Vulnerabilities were discovered in a routine security crash
March 1, 2014
PRESS RELEASE
VIENNA, February 27, 2014 /PRNewswire/ --
"SAS for Windows" is part of a software for statistical analysis, data-mining and business intelligence. The software was shipped by the manufacturer SAS Institute Inc. containing a critical vulnerability [1]. The vulnerabilities were discovered in a routine security crash test by experts of the SEC Consult Vulnerability Lab ( http://www.sec-consult.com).
The vulnerability enables state-sponsored or criminal hackers to create a malicious SAS-file, which gives an attacker full control over the attacked computer if the file gets processed with "SAS for Windows". An attacker can send phishing mails containing such a manipulated SAS-file to subsequently attack the internal corporate network via a compromised client computer.
The experts of the SEC Consult Vulnerability Lab were able to successfully exploit the vulnerability during a crash test, bypass current mitigation techniques on a standard Windows 7 installation (including firewall and anti-virus software) and control the attacked computer remotely over the Internet.
SEC Consult experts recommend immediately installing the update, released by the vendor to counter these vulnerabilities [2]. SEC Consult advises that customers of SAS products should demand from the vendor exhaustive security tests by
(European) security experts before the implementation of the respective software product.
[1] https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
[2]
SAS 9.4 TS 1M0 - http://ftp.sas.com/techsup/download/hotfix/HF2/L08.html#L08004
SAS 9.3 TS 1M2 - http://ftp.sas.com/techsup/download/hotfix/HF2/I22.html#I22069
SAS 9.2 TS 2M3 - http://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#B25260
You May Also Like
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024