Zero-day Vulnerability Database
Zero-day vulnerabilities discovered: 830
Improper input validation in PostgreSQL
CVE-2025-1094
Input validation error
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient validation of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() and within the command line utility programs when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. A remote attacker can pass specially crafted input to the application and execute arbitrary SQL queries in the database.
Note, the vulnerability is being actively exploited in the wild.
Software: PostgreSQL
Links:
Privilege escalation in Microsoft Windows ancillary function driver for WinSock
CVE-2025-21418
Heap-based buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in ancillary function driver for WinSock. A local user can trigger a heap-based buffer overflow and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21418
Arbitrary file deletion in Windows Storage
CVE-2025-21391
Link following
The vulnerability allows a local user to delete files on the system.
The vulnerability exists due to insecure link following in Windows Storage. A local user can delete arbitrary files on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21391
Security restrictions bypass in Apple iOS and iPadOS
CVE-2025-24200
Security features bypass
The vulnerability allows an attacker to bypass implemented security restrictions.
The vulnerability exists due to an authorization error. An attacker with physical access to device can disable USB Restricted Mode on a locked device and compromise the affected system.
Note, the vulnerability is being exploited in the wild in an extremely sophisticated attack against specific targeted individuals.
Software: Apple iOS
Unauthenticated SQL injection in Advantive VeraCore
CVE-2025-25181
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the PmSess1 parameter. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Note, the vulnerability is being actively exploited in the wild.
Software: VeraCore
Links:
https://intezer.com/blog/research/xe-group-exploiting-zero-days/
Multiple vulnerabilities in Google Android
CVE-2024-53104
Out-of-bounds write
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an out-of-bounds read error within the uvc_parse_format() function in drivers/media/usb/uvc/uvc_driver.c. A local user can trigger an out-of-bounds write and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
Links:
https://source.android.com/docs/security/bulletin/2025-02-01
Multiple vulnerabilities in Contec Health CMS8000 Patient Monitor
CVE-2025-0626
Hidden functionality
The vulnerability allows a remote attacker to compromise vulnerable system
The vulnerability exists due to hidden functionality (backdoor) is present in software. A remote attacker can use this functionality to gain full access to the application and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Software: CMS8000 Patient Monitor
Links:
Remote code execution in Trimble Cityworks
CVE-2025-0994
Deserialization of Untrusted Data
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote privileged user can send a specially crafted HTTP request to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Cityworks
Links:
https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-06-docx/0?
Remote command injection in Zyxel CPE Series
CVE-2024-40891
Command Injection
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can send specially crafted packets to the telnet interface of a device and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.Software: Zyxel CPE Series
Links:
https://www.greynoise.io/blog/active-exploitation-of-zero-day-zyxel-cpe-vulnerability-cve-2024-40891
https://www.helpnetsecurity.com/2025/01/29/zyxel-cpe-devices-under-attack-vulnerability-cve-2024-40891/
Multiple vulnerabilities in Apple iOS 18 and iPadOS 18
CVE-2025-24085
Use-after-free
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in CoreMedia. A local application can execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.Software: Apple iOS
Links:
https://support.apple.com/en-us/122066
Remote code execution in SonicWall SMA 1000
CVE-2025-23006
Deserialization of untrusted data
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). A remote non-authenticated attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: SonicWall SMA 1000
Links:
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002
Multiple privilege escalation vulnerabilities in Microsoft Windows Hyper-V NT Kernel Integration VSP
CVE-2025-21335
Use-after-free
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in Windows Hyper-V NT Kernel Integration VSP component. A local user can execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21335
Multiple privilege escalation vulnerabilities in Microsoft Windows Hyper-V NT Kernel Integration VSP
CVE-2025-21334
Use-after-free
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in Windows Hyper-V NT Kernel Integration VSP component. A local user can execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21334
Multiple privilege escalation vulnerabilities in Microsoft Windows Hyper-V NT Kernel Integration VSP
CVE-2025-21333
Heap-based buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in Windows Hyper-V NT Kernel Integration VSP component. A local user can trigger a heap-based buffer overflow and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21333
Authentication bypass in FortiOS and FortiProxy
CVE-2024-55591
Authentication bypass using an alternate path or channel
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper authentication within the Node.js websocket module in the web management interface. A remote non-authenticated attacker can bypass authentication and gain super-admin privileges on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: FortiOS
Links:
https://www.fortiguard.com/psirt/FG-IR-24-535
Multiple vulnerabilities in Ivanti Connect Secure
CVE-2025-0282
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when handling untrusted input. A remote unauthenticated attacker can send specially crafted packets to the system, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild against Ivanti Connect Secure instances.
Software: Ivanti Connect Secure (formerly Pulse Connect Secure)
Links:
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283
Remote denial of service in Palo Alto Networks PAN-OS
CVE-2024-3393
Improper Check for Unusual or Exceptional Conditions
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling in the DNS Security feature. A remote attacker can send specially crafted DNS packets through the data plane of the firewall and perform a denial of service (DoS) attack.
Note, the vulnerability is being actively exploited in the wild.
Software: Palo Alto PAN-OS
OS Command Injection in Four-Faith F3x24 and F3x36 routers
CVE-2024-12856
OS Command Injection
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when modifying the system time via apply.cgi. A remote administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: F3x36, F3x24
Links:
https://vulncheck.com/blog/four-faith-cve-2024-12856
Remote code execution in BeyondTrust Privileged Remote Access and Remote Support software
CVE-2024-12356
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being exploited in the wild.
Software: Remote Support
Links:
OS command injection in BeyondTrust Privileged Remote Access and Remote Support software
CVE-2024-12686
OS Command Injection
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote privileged user can upload a specially crafted file on the system and execute arbitrary code as a site user.
Note, the vulnerability is being exploited in the wild.
Software: Remote Support
Links:
Privilege escalation in Microsoft Windows Common Log File System driver
CVE-2024-49138
Heap-based buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the Windows Common Log File System driver. A local user can trigger a heap-based buffer overflow and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49138
Remote code execution in Cleo products
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote attacker can upload a malicious file and execute it on the server.
Note, the vulnerability is being actively exploited in the wild.
Software: Cleo LexiCom
Links:
https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
Multiple vulnerabilities in I-O DATA UD-LT1 and UD-LT1/EX
CVE-2024-47133
OS Command Injection
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: UD-LT1/EX, UD-LT1
Multiple vulnerabilities in I-O DATA UD-LT1 and UD-LT1/EX
CVE-2024-45841
Incorrect permission assignment for critical resource
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to incorrect permission assignment for critical resource. A remote user can access a specific file and obtain information containing credentials.
Note, the vulnerability is being actively exploited in the wild.
Software: UD-LT1/EX, UD-LT1
Inclusion of Undocumented Features or Chicken Bits in I-O DATA UD-LT1 and UD-LT1/EX
CVE-2024-52564
Inclusion of Undocumented Features or Chicken Bits
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to inclusion of undocumented features. A remote attacker can disable the firewall function on the target products.
Note, the vulnerability is being actively exploited in the wild.
Software: UD-LT1/EX, UD-LT1
Multiple vulnerabilities in macOS Sequoia
CVE-2024-44309
Universal cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of an arbitrary website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note, the vulnerability is being actively exploited in the wild against Intel-based Mac systems.
Software: macOS
Links:
https://support.apple.com/en-us/121753
Multiple vulnerabilities in macOS Sequoia
CVE-2024-44308
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the JavaScriptCore component in WebKit. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild against Intel-based Mac systems.
Software: macOS
Links:
https://support.apple.com/en-us/121753
Arbitrary file disclosure in Oracle Agile PLM Framework
CVE-2024-21287
Missing Authorization
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exits due to missing authorization within the Software Development Kit, Process Extension component. A remote non-authenticated attacker can send a specially crafted HTTP request and view arbitrary file on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Oracle Agile PLM Framework
Links:
https://www.oracle.com/security-alerts/alert-cve-2024-21287.html
Authentication bypass in Palo Alto Networks PAN-OS management web interface
CVE-2024-0012
Improper authentication
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper authentication in the Management Web Interface. A remote non-authenticated attacker can bypass authentication process and gain unauthorized access to the system.
Note, the vulnerability is being actively exploited in the wild in conjunction with #VU100528 (CVE-2024-9474).
Software: Palo Alto PAN-OS
Links:
https://security.paloaltonetworks.com/CVE-2024-0012
Remote code execution in GeoVision devices
CVE-2024-11120
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: GVLX 4 V3, GVLX 4 V2, GV-DSP_LPR_V3, GV-VS11, GV-VS12
Links:
https://www.twcert.org.tw/en/cp-139-8237-26d7a-2.html
Unprotected storage of credentials in FortiClient for Windows
Unprotected storage of credentials
The vulnerability allows a local user to gain access to VPN client credentials.
The vulnerability exists due to application stores user's VPN credentials in plain text in memory after establishing the VPN connection. A local user or a malicious application can retrieve these credentials from the process memory and use them later to connect to the Fortinet VPN server.
Note, the vulnerability is being actively exploited in the wild by the DEEPDATA malware.
Software: Fortinet FortiClient for Windows
Links:
https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/
Path traversal in Advantive VeraCore
CVE-2024-57968
Path traversal
The vulnerability allows a remote user to upload files to arbitrary folders on the system.
The vulnerability exists due to input validation error when processing file uploads in /VeraCore/OMS/upload.aspx. A remote authenticated user can send a specially crafted HTTP POST request and upload files to an arbitrary location on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: VeraCore
Links:
https://intezer.com/blog/research/xe-group-exploiting-zero-days/
NTLMv2 hash disclosure in Microsoft Windows MSHTML component
CVE-2024-43451
Information disclosure
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to disclosure of a user's NTLMv2 hash. A remote attacker can trick the victim into visiting a specially crafted website and obtain their NTLMv2 hash.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43451
Privilege escalation in Microsoft Windows Task Scheduler
CVE-2024-49039
Improper Authentication
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper authentication in the Windows Task Scheduler. A local user can run a specially crafted application to execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49039
Remote unauthenticated code execution in Palo Alto PAN-OS
CVE-2024-9474
OS Command Injection
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to an unspecified vulnerability related to improper input validation within the management interface. A remote user can send a specially crafted request to the system and execute arbitrary OS commands.
Note, the vulnerability is being actively exploited in the wild.
Software: Palo Alto PAN-OS
Links:
https://security.paloaltonetworks.com/PAN-SA-2024-0015
Multiple vulnerabilities in Google Android
CVE-2024-43047
Use After Free
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP Service. A local application can execute arbitrary code.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
Links:
https://source.android.com/docs/security/bulletin/2024-11-01
Multiple vulnerabilities in CyberPanel
CVE-2024-51378
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper authentication within getresetstatus in dns/views.py. A remote non-authenticated attacker can send a specially crafted HTTP POST request to the /dns/getresetstatus or /ftp/getresetstatus endpoints, bypass authentication and execute arbitrary OS commands on the system.
Software: CyberPanel
Known/fameous malware:
PSAUX ransomware
Links:
https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
Multiple vulnerabilities in CyberPanel
CVE-2024-51567
Improper authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper authentication within upgrademysqlstatus in databases/views.py. A remote non-authenticated attacker can send a specially crafted HTTP POST request to the /dataBases/upgrademysqlstatus endpoint, bypass authentication and execute arbitrary OS commands on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: CyberPanel
Known/fameous malware:
PSAUX ransomware
Links:
https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
Denial of service and brute-force attack in Cisco ASA and FTD Remote Access VPN
CVE-2024-20481
Missing Release of Resource after Effective Lifetime
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to resource exhaustion in the Remote Access VPN (RAVPN) service. A remote attacker can perform password spraying attack, cause resource exhaustion and perform a denial of service attack against the RAVPN service.
Note, the vulnerability is being actively exploited in the wild.
Software: Cisco Adaptive Security Appliance (ASA)
Links:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-bf-dos-vDZhLqrW
Remote command execution in Fortinet FortiManager
CVE-2024-47575
Missing authentication for critical function
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing authentication in FortiManager fgfmd daemon. A remote non-authenticated attacker can send specially crafted requests to the system and execute arbitrary commands, resulting in full system compromise.
Note, the vulnerability is being actively exploited in the wild.
Software: FortiManager
Links:
https://www.fortiguard.com/psirt/FG-IR-24-423
Remote code execution in Mozilla Firefox and Firefox ESR
CVE-2024-9680
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in Animation timeline. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Mozilla Firefox
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
Remote code execution in Microsoft Management Console
CVE-2024-43572
Input validation error
The vulnerability allows a remote attacker to compromise the affected system
The vulnerability exists due to insufficient validation of Microsoft Saved Console (MSC) files. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43572
Spoofing attack in Microsoft Windows MSHTML Platform and Internet Explorer
CVE-2024-43573
Universal cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43573
Multiple vulnerabilities in Ivanti Cloud Services Appliance (CSA)
CVE-2024-9381
Path traversal
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild against Ivanti CSA 4.6 users, according to vendor's advisory. Vulnerability exploitation was chained with previously address vulnerability #VU97617 (CVE-2024-8963).
Software: Ivanti Cloud Services Appliance (CSA)
Links:
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381
Multiple vulnerabilities in Ivanti Cloud Services Appliance (CSA)
CVE-2024-9380
OS Command Injection
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote privileged user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Note, the vulnerability is being actively exploited in the wild against Ivanti CSA 4.6 users, according to vendor's advisory. Vulnerability exploitation was chained with previously address vulnerability #VU97617 (CVE-2024-8963).
Software: Ivanti Cloud Services Appliance (CSA)
Links:
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381
Multiple vulnerabilities in Ivanti Cloud Services Appliance (CSA)
CVE-2024-9379
SQL injection
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Note, the vulnerability is being actively exploited in the wild against Ivanti CSA 4.6 users, according to vendor's advisory. Vulnerability exploitation was chained with previously address vulnerability #VU97617 (CVE-2024-8963).
Software: Ivanti Cloud Services Appliance (CSA)
Links:
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381
Privilege escalation in Samsung Exynos
CVE-2024-44068
Use-after-free
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the mobile processor. A local application can execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Exynos 990, Exynos 9825, Exynos 9820, Exynos W920, Exynos 850, Exynos 980
Links:
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2024-44068/
Multiple vulnerabilities in Qualcomm chipsets
CVE-2024-43047
Use After Free
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP Service. A local application can execute arbitrary code.
Note, the vulnerability is being actively exploited in the wild.
Software: Firmware
Remote code execution in ScienceLogic SL1 platform
CVE-2024-9537
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an unspecified vulnerability within the third-party component used by SL1. A remote non-authenticated attacker can send a specially crafted request to the portal and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: SL1
Links:
https://community.sciencelogic.com/blog/latest-kb-articles-and-known-issues-blog-board/week-of-september-30-2024---latest-kb-articles-and-known-issues-part-1-of-2/1690
Mark-of-the-Web bypass in 7-Zip
CVE-2025-0411
Security features bypass
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to application ignores the Mark-of-the-Web identifier when extracting files from an archive. A remote attacker can trick the victim into executing files extracted by the application as no additional security warning occurs.
Note, the vulnerability is being actively exploited in the wild.
This vulnerability was used to target both the Ukrainian government and other Ukrainian organizations in a SmokeLoader campaign that was likely deployed by Russian cybercrime groups.
Software: 7-Zip
Known/fameous malware:
SmokeLoader
Links:
Path traversal in Ivanti Cloud Service Appliance
CVE-2024-8963
Path traversal
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote non-authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system.
The vulnerability can be exploited along with #VU97119 (CVE-2024-8190) to achieve remote code execution and is being exploited in the wild.
Software: Ivanti Cloud Services Appliance (CSA)
Links:
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963
Multiple vulnerabilities in Adobe Acrobat and Reader
CVE-2024-41869
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when handling PDF files. A remote attacker can trick the victim into opening a specially crafted PDF file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Adobe Reader
Links:
Spoofing attack in Microsoft Windows MSHTML Platform and Internet Explorer
CVE-2024-43461
Spoofing attack
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to the way the Internet Explorer displays a user prompt after a file is downloaded. A remote attacker can create a specially crafted filename that causes the true file extension to be hidden, trick the victim into downloading it and potentially compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Remote code execution in Microsoft Publisher
CVE-2024-38226
Protection Mechanism Failure
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. An attacker can trick the victim into opening a specially crafted file, bypass Office macro policies restrictions and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Publisher
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38226
Security features bypass in Microsoft Windows Mark of the Web
CVE-2024-38217
Protection Mechanism Failure
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. An attacker can trick the victim into downloading a specially crafted file, evade Mark of the Web (MOTW) defenses and bypass security features such as SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38217
Privilege escalation in Microsoft Windows Installer
CVE-2024-38014
Improper privilege management
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper privilege management in Windows Installer. A local user can execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014
Remote code execution in Microsoft Windows Update
CVE-2024-43491
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in Microsoft Windows Update services. A remote attacker can send specially crafted traffic to the system, trigger a use-after-free error and execute arbitrary code.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43491
Remote code execution in Kingsoft WPS Office
CVE-2024-7263
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient path validation in promecefpluginhost.exe. A remote attacker can trick the victim into opening a specially crafted spreadsheet document and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.The vulnerability was exploited by a South Korea-aligned cyberespionage group APT-C-60.
Software: WPS Office
Known/fameous malware:
SpyGlace
The vulnerability was exploited by a South Korea-aligned cyberespionage group APT-C-60.
Links:
https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/
Remote code execution in Kingsoft WPS Office
CVE-2024-7262
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient path validation in promecefpluginhost.exe. A remote attacker can trick the victim into opening a specially crafted spreadsheet document and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was exploited by a South Korea-aligned cyberespionage group APT-C-60.
Software: WPS Office
Known/fameous malware:
SpyGlace
The vulnerability was exploited by a South Korea-aligned cyberespionage group APT-C-60.
Links:
https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/
Arbitrary file upload in Versa Networks Director
CVE-2024-39717
Arbitrary file upload
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote authenticated user can upload a malicious file and execute it on the server.
Note, the vulnerability is being actively exploited in the wild.
Software: Versa Director
Links:
https://www.cve.org/CVERecord?id=CVE-2024-39717
Multiple vulnerabilities in Google Chrome
CVE-2024-7965
Improperly implemented security check for standard
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect implementation in V8 in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Multiple vulnerabilities in Google Chrome
CVE-2024-7971
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 engine. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
Remote code execution in Microsoft Project
CVE-2024-38189
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Project
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38189
Privilege escalation in Microsoft Windows Power Dependency Coordinator
CVE-2024-38107
Use-after-free
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within Windows Power Dependency Coordinator. A local user can trigger a use-after-free error and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38107
Security features bypass in Microsoft Windows
CVE-2024-38213
Protection mechanism failure
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. An attacker can bypass Windows Mark of the Web security feature.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38213
Privilege escalation in Microsoft Windows Ancillary Function Driver for WinSock
CVE-2024-38193
Use-after-free
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the ancillary function driver for WinSock. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38193
Privilege escalation in Microsoft Windows kernel
CVE-2024-38106
Race condition
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition within the Windows kernel. A local user can exploit the race and execute arbitrary code with SYSTEM privileges.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38106
Memory corruption in Microsoft Windows Scripting Engine
CVE-2024-38178
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to open a specially crafted webpage in Microsoft Edge in Internet Explorer mode, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38178
Multiple vulnerabilities in Google Android
CVE-2024-36971
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to a use-after-free error within the xfrm_link_failure() function in net/xfrm/xfrm_policy.c, within the dst_entry ip6_dst_check() and ip6_dst_check() functions in net/ipv6/route.c, within the dst_entry ipv4_dst_check() and ip_do_redirect() functions in net/ipv4/route.c. A remote attacker can send specially crafted packets to the system and execute arbitrary code.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
Links:
https://source.android.com/docs/security/bulletin/2024-08-01
Privilege escalation in Microsoft Windows Hyper-V
CVE-2024-38080
Integer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to integer overflow in Windows Hyper-V component. A local user can trigger an integer overflow and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38080
Spoofing attack in Windows MSHTML Platform
CVE-2024-38112
Exposure of resource to wrong sphere
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation. A remote attacker can perform spoofing attack and trick the victim to execute a specially crafted file.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38112
Privilege escalation in Cisco NX-OS Software
CVE-2024-20399
OS Command Injection
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation. A local user can execute arbitrary commands as root on the underlying operating system of an affected device.
Note, the vulnerability is being actively exploited in the wild since of April 2024.
Software: Cisco NX-OS
Multiple vulnerabilities in Google Pixel
CVE-2024-32896
Improper input validation
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Pixel Firmwire subcomponent in Pixel. A local application can execute arbitrary code.
Note, the vulnerability is being actively exploited in the wild.
Software: Pixel
Links:
https://source.android.com/docs/security/bulletin/pixel/2024-06-01
Privilege escalation in Arm Mali GPU kernel drivers
CVE-2024-4610
Use-after-free
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error caused by improper GPU memory processing operations. A local user can execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Bifrost GPU Kernel Driver, Valhall GPU Kernel Driver
Links:
https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
Information disclosure in Check Point Quantum Gateway
CVE-2024-24919
Path traversal
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The
vulnerability exists due to a insufficient validation of file path in Security Gateways
with IPSec VPN, Remote Access VPN and the Mobile Access software blade. A
remote non-authenticated attacker can send a specially crafted HTTP request and view arbitrary files on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Gaia
Links:
https://support.checkpoint.com/results/sk/sk182336
https://blog.checkpoint.com/security/enhance-your-vpn-security-posture
Backdoor in Justice AV Solutions Viewer software
CVE-2024-4978
Embedded malicious code (backdoor)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of embedded malicious functionality in the application setup file "Justice AV Solutions Viewer Setup 8.3.7.250-1" downloaded from the official website. A remote attacker to gain unauthorized access to the system.
Note, the vulnerability is being actively exploited in the wild.
Software: JAVS Viewer
Links:
https://x.com/2RunJack2/status/1775052981966377148
https://github.com/advisories/GHSA-wf54-f8v9-v72v
https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/
Remote code execution in Google Chrome
CVE-2024-5274
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html
Multiple vulnerabilities in Google Chrome
CVE-2024-4947
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html
Remote code execution in Microsoft Windows MSHTML platform
CVE-2024-30040
Security features bypass
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation within the Windows MSHTML Platform. A remote attacker can trick the victim to open or load a specially crafted file, bypass OLE mitigations in Microsoft 365 and Microsoft Office and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-30040
Privilege escalation in Microsoft Windows DWM Core Library
CVE-2024-30051
Heap-based buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows DWM Core Library. A local user can trigger a heap-based buffer overflow and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-30051
Remote code execution in Google Chrome
CVE-2024-4761
Out-of-bounds write
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in V8. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html
Remote code execution in Google Chrome
CVE-2024-4671
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Visuals component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html
Code execution in Cisco Adaptive Security Appliance and Firepower Threat Defense
CVE-2024-20359
Code Injection
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation in a legacy capability that allowed for the preloading of VPN clients and plug-ins. A local user can copy a crafted file to the disk0: file system of an affected device and execute arbitrary code with root privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Cisco Adaptive Security Appliance (ASA)
Denial of service in Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services
CVE-2024-20353
Infinite loop
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when parsing HTTP headers. A remote attacker can send specially crafted HTTP request to the appliance and perform a denial of service (DoS) attack.
Note, the vulnerability is being actively exploited in the wild.
Software: Cisco Adaptive Security Appliance (ASA)
Arbitrary file download in CrushFTP
CVE-2024-4040
External Control of File Name or Path
The vulnerability allows a remote user to delete arbitrary files.
The vulnerability exists due to application allows to access files outside of the virtual file system. A remote authenticated user can read arbitrary system files.
Note, the vulnerability is being exploited in the wild.
Software: CrushFTP
Links:
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
Command Injection in Palo Alto PAN-OS
CVE-2024-3400
Command Injection
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation in the GlobalProtect feature. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Palo Alto PAN-OS
Privilege escalation in Microsoft Windows proxy driver
CVE-2024-26234
Improper access control
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access restrictions within the proxy driver. A local user can execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26234
SmartScreen prompt bypass in Microsoft Windows
CVE-2024-29988
Protection mechanism failure
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient implementation of the Mark of the Web (MotW) feature. A remote attacker can supply a malicious file inside an archive to bypass EDR/NDR detection, bypass the SmartScreen prompt and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-29988
https://www.zerodayinitiative.com/blog/2024/4/9/the-april-2024-security-updates-review
Multiple vulnerabilities in Google Pixel
CVE-2024-29748
Improper input validation
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Pixel Firmware subcomponent in Pixel. A local application can execute arbitrary code.
Note, the vulnerability is being actively exploited in the wild.
Software: Pixel
Multiple vulnerabilities in Google Pixel
CVE-2024-29745
Information exposure
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the bootloader subcomponent in Pixel. A local application can gain access to sensitive information.
Note, the vulnerability is being actively exploited in the wild.
Software: Pixel
Embedded malicious code in XZ Utils
CVE-2024-3094
Embedded malicious code (backdoor)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the system.
Note, the vulnerability is being actively exploited in the wild.
Software: XZ Utils
Links:
https://www.openwall.com/lists/oss-security/2024/03/29/4
Privilege escalation in Microsoft Windows Error Reporting Service
CVE-2024-26169
Permissions, Privileges, and Access Controls
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in the Windows Error Reporting Service, which leads to security restrictions bypass and privilege escalation.
Software: Windows
Known/fameous malware:
Black Basta
Links:
Multiple vulnerabilities in Apple iOS 17 and iPadOS 17
CVE-2024-23296
Buffer overflow
The vulnerability allows a local application to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in RTKit. A malicious application can trigger memory corruption and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Multiple vulnerabilities in Apple iOS 16 and iPadOS 16
CVE-2024-23225
Buffer overflow
The vulnerability allows a local application to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the OS kernel. A malicious application can trigger memory corruption and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT214082
Multiple vulnerabilities in Microsoft Windows Kernel
CVE-2024-21338
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the appid.sys AppLocker driver. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Multiple vulnerabilities in ConnectWise ScreenConnect
CVE-2024-1709
Authentication bypass using an alternate path or channel
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper authentication. A remote non-authenticated attacker can bypass authentication process and gain full access to the system.
Note, the vulnerability is being actively exploited in the wild.
Software: ScreenConnect
Links:
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
Privilege escalation in Microsoft Exchange Server
CVE-2024-21410
Exposure of Resource to Wrong Sphere
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an error in Microsoft Exchange Server. A remote attacker can target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Two OS command injection vulnerabilities in QNAP QTS and QuTS hero
CVE-2023-50358
OS Command Injection
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: QNAP QTS
Security restrictions bypass when handling shortcuts in Microsoft Windows
CVE-2024-21412
Security features bypass
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The
vulnerability exists due to improper input validation when handling Internet shortcut files. A remote attacker can trick the victim into clicking on a specially crafted shortcut file and execute arbitrary code on the system.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21412
Security restrictions bypass in Microsoft Windows SmartScreen
CVE-2024-21351
Security features bypass
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper input validation when handling files downloaded from the Internet. A remote attacker can bypass the SmartScreen protection feature and trick the victim into launching a malicious files on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21351
Remote code execution in FortiOS SSL-VPN
CVE-2024-21762
Out-of-bounds write
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing HTTP requests in sslvpnd. A remote attacker can send specially crafted HTTP requests to the SSL-VPN service, trigger an out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: FortiOS
Links:
https://www.fortiguard.com/psirt/FG-IR-24-015
Multiple vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways
CVE-2024-21893
Server-Side Request Forgery (SSRF)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the SAML component. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Ivanti Connect Secure (formerly Pulse Connect Secure)
Multiple vulnerabilities in Hitron Systems Security Camera DVRs
CVE-2024-23842
Use of default credentials
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to usage of default administrative credentials. A remote attacker can use default credentials to compromise the affected device.
Note, the vulnerability is being actively exploited in the wild by the Mirai botnet.Software: DVR LGUVR-16H
Known/fameous malware:
Mirai
Links:
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-04
Multiple vulnerabilities in Hitron Systems Security Camera DVRs
CVE-2024-22772
Use of default credentials
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to usage of default administrative credentials. A remote attacker can use default credentials to compromise the affected device.
Note, the vulnerability is being actively exploited in the wild by the Mirai botnet.Software: DVR LGUVR-8H
Known/fameous malware:
Mirai
Links:
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-04
Multiple vulnerabilities in Hitron Systems Security Camera DVRs
CVE-2024-22771
Use of default credentials
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to usage of default administrative credentials. A remote attacker can use default credentials to compromise the affected device.
Note, the vulnerability is being actively exploited in the wild by the Mirai botnet.Software: DVR LGUVR-4H
Known/fameous malware:
Mirai
Links:
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-04
Multiple vulnerabilities in Hitron Systems Security Camera DVRs
CVE-2024-22770
Use of default credentials
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to usage of default administrative credentials. A remote attacker can use default credentials to compromise the affected device.
Note, the vulnerability is being actively exploited in the wild by the Mirai botnet.Software: DVR HVR-16781
Known/fameous malware:
Mirai
Links:
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-04
Multiple vulnerabilities in Hitron Systems Security Camera DVRs
CVE-2024-22769
Use of default credentials
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to usage of default administrative credentials. A remote attacker can use default credentials to compromise the affected device.
Note, the vulnerability is being actively exploited in the wild by the Mirai botnet.Software: DVR HVR-8781
Known/fameous malware:
Mirai
Links:
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-04
Multiple vulnerabilities in Hitron Systems Security Camera DVRs
CVE-2024-22768
Use of default credentials
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to usage of default administrative credentials. A remote attacker can use default credentials to compromise the affected device.
Note, the vulnerability is being actively exploited in the wild by the Mirai botnet.
Software: DVR HVR-4781
Known/fameous malware:
Mirai
Links:
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-04
https://www.akamai.com/blog/security-research/2024/jan/hitron-zero-day-vulnerability-spreading-mirai-patched
Multiple vulnerabilities in Apple iOS 16 and iPadOS 16
CVE-2024-23222
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when processing HTML content. A remote attacker can trick the victim to open a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT214063
Multiple vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway
CVE-2023-6549
Buffer overflow
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error. A remote attacker can send specially crated packets to the system, trigger memory corruption and perform a denial of service (DoS) attack.
Successful exploitation of this vulnerability requires that the device is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAAvirtualserver.
Note, the vulnerability is being actively exploited in the wild.
Software: Citrix NetScaler Gateway
Multiple vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway
CVE-2023-6548
Code Injection
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the management interface. A remote authenticated user can send a specially crafted request to the application and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Citrix NetScaler Gateway
Multiple vulnerabilities in Google Chrome
CVE-2024-0519
Buffer overflow
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error in V8 in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html
Multiple vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways
CVE-2024-21887
OS Command Injection
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote authenticated administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system. However this vulnerability can be exploited by a non-authenticated attacker using authentication bypass vulnerability #VU85286 (CVE-2023-46805).
Note, the vulnerability is being actively exploited in the wild.
Software: Ivanti Connect Secure (formerly Pulse Connect Secure)
Links:
Multiple vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways
CVE-2023-46805
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when processing authentication requests. A remote attacker can bypass authentication process and gain unauthorized access to the application.
Note, the vulnerability is being actively exploited in the wild.
Software: Ivanti Connect Secure (formerly Pulse Connect Secure)
Links:
Remote code execution in Barracuda Email Security Gateway Appliance (ESG)
CVE-2023-7102
Exposed dangerous method or function
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation within the third-party Perl library Spreadsheet::ParseExcel used to parse Excel files. A remote attacker can send a specially crafted email with a malicious file inside and execute arbitrary code on the device.
Note, the vulnerability is being actively exploited in the wild.
It is believed that behind vulnerability exploitation is the China nexus actor tracked as UNC4841.
Software: Email Security Gateway (ESG)
Known/fameous malware:
SEASPY, SALTWATER
It is believed that behind vulnerability exploitation is the China nexus actor tracked as UNC4841.
Links:
https://www.barracuda.com/company/legal/esg-vulnerability
Remote code execution in Google Chrome
CVE-2023-7024
Heap-based buffer overflow
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in WebRTC. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html
Embedded malicious code in Ledger Connect Kit
Embedded malicious code (backdoor)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to drain crypto assets from users' wallets.
Note, the vulnerability is being actively exploited in the wild.
Software: connect-kit
Links:
https://twitter.com/Ledger/status/1735291427100455293
OS Command Injection in QNAP QVR Firmware
CVE-2023-47565
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within QNAP VioStor NVR models running QVR firmware. A remote user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild by the Mirai-based botnet named InfectedSlurs.
Software: QVR
Known/fameous malware:
InfectedSlurs
Links:
OS Command Injection in FXC routers
CVE-2023-49897
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote user on the local network can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild by the Mirai-based botnet named InfectedSlurs.
Software: AE1021
Known/fameous malware:
InfectedSlurs
Links:
Multiple vulnerabilities in Apple iOS 17 and iPadOS 17
CVE-2023-42917
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Multiple vulnerabilities in Apple iOS 17 and iPadOS 17
CVE-2023-42916
Out-of-bounds read
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Multiple vulnerabilities in Google Chrome
CVE-2023-6345
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in Skia component in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html
Use of default credentials in Unitronics Vision Series PLCs and HMIs
CVE-2023-6448
Use of default credentials
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to Unitronics Vision Series PLCs and HMIs use default administrative passwords. A remote attacker with network access to a PLC or HMI can gain administrative control over the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Unitronics Vision
Links:
https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems
Privilege escalation in Microsoft Windows DWM Core Library
CVE-2023-36033
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in Windows DWM Core Library. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36033
Security restrictions bypass in Microsoft Windows SmartScreen
CVE-2023-36025
Security features bypass
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an error in Windows SmartScreen feature. A remote attacker can trick the victim to click on a specially crafted .url file and execute arbitrary code on the system.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36025
Privilege escalation in Microsoft Windows Cloud Files Mini Filter Driver
CVE-2023-36036
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in Windows Cloud Files Mini Filter Driver. A local user trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36036
Path traversal in SysAid
CVE-2023-47246
Path traversal
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can upload and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild by the Lace Tempest (DEV-0950) actor.
The vulnerability was exploited by the Lace Tempest (DEV-0950) APT actor.
Software: SysAid
The vulnerability was exploited by the Lace Tempest (DEV-0950) APT actor.
Links:
https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
Multiple vulnerabilities in VMware vCenter Server
CVE-2023-34048
Out-of-bounds write
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error within the DCERPC protocol implementation. A remote non-authenticated attacker can send a specially crafted RPC request to the vCenter Server, trigger an out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild since late 2021.
The vulnerability was used since late 2021 by a Chinese threat actor UNC3886.
Software: vCenter Server
Known/fameous malware:
VIRTUALPITA, VIRTUALPIE
Links:
Multiple vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway
CVE-2023-4966
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote non-authenticated attacker can send specially crafted data to the device, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as AAAvirtualserver.
Note, the vulnerability is being actively exploited in the wild since August 2023.
Software: Citrix NetScaler Gateway
Links:
Multiple vulnerabilities in Cisco IOS XE Web UI software
CVE-2023-20198
Improper Privilege Management
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper privilege management in the web UI feature. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected device and create an account with privilege level 15 access.
Note, the vulnerability is being actively exploited in the wild.
Software: Cisco IOS XE
Links:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
Unauthenticated arbitrary file upload in Royal Elementor Addons plugin for WordPress
CVE-2023-5360
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote attacker can upload a malicious file and execute it on the server.
Note, the vulnerability is being actively exploited in the wild.
Software: Royal Elementor Addons
Links:
https://www.wordfence.com/blog/2023/10/psa-critical-unauthenticated-arbitrary-file-upload-vulnerability-in-royal-elementor-addons-and-templates-being-actively-exploited/
Cross-site scripting in Roundcube
CVE-2023-5631
Cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing SVG files in program/lib/Roundcube/rcube_washtml.php. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note, the vulnerability is being actively exploited in the wild.
Software: Roundcube
Disclosure of NTLM hashes in Microsoft WordPad
CVE-2023-36563
Information disclosure
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to disclosure of NTLM hashes in WordPad. A remote attacker can trick the victim to open a specially crafted file and gain access to sensitive information.
Note, the vulnerability is being exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36563
Information disclosure in Skype for Business server
CVE-2023-41763
Information disclosure
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to IP addresses or port numbers or both to the attacker.
Note, the vulnerability is being actively exploited in the wild.
Software: Skype for Business Server
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-41763
Remote code execution in Confluence Data Center and Server
CVE-2023-22515
Improper Authentication
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing authentication at the "/setup/setupadministrator.action" endpoint. A remote non-authenticated attacker can send specially crafted requests to the server to create an administrative account and gain unauthorized access to the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Confluence Data Center
Links:
https://jira.atlassian.com/browse/CONFSERVER-92475
Multiple vulnerabilities in Apple iOS 17 and iPadOS 17
CVE-2023-42824
Buffer overflow
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the OS kernel. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213961
Multiple vulnerabilities in Qualcomm firmware
CVE-2023-33063
Use-after-free
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error during a remote call from HLOS to DSP. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Firmware
Multiple vulnerabilities in Qualcomm firmware
CVE-2023-33107
Integer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to integer overflow while assigning shared virtual memory region during IOCTL call. A local user can trigger an integer overflow and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Firmware
Multiple vulnerabilities in Qualcomm firmware
CVE-2023-33106
Use of Out-of-range Pointer Offset
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Firmware
Multiple vulnerabilities in Google Chrome
CVE-2023-5217
Heap-based buffer overflow
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in vp8 encoding in libvpx. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
Remote code execution in Cisco IOS and IOS XE Software Cisco Group Encrypted Transport VPN Software
CVE-2023-20109
Out-of-bounds write
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to┬аinsufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols within the Cisco Group Encrypted Transport VPN (GET VPN) feature. A remote authenticated user with administrative control of either a group member or a key server can trigger an out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability has been exploited in the wild.
Software: Cisco IOS
Links:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-getvpn-rce-g8qR68sx
Multiple vulnerabilities in Apple iOS 16 and iPadOS 16
CVE-2023-41992
Input validation error
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input within the OS kernel. A local application can execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213927
Privilege escalation in Trend Micro Apex One and Worry-Free Business
CVE-2023-41179
OS Command Injection
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the third-party AV uninstaller module shipped with the software. A local user can execute arbitrary commands with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apex One
Links:
https://success.trendmicro.com/dcx/s/solution/000294994?language=en_US
Security features bypass in Google Pixel
CVE-2023-4211
Use-after-free
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within Mali GPU Kernel Driver. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Pixel
Links:
https://source.android.com/docs/security/bulletin/pixel/2023-09-01
Privilege escalation in Microsoft Streaming Service Proxy
CVE-2023-36802
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Microsoft Streaming Service Proxy. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36802
Information disclosure in Microsoft Word
CVE-2023-36761
Information disclosure
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the application ca reveal sensitive information to a third-party. A remote attacker can trick the victim to open or preview a specially crafted file and obtain NTLM hash of the current account.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Word
Links:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36761
Remote code execution in Adobe Acrobat and Reader
CVE-2023-26369
Out-of-bounds write
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing PDF. A remote attacker can create a specially crafted PDF file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Adobe Reader
Links:
https://helpx.adobe.com/security/products/acrobat/apsb23-34.html
Remote code execution in Google Chrome
CVE-2023-4863
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing WebP images within libwebp library. A remote attacker can trick the victim to visit a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system. The vulnerability affects all modern browsers that support WebP image processing.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
Multiple vulnerabilities in Apple iOS and iPadOS
CVE-2023-41061
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in Wallet. A remote attacker can trick the victim to open a specially crafted attachment and execute arbitrary code on the system.
Note, the vulnerability is being exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213905
Multiple vulnerabilities in Apple iOS and iPadOS
CVE-2023-41064
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in ImageIO subsystem. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213905
Authentication bypass using an alternate path or channel in Cisco Adaptive Security Appliance and Firepower Threat Defense
CVE-2023-20269
Authentication bypass using an alternate path or channel
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. A remote user can perform a brute-force attack and establish a clientless SSL VPN session with an unauthorized user.
Note, the vulnerability is being actively exploited in the wild.
Software: Cisco Adaptive Security Appliance (ASA)
Multiple vulnerabilities in Google Android
CVE-2023-35674
Improper input validation
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
API authentication bypass in Ivanti Sentry
CVE-2023-38035
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to missing authentication on certain APIs. A remote attacker can send a specially crafted HTTP request to port 8443/TCP, bypass authentication process and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: MobileIron Sentry
Links:
https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
Path traversal in Terrasoft CRM
Path traversal
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote non-authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Note, the vulnerability is being actively exploited in the wild.
Links:
https://safe-surf.ru/specialists/news/697426/
Denial of service in ASP .NET and Visual Studio
CVE-2023-38180
Input validation error
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted input to the application and perform a denial of service (DoS) attack.
Note, the vulnerability is being actively exploited in the wild.
Software: ASP.NET Core
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-38180
File extension spoofing in WinRAR
CVE-2023-38831
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of file names inside .zip archives. A remote attacker can create a specially crafted archive that contains executable malicious files and spoof their file extension to look like .jpeg or .txt.
Note, the vulnerability is being actively exploited in the wild as of April 2023.
Software: WinRAR
Known/fameous malware:
DarkMe, GuLoader, RAT
MitM attack in MicroWorld Technologies eScan
Cleartext transmission of sensitive information
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to software uses insecure communication channel within the software update functionality. A remote attacker with ability to intercept network traffic can perform MitM attack during software update and swap the update package with malicious files.
Note, the vulnerability is being actively exploited in the wild.
Software: eScan
Known/fameous malware:
GuptiMiner
Links:
https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/
Arbitrary file overwrite in Ivanti Endpoint Manager Mobile
CVE-2023-35081
Path traversal
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote privileged user can send a specially crafted HTTP request and overwrite arbitrary files and compromise the affected system.
Note, this vulnerability is being actively exploited in the wild.
Software: Endpoint Manager Mobile (formerly MobileIron Core)
Links:
https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write?language=en_US
Authentication bypass in Ivanti Endpoint Manager Mobile (formerly MobileIron Core)
CVE-2023-35078
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an unspecified error in the authentication process. A remote attacker can bypass authentication and gain unauthorized access to the application.
Note, the vulnerability is being actively exploited in the wild as per Ivanti customers. The company at the moment did not comment on the incident and concealed all information about this vulnerability.
Software: Endpoint Manager Mobile (formerly MobileIron Core)
Links:
https://www.bleepingcomputer.com/news/security/ivanti-patches-mobileiron-zero-day-bug-exploited-in-attacks/
Multiple vulnerabilities in Apple iOS 15 and iPadOS 15
CVE-2023-41990
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in FontParser. A remote attacker can trick the victim to open a specially crafted file or visit a malicious website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Multiple vulnerabilities in Apple iOS 15 and iPadOS 15
CVE-2023-38606
Buffer overflow
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the OS kernel. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213842
Multiple vulnerabilities in Adobe ColdFusion
CVE-2023-38205
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote non-authenticated attacker can bypass implemented security restrictions and gain unauthorized access to the application.
Note, the vulnerability is being actively exploited in the wild.
Software: ColdFusion
Links:
https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html
Multiple vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway
CVE-2023-3519
Code Injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAAтАпvirtualтАпserver. A remote non-authenticated attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Citrix Netscaler ADC
Links:
https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
Reflected XSS in Zimbra Collaboration Suite
CVE-2023-37580
Cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Zimbra Classic Web Client. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note, the vulnerability is being exploited in the wild.
Software: Zimbra Collaboration
Multiple vulnerabilities in Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication modules
CVE-2023-3595
Out-of-bounds write
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing CIP messages. A remote attacker can send specially crafted CIP messages to ports 44818/TCP or 2222/UDP, trigger an out-of-bounds write and execute arbitrary code.
Note, the vulnerability is most likely being exploited in the wild.
Software: 1756-EN2T Series A
Links:
https://www.dragos.com/blog/mitigating-cves-impacting-rockwell-automation-controllogix-firmware/
https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01
https://www.bleepingcomputer.com/news/security/rockwell-warns-of-new-apt-rce-exploit-targeting-critical-infrastructure/
Remote code execution in Microsoft Office and Windows HTML
CVE-2023-36884
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when handling cross-protocol file navigation. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was exploited by the treat actor Storm-0978 (also known as DEV-0978 or RomCom) against defense and government entities in Europe and North America.
Software: Windows
The vulnerability was exploited by the treat actor Storm-0978 (also known as DEV-0978 or RomCom) against defense and government entities in Europe and North America.
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36884
https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
Remote code execution in Microsoft Outlook
CVE-2023-35311
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim to click on a specially crafted URL, bypass the Microsoft Outlook Security Notice prompt and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Outlook
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-35311
Privilege escalation in Microsoft Windows Error Reporting Service
CVE-2023-36874
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Error Reporting Service. A local user can use a specially crafted performance trace to trigger memory corruption and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36874
Security restrictions bypass in Windows SmartScreen
CVE-2023-32049
Security features bypass
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper validation of URLs in Windows SmartScreen. A remote attacker can trick the victim to visit a specially crafted URL, bypass the Open File - Security Warning prompt and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-32049
Remote code execution in Windows MSHTML Platform
CVE-2023-32046
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in Windows MSHTML Platform. A remote attacker can trick the victim to open a specially crafted file, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-32046
Remote code execution in Apple iOS 16 and iPadOS 16
CVE-2023-37450
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
http://support.apple.com/en-us/HT213823
Improper authorization in Ultimate Member plugin for WordPress
CVE-2023-3460
Improper Authorization
The vulnerability allows a remote attacker to compromise the affected website.
The vulnerability exists due to improper authorization within the registration functionality. A remote non-authenticated attacker can register a rouge administrative account and compromise the web application.
Note, the vulnerability is being actively exploited in the wild.
Software: Ultimate Member - User Profile & Membership Plugin
Links:
https://wordpress.org/support/topic/security-issue-144/#post-16859857
Multiple vulnerabilities in Apple iOS and iPadOS
CVE-2023-32435
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213811
Multiple vulnerabilities in Apple iOS and iPadOS
CVE-2023-32439
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in WebKit. A remote attacker can trick the victim to open a specially crafted web page, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213811
Multiple vulnerabilities in Apple iOS and iPadOS
CVE-2023-32434
Integer overflow
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an integer overflow within the OS kernel. A local application can trigger an integer overflow and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213811
Multiple vulnerabilities in Google Pixel
CVE-2023-21237
Information exposure
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.
Note, the vulnerability is being actively exploited in the wild.
Software: Pixel
Links:
https://source.android.com/docs/security/bulletin/pixel/2023-06-01
Authentication bypass in VMware Tools
CVE-2023-20867
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in the vgauth module. An attacker who compromised the ESXi host can bypass authentication process and execute privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs.
Note, the vulnerability is being actively exploited in the wild by the UNC3886 APT actor.
The vulnerability is known to be exploited by the UNC3886 APT actor.
Software: VMware Tools
The vulnerability is known to be exploited by the UNC3886 APT actor.
Links:
https://www.vmware.com/security/advisories/VMSA-2023-0013.html
https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass
Unauthenticated remote code execution in FortiOS and FortiProxy SSL-VPN
CVE-2023-27997
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the SSL-VPN feature. A remote non-authenticated attacker can send specially crafted requests to the SSL-VPN interface, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: FortiOS
Remote code execution in acme.sh
CVE-2023-38198
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when parsing certificates. A remote attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Note, exploitation of this vulnerability has been observed in the wild by compromised HiCA servers.
The vulnerability was exploited through the Chinese intermediary HiCA who claims to be compromised.
Software: acme.sh
The vulnerability was exploited through the Chinese intermediary HiCA who claims to be compromised.
Links:
https://twitter.com/aleksejspopovs/status/1666955050696966148
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys
https://github.com/acmesh-official/acme.sh/issues/4659
Remote code execution in Google Chrome
CVE-2023-3079
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html
SQL injection in MOVEit Transfer
CVE-2023-34362
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Note, the vulnerability is being actively exploited in the wild.
Software: MOVEit Transfer
Links:
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
Backdoor in Gigabyte UEFI firmware
Embedded malicious code (backdoor)
The vulnerability allows a remote attacker to gain unauthorized access to the system.
The vulnerability exists due to presence of embedded malicious functionality (aka backdoor) in the UEFI firmware that was downloaded from the official website using the Gigabyte's App Center. This allows a remote attacker to gain full control over the system.
Note, the vulnerability is being actively exploited in the wild.
