the issue we reported on is slightly different, the premise is the same, except that the variant we are seeing only activates during a reboot and not by an infected email attachment. The actual exploit we report on is still exploitable on Windows but is not able to be patched, because doing so would require individual vendors to patch their products. Utilizing similar vectors allows a malicious attacker to run code through an undisclosed Windows service flaw that is not easily fixable and has been exploitable for several years now. This issue remains unpatched and vulnerable, although we have only seen it used by a select few security firms during penetration testing.