Software: UEFI firmware
Missing authorization in Emby Server
Missing Authorization
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insecure default configuration. A remote non-authenticated attacker can send a specially crafted request to the server and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Emby Server
Links:
https://emby.media/support/articles/advisory-23-05.html
Remote code execution in Barracuda Email Security Gateway appliance (ESG)
CVE-2023-2868
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing .tar archives during email attachment screening. A remote unauthenticated attacker can send a specially crafted email with a malicious attachment to the appliance and execute arbitrary Perl commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Email Security Gateway (ESG)
Links:
https://www.barracuda.com/company/legal/esg-vulnerability
Multiple vulnerabilities in Apple iOS 16 and iPadOS 16
CVE-2023-32373
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213757
Multiple vulnerabilities in Apple iOS 16 and iPadOS 16
CVE-2023-28204
Out-of-bounds read
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in WebKit. A remote attacker can trick the victim to visit a specially crafted webpage, trigger an out-of-bounds read error and read contents of memory on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213757
Multiple vulnerabilities in Apple iOS 16 and iPadOS 16
CVE-2023-32409
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger memory corruption and break out of Web Content sandbox.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213757
Secure boot bypass in Microsoft Windows
CVE-2023-24932
Security features bypass
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to improper implementation of the Secure Boot feature. An attacker with physical access to the system or a local user with Administrative rights can bypass Secure Boot.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24932
Privilege escalation in Microsoft Windows Win32k driver
CVE-2023-29336
Use-after-free
The vulnerability allows a local user to escalate privileges on the system.
The
vulnerability exists due to a boundary error within the Win32k driver. A
local user can trigger a use-after-free error and execute arbitrary code
with SYSTEM privileges.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29336
Multiple vulnerabilities in Samsung Mobile Firmware
CVE-2023-21492
Inclusion of sensitive information in log files
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to kernel pointers are printed into the log file. A local application can read the log file and use the kernel pointers to bypass ASLR protection.
Note, the vulnerability is being exploited in the wild.
Software: Samsung Mobile Firmware
Links:
https://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=05
Multiple vulnerabilities in Google Chrome
CVE-2023-2136
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in Skia component in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
Remote code execution in Google Chrome
CVE-2023-2033
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
Privilege escalation in Microsoft Windows Common Log File System Driver
CVE-2023-28252
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in Windows Common Log File System Driver. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
According to Kaspersky, the vulnerability has been exploited in February 2023 against small and medium-sized businesses in the Middle East, in North America, and previously in Asia regions.
Software: Windows
Known/fameous malware:
Nokoyawa ransomware
Multiple vulnerabilities in Apple iOS 16 and iPadOS 16
CVE-2023-28205
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213720
Multiple vulnerabilities in Apple iOS 16 and iPadOS 16
CVE-2023-28206
Out-of-bounds write
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in IOSurfaceAccelerator. A local application can trigger an out-of-bounds write and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213720
Backdoor in 3CX Electron desktop app for Windows and Mac
CVE-2023-29059
Embedded malicious code (backdoor)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the application.
Software: Electron Mac App, Electron Windows App
Links:
https://www.3cx.com/blog/news/desktopapp-security-alert/
Information disclosure in ARM Mali GPU kernel drivers
CVE-2023-26083
Memory leak
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due memory leak. A local application can force the driver to leak memory and gain access to sensitive information.
Note, this vulnerability is being actively exploited in the wild.
The vulnerability was used as part of exploitation chain against Samsung Internet Browser and targeted victims in December 2022 with one-time links sent via SMS to devices located in the United Arab Emirates (UAE).
Software: Valhall GPU Kernel Driver, Bifrost GPU Kernel Driver, Midgard GPU Kernel Driver
The vulnerability was used as part of exploitation chain against Samsung Internet Browser and targeted victims in December 2022 with one-time links sent via SMS to devices located in the United Arab Emirates (UAE).
Links:
https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/
Remote code execution in Dream Security MagicLine4NX
CVE-2023-45797
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: MagicLine4NX
Links:
https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&nttId=71023&menuNo=205020
Remote code execution in General Bytes Crypto Application Server (CAS)
Improper access control
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper access restrictions in the master service interface on port 7741/TCP. A remote attacker can send a specially crafted request to the affected server and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Crypto Application Server (CAS)
Links:
https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2885222430/Security+Incident+March+17-18th+2023
Remote code execution in General Bytes Crypto Application Server (CAS)
CVE-2023-26360
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
Note, the vulnerability is being actively exploited in the wild.
Software: ColdFusion
Multiple vulnerabilities in Adobe ColdFusion
CVE-2023-26359
Deserialization of Untrusted Data
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: ColdFusion
Net-NTLMv2 hash leak in Microsoft Outlook
CVE-2023-23397
Information disclosure
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to the application leaks the Net-NTLMv2 hash. A remote attacker can send a specially crafted email to the victim and obtain the Net-NTLMv2 hash of the Windows account. The victim does not need to open the email, as the vulnerability is triggered automatically when it is retrieved and processed by the email server, e.g. before the email is viewed in the preview pane.
The obtained NTLMv2 hash can be used in the NTLM Relay attack against another service to authenticate as the user.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Outlook
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397
SmartScreen security feature bypass in Microsoft Windows
CVE-2023-24880
Security features bypass
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect implementation of the Windows SmartScreen Security Feature. A remote attacker can trick the victim to open a specially crafted file and bypass the Mark of the Web (MOTW) defenses.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24880
Privilege escalation in FortiOS
CVE-2022-41328
Path traversal
The vulnerability allows a local user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing certain CLI command. A local user can read and write arbitrary files on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: FortiOS
Multiple vulnerabilities in Google Android
CVE-2023-20963
Permissions, Privileges, and Access Controls
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android Framework. A local application can escalate privileges on the device.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
Known/fameous malware:
Pinduoduo backdoor
Links:
Privilege escalation in Microsoft Windows Graphics Component
CVE-2023-21823
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Graphics Component. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21823
Privilege escalation in Windows Common Log File System Driver
CVE-2023-23376
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in Windows Common Log File System Driver. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-23376
Remote code execution in Microsoft Publisher
CVE-2023-21715
Security features bypass
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to unspecified error when processing files. A remote attacker can trick the victim to open a specially crafted file, bypass Office macro policies used to block untrusted or malicious files and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Publisher
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21715
Multiple vulnerabilities in Apple iOS 16 and iPadOS 16
CVE-2023-23529
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when parsing web content in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Known/fameous malware:
PWNYOURHOME
Links:
https://support.apple.com/en-us/HT213635
https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/
Remote code execution in GoAnywhere MFT
CVE-2023-0669
Deserialization of Untrusted Data
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data passed to the "/goanywhere/lic/accept" HTTP endpoint of the administrative web interface. A remote attacker can send a specially crafted HTTP request to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: GoAnywhere MFT
Links:
https://infosec.exchange/@briankrebs/109795710941843934
Use-after-free in Linux kernel
CVE-2023-0266
Use-after-free
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the snd_ctl_elem_read() function in the Linux kernel sound subsystem. A local user can trigger a use-after-free error and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Linux kernel
Privilege escalation in Windows Advanced Local Procedure Call (ALPC)
CVE-2023-21674
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Advanced Local Procedure Call (ALPC). A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21674
Remote code execution in Apple iOS
CVE-2022-42856
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213516
Remote code execution in Citrix ADC and Citrix Gateway
CVE-2022-27518
Improper control of a resource through its lifetime
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper access restrictions in systems configured as a SAML SP or a SAML IdP. A remote non-authenticated attacker can gain unauthorized access to the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Citrix Access Gateway
Links:
https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/
SmartScreen MOTW bypass in Microsoft Windows
CVE-2022-44698
Security features bypass
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in Windows SmartScreen. A remote attacker can bypass Mark of the Web (MOTW) defenses and potentially compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44698
Remote code execution in FortiOS sslvpnd
CVE-2022-42475
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the sslvpnd daemon. A remote non-authenticated attacker can pass specially crafted data to the SSL-VPN interface, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: FortiOS
Links:
https://fortiguard.fortinet.com/psirt/FG-IR-22-398
Remote code execution in Google Chrome
CVE-2022-4262
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html
Remote code execution in Google Chrome
CVE-2022-4135
Heap-based buffer overflow
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in GPU. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html
Multiple vulnerabilities in Microsoft Windows Mark of the Web
CVE-2022-41091
Security features bypass
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to security features bypass in Windows Mark of the Web functionality. A remote attacker can trick a victim to open a specially crafted file and bypass Protected View in Microsoft Office, as demonstrated using a specially crafted ZIP archive.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Privilege escalation in Microsoft Windows CNG Key Isolation Service
CVE-2022-41125
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows CNG Key Isolation Service. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41125
Remote code execution in Microsoft Windows Scripting Languages
CVE-2022-41128
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the JScript9 engine. A remote attacker can trick the victim into visiting a malicious website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was exploited by APT37 in late October 2022 against South Korea.
Software: Windows
Privilege escalation in Microsoft Windows Print Spooler service
CVE-2022-41073
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Print Spooler. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41073
Multiple vulnerabilities in Apple iOS 15 and iPadOS 15
CVE-2022-48618
Improper authentication
The vulnerability allows a local application to compromise the affected system.
The vulnerability exists due to an error within the OS kernel. A local application or user with arbitrary read and write capability can bypass Pointer Authentication and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild against versions of iOS released before iOS 15.7.1.
Software: Apple iOS
Remote code execution in Google Chrome
CVE-2022-3723
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html
Multiple vulnerabilities in Apple iOS 16 and iPadOS 16
CVE-2022-42827
Out-of-bounds write
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the OS kernel component. A local application can trigger an out-of-bounds write error and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213489
Privilege escalation in Microsoft Windows COM+ Event System Service
CVE-2022-41033
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows COM+ Event System Service. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41033
Arbitrary file upload in bingo!CMS
CVE-2022-42458
Missing Authorization
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing authorization in the management functionality responsible for file uploads. A remote non-authenticated attacker can upload a malicious file on the server and execute it.
Successful exploitation of the vulnerability may result in full system compromise.
Note, the vulnerability is being exploited in the wild.
Software: bingo!CMS
Links:
https://www.bingo-cms.jp/information/20221011.html
Remote code execution in Microsoft Exchange Server
CVE-2022-41040
Server-Side Request Forgery (SSRF)
The disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the Exchange OWA Autodiscover service.. A remote user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Links:
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Remote code execution in Microsoft Exchange Server
CVE-2022-41082
Deserialization of Untrusted Data
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote user with access to PowerShell Remoting on vulnerable Exchange systems can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Software: Microsoft Exchange Server
Links:
https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
Remote code execution in Sophos Firewall
CVE-2022-3236
Code Injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the User Portal and Webadmin interfaces of Sophos Firewall. A remote non-authenticated attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Sophos Firewall
Links:
https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
Privilege escalation in Microsoft Windows common log file system driver
CVE-2022-37969
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Common Log File System Driver. A local unprivileged user can run a specially crafted program to trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37969
Multiple vulnerabilities in Trend Micro Apex One
CVE-2022-40139
Insufficient verification of data authenticity
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to improper input validation within the rollback functionality. A remote authenticated user with access to the administrative console can force the agent into downloading unverified rollback components and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apex One
Links:
https://appweb.trendmicro.com/SupportNews/NewsDetail.aspx?id=4553
https://success.trendmicro.com/jp/solution/000291471
Multiple vulnerabilities in Apple macOS Monterey
CVE-2022-32917
Buffer overflow
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the OS kernel. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/en-us/HT213444
Remote code execution in WPGateway plugin for WordPress
CVE-2022-3180
Improper Authorization
The vulnerability allows a remote attacker to compromise the web application.
The vulnerability exists due to missing authorization checks. A remote non-authenticated attacker can send a specially crafted request to the affected plugin and add an administrative user account into your WordPress installation.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary PHP code on the server.
Note, the vulnerability is being actively exploited in the wild as of September 8.
Software: WPGateway
Links:
https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/
Arbitrary file read in BackupBuddy WordPress plugin
CVE-2022-31474
Improper Authorization
The vulnerability allows a remote attacker to download arbitrary files from the server.
The vulnerability exists due to missing authorization for the feature responsible for remote downloading remote backups. A remote non-authenticated attacker can download arbitrary files from the server.
Note, the vulnerability is being actively exploited in the wild.
Software: BackupBuddy
Links:
https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy/
Remote code execution in Photo Station
CVE-2022-27593
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to unspecified vulnerability. A remote non-authenticated attacker can send a specially crafted request to the affected system and execute arbitrary code.
Note, the vulnerability is being actively exploited in the wild by the DeadBolt ransomware.
Software: Photo Station
Known/fameous malware:
DeadBolt
Links:
https://www.qnap.com/en/security-advisory/qsa-22-24
Remote code execution in Google Chrome
CVE-2022-3075
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the Mojo component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html
Improper access control in General Bytes Crypto Application Server (CAS)
Improper access control
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper access restrictions to the default installation page. A remote attacker can connect to the default installation URL and create an administrative user account.
Note, the vulnerability is being active exploited in the wild.
Software: Crypto Application Server (CAS)
Links:
https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2785509377/Security+Incident+August+18th+2022
Multiple vulnerabilities in Apple macOS Monterey
CVE-2022-32893
Out-of-bounds write
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Multiple vulnerabilities in Apple macOS Monterey
CVE-2022-32894
Out-of-bounds write
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the OS kernel component. A local application can trigger an out-of-bounds write error and execute arbitrary code on the system with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Multiple vulnerabilities in Google Chrome
CVE-2022-2856
Input validation error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in Intents component in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
Remote code execution in Microsoft Windows Support Diagnostic Tool (MSDT)
CVE-2022-34713
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Windows Support Diagnostic Tool (MSDT) when processing files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34713
Privilege escalation in Microsoft Windows CSRSS
CVE-2022-22047
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Microsoft Windows Client/Server Runtime Subsystem (CSRSS). A local user can run a specially crafted program to execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047
Remote code execution in Google Chrome
CVE-2022-2294
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within WebRTC implementation. A remote attacker can trick the victim ti visit a specially crafted website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was reported to Google by the Avast Threat Intelligence team on 2022-07-01.
Software: Google Chrome
The vulnerability was reported to Google by the Avast Threat Intelligence team on 2022-07-01.
Links:
https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html
Remote code execution in Mitel MiVoice Connect
CVE-2022-29499
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances тАУ SA 100, SA 400, and Virtual SA). A remote unauthenticated attacker can send a specially crafted HTTP GET request to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: MiVoice Connect
Links:
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0002
Remote code execution in Atlassian Confluence Server
CVE-2022-26134
Code Injection
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation when processing OGNL expressions. A remote non-authenticated attacker can send a specially crafted request to the Confluence Server and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.Software: Atlassian Confluence Server
Remote code execution in Microsoft Windows
CVE-2022-30190
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing URL within the Microsoft Windows Support Diagnostic Tool (MSDT). A remote unauthenticated attacker can trick the victim to open a specially crafted file, which calls the ms-msdt tool and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
UPDATED
The vulnerability resides within MSTD and not in Microsoft Word. Microsoft Word is an attack vector and not the source of vulnerability.
Software: Microsoft Word
Links:
https://twitter.com/nao_sec/status/1530196847679401984 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
Improper access restrictions in Cisco IOS XR
CVE-2022-20821
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to unrestricted access to the Redis instance running within the NOSi container, accessible via port 6379/tcp (the health check RPM opens this port by default). A remote non-authenticated attacker can connect to the Redis instance and obtain sensitive information or modify it.
Note, the vulnerability is being actively exploited in the wild.
Software: Cisco IOS XR
Spoofing attack in Microsoft Windows LSA
CVE-2022-26925
Man-in-the-Middle (MitM) attack
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists within the Windows LSA service. A remote attacker can call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. As a result, an attacker can obtain credentials and compromise the affected system via the NTLM Relay Attack.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26925
Remote code execution in Google Chrome
CVE-2022-1364
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in V8 engine in Google Chrome. A remote attacker can trick the victim to visit a specially crafted web page, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html
Privilege escalation in Microsoft Windows common log file system driver
CVE-2022-24521
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Common Log File System Driver. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24521
Multiple vulnerabilities in Apple macOS Monterey
CVE-2022-22674
Out-of-bounds read
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within Intel Graphics Driver. A local user can trigger an out-of-bounds read error and read contents of kernel memory.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/en-us/HT213220
Multiple vulnerabilities in Apple macOS Monterey
CVE-2022-22675
Out-of-bounds write
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the AppleAVD subsystem. A local user can run a specially crafted program to trigger an out-of-bounds write and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/en-us/HT213220
Remote code execution in Trend Micro Apex Central
CVE-2022-26871
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to improper access restrictions in the Trend Micro Apex Central management console. A remote non-authenticated attacker can upload arbitrary file to the system and execute it.
Note, the vulnerability is being actively exploited in the wild.
Software: Apex Central
Links:
https://success.trendmicro.com/dcx/s/solution/000290678?language=en_US
Remote code execution in Spring Framework
CVE-2022-22965
Code Injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted HTTP request to the affected application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
This vulnerability was dubbed "Spring4Shell".
Software: Pivotal Spring Framework
Links:
https://lab.wallarm.com/update-on-0-day-vulnerabilities-in-spring-spring4shell-and-cve-2022-22963/
Information disclosure in VMware vCenter Server
CVE-2022-22948
Incorrect default permissions
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to incorrect default permissions for files. A local user with access to the system can view contents of certain files.
Software: vCenter Server
Links:
Remote code execution in Sophos Firewall
CVE-2022-1040
Input validation error
The vulnerability allows a remote attacker to compromise the affected device.
The vulnerability exists due to insufficient validation of user-supplied input in the User Portal and Webadmin. A remote attacker can send specially crafted requests to the web interface and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected device.
Note, the vulnerability is being actively exploited in the wild.
Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region.
Software: Sophos Firewall
Remote code execution in Google Chrome
CVE-2022-1096
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html
Remote code execution in Mozilla Firefox
CVE-2022-26486
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing messages in the WebGPU IPC framework. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Mozilla Firefox
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/
Remote code execution in Mozilla Firefox
CVE-2022-26485
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing XSLT parameter. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Mozilla Firefox
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/
Multiple vulnerabilities in Google Chrome
CVE-2022-0609
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html
Remote code execution in Magento
CVE-2022-24086
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can send a specially crafted HTTP POST request to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Software: Adobe Commerce (formerly Magento Commerce)
Links:
https://helpx.adobe.com/security/products/magento/apsb22-12.html
Remote code execution in Apple iOS and iPadOS
CVE-2022-22620
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213093
Cross-site scripting in Zimbra
CVE-2022-24682
Cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note, the vulnerability is being actively exploited in the wild in the targeted attacks aimed to exfiltrated data.
Software: Zimbra Collaboration
Links:
https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
Multiple vulnerabilities in Apple iOS and iPadOS
CVE-2022-22587
Buffer overflow
The vulnerability allows a malicious application to execute arbitrary code with elevated privileges.
The vulnerability exists due to a boundary error within the IOMobileFrameBuffer subsystem. A malicious application can trigger buffer overflow and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213053
Multiple vulnerabilities in Microsoft Win32k
CVE-2022-21882
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Win32k.sys driver. A local user can run a specially crafted program to trigger a buffer overflow and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Remote code execution in FreePBX Phone Apps module
CVE-2021-45461
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in the Phone Apps (restapps) module for FreePBX. A remote attacker can send specially crafted input to the application and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Phone Apps
Links:
https://community.freepbx.org/t/security-issue-potential-rest-phone-apps-rce/80109 https://wiki.freepbx.org/display/FOP/2021-12-21+SECURITY%3A+Potential+Rest+Phone+Apps+RCE https://community.freepbx.org/t/0-day-freepbx-exploit/80092
Multiple vulnerabilities in Google Chrome
CVE-2021-4102
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the V8 engine. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop_13.html
Code injection in Ivanti Endpoint Manager
CVE-2021-44529
Embedded malicious code (backdoor)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) within the "/opt/landesk/broker/webroot/lib/csrf-magic.php" file. A remote non-authenticated attacker can set specially crafted cookies and gain unauthorized access to the application.
Note, the vulnerability patched in 2021 by Ivanti is considered a backdoor.
This entry was added only on 19.2.2024. The vulnerability was addressed by the vendor on 02.12.2021, however it was not disclosued as a backdoor or a zero-day.
Software: Endpoint Manager
Links:
Privilege escalation in Microsoft Windows
CVE-2021-43890
Permissions, Privileges, and Access Controls
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect permissions in windows installer service. A local user can run a specially crafted program to execute arbitrary code with SYSTEM privileges.
The vulnerability exists due to incomplete patch for #VU58061 (CVE-2021-41379).
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Known/fameous malware:
Emotet, Trickbot, Bazaloader
Arbitrary file upload in FatPipe WARP, MPVPN and IPVPN
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload in the web management interface. A remote attacker can upload a malicious file and execute it on the server.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability allows multiple APT actors to gain access to an unrestricted file upload function and execute arbitrary code on the system.
Software: IPVPN, MPVPN, WARP
Remote code execution in Microsoft Excel
CVE-2021-42292
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation when processing Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it and execute arbitrary code on the system.
Note, the vulnerability is being exploited in the wild.
Software: Microsoft Office
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42292
Remote code execution in Microsoft Exchange Server
CVE-2021-42321
Input validation error
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to insufficient validation of cmdlet arguments. A remote user can run a specially crafted cmdlet and execute arbitrary commands on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321
Privilege escalation in Google Android
CVE-2021-1048
Use-after-free
The vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the Android kernel component within the epoll_loop_check_proc() function. A malicious application can trigger a use-after-free error and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
Links:
https://source.android.com/security/bulletin/2021-11-01#2021-11-06-security-patch-level-vulnerability-details
Multiple vulnerabilities in Google Chrome
CVE-2021-38003
Improperly implemented security check for standard
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect implementation in the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
Multiple vulnerabilities in Google Chrome
CVE-2021-38000
Exposed dangerous method or function
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insecure implementation in V8 engine in Google Chrome. A remote attacker can create a specially crafted website, trick the victim into visiting it and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
SQL injection in BQE BillQuick Web Suite
CVE-2021-42258
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Note, the vulnerability is being actively exploited in the wild.The vulnerability allows a remote attacker to cause SQL injection, leading to remote code execution.
Software: BillQuick Web Suite
The vulnerability allows a remote attacker to cause SQL injection, leading to remote code execution.
Privilege escalation in Microsoft Windows kernel
CVE-2021-40449
Use-after-free
The vulnerability allows a local user to escalate privileges on the system.The vulnerability exists due to a boundary error within the Win32k NtGdiResetDC function in Microsoft Windows kernel. A local user can run a specially crafted program to trigger a use-after-free error, when the function ResetDC is executed a second time for the same handle during execution of its own callback, and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Known/fameous malware:
MysterySnail
Privilege escalation in Apple iOS and iPadOS
CVE-2021-30883
Integer overflow
The vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the IOMobileFrameBuffer subsystem. A malicious application can trigger integer overflow and execute arbitrary code on with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212846
Multiple vulnerabilities in Apache HTTP Server
CVE-2021-41773
Path traversal
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.
The vulnerability can be used to execute arbitrary OS commands on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apache HTTP Server
Links:
https://httpd.apache.org/security/vulnerabilities_24.html
Multiple vulnerabilities in Google Chrome
CVE-2021-37976
Information disclosure
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in core in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page and gain access to sensitive information.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html
Multiple vulnerabilities in Google Chrome
CVE-2021-37975
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the V8 browser engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html
Remote code execution in Google Chrome
CVE-2021-37973
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content within the Portals component in Google Chrome. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html
Privilege escalation in Apple macOS Catalina
CVE-2021-30869
Type Confusion
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a type confusion error within the XNU subsystem. A local user can run a specially crafted program to trigger a type confusion error and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/en-us/HT212825
Multiple vulnerabilities in Apple macOS Big Sur
CVE-2021-31010
Deserialization of Untrusted Data
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insecure input validation when processing serialized data within the Core Telephony service. A local application can pass specially crafted data to the service and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Remote code execution in EntroLink PPX-AnyLink devices
Code Injection
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote administrator can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.The vulnerability was used by multiple ransomware gangs to remotely execute code to PPX-AnyLink devices
Software: PPX-AnyLink 6004, PPX-AnyLink 6006, PPX-AnyLink 6900F, PPX-AnyLink 6900, PPX-AnyLink 6904, PPX-AnyLink 8000
The vulnerability was used by multiple ransomware gangs to remotely execute code to PPX-AnyLink devices
Multiple vulnerabilities in Google Chrome
CVE-2021-30633
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Indexed DB API component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in-the-wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
Multiple vulnerabilities in Google Chrome
CVE-2021-30632
Out-of-bounds write
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in V8. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in-the-wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
Remote code execution in Apple iOS
CVE-2021-30858
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in-the-wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212807
Remote code execution in Zoho ADSelfService Plus
CVE-2021-40539
Improper access control
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper access restrictions to the "/RestAPI/LogonCustomization" and "/RestAPI/Connection" REST API endpoints. A remote non-authenticated attacker can send specially HTTP requests to the aforementioned REST API endpoints and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Zoho ManageEngine ADSelfService Plus
Links:
https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
Remote code execution in Microsoft MSHTML
CVE-2021-40444
Code Injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the MSHTML component. A remote attacker can create a specially crafted Office document with a malicious ActiveX control inside, trick the victim into opening the document and execute arbitrary code on the system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
Remote code execution in Apple iOS
CVE-2021-30860
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow when processing PDF files within the CoreGraphics component. A remote attacker can trick the victim to open a specially crafted PDF file, trigger integer overflow and execute arbitrary code on the target system.
Note, the vulnerability is being active exploited in-the-wild via the FORCEDENTRY tool against Bahraini activists.
The vulnerability is believed to be used against Bahraini activists.
Software: Apple iOS
Known/fameous malware:
FORCEDENTRY
The vulnerability is believed to be used against Bahraini activists.
Links:
https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/
Privilege escalation in Microsoft Windows Update Medic Service
CVE-2021-36948
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Update Medic Service. A local user can run a specially crafted program to execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36948
Multiple vulnerabilities in Trend Micro Apex One
CVE-2021-36742
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error. A local user can run a specially crafted program to trigger memory corruption and execute arability code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apex One
Links:
https://success.trendmicro.com/solution/000287819
Multiple vulnerabilities in Trend Micro Apex One
CVE-2021-36741
Arbitrary file upload
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload within the productтАЩs management console . A remote user can upload a malicious file and execute it on the server.
Note, the vulnerability is being actively exploited in the wild.
Software: Apex One
Links:
https://success.trendmicro.com/solution/000287819
Privilege escalation in Apple iOS and iPadOS
CVE-2021-30807
Buffer overflow
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary within the IOMobileFrameBuffer subsystem. A local application can trigger memory corruption and execute arbitrary code on the target system with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Multiple vulnerabilities in Google Chrome
CVE-2021-30563
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html
SQL injection in WooCommerce and WooCommerce Blocks plugin
CVE-2021-32789
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was used to compromise WooCommerce plugin.
Software: WooCommerce
The vulnerability was used to compromise WooCommerce plugin.
Privilege escalation in Microsoft Windows kernel
CVE-2021-31979
Buffer overflow
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Windows kernel. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31979
Remote code execution in Microsoft Scripting Engine
CVE-2021-34448
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in Microsoft scripting engine. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34448
Privilege escalation in Microsoft Windows kernel
CVE-2021-33771
Buffer overflow
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33771
Remote code execution in SolarWinds Serv-U
CVE-2021-35211
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can send a specially crafted request to the Serv-U server, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
MicrosoftтАЩs research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor.
Software: Serv-U FTP Server
MicrosoftтАЩs research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor.
Links:
https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
Remote code execution in Kaseya VSA
CVE-2021-30116
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to unspecified error. A remote attacker can compromise the affected system.
Note, the vulnerability is being actively exploited in the wild by the REvil ransomware.
Software: Kaseya VSA
Known/fameous malware:
REvil
Links:
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
Remote code execution in Microsoft Windows Print Spooler
CVE-2021-34527
Code Injection
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the RpcAddPrinterDriverEx() function. A remote user can send a specially crafted request to the Windows Print Spooler and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being considered a zero-day and dubbed PrintNightmare. This is a different vulnerability than #VU54508 (CVE-2021-1675).
The PoC-code for this vulnerability was being made publicly available by mistake before official patch release. The vulnerability is considered a zero-day.
Software: Windows Server
The PoC-code for this vulnerability was being made publicly available by mistake before official patch release. The vulnerability is considered a zero-day.
Improper access control in WD My Book Live and WD My Book Live Duo
CVE-2021-35941
Improper access control
The vulnerability allows a remote attacker to delete all data on the system.
The vulnerability exists due to improper access restrictions to the administrator API. A remote non-authenticated attacker can send a specially crafted HTTP request to the exposed API and perform a system factory restore, deleting all data on the NAS device.
Note, the vulnerability is being actively exploited in the wild along with vulnerability #VU15460.
Software: WD My Book Live Duo, WD My Book Live
Links:
https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo
Multiple vulnerabilities in Google Chrome
CVE-2021-30554
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the WebGL component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html
Multiple vulnerabilities in Apple iOS 12
CVE-2021-30762
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the WebKit component in Apple iOS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212548
Multiple vulnerabilities in Apple iOS 12
CVE-2021-30761
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the WebKit component in Apple iOS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212548
Multiple vulnerabilities in Google Chrome
CVE-2021-30551
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Privilege escalation in Microsoft Enhanced Cryptographic Provider
CVE-2021-31201
Security restrictions bypass
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Microsoft Enhanced Cryptographic Provider. A local user can bypass implemented security restrictions and read or modify otherwise restricted information.
Note, the vulnerability is being actively exploited in the wild and related to a zero-day vulnerability in Adobe Reader #VU53125 (CVE-2021-28550) patched on May 11.Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201
Privilege escalation in Microsoft Enhanced Cryptographic Provider
CVE-2021-31199
Security restrictions bypass
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Microsoft Enhanced Cryptographic Provider. A local user can bypass implemented security restrictions and read or modify otherwise restricted information.
Note, the vulnerability is being actively exploited in the wild and related to a zero-day vulnerability in Adobe Reader #VU53125 (CVE-2021-28550) patched on May 11.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199
Remote code execution in Microsoft DWM Core Library
CVE-2021-33739
Improper Privilege Management
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper privilege management within the Microsoft DWM Core Library. A remote attacker can trick the victim to run a specially crafted executable or script and execute arbitrary code on the system.
The vulnerability was reported by DBAPPSecurity Lieying Lab.
Software: Windows
The vulnerability was reported by DBAPPSecurity Lieying Lab.
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739
Remote code execution in Windows MSHTML Platform
CVE-2021-33742
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within Windows MSHTML Platform. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
The vulnerability was reported by GoogleтАЩs Threat Analysis Group.
Software: Windows
The vulnerability was reported by GoogleтАЩs Threat Analysis Group.
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742
Privilege escalation in Microsoft Windows NTFS
CVE-2021-31956
Permissions, Privileges, and Access Controls
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists within the NTFS subsystem in Microsoft Windows. A local user can run a specially crafted program to execute arbitrary code with elevated privileges.
The vulnerability was reported to Microsoft by Kaspersky Lab.
Software: Windows
The vulnerability was reported to Microsoft by Kaspersky Lab.
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955
OS Kernel information disclosure Microsoft Windows
CVE-2021-31955
Improper Privilege Management
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to improper privilege management. A local unprivileged user can read contents of Kernel memory from a user mode process.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was reported to Microsoft by Kaspersky Lab.
Software: Windows
The vulnerability was reported to Microsoft by Kaspersky Lab.
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955
Arbitrary file upload in Fancy Product Designer plugin for WordPress
CVE-2021-24370
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload in "wp-admin" or "wp-content/plugins/fancy-product-designer/inc". A remote attacker can upload a malicious file and execute it on the server.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was used to upload arbitrary files on the target system.
Software: Fancy Product Designer
The vulnerability was used to upload arbitrary files on the target system.
Links:
https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/
Multiple vulnerabilities in Apple macOS Big Sur
CVE-2021-30713
Input validation error
The vulnerability allows a local user to bypass Privacy preferences.
The vulnerability exists due to insufficient validation of user-supplied input within the TCC subsystem. A malicious application can bypass Privacy preferences and gain full disk access, perform screen recording or gain other permissions without requiring user's explicit consent.
Note, the vulnerability is being actively exploited in the wild by XCSSET malware.
Software: macOS
Known/fameous malware:
XCSSET
Links:
https://support.apple.com/en-us/HT212529
https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/
Multiple vulnerabilities in Adobe Reader and Acrobat
CVE-2021-28550
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing PDF content. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Adobe Reader
Links:
https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
Multiple vulnerabilities in Google Android
CVE-2021-1906
Detection of Error Condition Without Action
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling within the Graphics component. A local user can trigger a new GPU address allocation failure and perform a denial of service attack.
Note, the vulnerability is being used in limited targeted attacks.
Software: Google Android
Links:
https://source.android.com/security/bulletin/2021-05-01
Multiple vulnerabilities in Google Android
CVE-2021-1905
Use-after-free
The vulnerability allows a local user to escalate privileges on the system
The vulnerability exists due to a use-after-free error in Graphics component when handling memory mapping of multiple processes simultaneously. A local user can escalate privileges on the system.
Note, the vulnerability is being used in limited targeted attacks.
Software: Google Android
Links:
https://source.android.com/security/bulletin/2021-05-01
Multiple vulnerabilities in Google Android
CVE-2021-28664
Buffer overflow
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Arm Mali GPU kernel driver. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r8p0 through r30p0. A local application can trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
Links:
https://source.android.com/security/bulletin/2021-05-01
Multiple vulnerabilities in Google Android
CVE-2021-28663
Use-after-free
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the Arm Mali GPU kernel driver. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0. A local application can trigger a use-after-free error and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
Links:
https://source.android.com/security/bulletin/2021-05-01
Multiple vulnerabilities in Apple iOS 12.x
CVE-2021-30666
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212341
Multiple vulnerabilities in Apple macOS
CVE-2021-30663
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Multiple vulnerabilities in Apple macOS
CVE-2021-30665
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Multiple vulnerabilities in macOS
CVE-2021-30661
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing web content within the WebKit Storage component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/en-us/HT212325
Multiple vulnerabilities in macOS
CVE-2021-30657
Security features bypass
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a logic issue within the Gatekeeper checks. A remote attacker can craft a specially crafted payload that is not checked by Gatekeeper and bypasses File Quarantine and Application Notarization protections as well. As a result, a malicious binary can be executed on the system.
Note, the vulnerability is being actively exploited in the wild.
The Jamf Protect detections team observed this exploit being used in the wild by a variant of the Shlayer adware dropper, as early as January 9th, 2021.
Software: macOS
Known/fameous malware:
Shlayer
Path traversal in SonicWall Email Security
CVE-2021-20023
Path traversal
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the "branding" feature. A remote authenticated user can send a specially crafted HTTP request and read arbitrary files on the system with NT AUTHORITY\SYSTEM account.
Request example:
https://<SonicWall ES host>/dload_apps?action=<any value>&path=..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2Fcalc.exe&id=update
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was used in a chained attack to compromise the vulnerable systems.
Software: SonicWall On-premise Email Security (ES)
Links:
Multiple vulnerabilities in Google Chrome
CVE-2021-21224
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 browser engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html
Remote code execution in Pulse Connect Secure
CVE-2021-22893
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process and compromise the affected device.
The vulnerability exists due to multiple issues in web interface. A remote non-authenticated attacker can bypass authentication process and gain unauthorized access to the application via license server web services.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Ivanti Connect Secure (formerly Pulse Connect Secure)
Links:
Privilege escalation in Microsoft Windows
CVE-2021-28310
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within win32k.sys driver in Microsoft Windows. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28310
Multiple vulnerabilities in SonicWall On-premise Email Security (ES) and Hosted Email Security (HES)
CVE-2021-20022
Arbitrary file upload
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload within the branding feature. A remote administrator can upload a malicious ZIP archive to the system to an arbitrary location using directory traversal sequences in the filenames inside the uploaded archive and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was used in a chained attack to compromise the affected system.
Software: SonicWall On-premise Email Security (ES)
Multiple vulnerabilities in SonicWall On-premise Email Security (ES) and Hosted Email Security (HES)
CVE-2021-20021
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests within the "/createou?data=", responsible for administration capabilities, specifically within the feature that allows application administrators to authorize an additional administrator account from a separate Microsoft Active Directory Organization Unit (AD OU). Requests to this form are not verified to require previous authentication to the appliance. A remote non-authenticated attacker can send a specially crafted XML document via HTTP GET or POST method, create a тАЬrole.ouadminтАЭ account and authenticate to the application as an administrator.
Note, the vulnerability is being actively exploited in the wild.
Software: SonicWall On-premise Email Security (ES)
Universal XSS in Apple iOS
CVE-2021-1879
Universal cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the WebKit engine. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of arbitrary website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212256
Multiple vulnerabilities in Google Chrome
CVE-2021-21193
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within Blink component in Google Chrome. A remote attacker can create a specially crafted webpage, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html
Authentication bypass in The Plus Addons for Elementor for WordPress
CVE-2021-24175
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests. A remote attacker can bypass authentication process and gain administrative access to the application.
Note, the vulnerability is being actively exploited in the wild.
Software: The Plus Addons for Elementor Page Builder
Links:
https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/
Multiple vulnerabilities in Samsung Mobile Firmware
CVE-2021-25370
Use-after-free
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the dpu driver. A local application can trigger a use-after-free error and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Samsung Mobile Firmware
Links:
https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html
Multiple vulnerabilities in Samsung Mobile Firmware
CVE-2021-25369
Improper access control
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions to the sec_log file. A local application can read the log file and obtain sensitive system information.
Note, the vulnerability is being actively exploited in the wild.
Software: Samsung Mobile Firmware
Links:
https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html
Multiple vulnerabilities in Samsung Mobile Firmware
CVE-2021-25337
Permissions, Privileges, and Access Controls
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper access control in clipboard service. A local application can use the clipboard service to read and write arbitrary files on the device.
Note, the vulnerability is being actively exploited in the wild.
Software: Samsung Mobile Firmware
Links:
https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html
Security restrictions bypass in Supermicro X10 UP-series Denlow motherboards
Security restrictions bypass
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in BIOS firmware for X10 UP-series (H3 Single Socket тАЬDenlowтАЭ) motherboard. A local user can plant malware into motherboard firmware and establish permanent persistence on the system, even if OS is reinstalled.
Note, the vulnerability is being actively exploited in the wild by the TrickBoot malware.
Software: X10SLL-S/-SF, X10SL7-F, X10SLA-F, X10SLM+-LN4F, X10SLM+-F, X10SLL+-F, X10SLM-F, X10SLL-F, X10SLH-F
Known/fameous malware:
TrickBoot
Links:
https://www.supermicro.com/en/support/security/Trickbot
Multiple vulnerabilities in Microsoft Exchange Server
CVE-2021-26855
Server-Side Request Forgery (SSRF)
The vulnerability allows a remote attacker to execute arbitrary code on the system.The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted HTTP request to the Microsoft Exchange OWA interface, upload arbitrary file on the server and execute it.
Note, this vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Multiple vulnerabilities in Microsoft Exchange Server
CVE-2021-26857
Input validation error
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
Note, this vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Multiple vulnerabilities in Microsoft Exchange Server
CVE-2021-26858
Input validation error
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
Note, this vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Multiple vulnerabilities in Microsoft Exchange Server
CVE-2021-27065
Input validation error
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
Note, this vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Multiple vulnerabilities in Google Chrome
CVE-2021-21166
Improper control of a resource through its lifetime
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper control of object lifetime in audio in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
Multiple vulnerabilities in Adobe Reader and Acrobat
CVE-2021-21017
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing PDF files. A remote attacker can create a specially crafted PDf file, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Adobe Reader
Links:
https://helpx.adobe.com/security/products/acrobat/apsb21-09.html
Privilege escalation in Microsoft Windows
CVE-2021-1732
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when the Win32k.sys driver in Windows kernel. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732
Remote code execution in Microsoft Internet Explorer
CVE-2021-26411
Double Free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing ".mht" files. A remote attacker can trick the victim to visit a specially crafted webpage, trigger a double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was used by the Lazarus group to target security researchers worldwide.
Software: Microsoft Internet Explorer
The vulnerability was used by the Lazarus group to target security researchers worldwide.
Links:
https://enki.co.kr/blog/2021/02/04/ie_0day.html
https://twitter.com/dnpushme/status/1357264755333816320
Remote code execution in Google Chrome
CVE-2021-21148
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html
Multiple vulnerabilities in Apple iOS and iPadOS
CVE-2021-1870
Business Logic Errors
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to a logic issue in the WebKit component. A remote attacker can trick a victim to visit a malicious website and execute arbitrary code on the system.
Note: The vulnerability is being actively exploited in the wild.
Software: Apple iOS, iPadOS
Multiple vulnerabilities in Apple iOS and iPadOS
CVE-2021-1871
Business Logic Errors
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to a logic issue in the WebKit component. A remote attacker can trick a victim to visit a malicious website and execute arbitrary code on the system.
Note: The vulnerability is being actively exploited in the wild.
Software: Apple iOS, iPadOS
Multiple vulnerabilities in Apple iOS and iPadOS
CVE-2021-1782
Race condition
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a race condition in the Kernel component. A remote attacker can use a malicious application and escalate privileges on the system.
Note: The vulnerability is being actively exploited in the wild.
Software: Apple iOS, iPadOS
SQL injection in SonicWall SMA100
CVE-2021-20016
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote non-authenticated attacker can send a specially crafted HTTP request to the SSL-VPN appliance and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to access usernames, passwords and other session related information.
Note, the vulnerability is being actively exploited in the wild.
SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting zero-day vulnerabilities on certain SonicWall secure remote access products.
At this point both SMA 100 and NetExtender VPN Client are considered affected. Investigation of the incident is still ongoing.
Software: SMA 100
SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting zero-day vulnerabilities on certain SonicWall secure remote access products.
At this point both SMA 100 and NetExtender VPN Client are considered affected. Investigation of the incident is still ongoing.
Links:
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001
https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/
Remote code execution in Microsoft Defender
CVE-2021-1647
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows Defender
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647
SQL injection in Accellion FTA
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed to the web interface. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Note, the vulnerability is being actively exploited in the wild in mid-December 2020 and January 2021.
The vulnerability was used to compromise several companies worldwide, such as Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), law firm Allens, the University of Colorado, the Washington State Auditor Office, and the QIMR Berghofer Medical Research Institute and Singtel.
The attacks were detected in the mid_December 2020 and continued in January 2021.
Software: Accellion FTA
The vulnerability was used to compromise several companies worldwide, such as Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), law firm Allens, the University of Colorado, the Washington State Auditor Office, and the QIMR Berghofer Medical Research Institute and Singtel.
The attacks were detected in the mid_December 2020 and continued in January 2021.
Links:
https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/
Authentication bypass in SolarWinds Orion API
CVE-2020-10148
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests within the SolarWinds Orion API. If an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication. This vulnerability could allow a remote non-authenticated attacker to bypass
authentication and execute API commands which may result in a compromise
of the SolarWinds instance.
Note, this vulnerability is dubbed SUPERNOVA and is being exploited in the wild.
Software: Orion Platform
Known/fameous malware:
SUPERNOVA
Backdoor in SolarWinds Orion Platform
Embedded malicious code (backdoor)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the application.
According to SolarWinds, Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1 are affected.
Note, this vulnerability is being actively exploited in the wild in a supply chain attack and is dubbed SUNBURST.
State-backed hackers are targeting government entities and private businesses all over the world in a global supply chain attack, in which they deploy a malicious SolarWinds update to compromise networks, according to a new report from the cybersecurity firm FireEye.
Known/fameous malware:
Behavior:Win32/Solorigate.C!dha
Links:
Improper access control in Easy WP SMTP plugin for WordPress
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can access the debug log after the password reset, grab the reset link and take over the admin account.
Note: The vulnerability is being actively exploited in the wild.
This vulnerability allows a remote attacker to reset admin account passwords.
Software: Easy WP SMTP
This vulnerability allows a remote attacker to reset admin account passwords.
Multiple vulnerabilities in Google Chrome
CVE-2020-16017
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the site isolation component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_11.html
Multiple vulnerabilities in Google Chrome
CVE-2020-16013
Improperly implemented security check for standard
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect implementation in V8 in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_11.html
Multiple vulnerabilities in Apple macOS
CVE-2020-27950
Out-of-bounds read
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within macOS kernel. A local user can run a specially crafted program to gain access to sensitive kernel information on the system.
Note, this vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/kb/HT211947
Multiple vulnerabilities in Apple macOS
CVE-2020-27932
Type Confusion
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a type confusion error in macOS kernel. A local user can run a specially crafted application to trigger a type confusion error and execute arbitrary code with elevated privileges.
Note, this vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/kb/HT211947
Multiple vulnerabilities in Apple macOS
CVE-2020-27930
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing fonts within the FontParser component. A remote attacker can create a specially crafted document or web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/kb/HT211947
Remote code execution in Google Chrome for Android
CVE-2020-16010
Heap-based buffer overflow
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a heap-based buffer overflow when processing untrusted HTML content in UI in Google Chrome on Android. An remote attacker, who had compromised the renderer process, can perform a sandbox escape via a crafted HTML page.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome for Android
Links:
https://chromereleases.googleblog.com/2020/11/chrome-for-android-update.html
Multiple vulnerabilities in Google Chrome
CVE-2020-16009
Improperly implemented security check for standard
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect implementation in V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.
Note, this vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html
Memory corruption in Windows kernel driver
CVE-2020-17087
Buffer overflow
The vulnerability allows a local user to escalate privilege son the system.
The vulnerability exists due to a boundary error within the Windows Kernel Cryptography Driver cng.sys, which exposes a "\Device\CNG" device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Note, this vulnerability is being actively exploited in the wild.
This vulnerability was used in a trageted attacks along with the #VU47741 issue in FreeType library to attack users of Google Chrome.
Software: Windows
This vulnerability was used in a trageted attacks along with the #VU47741 issue in FreeType library to attack users of Google Chrome.
Multiple vulnerabilities in Oracle Solaris
CVE-2020-14871
Improper input validation
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Pluggable authentication module (PAM) component in Oracle Solaris. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
Note, this vulnerability is being actively exploited in the wild.
According to FireEye, the vulnerability is being exploited in the wild by the actor tracked as UNC1945.
Software: Oracle Solaris
Remote code execution in FreeType library
CVE-2020-15999
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in freetype library when processing TTF files. A remote attacker can pass specially crafted TTF file with PNG sbit glyphs to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
Software: FreeType
Arbitrary file upload in File Manager plugin for WordPress
CVE-2020-25213
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload in wp-file-manager in the "lib/php/connector.minimal.php" and "lib/files/hardfork.php" files. A remote attacker can upload a malicious file and execute it on the server.
Note: The vulnerability is being actively exploited in the wild.┬а
The vulnerability exploitation was detected on September 1st, 2020. The attackers can remotely upload arbitrary files and execute arbitrary code.
Software: File Manager
Links:
https://wpvulndb.com/vulnerabilities/10389/
Denial of service in Cisco IOS XR Software
CVE-2020-3569
Resource exhaustion
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient queue management for Internet Group Management Protocol (IGMP) packets in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco┬аIOS XR Software. A remote attacker can trigger resource exhaustion by sending crafted IGMP┬а traffic to the affected device and perform a denial of service (DoS) attack.
Note: this vulnerability is being actively exploited in the wild.On August 31 Cisco has updated the original advisory to indicate the second vulnerability exploited in the wild.
Software: Cisco IOS XR
Denial of service in Cisco IOS XR Software
CVE-2020-3566
Resource exhaustion
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient queue management for Internet Group Management Protocol (IGMP) packets in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco┬аIOS XR Software. A remote attacker can trigger resource exhaustion by sending crafted IGMP┬а traffic to the affected device and perform a denial of service (DoS) attack.
Note: this vulnerability is being actively exploited in the wild.
On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild.
Software: Cisco IOS XR
On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild.
Links:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz
Remote code execution in Microsoft Internet Explorer
CVE-2020-1380
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380
Signature spoofing in Microsoft Windows
CVE-2020-1464
Cryptographic issues
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to Windows incorrectly validates file signatures. A remote attacker can create a specially crafted file to bypass implemented security restrictions and successfully load a malicious file.
Note: this vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1464
Privilege escalation in Microsoft Windows Print Spooler
CVE-2022-38028
Permissions, Privileges, and Access Controls
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in the Windows Print Spooler, which leads to security restrictions bypass and privilege escalation.
Note, the vulnerability is being exploited in the wild since at least June 2020 and possibly as early as April 2019.
Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
Software: Windows
Known/fameous malware:
GooseEgg
Stored cross-site scripting in Login/Signup Popup plugin for WordPress
Stored cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: The vulnerability is being actively exploited in the wild.
The vulnerability exploitation was detected on May 14, 2020. The authenticated attackers can inject, via the AJAX API, JavaScript code into the pluginтАЩs settings and use it to target the administrator in the backend of WordPress.
Software: Login/Signup Popup ( Inline Form + Woocommerce )
The vulnerability exploitation was detected on May 14, 2020. The authenticated attackers can inject, via the AJAX API, JavaScript code into the pluginтАЩs settings and use it to target the administrator in the backend of WordPress.
Remote code execution in Elementor Pro plugin for WordPress
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote authenticated attacker can upload a malicious file and execute it on the blog.
This vulnerability is exploitable if users have open registration, hovewer in conjunction with a vulnerability in Ultimate Addons for Elementor (SB2020051119), it is possible to be exploited, even if the site does not have user registration enabled.
Note: The vulnerability is being actively exploited in the wild.
The vulnerability exploitation was detected on May 06, 2020. The attackers can remotely execute arbitrary code.
Software: Elementor Pro
SQL injection in Sophos XG Firewall/SFOS
CVE-2020-12271
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed to the User Portal or Admin interfaces. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Note, this vulnerability is being actively exploited in the wild.
The vulnerability exploitation was detected on April 22, 2020. Malware dubbed Asnar├╢k used SQL injection vulnerability to compromise the affected devices and steal users' credentials.
Software: Sophos Firewall
Known/fameous malware:
Asnar├╢k
Remote code execution in Apple iOS
Out-of-bounds write
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing email in the iOS MobileMail. A remote attacker can send a specially crafted email message, trigger an out-of-bounds write and execute arbitrary code on the target system. No user interaction is required to execute arbitrary code.
Note, this vulnerability is being actively exploited in the wild.
According to security researchers this vulnerability is being actively exploited since January 2018.
Software: Apple iOS
According to security researchers this vulnerability is being actively exploited since January 2018.
Links:
https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/
Privilege escalation in Microsoft Windows
CVE-2020-1027
Buffer overflow
The vulnerability allows a local user to escalate privilege so the system.
The vulnerability exists due to a boundary error in the Windows Kernel when handling objects in memory. A local user can use a specially crafted application, trigger memory corruption and execute arbitrary code on the target system with elevated privileges.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027
Remote code execution in Mozilla Firefox and Firefox ESR
CVE-2020-6820
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error caused by a race condition handling ReadableStream. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, this vulnerability is being actively exploited in the wild in targeted attacks.
Software: Mozilla Firefox
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
Remote code execution in Mozilla Firefox and Firefox ESR
CVE-2020-6819
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error caused by a race condition running the nsDocShell destructor. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, this vulnerability is being actively exploited in the wild in targeted attacks.
Software: Mozilla Firefox
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
Remote code execution in Adobe Type Manager Library in Microsoft Windows
CVE-2020-0938
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Windows Adobe Type Manager Library when parsing a specially-crafted multi-master font - Adobe Type 1 PostScript format. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Remote code execution in Adobe Type Manager Library in Microsoft Windows
CVE-2020-1020
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Windows Adobe Type Manager Library when parsing a specially-crafted multi-master font - Adobe Type 1 PostScript format. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020
Multiple vulnerabilities in Merit LILIN DVR devices
Use of hard-coded credentials
The vulnerability allows a remote attacker to gain full access to vulnerable system.
The vulnerability exists due to presence of hard-coded credentials in application code. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Hard-coded accounts:
root/icatch99
report/8Jg0SR8K50Note, this vulnerability is being actively exploited in the wild since August 2019.
The vulnerability exploitation was uncovered by 360Netlab in August 2019. Several attack groups were using vulnerabilities in Lilin DVR firmware spread Chalubo, FBot, and Moobot botnets.
Software: DHD216A, DHD216, DHD208A, DHD208, DHD204A, DHD204, DHD304A, DHD308A, DHD316A, DHD504A, DHD508A, DHD516A
Known/fameous malware:
Chalubo, FBot, Moobot
The vulnerability exploitation was uncovered by 360Netlab in August 2019. Several attack groups were using vulnerabilities in Lilin DVR firmware spread Chalubo, FBot, and Moobot botnets.
Links:
https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
Multiple vulnerabilities in Trend Micro Apex One and OfficeScan
CVE-2020-8468
Input validation error
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a content validation escape issue. A remote authenticated attacker can pass specially crafted input to the application and manipulate certain agent client components.
Note: the vulnerability is being actively exploited in the wild.
Vendor reports in the wild exploitation of this vulnerability.
Software: Apex One
Vendor reports in the wild exploitation of this vulnerability.
Links:
https://success.trendmicro.com/solution/000245571
Multiple vulnerabilities in Trend Micro Apex One and OfficeScan
CVE-2020-8467
Code Injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the migration tool component. A remote authenticated attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: the vulnerability is being actively exploited in the wild.
Vendor reports in the wild exploitation of this vulnerability.
Software: OfficeScan
Vendor reports in the wild exploitation of this vulnerability.
Links:
https://success.trendmicro.com/solution/000245571
Improper access control in Custom Searchable Data Entry System plugin for WordPress
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application, leading to data modification and deletion, including the potential to delete the entire contents of any table in a vulnerable siteтАЩs database.
Note: the vulnerability is being actively exploited in the wild.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify and delete the pluginтАЩs data.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify and delete the pluginтАЩs data.
Stored cross-site scripting in Async JavaScript plugin for WordPress
Stored cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "wp-admin/admin-ajax.php" file with the "aj_steps" AJAX action. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability is being actively exploited in the wild.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
Stored cross-site scripting in 10Web Map Builder for Google Maps plugin for WordPress
Stored cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the pluginтАЩs setup process. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability is being actively exploited in the wild.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
Stored cross-site scripting in Modern Events Calendar Lite plugin for WordPress
Stored cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in several AJAX actions. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability is being actively exploited in the wild.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
Improper access control in Flexible Checkout Fields for WooCommerce plugin for WordPress
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and inject new fields and scripts into the WooCommerce checkout page.
Note: the vulnerability is being actively exploited in the wild.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers downloaded Woo-Add-To-Carts plugin on the system and created administrative accounts.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers downloaded Woo-Add-To-Carts plugin on the system and created administrative accounts.
Multiple vulnerabilities in Google Chrome
CVE-2020-6418
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in V8 component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: This vulnerability is being actively exploited in the wild.
Software: Google Chrome
Remote code execution in Microsoft Internet Explorer
CVE-2020-0674
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Software: Microsoft Internet Explorer
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200001
Remote code execution in Mozilla Firefox and Firefox ESR
CVE-2019-17026
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error with StoreElementHole and FallibleStoreElement when processing HTML content in IonMonkey JIT compiler. A remote attacker can create a specially crafted webpage, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
The vulnerability was reported by Qihoo 360 ATA researchers.
Software: Mozilla Firefox
The vulnerability was reported by Qihoo 360 ATA researchers.
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
Privilege escalation in Microsoft Windows
CVE-2019-1458
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing objects in memory within the Win32k component. A local user can create a malicious application, launch it on the system and execute arbitrary code with SYSTEM privileges.
Note, this vulnerability is being actively exploited in the wild.
This vulnerability was reported by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. This vulnerability was used in Operation WizardOpium campaign against Korean users.
Software: Windows
This vulnerability was reported by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. This vulnerability was used in Operation WizardOpium campaign against Korean users.
Remote code execution in Draytek Vigor 2960, 3900 and 300B
CVE-2020-8515
Improper Neutralization of Special Elements in Output Used by a Downstream Component
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the affected devices allow remote code execution as root (without authentication) via shell metacharacters to the "cgi-bin/mainfunction.cgi" URI.
Note, this vulnerability is being actively exploited in the wild starting from December 4, 2019.
The vulnerability in WebUI of DrayTek Vigor enterprise routers is being exploited in the wild at least from December 4, 2019. Two affected scripts are believed to be used by two different attack groups to eavesdrop on FTP and email traffic inside corporate networks.
Software: Vigor 2960
Links:
Remote code execution in Microsoft Internet Explorer
CVE-2019-1429
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Software: Microsoft Internet Explorer
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429
Remote code execution in Google Chrome
CVE-2019-13720
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content within the audio component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Note, this vulnerability is being actively exploited in the wild.
Kaspersky Lab has identified in the wild exploitation of the vulnerability. This vulnerability was used in Operation WizardOpium campaign against Korean users.
Software: Google Chrome
Kaspersky Lab has identified in the wild exploitation of the vulnerability. This vulnerability was used in Operation WizardOpium campaign against Korean users.
Links:
Remote code execution in Microsoft Internet Explorer
CVE-2019-1367
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error within the scripting engine in JScript.dll. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Privilege escalation in Microsoft Windows Winsock
CVE-2019-1215
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the ws2ifsl.sys (Winsock). A local user can run a specially crafted application, trigger memory corruption and execute arbitrary code on the target system with elevated privileges.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Privilege escalation in Microsoft Windows CLFS
CVE-2019-1214
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Common Log File System (CLFS) driver. A local user can create a specially crafted application and execute arbitrary code on the system with elevated privileges.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Privilege escalation in Microsoft Windows Win32k component
CVE-2019-1132
NULL pointer dereference
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a NULL pointer dereference error when processing objects in memory within the Win32k component. A local user can create a malicious application, launch it on the system and execute arbitrary code with SYSTEM privileges.
Note, this vulnerability is being actively exploited in the wild.
sha1: CBC93A9DD769DEE98FFE1F43A4F5CADAF568E321
Software: Windows
Known/fameous malware:
Win32/Exploit.CVE-2019-1132.A
VBA/TrojanDropper.Agent.ABM
VBA/TrojanDropper.Agent.AGK
Win32/Spy.Buhtrap.W
Win32/Spy.Buhtrap.AK
Win32/RiskWare.Meterpreter.G
sha1: CBC93A9DD769DEE98FFE1F43A4F5CADAF568E321
Links:
Privilege escalation in Microsoft splwow64
CVE-2019-0880
Permissions, Privileges, and Access Controls
The vulnerability allows a local to escalate privileges on the system.
The vulnerability exists due to the way splwow64.exe handles certain calls. A local user can abuse this functionality to elevate privileges on an affected system from low-integrity to medium-integrity.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Security restrictions bypass in Mozilla Firefox and Firefox ESR
CVE-2019-11708
Permissions, Privileges, and Access Controls
The vulnerability allows a remote attacker to bypass sandbox restrictions.
The vulnerability exists due to insufficient vetting of parameters passed with the Prompt:Open
IPC message between child and parent processes. A remote attacker can create a specially crafted web page that can make the non-sandboxed parent process open web content chosen by a compromised child process.
An attacker can combine this behavior along with another vulnerability to execute arbitrary code on the system with privileges on the current user.
Note, this vulnerability is being exploited in the wild along with SB2019061805 (CVE-2019-11707)
This vulnerability was used along with CVE-2019-11707 in a targeted attack against Conbase.
Software: Mozilla Firefox
This vulnerability was used along with CVE-2019-11707 in a targeted attack against Conbase.
Remote code execution in Oracle WebLogic Server
CVE-2019-2729
Deserialization of Untrusted Data
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within XMLDecoder class. A remote non-authenticated attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Oracle has released a security alert, notifying users on in the wild exploitation of the vulnerability.
Software: Oracle WebLogic Server
Remote code execution in Mozilla Firefox and Firefox ESR
CVE-2019-11707
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when manipulating JavaScript objects due to issues in Array.pop. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild along with SB2019062002 (CVE-2019-11708).
The vulnerability was reported by Mozilla to be actively exploited in the wild.
This vulnerability as reportedly used in a targeted attack against Coinbase employees on Monday, June 17 2019.
The vulnerability was used in conjunction with another sandbox bypass issue CVE-2019-11708, patched by Mozilla on June 20, 2019.
This vulnerability was independently discovered and reported to Mozilla by a security researcher Samuel Gro├Я on April 15. It took Mozilla 64 days to issue a security fix.
Software: Mozilla Firefox
The vulnerability was reported by Mozilla to be actively exploited in the wild.
This vulnerability as reportedly used in a targeted attack against Coinbase employees on Monday, June 17 2019.
The vulnerability was used in conjunction with another sandbox bypass issue CVE-2019-11708, patched by Mozilla on June 20, 2019.
This vulnerability was independently discovered and reported to Mozilla by a security researcher Samuel Gro├Я on April 15. It took Mozilla 64 days to issue a security fix.
Links:
Privilege escalation in Windows Error Reporting
CVE-2019-0863
Input validation error
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the way Windows Error Reporting (WER) handles files. A local user can create a specially crafted WER file and execute arbitrary code on the system in kernel mode.
Note: this vulnerability is being actively exploited in the wild.
Software: Windows
Remote code execution in WhatsApp
CVE-2019-3568
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WhatsApp VOIP stack when processing SRTCP packets. A remote attacker can send a series of specially crafted SRTCP packets sent to a target phone number, trigger buffer overflow and execute arbitrary code on the target device.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was used in a targeted attack against a limited number of people. First vulnerability exploitation was detected on May 12 2019. The attackers targeted a phone of a UK-based human rights lawyer to install spyware.
Software: WhatsApp Messenger for Android
Known/fameous malware:
Pegasus
Links:
Improper access control in Yuzo Related Posts WordPress plugin
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to the website.
The vulnerability exists due to improper access restrictions when processing HTTP requests. A remote attacker can pass specially crafted configuration to the affected application and inject arbitrary JavaScript code WordPress configuration.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable application.
Note: the vulnerability is being actively exploited i the wild.
Improper access control vulnerability in the plugin allowed attacker to inject malicious JavaScript code and redirect users to phishing websites.
Software: Related Posts
Privilege escalation in Win32k.sys driver in Microsoft Windows
CVE-2019-0859
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing objects in memory within the Win32k component. A local user can create a malicious application, launch it on the system and execute arbitrary code with SYSTEM privileges.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was reported to Microsoft by Vasily Berdnikov and Boris Larin from Kaspersky Lab.
Software: Windows
Privilege escalation in Win32k.sys driver in Microsoft Windows
CVE-2019-0803
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing objects in memory within the Microsoft Graphics Win32k component. A local user can create a malicious application, launch it on the system and execute arbitrary code with SYSTEM privileges.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was reported to Microsoft by Donghai Zhu of Alibaba Cloud Intelligence Security Team.
Software: Windows
Backdoor in Asus Live Update
Hidden functionality (backdoor)
The vulnerability allows a remote attacker to compromise vulnerable system
The vulnerability exists due to hidden functionality (backdoor) is present in software. A remote attacker can use this functionality to gain full access to the application and compromise the affected system.
Note: this backdoor was implented as a result of ASUS servers compromise within the APT attack dubbed тАЬOperation ShadowHammerтАЭ. The campaign ran from June to at least November 2018.
Software: ASUS Live Update
Stored XSS in Social Warfare WordPress plugin
CVE-2019-9978
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting attacks.
The vulnerability exists due to usage of the eval() JavaScript call on data passed via the "swp_url" HTTP GET parameter to "/wp-admin/admin-post.php" script, when "swp_debug" is set to "load_options", allowing to permanently inject and execute arbitrary JavaScript code on the website. A remote unauthenticated attacker can store a specially crafted JavaScript code into database and execute it in browser of every website visitor.
Note: this vulnerability is being actively exploited in the wild.
Exploitation example:
http://[host]/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://[malicious_js_script]/
A stored XSS vulnerability in the Social Warfare plugin, used by 70 000 users, led to a mass hacking campaign of WordPress websites.
Software: WordPress Social Sharing Plugin - Social Warfare
Links:
Insecure deserialization in Easy WP SMTP plugin for WordPress
Deserialization of Untrusted Data
The vulnerability allows a remote attacker to compromise vulnerable website.
The vulnerability exists due to insecure input validation when processing serialized data passed via the "swpsmtp_import_settings" HTTP POST parameter to /easy-wp-smtp.php script. A remote unauthenticated attacker can import arbitrary wp_options and reconfigure WordPress to allow user registration with administrative privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable website.
Note: this vulnerability is being actively exploited in the wild.
WordPress websites were under attack due to vulnerability in a popular WP plugin since March 15, 2019.
Software: Easy WP SMTP
Privilege escalation in Microsoft Windows Win32k.sys driver
CVE-2019-0797
Memory corruption
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Win32k.sys driver. A local user can execute a specially crafted application, trigger memory corruption and execute arbitrary code on the target system with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Kaspersky Lab has detected and reported a zero-day vulnerability in Win32k.sys driver in Microsoft Windows.
Software: Windows
Privilege escalation in Microsoft Windows
CVE-2019-0808
NULL pointer dereference
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a NULL pointer dereference error in the win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call within the win32k.sys kernel driver. A local user can use a specially crafted application to escape sandbox and execute arbitrary code on the target system with SYSTEM privileges.
Note, this vulnerability is being actively exploited in the wild along with vulnerability in Google Chrome described in (SB2019030405).
On March 7th Google has reported in the wild exploitation of vulnerability in Microsoft Windows. During the attack the adversary used another zero-day vulnerability in Google Chrome in order to execute code on the system and vulnerability in Microsoft Windows to escalate privileges.
The initial attack was detected in late February.
Software: Windows
The initial attack was detected in late February.
Links:
Remote code execution in Google Chrome
CVE-2019-5786
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in FileReader. A remote attacker can trick the victim into opening a specially crafted file with Google Chrome, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability is being exploited in the wild.
The vulnerability in Google Chrome was used in a targeted attack along with another zero-day in Microsoft Windows.
The initial attack was detected in late February.
Software: Google Chrome
The vulnerability in Google Chrome was used in a targeted attack along with another zero-day in Microsoft Windows.
The initial attack was detected in late February.
Dangerous file upload in Adobe ColdFusion
CVE-2019-7816
Dangerous file upload
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing file uploads. A remote attacker can upload and execute arbitrary code on the target system with privileges of the ColdFusion service. Successful exploitation of the vulnerability requires that the attacker has the ability to upload files.
Note, this vulnerability is being actively exploited in the wild.
Software: ColdFusion
Information disclosure via PDF files in Google Chrome
Exposed dangerous method or function
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the PDF viewer allows sending information to a third-party domain via the "this.submitForm()" PDF Javascript API.┬аA remote attacker can trick the victim into opening a specially crafted PDF file with Google Chrome and obtain sensitive information.
Note: the vulnerability is being actively exploited in the wild.
Vulnerability exploitation was spotted by EdgeSpot in late December 2018. The company detected multiple PDF samples in the wild that use dangerous JavaScript method to send information, retrieved from user's computer to a third-party domain.
Software: Google Chrome
Information Disclosure in Microsoft Internet Explorer
CVE-2019-0676
Out-of-bounds read
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to boundary error when processing HTML content. A remote attacker can trick the victim to open a specially crafted webpage, trigger out-of-bounds read and test for the presence of files on disk.
Software: Microsoft Internet Explorer
Multiple vulnerabilities in Apple iOS
CVE-2019-7287
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges.The weakness exists due to a boundary error in the IOKit component when handling malicious input. A local attacker can run a specially crafted application, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Note: according to Ben Hawkes, team leader at Project Zero, the vulnerability has been exploited in the wild as 0day.
According to Ben Hawkes, team leader at Project Zero, the vulnerability has been exploited in the wild as 0day.
Software: Apple iOS
Multiple vulnerabilities in Apple iOS
CVE-2019-7286
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges.The weakness exists due to a boundary error in the Foundation component when handling malicious input. A local attacker can run a specially crafted application, trigger memory corruption and gain elevated privileges.
Note: according to Ben Hawkes, team leader at Project Zero, the vulnerability has been exploited in the wild as 0day.
According to Ben Hawkes, team leader at Project Zero, the vulnerability has been exploited in the wild as 0day.
Software: Apple iOS
Memory Corruption in Microsoft Internet Explorer
CVE-2018-8653
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing web pages. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Privilege escalation in Windows kernel
CVE-2018-8611
Race condition
The vulnerability allows a local user to execute arbitrary code with elevated privileges.
The vulnerability exists due to a race condition within the Kernel Transaction Manager driver (ntoskrnl.exe) when processing transacted file operations in kernel mode. A local user can create a specially program, and run arbitrary code on the system n kernel mode.
Note: the vulnerability is being exploited in the wild.
This vulnerability was reported to Microsoft by Kaspersky Lab. It is believed it was used by FruityArmor and SandCat APT groups against companies in the Middle East and Africa.
Software: Windows
Links:
Multiple vulnerabilities in Adobe Flash Player
CVE-2018-15982
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing SWF files. A remote attacker can create a specially crafted .swf file, trick the victim to open it and execute arbitrary code on system with privileges of the current user.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being exploited in the wild.
Vulnerability exploitation was spotted by several security companies. The attack was detected on November 29, 2018 and seems to be executed by a Ukrainian APT group UA-APT.
360 Core Security dubbed the attack "Operation Poison Needles".
Software: Adobe Flash Player
Vulnerability exploitation was spotted by several security companies. The attack was detected on November 29, 2018 and seems to be executed by a Ukrainian APT group UA-APT.
360 Core Security dubbed the attack "Operation Poison Needles".
Links:
Privilege escalation in Windows Win32k.sys driver
CVE-2018-8589
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within Win32k.sys driver. A local user can create a specially crafted application, run it on vulnerable system and execute code withe superuser privileges.
Note: this vulnerability is being actively exploited in limited targeted attacks.
The vulnerability was privately reported to Microsoft by Kaspersky Lab.
Software: Windows
Denial of service in Suricata
CVE-2018-18956
Segmentation fault
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to segmentation fault in the ProcessMimeEntity function in util-decode-mime.c when handling malicious input. A remote attacker can supply specially crafted input to the SMTP parser, trigger segfault and cause daemon crash.
Note: according to MITRE statement, the vulnerability has been exploited in the wild in November 2018.
According to MITRE statement, the vulnerability has been exploited in the wild in November 2018.
Software: Suricata
Denial of service when processing SIP packets in Cisco ASA and Cisco Firepower Threat Defense
CVE-2018-15454
Input validation error
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of SIP traffic. A remote attacker can send specially crafted SIP packets to the affected device, cause high CPU load that may lead to denial of service conditions.
Note, this vulnerability is being actively exploited in the wild against a limited number of targets.
The vulnerability was discovered during the resolution of a Cisco TAC support case and reported by Cisco PSIRT.
Software: Cisco ASA 5500-X Series
Remote code execution in Microsoft Word
Logic error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a logical bug is revealed when embedding a video via the 'online video' feature. A remote attacker can embed a video inside a Word document, edit the XML file named document.xml, replace the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Note: as of October 31, 2018 the vulnerability is being actively exploited in the wild.
Trend Micro has issued a report detailing in the wild exploitation of a publicly disclosed vulnerability in Microsoft Word. According to VirusTotal timestamps, the first wave of exploitation began on October 31, 2018. The vulnerability was disclosed on October 25.
Software: Microsoft Word
Known/fameous malware:
TROJ_EXPLOIT.AOOCAI
TSPY_URSNIF.OIBEAO
Links:
Arbitrary file upload in jQuery File Upload plugin
CVE-2018-9206
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists in the plugin's source code that handles file uploads to PHP servers due to software allows upload of arbitrary files to the system. A remote unauthenticated attacker can upload arbitrary .htaccess file to impose security restrictions to its upload folder and upload backdoors and web shells.
Note: The vulnerability has been actively exploited for at least 3 years.
The vulnerability is publicly known since at least 2015.
Software: jQuery File Upload
Links:
Privilege escalation in GDPR Compliance plugin for WordPress
CVE-2018-19207
Privilege escalation
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to the software fail to do capability checks when executing its internal action save_setting to make such configuration changes when processing arbitrary options and values to this endpoint. A remote attacker can set the users_can_register option to 1, and change the default_role of new users to тАЬadministratorтАЭ to simply fill out the form at /wp-login.php?action=register and immediately access a privileged account, change these options back to normal and install a malicious plugin or theme containing a web shell or other malware to further infect the victim site.
Note: this vulnerability is being actively exploited in the wild.
Vulnerability exploitation has been spotted in the wild by WordPress website owners. The initial attack was first reported on October 13. The attackers used vulnerability in plugin to gain administrative privileges on the affected websites.
Software: WP GDPR Compliance
Privilege escalation in Microsoft Windows Win32k
CVE-2018-8453
Use-after-free
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to a use-after free error in win32kfull!xxxDestroyWindow Win32k component. A local user can run a specially crafted application, trigger memory corruption and execute arbitrary code in kernel mode.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: the vulnerability has been actively exploited in the wild.
According to Kaspersky Lab, the vulnerability is being actively exploited by the FruityArmor APT actor.
Software: Windows
Known/fameous malware:
HEUR:Exploit.Win32.Generic
HEUR:Trojan.Win32.Generic
PDM:Exploit.Win32.Generic
Backdoor in Vesta Control Panel
Backdoor
VestaCP repository was compromised around May 2018 and contained malware at least until June 2018. As a result, user's credentials, generated by VestaCP, and other information were stolen by the attackers.
Software: Vesta Control Panel
Known/fameous malware:
Linux/ChachaDDoS
Spoofing attack in Apple Safari
Spoofing attack
The vulnerability allows a remote attacker to conduct spoofing attack.
The weakness exists due to the way macOS processes URI handlers with enabled "Open Safe Files" setting in Safari browser. A remote attacker can create a specially crafted web page, trick the victim into clicking on a spoof dialog box and force unauthorized downloading of malicious file (e.g. ZIP-archive). Once downloaded, the archive will be automatically extracted.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability is being exploited in the wild by the WindShift APT actor against government organizations in the Middle East.
Software: Apple Safari
Multiple vulnerabilities in Microsoft Windows SMB
CVE-2019-0703
Information disclosure
The vulnerability allows a remote authenticated attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way that the Windows SMB Server handles certain requests. A remote authenticated user can gain unauthorized access to sensitive information on the system.
Note: this vulnerability has being exploited in the wild. The exploit code was detected in the Bemstour exploit tool in September 2018 and has being used by Buckeye (APT3) APT group.
Software: Windows
Known/fameous malware:
Bemstour exploit tool
Privilege escalation in Microsoft Windows
CVE-2018-8440
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to ALPC access control flaw. A local attacker can create a hard link from a readable file on the system to a '.job' file in the 'c:\windows\tasks' directory, invoke the _SchRpcSetSecurity() method of the task scheduler service ALPC endpoint to overwrite the linked file and gain system level privileges on the target system. The vulnerability was dubbed "SendboxEscaper".
Note: the vulnerability is being exploited in the wild by the PowerPool group.
Software: Windows
Remote command execution in Windows Shell on Microsoft Windows 10 and 2016
CVE-2018-8414
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to an error when validating file paths in Windows Shell. A remote attacker can create a specially crafted file, trick the victim into opening it and execute arbitrary system commands on the vulnerable system.
Software: Windows
Remote code execution in Microsoft Internet Explorer
CVE-2018-8373
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error in VBScript when the scripting engine handles objects in memory in Internet Explorer. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: The vulnerability has been exploited in the wild.
The vulnerability was spotted in the wild by Trend Micro researcher on July 11, 2018. The exploit sample detected by the researchers was using the same obfuscation technique as exploits for CVE-2018-8174, spotted in the wild by Qihoo 360 in April 2018.
Software: Microsoft Internet Explorer
Known/fameous malware:
HTML_EXPLOIT.YYRV
The vulnerability was spotted in the wild by Trend Micro researcher on July 11, 2018. The exploit sample detected by the researchers was using the same obfuscation technique as exploits for CVE-2018-8174, spotted in the wild by Qihoo 360 in April 2018.
Links:
Multiple vulnerabilities in Adobe Flash Player
CVE-2018-5002
Stack-based buffer overflow
The vulnerability allows a remote attacker to compromise target system.
The vulnerability exists due to a stack-based buffer overflow when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow the attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The attacks exploiting this vulnerability mainly target the Middle East.
Software: Adobe Flash Player
The attacks exploiting this vulnerability mainly target the Middle East.
Remote code execution in Samsung SDS Acube ActiveX Control
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the AcubeFileCtrl.ocx ActiveX component. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code on the target system.
Note: this vulnerability is being actively exploited in the wild.
The South Korean CERT has reported in the wild exploitation of a remote code execution vulnerability in a popular ActiveX component. The group behind this attack is called Andariel Group. the group is tied to activity of a known North Korean adversary Lazarus Group.
Software: Samsung SDS Acube ActiveX Control
Links:
CSRF in multiple DrayTek routers
Cross-site request forgery
The vulnerability allows a remote attacker to perform CSRF attacks.The vulnerability exists due to insufficient validation of the HTTP request origin in DrayTek Vigor web management interface. A remote attacker can change setting of Vigor router.
Note: this vulnerability has been exploited in the wild in May 2018. The attackers changed DNS servers of victims to address: 38.134.121.95
Vulnerability exploitation was spotted by users of DrayTek routers. Attackers used CSRF vulnerability to change DNS settings of multiple routers to address: 38.134.121.95.
Software: DrayTek firmware
Links:
https://helpforum.sky.com/t5/Sky-Q/Sky-Q-and-Draytek-router/td-p/2835571
https://www.draytek.co.uk/support/security-advisories/kb-advisory-csrf-and-dns-dhcp-web-attacks
https://www.draytek.com/en/about/news/2018/notification-of-urgent-security-updates-to-draytek-router...
https://www.bleepingcomputer.com/news/security/draytek-router-zero-day-under-attack/
Multiple vulnerabilities in Adobe Reader and Acrobat
CVE-2018-4990
Double free memory error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to double free memory error when handling malicious input. A remote attacker can trick the victim into opening a specially crafted .pdf file and execute arbitrary code with privileges of the current user.
In March 2018 ESET detected attacks using two zero-day vulnerabilities in Microsoft win32k.sys driver (CVE-2018-8120) and and Adobe Acrobat.
Software: Adobe Acrobat
Known/fameous malware:
JS/Exploit.Pdfka.QNV trojan (ESET)
Privilege escalation in Microsoft Windows win32k.sys driver
CVE-2018-8120
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to boundary error in win32k.sys driver. A local user can execute arbitrary code with SYSTEM privileges.
Note: this vulnerability is being actively exploited in limited targeted attacks.The vulnerability was reported by ESET in March 2018. The attackers used this vulnerability along with double free error in Adobe Acrobat CVE-2018-4990.
Software: Windows
Known/fameous malware:
Win32/Exploit.CVE-2018-8120.A trojan (ESET)
Remote denial of service in Matrix Synapse
CVE-2018-10657
Improper input validation
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.The vulnerability exists due to an input validation error where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py. A remote attacker can send malicious messages and perform a denial of service attack.
Note: this vulnerability has been exploited in the wild in April 2018.
The attack was performed on Sunday, April 29 against #matrix:matrix.org and #matrix-dev:matrix.org that made the rooms temporarily unusable.
Software: Synapse
Integer overflow in Useless Ethereum Token (UET) implementation
CVE-2018-10468
Integer overflow
The vulnerability allows a remote attacker to steal digital assets.
The vulnerability exists due to integer overflow within the transferFrom() function of a smart contract implementation for Useless Ethereum Token (UET). A remote attacker can steal assets (e.g., transfer all victims' balances into their account) because certain computations involving _value are incorrect.
The vulnerability was dubbed "transferFlaw" and has been exploited in the wild in December 2017.
This particular vulnerability affects a publicly traded ERC20 token listed in a top exchange. According to PeckShield this vulnerability has been already exploited in the wild since 2017/12/23 in multiple transactions.
Software: Useless Ethereum Token
Integer overflow in SmartMesh ERC20 token
CVE-2018-10376
Integer overflow
The vulnerability allows a remote attacker to manipulate digital assets.
The vulnerability exists due to integer overflow in a smart contract implementation for SmartMesh (aka SMT) within Ethereum ERC20 token. A remote unauthenticated attacker can increase digital assets via crafted _fee and _value parameter.
Note: the vulnerability was actively exploited in April 2018 and was dubbed "proxyOverflow".
Vulnerability exploitation was spotted on April 24 by a blockchain security startup PeckShield. As a result, OKEx has suspended all ERC-20 tokens.
Software: SmartMesh ERC20 token
Authentication bypass in MikroTik RouterOS
CVE-2018-14847
Improper authentication
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to improper authentication in the exposed by default Winbox interface on port 8291/TCP. A remote attacker can send specially crafted packets to the affected service, bypass authentication, download local database with user accounts and gain full access to the vulnerable device.
Successful exploitation of the vulnerability may result in system compromise.
Note: this vulnerability has being exploited in the wild in April 2018.
The vulnerability was exploited against a very limited number of targets.
Software: MikroTik RouterOS
Integer overflow in multiple Ethereum-based (ERC20) smart contracts
CVE-2018-10299
Integer overflow
The vulnerability allows a remote attacker to perform unauthorized actions.The vulnerability exists due to integer overflow in the batchTransfer() function of a smart contract implementation for Beauty Ecosystem Coin (BEC). The Ethereum ERC20 token used in the Beauty Chain economic system allows attackers to accomplish an unauthorized increase of digital assets by providing two _receivers arguments in conjunction with a large _value argument.
The vulnerability is dubbed "batchOverflow". It is exploited in the wild and caused suspension of all transactions and transfers by OKEx exchange.
The vulnerability exploitation resulted in suspension of all BeautyChain (BEC) transactions.
Software: ERC-20
Remote code execution in Microsoft VBScript engine
CVE-2018-8174
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can trick the victim into visiting a specially crafted website or open a malicious Office file and execute arbitrary code on the target system.
Note: the vulnerability is being actively exploited in the wild against victims in Asia region. The vulnerability is dubbed "double play".
Vulnerability exploitation was detected by Qihoo 360. The company uncovered a zero-day vulnerability in IE, dubbed тАШdouble playтАЩ, that was triggered by weaponized MS Office documents. The experts have been observing an APT group targeting a limited number of users exploiting the zero-day flaw.
Hackers can use the тАШdouble playтАЩ flaw to implant a backdoor Trojan and take full control over the vulnerable machine.
The APT group was delivering an Office document with a malicious web page embedded, once the user opens the document, the exploit code and malicious payloads are downloaded and executed from a remote server. The later phase of this attack leverages a public UAC bypass technique and uses file steganography and memory reflection loading to avoid traffic monitoring and achieve loading with no files. This тАШdouble playтАЩ vulnerability may affect the latest versions of Internet Explorer and applications that are with IE kernel.
For now most of the victims are located in Asia.
In May 2018 the vulnerability was added into the RIG exploit kit, after the PoC code became publicly available.
Software: Windows
Known/fameous malware:
RIG exploit kit
Hackers can use the тАШdouble playтАЩ flaw to implant a backdoor Trojan and take full control over the vulnerable machine.
The APT group was delivering an Office document with a malicious web page embedded, once the user opens the document, the exploit code and malicious payloads are downloaded and executed from a remote server. The later phase of this attack leverages a public UAC bypass technique and uses file steganography and memory reflection loading to avoid traffic monitoring and achieve loading with no files. This тАШdouble playтАЩ vulnerability may affect the latest versions of Internet Explorer and applications that are with IE kernel.
For now most of the victims are located in Asia.
In May 2018 the vulnerability was added into the RIG exploit kit, after the PoC code became publicly available.
Authentication bypass in Vesta Control Panel
Improper authentication
The vulnerability allows a remote attacker to bypass authentication checks and gain full access to the affected system.The vulnerability exists due to import validation of the authentication credentials in Vesta CP management interface. A remote unauthenticated attacker can send a specially crafted HTTP request to Vesta CP management interface, bypass authentication and gain full control over the affected server.
Note: this vulnerability is being actively exploited in the wild.
The attack was reportedly performed from IP addresses, located in China. The attackers created a file "/etc/cron.hourly/gcc.sh" on infected systems. If this file is present on your server, it means that you system has been compromised.
The vulnerability was used to compromise hosting servers. The attack was reportedly performed from IP addresses, located in China.
This vulnerability triggered an outage of Digitalocean in NYC regions.
Software: Vesta Control Panel
This vulnerability triggered an outage of Digitalocean in NYC regions.
Remote code execution in PyBitmessage
Remote code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to a message encoding bug. A remote attacker can send a specially crafted message, run an automated script looking in ~/.electrum/wallets, open a remote reverse shell, gain access to other files and execute arbitrary code.
Successful exploitation of the vulnerability results in system compromise.
Note: the vulnerability has been actively exploited to create a remote shell and steal bitcoins from Electrum wallets.
The vulnerability was used in the wild against PyBitmessage v0.6.2 users. According to vendor's notice, Bitmessage developer Peter ┼аurda's Bitmessage addresses were compromised as well by the attackers.
Software: PyBitmessage
Remote code execution in Adobe Flash Player
CVE-2018-4878
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can execute arbitrary code on the target system.
Note: this vulnerability is being actively exploited in the wild against the latest version of Adobe Flash Player.
UPDATE: The vendor has issued the fixed version on February 6, 2018.
KR-CERT reported in the wild exploitation of zero-day vulnerability in the latest version of Adobe Flash Player. According to the South Korean Computer Emergency Response Team (KR-CERT), the exploit has being used in the wild since mid-November 2017.
Security experts for FireEye linked the vulnerability to the hacking group TEMP.Reaper. The IP-addresses from which attacks were connected with the C&C-servers belong to the Internet provider Star JV - a joint venture of North Korea and Thailand.
Cisco Talos observed use of vulnerability in attacks conducted by Group 123.
According to FireEye, after successful exploitation of the vulnerability the system is infected with DOGCALL malware.
Cisco Talos specialists also reported cyberattacks using the malicious software, which they called Rokrat.
As revealed by security experts for Morphisec Labs Michael Gorelik and Assaf Kachlon the vulnerability has been used in a watering hole attack against Hong Kong Telecommunications company.
Software: Adobe Flash Player
Known/fameous malware:
DOGCALL
Rokrat
KR-CERT reported in the wild exploitation of zero-day vulnerability in the latest version of Adobe Flash Player. According to the South Korean Computer Emergency Response Team (KR-CERT), the exploit has being used in the wild since mid-November 2017.
Security experts for FireEye linked the vulnerability to the hacking group TEMP.Reaper. The IP-addresses from which attacks were connected with the C&C-servers belong to the Internet provider Star JV - a joint venture of North Korea and Thailand.
Cisco Talos observed use of vulnerability in attacks conducted by Group 123.
According to FireEye, after successful exploitation of the vulnerability the system is infected with DOGCALL malware.
Cisco Talos specialists also reported cyberattacks using the malicious software, which they called Rokrat.
As revealed by security experts for Morphisec Labs Michael Gorelik and Assaf Kachlon the vulnerability has been used in a watering hole attack against Hong Kong Telecommunications company.
Links:
https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=26998
https://www.bleepingcomputer.com/news/security/new-adobe-flash-zero-day-spotted-in-the-wild/
https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html
http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
http://blog.morphisec.com/watering-hole-attack-hong-kong-telecom-site-flash-exploit-cve-2018-4878
Remote code execution in Microsoft Word
CVE-2018-0802
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to a boundary error when processing Microsoft Word documents. A remote attacker can create a specially crafted Word document, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.
Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software.
Note: the vulnerability is being exploited in the wild.
Software: Microsoft Word
Remote code execution in Huawei HG532 routers
CVE-2017-17215
Command injection
The vulnerability allows a remote attacker with administrator privileges to perform command injection attack on the target system.The weakness exists due to the implementation of the TR-064 (technical report standard), an application layer protocol for remote management, in the Huawei devices was exposed on the public Internet through Universal Plug and Play (UPnP) protocol at port 37215. A remote attacker can inject shell meta-characters тАЬ$()тАЭ in the NewStatusURL and NewDownloadURL, inject arbitrary commands and execute arbitrary code.
Successful exploitation of the vulnerability allows to download and execute the malicious payload on the Huawei routers and upload Satori botnet that may result in system compromise.
Note: the vulnerability is being actively exploited.
The vulnerability has been used in Satori attacks against Huawei's router model HG532. The most targeted countries include the United States, Italy, Germany, and Egypt.
Software: Huawei HG532
Known/fameous malware:
Satori botnet, Mirai malware
Information disclosure in Roundcube
CVE-2017-16651
Information disclosure
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.The weakness exists due to insufficient validation of file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests. A remote attacker can modify the login form and submit it with valid credentials (username/password) of an email account, send a specially crafted HTTP request and gain unauthorized access to arbitrary files on the host's filesystem, including configuration files of Roundcube.
Note: the vulnerability is being actively exploited.
Software: Roundcube
Remote code execution in Adobe Flash Player
CVE-2017-11292
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when processing .swf files. A remote unauthenticated attacker can create a specially crafted .swf file, trick the victim into opening it and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
According to Kaspersky Lab, the vulnerability has being exploited by the BlackOasis threat actor. The recent attacks leveraging today's zero-day sent malicious Office documents to victims, which came with an embedded ActiveX object that contained the Flash CVE-2017-11292 exploit.
Software: Adobe Flash Player
Known/fameous malware:
FINSPY
Remote code execution in Microsoft Office
CVE-2017-11826
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling malicious content. A remote attacker can send a specially crafted .doc file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Note: the vulnerability is being actively exploited.
The weakness was reported to Microsoft by researchers at China-based security firm Qihoo 360. The experts said they first observed an attack exploiting this vulnerability on September 28. The attacks targeted a small number of the companyтАЩs customers and they involved malicious RTF files.
Software: Microsoft Office
Backdoor in CCleaner
Backdoor
CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 were shipped with a backdoor code from official vendorтАЩs website. The incident was detected on September 12.The malicious version was released on August 15. Users, who downloaded CCleaner between August 15 and September 12, are affected.
Avast reported a security breach, which involved compromise of one of the CCleaner distribution servers. As a result, the adversary was able to distribute a backdoored version of CCleaner application between August 15 and September 12. The compromised version of CCleaner was distributed from the official vendor's website.
Software: CCleaner
Remote code execution in Microsoft .NET Framework
CVE-2017-8759
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to uncpecified error when processing untrusted input. A remote unauthenticated attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was detected by FireEye researchers. The attacker used Microsoft Office RTF document to leverage RCE in .NET Framework and deploy FINSPY malware. The malicious document тАЬ╨Я╤А╨╛╨╡╨║╤В.docтАЭ (MD5: fe5c4d6bb78e170abf5cf3741868ea4c) had Russian name and might have been used to target a Russian speaker.
Software: Microsoft .NET Framework
Known/fameous malware:
FINSPY
Backdoor in NetSarang software
Backdoor
The vulnerability allows a remote attacker to gain complete control over affected system.The weakness exists due to presence of backdoor functionality in the nssock2.dll library. After installation, the backdoor ShadowPad activates itself by sending a DNS TXT request for a specific domain. After successful activation, a remote attacker can gain full access to the affected system.
The backdoor has the ability to connect to a malicious C&C server and executed commands, sent by malicious actors.
The backdoor was discovered on August 4, 2017 by Kaspersky Labs researchers.
A backdoor code was detected in NetSarang software on August 4, 2017. Next day, on August 5 the developer has released an update to resolve the issue. As of August 15, there is an evidence, that the code has being utilized by one instance in Hong Kong.
The malicious code was delivered to the vendor's clients by compromising the software update mechanism. The backdoor was included into updates, issued on July 18, 2017. The update contained ShadowPad backdoor.
Software: Xftp
Known/fameous malware:
ShadowPad backdoor
The malicious code was delivered to the vendor's clients by compromising the software update mechanism. The backdoor was included into updates, issued on July 18, 2017. The update contained ShadowPad backdoor.
Privilege escalation in Linux kernel
CVE-2017-7533
Race condition
The vulnerability allows a local user to execute arbitrary code with escalated privileges.The vulnerability exists due to a race condition in the fsnotify implementation in the Linux kernel through 4.12.4. A local user can create an application, which leverages simultaneous execution of the inotify_handle_event and vfs_rename functions and trigger memory corruption and denials of service attack or execute arbitrary code on the target system with root privileges.
Successful exploitation of this vulnerability may allow a local user to obtain elevated privileges on the system.
Note: this vulnerability is being active exploited in the wild for 32-bit systems in August 2017.
Software: Linux kernel
Backdoor in Web Developer Google Chrome extension
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The vulnerability exists due to presence of backdoor code in Web Development Google Chrome extension 0.4.9, distributed via Google Web Store.
The browser extension for Google Chrome has been hijacked on Google Web Store.
Software: Web Developer (Chrome extension)
Backdoor in Copyfish Google Chrome extension
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The vulnerability exists due to presence of backdoor code in Copyfish Google Chrome extension 2.8.5, distributed via Google Web Store.
The browser extension has been hijacked on Google Web Store.
Software: Copyfish (Chrome extension)
Backdoor in Social Fixer Google Chrome extension
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The vulnerability exists due to presence of backdoor code in Social Fixer Google Chrome extension 20.1.1, distributed via Google Web Store.
The browser extension was hijacked on July 3, 2017 and a backdoor was distributed via Google Web Store. The attackers have published non-existing version of the extension 20.1.1.
Software: Social Fixer (Chrome extension)
Backdoor in M.E.Doc software
Backdoor
The security issue exists due to presence of backdoor code in updates, distributed from the official website. After update installation, the system becomes infected with NotPetya ransomware.Malware, present in the code, also performs various attempts to infect other systems.
The backdoor code was distributed via automatic update functionality. The infected version 10.01.189 contained backdoor code, which downloaded and installed NotPetya ransomware along with other tools, indented to distribute malware within local network. 75% of victims were located in Ukraine.
Software: M.E.Doc
Known/fameous malware:
NotPetya
The backdoor code was distributed via automatic update functionality. The infected version 10.01.189 contained backdoor code, which downloaded and installed NotPetya ransomware along with other tools, indented to distribute malware within local network. 75% of victims were located in Ukraine.
Multiple vulnerabilities in Drupal
CVE-2017-6922
Security restrictions bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to insufficient file protection. A remote attacker can bypass access restrictions and view private files that have been uploaded by an anonymous user but not permanently attached to content on the site.
Successful exploitation of the vulnerability may result in access bypass.
Note: The vulnerability was being actively exploited for spam purposes.
There are confirmed reports indicating that this vulnerability has been publicly exploited in spam campaigns. The attackers were creating accounts, uploading files with spam links to advertise or influence SEO rankings.
Software: Drupal
Backdoor in Chrometana Google Chrome extension
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The vulnerability exists due to presence of backdoor code in Chrometana Google Chrome extension 1.1.3, distributed via Google Web Store.
The browser extension was hijacked on Google Web Store. That update included alert10.js, malware that opens popups saying you have a virus.
Software: Chrometana (Chrome extension)
Remote code execution in Windows Search service
CVE-2017-8543
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when Windows Search handles objects in memory. A remote unauthenticated attacker can send specially crafted messages to the Windows Search service and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Windows
Remote code execution when processing .LNK files in Microsoft Windows
CVE-2017-8464
Improper input validation
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to an error when processing .LNK files. A remote attacker can create a specially crafted .LNK file and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability is being actively exploited in the wild.
Software: Windows
Backdoor in Infinity New Tab Google Chrome extension
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The vulnerability exists due to presence of backdoor code in Infinity New Tab Google Chrome extension 3.12.3, distributed via Google Web Store.
The browser extension was hijacked on Google Web Store. The injected script was displaying and advertisement via alert10.js script, informing victims that their PC has been infected with malware and suggesting to purchase fake antivirus.
Software: Infinity New Tab (Chrome extension)
Buffer overflow in Microsoft Windows RDP for Windows XP/2003
CVE-2017-0176
Buffer overflow
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to a boundary error in the Smart Card authentication code in gpkcsp.dll within Windows Remote Desktop services. A remote attacker can send specially crafted packets to the vulnerable system, trigger buffer overflow and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to gain complete control over the affected system.
Note: this vulnerability was publicly disclosed by the Shadow Brokers hacking team along with a fully functional exploit known as "тАЬEsteemAudit".
The vulnerability is being exploited in the wild.
The vulnerability was disclosed by the Shadow Brokers hacking team.
Software: Windows
Known/fameous malware:
EsteemAudit
Two remote code execution vulnerabilities when processing EPS files in Microsoft Office
CVE-2017-0262
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when processing EPS wiles within Microsoft Office documents. A remote unauthenticated attacker can create a specially crafted document, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current victim.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was used by APT28 team along with another zero-day CVE-2017-0263.
Software: Microsoft Office
Known/fameous malware:
GAMEFISH
Multiple vulnerabilities in Win32.sys in Microsoft Windows
CVE-2017-0263
Elevation of privilege
The vulnerability allows a local user to elevate privileges on the system.
The vulnerability exists due to boundary error in Win32k.sys driver. A local user can escalate privileges on the system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was used by APT28 team along with another zero-day CVE-2017-0262.
Software: Windows
Known/fameous malware:
GAMEFISH
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0222
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Note: the vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Remote code execution in QNAP QTS
Improper access control
The vulnerability allows a remote attacker to compromise vulnerable device.
The vulnerability exists due to unknown error, which leads to QNAP device compromise. Vulnerability details are not disclosed yet.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable device.
Note: the vulnerability is being actively exploited in the wild.
QNAP reported a security issue involving unauthorized access to the QNAP devices. Several QNAP NAS devices running QTS have been injected with XMR mining programs, specifically from mineXMR.com.
Software: QNAP QTS
Remote command injection in Ghostscript
CVE-2017-8291
Type confusion
The vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on a targeted system.The weakness exists due to type confusion error when processing user-supplied parameters passed to the .rsdparams and .eqproc functions in ghostscript. A remote attacker can submit a specially crafted .eps document, execute code in the context of the ghostscript process and bypass -dSAFER protection.
Successful exploitation of the vulnerability may result in system compromise.
Note: this vulnerability is being exploited in the wild.
Software: Ghostscript
Remote code execution in IMAP server in IBM Lotus Domino
CVE-2017-1274
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing mailbox names in the EXAMINE IMAP command. A remote authenticated attacker can send an EXAMINE IMAP command containing an overly long mailbox name, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak.
The list of affected products, according to software vendor:
- IBM Domino 9.0.1 through 9.0.1 Feature Pack 8 Interim Fix 1
- IBM Domino 9.0 through 9.0 Interim Fix 7
- IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 16
- IBM Domino 8.5.2 through 8.5.2 Fix Pack 4
- IBM Domino 8.5.1 through 8.5.1 Fix Pack 5
The exploit code was disclosed by the Shadow Brokers leak.
Software: IBM Domino
Known/fameous malware:
EMPHASISMINE exploit
Two remote code execution vulnerabilities when processing EPS files in Microsoft Office
CVE-2017-0261
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error when processing EPS images within Microsoft Office files. A remote attacker can create a specially crafted Office file with malicious EPS image, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was used by Turla and an unknown financially motivated actor.
Software: Microsoft Office
Known/fameous malware:
SHIRIME
NETWIRE
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/2017-2605
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261
https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
https://blogs.technet.microsoft.com/msrc/2017/05/09/coming-together-to-address-encapsulated-postscri...
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0210
Cross-domain scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victimтАЩs browser in security context of another domain.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: this vulnerability is being exploited in the wild.
Software: Microsoft Internet Explorer
Remote code execution in Microsoft Office
CVE-2017-0199
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can create a specially crafted Office document, trick the victim into opening it with Microsoft Office or WordPad and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in compromise vulnerable system.
Note: the vulnerability is being actively exploited.
The detected samples are organized as Word files containing Dridex botnet ID 7500 (more specially, RTF files with тАЬ.docтАЭ extension name). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack dates to late January, according to McAfee.
According to FireEye, the malware leveraging this vulnerability was used to target Russian-speaking victims. As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the "Donetsk People's Republic" exploited CVE-2017-0199 to deliver FINSPY payloads.
This vulnerability was also used by Patya.A ransomware in malware outbreak on 27 June, 2017 as one of the attack vectors.
Software: Microsoft Office
Known/fameous malware:
Malware.Binary.Rtf
Dridex botnet
FINSPY
LATENTBOT
Petya.A
According to FireEye, the malware leveraging this vulnerability was used to target Russian-speaking victims. As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the "Donetsk People's Republic" exploited CVE-2017-0199 to deliver FINSPY payloads.
This vulnerability was also used by Patya.A ransomware in malware outbreak on 27 June, 2017 as one of the attack vectors.
Links:
https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
Remote code execution in Microsoft IIS 6.0
CVE-2017-7269
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in ScStoragePathFromUrl() function in the WebDAV service when processing overly long HTTP header beginning with "If: <http://" in a PROPFIND request. A remote unauthenticated attacker can trigger buffer overflow and execute arbitrary code on the target system with privileges of the IIS service.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited in the wild in July and August 2016.
There are reports that this vulnerability is being actively exploited in the wild against legacy installations of Microsoft IIS 6.0 in July and August 2016. At the time of publication the product was no longer supported by the vendor. However Microsoft has decided to release a security patch to address this issue on June 13, 2017.
Software: Microsoft IIS
Known/fameous malware:
EXPLODINGCAN
There are reports that this vulnerability is being actively exploited in the wild against legacy installations of Microsoft IIS 6.0 in July and August 2016. At the time of publication the product was no longer supported by the vendor. However Microsoft has decided to release a security patch to address this issue on June 13, 2017.
Spoofing attack in Telegram Desktop for Windows
Spoofing attack
The vulnerability allows a remote attacker to perform spoofing attack.The vulnerability exists due to improper parsing of right-to-left override (RLO) character when processing names of the transmitted files in Telegram Desktop for Windows. A remote attacker can create a specially crafted filename with malicious content (e.g. a JavaScript file), disguise it as an image and trick the victim into opening it.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability has been exploited in the wild since March until October in 2017, according to Kaspersky Lab and was silently fixed by the vendor.
According to Kaspersky Lab, this vulnerability was exploited in the wild since March 2017 until October 2017. The attackers used the vulnerability to install cryptocurrency miners on victimsтАЩ computers.
Software: Telegram Desktop for Windows
According to Kaspersky Lab, this vulnerability was exploited in the wild since March 2017 until October 2017. The attackers used the vulnerability to install cryptocurrency miners on victimsтАЩ computers.
Remote code execution in Cluster Management Protocol in Cisco IOS and IOS XE
CVE-2017-3881
Improper input validation
The vulnerability allows a remote attacker to gain access to vulnerable device.
The vulnerability exists due to improper input validation in Cisco Cluster Management Protocol (CMP) implementation and failure to restrict usage of CMP-specific Telnet options only to internal, local communications between cluster members. A remote unauthenticated attacker can send specially crafted CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections and cause the affected device to reload or obtain full control over vulnerable device.
Successful exploitation of this vulnerability may allow an attacker to gain full access to vulnerable device.
Note: information about this vulnerability was publicly disclosed by WikiLeaks documents dubbed CIA Vault 7.
The vulnerability was disclosed by WikiLeaks in documents dubbed CIA Vault 7. It is believed that this vulnerability was used by CIA agents to penetrate government and corporate networks.
Software: Cisco IOS
Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0145
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
Software: Windows
Known/fameous malware:
EternalSynergy exploit
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0144
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
This vulnerability was used to spread WannaCry and NotPetya ransomwere.
Software: Windows
Known/fameous malware:
EternalRomance exploit
WannaCry
NotPetya
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
This vulnerability was used to spread WannaCry and NotPetya ransomwere.
Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0147
Information disclosure
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and gain access to potentially sensitive data.
Successful exploitation of this vulnerability may allow an attacker to gain access to potentially sensitive information.
Note: this vulnerability has been exploited in the wild and is publicly known as EternalChampion exploit.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
Software: Windows
Known/fameous malware:
EternalChampion exploit
Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0146
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability has been exploited in the wild and is publicly known as EternalChampion exploit.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
Software: Windows
Known/fameous malware:
EternalChampion exploit
Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0143
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
On May 12, 2017 the malicious team has hit over 100,000 organizations in 150 countries. The hackers encrypted files from the target system and demanded 300-600$.
Software: Windows
Known/fameous malware:
WannaCry (Wana Decryptor) malware (the hackers added .WCRY extention to the targte files). The malware is believed to be connected to Lazarus Group from North Korea.
EternalBlue exploit.
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
On May 12, 2017 the malicious team has hit over 100,000 organizations in 150 countries. The hackers encrypted files from the target system and demanded 300-600$.
Multiple vulnerabilities in Microsoft Windows
CVE-2017-0005
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to improper handling of objects in memory by Windows Graphics Device Interface (GDI). A local attacker can run a specially crafted application, gain elevated privileges and execute arbitrary code on the affected system.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was used by Zirconium cyber-espionage group against older versions of Windows.
Software: Windows
Information disclosure in Microsoft XML Core Services
CVE-2017-0022
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to improper handling of objects in memory by Microsoft XML Core Services (MSXML). A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it and test for the presence of files on disk.
Successful exploitation of this vulnerability results in information disclosure.
Note: the vulnerability was being actively exploited.
This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit. The vulnerability was reported to Microsoft in September 2016. The first malware sample, discovered in the wild, is connected with AdGholas campaign in July 2016. The exploit came back again in September 2016 with the Neutrino exploit kit.
Software: Microsoft XML Core Services
Known/fameous malware:
Neutrino exploit kit
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0149
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when accessing objects in memory. A remote unauthenticated attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Remote code execution in Mikrotik RouterOS HTTP server
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to a boundary error within the HTTP server component. A remote attacker can send a specially crafted HTTP POST request to the affected device and trigger stack-based buffer overflow.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the target system.
Note: this vulnerability was disclosed in the "Vault 7" leak by Wikileaks project. The codename of the exploit affecting Mikrotik RouterOS is ChimayRed.
Remote code execution exploit was revealed during Vault 7 leak. It is possible, that this vulnerability was used to compromise Mikrotik routers in Slingshot APT campaign.
Software: MikroTik RouterOS
Known/fameous malware:
ChimayRed
Backdoor in Web Paint Google Chrome extension
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The vulnerability exists due to presence of backdoor code in Web Paint Google Chrome extension 1.2.1, distributed via Google Web Store.
The browser extension was hijacked on Google Web Store. The attackers were able to distributed malware to the extension user's. The attack occurred around March 1, 2017.
Software: Web Paint (Chrome extension)
Multiple vulnerabilities in cPanel
CVE-2017-5613
Format string vulnerability
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a format string error within cgiemail and cgiecho binaries when processing template files. A remote authenticated attacker can create a specially crafted file, containing form string specifiers and execute arbitrary code on the target system.
Successful exploitation may allow an attacker to compromise vulnerable system.
Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak. The exploit is known as ElegantEagle.
The exploit code was disclosed by the Shadow Brokers leak dubbed ElegantEagle, exploiting vulnerability in cgiemail.
Software: cPanel
Known/fameous malware:
ElegantEagle exploit
Multiple vulnerabilities in Adobe Flash Player
CVE-2016-7892
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Adobe Flash Player
Remote code execution in Mozilla Firefox
CVE-2016-9079
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when processing SVG animation in nsSMILTimeContainer::NotifyTimeChange() function. A remote attacker can create a specially crafted web page, host malicious SVG file on it and execute arbitrary code on vulnerable system.
Successful exploitation may allow an attacker to gain complete control over vulnerable system.
Note: this vulnerability is being publicly exploited against Tor Browser users.
Exploited in the wild against TOR Browser users. Exploit code was publicly disclosed as well before Mozilla released the patch.
Software: Tor Browser
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
https://www.mozilla.org/en-US/thunderbird/45.5.1/releasenotes/
http://blog.morphisec.com/tor/firefox-zero-day-prevented-by-morphisec
http://news.softpedia.com/news/mozilla-patches-svg-animation-remote-code-execution-in-firefox-and-th...
https://blog.malwarebytes.com/threat-analysis/2016/11/tor-browser-zero-day-strikes-again/
https://nakedsecurity.sophos.com/2016/12/01/firefox-and-tor-users-update-now-0-day-exploit-in-the-wi...
http://news.softpedia.com/news/mozilla-patches-svg-animation-remote-code-execution-in-firefox-and-th...
http://www.digitalriser.com/serious-firefox-tor-browser-vulnerability.html
https://www.helpnetsecurity.com/2016/12/01/firefox-tor-browser-0-day-patched/
https://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-firefox-0day-thats-under-act...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23741
http://thehackernews.com/2016/11/firefox-tor-update.html
http://www.eweek.com/security/mozilla-patches-zero-day-flaw-in-firefox.html
Remote code execution in Jenkins
CVE-2016-9299
LDAP injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to the flaw in the remoting module when handling malicious objects. A remote attacker can transfer a specially crafted serialized Java object to the Jenkins CLI, make Jenkins connect to an attacker-controlled LDAP server, bypass existing protection mechanisms and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in arbitrary code excution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Jenkins
Multiple vulnerabilities in Microsoft Graphics Component
CVE-2016-7256
Memory Corruption
A remote attacker can execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of objects in memory in Windows font library when processing Open Type fonts. A remote attacker can create a specially crafted font file and cause memory corruption.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on vulnerable system with privileges of the current user.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability started to appear on the radar in June 2016 as it was used in "low-volume attacks primarily focused on targets in South Korea". A successful attack exploited a flaw in the Windows font library to elevate privileges, and to install a backdoor on target systems called Hankray.
Software: Windows
Known/fameous malware:
Trojan Horse Exp.CVE-2016-7256.
Links:
https://technet.microsoft.com/library/security/ms16-132
https://www.symantec.com/security_response/writeup.jsp?docid=2017-011706-2200-99
http://www.securityweek.com/microsoft-patches-windows-zero-day-exploited-russian-hackers
http://www.netsec.news/patch-tuesday-sees-68-microsoft-vulnerabilities-fixed/
https://www.ghacks.net/2017/01/18/microsoft-windows-10-hardening-against-0-day-exploits/
http://www.removesoft-tips.com/exp-cve-2016-7256-removal-guide-how-do-i-remove-exp-cve-2016-7256-com...
https://hotforsecurity.bitdefender.com/blog/if-youre-going-to-use-windows-it-makes-security-sense-to...
http://www.digitaltrends.com/computing/anniversary-update-shielded-against-two-exploits/
http://www.thewindowsclub.com/windows-10-mitigate-zero-day-exploits
http://windowsreport.com/microsoft-windows-10-zero-day-exploit/
Privilege escalation in Windows 10
CVE-2016-7255
Privilege escalation
The vulnerability allows a local user to gain elevated privileges on the target system.
The weakness is due to improper handling of objects in memory by win32k.sys. By sending a specially crafted system call NtSetWindowLongPtr(), a local attacker can set index GWLP_ID to WS_CHILD value on a window handle with GWL_STYLE and execute arbitrary code with system privileges.
Successful explotation of the vulnerability results in privilege escalation.
Note: this vulnerability is being actively exploited in the wild.
The zero-day was being actively exploited by Russian hackers (APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Sofacy).
Software: Windows
Links:
https://www.symantec.com/security_response/writeup.jsp?docid=2016-110821-3527-99
https://technet.microsoft.com/library/security/ms16-135
https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
http://www.netsec.news/patch-tuesday-sees-68-microsoft-vulnerabilities-fixed/
https://securingtomorrow.mcafee.com/mcafee-labs/digging-windows-kernel-privilege-escalation-vulnerab...
http://securityaffairs.co/wordpress/53242/hacking/cve-2016-7255-zero-day.html
http://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-72...
https://cyware.com/news/one-bit-to-rule-a-system-analyzing-cve-2016-7255-exploit-in-the-wild-84cb5e1...
http://www.darkreading.com/endpoint/microsoft-november-security-updates-include-fix-for-zero-day-fla...
https://www.grahamcluley.com/pawn-storm-microsoft-zero-day/
https://nakedsecurity.sophos.com/2016/11/09/november-patch-tuesday-fixes-controversial-windows-0-day...
http://sensorstechforum.com/cve-2016-7255-67-vulnerabilities-addressed-microsoft/
Remote code execution in Adobe Flash Player
CVE-2016-7855
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when handling .swf files. A remote attacker can trick the victim to visit a website or open a file with malicious Flash file and execute arbitrary code on the target system with privileges of the current user.
Note: this vulnerability was being actively exploited in the wild.
The vulnerability was disclosed by Neel Mehta and Billy Leonard of the Google Threat Analysis Group.
The vulnerability was exploited by Russian hacker group APT28.
Software: Adobe Flash Player
The vulnerability was exploited by Russian hacker group APT28.
Links:
https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html https://helpx.adobe.com/security/products/flash-player/apsb16-36.html https://technet.microsoft.com/library/security/ms16-128
https://threatpost.com/adobe-patches-flash-zero-day-under-attack/121567/
http://securityaffairs.co/wordpress/52739/hacking/cve-2016-7855-adobe.html
http://sensorstechforum.com/cve-2016-7855-flash-bug-exploited-limited-attacks/
http://www.securityweek.com/adobe-patches-flash-vulnerability-used-targeted-attacks
http://thehackernews.com/2016/10/google-windows-zero-day.html
http://opensources.info/cve-2016-7855-flaw-in-adobe-flash-player-exploited-in-targeted-attacks/
https://www.infosecurity-magazine.com/news/flash-windows-zerodays-are-being/
https://fossbytes.com/microsoft-windows-zero-day-vulnerability-google-told-people/
https://www.theregister.co.uk/2016/10/26/adobe_patches_fresh_flash_zeroday/
https://www.symantec.com/connect/blogs/flash-zero-day-being-exploited-targeted-attacks
http://www.pcworld.com/article/3135715/security/emergency-flash-player-patch-fixes-zero-day-critical...
http://thecharlestendellshow.com/microsoft-patches-cve-2016-7255-windows-zero-day-exploited-by-fancy...
https://arstechnica.com/security/2016/11/fancy-bear-goes-all-out-to-beat-adobe-msft-zero-day-patches...
Privilege escalation in Linux kernel
CVE-2016-5195
Privilege escalation
The vulnerability allows a local user to obtain elevated privileges on the target system.The weakness is due to race condition in the kernel memory subsystem in the management of copy-on-write operations on read-only memory mappings that lets attackers to overwrite kernel memory and gain kernel-level privileges.
Successful exploitation of the vulnerability results in gaining of root privileges on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was discovered by security researcher Phil Oester and is called "DIRTY COW".
It is believed that the vulnerability was being exploited in the wild for quite some time.
Software: Linux kernel
It is believed that the vulnerability was being exploited in the wild for quite some time.
Links:
https://cdn.kernel.org/pub/linux/kernel/v4.x/testing/linux-4.9-rc2.tar.xz
https://dirtycow.ninja/
https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05352241
https://en.wikipedia.org/wiki/Dirty_COW
http://unix.stackexchange.com/questions/317981/dirty-cow-exploit-cve-2016-5195/318046
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
http://www.techinformant.in/dirty-cow-cve-2016-5195-vulnerability/
http://thehackernews.com/2016/10/linux-kernel-exploit.html
http://news.softpedia.com/news/linux-kernel-zero-day-cve-2016-5195-patched-after-being-deployed-in-l...
http://securityaffairs.co/wordpress/52521/hacking/dirty-cow-exploit.html
http://www.informationsecuritybuzz.com/expert-comments/dirty-cow-linux-vulnerability/
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-3298
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The vulnerablity exists due to improper handling of objects in memory by the Internet Messaging API. A remote attacker can create a specially crafted content, trick the victim into opening it, bypass security restrictions and determine the existence of arbitrary files.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
Proofpoint researchers Will Metcalf and Kafeine first detected and reported CVE-2016-3298 in April 2016 as part of a тАЬGooNkyтАЭ infection chain along with CVE-2016-3351, but the information disclosure vulnerability was most likely already in use by the AdGholas group.
CVE-2016-3298 and CVE-2016-3351 were reported to Microsoft between October and December of 2015.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit Kit: Neutrino
CVE-2016-3298 and CVE-2016-3351 were reported to Microsoft between October and December of 2015.
Links:
https://www.proofpoint.com/uk/threat-insight/post/microsoft-patches-CVE-2016-3298-second-information...
https://technet.microsoft.com/en-us/library/security/ms16-118.aspx
https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-3298-microsoft-fixes-another-ie...
http://securityaffairs.co/wordpress/52186/hacking/microsoft-zero-da.html
https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
https://www.scmagazine.com/patch-tuesday-microsoft-patches-five-zero-day-vulnerabilities/article/548...
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
https://blog.malwarebytes.com/cybercrime/exploits/2016/08/browser-based-fingerprinting-implications-...
http://www.securityweek.com/attackers-use-internet-explorer-zero-day-avoid-researchers
http://news.softpedia.com/news/microsoft-patches-four-zero-days-used-in-live-attacks-509222.shtml
http://wccftech.com/zero-day-exploited-update-windows-right-away/
https://www.beencrypted.com/attackers-uses-ie-edge-zero-day-avoid-researchers/
Multiple vulnerabilities in Microsoft Windows
CVE-2016-3393
Arbitrary code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Graphics Device Interface (GDI) component. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability has been used by an APT group Kaspersky Lab call FruityArmor. Victims have been identified in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.
Software: Windows
Multiple vulnerabilities in Microsoft Edge
CVE-2016-7189
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Scripting Engine when handling malicious files. A remote attacker can create a specially crafted content, trick the victim into downloading it, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability will result in arbitrary code execution.
Note: the vulnerability was being actively exploited.
Software: Microsoft Edge
Links:
https://technet.microsoft.com/library/security/ms16-119
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
http://www.securitynewspaper.com/2016/10/12/microsoft-patches-four-zero-days-used-live-attacks/
http://www.securityweek.com/microsoft-patches-4-vulnerabilities-exploited-wild
https://www.tripwire.com/state-of-security/vulnerability-management/vert-threat-alert-october-2016-p...
http://www.slideshare.net/LANDESK/october2016-patchtuesdayshavlik
http://www.zdnet.com/article/microsoft-hackers-have-exploited-zero-days-in-windows-10s-edge-office-i...
https://www.helpnetsecurity.com/2016/10/12/october-patch-tuesday/
http://www.dailystar.co.uk/tech/news/553358/Microsoft-Windows-10-critical-flaws-security-update-fix-...
Remote code execution in Microsoft Office
CVE-2016-7193
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling of malicious RTF files by Microsoft Word. A remote attacker can create a specially crafted RTF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability will result in arbitrary code execution.
Note: the vulnerability was being actively exploited.
Software: Microsoft Word
Links:
https://technet.microsoft.com/en-us/library/security/ms16-121.aspx
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
https://www.symantec.com/security_response/vulnerability.jsp?bid=93372
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
http://www.securitynewspaper.com/2016/10/12/microsoft-patches-four-zero-days-used-live-attacks/
http://www.networkworld.com/article/3130109/security/microsoft-released-10-patches-6-rated-critical-...
https://www.scmagazine.com/patch-tuesday-microsoft-patches-five-zero-day-vulnerabilities/article/548...
http://www.zdnet.com/article/microsoft-hackers-have-exploited-zero-days-in-windows-10s-edge-office-i...
http://securityaffairs.co/wordpress/52186/hacking/microsoft-zero-da.html
https://www.helpnetsecurity.com/2016/10/12/october-patch-tuesday/
https://www.scmagazineuk.com/microsoft-bundles-security-updates--no-more-pick-and-choose/article/547...
Information disclosure when handling IKEv1 packets in Cisco products
CVE-2016-6415
Information disclosure
The vulnerability allows a remote user to access potentially sensitive information on the target system.
The weakness exists due to insufficient checks of IKE packats when handling ISAKMP requests. By sending specially crafted IKEv1 packets to the IKE service via IPv4 or IPv6 a malicious user can obtain memory contents.
Successful exploitation of the vulnerability leads to confidential information disclosure on the vulnerable system.
Note: this vulnerability was being actively exploited in the wild. It was disclosed as part of Equation Group Leak and is reffered as BENIGNCERTAIN exploit.
The vulnerability was revealed after The Shadow Brokers hacking group published documents stolen from Equation Group on Saturday 13 August 2016. The exploit code was dubbed BENIGNCERTAIN and presumably was used by NSA operatives to infiltrate networks of government organizations and private companies.
Neither Cisco has developed a patch for the flaw, nor any workarounds are available.
Software: Cisco IOS
Known/fameous malware:
BENIGNCERTAIN
Neither Cisco has developed a patch for the flaw, nor any workarounds are available.
Links:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
http://thehackernews.com/2016/09/cisco-nsa-exploit.html
https://threatpost.com/cisco-warns-of-ios-flaw-vulnerable-to-shadowbrokers-attack/120668/
https://www.tecklyfe.com/ikev1-information-disclosure-vulnerability-multiple-cisco-products/
http://www.securityweek.com/cisco-finds-new-zero-day-linked-shadow-brokers-exploit
http://bestsecuritysearch.com/vulnerability-ikev1-cisco-products/
http://searchsecurity.techtarget.com/news/450304648/Shadow-Brokers-Cisco-vulnerability-exploited-in-...
https://www.grahamcluley.com/cisco-customers-targeted-hackers-using-leaked-nsa-hacking-tools/
https://www.enisa.europa.eu/publications/info-notes/the-201cshadow-brokers201d-story
http://thecharlestendellshow.com/over-840000-cisco-systems-affected-by-the-equation-groups-flaw-cve-...
https://www.scmagazine.com/cisco-warns-of-exploitation-of-new-flaws-linked-to-shadow-brokers-exploit...
https://plannedlink.co.uk/2016/09/20/cve-2016-6415-cisco-confirms-a-new-0day-linked-to-equation-grou...
http://securityaffairs.co/wordpress/51410/hacking/cve-2016-6415.html
https://motherboard.vice.com/en_us/article/hackers-hit-cisco-customers-leaked-nsa-hacking-tools-shad...
http://www.hackbusters.com/news/stories/858203-cisco-ikev1-information-disclosure-benigncertain-cve-...
http://news.softpedia.com/news/shadow-brokers-beningcertain-tool-deployed-in-live-attacks-508455.sht...
http://www.securityinform.com/2016/09/22/859-000-cisco-devices-affected-by-critical-zero-day-vulnera...
Multiple vulnerabilities in Microsoft Internet Explorer and Edge
CVE-2016-3351
Memory corruption
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to boundary error when handling of malicious files. A remote attacker can create a specially crafted content, trick the victim into opening it, trigger memory corruption and gain access to arbitrary data.
Note: the vulnerability was being actively exploited.
Microsoft has known about CVE-2016-3351 since 2015.
Exploited By AdGholas and GooNky Malvertising Groups.
Software: Microsoft Internet Explorer
Exploited By AdGholas and GooNky Malvertising Groups.
Links:
https://www.proofpoint.com/us/threat-insight/post/Microsoft-Patches-Zero-Day-Exploited-By-AdGholas-G...
https://technet.microsoft.com/library/security/ms16-104
https://technet.microsoft.com/library/security/MS16-105
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=29628
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-3298-microsoft-fixes-another-ie-...
http://securityaffairs.co/wordpress/51494/hacking/internet-explorer-exploits.html
http://wccftech.com/zero-day-exploited-update-windows-right-away/
https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
http://www.securityweek.com/microsoft-patches-browser-vulnerability-exploited-attacks
https://www.scmagazineuk.com/microsoft-bundles-security-updates--no-more-pick-and-choose/article/547...
http://www.securingcomputer.com/news/microsoft-patches-browser-vulnerability-exploited-attacks
http://www.zdnet.com/article/microsoft-patches-critical-ie-bug-that-was-under-attack-for-nearly-thre...
http://techgenix.com/microsoft-patches-ie-malvertising-vulnerability/
Remote code execution in InPage
CVE-2017-12824
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists within text processor when parsing .inp files. A remote attacker can create a specially crafted .inp file, trick the victim to open it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in full system compromise.
Note: this vulnerability is being actively exploited in the wild against financial institutions in Asia. The latest attack report is dated November 3, 2017.
Exploit code was used in targeted attacks against financial institutions in Asia. Victims of these attacks have been observed in U.K., U.S, Myanmar, Sri-Lanka and Uganda. The sector for the victims include both financial and governmental institutions.
Attacks are similar to attacks exploiting vulnerabilities in the Hangul Word Processor against government targets in South Korea.
UPDATE
Researchers from Palo Alto Networks published a write-up on November 2 2017, describing 3 latest exploits, leveraging this particular vulnerability.
The decoy documents used by the InPage exploits in the latest attacks suggest that the targets are likely to be politically or militarily motivated. They contained subjects such as intelligence reports and political situations related to India, the Kashmir region, or terrorism being used as lure documents.
Software: InPage
Known/fameous malware:
Zeus-type malware
CONFUCIUS_B
Attacks are similar to attacks exploiting vulnerabilities in the Hangul Word Processor against government targets in South Korea.
UPDATE
Researchers from Palo Alto Networks published a write-up on November 2 2017, describing 3 latest exploits, leveraging this particular vulnerability.
The decoy documents used by the InPage exploits in the latest attacks suggest that the targets are likely to be politically or militarily motivated. They contained subjects such as intelligence reports and political situations related to India, the Kashmir region, or terrorism being used as lure documents.
Links:
https://securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institut...
https://threatpost.com/inpage-zero-day-used-in-attacks-against-banks/122112/
http://www.securityweek.com/organizations-asia-targeted-inpage-zero-day
http://securityaffairs.co/wordpress/53725/intelligence/inpage-zero-day.html
http://techgenix.com/banks-hacked-via-inpage/
https://www.theregister.co.uk/2016/11/24/attackers_use_yearsold_software_zero_day_to_pop_asia_pac_ba...
http://www.itnewsafrica.com/2016/11/asian-and-african-banks-are-attacked-using-a-zero-day-vulnerabil...
https://cyware.com/news/organizations-in-asia-targeted-with-inpage-zero-day-37293662
https://frederickdamasus.com/2016/11/zero-day-attacks-african-asian-banks.html/
https://thetechportal.com/2016/11/24/banks-attacked-zero-day-kaspersky/
http://technewsdir.com/asian-and-african-banks-attacked-using-a-zero-day-vulnerability-kaspersky
https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malw...
Multiple vulnerabilities in Apple iOS
CVE-2016-4657
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in WebKit. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: the vulnerability was being actively exploited.
The Citizen Lab discovery exposed three zero-day exploits ((CVE-2016-4655, CVE-2016-4656, CVE-2016-4657)) used by тАЬPegasusтАЭ, a lawful interception cyberespionage tool developed by the Israeli-based NSO Group and sold to government agencies (UAE Human Rights Defender (Ahmed Mansoor)).
Software: Apple iOS
Known/fameous malware:
Trident exploit.
Links:
http://www.securityweek.com/apple-issues-emergency-fix-ios-zero-days-what-you-need-know
https://www.symantec.com/connect/blogs/trident-trio-ios-zero-days-being-exploited-wild
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://jndok.github.io/2016/10/04/pegasus-writeup/
https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
http://securityaffairs.co/wordpress/50788/mobile-2/ios-9-3-4-trident-exploit.html
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://en.wikipedia.org/wiki/Pegasus_(spyware)
http://indianexpress.com/article/technology/tech-news-technology/apple-ios-trident-exploit-all-you-n...
http://www.technewsworld.com/story/83845.html
http://www.eweek.com/security/apple-rushes-out-patch-for-new-ios-zero-day-flaws.html
http://www.darkreading.com/vulnerabilities---threats/apple-releases-patch-for-trident-a-trio-of-ios-...
Multiple vulnerabilities in Apple iOS
CVE-2016-4656
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to a boundary error when processing a malicious application. A local attacker can run a specially crafted application, trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability was being actively exploited.
The Citizen Lab discovery exposed three zero-day exploits ((CVE-2016-4655, CVE-2016-4656, CVE-2016-4657)) used by тАЬPegasusтАЭ, a lawful interception cyberespionage tool developed by the Israeli-based NSO Group and sold to government agencies (UAE Human Rights Defender (Ahmed Mansoor)).
Software: Apple iOS
Known/fameous malware:
Trident exploit.
Links:
http://www.securityweek.com/apple-issues-emergency-fix-ios-zero-days-what-you-need-know
https://www.symantec.com/connect/blogs/trident-trio-ios-zero-days-being-exploited-wild
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://jndok.github.io/2016/10/04/pegasus-writeup/
https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
http://securityaffairs.co/wordpress/50788/mobile-2/ios-9-3-4-trident-exploit.html
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://en.wikipedia.org/wiki/Pegasus_(spyware)
http://indianexpress.com/article/technology/tech-news-technology/apple-ios-trident-exploit-all-you-n...
http://www.technewsworld.com/story/83845.html
http://www.eweek.com/security/apple-rushes-out-patch-for-new-ios-zero-day-flaws.html
http://www.darkreading.com/vulnerabilities---threats/apple-releases-patch-for-trident-a-trio-of-ios-...
Multiple vulnerabilities in Apple iOS
CVE-2016-4655
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to improper input validation. A remote attacker can run a specially crafted application, bypass security restrictions and obtain portions of kernel memory.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.Note: the vulnerability was being actively exploited.
The Citizen Lab discovery exposed three zero-day exploits ((CVE-2016-4655, CVE-2016-4656, CVE-2016-4657)) used by тАЬPegasusтАЭ, a lawful interception cyberespionage tool developed by the Israeli-based NSO Group and sold to government agencies (UAE Human Rights Defender (Ahmed Mansoor)).
Software: Apple iOS
Known/fameous malware:
Trident exploit.
Links:
https://support.apple.com/en-us/HT207107
http://www.securityweek.com/apple-issues-emergency-fix-ios-zero-days-what-you-need-know
https://www.symantec.com/connect/blogs/trident-trio-ios-zero-days-being-exploited-wild
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://jndok.github.io/2016/10/04/pegasus-writeup/
https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
http://securityaffairs.co/wordpress/50788/mobile-2/ios-9-3-4-trident-exploit.html
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://en.wikipedia.org/wiki/Pegasus_(spyware)
http://indianexpress.com/article/technology/tech-news-technology/apple-ios-trident-exploit-all-you-n...
http://www.technewsworld.com/story/83845.html
http://www.eweek.com/security/apple-rushes-out-patch-for-new-ios-zero-day-flaws.html
http://www.darkreading.com/vulnerabilities---threats/apple-releases-patch-for-trident-a-trio-of-ios-...
Local buffer overflow in CLI parser in Cisco ASA Appliances
CVE-2016-6367
CLI parser buffer overflow
The vulnerability allows a local user to cause denial of service or execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the command-line interface (CLI) parser. A local authenticated user can trigger buffer overflow and reload the affected device or execute arbitrary code on the target system.
Successful exploitation of this vulnerability will allow a local user to execute arbitrary code on vulnerable system.
The following models of CISCO ASA appliances are affected:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco PIX Firewalls
- Cisco Firewall Services Module (FWSM)
Note: this is a zero-day vulnerability, discovered after security breach of The Equation Group. The exploit code for this vulnerability was publicly exposed and is referred as EPICBANANA Exploit.
The vulnerability was revealed after The Shadow Brokers hacking group published documents stolen from Equation Group in 2013. The exploit code was dubbed BENIGNCERTAIN and presumably was used by NSA operatives to infiltrate networks of government organizations and private companies
Neither Cisco has developed a patch for the flaw, nor any workarounds are available.
Firstly the vulnerability received a patch back in 2011.
Software: Cisco PIX Firewall
Known/fameous malware:
EPICBANANA.
Neither Cisco has developed a patch for the flaw, nor any workarounds are available.
Firstly the vulnerability received a patch back in 2011.
Links:
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56516
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-cli
https://blogs.cisco.com/security/shadow-brokers
http://www.thesecurityblogger.com/the-shadow-brokers-epicbananas-and-extrabacon-exploits/
https://www.tripwire.com/state-of-security/latest-security-news/cisco-confirms-two-exploits-found-in...
https://www.bleepingcomputer.com/news/security/researchers-find-strong-connection-between-nsa-hacker...
http://thehackernews.com/2016/08/nsa-hack-exploit.html
http://news.softpedia.com/news/cisco-patches-zero-day-exposed-in-shadow-brokers-leak-507410.shtml
https://arstechnica.com/security/2016/08/cisco-confirms-nsa-linked-zeroday-targeted-its-firewalls-fo...
https://www.symantec.com/connect/blogs/equation-has-secretive-cyberespionage-group-been-breached
https://www.helpnetsecurity.com/2016/08/18/cisco-fortinet-exploits-leaked/
http://techgenix.com/nsa-hack-cisco-releases-patches/
https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equatio...
http://www.eweek.com/security/shadow-brokers-flaw-poses-zero-day-risks-cisco-and-fortinet-warn.html
https://duo.com/blog/newly-released-exploits-affect-cisco-juniper-and-other-vendors
Remote code execution in Cisco ASA Appliances
CVE-2016-6366
SNMP remote code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when handling SNMP packets. A remote attacker with knowledge of SNMP community string can cause buffer overflow and cause the target device to reload or execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in full compromise of affected system.
The following models of CISCO ASA appliances are affected:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco PIX Firewalls
- Cisco Firewall Services Module (FWSM)
Note: this is a zero-day vulnerability, discovered after security breach of The Equation Group. The exploit code for this vulnerability was publicly exposed and is referred as EXTRABACON Exploit.
The vulnerability was revealed after The Shadow Brokers hacking group published documents stolen from Equation Group in 2013. The exploit code was dubbed ExtraBacon and presumably used by NSA operatives to infiltrate networks of government organizations and private companies.
Software: Cisco ASA Series
Known/fameous malware:
ExtraBacon.
Links:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
https://www.surecloud.com/security-bulletins/cisco-asa-pix-firewall-zero-day-vulnerability-cve-2016-...
http://securityaffairs.co/wordpress/51410/hacking/cve-2016-6415.html
https://threatpost.com/cisco-begins-patching-equation-group-asa-zero-day/120124/
http://www.bankinfosecurity.com/cisco-patches-asa-devices-against-extrabacon-a-9360
http://news.softpedia.com/news/cisco-patches-zero-day-exposed-in-shadow-brokers-leak-507410.shtml
https://threatpost.com/leaked-shadowbrokers-attack-upgraded-to-target-current-versions-of-cisco-asa/...
https://arstechnica.com/security/2016/08/cisco-confirms-nsa-linked-zeroday-targeted-its-firewalls-fo...
ttps://thehackernews.com/2016/08/nsa-hack-exploit.html
https://duo.com/blog/newly-released-exploits-affect-cisco-juniper-and-other-vendors
http://www.securityweek.com/cisco-finds-new-zero-day-linked-shadow-brokers-exploit
https://www.symantec.com/connect/blogs/equation-has-secretive-cyberespionage-group-been-breached
https://www.helpnetsecurity.com/2016/08/18/cisco-fortinet-exploits-leaked/
Remote code execution in Fortinet FortiOS and FortiSwitch
CVE-2016-6909
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exist due to a boundary error within cookie parser. A remote attacker can send a specially crafted HTTP request, cause memory corruption and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to vulnerable system.
Note:the vulnerability was being actively exploited.
Information about zero-day vulnerabilities in Cisco and FortiOS products was exposed after NSA data leak in August 2016. The tools bear digital signatures that match those used by the Equation Group, a group that has alleged links to the NSA. The incident highlights the risk of hoarding zero-day vulnerabilities.
EGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and exploits disclosed on 2016/08/14 by a group known as the Shadow Brokers.
Software: FortiOS
EGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and exploits disclosed on 2016/08/14 by a group known as the Shadow Brokers.
Links:
http://fortiguard.com/advisory/FG-IR-16-023
http://www.computerworld.com/article/3109307/security/cisco-and-fortinet-issue-patches-against-nsa-m...
https://www.sans.org/newsletters/newsbites/xviii/66#201
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/7381/fortinet-fortigate-cookie...
http://netformation.com/level-3-pov/shadow-brokers-hit-the-light-of-day
https://vulners.com/nessus/FORTIOS_COOKIE_PARSING_BOF.NASL
https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equatio...
https://tools.cisco.com/security/center/viewAlert.x?alertId=48526
https://www.tenable.com/plugins/index.php?view=single&id=93196
Security bypass in Mozilla Firefox
CVE-2015-4495
Security bypass
The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to improper input validation. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, bypass same-origin policy and inject arbitrary JavaScript into the built-in PDF Viewer to gain access to arbitrary files on the system.
Successful exploitation of this vulnerability may result in access to local files and privilege escalation, leading to system compromise.
Note: the vulnerability was being actively exploited.
In August 2016 Mozilla bug-tracking service was hacked. Hackers were able to steal information about not yet patched vulnerabilities in Mozilla Firefox and use one of them in a targeted attack against users of Russian news website.
The malicious exfiltration server, hosted in Ukraine, has been online since July 27, 2015.
The vulnerability was reported by researcher Cody Crews.
Software: Mozilla Firefox
Known/fameous malware:
JS/Exploit.CVE-2015-4495 (ESET).
The malicious exfiltration server, hosted in Ukraine, has been online since July 27, 2015.
The vulnerability was reported by researcher Cody Crews.
Links:
http://www.computerworld.com/article/2980745/web-browsers/mozilla-admits-bug-tracker-breach-led-to-a...
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
http://www.welivesecurity.com/2015/08/11/firefox-under-fire-anatomy-of-latest-0-day-attack/
http://www.securityweek.com/mozilla-patches-firefox-zero-day-exploited-wild
https://www.redpacketsecurity.com/firefox-0day-cve-2015-4495/
https://access.redhat.com/articles/1563163
https://www.symantec.com/connect/blogs/firefox-vulnerability-could-allow-attackers-steal-documents
http://securityaffairs.co/wordpress/39198/cyber-crime/0-day-firefox.html
https://www.hedgehogsecurity.co.uk/firefox-users-should-update-immediately/
https://www.eset.com/int/about/newsroom/company/firefox-0-day-attack/
Remote code execution in Adobe Flash Player
CVE-2016-4171
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error when handling .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by Anton Ivanovn of Kaspersky.
Used by ScarCruft hacking team in Operation Daybreak and Operation Erebus as suggested by Kaspersky Lab.
It has been used in targeted attacks carried out by a new ScarCruft APT group operating primarily against high-profile victims in China, South Korea, India, Russia, Nepal, Romania, and Kuwait.
Software: Adobe Flash Player
Used by ScarCruft hacking team in Operation Daybreak and Operation Erebus as suggested by Kaspersky Lab.
It has been used in targeted attacks carried out by a new ScarCruft APT group operating primarily against high-profile victims in China, South Korea, India, Russia, Nepal, Romania, and Kuwait.
Links:
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
https://helpx.adobe.com/security/products/flash-player/apsa16-03.html
https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attac...
http://securityaffairs.co/wordpress/48400/hacking/cve-2016-4171-flash-0-day.html
http://www.securityweek.com/flash-zero-day-exploited-targeted-attacks
https://community.norton.com/en/blogs/security-covered-norton/critical-adobe-flash-player-vulnerabil...
https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/
http://zerosecurity.org/2016/06/flash-zero-day-cve-2016-4171
http://neurogadget.net/2016/06/21/hackers-exploiting-critical-adobe-flash-player-vulnerability/33701
https://www.scmagazine.com/adobe-patches-critical-zero-day-vulnerability-in-flash-player/article/529...
http://activecypher.com/cve-2016-4171-another-flash-zero-day-exploited-in-targeted-attacks/
https://nakedsecurity.sophos.com/2016/06/15/critical-flash-vulnerability-is-being-exploited-in-the-w...
https://www.beyondtrust.com/blog/critical-zero-day-vulnerability-cve-2016-4171-basic-mitigation/
https://arstechnica.com/security/2016/06/critical-adobe-flash-bug-under-active-attack-currently-has-...
http://wccftech.com/flash-zero-day-vulnerability-exploited-in-the-wild/
http://www.digitaltrends.com/computing/adobe-exploit-scarcruft/
http://www.theinquirer.net/inquirer/news/2461612/new-threat-uses-flash-zero-day-to-attack-big-busine...
http://thecharlestendellshow.com/scarcruft-apt-group-exploited-flash-zero-day-in-high-profile-attack...
https://www.intego.com/mac-security-blog/adobe-flash-alert-0-day-exploit-for-vulnerability-in-the-wi...
http://www.bankinfosecurity.com/adobe-flings-flash-fix-for-fresh-apt-target-a-9207
Arbitrary file upload in WP Mobile detector
Arbitrary file upload
The vulnerability allows a remote attacker to upload arbitrary files to compromise the target system.The weakness exists due to the failure to validate and sanitize input. A remote attacker can send a request toresize.php or timthumb.php inside the plugin directory with the backdoor URL that contains a PHP code.
Successful exploitation of the vulnerability may result in malicious files uploading and vulnerable system compromising.
Note: the vulnerability was being actively exploited.
Researchers at Sucuri said that attacks against WordPress sites running the plugin started on May 26.
Software: WP Mobile detector
Links:
https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-d...
https://threatpost.com/wordpress-patches-zero-day-in-wp-mobile-detector-plugin/118458/ https://www.recoverwp.com/en/arbitrary-file-upload-vulnerability-in-wp-mobile-detector/
https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-exploited-in-the-wild.html
http://news.softpedia.com/news/wordpress-sites-under-attack-from-new-zero-day-in-wp-mobile-detector-...
https://vulners.com/threatpost/WORDPRESS-PATCHES-ZERO-DAY-IN-WP-MOBILE-DETECTOR-PLUGIN/118458
http://www.spamfighter.com/News-20313-WordPress-Websites-Being-Assaulted-Through-Fresh-0-Day-within-...
http://www.builditdigital.com/blog/wp-mobile-detector-plugin-makes-over-10-000-wordpress-sites-vulne...
http://www.zdnet.com/article/over-10000-wordpress-sites-vulnerable-to-exploit/
Remote denial of service in Cisco IOS
CVE-2016-1409
Improper input validation
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a logic error when parsing IPv6 Neighbor Discovery (ND) packets, sent directly to the device. A remote attacker can send specially crafted IPv6 traffic to the affected device and cause the device to stop processing IPv6 traffic.
Successful exploitation of the vulnerability will result in denial of service attack.
Note: according to Cisco, this vulnerability is being exploited in the wild.
Software: Cisco IOS XR
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-0189
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Scripting Engine when handling malicious files. A remote attacker can create a specially crafted content, trick the victim into opening it, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Used to target South Korean organizations.
A banking (Duuzer back door) trojan distributed by Sundown Exploit Kit (EK) to target South Korean organizations. Later it was included into Magnitude and KaiXin EKs.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit kit: Magnitude, Neutrino, RIG, Sundown.
A banking (Duuzer back door) trojan distributed by Sundown Exploit Kit (EK) to target South Korean organizations. Later it was included into Magnitude and KaiXin EKs.
Links:
http://theori.io/research/cve-2016-0189
https://github.com/theori-io/cve-2016-0189
https://technet.microsoft.com/library/security/MS16-053
https://technet.microsoft.com/library/security/ms16-051
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189
http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
https://www.symantec.com/security_response/writeup.jsp?docid=2016-061306-3604-99
https://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-sout...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70147
http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
http://blog.trendmicro.com/trendlabs-security-intelligence/may-2016-patch-tuesday-fixes-browser-scri...
https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html
https://www.virusbulletin.com/blog/2017/01/paper-journey-and-evolution-god-mode-2016-cve-2016-0189/
http://www.securityweek.com/microsoft-patches-flaws-exploited-targeted-attacks
http://sensorstechforum.com/may-2016-patch-tuesday-cve-2016-0189-kb3155533-kb3156764/
http://securityaffairs.co/wordpress/54093/intelligence/cnacom-campaign.html
https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise
http://forensicblogs.com/tag/cve-2016-0189/
https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/
http://securityaffairs.co/wordpress/49383/cyber-crime/neutrino-ek-ie-flaw.html
http://www.securityweek.com/ie-exploit-added-neutrino-after-experts-publish-poc
http://www.cybersecurity-review.com/internet-explorer-zero-day-exploit-used-in-targeted-attacks-in-s...
http://www.zdnet.com/article/south-korea-victim-of-internet-explorer-zero-day-vulnerability/
http://thecharlestendellshow.com/experts-published-ie-exploit-code-and-crooks-added-it-to-neutrino-e...
https://cybernewsgroup.co.uk/ie-exploit-added-to-neutrino-after-experts-publish-poc/
http://www.networkworld.com/article/3068505/microsoft-fixes-actively-attacked-ie-flaw-and-50-other-v...
https://www.scmagazine.com/patch-tuesday-microsoft-rolls-out-16-bulletins-eight-rated-critical/artic...
http://news.redpiranha.net/Landing-Page-Containing-CVE-2016-0189-Exploit-Code-Used-to-Target-Taiwane...
http://www.darkreading.com/attacks-breaches/windows-0-day-exploit-used-in-recent-wave-of-pos-attacks...
https://securityintelligence.com/news/proof-of-compromise-new-neutrino-exploit-runs-on-research/
https://www.grahamcluley.com/neutrino-exploit-kit-adds-zero-day-flaw-arsenal/
Remote code execution in Adobe Flash Player
CVE-2016-4117
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Note: the vulnerability was being actively exploited.
The vulnerability was reported by Genwei Jiang.
The zero-day was used by the Pawn Storm and APT3 cyber espionage groups in Operation Erebus campaign and seen in payloads included with CryptXXX, Cerber and DMA Locker ransomware, as well as the Gootkit Trojan.
Software: Adobe Flash Player
Known/fameous malware:
Exploit kit: Angler, Magnitude, Neutrino, RIG.
The zero-day was used by the Pawn Storm and APT3 cyber espionage groups in Operation Erebus campaign and seen in payloads included with CryptXXX, Cerber and DMA Locker ransomware, as well as the Gootkit Trojan.
Links:
https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html
https://helpx.adobe.com/security/products/flash-player/apsa16-02.html
https://helpx.adobe.com/security/products/flash-player/apsb16-15.html
http://securityaffairs.co/wordpress/47197/hacking/cve-2016-4117-adobe-flash-zero.html
https://security.berkeley.edu/news/vulnerable-adobe-flash-player-allows-remote-code-execution-cve-20...
http://news.softpedia.com/news/nine-days-later-flash-zero-day-cve-2016-4117-already-added-to-exploit...
https://www.helpnetsecurity.com/2016/05/16/flash-0day-exploit-booby-trapped-office-file/
http://securityaffairs.co/wordpress/47379/cyber-crime/cve-2016-4117-exploit-chain.html
https://andreafortuna.org/cve-2016-4117-a-new-adobe-flash-0-day-in-the-wild-56e78d519bf5#.9ogjnryxb
http://www.pcworld.com/article/3073561/security/a-recently-patched-flash-player-exploit-is-being-use...
https://www.peerlyst.com/posts/cve-2016-4117-fireeye-revealed-the-exploit-chain-of-recent-attacks-he...
https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-8-adds-support-for-flash-v...
http://neurogadget.net/2016/05/29/adobe-flash-player-exploit-used-hackers-attack-users/31733
http://www.bankinfosecurity.com/zero-day-attacks-pummel-ie-flash-a-9093
Remote code execution in ImageMagick
CVE-2016-3714
Input validation error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to insufficient filtering for filename passed to delegate's command. A remote attacker can create a specially crafted image containing shell metacharacters, trick the victim into opening it via application using ImageMagick, will trigger an input validation flaw and execute arbitrary shell commands with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Code execution vulnerability in ImageMagick was found by Nikolay Ermishkin from Mail.Ru Security Team while researching original report.
Security researcher Behrouz Sadeghipour discovered that the vulnerability was present in the web domain belonging to Polyvore.
The vulnerabilily is dubbed "ImageTragick".
Software: ImageMagick
Security researcher Behrouz Sadeghipour discovered that the vulnerability was present in the web domain belonging to Polyvore.
The vulnerabilily is dubbed "ImageTragick".
Links:
https://imagetragick.com/
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.440568
http://blog.trendmicro.com/trendlabs-security-intelligence/imagemagick-vulnerability-allows-remote-c...
http://www.darknet.org.uk/2016/05/multiple-serious-imagemagick-zero-day-vulnerabilities/
http://www.zdnet.com/article/yahoos-polyvore-vulnerable-to-imagemagick-flaw-researcher-receives-litt...
http://www.securityweek.com/yahoo-rewards-researcher-imagemagick-hack
http://sec.sangfor.com.cn:88/vulns/290.html
https://www.helpnetsecurity.com/2016/05/04/imagemagick-zero-day-flaw/
http://www.sangfor.com/source/blog-network-security/696.html
https://arstechnica.com/security/2016/05/exploits-gone-wild-hackers-target-critical-image-processing...
http://www.nickhammond.com/fixing-imagemagick-cve-20163714-with-ansible/
http://www.securityweek.com/attackers-exploit-critical-imagemagick-vulnerability
Multiple vulnerabilities in Microsoft Windows
CVE-2016-0167
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Used to compromise organizations in the USA and Canada. First attacks were detected in 08.03.2016.
Software: Windows
Known/fameous malware:
PUNCHBABY or PUNCHTRACK Trojan.
Links:
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:Win64/CVE-2016...
https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html
https://technet.microsoft.com/library/security/ms16-039 http://www.securitytracker.com/id/1035532
http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-april-11-2016/
http://blog.cybersheath.com/adobe-and-windows-zero-day-exploits-in-the-wild
https://threatpost.com/microsoft-zero-day-exposes-100-companies-to-pos-attack/118026/
https://arstechnica.com/security/2016/05/beware-of-in-the-wild-0day-attacks-exploiting-windows-and-f...
http://sensorstechforum.com/windows-zero-day-exploited-to-steal-credit-card-data-from-us-companies/
http://www.securityweek.com/windows-zero-day-leveraged-financial-attacks
http://www.zdnet.com/article/microsoft-windows-zero-day-exposes-companies-to-crippling-cyberattacks/
Multiple vulnerabilities in Microsoft Windows
CVE-2016-0165
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The Badlock vulnerability.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms16-039.aspx
https://threatpost.com/fruityarmor-apt-group-used-recently-patched-windows-zero-day/121398/
http://www.networkworld.com/article/3054645/security/microsoft-rated-6-of-13-security-updates-as-cri...
https://securelist.com/blog/research/76396/windows-zero-day-exploit-used-in-targeted-attacks-by-frui...
http://www.infoworld.com/article/3055572/security/dont-let-badlock-distract-you-from-real-vulnerabil...
http://news.softpedia.com/news/microsoft-releases-critical-windows-edge-browser-office-security-upda...
https://www.infosecurity-magazine.com/news/patch-tuesday-badlock-bulletin/
Microsoft Security Update for Adobe Flash Player
CVE-2016-1019
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion error when handling .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Note: the vulnerability was being actively exploited.
The weakness was presented by Kafeine (EmergingThreats/Proofpoint), Genwei Jiang (FireEye, Inc.) and Clement Lecigne (Google).
According to FireEye, on April 2, Kafeine provided details on a version of the Magnitude Exploit Kit that was originally believed to be exploiting known Adobe Flash vulnerabilities.
Software: Adobe Flash Player
Known/fameous malware:
Magnitude, Neutrino and Nuclear Pack Exploit Kit.
Cerber and DMA Locker ransomware.
According to FireEye, on April 2, Kafeine provided details on a version of the Magnitude Exploit Kit that was originally believed to be exploiting known Adobe Flash vulnerabilities.
Links:
https://helpx.adobe.com/security/products/flash-player/apsa16-01.html
https://www.fireeye.com/blog/threat-research/2016/04/cve-2016-1019_a_new.html
http://blog.trendmicro.com/trendlabs-security-intelligence/look-adobe-flash-player-cve-2016-1019-zer...
https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg
http://securityaffairs.co/wordpress/46107/malware/adobe-fixes-cve-2016-1019.html
https://www.bleepingcomputer.com/news/security/adobe-releases-security-advisory-on-critical-vulnerab...
http://www.zdnet.com/article/cyberattackers-botch-integration-of-adobe-flash-zero-day-vulnerability-...
http://www.eweek.com/security/adobe-patches-zero-day-flaw-used-by-exploit-kit.html
https://www.grahamcluley.com/adobe-flash-responsible-six-top-10-bugs-used-exploit-kits-2016/
http://hub-apac.insight.com/h/i/236881036-zero-day-attack-discovered-in-magnitude-exploit-kit-target...
https://trushieldinc.com/adobe-flash-player-zero-day-exploit/
https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016/04/botched-flash-0day-ge...
http://www.symantec.com/connect/blogs/new-flash-zero-day-exploited-attackers-wild
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-1019-zero-day-integrated-in-expl...
https://threatpost.com/emergency-update-coming-for-flash-vulnerability-under-attack/117219/
http://www.ecommercetimes.com/story/83348.html
Multiple vulnerabilities in Adobe Flash Player
CVE-2016-1010
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to integer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Note: the vulnerability was being actively exploited.
The vulnerability was reported by Anton Ivanov from Kaspersky Lab. The vulnerability was used by the ScarCruft group in Operation Daybreak campaign.
Software: Adobe Flash Player
Known/fameous malware:
Used in Angler Exploit Kit.
Links:
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
http://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-recent-flash-zero-day...
http://blog.trendmicro.com/trendlabs-security-intelligence/adobe-issues-emergency-patch-flash-zero-d...
ttp://blog.trendmicro.com/trendlabs-security-intelligence/tag/cve-2016-1010/
https://security.berkeley.edu/news/adobe-flash-player-multiple-zero-day-vulnerabilities-cve-2016-101...
https://technet.microsoft.com/en-us/library/security/MS16-036
http://securityaffairs.co/wordpress/45226/breaking-news/adobe-emergency-out-of-band-update.html
https://news.ycombinator.com/item?id=11262403
https://www.slashgear.com/adobe-flash-player-update-fixes-critical-vulnerabilities-11431218/
https://securify.co.in/adobe-flash-player/zero-day-adobe-flash-player-vulnerability-cve-2016-1010-2/
https://arstechnica.com/security/2016/03/adobe-issues-emergency-patch-for-actively-exploited-code-ex...
https://nakedsecurity.sophos.com/2016/03/11/flash-zero-day-prompts-emergency-update-from-adobe/
https://www.scmagazine.com/adobe-patches-active-flash-player-flaw/article/528925/
https://hotforsecurity.bitdefender.com/blog/update-flash-now-targeted-attacks-exploiting-security-ho...
http://www.securityweek.com/adobe-patches-flash-zero-day-under-attack
http://www.spamfighter.com/News-20163-Security-Bug-Used-in-Live-Attacks-is-Fixed-by-Releasing-Adobe-...
http://www.pcworld.com/article/3043055/security/emergency-flash-player-patch-fixes-actively-exploite...
http://wccftech.com/adobe-patches-yet-another-critical-flash-exploit/
https://www.infosecurity-magazine.com/news/adobe-issues-patch-for-23-flash/
http://www.eweek.com/blogs/security-watch/adobe-updates-flash-to-patch-zero-day-flaw.html
Multiple vulnerabilities in Adobe Flash Player
CVE-2016-0984
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.
According to Kasperksy Lab report, this vulnerability has bein actively exploited in the wild by BlackOasis APT actor.
According to Kaspersky Lab, this vulnerability has being exploited in the wild by BlackOasis actor in June 2015.
Software: Adobe Flash Player
Privilege escalation in Linux kernel
CVE-2016-0728
Use-after-free error
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to use-after-free error in the join_session_keyring() function in security/keys/process_keys.c when handling keyring object reference counting by Linux kernel's key management subsystem. A local attacker can overflow the usage field via a specially crafted object and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The critical Linux kernel flaw (CVE-2016-0728) has been identified by a group of researchers at a startup named Perception Point.
The vulnerability has existed since 2012, but was disclosed in January, 2016.
Software: Linux kernel
The vulnerability has existed since 2012, but was disclosed in January, 2016.
Links:
http://thehackernews.com/2016/01/linux-kernel-hacker.html
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-...
https://www.cyberciti.biz/faq/linux-cve-2016-0728-0-day-local-privilege-escalation-vulnerability-fix...
http://williamdurand.fr/2016/01/21/patching-linux-kernel-raspbian/
http://securityaffairs.co/wordpress/43758/hacking/linux-kernel-vulnerability-fixed.html
http://www.pcworld.com/article/3023870/security/linux-kernel-flaw-endangers-millions-of-pcs-servers-...
https://syslint.com/blog/tutorial/new-linux-kernel-zero-day-exploit-vulnerability-cve-2016-0728/
https://l3net.wordpress.com/2016/01/20/firejail-target-practice-cve-2016-0728/
https://threatpost.com/serious-linux-kernel-vulnerability-patched/115923/
http://www.securityweek.com/linux-kernel-flaw-puts-millions-devices-risk
Remote code execution in Microsoft Silverlight
CVE-2016-0034
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an error when parsing strings with a malicious decoder that can return negative offsets. A remote attacker can create a specially crafted content, trick the victim into opening it, replace unsafe object headers with contents provided by an attacker and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
On July 5, 2015, a large amount of data from one company was leaked to the Internet with a hacker known as тАЬPhineas FisherтАЭ claiming responsibility for the breach.
Software: Microsoft Silverlight
Known/fameous malware:
Used in Angler, Hunter, RIG and Sundown Exploit Kit.
Links:
https://technet.microsoft.com/en-us/library/security/MS16-006
https://securelist.com/blog/research/73255/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-micro...
https://www.symantec.com/security_response/writeup.jsp?docid=2016-011507-1032-99
http://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-in-us-leads-to-angl...
http://www.broadanalysis.com/2016/03/21/silverlight-exploit-leads-to-teslacrypt-cve-2016-0034/
http://sensorstechforum.com/attack-involves-silverlight-exploit-cve-2016-0034-angler-ek-and-teslacry...
http://www.securityweek.com/hacking-team-leak-leads-discovery-silverlight-zero-day
http://www.securityweek.com/exploit-recently-patched-silverlight-flaw-added-angler
https://www.trustwave.com/Resources/SpiderLabs-Blog/Sundown-EK-%E2%80%93-Stealing-Its-Way-to-the-Top...
http://securityaffairs.co/wordpress/44774/cyber-crime/angler-ek-silverlight-exploit.html
https://blog.qualys.com/securitylabs/2016/01/14/hunting-for-vulnerable-functions-in-microsoft-silver...
http://www.zdnet.com/article/microsoft-silverlight-exploit-spotted-in-angler-kit/
http://www.zdnet.com/article/kaspersky-lab-discovers-silverlight-zero-day-vulnerability/
http://news.softpedia.com/news/hackers-wasted-their-time-adding-a-silverlight-exploit-to-the-angler-...
https://www.scmagazine.com/as-kaspersky-labs-researchers-predicted-exploits-of-silverlight-vulnerabi...
http://blog.morphisec.com/javascript-in-ie-overtakes-flash-as-number-one-target-for-angler-exploit-k...
https://threatpost.com/new-silverlight-attacks-appear-in-angler-exploit-kit/116409/
https://arstechnica.com/security/2016/02/malicious-websites-exploit-silverlight-bug-that-can-pwn-mac...
http://www.darkreading.com/vulnerabilities---threats/kaspersky-caught-scent-of-silverlight-zero-day-...
Multiple vulnerabilities in Adobe Flash Player
CVE-2015-8651
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to integer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Adobe Flash Player
Known/fameous malware:
Exploit kits: Angler, Neutrino, Nuclear Pack and RIG
Links:
https://helpx.adobe.com/security/products/flash-player/apsb16-01.html
https://blogs.forcepoint.com/security-labs/popular-site-leads-angler-ek-cve-2015-8651-flash-player-e...
https://www.symantec.com/security_response/writeup.jsp?docid=2015-122818-3536-99&tabid=2
https://blogs.forcepoint.com/security-labs/popular-site-leads-angler-ek-cve-2015-8651-flash-player-e...
https://krebsonsecurity.com/tag/cve-2015-8651/
https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exp...
https://krebsonsecurity.com/tag/cve-2015-8651/
https://www.scmagazine.com/adobe-issues-critical-flash-player-patch/article/533434/
http://vulnerablespace.blogspot.com/2016/06/malware-analysing-and-repurposing-rigs.html
https://blog.qualys.com/laws-of-vulnerabilities/2015/12/28/last-adobe-0-day-patched-for-the-year
https://www.reddit.com/r/ReverseEngineering/comments/43a1i5/an_analysis_on_the_principle_of_cve20158...
http://www.securityweek.com/adobe-issues-emergency-patch-flash-zero-day-under-attack
http://securityaffairs.co/wordpress/43131/cyber-crime/adobe-flash-zero-day.html
http://securityaffairs.co/wordpress/54120/reports/exploit-kits-top-flaws.html
https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016/07/a-look-into-some-rig-...
http://www.darkreading.com/vulnerabilities---threats/here-are-4-vulnerabilities-ransomware-attacks-a...
https://www.recordedfuture.com/recent-ransomware-vulnerabilities/
http://resources.infosecinstitute.com/most-exploited-vulnerabilities-by-whom-when-and-how/#gref
http://neurogadget.net/2016/12/08/adobe-flash-player-bugs-issues-exploits-computers/48666
http://thehackernews.com/2015/12/adobe-flash-security-update.html
http://www.theregister.co.uk/2015/12/28/adobe_flash_security_update/
https://www.solutionary.com/resource-center/blog/2015/12/adobe-flash-player-vulnerability/
http://wccftech.com/flash-player-receives-emergency-security-patch/
http://news.softpedia.com/news/adobe-fixes-flash-zero-day-bug-discovered-by-huawei-498184.shtml
Two backdoors in Juniper ScreenOS
CVE-2015-7756
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to usage of insecure encryption keys. A remote attacker can with ability to monitor VPN traffic can intercept and decrypt it.
Successful exploitation of the vulnerability results in information disclosure on the target system.
Note: the vulnerability was disclosed as part of two backdoors during internal source code audit.
Revealed during source code review by the vendor.
Software: Juniper ScreenOS
Links:
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST
https://blog.cryptographyengineering.com/2015/12/22/on-juniper-backdoor/
http://securityaffairs.co/wordpress/42983/hacking/juniper-backdoor-attacks-honeypot.html
https://adamcaudill.com/2015/12/17/much-ado-about-juniper/
http://www.dmnews.com/news-bytes/juniper-warns-of-two-attacks-of-unauthorised-code-on-its-routers/ar...
http://resources.infosecinstitute.com/infosec-year-end-highlights/#gref
https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-n...
https://thehackernews2.blogspot.com/2016/12/backdoor-found-in-sonys-ip-security.html
http://blogs.splunk.com/2016/01/05/discover-and-monitor-juniper-vulnerability-cve-2015-7755-exploits...
http://www.securityweek.com/juniper-firewall-backdoor-password-found-6-hours
http://www.theregister.co.uk/2015/12/20/juniper_details_two_attacks_from_unauthorised_code/
Two backdoors in Juniper ScreenOS
CVE-2015-7755
Authentication bypass
The vulnerability allows a remote attacker to bypass authentication on the target system.The weakness exists due to presence of backdoor in Juniper ScreenOS code. A remote attacker can enter a password "<<< %s(un='%s') = %u" during a SSH or TELNET session and obtain administrative access to the device.
Successful exploitation of the vulnerability results in unauthorized access to the vulnerable system.
Note: the vulnerability was being actively exploited.
Revealed during source code review by the vendor.
Software: Juniper ScreenOS
Links:
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST
https://blog.cryptographyengineering.com/2015/12/22/on-juniper-backdoor/
http://securityaffairs.co/wordpress/42983/hacking/juniper-backdoor-attacks-honeypot.html
https://adamcaudill.com/2015/12/17/much-ado-about-juniper/
http://www.dmnews.com/news-bytes/juniper-warns-of-two-attacks-of-unauthorised-code-on-its-routers/ar...
http://resources.infosecinstitute.com/infosec-year-end-highlights/#gref
https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-n...
https://thehackernews2.blogspot.com/2016/12/backdoor-found-in-sonys-ip-security.html
http://blogs.splunk.com/2016/01/05/discover-and-monitor-juniper-vulnerability-cve-2015-7755-exploits...
http://www.securityweek.com/juniper-firewall-backdoor-password-found-6-hours
http://www.theregister.co.uk/2015/12/20/juniper_details_two_attacks_from_unauthorised_code/
Remote PHP code execution in Joomla!
CVE-2015-8562
Remote PHP code execution
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.
The vulnerability exists due to insufficient filtration of HTTP User-Agent header and filter-search HTTP POST parameter before storing them into database. A remote unauthenticated attacker can permanently inject and execute arbitrary PHP code on the target system with privileges of the web server.
Successful exploitation of this vulnerability will allow a remote attacker to gain complete control over the vulnerable web application and execute arbitrary PHP code on the target system.
Note: this is a zero-day vulnerability and it is being exploited in the wild.
The vulnerability was used to compromise vulnerable websites for 16000 (sometimes - 20000) times per day.
Software: Joomla!
Links:
https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.h...
https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-0-Day-Exploited-In-the-Wild-(CVE-2015-856...
https://www.masergy.com/blog/joomla-remote-code-execution-vulnerability-cve-2015-8562
http://securityaffairs.co/wordpress/43108/cyber-crime/cve-2015-8562-joomla-flaw.html
https://www.liquidweb.com/kb/protecting-joomla-sites-against-cve-2015-8562/
https://security.berkeley.edu/news/joomla-core-150-345-remote-code-execution-cve-2015-8562
http://www.webhostingtalk.com/showthread.php?t=1536679
http://jaitsec.blogspot.com/2015/12/testing-joomla-for-cve-2015-8562.html
http://www.securityweek.com/vulnerable-joomla-servers-see-16000-daily-attacks
http://blogs.quickheal.com/joomla-exploit-cve-2015-8562-still-at-large/
http://news.softpedia.com/news/latest-joomla-vulnerability-targeted-by-attackers-16-600-times-per-da...
Multiple vulnerabilities in Microsoft Windows
CVE-2015-6175
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to boundary error when handling of objects in kernel memory. A local attacker can execute a specially crafted program, trigger memory corruption and gain SYSTEM privileges.
Successful exploitation of this vulnerability results in privilege escalation on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Links:
https://www2.trustwave.com/rs/815-RFM-693/images/2016%20Trustwave%20Global%20Security%20Report.pdf
https://technet.microsoft.com/library/security/ms15-135
https://www.symantec.com/security_response/vulnerability.jsp?bid=78514
http://www.securityweek.com/microsoft-patches-windows-office-flaws-exploited-wild
Security bypass Oracle Java SE
CVE-2015-4902
Security bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to unknown error related to the Java SE Deployment component. A remote attacker can bypass the click-to-play protection in Java.
Successful exploitation of the vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited by the Fancy Bear APT.
This was quite useful in Pawn Storm, as it used exploits targeting these vulnerabilities to carry out targeted attacks against North Atlantic Treaty Organization (NATO) members and the White House earlier this year.
Software: Oracle Java SE
This was quite useful in Pawn Storm, as it used exploits targeting these vulnerabilities to carry out targeted attacks against North Atlantic Treaty Organization (NATO) members and the White House earlier this year.
Links:
http://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day...
https://blog.qualys.com/laws-of-vulnerabilities/2015/10/21/oracle-critical-patch-update-october-2015
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
Remote code execution in Adobe Flash Player
CVE-2015-7645
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Was used in Pawn Storm Campaign Targeting Foreign Affairs Ministries. Exploited by the Fancy Bear APT.
The vulnerability was reported by Peter Pi of Trend Micro.
Software: Adobe Flash Player
Known/fameous malware:
Exploit Kits: Angler, Hunter, Magnitude, Neutrino, Nuclear Pack, RIG, Spartan.
The vulnerability was reported by Peter Pi of Trend Micro.
Links:
https://helpx.adobe.com/security/products/flash-player/apsa15-05.html
https://helpx.adobe.com/security/products/flash-player/apsb15-27.html
http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-sto...
http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28924
https://www.symantec.com/security_response/writeup.jsp?docid=2015-101903-5534-99
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=869
http://www.theregister.co.uk/2016/12/08/need_xmas_ideas_try_cve20157645_a_flash_gift_that_keeps_on_g...
http://www.securityweek.com/adobe-patches-flash-zero-day-exploited-pawn-storm
http://vulnerablespace.blogspot.com/2016/04/malware-analysing-and-repurposing.html
https://blog.malwarebytes.com/threat-analysis/2015/10/new-flash-player-zero-day-in-the-wild/
https://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/
http://securityaffairs.co/wordpress/41123/cyber-crime/flash-zero-day-exploit.html
http://www.infoworld.com/article/3046531/security/ransomware-targets-flash-and-silverlight-vulnerabi...
https://www.tripwire.com/state-of-security/latest-security-news/flash-player-zero-day-patched-by-ado...
http://www.welivesecurity.com/2015/10/15/adobe-flash-zero-day/
https://threatpost.com/emergency-adobe-flash-zero-day-patch-arrives-ahead-of-schedule/115073/
http://thehackernews.com/2015/10/flash-patch-update.html
https://www.scmagazine.com/adobe-addresses-latest-flash-player-zero-day-vulnerability/article/533522...
Remote code execution in Microsoft Windows Media Center
CVE-2015-2509
Arbitrary code execution
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of Media Center link (.mcl) files. A remote attacker can create a specially crafted Media Center link (.mcl) file that references malicious code, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in system compromise.Note: the vulnerability was being actively exploited.
This vulnerability is related to a previously unreported zero-day exploit discovered in the Hacking Team leaked emails. Trend Micro researchers (Aaron Luo, Kenney Lu, and Ziv Chang) discovered the exploit and subsequently reported their findings to Microsoft.
Software: Windows Media Center
Links:
https://www2.trustwave.com/rs/815-RFM-693/images/2016%20Trustwave%20Global%20Security%20Report.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/windows-media-center-hacking-team-bug-fix...
https://technet.microsoft.com/library/security/ms15-100
http://www.cio.com/article/2982358/microsoft-patches-yet-another-hacking-team-zero-day-exploit.html
http://blog.trendmicro.com/trendlabs-security-intelligence/windows-media-center-hacking-team-bug-fix...
http://resources.infosecinstitute.com/exploiting-ms15-100-cve-2015-2509/#gref
http://www.csoonline.com/article/2982487/vulnerabilities/microsoft-patches-yet-another-hacking-team-...
http://securityaffairs.co/wordpress/40019/hacking/windows-media-center-ht-bug.html
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS15_100_MCL_EXE
https://www.symantec.com/security_response/vulnerability.jsp?bid=76594
http://www.pcworld.com/article/2982361/microsoft-patches-yet-another-hacking-team-zero-day-exploit.h...
Multiple vulnerabilities in Microsoft Windows
CVE-2015-2546
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to boundary error in ATMFD.dll in Win32k.sys. A local attacker can execute a specially crafted program, trigger memory corruption and gain SYSTEM privileges.
Successful exploitation of the vulnerability may result in full control of the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by FireEye researcher Wang Yu.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms15-097
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf
https://www.symantec.com/security_response/vulnerability.jsp?bid=76608
https://krebsonsecurity.com/2015/09/microsoft-pushes-a-dozen-security-updates/
http://www.securityweek.com/microsoft-patches-windows-vulnerability-exploited-wild
https://www.scmagazine.com/microsoft-fixes-several-bugs-on-patch-tuesday-two-being-actively-exploite...
https://www.helpnetsecurity.com/2015/09/09/microsoft-pushes-out-security-updates-plugs-holes-activel...
https://threatpost.com/microsoft-patches-graphics-component-flaw-under-attack/114575/
http://www.securitynewspaper.com/2015/09/09/microsoft-patches-graphics-component-flaw-under-attack/
Multiple vulnerabilities in Microsoft Office
CVE-2015-2545
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when parsing malformed images. A remote attacker can create a file containing a specially crafted image file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
CVE-2015-2545 fuels around 17% of attacks in Microsoft Office.
Used to target organisations in China.
Software: Microsoft Office
Used to target organisations in China.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-099
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf
http://pwc.blogs.com/cyber_security_updates/2016/05/exploring-cve-2015-2545-and-its-users.html
https://threatpost.com/apt-groups-finding-success-with-patched-microsoft-flaw/118298/
http://www.securityweek.com/year-old-office-vulnerabilities-most-popular-current-attacks
https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/
https://www.symantec.com/security_response/vulnerability.jsp?bid=76667
https://blogs.sophos.com/2016/07/18/cybercriminals-shift-their-tactics-for-microsoft-office-document...
https://www.threatconnect.com/blog/word-document-trojan-exploiting-cve/
http://www.itworldcanada.com/article/exploit-kits-now-adopting-recent-office-vulnerabilities-report/...
https://www.scmagazine.com/microsoft-fixes-several-bugs-on-patch-tuesday-two-being-actively-exploite...
http://blog.morphisec.com/exploit-bypass-emet-cve-2015-2545
http://news.softpedia.com/news/one-microsoft-office-exploit-has-become-very-popular-with-cyber-espio...
http://news.softpedia.com/news/ke3chang-is-back-and-it-s-targeting-indian-embassies-around-the-globe...
Remote code execution in Hangul Word Processor
CVE-2015-6585
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to type confusion error. A remote attacker can create a specially crafted HWPX file containing a set of directories and XML files, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: this vulnerability is being actively exploited.
Trojan.Volgmer.B. Attackers from North Korea exploited the vulnerability HANGMAN in a word processor popular with the South Korea's government to steal the documents and upload them to a C&C server.
North Korea attack in June dubbed "Macktruck".
Software: Hancom Office
North Korea attack in June dubbed "Macktruck".
Links:
https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.p...
https://www.fireeye.com/blog/threat-research/2015/09/zero-day_hwp_exploit.html
http://www.pcworld.com/article/2982577/north-korea-is-likely-behind-attacks-exploiting-a-korean-word...
http://www.hancom.com/index.jsp
http://securityaffairs.co/wordpress/40029/hacking/north-kore-0-day-hangul.html
https://c0deman.wordpress.com/2015/11/02/hangul-word-processor-hwp-zero-day-possible-ties-to-north-k...
http://www.securityweek.com/north-korea-suspected-using-zero-day-attack-south
http://www.theregister.co.uk/2015/09/10/north_korea_exploits_zero_day_in_seouls_favourite_word_doc/
http://www.spamfighter.com/News-19851-North-Korea-Probably-Main-Architect-of-Cyberattacks-in-South-K...
http://www.ehackingnews.com/2015/09/researchers-say-north-korea-behind.html
Remote code execution in Microsoft Internet Explorer
CVE-2015-2502
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error when handling Javascript and HTML tables within the layout cache. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability has been exploited in watering hole attacks against compromised website belonging to an evangelical church in Hong Kong to deliver Korplug malware.
Software: Microsoft Internet Explorer
Known/fameous malware:
Korplug malware.
Links:
https://technet.microsoft.com/library/security/MS15-093
http://www.securityweek.com/microsoft-issues-emergency-patch-critical-ie-flaw-exploited-wild
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28195
https://www.alienvault.com/blogs/security-essentials/internet-explorer-memory-corruption-vulnerabili...
https://www.tripwire.com/state-of-security/vulnerability-management/ie-under-attack-microsoft-releas...
https://krebsonsecurity.com/2015/08/microsoft-pushes-emergency-patch-for-ie/
https://www.redpacketsecurity.com/cve-2015-2502-microsoft-issues-emergency-patch-for-all-versions-of...
https://blog.qualys.com/laws-of-vulnerabilities/2015/08/18/ms15-093--oob-fix-for-internet-explorer
https://arstechnica.com/security/2015/08/microsoft-issues-emergency-patch-for-critical-ie-bug-under-...
https://www.scmagazine.com/microsoft-patches-critical-remote-code-execution-bug-in-internet-explorer...
https://www.symantec.com/connect/tr/blogs/new-internet-explorer-zero-day-exploited-hong-kong-attacks
https://malwarelist.net/tag/zero-day-vulnerability/
http://www.darkreading.com/attacks-breaches/ie-bug-exploited-in-wild-after-microsoft-releases-out-of...
http://thehackernews.com/2015/08/microsoft-emergency-patch-zero-day-internet-explorer.html
Multiple vulnerabilities in Microsoft Office
CVE-2015-1642
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing Microsoft Office documents. A remote unauthenticated attacker can create a specially crafted Office document, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was discovered by Yong Chuan, Koh of MWR Labs.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms15-081.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=76200
https://www.nccgroup.trust/uk/our-research/understanding-microsoft-word-ole-exploit-primitives/
https://labs.mwrinfosecurity.com/advisories/microsoft-office-ctasksymbol-use-after-free-vulnerabilit...
http://blog.trendmicro.com/trendlabs-security-intelligence/august-patch-tuesday-includes-update-for-....
Privilege escalation in Microsoft Windows
CVE-2015-1769
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper processing of symbolic links by Mount Manager. By inserting a specially crafted USB device into the system, an attacker can create arbitrary files and execute malicious code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Attackers used USB to infect computers with the malware at the Natanz uranium enrichment facility in Iran.
The .LNK vulnerability was also exploited by the Equation Group, uncovered by researchers at Kaspersky Lab.
Software: Windows
Known/fameous malware:
Fanny
The .LNK vulnerability was also exploited by the Equation Group, uncovered by researchers at Kaspersky Lab.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-085.aspx https://blogs.technet.microsoft.com/srd/2015/08/11/defending-against-cve-2015-1769-a-logical-issue-e...
https://cdn4.esetstatic.com/eset/US/resources/docs/white-papers/Windows_Exploitation_in_2015.pdf
https://threatpost.com/microsoft-patches-usb-related-flaw-used-in-targeted-attacks/114240/
https://threats.kaspersky.com/en/vulnerability/KLA10646/
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000786.aspx
http://www.securityweek.com/microsoft-adobe-patch-dozens-security-vulnerabilities
Remote code execution in Microsoft Windows
CVE-2015-2426
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to buffer overflow in Windows Adobe Type Manager library when processing OpenType fonts. A remote attacker can create a specially crafted document or website with embedded malicious OpenType font, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: the vulnerability was being actively exploited.
The exploit code was revealed after Hacking Team data leak.
The vulnerability was reported by FireEye's Genwei Jiang and Google Project Zero's Mateusz Jurczyk.
The vulnerability has being exploited by Eugene Ching of Qavar Security on the January 2015.
Software: Windows
The vulnerability was reported by FireEye's Genwei Jiang and Google Project Zero's Mateusz Jurczyk.
The vulnerability has being exploited by Eugene Ching of Qavar Security on the January 2015.
Links:
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-leak-uncovers-another-window...
https://www.host-stage.net/blog/security-issue-adobe-type-manager-cve-2015-2426-patched/
https://ae.norton.com/security_response/print_writeup.jsp?docid=2015-072114-5203-99
https://www.carbonblack.com/2015/07/24/using-bit9-to-mitigate-ms15-078cve-2015-2426/
https://www.nccgroup.trust/uk/our-research/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-...
https://www.tripwire.com/state-of-security/vulnerability-management/vert-threat-alert-july-20-2015/
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vuln...
https://www.symantec.com/connect/blogs/leaked-hacking-team-windows-vulnerability-could-facilitate-re...
http://www.computerworld.com/article/2949589/malware-vulnerabilities/microsoft-patches-windows-zero-...
https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html
https://www.beyondtrust.com/blog/microsoft-patches-a-critical-vulnerability-in-adobe-type-manager-fo...
Remote code execution in Oracle Java SE
CVE-2015-2590
Remote code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to unknown error in Libraries component. A remote attacker can execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in full control of the vulnerable system.
Note: the vulnerability was being actively exploited.
The attacks were launched by a cyberespionage group known as Pawn Storm or APT28 targeting the White House and members of the North Atlantic Treaty Organization (NATO) back in April 2015.
The group has been active since 2007 and typically targets military, government and media organizations.
Software: Oracle Java SE
The group has been active since 2007 and typically targets military, government and media organizations.
Links:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/7033/oracle-java-se-remote-code...
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html http://www.pcworld.com/article/2948592/security/oracle-fixes-zeroday-java-flaw-and-over-190-other-vu...
http://www.computerworld.com/article/2947216/security/cyberespionage-group-pawn-storm-uses-exploit-f...
http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
https://www.tripwire.com/state-of-security/latest-security-news/java-zero-day-bug-192-other-security...
http://www.securityweek.com/oracle-patches-java-zero-day-exploited-pawn-storm-attackers
http://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day...
https://duo.com/blog/update-flash-and-java-emergency-zero-day-patches
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2015-2425
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted Web-site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The exploit code was revealed after Hacking Team data leak.
Software: Microsoft Internet Explorer
Links:
http://blog.trendmicro.com/trendlabs-security-intelligence/gifts-from-hacking-team-continue-ie-zero-...
https://arstechnica.com/security/2015/07/ms-kills-critical-ie-11-bug-after-exploit-was-shopped-to-ha...
http://blog.vectranetworks.com/blog/microsoft-internet-explorer-11-zero-day
http://www.eweek.com/security/adobe-microsoft-and-oracle-patch-for-hacking-team-flaws.html
https://www.symantec.com/security_response/writeup.jsp?docid=2015-072010-0655-99&tabid=2
Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2015-5123
тАЬUse-after-freeтАЭ error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in the ActionScript 3 BitmapData class. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The exploit code was revealed after Hacking Team data leak.
Software: Adobe Flash Player
Known/fameous malware:
SWF_EKSPLOYT.EDF. (TrendMicro).
Links:
https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
https://www.symantec.com/connect/blogs/third-adobe-flash-zero-day-exploit-cve-2015-5123-leaked-hacki...
http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-...
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-...
http://securityaffairs.co/wordpress/38574/cyber-crime/hacking-team-cve-2015-5123.html
https://www.tripwire.com/state-of-security/vulnerability-management/another-zero-day-flash-exploit-r...
https://www.scmagazine.com/researchers-report-flash-player-zero-day-bugs-after-hacking-team-leaks/ar...
http://www.securityweek.com/two-new-flash-player-zero-day-bugs-found-hacking-team-leak
https://threatpost.com/flash-player-update-patches-two-hacking-team-zero-days/113776/ https://www.zscaler.com/blogs/research/hacking-team-leak-flash-0day-exploit-payloads-and-more
http://www.zdnet.com/article/adobe-promises-patch-for-latest-wave-of-critical-hacking-team-zero-day-...
http://securityaffairs.co/wordpress/38518/cyber-crime/hacking-team-new-0zero.html
Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2015-5122
тАЬUse-after-freeтАЭ error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in the ActionScript 3 opaqueBackground class. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The exploit code was revealed after Hacking Team data leak. The exploit was used against Japanese organizations.
The vulnerability was reported by Dhanesh Kizhakkinan of FireEye as well as Peter Pi of TrendMicro.
Software: Adobe Flash Player
Known/fameous malware:
Exploit kits: Angler EK - 2015-07-11 Neutrino - 2015-07-13 Nuclear Pack - 2015-07-14 RIG - 2015-07-14 Magnitude - 2015-07-15 NullHole - 2015-07-22 Spartan - 2015-09-11
The vulnerability was reported by Dhanesh Kizhakkinan of FireEye as well as Peter Pi of TrendMicro.
Links:
https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28060
http://blog.trendmicro.com/trendlabs-security-intelligence/another-zero-day-vulnerability-arises-fro...
https://krebsonsecurity.com/2015/07/adobe-to-fix-another-hacking-team-zero-day/
https://packetstormsecurity.com/files/132663/Adobe-Flash-opaqueBackground-Use-After-Free.html
http://www.hackingtutorials.org/metasploit-tutorials/metasploit-cve-2015-5122-flash-exploit-tutorial...
http://securityaffairs.co/wordpress/38531/cyber-crime/hacking-team-2-flash-0day.html
http://www.theregister.co.uk/2015/07/12/adobe_flash_zero_day_cve_2015_5122/
http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerospace-firm-exploits-c...
https://arstechnica.com/security/2015/07/two-new-flash-exploits-surface-from-hacking-team-combine-wi...
https://www.tripwire.com/state-of-security/vulnerability-management/another-zero-day-flash-exploit-r...
https://www.scmagazine.com/researchers-report-flash-player-zero-day-bugs-after-hacking-team-leaks/ar...
http://www.zdnet.com/article/adobe-promises-patch-for-latest-wave-of-critical-hacking-team-zero-day-...
Arbitrary code execution in Microsoft Windows
CVE-2015-2387
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to boundary error in the Adobe Type Manager module (ATMFD.dll). A local attacker can execute a specially crafted application, trigger memory corruption, bypass OS-level sandboxing and execute arbitrary code with SYSTEM privileges.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.The exploit code was revealed after Hacking Team data leak.
Public exploit code for this vulnerability became available as part of the Hacking Team leaks on July 5, 2015.
Software: Windows
Public exploit code for this vulnerability became available as part of the Hacking Team leaks on July 5, 2015.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-077.aspx http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vuln...
http://www.securityweek.com/microsoft-patches-hacking-team-zero-days-other-vulnerabilities
https://countuponsecurity.com/2015/07/24/hacking-team-arsenal-of-cyber-weapons/
https://securingtomorrow.mcafee.com/business/security-connected/microsoft-patch-tuesday-july-2015/
http://www.bankinfosecurity.com/hacking-team-dump-windows-zero-day-a-8404
https://www.secureworks.com/blog/targeted-exploit-and-escalation
Remote code execution in Adobe Flash Player
CVE-2015-5119
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web-site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The exploit code was revealed after Hacking Team data leak. Was also used in phishing campaigns conducted by two Chinese advanced persistent threat (APT) groups: APT3 and APT18.
The vulnerability was reported by Google Project Zero and Morgan Marquis-Boire.
Software: Adobe Flash Player
The vulnerability was reported by Google Project Zero and Morgan Marquis-Boire.
Links:
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
http://securityaffairs.co/wordpress/38707/cyber-crime/phishing-cve-2015-5119.html
https://www.zscaler.com/blogs/research/adobe-flash-vulnerability-cve-2015-5119-analysis
https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html
http://www.bankinfosecurity.com/zero-day-exploit-alert-flash-java-a-8396
https://www.zscaler.com/blogs/research/adobe-flash-vulnerability-cve-2015-5119-analysis
https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Flash-Exploit-(CVE-2015-5119)-From-the-Hacking...
http://null-byte.wonderhowto.com/how-to/hack-like-pro-use-hacking-teams-adobe-flash-exploit-0163051/
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-in...
https://krebsonsecurity.com/2015/07/adobe-to-patch-hacking-teams-flash-zero-day/#more-31458
https://blog.malwarebytes.com/threat-analysis/2015/07/hacking-team-leak-exposes-new-flash-zero-day/
https://www.scmagazine.com/adobe-fixes-flash-player-zero-day-bug-identified-in-hacking-team-leak/art...
Remote code execution in Microsoft Office
CVE-2015-2424
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to heap-based buffer overflow when processing Office files. A remote attacker can create a specially crafted Office file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability reffers to the APT28 and Operation Pawn Storm and was used in cyber espionage campaign by Tsar Team.
Software: Microsoft Office
Known/fameous malware:
Trojan.Win32.Sofacy.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-070.aspx
http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
https://www.trustwave.com/Resources/SpiderLabs-Blog/Tsar-Team-Microsoft-Office-Zero-Day-CVE-2015-242...
https://www.symantec.com/security_response/vulnerability.jsp?bid=75744
http://www.securityweek.com/microsoft-patches-office-zero-day-bug-used-apt-group
Remote code execution in Adobe Flash Player
CVE-2015-3113
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to heap-based buffer overflow when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited by a China-based cyberespionage group. Operation Clandestine Wolf тАУ Adobe Flash Zero-Day in APT3 Phishing Campaign.
Software: Adobe Flash Player
Known/fameous malware:
Magnitude exploit kit.
Links:
https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
https://hitmanpro.wordpress.com/2015/07/02/how-apt3-evaded-anti-exploits-with-cve-2015-3113/
https://nakedsecurity.sophos.com/2015/06/29/latest-flash-hole-already-exploited-ransomware/
http://securityaffairs.co/wordpress/38044/cyber-crime/adobe-fixed-cve-2015-3113.html
http://www.securityweek.com/adobe-flash-player-zero-day-exploited-attack-campaign
http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause...
http://www.computerweekly.com/news/4500248673/Adobe-patches-Flash-Player-vulnerability-CVE-2015-3113
http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days...
https://arstechnica.com/security/2015/06/patch-early-patch-often-adobe-pushes-emergency-fix-for-acti...
http://www.pcworld.com/article/2939552/adobe-patches-zeroday-flash-player-flaw-used-in-targeted-atta...
http://www.techtimes.com/articles/63254/20150624/adobe-releases-patch-to-plug-flash-players-zero-day...
https://www.recordedfuture.com/use-cases/vulnerability-identification/
http://www.theregister.co.uk/2015/06/29/ransomware_exploit_kit_slinger_exploits_flash_remote_code_ex...
http://www.computerworlduk.com/security/cybercriminals-pounce-on-serious-flash-zero-day-flaw-3618019..
Multiple vulnerabilities in Microsoft Windows
CVE-2015-2360
Memory corruption
The vulnerability allows a local attacker to obtain elevated privileges on the target system.The weakness exists due to boundary error. A local attacker can run a specially crafted program to trigger memory corruption and acquire administrative privileges.
Successful exploitation of the vulnerability results in privilege escalation on the vulnerable system.
Note: the vulnerability was being actively exploited.
Expoited by Duqu 2.0 and used in attack against the Kaspersky Lab to hack their internal networks in early spring 2015.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms15-061.aspx
https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-ac...
http://securityaffairs.co/wordpress/37714/cyber-crime/duqu-2-0-hit-kaspersky.html
http://blog.trendmicro.com/trendlabs-security-intelligence/analysis-of-cve-2015-2360-duqu-2-0-zero-d...
https://www.symantec.com/security_response/vulnerability.jsp?bid=75025
http://blog.ensilo.com/ms-patch-tuesday-a-look-into-4-vulnerabilities-in-the-windows-kernel
https://www.virusbulletin.com/conference/vb2015/abstracts/duqu-2-0-win32k-exploit-analysis/
http://usa.kaspersky.com/about-us/press-center/press-releases/2015/duqu-back-kaspersky-lab-reveals-c..
https://blogs.bromium.com/2015/06/16/duqu-2-0-whos-the-lord-of-ring0/
PHP code execution in H-fj Mt-phpincgi
CVE-2015-2945
Arbitrary PHP code execution
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.The weakness exists due to improper validation of input when performing an unserialize() call. A remote attacker can send a specially crafted URL request, inject and execute arbitrary PHP code on the system.
Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Mt-phpincgi
Multiple vulnerabilities in Microsoft Windows
CVE-2015-1701
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to improper access control. A local attacker can create a specially crafted application, execute a callback in userspace and use data from the System token to execute arbitrary code on the system with root privileges.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.The vulnerability was combined with CVE-2015-3043 to perform Operation "Russian Doll".
Exploited by RussiaтАЩs APT28 (Fancy Bear APT) in cyber espionage campaign on the U.S defense contractors, European security companies and Eastern European government entities.
Software: Windows
Exploited by RussiaтАЩs APT28 (Fancy Bear APT) in cyber espionage campaign on the U.S defense contractors, European security companies and Eastern European government entities.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-051
https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-cve-2015-1701-a-win32k-elevatio...
https://www.symantec.com/security_response/vulnerability.jsp?bid=74245
https://www.reddit.com/r/microsoft/comments/334zyo/russia_use_unpatched_cve20151701_in/
https://thehacktimes.com/cyber-espionage-operation-russian-doll/
http://www.eweek.com/security/russian-based-attackers-use-two-zero-days-in-one-attack.html
Multiple vulnerabilities in Microsoft Office
CVE-2015-1641
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error when handling rich text format files. A remote attacker can create a specially crafted RTF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability accounts for nearly 66% of attacks using Office Word.
APT attacks, targeting Tibetans, Uyghurs, human rights groups in Taiwan and Hong Kong, and journalists.
Software: Microsoft Office
APT attacks, targeting Tibetans, Uyghurs, human rights groups in Taiwan and Hong Kong, and journalists.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-033.aspx
http://www.securityweek.com/year-old-office-vulnerabilities-most-popular-current-attacks
https://degsew.wordpress.com/2016/03/28/new-microst-office-word-2007-2013-exploit-cve-2015-1641-anal...
http://news.softpedia.com/news/cve-2015-1641-and-cve-2015-2545-are-today-s-most-popular-microsoft-wo...
http://www.securityweek.com/spear-phishing-attacks-target-industrial-firms-kaspersky-lab-ics-cert
http://www.securitynewspaper.com/2016/07/19/cve-2015-1641-cve-2015-2545-todays-popular-microsoft-wor...
Multiple vulnerabilities in Adobe Flash Player
CVE-2015-3043
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Attackers exploited the vulnerabilities together to attack a government entity to and steal politically sensitive data that is a known target of the Russian group (APT campaign).
Software: Adobe Flash Player
Links:
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
https://krebsonsecurity.com/2015/04/critical-updates-for-windows-flash-java/#more-30672
http://www.securityweek.com/russia-linked-hackers-used-two-zero-days-recent-targeted-attack-fireeye
http://www.zdnet.com/article/russian-hackers-exploit-flash-windows-flaws-to-spy-on-diplomat-targets/
https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
http://www.eweek.com/security/russian-based-attackers-use-two-zero-days-in-one-attack.html
http://securityaffairs.co/wordpress/36105/cyber-crime/apt28-russian-hackers.html
https://www.advancedbusinesssolutions.com/blog/curated-content/russian-hackers-use-flash-windows-zer...
https://www.infosecurity-magazine.com/news/apt28-back-russiandoll-attack/
Two remote code execution vulnerabilities in Microsoft Windows
CVE-2015-0096
Insecure dll. library loading
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the way Microsoft Windows parses shortcuts. A remote attacker can place a specially crafted .dll file along with an icon file on a remote SMB or WebDav share, trick the victim into opening that document and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability was being actively exploited.
According to Trustwave it is a zero-day.
Vulnerability CVE-2015-0096 is a continuation of CVE-2010-2568, which was believed to have been patched by MS10-046. However, it was not completely and we see this with MS15-018. At the time of the patch release there were fully functional exploits for this particular vulnerability.
Software: Windows
Vulnerability CVE-2015-0096 is a continuation of CVE-2010-2568, which was believed to have been patched by MS10-046. However, it was not completely and we see this with MS15-018. At the time of the patch release there were fully functional exploits for this particular vulnerability.
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2015-0071
Security bypass
The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to failure to use Address Space Layout Randomization (ASLR). A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass ASLR mechanism and predict memory locations that if connected with another vulnerability allows to execute arbitrary code.
Successful exploitation of this vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
Allegedly, Chinese hackers combined it with a remote-code execution vulnerability in Adobe Flash to infect visitors to the Forbes website with malware since November, 2014.
Software: Microsoft Internet Explorer
Known/fameous malware:
JS:CVE-2015-0071-A.
Links:
https://technet.microsoft.com/library/security/ms15-009
https://cdn4.esetstatic.com/eset/US/resources/docs/white-papers/Windows_Exploitation_in_2015.pdf
https://www.symantec.com/security_response/vulnerability.jsp?bid=72455
http://blog.trendmicro.com/trendlabs-security-intelligence/bypassing-aslr-with-cve-2015-0071-an-out-...
https://www.invincea.com/2015/02/chinese-espionage-campaign-compromises-forbes/
http://www.theregister.co.uk/2015/02/10/patch_tuesday_release_fixes_unprecedented_zeroday_design_fla...
https://www.hackread.com/hackers-use-flash-and-ie-to-target-forbes-visitors/
https://arstechnica.com/security/2015/02/pwned-in-7-seconds-hackers-use-flash-and-ie-to-target-forbe...
http://www.securityweek.com/microsoft-patches-critical-windows-internet-explorer-vulnerabilities-pat...
http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html
https://www.scmagazine.com/forbescom-attackers-exploited-zero-days-in-flash-ie/article/536348/
https://arstechnica.com/security/2015/02/pwned-in-7-seconds-hackers-use-flash-and-ie-to-target-forbe...
Stored cross-site scripting in FancyBox for WordPress
CVE-2015-1494
Stored cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-input. A remote attacker can send a specially crafted HTTP request to vulnerable website and permanently store arbitrary HTML and JavaScript code on it. The code will be executed in browser of every website visitor.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability was being actively exploited.
The vulnerability was notified by Konstantin Kovshenin and Gennady Kovshenin.
Software: FancyBox
Multiple vulnerabilities in Adobe Flash Player
CVE-2015-0313
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error when processing .swf content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was used during malwertising campaign against visitors of dailymotion.com.
Software: Adobe Flash Player
Known/fameous malware:
SWF_EXPLOIT.MJST
Hanjuan Exploit Kit
Links:
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-new-adobe-flash-zer...
http://www.securityweek.com/adobe-prepares-patch-another-critical-flash-player-vulnerability
https://krebsonsecurity.com/2015/02/yet-another-flash-patch-fixes-zero-day-flaw/#more-29724
http://www.greatsoftline.com/another-critical-zero-day-vulnerability-in-adobe-flash-player/
https://nakedsecurity.sophos.com/2015/02/03/news-flash-3rd-time-newunlucky-0-day-hits-adobes-browser...
https://www.recordedfuture.com/top-vulnerabilities-2015/
http://www.networkworld.com/article/3003176/security/8-of-top-10-vulnerabilities-used-by-exploit-kit...
http://www.itnews.com.au/news/hackers-target-third-new-zero-day-for-adobe-flash-399960
http://researchcenter.paloaltonetworks.com/2015/02/palo-alto-networks-traps-protects-enterprises-zer...
http://www.fin24.com/Tech/News/Hackers-target-Adobe-Flash-again-20150205
https://arstechnica.com/security/2015/02/as-flash-0day-exploits-reach-new-level-of-meanness-what-are...
http://www.techtimes.com/articles/30925/20150206/adobe-releases-patch-for-dangerous-flash-player-zer...
http://www.darkreading.com/new-adobe-flash-0-day-used-in-malvertising-campaign/d/d-id/1318900
https://philipcao.com/2015/02/04/palo-alto-networks-traps-protects-enterprises-from-zero-day-cve-201...
https://betanews.com/2015/02/02/surprise-adobe-flash-has-a-security-flaw-on-windows-mac-and-linux/
Cross-site scripting in Microsoft Internet Explorer
CVE-2015-0072
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.The vulnerability exists due to insufficient sanitization of user-input passed via vectors involving an IFRAME element. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in userтАЩs browser in context of another website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability was being actively exploited.
CVE-2015-0072 was apparently reported to Microsoft on Oct. 13, 2014, however David Leo disclosed the details of this vulnerability to the popular Full Disclosure security mailing list on Jan. 31, 2015.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit: HTML/CVE-2015-0072.A
Links:
https://technet.microsoft.com/library/security/ms15-018
http://www.pcworld.com/article/2879372/dangerous-ie-vulnerability-opens-door-to-powerful-phishing-at...
https://nakedsecurity.sophos.com/2015/02/04/internet-explorer-has-a-cross-site-scripting-zero-day-bu...
https://blogs.forcepoint.com/security-labs/another-day-another-zero-day-%E2%80%93-internet-explorers...
http://22by7.helpserve.com/News/NewsItem/View/5773/another-day-another-zero-day--internet-explorers-...
Remote code execution in Adobe Flash Player
CVE-2015-0311
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was discovered by French security researcher тАЬKafeineтАЭ.
It was actively being exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. It was used by Angler EK and infected at least 1,800 known domains.
Software: Adobe Flash Player
Known/fameous malware:
SWF/Exploit.CVE-2015-0311.N(2)
Trojan.Swifi (Symantec)
Angler EK
It was actively being exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. It was used by Angler EK and infected at least 1,800 known domains.
Links:
https://helpx.adobe.com/security/products/flash-player/apsb15-03.html
http://blog.trendmicro.com/trendlabs-security-intelligence/os-x-zero-days-on-the-rise-a-2015-midyear...
http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0311-flash-zero-day-vu...
http://researchcenter.paloaltonetworks.com/2015/01/unpatched-flash-vulnerability-cve-2015-0311-block...
http://securityaffairs.co/wordpress/32687/security/adobe-fix-cve-2015-0311-0day.html
http://www.kamnet.com/adobe-flash-player-vulnerability-cve-2015-0311/
http://www.criticalwatch.com/faqs/zero-day-vulnerability-in-adobe-flash/
http://www.free-remove-spyware.com/post/Cannot-Remove-SWFExploit.CVE-2015-0311.N2-SWFExploit.CVE-201...
http://www.securityweek.com/adobe-fixes-second-flash-player-zero-day-vulnerability
http://www.pcworld.com/article/2878792/flash-player-plagued-by-third-zeroday-flaw-in-a-month-updates...
Security bypass in Adobe Flash Player
CVE-2015-0310
Security bypass
The vulnerability allows a remote attacker to circumvent memory address randomization on the target system.
The weakness exists due to memory leak error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption, bypass memory address randomization on the Windows platform and obtain sensitive information.
Note: the vulnerability was being actively exploited.
The vulnerability was discovered and reported by security researcher Kafeine.
The vulnerability was used in attacks against older versions of Flash Player.
Software: Adobe Flash Player
Known/fameous malware:
Angler EK.
The vulnerability was used in attacks against older versions of Flash Player.
Links:
https://helpx.adobe.com/security/products/flash-player/apsb15-02.html
https://ae.norton.com/security_response/writeup.jsp?docid=2015-021009-2659-99
https://www.beyondtrust.com/blog/adobe-patches-zero-day-flaw-being-exploited-in-the-wild/
https://www.intego.com/mac-security-blog/flash-player-0day-vulnerability-jolts-rushed-update/
http://www.pcworld.com/article/2874172/adobe-fixes-just-one-of-two-actively-exploited-zeroday-vulner...
http://www.eweek.com/security/new-zero-day-exploit-adds-to-adobe-flash-security-woes.html
Privilege escalation in Microsoft Windows
CVE-2015-0016
Path traversal
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to insufficient validation of user-supplied input within TS WebProxy Windows component. A remote attacker can trick the victim into downloading a specially crafted file and execute it with privileges of the current user.
Successful exploitation of the vulnerability may result in full control of the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was being used in CNACOM campaign targeting government organization in Taiwan.
Software: Windows
Known/fameous malware:
Exploit.Win32.CVE-2015-0016.
Links:
https://technet.microsoft.com/library/security/ms15-004
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explo...
https://www.symantec.com/security_response/vulnerability.jsp?bid=71965
http://www.securityweek.com/china-linked-spies-target-taiwan-ie-exploit
http://securityaffairs.co/wordpress/33153/cyber-crime/fessleak-malvertising-campaign.html
http://securityaffairs.co/wordpress/54093/intelligence/cnacom-campaign.html
Multiple vulnerabilities in Adobe Flash Player
CVE-2014-9163
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was discovered by the researcher тАШbilouтАЩ, who reported the bug through HPтАЩs Zero Day Initiative (ZDI).
Has been used in a watering hole attack against US Defense and Financial Services firms, where it was hosted on the compromised Forbes.com website.
Software: Adobe Flash Player
Known/fameous malware:
Trojan.Win32.Bergard.A.
Has been used in a watering hole attack against US Defense and Financial Services firms, where it was hosted on the compromised Forbes.com website.
Links:
https://helpx.adobe.com/security/products/flash-player/apsb14-27.html
https://www.symantec.com/security_response/writeup.jsp?docid=2015-011509-4745-99
http://www.securityweek.com/adobe-patches-flash-player-vulnerability-exploited-wild
http://news.softpedia.com/news/Chinese-Hackers-Target-Forbes-com-In-Watering-Hole-Attack-472871.shtm...
http://www.cso.com.au/article/562228/adobe-patches-flash-zero-day-under-attack/
http://blog.malcovery.com/forbes.com-adobe-flash-player-and-your-email
http://securityaffairs.co/wordpress/33417/cyber-crime/chinese-hackers-hit-forbes.html
https://arstechnica.com/security/2015/02/pwned-in-7-seconds-hackers-use-flash-and-ie-to-target-forbe...
Two vulnerabilities in Siemens SIMATIC WinCC
CVE-2014-8551
Improper input validation
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to improper input validation when processing packets sent to the WinCC server. A remote unauthenticated attacker can send a specially crafted packet and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability has been exploited in targeted attacks.
The vulnerability has been exploited in targeted attacks involving BlackEnergy Trojan.
Software: Siemens SIMATIC WinCC
Known/fameous malware:
BlackEnergy
Privilege escalation in Microsoft Windows
CVE-2014-6324
Privilege escalation
The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.The weakness exists due to the failure to properly validate signatures in the Kerberos ticket by the Microsoft Kerberos KDC implementation. A remote attacker can forge a ticket and elevate an unprivileged domain user account to a domain administrator account.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited by Duqu.
The vulnerability was reported by Qualcomm Information Security & Risk Management team.
Software: Windows
The vulnerability was reported by Qualcomm Information Security & Risk Management team.
Links:
https://technet.microsoft.com/library/security/MS14-068
https://blogs.technet.microsoft.com/srd/2014/11/18/additional-information-about-cve-2014-6324/
http://securityaffairs.co/wordpress/30320/security/microsoft-patch-kerberos-bug.html
https://www.symantec.com/security_response/vulnerability.jsp?bid=70958
https://www.netiq.com/communities/cool-solutions/detecting-windows-kerberos-implementation-elevation...
Remote code execution in JustSystems Ichitaro
CVE-2014-7247
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when processing documents. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
According TrendMicro and Symantec this is a zero-day.
Backdoors Emdivi, Korplug and ZXshell were used in the cyberespionage campaign,тАЬOperation CloudyOmega,тАЭ to target Japanese organisations.
Software: Ichitaro
Known/fameous malware:
Emdivi
Korplug
ZXshell
Backdoors Emdivi, Korplug and ZXshell were used in the cyberespionage campaign,тАЬOperation CloudyOmega,тАЭ to target Japanese organisations.
Links:
http://www.justsystems.com/jp/info/js14003.html
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-magnified-losses-a...
https://www.symantec.com/connect/tr/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cybere...
https://malwerewolf.com/2014/11/cool-news-story-bro-week-11-21-2014/
Privilege escalation in Microsoft Windows
CVE-2014-4077
Privilege escalation
The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.The weakness exists due to improper access control in Microsoft implementation of Input Method Editor (IME) for Japanese language. A remote attacker can create a specially crafted file designed to invoke a vulnerable sandboxed application, trick the victim into opening it, gain elevated privileges and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
CVE-2014-4077 used in targeted attack in the wild to bypass Adobe Reader Sandbox via binary hijacking using malicious DIC file.
Software: Windows
Remote code execution in Microsoft Windows
CVE-2014-6352
Code injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an error when handling malicious Office files. A remote attacker can create a specially crafted Microsoft Office file containing the malicious OLE object, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Microsoft first received information about this vulnerability through coordinated vulnerability disclosure. Zero-day was initially found and reported to McAfee by James Forshaw of Google Project Zero.
The vulnerability is publicly known as "Sandworm" and has been exploited by the Chinese against Taiwan.
Software: Windows
Known/fameous malware:
Trojan.Mdropper. (Symantec).
The vulnerability is publicly known as "Sandworm" and has been exploited by the Chinese against Taiwan.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-064
http://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-windows-hit-by-new-zero-day-att...
https://malwarelist.net/2014/10/22/cve-2014-6352-critical-vulnerability-in-microsoft-windows/
https://www.symantec.com/connect/blogs/attackers-circumvent-patch-windows-sandworm-vulnerability
http://www.theregister.co.uk/2014/10/22/powerpoint_attacks_exploit_ms_0day/
http://www.computerworld.com/article/2837084/microsoft-misses-windows-bug-hackers-slip-past-patch.ht...
https://nakedsecurity.sophos.com/2014/10/24/has-the-sandworm-exploit-burrowed-back/
http://www.eweek.com/security/microsoft-patches-33-vulnerabilities-in-november-patch-tuesday-update....
https://techtalk.gfi.com/the-lesson-of-sandworm-patched-but-not-protected/
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2014-4123
Privilege escalation
The vulnerability allows a remote attacker to obtain elevated privileges on the target system.The weakness exists due to the failure to properly validate permissions. A remote attacker can gain elevated privileges and execute arbitrary code on the affected system.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
CrowdStrike first detected the attacks in spring.
The zero-day reported by CrowdStrike was also reported by FireEye.
The issue has been introduced in 07/27/2005.
The vulnerability was handled as a non-public zero-day exploit for at least 3366 days.
Exploited by Hurricane Panda.
Software: Microsoft Internet Explorer
The zero-day reported by CrowdStrike was also reported by FireEye.
The issue has been introduced in 07/27/2005.
The vulnerability was handled as a non-public zero-day exploit for at least 3366 days.
Exploited by Hurricane Panda.
Links:
https://blogs.technet.microsoft.com/srd/2014/10/14/assessing-risk-for-the-october-2014-security-upda...
https://technet.microsoft.com/library/security/ms14-056
https://blog.qualys.com/laws-of-vulnerabilities/2014/10/14/october-2014-patch-tuesday
https://www.symantec.com/security_response/vulnerability.jsp?bid=70326
http://www.darkreading.com/attacks-breaches/hurricane-panda-cyberspies-used-windows-zero-day-for-mon...
https://computerobz.wordpress.com/2014/10/22/october-2014-patch-tuesday-addresses-four-active-zero-d...
Multiple vulnerabilities in OpenSSL
CVE-2014-3566
Information disclosure
The vulnerability allows a remote attacker to perform MitM attack.The vulnerability exists due to usage of insecure SSLv3 protocol in OpenSSL. A remote attacker can force the current connection between user and server to be downgraded to SSLv3 protocol and then use padding-oracle attack on Cypher-block chaining (CBC) mode to decrypt encrypted communication.
Successful exploitation of the vulnerability may allow an attacker to read encrypted communications in clear text.
Note: The vulnerability is known as POODLE.
The vulnerability was used in the attack called Poodle against Docker.
Software: OpenSSL
Links:
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://security.googleblog.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-magnified-losses-a...
https://www.appsecconsulting.com/blog/zero-day-attacks-in-2014
https://technet.microsoft.com/en-us/library/security/3009008.aspx
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc
https://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
https://www.tripwire.com/state-of-security/vulnerability-management/ssl-v3-poodle-vulnerability-reve...
https://security.googleblog.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.entrust.com/get-support/ssl-certificate-support/poodle-security-vulnerability/
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/poodle-sslv3-vulnerability-t...
Multiple vulnerabilities in Adobe Flash Player
CVE-2014-8439
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
An Adobe Flash vulnerability was discovered in October and promptly patched. The exploits in the Nuclear and Angler kits were detected by the French researcher Kafeine shortly after the company released an update on Oct.14. Despite a patch on 14, October 2014, the vulnerability was not completely mitigated. The vulnerability was patched again in November, 25.
Software: Adobe Flash Player
Known/fameous malware:
Troj/SWFExp-CD.
Exploit kits: Angler, Nuclear, and Astrum.
Links:
https://helpx.adobe.com/security/products/flash-player/apsb14-22.html
https://helpx.adobe.com/security/products/flash-player/apsb14-26.html
https://blogs.technet.microsoft.com/mmpc/2014/12/02/an-interesting-case-of-the-cve-2014-8439-exploit...
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2014-8439-vulnerability-trend-micro-s...
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2014-8439-vulnerability-trend-micro-s...
https://www.fireeye.com/blog/threat-research/2015/01/a_different_exploit.html
https://nakedsecurity.sophos.com/2014/11/28/adobe-publishes-out-of-band-flash-update-booster-dose-fo...
http://www.pcworld.com/article/2852412/adobe-tries-again-to-fix-flash-vulnerability.html
http://www.techtimes.com/articles/20976/20141126/adobe-releases-patch-to-re-fix-flash-player-vulnera...
Remote code execution in Microsoft Windows
CVE-2014-4148
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to improper input validation when processing TrueType fonts in kernel-mode driver (win32k.sys). A remote attacker can create a specially crafted font file, place it on a web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was highly exploited by advanced adversary group named HURRICANE PANDA.
Software: Windows
Links:
https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html
https://technet.microsoft.com/en-us/library/security/ms14-058.aspx
http://security.stackexchange.com/questions/92164/the-way-vulnerabilities-like-cve-2014-4148-are-dis...
https://www.scmagazine.com/zero-day-attackers-exploit-windows-kernel-patch-tuesday-brings-fix/articl...
http://www.securityweek.com/multiple-patch-tuesday-vulnerabilities-under-attack
http://www.capitalcomputercentre.com/best-way-to-remove-s3traypd-exeexp-cve-2014-4148-exp-cve-2014-4...
Remote code execution in Microsoft Windows
CVE-2014-4114
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an error when processing OLE objects. A remote attacker can create a specially crafted OLE object, attach it to a document (e.g. PowerPoint file), trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The zero-day vulnerability is being claimed to have been used in early September in possible campaigns against NATO, Ukrainian government
organizations, Western European government organization, Energy Sector firms (specifically in Poland), European telecommunications firms, United States academic organizations.
Files in the SandWorm exploit hilighted by iSIGHT Partners include a malicious executable from a known malware family, namely the BlackEnergy Trojan.
Software: Windows
Known/fameous malware:
Dyreza Trojan.
SandWorm
BlackEnergy Trojan.
Files in the SandWorm exploit hilighted by iSIGHT Partners include a malicious executable from a known malware family, namely the BlackEnergy Trojan.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-060
http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerabi...
https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-...
http://security.stackexchange.com/questions/70894/windows-ole-vulnerability-cve-2014-4114-sandworm
http://thehackernews.com/2014/10/microsoft-windows-zero-day_13.html
https://www.cyphort.com/cve-2014-4114-sandworm-worm/
https://www.symantec.com/security_response/writeup.jsp?docid=2014-102322-3150-99
https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploi...
https://threatpost.com/dyreza-banker-trojan-attackers-exploiting-cve-2014-4114-windows-flaw/109071/
Privilege escalation in Microsoft Windows
CVE-2014-4113
Privilege escalation
The vulnerability allows a local attacker to obtain elevated privileges on the target system.The weakness exists due to improper handling of objects in memory by kernel-mode driver (win32k.sys). A local attacker can run a specially crafted application to gain elevated privileges and take complete control of the system.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was apparently found and reported to Microsoft by both ╨бrowdStrike and FireEye.
The vulnerability has been actively exploited in the wild for at least five month by highly advanced adversary group named HURRICANE PANDA.
Software: Windows
Known/fameous malware:
Nuclear Exploit Kit.
The vulnerability has been actively exploited in the wild for at least five month by highly advanced adversary group named HURRICANE PANDA.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-058
https://dl.packetstormsecurity.net/papers/attack/CVE-2014-4113.pdf
https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-expl...
https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html
http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vuln...
http://securityaffairs.co/wordpress/29270/security/microsoft-fixes-3-zero-day.html
http://www.securityweek.com/multiple-patch-tuesday-vulnerabilities-under-attack
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf
Remote code execution in FreePBX
CVE-2014-7235
Code injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error in the legacy FreePBX ARI Framework module/Asterisk Recording Interface (ARI). A remote attacker can bypass the authentication process and execute arbitrary code with administrative privileges.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: FreePBX
Multiple RCE vulnerabilities in GNU Bash aka Shellshock
CVE-2014-6271
Command injection
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to incorrect parsing of environment variables. A remote attacker can execute arbitrary code on the target system as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Successful exploitation may allow an attacker to gain complete control over vulnerable system.
Exploitation example:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Note: this vulnerability was being actively exploited in the wild.
Shellshock is a variety of vulnerabilities in GNU Bash implementation caused by incomplete patches after official release of the fix and public disclosure of the vulnerability. There were 5 failed attempts in total to fix this Shellshock bugs until it was finally patched in version bash43-027, released on October 1, 2014.
Some of these vulnerabilities were exploited in the wild before the patch, which makes them zero-days. These vulnerabilities are covered under the following CVEs:
CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Giving the nature of the vulnerabilities and attack vectors we have decided to cover these vulnerabilities under one description and count them as one zero-day vulnerability.
Software: Bash
Shellshock is a variety of vulnerabilities in GNU Bash implementation caused by incomplete patches after official release of the fix and public disclosure of the vulnerability. There were 5 failed attempts in total to fix this Shellshock bugs until it was finally patched in version bash43-027, released on October 1, 2014.
Some of these vulnerabilities were exploited in the wild before the patch, which makes them zero-days. These vulnerabilities are covered under the following CVEs:
CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Giving the nature of the vulnerabilities and attack vectors we have decided to cover these vulnerabilities under one description and count them as one zero-day vulnerability.
Links:
http://lcamtuf.blogspot.cz/2014/09/quick-notes-about-bash-bug-its-impact.html
http://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introd...
http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-ho...
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/6033/bash-vulnerability-shellsh...
https://www.tripwire.com/state-of-security/off-topic/shell-shocked-bash-bug-detection-tools-cve-2014...
http://security.stackexchange.com/questions/100388/avast-performing-an-attack
http://community.ispyconnect.com/ispybb2/viewtopic.php?t=1360
https://securelist.com/blog/research/66673/bash-cve-2014-6271-vulnerability-qa-2/
http://resources.infosecinstitute.com/bash-bug-cve-2014-6271-critical-vulnerability-scaring-internet...
https://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
https://www.alienvault.com/blogs/labs-research/attackers-exploiting-shell-shock-cve-2014-6271-in-the...
Information disclosure in Microsoft Internet Explorer
CVE-2013-7331
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to information disclosure vulnerability in Microsoft XMLDOM ActiveX component. A remote attacker can create a specially crafted Web page, trick the victim into visiting it and check for the presence of local drive letters, directory names, files, as well as internal network addresses or websites.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
PoC-code for this vulnerability was available since at least April 25, 2013.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit kits: Angler, Rig, Nuclear, Styx.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-052.aspx
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70103
http://www.securityweek.com/microsoft-patches-internet-explorer-vulnerability-targeted-attackers
http://www.pcworld.com/article/2604688/internet-explorer-steals-the-patch-tuesday-spotlight-again.ht...
http://www.csoonline.com/article/2607297/data-protection/microsoft-patch-fixed-ie-flaw-used-against-...
https://securelist.com/blog/software/66474/microsoft-updates-september-2014-apt-loses-a-trick-remini...
https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-...
https://labs.bromium.com/2014/09/16/pirates-of-the-internetz-the-curse-of-the-waterhole/
https://www.scmagazine.com/watering-hole-attack-targets-website-visitors-of-oil-and-gas-start-up/art...
http://www.scmagazineuk.com/rsa-2016-fingerprinting-the-latest-twist-used-for-malvertising-attacks/a...
Privilege escalation in Microsoft Internet Explorer
CVE-2014-2817
Privelege escalation
The vulnerability allows a remote attacker to obtain elevated privileges on the target system.The weakness exists due to the failure to properly validate permissions. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, gain elevated privileges and execute arbitrary code on the affected system.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Internet Explorer
Remote code execution in Adobe Acrobat and Adobe Reader
CVE-2014-0546
Security bypass
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to improper input validation when processing .pdf files. A remote attacker can create a specially crafted file, trick the victim into opening it, bypass sandbox restrictions and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was discovered by Costin Raiu and Vitaly Kamluk of Kaspersky Labs.
Exploited by Animal Farm group.
Software: Adobe Reader
Exploited by Animal Farm group.
Links:
https://helpx.adobe.com/security/products/reader/apsb14-19.html
https://www.symantec.com/security_response/vulnerability.jsp?bid=69193
https://www.symantec.com/security_response/writeup.jsp?docid=2014-082218-1438-99
http://securityaffairs.co/wordpress/27535/cyber-crime/cve-2014-0546-adobe-flaw.html
http://zerosecurity.org/2014/08/cve-2014-0546-found-utilized-small-targeted-attacks
http://www.securityweek.com/adobe-patches-security-flaw-leveraged-targeted-attacks
https://heatsoftware.com/blog/9286/urgent-adobe-users-told-to-patch-reader-and-acrobat-against-zero-...
http://www.burningflameinteractive.com/aj-burning-flame-blog/adobe-patches-zero-day-vulnerability
Security bypass in Microsoft Office
CVE-2014-1809
Security bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to improper implementation of Address Space Layout Randomization (ASLR) features in MSCOMCTL. By persuading a victim to visit a specially-crafted Web site or open an application or Office document with a specially-crafted ActiveX control embedded within it, an attacker could exploit this vulnerability to bypass ASLR and execute another attack that otherwise would have been blocked by ASLR.
Successful exploitation of the vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
The issue has been introduced in 01/30/2007.
Software: Microsoft Office
Privilege escalation in Microsoft Windows
CVE-2014-1812
Privilege escalation
The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.The weakness exists due to the method passwords are distributed when configured using group policy preference. A remote authenticated attacker can obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms14-025
https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-20...
https://www.tripwire.com/state-of-security/vulnerability-management/vert-alert-may-2014-microsoft-pa...
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000604.aspx
Two remote code execution vulnerabilities in Microsoft Internet Explorer
CVE-2014-1815
тАЬUse-after-freeтАЭ error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
CVE-2014-1815 was reported to Microsoft by Clement Lecigne, a security engineer who works for Google in its Swiss office.
The vulnerability was used in the phishing campaign started on or about July 21, 2014 and primarily targeting the energy industry.
Software: Microsoft Internet Explorer
The vulnerability was used in the phishing campaign started on or about July 21, 2014 and primarily targeting the energy industry.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-029
https://www.symantec.com/security_response/writeup.jsp?docid=2014-051503-4437-99
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=721
http://researchcenter.paloaltonetworks.com/2014/07/beginning-end-use-free-exploitation/
http://blog.trendmicro.com/trendlabs-security-intelligence/may-2014-patch-tuesday-rolls-out-8-bullet...
http://www.securityweek.com/microsoft-adobe-patch-critical-security-vulnerabilities
Privilege escalation in Microsoft Windows
CVE-2014-1807
Privilege escalation
The vulnerability allows a local attacker to obtain elevated privileges on the target system.The weakness exists due to improper use of the ShellExecute API function. A local attacker can run a specially crafted application within the context of the Local System account and gain elevated privileges.
Successful exploitation of the vulnerability results in privilege escalation on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Remote code execution in Adobe Flash Player
CVE-2014-0515
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow, caused by improper bounds checking by the pixel bender component. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
A sample of the first exploit was detected on April 14, while a sample of the second came on April 16. The first exploit was initially recorded by KSN on April 9, when it was detected by a generic heuristic signature.
The disclosed vulnerability was actively exploited and relates to attack via the website of Syrian Ministry of Justice in September, 2013.
Software: Adobe Flash Player
Known/fameous malware:
Exploit:SWF/CVE-2014-0515
The disclosed vulnerability was actively exploited and relates to attack via the website of Syrian Ministry of Justice in September, 2013.
Links:
https://helpx.adobe.com/security/products/flash-player/apsb14-13.html
https://securelist.com/blog/incidents/59399/new-flash-player-0-day-cve-2014-0515-used-in-watering-ho...
http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2014-0515-the-recent-flash-...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27555
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27552
https://www.zscaler.com/blogs/research/nuclear-exploit-kit-and-flash-cve-2014-0515
http://54.204.81.18/news/stories/39397-blog-new-flash-player-0-day-cve-2014-0515-used-in-watering-ho...
http://www.securityweek.com/adobe-patches-flash-player-zero-day-used-watering-hole-attacks
https://krebsonsecurity.com/2014/04/adobe-update-nixes-flash-player-zero-day/#more-25786
Remote code execution in Microsoft Internet Explorer
CVE-2014-1776
тАЬUse-after-freeтАЭ error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability uses a heap-spray technique. Used in Pawn Storm campaign.
Used by APT groups.
Software: Microsoft Internet Explorer
Used by APT groups.
Links:
https://technet.microsoft.com/en-US/library/security/2963983
https://technet.microsoft.com/en-us/library/security/ms14-021.aspx
https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explore...
https://blog.fortinet.com/2014/05/27/a-technical-analysis-of-cve-2014-1776
https://www.symantec.com/connect/blogs/emerging-threat-microsoft-internet-explorer-zero-day-cve-2014...
https://support.norton.com/sp/en/us/home/current/solutions/v98738922_EndUserProfile_en_us
https://www.trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Internet-Explorer-0-Day-(CVE-2014-1776...
https://www.cyphort.com/dig-deeper-ie-vulnerability-cve-2014-1776-exploit/
http://researchcenter.paloaltonetworks.com/2014/05/tale-3-vulnerabilities-cve-2014-1776-exploit-link...
http://blog.trendmicro.com/trendlabs-security-intelligence/internet-explorer-zero-day-hits-all-versi...
https://www.beyondtrust.com/blog/internet-explorer-0day-cve-2014-1776/
http://thehackernews.com/2014/04/new-zero-day-vulnerability-cve-2014.html
https://krebsonsecurity.com/tag/cve-2014-1776/
Multiple vulnerabilities in Microsoft Word and Office Web Apps
CVE-2014-1761
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling RTF-formatted data. A remote attacker can create a specially crafted RTF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Used in Pawn Storm campaign, attacks against government agencies in Taiwan.
Software: Microsoft Office
Known/fameous malware:
Trojans like Dridex or Dyreza and ransomware like cryptolocker or Teslacrypt.
Links:
https://technet.microsoft.com/en-us/library/security/2953095.aspx
https://technet.microsoft.com/en-us/library/security/ms14-017
https://securingtomorrow.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-s...
https://community.hpe.com/t5/Security-Research/Technical-Analysis-of-CVE-2014-1761-RTF-Vulnerability...
https://www.trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Word-RTF-0-Day-(CVE-2014-1761)/
http://stopmalvertising.com/malware-reports/a-closer-look-at-cve-2014-1761.html
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/june/extracting-the-payload-fr...
https://blog.cylance.com/infinity-vs-the-real-world-ms-word-vulnerability-cve-2014-1761
https://myonlinesecurity.co.uk/reswift-copy-word-doc-malware-cve-2014-1761-exploit/
https://www.symantec.com/connect/blogs/emerging-threat-microsoft-word-zero-day-cve-2014-1761-remote-...
https://avstrike.wordpress.com/2015/05/05/exploit-cve-2014-1761-gen-removal-guide-2/
http://www.securityweek.com/new-microsoft-word-zero-day-used-targeted-attacks
https://blog.yoocare.com/remove-exploit-cve-2014-1761-gen/
https://www.crowdstrike.com/blog/cve-2014-1761-alley-compromise/
http://arstechnica.com/security/2014/03/zero-day-vulnerability-in-microsoft-word-under-active-attack...
Remote code execution in Microsoft Internet Explorer
CVE-2014-0324
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
On Feb. 11, FireEye researchers identified a zero-day exploit in Internet Explorer 10.
The exploit was being used in Operation SnowMan that compromised the U.S. Veterans of Foreign Wars website.
Software: Microsoft Internet Explorer
Known/fameous malware:
Elderwood exploit kit.
The exploit was being used in Operation SnowMan that compromised the U.S. Veterans of Foreign Wars website.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-012.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=66040
http://researchcenter.paloaltonetworks.com/2014/07/beginning-end-use-free-exploitation/
http://www.computerworld.com/article/2489451/malware-vulnerabilities/-elderwood--hackers-still-setti...
http://www.darkreading.com/researchers-recent-zero-day-attacks-linked-via-common-exploit-package/d/d...
https://ae.norton.com/security_response/print_writeup.jsp?docid=2014-031311-2821-99
https://hackermedicine.com/how-the-elderwood-platform-is-fueling-2014s-zero-day-attacks/
http://104.239.158.70/elderwood-attack-platform-linked-multiple-internet-explorer-zero-day-attacks-s...
http://www.cio.com/article/2376236/security0/-elderwood--hackers-continue-to-set-pace-for-zero-day-e...
https://www.symantec.com/connect/blogs/attackers-targeting-other-ie-zero-day-vulnerability-covered-m...
https://www.symantec.com/connect/blogs/operation-backdoor-cut-targeted-basketball-community-ie-zero-...
Remote code execution in Microsoft Internet Explorer
CVE-2014-0307
тАЬUse-after-freeтАЭ error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free when accessing an object in memory. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The flaw was most likely introduced in August 2013. The vulnerability was reported to vendor - 2014-02-04.
Private fully functional exploit code existed long before the vendor released security patch. We consider this vulnerability a zero-day.
Software: Microsoft Internet Explorer
Known/fameous malware:
JS/Exploit.CVE-2014-0307.
Private fully functional exploit code existed long before the vendor released security patch. We consider this vulnerability a zero-day.
Links:
https://technet.microsoft.com/library/security/ms14-012
https://www.symantec.com/security_response/vulnerability.jsp?bid=66032
http://ec2-75-101-158-109.compute-1.amazonaws.com/news/stories/33351-microsoft-internet-explorer-mem...
http://www.csoonline.com/article/2888040/cyber-attacks-espionage/the-top-software-exploit-of-2014-th...
http://www.techcentral.ie/top-exploit-2014-stuxnet-2010/
https://github.com/CCrashBandicot/helpful/blob/master/CVE-2014-0307.rb
Multiple vulnerabilities in Adobe Flash Player
CVE-2014-0502
Double free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to double free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Wen Guanxing of Venustech, The Google Security Team and FireEye were working at the vulnerability.
FireEye dubbed the attack exploiting the vulnerability "Operation GreedyWonk".
The vulnerability was exploited to compromise sites of:
- Peterson Institute for International
- Economics American Research Center in Egypt
- Smith Richardson Foundation
Software: Adobe Flash Player
Known/fameous malware:
Elderwood exploit kit.
FireEye dubbed the attack exploiting the vulnerability "Operation GreedyWonk".
The vulnerability was exploited to compromise sites of:
- Peterson Institute for International
- Economics American Research Center in Egypt
- Smith Richardson Foundation
Links:
https://helpx.adobe.com/security/products/flash-player/apsb14-07.html
https://www.alienvault.com/blogs/labs-research/analysis-of-an-attack-exploiting-the-adobe-zero-day-c...
https://www.trustwave.com/Resources/SpiderLabs-Blog/Deep-Analysis-of-CVE-2014-0502-%E2%80%93-A-Doubl...
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=655
https://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html
https://blog.threattrack.com/adobe-exploit-cve-2014-0502/
http://www.benhayak.com/2014/05/deep-analysis-of-cve-2014-0502-double.html
http://www.welivesecurity.com/2014/10/31/two-recently-patched-adobe-flash-vulnerabilities-now-used-e...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27443
http://www.theregister.co.uk/2014/02/20/flash_adobe_posts_emergency_fix/
https://nakedsecurity.sophos.com/2014/02/21/adobe-pushes-out-critical-flash-update-second-zero-day-h...
http://dailyleet.com/how-the-elderwood-platform-is-fueling-2014s-zero-day-attacks/
https://www.scmagazineuk.com/chinese-spies-launch-new-adobe-zero-day-attack/article/541288/
http://arstechnica.com/security/2014/02/adobe-releases-emergency-flash-update-amid-new-zero-day-driv...
Remote code execution in Microsoft Internet Explorer
CVE-2014-0322
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error related to GIFAS. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
A zero-day exploit hosted on a breached website based in the U.S Military. The vulnerability was used in the wild as part of "Operation SnowMan".
Software: Microsoft Internet Explorer
Known/fameous malware:
Trojan.Malscript
Trojan.Swifi.
Backdoor.Moudoor
Elderwood exploit kit.
Links:
https://technet.microsoft.com/library/security/2934088
https://www.fireeye.com/blog/threat-research/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2...
http://securityaffairs.co/wordpress/25002/hacking/elderwood-platform-still-active.html
https://technet.microsoft.com/en-us/library/security/ms14-012.aspx
https://www.symantec.com/connect/blogs/emerging-threat-ms-ie-10-zero-day-cve-2014-0322-use-after-fre...
https://labs.bromium.com/2014/02/25/dissecting-the-newest-ie10-0-day-exploit-cve-2014-0322/
http://thehackernews.com/2014/02/cve-2014-0322-internet-explorer-zero.html
https://blogs.forcepoint.com/security-labs/cyber-criminals-expand-use-cve-2014-0322-patch-tuesday
http://securityaffairs.co/wordpress/22224/cyber-crime/fireeye-watering-hole-attack.html
http://www.zdnet.com/article/new-internet-explorer-10-zero-day-exploit-targets-u-s-military/
http://www.eweek.com/blogs/security-watch/microsoft-ie-zero-day-exploited-in-the-wild.html
http://54.204.81.18/news/stories/269204-cyber-criminals-expand-use-of-cve-2014-0322-before-patch-tue...
Multiple vulnerabilities in TYPO3
CVE-2014-6293
SQL Injection
The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable website and execute arbitrary SQL commands in web application database.
Successful exploitation may allow an attacker to gain unauthorized access to the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: TYPO3
Known/fameous malware:
Multiple vulnerabilities in Microsoft .NET Framework
CVE-2014-0295
ASLR bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to missing Address Space Layout Randomization (ASLR) features in certain components. A remote attacker can create a specially crafted Web site, trick the victim into opening it, bypass security restrictions and execute another attack.
Successful exploitation of the vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft .NET Framework
Information disclosure in Microsoft XML Core Services
CVE-2014-0266
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to improper enforcement of cross-domain policies. A remote attacker can create a specially crafted Web page, trick the victim into visiting it using Internet Explorer, bypass cross-domain security restrictions and read local files or content from web domains the victim is authenticated with.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
Microsoft and FireEye first discussed this issue in November, 2013.
Software: Microsoft XML Core Services
Denial of service in Apache Struts
CVE-2014-0050
Infinite loop
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to boundary error when handling Content-Type HTTP header for multipart requests. By sending a specially crafted Content-Type header, containing 4092 characters in "boundary" field, a remote attacker can cause the application to enter into an infinite loop.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
On April 24, 2014, the Apache Software Foundation (ASF) released an advisory warning that a patch issued in March, 2 for a zero-day vulnerability in Apache Struts up to version 2.3.16.1, did not fully patch the vulnerabilities (CVE-2014-0094 or CVE-2014-0050).
Software: Apache Struts
Links:
http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E
https://www.symantec.com/connect/blogs/emerging-threat-apache-struts-zero-day-cve-2014-0050-0094-dos...
https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-wi...
http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000017.html
https://www.symantec.com/connect/blogs/emerging-threat-apache-struts-zero-day-cve-2014-0050-0094-dos-and-remote-code-execution-vulner
http://www.ehackingnews.com/2014/02/cve-2014-0050-apache-tomcat-vulnerable.html
http://telussecuritylabs.com/threats/show/TSL20140206-02
http://www.javaworld.com/article/2097428/enterprise-java/denial-of-service-vulnerability-puts-apache...
Remote code execution in Adobe Flash Player
CVE-2014-0497
Integer underflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to integer underflow when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited by DarkHotel APT.
The vulnerability survived for 84 days after update in November 2013.
Software: Adobe Flash Player
The vulnerability survived for 84 days after update in November 2013.
Links:
https://helpx.adobe.com/security/products/flash-player/apsb14-04.html
https://securingtomorrow.mcafee.com/mcafee-labs/flash-zero-day-vulnerability-cve-2014-0497-lasts-84-...
https://blogs.technet.microsoft.com/mmpc/2014/02/17/a-journey-to-cve-2014-0497-exploit/
https://www.fireeye.com/blog/threat-research/2015/03/flash_in_2015.html
http://securityaffairs.co/wordpress/21937/cyber-crime/adobe-flash-player-fixed.html
https://business.kaspersky.com/darkhotel-hackingteam/4357/
Remote code execution in JustSystems Sanshiro
CVE-2014-0810
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to a boundary error when processing office documents. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Sanshiro
Remote code execution in GE Proficy CIMPLICITY HMI
CVE-2014-0751
Improper access control
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to improper access control and incorrect validation of the szScreen field when processing file uploads within the CimWebServer component. A remote unauthenticated attacker can upload and execute arbitrary file on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability has been exploited in targeted attacks.
According to ICS-CERT, the vulnerability has been exploited in the wild since at least since January 2012. The vulnerability has been exploited in Sandworm campaign.
Software: CIMPLICITY
Known/fameous malware:
BlackEnergy
Links:
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B
https://ics-cert.us-cert.gov/advisories/ICSA-14-023-01
https://ge-ip.force.com/communities/servlet/fileField?retURL=%2Fcommunities%2Fapex%2FKnowledgeDetail...
https://ge-ip.force.com/communities/servlet/fileField?retURL=%2Fcommunities%2Fapex%2FKnowledgeDetail...
http://www.zerodayinitiative.com/advisories/ZDI-14-016/
SQL Injection in OpenX Source Revive Adserver
CVE-2013-7149
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to the XML-RPC script using the "what" parameter and view, add, modify or delete information in the back-end database.
Successful exploitation may allow an attacker to gain unauthorized access to the vulnerable system.
Note: this vulnerability was being actively exploited.
The vulnerability was discovered and reported to Revive Adserver team by Florian Sander.
The vulnerability is considered to be connected with attacks on web site centralpark[.]com and high-traffic site clipconverter[.]cc
Software: Revive Adserver
The vulnerability is considered to be connected with attacks on web site centralpark[.]com and high-traffic site clipconverter[.]cc
Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2013-5331
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to type confusion error. A remote attacker can create a specially crafted Web site or . swf file, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by Adobe as being exploited in the wild. The attackers used Microsoft Word documents with embedded malicious Flash (.swf) content.
Software: Adobe Flash Player
Known/fameous malware:
Troj/SWFExp-CH (Sophos)
Trojan horse Exploit_c.YZX (AVG)
Exploit.Win32.CVE-2013 (Ikarus)
HEUR:Exploit.SWF.CVE-2013-5331.a (Kaspersky)
Exploit:Win32/CVE-2013-5331 (Microsoft)
SWF/Exploit.CVE-2013-5331.A trojan (Eset)
Trojan.Mdropper (Symantec)
Links:
https://helpx.adobe.com/security/products/flash-player/apsb13-28.html
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27558
http://eromang.zataz.com/2015/12/24/cve-2013-5331-adobe-flash-player-type-confusion-remote-code-exec...
http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html
http://eromang.zataz.com/2015/12/24/cve-2013-5331-adobe-flash-player-type-confusion-remote-code-exec...
http://freerepairwindowserrors.com/spytips/Guide-to-Remove-SWFExploit.CVE-2013-5331.A_16_203811.html
ASLR bypass in Microsoft Office
CVE-2013-5057
ASLR bypass
The vulnerability allows a remote attacker to bypass certain security restrictions.The weakness exists due to improper implementation of Address Space Layout Randomization (ASLR) within HXDS Office shared component. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and bypass the ASLR security feature.
Successful exploitation of the vulnerability may result in attacker's access to the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Office
Signature validation bypass in Microsoft Windows
CVE-2013-3900
Sugnature verification bypass
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to improper validation of PE file digests during Authenticode signature verification within WinVerifyTrust function. A remote attacker can create specially crafted signed PE file, trick the victim into executing it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Links:
https://blogs.technet.microsoft.com/srd/2013/12/10/ms13-098-update-to-enhance-the-security-of-authen...
https://technet.microsoft.com/en-us/library/security/ms13-098.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=64079
http://blog.talosintel.com/2013/12/microsoft-update-tuesday-december-2013.html
http://blog.trendmicro.com/trendlabs-security-intelligence/december-patch-tuesday-addresses-tiff-vul...
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
https://www.corero.com/resources/files/security_advisories/advisory_CNS_IPS_Microsoft_nVerifyTrust_C...
https://www.symantec.com/connect/blogs/microsoft-patch-tuesday-december-2013
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000559.aspx
Information disclosure in Microsoft Office
CVE-2013-5054
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to an error in handling of a specially crafted response when opening a malicious Office file. A remote attacker can create a specially crafted file using, host it on remote website, trick the victim into opening it and gain access to tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was discovered by the Adallom company and the attack was dubbed "Ice Dagger". The attackers used the vulnerability to steal Microsoft Office 365 authentication token. The victim of the unnamed company received an email with a link to attachment, located on a hidden server within TOR network. The vulnerability was reported to Microsoft in late May 2013.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms13-104.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=64092
http://blog.talosintel.com/2013/12/microsoft-update-tuesday-december-2013.html
https://www.scmagazine.com/patch-tuesday-update-addresses-24-bugs-including-exploited-tiff-zero-day/...
http://news.softpedia.com/news/Newly-Patched-Office-365-Vulnerability-Used-in-Ice-Dagger-Targeted-At...
http://it.toolbox.com/blogs/securitymonkey/flaw-in-microsoft-office-365-allows-perfect-crime-58421
Privilege escalation in Microsoft Windows
CVE-2013-5065
Privilege escalation
The vulnerability allows a local attacker to obtain elevated privileges on the target system.The weakness exists due to improper validation of input by the NDProxy.sys kernel component. A local attacker with valid login credentials can use a malicious application to gain kernel privileges and execute arbitrary code on the system.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the Reader sandbox.
Kaspersky Lab revealed the vulnerability was used in Epic Turla (cyber-espionage campaigns).
Software: Windows
Known/fameous malware:
PDF:Exploit.CVE-2013-5065.A
Gen:Trojan.Heur.FU.ku3@aSHWAmji
Kaspersky Lab revealed the vulnerability was used in Epic Turla (cyber-espionage campaigns).
Links:
https://www.fireeye.com/blog/threat-research/2013/12/cve-2013-33465065-technical-analysis.html
https://www.fireeye.com/blog/threat-research/2013/11/ms-windows-local-privilege-escalation-zero-day-...
https://technet.microsoft.com/en-us/library/security/2914486.aspx
https://blogs.technet.microsoft.com/msrc/2013/11/27/microsoft-releases-security-advisory-2914486/
https://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Kernel-is-calling-a-zero(day)-pointer-%E2%80...
https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
http://securityaffairs.co/wordpress/20092/hacking/windows-xp-zero-day.html
https://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerabilit...
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attac...
https://www.scmagazine.com/windows-xp-zero-day-under-active-attack/article/543166/
https://www.fireeye.jp/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-zero-day-attacks-in...
https://securingtomorrow.mcafee.com/mcafee-labs/product-coverage-and-mitigation-for-cve-2013-5065/
Remote code execution in Microsoft Windows
CVE-2013-3918
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to out-of-bounds memory access within InformationCardSigninHelper Class ActiveX control (icardie.dll). A remote attacker can create specially crafted Web page that passes an overly long string argument to vulnerable ActiveX component, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerabilty was introduced on 07.27.2005, but publically disclosed later by Xiaobo Chen and Dan Caselden of FireEye.
The vulnerability has been exploited by the APTgroup behind the 2009 Aurora attack. The exploit uses a technique ROP (return-oriented-programming). According to FireEye, the attack has a link to the infrastructure used in Operation DeputyDog and Operation Ephemeral Hydra, which began in August and targeted organizations in Japan.
Software: InformationCardSigninHelper Class ActiveX control
The vulnerability has been exploited by the APTgroup behind the 2009 Aurora attack. The exploit uses a technique ROP (return-oriented-programming). According to FireEye, the attack has a link to the infrastructure used in Operation DeputyDog and Operation Ephemeral Hydra, which began in August and targeted organizations in Japan.
Links:
https://technet.microsoft.com/en-us/library/security/ms13-090.aspx
https://www.fireeye.com/blog/threat-research/2013/11/new-ie-zero-day-found-in-watering-hole-attack.h...
https://blogs.technet.microsoft.com/msrc/2013/11/11/activex-control-issue-being-addressed-in-update-...
https://blogs.technet.microsoft.com/srd/2013/11/12/technical-details-of-the-targeted-attack-using-ie...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27146
http://eromang.zataz.com/2015/12/23/cve-2013-3918-cardspaceclaimcollection-activex-integer-underflow...
http://www.darkreading.com/new-ie-vulnerability-found-in-the-wild-sophisticated-web-exploit-follows/...?
http://www.securityweek.com/microsoft-patches-vulnerability-attackers-used-target-ie-users
https://blog.threattrack.com/a-look-inside-a-cve-2013-3918-exploit/
https://www.fireeye.jp/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-zero-day-attacks-in...
http://www.zdnet.com/article/ie-zero-day-used-by-cyber-arms-dealers-and-chinese-hackers/
https://support.ixiacom.com/about-us/news-events/corporate-blog/completing-deputydog-apt
http://www.darkreading.com/vulnerabilities---threats/fireeye-releases-2013-lab-performance-stats/d/d...
Remote code execution in Microsoft Graphics Component
CVE-2013-3906
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling malicious images. A remote attacker can create specially crafted TIFF image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The meta date of the files were set to October 17, 2013, which may suggest a creation time of this exploit.
Attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan. The attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia.
Software: Microsoft Office
Attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan. The attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia.
Links:
https://technet.microsoft.com/en-us/library/security/2896666.aspx
https://technet.microsoft.com/en-us/library/security/ms13-096
https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-micro...
https://securingtomorrow.mcafee.com/business/security-connected/updates-and-mitigation-to-cve-2013-3...
https://blogs.technet.microsoft.com/srd/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-...
https://www.fireeye.com/blog/threat-research/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both...
https://www.crowdstrike.com/blog/analysis-cve-2013-3906-exploit/
http://www.primalsecurity.net/analysis-of-malicious-document-using-cve-2013-3906/
http://blog.trendmicro.com/trendlabs-security-intelligence/how-to-avoid-the-latest-microsoft-office-...
http://securityaffairs.co/wordpress/19460/hacking/microsoft-cve-2013-3906-zero-day.html
https://www.symantec.com/connect/forums/if-sep-daily-definition-covers-exploit-cve-2013-3906
Privilege escalation in Google Android
CVE-2013-6282
Privilege escalation
The vulnerability allows a local attacker to obtain elevated privileges on the target system.The weakness exists due to an error in the put_user/get_user kernel API. A local attacker can use a malicious application to read and write kernel memory and gain kernel privileges on the system.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was exploited against Android devices in October and November 2013. The vulnerability is originally in SE Linux kernel.
Software: Google Android
Known/fameous malware:
Gooligan.
Links:
https://www.codeaurora.org/projects/security-advisories/missing-access-checks-putusergetuser-kernel-...
http://www.openwall.com/lists/oss-security/2013/11/14/11
http://www.helix-os.com/the-huge-disappointment-of-se-android/
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/arm/include/asm/uaccess....
https://arstechnica.com/security/2016/11/1-million-android-accounts-compromised-by-android-malware-c...
Backdoor in D-Link routers
CVE-2013-6026
Security bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to an error in the alpha_auth_check() function. By setting the user agent string to xmlset_roodkcableoj28840ybtide, an attacker can send an HTTP request to bypass authentication and obtain administrative access to the device.
Successful exploitation of the vulnerability results in full access to the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Dir-100
Links:
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
https://packetstormsecurity.com/files/123848/D-Link-Backdoor-Czechr.html
http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.103810
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27130
https://krebsonsecurity.com/2013/12/important-security-update-for-d-link-routers/
Remote code execution in Microsoft Internet Explorer
CVE-2013-3897
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to user-after-free vulnerability in the CDisplayPointer object. A remote attacker can create a specially crafted Web page containing, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Used in Pawn Storm campaign.
A zero-day was used in highly targeted, low-volume attacks in Korea,
Hong Kong, and the United States, as early as September 18th, 2013.
Software: Microsoft Internet Explorer
A zero-day was used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013.
Links:
https://technet.microsoft.com/en-us/library/security/ms13-080.aspx
https://blogs.technet.microsoft.com/srd/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limi... https://technet.microsoft.com/library/security/ms13-080 http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-pawn-storm-fast-facts
https://blogs.forcepoint.com/security-labs/zero-day-attack-internet-explorer-cve-2013-3897-goes-high...
http://blog.talosintel.com/2013/10/ie-zero-day-cve-2013-3897-youve-been.html
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=607
https://www.symantec.com/security_response/vulnerability.jsp?bid=62811
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27102
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-3897-analysis-of-yet-another-i...
http://eromang.zataz.com/2015/12/23/cve-2013-3897-microsoft-internet-explorer-cdisplaypointer-use-af...
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/MS13_080_CDISPLAYPOINTER
https://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-targeted-attacks-against-korea...
http://www.benhayak.com/2013_11_01_archive.html
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Technical-Aspects-of-Exploiting-IE-Zero-Day-...
https://krebsonsecurity.com/2013/10/adobe-microsoft-push-critical-security-fixes-3/#more-23010
Remote code execution in Microsoft Internet Explorer
CVE-2013-3893
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in SetMouseCapture implementation. A remote attacker can create specially crafted JavaScript, place it on a Web page, trick the victim into visiting it using Internet Explorer, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability used ROP-chain technique and was exploited in Campaign Operation DeputyDog.
The vulnerability was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well.
Software: Microsoft Internet Explorer
The vulnerability was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well.
Links:
https://technet.microsoft.com/en-us/library/security/2887505
https://technet.microsoft.com/en-us/library/security/ms13-080
https://blogs.technet.microsoft.com/srd/2013/09/17/cve-2013-3893-fix-it-workaround-available/
https://blogs.technet.microsoft.com/srd/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limi...
https://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/
https://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-...
https://www.f-secure.com/en/web/labs_global/cve-2013-3893
https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-...
https://www.symantec.com/security_response/vulnerability.jsp?bid=62453
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70073
http://eromang.zataz.com/2015/12/22/cve-2013-3893-microsoft-internet-explorer-setmousecapture-uaf/
https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-part-2-zero-day-exploit-ana...
https://sgros-students.blogspot.com/2014/01/exploiting-and-analysing-cve-2013-3893.html
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/product-coverage-and-mitigation...
https://securityintelligence.com/trusteers-exploit-prevention-stops-attacks-targeting-new-ie-zero-da...
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-3893-analysis-of-the-new-ie-0-...
http://tipstrickshack.blogspot.com/2013/10/exploit-for-all-ie-versioncve-2013-3893.html
Security bypass in vBulletin
CVE-2013-6129
Security bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to an error in the upgrade.php script. By using the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, a remote attacker can create administrative accounts.
Successful exploitation of the vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: vBulletin
Known/fameous malware:
PHP/Exploit.CVE-2013-6129.A virus.
Security bypass in Google Android
CVE-2013-7372
Security bypass
The vulnerability allows a renote attacker to bypass security restriction on the target system.The weakness is due to the use of an incorrect offset value by the engineNextBytes function in Apache Harmony, as used in the Java Cryptography Architecture (JCA) in Android . A remote attacker can leverage the resulting PRNG predictability, defeat cryptographic protection mechanisms and launch further attacks on the system.
Successful exploitation of the vulnerablity results in security bypass on the vulnerable system.
The vulnerability in Android's component Apache Harmony led to multiple compromises of a bitcoin transactions.
Software: Google Android
PHP code execution in OpenX Revive Adserver
CVE-2013-4211
Arbitrary PHP code execution
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.The weakness exists due to compromise of the source code package. A remote attacker can create a specially crafted request with a rot13'd and reversed payload and send it to the target system to execute arbitrary PHP code.
Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability has been exploited from November 2012 till August 2013.
Software: Revive Adserver
Denial of service in ISC BIND
CVE-2013-4854
Denial of service
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to an error in the RFC 5011 implementation in rdata.c when parsing RDATA within a DNS query. By using a query with a malformed RDATA section that is not properly handled during construction of a log message, a remote attacker can cause an assertion failure and named daemon exit.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
We are aware of in the wild exploitation of this vulnerability before official patch release.
This vulnerability was discovered by Maxim Shudrak.
Software: ISC BIND
This vulnerability was discovered by Maxim Shudrak.
Arbitrary file upload in Joomla!
CVE-2013-5576
Arbitrary file upload
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.The weakness exists due to improper validation of file extensions by the media.php and index.php scripts. A remote attacker can create a specially crafted HTTP request, upload a malicious PHP script and execute arbitrary PHP code.
Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The weakness was disclosed 08/01/2013 by Jens Hinrichsen.
Software: Joomla!
Links:
https://developer.joomla.org/security/563-20130801-core-unauthorised-uploads.html
http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_...
http://www.kb.cert.org/vuls/id/639620
http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/
https://blog.sucuri.net/2013/08/joomla-media-manager-attacks-in-the-wild.html
http://holisticinfosec.blogspot.com/2013/10/joomla-vulnerabilities-responsible.htm
Remote code execution in Microsoft Internet Explorer
CVE-2013-3163
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in CBlockContainerBlock. A remote attacker can create specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability reffers to "Waterring hole attack".
Software: Microsoft Internet Explorer
Links:
https://h41382.www4.hpe.com/gfs-shared/downloads-226.pdf
https://technet.microsoft.com/en-us/library/security/ms13-055.aspx
https://www.fireeye.com/blog/threat-research/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-explo...
https://www.symantec.com/security_response/vulnerability.jsp?bid=60975
http://www.zdnet.com/article/microsoft-admits-internet-explorer-flaw-targeted-by-hackers/
https://securingtomorrow.mcafee.com/mcafee-labs/new-zero-day-attack-copies-earlier-flash-exploitatio...
http://www.computerworld.com/article/2483926/microsoft-windows/targeted-attacks-exploit-now-patched-...
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-3163-internet-explorer-vulnera...
https://blogs.technet.microsoft.com/srd/2013/07/10/running-in-the-wild-not-for-so-long/
Remote code execution in JustSystems Ichitaro
CVE-2013-3644
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when processing office documents. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code on the vulnerable system.
Note: the vulnerability was being actively exploited.
Symantec has seen the exploitation being used in targeted attacks since May, but it has been limited to users in Japan and the volume of attacks has been minimal.
Software: Ichitaro
Known/fameous malware:
Trojan.Tarodrop.M.
Links:
http://www.justsystems.com/jp/info/js13002.html
http://jvn.jp/en/jp/JVN98712361/index.html
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000058.html
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061907-5714-99
https://www.symantec.com/connect/blogs/targeted-attack-exploits-ichitaro-vulnerability-0
https://www.symantec.com/connect/nl/blogs/targeted-attack-exploits-ichitaro-vulnerability?page=1
Remote code execution in Oracle Java SE
CVE-2013-2465
Array indexing error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an array indexing error in the storeImageArray() function in awt.dll. A remote attacker can execute arbitrary code with privileges of the current user or targeted application process.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The exploit was released by security research group Packet Storm Security.
Software: Oracle Java SE
Known/fameous malware:
Styx exploit kit, previously known as Kein
Fiesta EK
Links:
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26978
https://www.zscaler.com/blogs/research/exploring-java-vulnerability-cve-2013-2465-used-fiesta-ek
http://infosecdailydigest.com/2013/08/24/metasploit-module-demo-for-cve-2013-2465-java-storeimagearr...
https://sgros-students.blogspot.com/2014/01/java-cve-2013-2465-vulnerability-and.html
http://www.pcworld.com/article/2046821/cybercriminals-add-new-exploit-for-recently-patched-java-vuln...
Denial of service in ntp.org ntp
CVE-2013-5211
Denial of service
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to an error in the monlist feature in ntp_request.c. By sending a specially crafted REQ_MON_GETLIST or REQ_MON_GETLIST_1 request, a remote attacker can consume available CPU resources and cause the server to crash.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
This vulnerability was the cause of a record-sized NTP reflection attack in late 2013 and early 2014. We consider this a zero-day vulnerability as it was exploited in the wild before the official patch release.
Software: ntp
Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
http://www.vmware.com/security/advisories/VMSA-2014-0002.html
https://packetstormsecurity.com/files/125774
http://www.kb.cert.org/vuls/id/348126
https://www.us-cert.gov/ncas/alerts/TA13-088A
http://christian-rossow.de/articles/Amplification_DDoS.php
https://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-refle...
http://www.kb.cert.org/vuls/id/348126
http://christian-rossow.de/articles/Amplification_DDoS.php
http://bugs.ntp.org/show_bug.cgi?id=1532
Remote code execution in Microsoft Office
CVE-2013-1331
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when processing malicious PNG files. A remote attacker can create specially crafted file, trick the victim into opening it using an affected version of Microsoft Office, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by Andrew Lyons and Neel Mehta of Google Inc.
Using the samples provided by Microsoft, Romang scoured GoogleтАЩs cache and found the earliest document that attempted to fetch the exploit dated from February, 2013. The document referenced territory disputes between China and the Philippines.
However, Romang uncovered another Word document created in 2009 that, according to GoogleтАЩs Virus Total service, would also exploit the flaw Microsoft patched. The fileтАЩs title тАЬThe corruption of MahathirтАЭ referred to a Malaysian politician, fitting MicrosoftтАЩs list of possible targets. Both documents to a Bridging Links URL.
The vulnerability might have been spotted in the wild, with campaigns starting as early as 2009. Microsoft believe attacks were limited to Indonesia and Malaysia.
Software: Microsoft Office
Known/fameous malware:
Trojan.Mdropper.
Using the samples provided by Microsoft, Romang scoured GoogleтАЩs cache and found the earliest document that attempted to fetch the exploit dated from February, 2013. The document referenced territory disputes between China and the Philippines.
However, Romang uncovered another Word document created in 2009 that, according to GoogleтАЩs Virus Total service, would also exploit the flaw Microsoft patched. The fileтАЩs title тАЬThe corruption of MahathirтАЭ referred to a Malaysian politician, fitting MicrosoftтАЩs list of possible targets. Both documents to a Bridging Links URL.
The vulnerability might have been spotted in the wild, with campaigns starting as early as 2009. Microsoft believe attacks were limited to Indonesia and Malaysia.
Links:
https://technet.microsoft.com/en-us/library/security/ms13-051.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=60408
https://www.symantec.com/connect/blogs/microsoft-office-cve-2013-1331-coverage
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-1331-a-zero-day-disclosed.html
http://eromang.zataz.com/2013/06/13/ms13-051-cve-2013-1331-what-we-know-about-microsoft-office-zero-...
https://threatpost.com/important-office-2003-zero-day-deserves-second-look/100990/
https://blogs.technet.microsoft.com/srd/2013/06/11/ms13-051-get-out-of-my-office/
http://dataprotectioncenter.com/general/microsoft-office-cve-2013-1331-coverage/
http://blog.trendmicro.com/trendlabs-security-intelligence/light-june-2013-patch-tuesday-is-no-reaso...
Privilege escalation in Microsoft Windows
CVE-2013-3660
Privilege escalation
The vulnerability allows a local attacker to obtain elevated privileges on the target system.The weakness exists due to the failure to properly initialize a pointer for the next object in a certain list by the EPATHOBJ::pprFlattenRec function within kernel-mode driver (win32k.sys). A local attacker can use multiple FlattenPath function calls to obtain write access to the PATHRECORD chain and execute arbitrary code on the system with elevated privileges.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Tavis Ormandy, a Google security engineer, reported a critical bug to Microsoft only five days before going public.
The vulnerability has being used by Carbanak group.
Software: Windows
Known/fameous malware:
Cidox/Rovnix Bootkit
PowerLoader
The vulnerability has being used by Carbanak group.
Directory traversal in Adobe ColdFusion
CVE-2013-3336
Directory traversal
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to improper validation of the user-supplied input. A remote attacker can create specially crafted HTTP request containing "dot dot" sequences (/../) and view contents of arbitrary files on vulnerable system.
Successful exploitation of the vulnerability may allow an attacker to obtain potentially sensitive information and compromise vulnerable system.
Note: the vulnerability was being actively exploited.
Software: ColdFusion
Links:
http://www.adobe.com/support/security/advisories/apsa13-03.html
http://www.computerworld.com/article/2497237/security0/adobe-warns-of-unpatched-critical-flaw-in-col...
http://mac-security.blogspot.com/2013/05/new-critical-adobe-security-updates.html
http://www.infosecurity-magazine.com/news/anonymous-said-to-be-exploiting-coldfusion-in/
https://www.corero.com/resources/files/security_advisories/advisory_CNS_IPS_Microsoft_Adobe_ColdFusi...
http://www.securityweek.com/server-washington-state-courts-office-hacked-sensitive-data-exposed
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000492.aspx
Remote code execution in Microsoft Internet Explorer
CVE-2013-1347
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in the CGenericElement object. A remote attacker can create specially crafted Web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability has been exploited in watering hole attack against Department of Labor (DoL). Used in Pawn Storm campaign.
Software: Microsoft Internet Explorer
Links:
https://www.fireeye.com/blog/threat-research/2013/05/ie-zero-day-is-used-in-dol-watering-hole-attack...
https://technet.microsoft.com/en-us/library/security/2847140.aspx
https://technet.microsoft.com/en-us/library/security/ms13-may.aspx
https://technet.microsoft.com/en-us/library/security/ms13-038
https://nakedsecurity.sophos.com/2013/05/09/microsoft-rushes-out-cve-2013-1347-fix-it-for-the-latest...
https://securityintelligence.com/cve-2013-1347-microsoft-internet-explorer-cgenericelement-object-us...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26721
http://stopmalvertising.com/malware-reports/cve-2013-1347-new-internet-explorer-8-0-day-used-in-wate...
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF
https://krebsonsecurity.com/2013/05/zero-day-exploit-published-for-ie8/
https://blogs.forcepoint.com/security-labs/internet-explorer-zero-day-vulnerability-cve-2013-1347-up...
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000479.aspx
https://blog.qualys.com/laws-of-vulnerabilities/2013/05/04/new-0-day-in-microsoft-internet-explorer-...
https://www.threatconnect.com/blog/threatconnect-gets-root-targeted-exploitation-campaigns/
Cross-site scripting in Microsoft SharePoint Server
CVE-2013-1289
Cross-site scripting
The vulnerability allows a remote attacker to obtain elevated privileges on the target system.The weakness exists due to an error related to the way HTML strings are sanitized by HTML Sanitization components. A remote attacker can create a specially crafted URL, trick the victim into opening it, take actions on the targeted site or read restricted content and obtain sensitive information with elevated privileges.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft SharePoint Server
PHP inlcuding in Roundcube Webmail
CVE-2013-1904
PHP including
The vulnerability allows a remote attacker to include arbitrary files on the target system.The weakness exists due to improper sanitization of user-supplied data within "steps/mail/sendmail.inc" script when parsing "generic_message_footer" HTTP parameter passed to "/index.php" script. A remote attacker can send a specially crafted HTTP request to the "index.php" script, include and execute arbitrary PHP script on the affected server.
Successful exploitation of the vulnerability may lead to system compromise.
Note: the vulnerability was being actively exploited.
Software: Roundcube
Known/fameous malware:
Exploit-FHV!CVE2013-1493 (McAfee)
Exp/20131493-G (Sophos)
Exp/20131493-A (Sophos)
Exploit.Java.CVE-2013-1493.gen (Kaspersky)
Java/CVE_2013_1493.NT!exploit
Remote code execution in Microsoft Silverlight
CVE-2013-0074
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when rendering an HTML object. A remote attacker can create a specially crafted Web site containing a malicious Silverlight applicationt, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Silverlight
Known/fameous malware:
Exploit kits: Angler, Archie, Astrum, Fiesta, Hanjuan, Infinity (Exploit kit), Neutrino, Nuclear Pack, RIG.
Links:
https://technet.microsoft.com/en-us/library/security/ms13-022.aspx
https://www.zscaler.com/blogs/research/exploit-kits-anatomy-silverlight-exploit
https://www.checkpoint.com/downloads/partners/TCC-Silverlight-Jan2015.pdf
https://www.symantec.com/security_response/vulnerability.jsp?bid=58327
http://journeyintoir.blogspot.com/2014/05/cve-2013-0074-3896-silverlight-exploit.html
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27612
http://www.vxsecurity.sg/2014/06/18/technical-tear-down-fiesta-exploit-kit-silverlight-exploit-cve-2...
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-a-silverlight-exploit/
https://blog.malwarebytes.com/threat-analysis/2014/05/malvertising-campaign-on-popular-site-leads-to...
http://blogs.cisco.com/security/angling-for-silverlight-exploits
https://www.scmagazine.com/more-exploits-including-silverlight-attack-packed-in-nuclear-kit/article/...
http://arstechnica.com/security/2014/05/move-over-java-drive-by-attacks-exploiting-microsoft-silverl...
Remote code execution in Oracle Java SE
CVE-2013-1493
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to multiple integer and buffer overflows in the color management (CMM) functionality within the 2D component. A remote attacker can create specially crafted Web page, trick the victim into visiting it, trigger memory corruption using an image with crafted raster parameters and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability allows a remote user to execute arbitrary code on the target system via MC Rat (Trojan). The vulnerability was found with the help of Malware Protection Cloud (MPC).
The vulnerability turned out to have been exploited in Sun Shop Campaign and related to breach at security firm Bit9.
Software: Oracle Java SE
Known/fameous malware:
Trojan.Naid, Trojan.Dropper (Symantec).
The vulnerability turned out to have been exploited in Sun Shop Campaign and related to breach at security firm Bit9.
Links:
https://www.fireeye.com/blog/threat-research/2013/02/yaj0-yet-another-java-zero-day-2.html
https://twitter.com/jduck/status/307629902574800897
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1915099.xml
https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493
https://www.symantec.com/connect/blogs/latest-java-zero-day-shares-connections-bit9-security-inciden...
https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/
Multiple vulnerabilities in Adobe Flash Player
CVE-2013-0648
Arbitrary code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an error in the ExternalInterface ActionScript feature. A remote attacker can create specially crafted Web site serving malicious Flash (SWF) content, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Adobe Flash Player
Links:
https://www.adobe.com/support/security/bulletins/apsb13-08.html
https://www.intego.com/mac-security-blog/adobe-squashes-two-exploits-in-the-wild-designed-to-target-...
http://www.computerworlduk.com/it-vendors/new-emergency-flash-update-as-hackers-hit-firefox-3428746/
https://blog.basefarm.com/blog/security-updates-available-for-adobe-flash-player-apsb13-08/
http://doa.alaska.gov/ets/security/S_Advisory/sa2013-023.pdf
http://www.macworld.co.uk/news/apple/adobe-springs-emergency-flash-update-says-hackers-hitting-firef...
https://www.auscert.org.au/render.html?it=17093
http://www.totalsofttech.com.ph/adobe-springs-emergency-flash-update-says-hackers-hitting-firefox/
http://krebsonsecurity.com/tag/cve-2013-0648/
http://www.theregister.co.uk/2013/02/27/adobe_issues_two_critical_flash_vuln_patches/
Multiple vulnerabilities in Adobe Flash Player
CVE-2013-0643
Arbitrary code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an error when handling permissions of the Flash Player Firefox sandbox. A remote attacker can create specially crafted Web site serving malicious Flash (SWF) content, trick the victim into visiting it, bypass the sandbox restrictions and execute arbitrary code outside the sandbox with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Adobe Flash Player
Links:
http://www.adobe.com/support/security/bulletins/apsb13-08.html
http://doa.alaska.gov/ets/security/S_Advisory/sa2013-023.pdf
https://krebsonsecurity.com/2013/02/flash-player-update-fixes-zero-day-flaws/#more-19186
http://www.techworld.com/news/security/adobe-pushes-out-emergency-flash-update-as-hackers-hit-firefo...
https://www.scmagazine.com/adobe-hurries-update-to-fix-flash-zero-day-vulnerabilities/article/542241...
http://www.computerworld.com/article/2495576/malware-vulnerabilities/adobe-springs-emergency-flash-u...
http://www.theregister.co.uk/2013/02/27/adobe_issues_two_critical_flash_vuln_patches/
https://blog.qualys.com/laws-of-vulnerabilities/2013/02
Two remote code execution vulnerabilities in Adobe Acrobat and Adobe Reader
CVE-2013-0641
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when handling malicious files. A remote attacker can create specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The sandbox vulnerability was dubbed as "666" by FireEye. CVE-2013-0640 and CVE-2013-0641 have been exploited in MiniDuke, Zegost, PlugX Malware Campaign attacks.
Software: Adobe Reader
Links:
https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html
http://www.adobe.com/support/security/advisories/apsa13-02.html
http://www.adobe.com/support/security/bulletins/apsb13-07.html
http://blog.trendmicro.com/trendlabs-security-intelligence/zero-day-vulnerability-hits-adobe-reader/
https://www.symantec.com/security_response/vulnerability.jsp?bid=57947
http://blog.opensecurityresearch.com/2013/10/analysis-of-malware-rop-chain.html
http://hooked-on-mnemonics.blogspot.com/2013/02/detecting-pdf-js-obfuscation-using.html
https://nakedsecurity.sophos.com/2013/02/14/no-patch-yet-for-pdf-exploits/
https://access.redhat.com/security/cve/cve-2013-0641
http://www.securityweek.com/latest-adobe-zero-day-serious-business-attackers-escape-adobe-reader-san...
https://www.slashgear.com/adobe-says-acrobat-and-reader-vulnerabilities-exploited-with-malicious-pdf...
http://www.pcworld.com/article/2028603/adobe-readies-emergency-patches-for-reader-acrobat.html
http://www.eweek.com/security/adobe-issues-reader-acrobat-security-updates-to-stave-off-attacks
https://securingtomorrow.mcafee.com/mcafee-labs/emerging-stack-pivoting-exploits-bypass-common-secur...
https://www.fireeye.jp/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-zero-day-attacks-in...
Two remote code execution vulnerabilities in Adobe Acrobat and Adobe Reader
CVE-2013-0640
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling malicious files. A remote attacker can create specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The sandbox vulnerability was dubbed as "666" by FireEye. CVE-2013-0640 and CVE-2013-0641 have been exploited in MiniDuke, Zegost, PlugX Malware Campaign attacks.
Software: Adobe Reader
Links:
https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html
http://www.adobe.com/support/security/advisories/apsa13-02.html
http://www.adobe.com/support/security/bulletins/apsb13-07.html
http://www.kb.cert.org/vuls/id/422807
https://labs.portcullis.co.uk/blog/cve-2013-0640-adobe-reader-xfa-oneofchild-un-initialized-memory-v...
http://www.enigmasoftware.com/pdf-cve20130640-vulnerability-exploited-miniduke-zegost-plugx/
http://blog.trendmicro.com/trendlabs-security-intelligence/zero-day-vulnerability-hits-adobe-reader/
http://blog.opensecurityresearch.com/2013/10/analysis-of-malware-rop-chain.html
https://securelist.com/blog/incidents/31112/the-miniduke-mystery-pdf-0-day-government-spy-assembler-...
http://vinsula.com/2013/04/17/cve-2013-0640-adobe-pdf-zero-day-malware/
Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2013-0634
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in Flash Player for Firefox. A remote attacker can create specially crafted .swf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was discovered by Shadowserver Foundation.
The exploit was used in a cyber espionage campaign dubbed тАЬLadyBoyle".
Software: Adobe Flash Player
The exploit was used in a cyber espionage campaign dubbed тАЬLadyBoyle".
Links:
http://www.adobe.com/support/security/bulletins/apsb13-04.html
https://www.invincea.com/2013/02/exploit-down-analysis-and-protection-against-adobe-flash-exploit-cv...
http://blog.malwaremustdie.org/2013/02/cve-2013-0634-this-ladyboyle-is-not.html
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26455
http://www.enigmasoftware.com/exploitswfcve20130634a-removal/
https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.htm...
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASH_REGEX_VALUE
https://www.intego.com/mac-security-blog/adobe-resolves-flash-player-flaws-being-exploited-in-the-wi...
http://www.spywareremove.com/removeexploitswfcve20130634a.html
https://eromang.zataz.com/2013/02/26/gong-da-gondad-exploit-pack-add-flash-cve-2013-0634-support/
https://krebsonsecurity.com/tag/cve-2013-0634/
http://www.infoworld.com/article/2613576/security/adobe-blames-na-ve-office-users-for-latest-flash-p...
https://nakedsecurity.sophos.com/2013/02/08/adobe-patches-flash-heads-off-attacks-on-windows-and-app...
https://www.intego.com/mac-security-blog/two-adobe-vulnerabilities-attacked-in-the-wild-now-patched/
https://www.invincea.com/2013/02/exploit-down-analysis-and-protection-against-adobe-flash-exploit-cv...
http://www.securityweek.com/adobe-patches-flash-player-against-active-attacks
https://www.fireeye.jp/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-zero-day-attacks-in...
Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2013-0633
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow in ActiveX version of Flash Player. A remote attacker can create specially crafted .swf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported to Adobe by Sergey Golovanov and Alexander Polyakov of Kaspersky.
The vulnerability was being used in a series of targeted attacks mostly against human rights activists and political dissidents from Africa and the Middle East.
Software: Adobe Flash Player
Known/fameous malware:
Exploit: SWF/CVE-2013-0633.
The vulnerability was being used in a series of targeted attacks mostly against human rights activists and political dissidents from Africa and the Middle East.
Links:
http://www.adobe.com/support/security/bulletins/apsb13-04.html
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26453
https://www.symantec.com/security_response/vulnerability.jsp?bid=57788
http://krebsonsecurity.com/tag/cve-2013-0633/
https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.htm...
https://eromang.zataz.com/2013/02/26/gong-da-gondad-exploit-pack-add-flash-cve-2013-0634-support/
http://www.kaspersky.com/au/about/news/virus/2013/Kaspersky_Lab_Experts_Credited_for_Identifying_and...
https://securelist.com/blog/research/64215/adobe-flash-player-0-day-and-hackingteams-remote-control-...
http://www.pcworld.com/article/2027916/researchers-surveillance-malware-distributed-via-flash-player-exploit.html
http://www.infoworld.com/article/2613576/security/adobe-blames-na-ve-office-users-for-latest-flash-p...
https://securityledger.com/2013/02/adobe-pushes-fix-for-flash-player-cites-attacks-on-windows-mac-an...
https://www.intego.com/mac-security-blog/two-adobe-vulnerabilities-attacked-in-the-wild-now-patched/
http://www.pcadvisor.co.uk/feature/security/adobe-releases-emergency-flash-fixes-for-two-zero-day-bu...
Remote code execution in JustSystems Ichitaro
CVE-2013-0707
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when processing office documents. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Ichitaro
Remote code execution in Oracle Java SE
CVE-2013-0422
Arbitrary code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to errors involving Java Management Extensions (JMX) MBean components. A remote attacker can create specially crafted Web site containing a malicious Java applet, trick the victim into opening it, invoke the setSecurityManager() function and execute arbitrary code outside the sandbox with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The CVE-2013-0422 exploit has also been identified as distributing GameHack and Banki malicious code. The vulnerability was used by Blackhole, Cool Exploit, and Nuclear exploit kits.
Software: Oracle Java SE
Known/fameous malware:
TROJ_REVETON.RJ
TROJ_REVETON.RG.
Links:
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
http://www.kb.cert.org/vuls/id/625617
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
https://www.ibm.com/blogs/psirt/oracle-java-7-security-manager-bypass-vulnerability-cve-2013-0422/
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-verbose-1896885.html
http://www.ampliasecurity.com/blog/2013/01/10/java_7_update_10_0-day_vulnerability_CVE-2013-0422/
http://www.zdnet.com/article/targeted-attack-against-uae-activist-utilizes-cve-2013-0422-drops-malwa...
http://www.welivesecurity.com/2013/01/11/java-0-day-exploit-cve-2013-0422/
http://www.cparequirements.com/2013/05/apple-facebook-and-microsoft-all-victims-of-java-cve-2013-042...
http://global.ahnlab.com/global/upload/download/documents/1401223631614158.pdf
Multiple vulnerabilities in Adobe ColdFusion
CVE-2013-0625
Authentication bypass
The vulnerability allows a remote attacker to bypass authentication and execute arbitrary code on the target system.
The vulnerability exists due to improper authentication, when password is not configured. A remote unauthenticated attacker can bypass authentication process and execute arbitrary code on the target system.
Note: the vulnerability was being actively exploited.
Software: ColdFusion
Links:
http://www.adobe.com/support/security/bulletins/apsb13-03.html
http://www.adobe.com/support/security/advisories/apsa13-01.html
http://eyeonforensics.blogspot.com/2013/03/a-cold-day-in-e-commerce-guest-post.html
http://doa.alaska.gov/ets/security/S_Advisory/SA2013-093.pdf
http://blogs.coldfusion.com/assets/content/security/Security%20Best%20Practices%20for%20ColdFusion.p...
http://www.securityweek.com/adobe-warns-attacks-exploiting-coldfusion-vulnerabilities-fix-coming
http://www.livehacking.com/category/vulnerability/adobe/
http://www.pcworld.com/article/2025406/adobe-patches-actively-exploited-coldfusion-vulnerabilities.h...
http://www.itworld.com/article/2714589/security/adobe-warns-of-actively-exploited-coldfusion-flaws.h...
http://www.computerworld.com/article/2494475/malware-vulnerabilities/adobe-warns-of-actively-exploit...
http://www.mis-asia.com/tech/security/adobe-warns-of-actively-exploited-coldfusion-flaws/
Multiple vulnerabilities in Adobe ColdFusion
CVE-2013-0629
Authentication bypass
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to an error in authentication process, when a password is not configured. A remote unauthenticated attacker can gain unauthorized access to restricted directories.
Successful exploitation of this vulnerability results in unauthorized gaining access to the directories.
Note: the vulnerability was being actively exploited.Software: ColdFusion
Links:
http://www.adobe.com/support/security/bulletins/apsb13-03.html
http://www.adobe.com/support/security/advisories/apsa13-01.html
https://www.acunetix.com/vulnerabilities/web/adobe-coldfusion-9-administrative-login-bypass
http://eyeonforensics.blogspot.com/2013/03/a-cold-day-in-e-commerce-guest-post.html
http://doa.alaska.gov/ets/security/S_Advisory/SA2013-093.pdf
http://blogs.coldfusion.com/assets/content/security/Security%20Best%20Practices%20for%20ColdFusion.pdf
http://www.securityweek.com/adobe-warns-attacks-exploiting-coldfusion-vulnerabilities-fix-coming
http://www.livehacking.com/category/vulnerability/adobe/
http://www.pcworld.com/article/2025406/adobe-patches-actively-exploited-coldfusion-vulnerabilities.html
http://www.itworld.com/article/2714589/security/adobe-warns-of-actively-exploited-coldfusion-flaws.html
http://www.computerworld.com/article/2494475/malware-vulnerabilities/adobe-warns-of-actively-exploited-coldfusion-flaws.html
http://www.mis-asia.com/tech/security/adobe-warns-of-actively-exploited-coldfusion-flaws/
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module--Pr...
http://blogs.elis.org/isa/attackers-exploited-coldfusion-vulnerability-to-install-microsoft-iis-malw...
Multiple vulnerabilities in Adobe ColdFusion
CVE-2013-0631
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to improper access control. A remote attacker can gain access to important data.
Note: the vulnerability was being actively exploited.
Software: ColdFusion
Links:
http://www.adobe.com/support/security/bulletins/apsb13-03.html
http://www.adobe.com/support/security/advisories/apsa13-01.html
https://www.acunetix.com/vulnerabilities/web/adobe-coldfusion-9-administrative-login-bypass
http://eyeonforensics.blogspot.com/2013/03/a-cold-day-in-e-commerce-guest-post.html
http://doa.alaska.gov/ets/security/S_Advisory/SA2013-093.pdf
http://www.securityweek.com/adobe-warns-attacks-exploiting-coldfusion-vulnerabilities-fix-coming
http://www.livehacking.com/category/vulnerability/adobe/
http://www.pcworld.com/article/2025406/adobe-patches-actively-exploited-coldfusion-vulnerabilities.h...
http://www.itworld.com/article/2714589/security/adobe-warns-of-actively-exploited-coldfusion-flaws.h...
http://www.computerworld.com/article/2494475/malware-vulnerabilities/adobe-warns-of-actively-exploit...
http://www.mis-asia.com/tech/security/adobe-warns-of-actively-exploited-coldfusion-flaws/
http://energy.gov/cio/articles/v-063-adobe-coldfusion-bugs-let-remote-users-gain-access-and-obtain-i...
Multiple vulnerabilities in Adobe ColdFusion
CVE-2013-0632
Authentication bypass
The vulnerability allows a remote attacker to bypass authentication and gain unauthorized access to vulnerable system.
The vulnerability exists due to an error within administrator.cfc. A remote unauthenticated attacker can access Adobe ColdFusion application using a default empty password, login to the RDS component and leverage this session to access administrative web interface.
Successful exploitation of this vulnerability results in unauthorized access to Adobe ColdFusion.
Note: the vulnerability was being actively exploited.The vulnerability was used to compromise website of the Washington state Administrative Office of the Courts (AOC).
Software: ColdFusion
Links:
http://www.adobe.com/support/security/advisories/apsa13-01.html
http://www.adobe.com/support/security/bulletins/apsb13-03.html
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27201
https://www.acunetix.com/vulnerabilities/web/adobe-coldfusion-9-administrative-login-bypass
https://vulners.com/metasploit/MSF:EXPLOIT/MULTI/HTTP/COLDFUSION_RDS
http://www.livehacking.com/category/vulnerability/adobe/
http://www.pcworld.com/article/2025406/adobe-patches-actively-exploited-coldfusion-vulnerabilities.h...
http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat
https://www.scmagazine.com/weakness-in-adobe-coldfusion-allowed-court-hackers-access-to-160k-ssns/ar...
http://www.itnews.com.au/news/a-million-drivers-licenses-possibly-stolen-via-coldfusion-hole-342953
http://krebsonsecurity.com/tag/amcrin/
Arbitrary file upload in SugarCRM
CVE-2023-22952
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote attacker bypass implemented authentication process, upload a malicious file and execute it on the server.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Software: SugarCRM
Remote code execution in Microsoft Internet Explorer
CVE-2012-4792
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error when handling the CDwnBindInfo object and attempting to access an object in memory that has not been initialized or has been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This vulnerability was described by Eric Romang and FireEye through Malware Protection Cloud.
The vulnerability has been exploited in watering hole attacks against Council on Foreign Relations (CFR) website 26.12.2012. The attack appears to be closely related to attacks in June 2012 that were targeting visitors of a major hotel chain and other attacks associated with the Elderwood Project.
Software: Microsoft Internet Explorer
The vulnerability has been exploited in watering hole attacks against Council on Foreign Relations (CFR) website 26.12.2012. The attack appears to be closely related to attacks in June 2012 that were targeting visitors of a major hotel chain and other attacks associated with the Elderwood Project.
Links:
https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-det...
https://technet.microsoft.com/library/security/ms13-008
https://technet.microsoft.com/library/security/2794220
http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-...
https://blogs.technet.microsoft.com/srd/2012/12/31/microsoft-fix-it-available-for-internet-explorer-...
https://blogs.technet.microsoft.com/srd/2012/12/29/new-vulnerability-affecting-internet-explorer-8-u...
https://www.alienvault.com/blogs/labs-research/new-internet-explorer-zeroday-was-used-in-the-dol-wat...
http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-...
https://nakedsecurity.sophos.com/2012/12/31/zero-day-vulnerability-in-internet-explorer-being-used-i...
Phishing attack in Opera browser
CVE-2012-6467
Improper input validation
The vulnerability allows a remote attacker to perform phishing attacks.The vulnerability exists due to improper input validation when processing Internet shortcuts, referenced by IMG or other inline elements. A remote attacker can create a specially crafted web page, trick the victim into visiting it and perform a phishing attack.
Note: the vulnerability was being actively exploited.
Software: Opera
Arbitrary file upload in Atomymaxsite
CVE-2012-6498
Arbitrary file upload
The vulnerability allows a remote attacker to cause arbitrary code execution on the original server.The weakness exists due to improper validation of file extensions in "index.php" script when uploading files. A remote attacker can upload arbitrary file with .php extension and execute it on the system with privileges of the web server.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by ThaiCERT as a zero-day targeting websites across the country.
Software: Atomymaxsite
XSS in HTML Sanitization Component in Microsoft Office products
CVE-2012-2520
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks and gain elevated privileges.The vulnerability exists due to insufficient sanitization of user-input within HTML Sanitization Component. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in userтАЩs browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability was being actively exploited.
Software: Microsoft Office InfoPath
Links:
https://technet.microsoft.com/en-us/library/security/ms12-066.aspx
http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_10_10_2012.pdf
http://www.securityweek.com/recently-patched-html-sanitization-flaw-linked-hotmail-xss-vulnerability
http://www.trendmicro.com.ru/vinfo/ru/threat-encyclopedia/vulnerability/2293/microsoft-windows-html-...
http://www.tripwire.com/vert/vert-alert/vert-alert-october-9-2012/
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000380.aspx
Remote code execution in Microsoft Internet Explorer
CVE-2012-4969
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in the CMshtmlEd::Exec function in mshtml.dll. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was found exploited in the wild and discovered by Eric Romang.
A real-world attack using the vulnerability first appeared in a blog post in Sep.14, 2012. The vulnerability was used by "Nitro" hacking group.
Software: Microsoft Internet Explorer
A real-world attack using the vulnerability first appeared in a blog post in Sep.14, 2012. The vulnerability was used by "Nitro" hacking group.
Links:
https://technet.microsoft.com/library/security/2757760
https://technet.microsoft.com/en-us/library/security/ms12-063
https://blogs.technet.microsoft.com/mmpc/2012/09/21/what-you-need-to-know-about-cve-2012-4969/
http://www.sevenforums.com/system-security/260613-should-i-remove-cve-2012-4969-a.html
http://krebsonsecurity.com/tag/cve-2012-4969/
https://www.f-secure.com/en/web/labs_global/cve-2012-4969
https://barracudalabs.com/2012/09/internet-explorer-0day-exploit-cve20124969-its-what-you-cant-see-t...
http://security.stackexchange.com/questions/21237/need-help-on-understanding-obfuscated-code-in-cve-...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25947
http://contagiodump.blogspot.com/2012/09/cve-2012-4969-internet-explorer-0day.html
http://www.antiy.net/p/sample-of-cve-2012-4969/
https://www.securestate.com/blog/2012/09/21/threat-alert-internet-explorer-zero-day-cve-2012-4969
https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2012-4969-and-the-Unnamed-Admin-Panel/
Remote code execution in Oracle Java SE
CVE-2012-4681
Error Handling
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to improper handling of Rhino Javascript errors. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and bypass sandbox restrictions to download and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The researchers of FireEye began investigation of the vulnerability after Twitter post made by Joshua J. Drake on August, 26.
Software: Oracle Java SE
Links:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
http://rhn.redhat.com/errata/RHSA-2012-1225.html
https://www.fireeye.com/blog/threat-research/2012/08/java-zero-day-first-outbreak.html
https://www.fireeye.com/blog/threat-research/2012/08/zero-day-season-is-not-over-yet.html
https://www.alienvault.com/blogs/labs-research/new-year-new-java-zeroday
https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-jav...
https://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html
Remote code execution in Windows Common Controls
CVE-2012-1856
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in MSCOMCTL.OCX ActiveX control. A remote attacker can create a specially crafted Web page that passes an overly long string argument, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Favorite hackers' vulnerability for years has been exploited along with CVE-2012-1856, CVE-2015-1641, CVE-2015-1770 in an APT campaign against journalists and human rights workers in Tibet, Hong Kong and Taiwan.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms12-060
https://blog.ropchain.com/2015/07/27/analyzing-vupens-cve-2012-1856/
http://www.securityweek.com/cve-2012-0158-exploited-attacks-targeting-government-agencies-europe-asi...
http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-rat-uwarrior/
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25966
https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
https://threatpost.com/apt-targeting-tibetans-packs-four-vulnerabilities-in-one-compromise/117493/
https://www.hackread.com/skype-malware-saves-screenshots-records-conversations/
https://www.grahamcluley.com/advanced-malware-logs-skype-calls-steals-files-removable-drives/
https://securingtomorrow.mcafee.com/mcafee-labs/threat-actors-use-encrypted-office-binary-format-eva...
https://www.symantec.com/security_response/vulnerability.jsp?bid=54948
https://blogs.technet.microsoft.com/srd/2012/08/14/ms12-060-addressing-a-vulnerability-in-mscomctl-o...
http://varzia.com/blog/keyboy-malware-used-in-targeted-attacks-in-asia/
Remote code execution in Adobe Flash Player
CVE-2012-1535
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when parsing malicious files. A remote attacker can create a specially crafted Flash (.swf) file embedded in a Microsoft Word (.doc) file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by Alexander Gavrun. The exploit was used by Aurora Group.
Software: Adobe Flash Player
Known/fameous malware:
Exploit:SWF/CVE-2012-1535.A.
Links:
https://lists.opensuse.org/opensuse-security-announce/2012-08/msg00010.html
http://www.adobe.com/support/security/bulletins/apsb12-18.html
https://blogs.technet.microsoft.com/mmpc/2012/08/28/a-technical-analysis-on-cve-2012-1535-adobe-flas...
https://www.symantec.com/connect/blogs/cve-2012-1535-adobe-flash-player-vulnerability-exploited-mult...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25878
https://www.f-secure.com/en/web/labs_global/cve-2012-1535
http://contagiodump.blogspot.co.uk/2012/08/cve-2012-1535-samples-and-info.html
https://securingtomorrow.mcafee.com/mcafee-labs/adobe-flash-update-counters-cve-2012-1535/
http://blog.talosintel.com/2012/08/cve-2012-1535-flash-0-day-in-wild.html
http://www.digital4rensics.com/blog/2012/08/brief-osint-review-for-cve-2012-1535-attacks/
https://www.alienvault.com/blogs/labs-research/cve-2012-1535-adobe-flash-being-exploited-in-the-wild
http://www.ehackingnews.com/2012/08/cve-2012-1535-adobe-flash-player-exploit.html
http://thehackernews.com/2012/09/operation-aurora-other-zero-day-attacks.html
Arbitrary file upload in MoinMoin
CVE-2012-6081
Arbitrary file upload
The vulnerability allows a remote authenticated attacker to compromise system.The weakness exists due to insufficient validation of the filename extension when uploading files twikidraw (action/twikidraw.py) and anywikidraw (action/anywikidraw.py) actions. A remote authenticated attacker with write permissions can upload and execute arbitrary file with executable extension.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was exploited to compromise Debian's wiki and Python documentation website in December, 2012. The exploitation's method used is based on an exploit from Pastebin.
Software: MoinMoin
Links:
http://hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f
https://moinmo.in/SecurityFixes/AdvisoryForDistributors
https://moinmo.in/SecurityFixes/Installation
https://moinmo.in/SecurityFixes/CVE-2012-6081
https://pentesterlab.com/exercises/cve-2012-6081/course
https://community.rapid7.com/community/metasploit/blog/2013/06/27/from-the-wild-to-metasploit
Insecure DLL loading in SIMATIC STEP 7 and PCS 7
CVE-2012-3015
DDL hijacking
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insecure DDL loading mechanism when processing STEP 7 files in SIMATIC STEP 7 and SIMATIC PCS 7 software. A remote attacker can trick the victim into opening a SETP 7 file from a remote SMB or WebDAV share, which hosts malicious .dll file, and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability has been exploited in the wild by Stuxnet malware in 2010.
The vulnerability was used by Stuxnet along with CVE-2010-2772.
Software: SIMATIC STEP 7
Known/fameous malware:
Stuxnet
Remote code execution in Microsoft Office
CVE-2012-1854
Untrusted Search Path
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to the way Microsoft Office loads .dll libraries when opening Office documents (such as a .docx file). A remote attacker can place a specially crafted .dll file along with Microsoft Office document on a remote SMB or WebDAV share, trick the victim into opening that document and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was being actively exploited since mid-March, 2012. The targeted attacks were focusing on Japanese organizations.
Software: Microsoft Office
Links:
https://technet.microsoft.com/library/security/ms12-046
https://www.symantec.com/connect/blogs/microsoft-patch-tuesday-july-2012
https://www.trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Patch-Tuesday-July-2012-%E2%80%93-TLS-...
https://www.symantec.com/connect/blogs/targeted-attacks-exploit-vba-vulnerability-july-ms-tuesday
Remote code execution in Oracle Java SE
CVE-2012-1723
Improper Input Validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an error in the HotSpot bytecode verifier. By using untrusted Java Web Start applications and untrusted Java applets in a client deployment, a remote attacker can execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was exploited by BlackHole Exploit Toolkit after official patch.
The vulnerability was made public by Michael тАШmihiтАЩ Schierl.
According to Brian Krebs, the exploit was used in targeted attacks before official patch from Oracle.
Software: Oracle Java SE
Known/fameous malware:
Trojan.Maljava.
The vulnerability was made public by Michael тАШmihiтАЩ Schierl.
According to Brian Krebs, the exploit was used in targeted attacks before official patch from Oracle.
Links:
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-June/019076.html
https://www.symantec.com/connect/blogs/examination-java-vulnerability-cve-2012-1723
http://www.welivesecurity.com/2012/07/10/java-the-hutt-meets-cve-2012-1723-the-evil-empire-strikes-b...
https://threatpost.com/volume-malware-targeting-java-cve-2012-1723-flaw-spikes-080312/76878/
http://blog.crysys.hu/2012/07/on-the-cve-2012-1723-based-java-exploit-and-malware-sample/
http://krebsonsecurity.com/2012/07/new-java-exploit-to-debut-in-blackhole-exploit-kits/
https://wraithhacker.com/last-years-java-exploit-cve-2012-1723/
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2012-1875
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to a use-after-free error related to same id property when attempting to access objects that have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
A functional exploit with shellcode appeared on PasteBin on 8.06.12 - four days before the Microsoft patch release.
The vulnerability was reported by adept with nickname Dark Son and researcher Yichong Lin.
Software: Microsoft Internet Explorer
Known/fameous malware:
Trojan.Naid.
The vulnerability was reported by adept with nickname Dark Son and researcher Yichong Lin.
Links:
https://technet.microsoft.com/en-us/library/security/ms12-037
https://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid
https://www.alienvault.com/blogs/labs-research/ongoing-attacks-exploiting-cve-2012-1875
https://threatpost.com/exploit-code-surfaces-cve-2012-1875-internet-explorer-bug-061812/76702/
http://breakthesecurity.cysecurity.org/2012/06/cve-2012-1875-hacking-windows-using-ms12-037-internet...
http://www.ehackingnews.com/2012/06/cve-2012-1875-exploit-for-remote-code.html
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/MS12_037_SAME_ID
http://eromang.zataz.com/2012/06/13/ms12-037-internet-explorer-same-id-vulnerability-metasploit-demo...
http://www.cio.com/article/2394927/security0/attack-code-published-for-two-actively-exploited-vulner...
http://www.infosecisland.com/blogview/21670-Symantec-Internet-Explorer-Zero-Day-Exploit-in-the-Wild....
Remote code execution in Microsoft XML Core Services
CVE-2012-1889
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in XML Core Services (MSXML) when attempting to access an object in memory that has not been initialized. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
One of the vulnerabilities used by Aurora group.
The attackers used the CVE-2010-2884 and CVE-2012-1889 0-day exploits to specifically target visitors to Amnesty International Hong Kong site
20.06.2012 SophosLabs determined that the website of a European aeronautical parts supplier had been hacked and delivered exploit for CVE-2012-1889.
TrendMicro observed the vulnerability targeting Chinese high school webpage.
Software: Microsoft XML Core Services
The attackers used the CVE-2010-2884 and CVE-2012-1889 0-day exploits to specifically target visitors to Amnesty International Hong Kong site
20.06.2012 SophosLabs determined that the website of a European aeronautical parts supplier had been hacked and delivered exploit for CVE-2012-1889.
TrendMicro observed the vulnerability targeting Chinese high school webpage.
Links:
https://technet.microsoft.com/library/security/2719615
https://technet.microsoft.com/library/security/ms12-043
https://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/
https://www.symantec.com/connect/blogs/cve-2012-1889-action
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://www.welivesecurity.com/2012/06/20/cve2012-1889-msxml-use-after-free-vulnerability/
https://www.experts-exchange.com/questions/27793137/After-Friday's-Rounds-of-Patches-from-Microsoft-...
http://contagiodump.blogspot.com/2012/07/brian-mariani-high-tech-bridge-htbridge.html
http://www.darknet.org.uk/2012/06/windows-xml-core-services-exploit-attacked-in-the-wild-cve-2012-18...
http://www.infoworld.com/article/2617287/malware/widely-used-web-attack-toolkit-exploits-unpatched-m...
https://nakedsecurity.sophos.com/2012/06/29/zero-day-xml-core-services-vulnerability-included-in-bla...
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000352.aspx
https://nakedsecurity.sophos.com/2012/06/29/zero-day-xml-core-services-vulnerability-included-in-bla...
http://thehackernews.com/2012/09/operation-aurora-other-zero-day-attacks.html
Remote code execution in PHP
CVE-2012-2376
Buffer overflow
The vulnerability allows a remote attacker to cause DoS conditions or execute arbitrary code on the target system.The weakness exists due to buffer overflow in the com_print_typeinfo function. A remote attacker can send a specially crafted arguments, trigger incorrect handling of COM object VARIANT types and cause the target application to crash or execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Bug with Variant type parsing was originally discovered by Condis. There is evidence this vulnerability was being exploited in the wild before official patch release.
Software: PHP
Known/fameous malware:
Trojan.Filecoder
Arbitrary code execution in Linux kernel
CVE-2012-2319
Buffer overflow
The vulnerability allows a local attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow in the driver within HFS plus filesystem. By using a specially crafted Hierarchical File System (HFS) filesystem, a local attacker can trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This is a zero-day according to Trustwave.
CVE-2012-2319 is a follow-up to CVE-2009-4020; issues in the HFS file system were detailed and patched on Dec. 3, 2009, but HFSPlus was left vulnerable until May 4, 2012.
Software: Linux kernel
CVE-2012-2319 is a follow-up to CVE-2009-4020; issues in the HFS file system were detailed and patched on Dec. 3, 2009, but HFSPlus was left vulnerable until May 4, 2012.
Links:
http://www.zdnet.com/article/linux-trailed-windows-in-patching-zero-days-in-2012-report-says/
https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/?dl=1
https://lwn.net/Articles/538898/
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6f24f892871acc47b40dd594c6...
Remote code execution in Adobe Flash Player
CVE-2012-0779
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to object type confusion error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This vulnerability has been exploited in the wild as part of the "World Uyghur Congress Invitation.doc" e-mail attack.
Software: Adobe Flash Player
Known/fameous malware:
TROJ_SCRIPBRID.A; backdoor BKDR_INJECT.EVL.
Links:
https://www.adobe.com/support/security/bulletins/apsb12-09.html
http://contagiodump.blogspot.com/2012/05/may-3-cve-2012-0779-world-uyghur.html
https://www.symantec.com/connect/blogs/targeted-attacks-using-confusion-cve-2012-0779
http://blog.trendmicro.com/trendlabs-security-intelligence/recent-threats-highlight-vulnerabilities-...
https://krebsonsecurity.com/2012/05/critical-flash-update-fixes-zero-day-flaw/
https://www.alienvault.com/blogs/labs-research/several-targeted-attacks-exploiting-adobe-flash-playe...
https://blogs.technet.microsoft.com/mmpc/2012/05/24/a-technical-analysis-of-adobe-flash-player-cve-2...
http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-s...
https://www.reddit.com/r/netsec/comments/ta12k/several_targeted_attacks_exploiting_adobe_flash/
http://thehackernews.com/2012/09/operation-aurora-other-zero-day-attacks.html
http://www.securityweek.com/adobe-patches-zero-day-vulnerability-used-targeted-attacks
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25718
Remote command injection in PHP
CVE-2012-2311
OS command injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to error when parsing QUERY_STRING parameters within PHP-CGI-based application (sapi/cgi/cgi_main.c). A remote attacker can send specially crafted HTTP request with query string, contain a %3D sequence but no = (equals sign) character, inject and execute arbitrary OS commands on vulnerable system with privileges of the web server.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.
This vulnerability is a result of an incomplete fix for SB2012050301.
Note: the vulnerability was being actively exploited.
Also known as CVE-2012-1823.The patch for the original vulnerability CVE-2012-1823 was accidentally disclosed before the official release however did not fix the issue. The vulnerability became widely discussed in the public and used in real-world attacks. It took several days for the developers to issue a proper security patch.
The vulnerability was being exploited by Linux worm (Linux.Darlloz) in 2013 to target the Internet of things (IoT) devices.
Software: PHP
Known/fameous malware:
Linux.Darlloz
The vulnerability was being exploited by Linux worm (Linux.Darlloz) in 2013 to target the Internet of things (IoT) devices.
Links:
https://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.computerworld.com/article/2504068/malware-vulnerabilities/php-patches-actively-exploited-...
https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/76537/
http://www.php.net/ChangeLog-5.php#5.4.2
https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/?dl=1
http://www.php.net/archive/2012.php#id2012-05-03-1
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27798
https://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
http://www.primalsecurity.net/0xe-python-tutorials-use-case-cve-2012-1823/
http://eromang.zataz.com/2012/05/06/cve-2012-1823-php-cgi-argument-injection-metasploit-demo/
http://websec.ca/blog/view/detecting-and-exploiting-php-cgi
https://pen-testing.sans.org/blog/2012/06/04/tips-for-pen-testers-on-exploiting-the-php-remote-execu...
https://isc.sans.edu/diary/PHP+vulnerability+CVE-2012-1823+being+exploited+in+the+wild/13312#__utma=...
http://commandline.ninja/2012/05/08/php-updated-cve-2012-1823-cve-2012-2311/
https://bobcares.com/blog/php-cgi-severe-vulnerability-cve-2012-1823/
https://blog.cloudpassage.com/2013/10/31/cve-2012-1823-apache-php5-x-remote-code-execution-exploit/
https://www.symantec.com/security_response/writeup.jsp?docid=2013-112710-1612-99&tabid=2
http://www.pcworld.idg.com.au/article/424083/php_patches_actively_exploited_cgi_vulnerability/
TNS Listener Poisoning Attack in Oracle Database
CVE-2012-1675
Spoofing attack
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error in the TNS listener service. A remote attacker can register an existing instance or service name, use man-in-the-middle techniques and read, inject or modify transmitted data.
Successful exploitation of this vulnerability may result in unauthorized access to entire database.
Note: the vulnerability was being actively exploited.
Joxean Koret discovered this vulnerability in 2008 and publicly disclosed in 2012.
The vulnerability was used in "TNS Listener Poison Attack"
Software: Oracle Database Server
The vulnerability was used in "TNS Listener Poison Attack"
Links:
http://seclists.org/fulldisclosure/2012/Apr/343
http://thetechnologygeek.org/oracle-zero-day-vulnerability-still-not-patched/
https://blogs.oracle.com/security/entry/security_alert_for_cve_2012
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00018.html
http://www.informationsecuritybuzz.com/articles/oracle-tns-listener-poison-attack/
http://www.teamshatter.com/topics/general/team-shatter-exclusive/oracle-0-day-tns-listener-poison-at...
https://support.symantec.com/en_US/article.TECH219444.html
https://blog.qualys.com/laws-of-vulnerabilities/2012/05/01/oracle-adresses-0-day-tns-poison
http://pfierens.blogspot.com/2014/10/cve-2012-1675-listener-poisoning.html
http://searchsecurity.techtarget.com/tip/Using-the-network-to-prevent-an-Oracle-TNS-Listener-poison-...
Remote code execution in MSCOMCTL.OCX ActiveX control in Microsoft Office
CVE-2012-0158
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in MSCOMCTL.OCX ActiveX control. A remote attacker can create a specially crafted Web page that passes an overly long string argument, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Researchers based in Asia noticed these malicious documents in Japan and Taiwan before they started showing up/targeting USA companies.
The vulnerability appeared to operate in 2014 in the Western Australian time zone. Examples of such groups include the 'Shiqiang Gang' (as reported by McAfee), 'PLEAD' (as reported by Trend Micro), 'NetTraveler' (as reported by Kaspersky) and 'APT12' (as reported by FireEye).
The vulnerability has been exploited in Red October attacks in 2012 and attacks targeting Chinese media organizations, personnel at government agencies in Europe, Middle East and Central Asia in 2013. The exploit was successfully used in breach attack against NewYork Times in August of 2013. The vulnerability was still exploited in 2016. Exploit for this vulnerability was used in Pawn Storm campaign as well.
Software: Microsoft Office
Known/fameous malware:
TROJ_DROPPER.IK
BKDR_HGDER.IK.
The vulnerability appeared to operate in 2014 in the Western Australian time zone. Examples of such groups include the 'Shiqiang Gang' (as reported by McAfee), 'PLEAD' (as reported by Trend Micro), 'NetTraveler' (as reported by Kaspersky) and 'APT12' (as reported by FireEye).
The vulnerability has been exploited in Red October attacks in 2012 and attacks targeting Chinese media organizations, personnel at government agencies in Europe, Middle East and Central Asia in 2013. The exploit was successfully used in breach attack against NewYork Times in August of 2013. The vulnerability was still exploited in 2016. Exploit for this vulnerability was used in Pawn Storm campaign as well.
Links:
https://technet.microsoft.com/library/security/ms12-027
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/CVE-2012-0158-An-Anatomy-of-a-Prol...
https://securingtomorrow.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild/
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-exploitation-seen-in-variou...
https://sentinelone.com/item-news/cve-2012-0158-allocated-2011-patched-2012-still-actively-exploited...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25656
https://www.virusbulletin.com/blog/2014/10/cve-2012-0158-continues-be-used-targeted-attacks/
https://www.alienvault.com/blogs/security-essentials/cmstar-apt-malware-cve-2012-0158
http://contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html
http://blog.9bplus.com/same-cve-2012-0158-different-builder/
http://blog.malwaretracker.com/2013/08/cve-2012-0158-exploit-evades-av-in-mime.html
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-now-being-used-in-more-tibe...
https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
https://blogs.sophos.com/2016/07/01/the-word-bug-that-just-wont-die-cve-2012-0158-the-cybercrime-gif...
Command injection in WebGlimpse
CVE-2012-1795
Command injection
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The weakness exists due to insufficient sanitization of user-supplied data passed via the "query" HTTP GET parameter to "/webglimpse.cgi" script. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary OS commands on vulnerable system.
Exploitation example:
http://[host]/webglimpse.cgi?query=%27%26command+and+arguments+go+here%26%27
Successful exploitation may allow an attacker to gain complete control over vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was reported by Kevin Perry.
Software: Webglimpse
SQL injection in Parallels Plesk Panel
CVE-2012-1557
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in the back-end database.
Successful exploitation may allow an attacker to gain unauthorized access to the vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability may be tied to the DarkLeech attack campaign.
Software: Plesk
Links:
http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-windows-updates-release-notes.htm...
https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2012/haavoittuvuus-2012-035.html
https://kb.plesk.com/en/113321
http://www.h-online.com/security/news/item/Bug-in-Plesk-administration-software-is-being-actively-ex...
http://cwcsstatus.co.uk/security-notifications/2012/11/07/plesk-sql-injection-vulnerability-part-4.h...
http://blogs.cisco.com/security/possible-exploit-vector-for-darkleech-compromises
http://www.darkreading.com/attacks-breaches/possible-exploit-avenue-discovered-for-darkleech-web-server-attacks/d/d-id/1139631?
Multiple vulnerabilities in Adobe Flash Player
CVE-2012-0767
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.The vulnerability exists due to insufficient sanitization of user-input.A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in userтАЩs browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability was being actively exploited.
The vulnerability was used to target Webmail accounts.
Software: Adobe Flash Player
Links:
https://lists.opensuse.org/opensuse-security-announce/2012-02/msg00014.html
http://www.adobe.com/support/security/bulletins/apsb12-03.html
https://blog.fortinet.com/2012/02/17/fortinet-researchers-detect-eight-critical-adobe-flaws
https://www.cnet.com/forums/discussions/security-update-available-for-adobe-flash-player-apsb12-03-5...
http://www.zdnet.com/article/adobe-flash-player-xss-flaw-under-active-attack/
http://www.darkreading.com/attacks-breaches/flash-zero-day-used-in-targeted-email-attacks/d/d-id/113...
http://cert.europa.eu/static/SecurityAdvisories/CERT-EU-SA2012-0019.txt
SQL Injection in TYPO3
CVE-2012-1071
SQL Injection
The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in the back-end database.
Successful exploitation may allow an attacker to gain complete control over vulnerable system.
Note: this vulnerability is being actively exploited.
Raphael Noailles discovered and reported this issue.
Software: TYPO3
Remote code execution in Oracle Java SE
CVE-2012-3213
Error Handling
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to improper handling of Rhino Javascript errors. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and execute arbitrary code with privileges of the current user via untrusted Java Web Start applications and untrusted Java applets.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was disclosed by James Forsha.
Exploited by Wild Neutron.
Software: Oracle Java SE
Known/fameous malware:
Exploit.Java.CVE-2012-3213.b.
Exploited by Wild Neutron.
Remote code execution in FreeBSD
CVE-2011-4862
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow in the encrypt_keyid() function of telnetd. A remote attacker can send a very large encryption key to telnetd daemon, trigger buffer overflow and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: FreeBSD
Links:
https://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html
https://lists.freebsd.org/pipermail/freebsd-security/2011-December/006119.html
https://www.freebsd.org/security/advisories/FreeBSD-SA-11:08.telnetd.asc
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-008.txt
http://eromang.zataz.com/2012/01/16/cve-2011-4862-freebsd-telnet-buffer-overflow-metasploit-demo/
https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/TELNET/TELNET_ENCRYPT_OVERFLOW
Remote code execution in Adobe Acrobat and Adobe Reader
CVE-2011-4369
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the PRC component. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Adobe Reader
Known/fameous malware:
EvilBunny
Links:
http://www.adobe.com/support/security/bulletins/apsb11-30.html
http://www.adobe.com/support/security/bulletins/apsb12-01.html
http://blog.9bplus.com/analyzing-cve-2011-4369-part-one/
https://www.redhat.com/archives/rhsa-announce/2012-January/msg00003.html
http://www.computerworld.com/article/2499997/security0/symantec-confirms-reader-exploits-targeted-de...
http://www.pcworld.com/article/246390/adobe_patches_two_actively_exploited_vulnerabilities_in_reader...
http://technology.ky.gov/COT%20Alerts/Adobe%20Remote%20Code%20Execution%20Vulnerabilities.pdf
http://www.theregister.co.uk/2011/12/17/adobe_reader_critical_update/
http://www.infosecurity-magazine.com/news/adobe-patches-critical-security-holes-in-reader/
http://www.hawaii.edu/technews/notice.php?id=187891
https://msisac.cisecurity.org/advisories/2011/2011-072b.cfm
Remote code execution in Adobe Acrobat and Adobe Reader
тАЛCVE-2011-2462
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling Universal 3D (U3D) data. A remote attacker can create a specially crafted .pdf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This 0-day vulnerability was discovered by Lockheed MartinтАЩs Computer Incident Response Team and was found that it is part of a targeted attack. The sample of the exploit analyzed by the researchers appears to come from BarclayтАЩs bank in New York City.
Software: Adobe Reader
Known/fameous malware:
Trojan Sykipot.
Links:
http://www.adobe.com/support/security/advisories/apsa11-04.html
https://www.adobe.com/support/security/bulletins/apsb11-30.html
http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html
https://securingtomorrow.mcafee.com/mcafee-labs/inside-adobe-reader-zero-day-exploit-cve-2011-2462/
https://eternal-todo.com/blog/cve-2011-2462-exploit-analysis-peepdf
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/2366/vulnerability-in-u3d-compo...
http://blog.9bplus.com/analyzing-cve-2011-2462/
https://blogs.forcepoint.com/security-labs/adobe-reader-and-acrobat-vulnerability-cve-2011-2462
https://www.totaldefense.com/security-blog/new-zero-day-attack-in-adobe-products-cve-2011-2462
http://www.threatgeek.com/2011/12/adobe-reader-0-day-notes-cve-2011-2462.html
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_READER_U3D
https://www.fireeye.com/blog/threat-research/2013/02/threat-actors-mandiant-apt1-report-spear-phishi...
https://nakedsecurity.sophos.com/2011/12/10/targeted-emails-exploit-new-acrobat-reader-vulnerability...
https://www.totaldefense.com/security-blog/new-zero-day-attack-in-adobe-products-cve-2011-2462
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=398
http://securityresponse.symantec.com/threatreport/topic.jsp?id=vulnerability_trends&aid=notable_zero...
http://www.securityweek.com/adobe-warns-critical-zero-day-vulnerability-reader-and-acrobat-products
Remote code execution in Microsoft Windows
CVE-2011-3402
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers. A remote attacker can create a specially crafted Word document or web page containing font data, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This vulnerability was being actively exploited by the Stuxnet in Duqu attack.
Software: Windows
Known/fameous malware:
Win32/Exploit.CVE-2011-3402.G
W32.Duqu
Links:
https://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25272
https://media.ccc.de/v/29c3-5417-en-cve_2011_3402_analysis_h264
https://securelist.com/blog/incidents/31445/the-mystery-of-duqu-part-two-23/
https://securingtomorrow.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%e2%80%93-further-tales...
https://technet.microsoft.com/library/security/2639658
https://technet.microsoft.com/library/security/ms11-087
https://blogs.technet.microsoft.com/msrc/2011/11/03/microsoft-releases-security-advisory-2639658/
https://www.f-secure.com/v-descs/exploit_w32_cve_2011_3402_a.shtml
https://krebsonsecurity.com/tag/cve-2011-3402/
http://yomuds.blogspot.com/2012/11/cve-2011-3402-and-cool-exploit-kit_28.html
http://blog.crysys.hu/2013/01/encryption-related-to-duqu-font-expoit-cve-2011-3402/
https://blogs.forcepoint.com/security-labs/cve-2011-3402-vulnerability-truetype-font-parsing
https://www.totaldefense.com/security-blog/tag/cve-2011-3402
Multiple vulnerabilities in Adobe Flash Player
CVE-2011-2444
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-input passed via a crafted URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in userтАЩs browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability was being actively exploited in click-jacking campaigns.
Reported by Huzaifa S. Sidhpurwala.
That vulnerability shares some traits with an earlier Flash flaw that was used to target Gmail accounts in June.
Software: Adobe Flash Player
That vulnerability shares some traits with an earlier Flash flaw that was used to target Gmail accounts in June.
Links:
https://googlechromereleases.blogspot.com/2011/09/stable-channel-update_20.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
http://www.techcentral.ie/adobe-patches-critical-flash-bug/
http://energy.gov/cio/articles/t-723adobe-flash-player-multiple-bugs-let-remote-users-obtain-informa...
http://www.macworld.co.uk/news/mac-software/adobe-patches-flash-bug-hackers-are-already-exploiting-3...
http://www.infosecisland.com/blogview/16669-Adobe-Issues-Patch-for-Flash-Zero-Day-Vulnerability.html
http://www.simmtester.com/page/news/shownews.asp?num=14190
http://blogs.utpa.edu/infosecurity/2011/09/23/cross-site-scripting-xss-vulnerability-in-adobe-flash-...
http://blog.trendmicro.com/trendlabs-security-intelligence/adobe-releases-out-of-band-patch/
https://www.intego.com/mac-security-blog/zero-day-flash-vulnerability-prompts-rushed-update/
http://www.its.ms.gov/Services/SecurityAlerts/2011_9_21-Multiple-Vulnerabilities-in-Adobe-Flash-Play...
Remote code execution in Oracle Java SE
CVE-2011-3544
Error Handling
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to improper handling of Rhino Javascript errors. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and execute arbitrary code with privileges of the current user via untrusted Java Web Start applications and untrusted Java applets.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
According to Trend Micro, this is a zero-day .The vulnerability was discovered by Michael Schierl.
Software: Oracle Java SE
Known/fameous malware:
Exploit:Java/CVE-2011-3544.
Links:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
http://digcert.com/docs/symantec/symantec_report_2012.htm
http://blog.trendmicro.com/trendlabs-security-intelligence/2011-in-review-exploits-and-vulnerabiliti...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24700
http://repairinfectedpc.com/Exploit-Java-CVE-2011-3544-Removal/
https://krebsonsecurity.com/2011/12/amnesty-international-site-serving-java-exploit/#more-13070
https://krebsonsecurity.com/2011/11/public-java-exploit-amps-up-threat-level/#more-12679
https://www.cnet.com/forums/discussions/exploit-java-cve-2011-3544-583664/
Denial of service in Apache HTTP Server
CVE-2011-3192
Resource exhaustion
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to an error in the ByteRange filter when processing malicious requests in Apache HTTP server. A remote attacker can send a specially crafted HTTP request containing an overly large Range header, exhaust all available memory resources and trigger the application to crash.
Successful exploitation of the vulnerability results in denial service on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability is known as "Apache Killer".
Software: Apache HTTP Server
Links:
http://httpd.apache.org/security/CVE-2011-3192.txt
https://lists.opensuse.org/opensuse-security-announce/2011-09/msg00006.html
http://www.gossamer-threads.com/lists/apache/dev/401638
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110824161640.122D387DD@mino...
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110826103531.998348F82@mino...
http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html
https://blogs.oracle.com/security/entry/security_alert_for_cve_2011
https://wiki.apache.org/httpd/CVE-2011-3192
http://dino.ciuffetti.info/2011/08/cve-2011-3192-apachekiller/
Denial of service in Microsoft RDP
CVE-2011-1968
Denial of service
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to an error in the Remote Desktop Protocol when processing a sequence of malicious packets. A remote attacker can send a specially crafted RDP packets, gain access to an object that was not properly initialized or is deleted and cause the system to stop responding and restart.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Remote code execution in Valenok Mongoose
CVE-2011-2900
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow, caused by improper bounds checking by the put_dir() function when processing malicious requests. A remote attacker can send a specially crafted HTTP PUT request, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability is being exploited in the wild against Ubiquisys routers. Fully functional exploit code was made publicly available on August 2, 2011.
Software: Mongoose
Links:
https://lists.fedoraproject.org/pipermail/package-announce/2011-September/065273.html
http://www.openwall.com/lists/oss-security/2011/08/03/5
https://cxsecurity.com/issue/WLB-2011080230
http://plugins.openvas.org/nasl.php?oid=802139
http://w.infosecisland.com/alertsview/15722-CVE-2011-2900-mongoose-shttpd-yasslews.html
http://nion.modprobe.de/blog/archives/704-Exploiting-the-UbiquisysSFR-femtocell-webserver-wsalshttpd...
Arbitrary file upload Binarymoon TimThumb
CVE-2011-4106
Arbitrary file upload
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.
The vulnerability exists due to improper storing of content in the cache directory when processing input. A remote attacker can send a specially crafted HTTP request containing a white-listed domain in the src parameter, upload a malicious PHP script and execute arbitrary PHP code.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary PHP code on the vulnerable system.
Note: the vulnerability was being actively exploited.
The exploit was announced by Mark Maunder.
Software: TimThumb
Links:
http://www.openwall.com/lists/oss-security/2011/11/03/4
https://www.binarymoon.co.uk/2011/08/timthumb-2/
http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/
http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
https://www.binarymoon.co.uk/2011/08/timthumb-2/
https://www.heise.de/security/meldung/Tausende-WordPress-Blogs-zur-Verbreitung-von-Schadcode-genutzt...
https://www.malwareremovalservice.com/cve-2011-4106/
Multiple vulnerabilities in Apple iOS
CVE-2011-0226
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow when handling of Type 1 fonts by FreeType. A remote attacker can send a specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited in the wild via malicious PDF files.
Software: Apple iOS
Remote code execution in JustSystems Ichitaro
CVE-2011-1331
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to heap-based buffer overflow when handling malformed files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
According to Symantec the first exploitation of the vulnerability was discovered on 2009-03-19.
Software: Ichitaro
Known/fameous malware:
Trojan.Tarodrop.L
Links:
http://jvn.jp/en/jp/JVN87239473/index.html
http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000043.html
https://www.symantec.com/connect/blogs/targeted-attacks-2011-using-ichitaro-zero-day-vulnerability
http://www.justsystems.com/jp/info/js11001.html
https://www.symantec.com/security_response/writeup.jsp?docid=2011-061507-2634-99
https://www.symantec.com/security_response/writeup.jsp?docid=2011-061507-2634-99&tabid=3
https://co.norton.com/security_response/print_writeup.jsp?docid=2011-061507-2634-99
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Privilege escalation in Microsoft Windows
CVE-2011-1249
Privilege escalation
The vulnerability allows a local user to gain elevated privileges on the target system.
The vulnerability exists due to improper validation of input passed from user mode to the kernel in the Ancillary Function Driver (afd.sys). By running a malicious application, a local attacker with valid login credentials can execute arbitrary code with system privileges.
Successful exploitation of this vulnerability will allow the local attacker to obtain elevated privileges on vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms11-046.aspx
https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html
https://www.manageengine.com/products/desktop-central/patch-management/Windows-7-Ultimate-Edition/Wi...
http://www.hackingtutorials.org/exploit-tutorials/mingw-w64-how-to-compile-windows-exploits-on-kali-...
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2011-1255
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error related to time element when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: According to experts from M86, the vulnerability was exploited in targeted attacks before the official patch release from Microsoft.
According to experts from M86, this vulnerability was exploited in targeted attacks before the official patch release from Microsoft.
Software: Microsoft Internet Explorer
Links:
http://news.softpedia.com/news/Recently-Patched-IE-Flaw-Exploited-as-Zero-Day-208646.shtml
http://digcert.com/docs/symantec/symantec_report_2012.htm
http://securityaffairs.co/wordpress/44749/cyber-crime/operation-dust-storm.html
https://technet.microsoft.com/en-us/library/security/ms11-050.aspx
Remote code execution in Adobe Flash Player
CVE-2011-2110
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an array indexing error in the ActionScript3 AVM2 verification logic. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This is the same vulnerability that was used for attacks against Korean based organizations.
The vulnerability wasd exploited to compromise legitimate websites
(including an Indian government site, a US airport site, and an
aerospace site).
Software: Adobe Flash Player
The vulnerability wasd exploited to compromise legitimate websites (including an Indian government site, a US airport site, and an aerospace site).
Links:
http://www.adobe.com/support/security/bulletins/apsb11-18.html
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24336
https://www.zscaler.com/blogs/research/patching-flash-cve-2011-2110-post-mortem
http://zscaler-research.blogspot.com/2011/06/oh-flash-cve-2011-2110-0-day.html
https://www.rapid7.com/db/modules/exploit/windows/browser/adobe_flashplayer_arrayindexing
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617
https://blogs.technet.microsoft.com/mmpc/2011/07/01/a-technical-analysis-on-the-exploit-for-cve-2011...
http://www.infoworld.com/article/2621840/patch-management/adobe-patches-second-flash-zero-day-in-9-d...
Cross-site scripting in Adobe Flash Player
CVE-2011-2107
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-input. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in userтАЩs browser in context of website hosting an .swf file.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability was being actively exploited.The pay for an exploit might be around $5k-$10k at the moment.
Software: Adobe Flash Player
Links:
http://www.adobe.com/support/security/bulletins/apsb11-13.html
https://googlechromereleases.blogspot.com/2011/06/stable-channel-update.html
http://support.blackberry.com/kb/articleDetail?ArticleNumber=000027240
https://devcentral.f5.com/articles/flash-player-universal-xss-vulnerability-cve-2011-2107
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24302
http://support.blackberry.com/kb/articleDetail?ArticleNumber=000027240
http://www.macworld.co.uk/news/mac-software/adobe-flash-patched-after-zero-day-attacks-3284214/
https://devcentral.f5.com/Portals/0/Cache/Pdfs/2807/flash-player-universal-xss-vulnerability--cve-20...
http://news.softpedia.com/news/Adobe-Fixes-Actively-Exploited-Flash-Player-XSS-Flaw-204376.shtml
http://www.infoworld.com/article/2621874/hacking/hackers-exploit-flash-bug-in-new-attacks-against-gm...
http://www.eweek.com/c/a/Security/Adobe-Patches-XSS-ZeroDay-Flaw-in-Flash-Used-in-Google-Gmail-Attac...
https://www.cnet.com/au/news/adobe-issues-fix-for-flash-hole-being-used-in-attacks/
http://www.computerdealernews.com/news/adobe-flash-patched-after-zero-day-attacks/7323
Denial of service in Apache Subversion
CVE-2011-1752
Null pointer dereference
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to NULL pointer dereference in the mod_dav_svn module when processing baselined WebDAV resources. A remote attacker can create a specially crafted request, send it to the victim and cause the Subversion server to crash.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was discovered by Joe Schaefer.
Software: Subversion
Links:
http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
https://lists.fedoraproject.org/pipermail/package-announce/2011-June/061913.html
https://www.ubuntu.com/usn/USN-1144-1/
https://lwn.net/Articles/446888/
http://ovaldb.altx-soft.ru/Definition.aspx?id=oval:com.altx-soft.nix:def:2140
https://groups.google.com/forum/#!topic/visualsvn/K6IsJpMWaA8
Security bypass in Plone
CVE-2011-1950
Security bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to improper checking for authorization by plone.app.user. A remote attacker can modify the properties of arbitrary accounts.
Successful exploitation of the vulnerability may result in attacker's access to the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Plone
Multiple vulnerabilities in Adobe Flash Player
CVE-2011-0627
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Flash Player authplay.dll component. A remote attacker can create a specially crafted Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability is being actively exploited.
There are reports of malware attempting to exploit this vulnerability via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform.
Software: Adobe Flash Player
Multiple vulnerabilities in Adobe Flash Player
CVE-2011-0618
Integer Overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to integer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
According to Symantec the first exploitation of the vulnerability was discovered on 2010-01-03.
Software: Adobe Flash Player
Known/fameous malware:
Bloodhound.Exploit.412
Links:
https://www.symantec.com/security_response/vulnerability.jsp?bid=47815
https://ae.norton.com/security_response/print_writeup.jsp?docid=2011-062402-3901-99
http://www.adobe.com/support/security/bulletins/apsb11-12.html
https://novasecure.neonova.net/threats/details.cgi?id=513314
http://freecode.com/articles/red-hat-an-updated-adobe-flash-player-package-fixes-multiple-security-i...
http://support.blackberry.com/kb/articleDetail?ArticleNumber=000027365
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Multiple vulnerabilities in Microsoft Windows
CVE-2012-0181
Improper input validation
The vulnerability allows a local user to obtain elevated privileges on the target system.
The vulnerability exists due to improper managing of Keyboard Layout files by the kernel-mode driver (win32k.sys). A local attacker can execute arbitrary code on vulnerable system with SYSTEM privileges.
Successful exploitation of this vulnerability will allow the local attacker to obtain elevated privileges on vulnerable system.
Note: the vulnerability was being actively exploited.
According to Trustwave this is a zero-day.
A private exploit has been developed by Cr4sh and been published 2 weeks after the advisory.
CVE-2012-0181 fixes an issue alluded to on exploitdb site on Nov. 21, 2011, fixed July 10, 2012.
Software: Windows
A private exploit has been developed by Cr4sh and been published 2 weeks after the advisory.
CVE-2012-0181 fixes an issue alluded to on exploitdb site on Nov. 21, 2011, fixed July 10, 2012.
Links:
https://technet.microsoft.com/en-us/library/security/ms12-034
https://blogs.technet.microsoft.com/srd/2012/05/08/ms12-034-duqu-ten-cves-and-removing-keyboard-layo...
https://www.symantec.com/security_response/vulnerability.jsp?bid=53326
http://www.zdnet.com/article/linux-trailed-windows-in-patching-zero-days-in-2012-report-says/
https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/?dl=1
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2011-0094
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error when handling layout objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This vulnerability was reported to iDefense by anonymous. NSS was ready to pay for exploit for this vulnerability $100-500.
The vulnerability was used to compromise Philippines human rights website.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit:Win32/CVE-2011-0094.A
The vulnerability was used to compromise Philippines human rights website.
Links:
https://technet.microsoft.com/en-us/library/security/ms11-018.aspx
http://www.verisign.com/en_US/security-services/security-intelligence/vulnerability-reports/articles...
http://krebsonsecurity.com/tag/cve-2011-0094/
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/1971/layouts-handling-memory-co...
http://telussecuritylabs.com/threats/show/TSL20110414-01
https://www.symantec.com/connect/tr/blogs/government-and-human-rights-websites-fall-victim-targeted-...
http://www.infoworld.com/article/2620728/security/nss-labs-offers-reward-money-for-fresh-exploits.ht...
Remote code execution in Adobe Flash Player
CVE-2011-0611
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in authplay.dll component. A remote attacker can create a specially Flash (.swf) file embedded in a Microsoft Word (.doc) file, trick the victim into opening it, trigger memory corruption, and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability has being used during 1 month before disclosure. The campaign started with spam emails enticing users to open its attachment, typically a Microsoft Word document (or a zip file of a Microsoft Word document), which contained inside the malicious Flash exploit.
Software: Adobe Flash Player
Known/fameous malware:
Microsoft - Exploit:SWF/CVE-2011-0611.C, NOD32 - JS/Exploit.Pdfka.OXL.Gen, Symantec - Trojan.Pidief, Ikarus - Exploit.JS.ShellCode.
Links:
https://www.fireeye.com/blog/threat-research/2013/02/operation-beebus.html
https://secunia.com/?action=fetch&filename=Secunia_Whitepaper_CVE-2011-0611.pdf
https://support.symantec.com/en_US/article.TECH157906.html
http://www.adobe.com/support/security/advisories/apsa11-02.html
http://www.adobe.com/support/security/bulletins/apsb11-07.html
http://www.adobe.com/support/security/bulletins/apsb11-08.html
https://blogs.technet.microsoft.com/mmpc/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player...
http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html
https://blog.qualys.com/securitylabs/2011/04/15/placeholder
http://www.kahusecurity.com/2011/flash-0day-found-in-drive-by/
http://www.securitytube.net/video/1747
http://poc-hack.blogspot.com/2011/04/adobe-flash-player-cve-2011-0611-swf.html
http://securityaffairs.co/wordpress/27224/cyber-crime/kaspersky-report-energetic-bear.html
SQL injection in Webempoweredchurch Wec Discussion
CVE-2011-1722
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.
The vulnerability exists due to insufficient sanitization of user-supplied data passed editpost.php script. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in the back-end database.
Successful exploitation may allow an attacker to gain complete control over vulnerable website.
Note: this vulnerability is being actively exploited.
The vulnerability was disclosed by Helmut Hummel.
Matthias Hunstock discovered and reported the issue.
Software: Wec Discussion
Matthias Hunstock discovered and reported the issue.
Remote code execution Adobe Flash Player
CVE-2011-0609
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in authplay.dll component. A remote attacker can create a specially Flash (.swf) file embedded in a Microsoft Excel (.xls) file, trick the victim into opening it, trigger memory corruption, and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was used o target RSA. Two phishing emails with Microsoft Excel document with exploit were sent to two different groups of employees. The document with exploit code was named "2011 Recruitment plan.xls".
Software: Adobe Flash Player
Known/fameous malware:
Exploit:SWF/CVE-2011-0609
Kaspersky Lab products detected the variants as тАЬTrojan-ropper.MSExcel.SWFDropтАЭ.
Links:
http://www.adobe.com/support/security/advisories/apsa11-01.html
http://www.adobe.com/support/security/bulletins/apsb11-06.html
http://www.kb.cert.org/vuls/id/192052
http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html
http://blogs.adobe.com/security/2011/03/background-on-apsa11-01-patch-schedule.html
https://cxsecurity.com/issue/WLB-2011030180
https://vimeo.com/22160459
http://m.2cto.com/Article/201104/87463.html
https://www.cnet.com/forums/discussions/security-advisory-for-adobe-flash-player-reader-acrobat-5204...
http://remove-malware-removal.com/post/How-to-Remove-SWFExploit.CVE-2011-0609.A-Instantly_14_214388....
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASHPLAYER_AVM
https://blogs.rsa.com/anatomy-of-an-attack/
Security bypass in Pivot
CVE-2011-1035
Security bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to an error in the Reset my password feature. A remote attacker can guess the username and modify the victim's password.
Successful exploitation of the vulnerability may result in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by Hans F. Nordhaug.
Software: PivotX
Information disclosure in MHTML in Microsoft Windows
CVE-2011-0096
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.The vulnerability exists due to insufficient sanitization of user-input passed via MIME-formatted requests for content blocks within a document. A remote attacker can trick the victim to follow a specially crafted "MHTML:" link and execute arbitrary HTML and script code in userтАЩs browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
The vulnerability was originally disclosed on the WooYun website.
Software: Windows
Known/fameous malware:
exploit:win32/cve-2011-0096 trojan horse.
Links:
https://technet.microsoft.com/library/security/ms11-026
https://blogs.technet.microsoft.com/srd/2011/01/28/more-information-about-the-mhtml-script-injection...
https://blogs.technet.microsoft.com/msrc/2011/01/28/microsoft-releases-security-advisory-2501696/
http://blog.qisupport.com/exploitwin32cve-2011-0096-trojan-virus-how-to-remove/
https://www.removemalwaretip.com/windows-8/clear-exploitwin32cve-2011-0096-trojan-from-your-windows-...
http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=62646
https://blog.qualys.com/laws-of-vulnerabilities/2011/01/27/microsoft-advisory-on-client-side-xss-250...
https://blogs.forcepoint.com/security-labs/month-threat-webscape-march-2011
Remote code execution in Microsoft Internet Explorer
CVE-2011-1345
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling onPropertyChange function calls. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was firstly disclosed by VUPEN in January 22, 2011.
This issue was disclosed as part of the Pwn2Own 2011 contest.
Using this vulnerability Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) running Internet Explorer 8 to win CanSecWest hacker challenge ($15,000 cash prize and a new Windows laptop) in March 9-11 in Vancouver, British Columbia.
The issue has been introduced in 03/05/2008.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit:JS/CVE-2011-1345.
This issue was disclosed as part of the Pwn2Own 2011 contest.
Using this vulnerability Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) running Internet Explorer 8 to win CanSecWest hacker challenge ($15,000 cash prize and a new Windows laptop) in March 9-11 in Vancouver, British Columbia.
The issue has been introduced in 03/05/2008.
Links:
https://technet.microsoft.com/en-us/library/security/ms11-018
http://www.computerworld.com/article/2506697/cybercrime-hacking/safari--ie-hacked-first-at-pwn2own.h...
https://twitter.com/aaronportnoy/statuses/45642180118855680
http://www.zdnet.com/article/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/
https://archive.cert.uni-stuttgart.de/bugtraq/2011/04/msg00159.html
https://packetstormsecurity.com/files/100469/Microsoft-Internet-Explorer-Property-Change-Memory-Corr...
Remote code execution in Microsoft Internet Explorer
CVE-2010-3971
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when parsing CSS styles. A remote attacker can create a specially crafted web page containing Cascading Style Sheet that refers to itself recursively, cause memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability appears to be connected to the group of Chinese hackers responsible for unleashing a pair of Java zero-day exploits in 2012. After examining of the geographical location of the targets for CVE-2010-3971, these attack attempts bear a close resemblance to those targeting CVE-2010-3962, another Internet Explorer issue that was dubbed as the Weekend Warrior.
Software: Microsoft Internet Explorer
Known/fameous malware:
Virus HTML:CVE-2010-3971-A
Links:
https://technet.microsoft.com/library/security/2488013
https://technet.microsoft.com/library/security/ms11-003
https://blogs.technet.microsoft.com/srd/2011/01/07/assessing-the-risk-of-public-issues-currently-bei...
https://blogs.technet.microsoft.com/msrc/2010/12/22/microsoft-releases-security-advisory-2488013/
https://blogs.technet.microsoft.com/mmpc/2011/02/08/cve-2010-3971-not-quite-the-weekend-warrior/
https://krebsonsecurity.com/2012/10/in-a-zero-day-world-its-active-attacks-that-matter/#more-16949
Privilege escalation in Windows Task Scheduler
CVE-2010-3338
Privilege escalation
The vulnerability allows a local user obtain elevated privileges on vulnerable system.
The vulnerability exists in Windows Task Scheduler when running scheduled tasks within the intended security context. A local user can create a specially crafted task and execute arbitrary code on vulnerable system with privileges of the local system account.
Successful exploitation of this vulnerability may allow a local user to obtain full access to vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was used by Stuxnet.
Software: Windows
Known/fameous malware:
W32.Stuxnet TDL-4 rootkit (TDSS) Trojan.Generic.KDV.128306
Links:
https://technet.microsoft.com/library/security/ms10-092
http://news.softpedia.com/news/Fake-YouTube-Pages-Serve-Trojan-via-Malicious-Java-Applets-186033.sht...
https://securelist.com/analysis/monthly-malware-statistics/36338/monthly-malware-statistics-december...
https://hotforsecurity.bitdefender.com/blog/java-badware-posing-as-youtube-plugin-1025.html
Directory traversal in nBill
CVE-2010-4270
Directory traversal
The vulnerability allows a remote attacker to view contents of arbitrary files on the server.The vulnerability exists due to insufficient filtration of user-supplied input in "/administrator/components/com_nbill/admin.nbill.php" and "/components/com_nbill/nbill.php" scripts. A remote attacker can send specially crafted HTTP request, containing directory traversal sequences (e.g. тАЬ../тАЭ) and view contents of arbitrary file on vulnerable server.
Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to potentially sensitive information.
Note: this vulnerability is being actively exploited against Joomla! installations.
Software: nBill
Two remote code execution vulnerabilities in JustSystems Ichitaro
CVE-2010-3916
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to unknown error when handling specially crafted office documents. A remote attacker can create a specially crafted document, trick the victim into opening it, cause unspecified error and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
According to Trend Micro, a pair of vulnerabilities of the code execution type namely CVE-2010-3916 and CVE-2010-3915 was uncovered during September 2010 as 0-day flaws.
Software: Ichitaro
Known/fameous malware:
Trojan.Tarodrop.
Links:
http://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-000053.html
http://jvn.jp/en/jp/JVN01948274/index.html
http://blog.trendmicro.com/trendlabs-security-intelligence/arbitrary-code-execution-vulnerabilities-...
http://www.justsystems.com/jp/info/js10003.html
http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.801642
http://archive.feedblitz.com/174203/~3913467
http://news.softpedia.com/news/Vulnerability-in-Japanese-Word-Processor-Exploited-to-Infected-Comput...
Two remote code execution vulnerabilities in JustSystems Ichitaro
CVE-2010-3915
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling specially crafted office documents. A remote attacker can create a specially crafted document, trick the victim into opening it, cause buffer overflow and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
According to Trend Micro, a pair of vulnerabilities of the code execution type namely CVE-2010-3916 and CVE-2010-3915 was uncovered during September 2010 as 0-day flaws.
Software: Ichitaro
Known/fameous malware:
TROJ_DROPPER.QVA
Links:
http://www.justsystems.com/jp/info/js10003.html
http://blog.trendmicro.com/trendlabs-security-intelligence/arbitrary-code-execution-vulnerabilities-...
https://www.symantec.com/connect/blogs/new-ichitaro-vulnerability-confirmed
http://www.spamfighter.com/News-15406-Vulnerabilities-in-Ichitaro-Word-Processor-Abused.htm
http://news.softpedia.com/news/Vulnerability-in-Japanese-Word-Processor-Exploited-to-Infected-Comput...
Use-after-free when parsing CSS in Internet Explorer
CVE-2010-3962
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when processing CSS token sequences and the clip attribute. A remote attacker can create a specially crafted HTML page, trick the victim into visiting it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability refers to cyberattacks, linked to the Nobel Peace Prize ceremony and G20-related malicious spam campaign reported in October 2010.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit: Win32/CVE-2010-3962.A.
Links:
https://technet.microsoft.com/library/security/ms10-090 https://technet.microsoft.com/library/security/2458511
https://blogs.technet.microsoft.com/msrc/2010/11/02/microsoft-releases-security-advisory-2458511/
https://blogs.technet.microsoft.com/srd/2010/11/03/dep-emet-protect-against-attacks-on-the-latest-in...
https://www.symantec.com/security_response/writeup.jsp?docid=2010-110314-3703-99
https://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/79/cve20103962-yet-another-zeroday...
https://www.zscaler.com/blogs/research/obfuscated-exploits-continue-target-cve-2010-0806-and-cve-201...
http://security.bkav.com/home/-/blogs/new-ie-zero-day-vulnerability-cve-2010-3962-/normal
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=301764
https://blogs.technet.microsoft.com/mmpc/2010/12/09/cve-2010-3962-the-weekend-warrior/
https://www.malwaredomainlist.com/forums/index.php?topic=4399.0
http://global.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.11_Eng.pdf
Remote code execution in Adobe Flash Player
CVE-2010-3654
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary when processing .swf files in Adobe Flash Player. A remote attacker can create a specially crafted. swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited via specially crafted .pdf files.
The vulnerability has been exploited during Sykipot campaigns and Luckycat attacks.
Software: Adobe Flash Player
Links:
http://www.adobe.com/support/security/advisories/apsa10-05.htm
http://www.adobe.com/support/security/bulletins/apsb10-28.html
http://www.adobe.com/support/security/bulletins/apsb10-26.html?sdid=XKMMHJ2P
http://contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html
https://www.google.com.ua/url?sa=t&rct=j&q=&esrc=s&source=web&cd=19&cad=rja&...
https://blogs.technet.microsoft.com/mmpc/2010/11/16/explore-the-cve-2010-3654-matryoshka/
http://www.eweek.com/c/a/Security/Adobe-Flash-Vulnerability-Advisory-Appears-Alongside-Shockwave-Pat...
http://blog.shavlik.com/new-version-of-adobe-flash-available/
https://blogs.forcepoint.com/security-labs/adobe-flash-player-adobe-reader-and-acrobat-0-day-cve-201...
http://www.rationallyparanoid.com/articles/consistently-vulnerable-systems.html
http://www.pctools.com/security-news/adobe-flash-0day-vulnerability/
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_FLASHPLAYER_BUTTON
Remote code execution in Mozilla Firefox
CVE-2010-3765
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error within nsCSSFrameConstructor::ContentAppended. A remote attacker can create a specially crafted web page containing specially crafted document.write and appendChild calls, cause heap-based buffer overflow and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was reported by Morten Kr├еkvik of Telenor SOC (a Norwegian security vendor). The Nobel Peace Prize website was serving on October 25, 2010 a zero-day exploit against Firefox users. When people accessed the Nobel Peace Prize site they were diverted onto an attack server located in Taiwan which delivered a JavaScript exploit.
Software: Mozilla Firefox
Known/fameous malware:
Exploit: Belmoo Trojan.
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2010-73/
http://kodu.ut.ee/~mroos/turve/2010/referaadid/atr_ik.pdf
https://krebsonsecurity.com/2010/10/nobel-peace-prize-site-serves-firefox-0day/ https://blog.mozilla.org/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/
https://lists.fedoraproject.org/pipermail/package-announce/2010-October/050061.html
http://blog.shavlik.com/patch-tuesday-meet-patch-thursday/
http://www.spamfighter.com/News-15349-Mozilla-Patches-Critical-0-Day-Flaw-Inside-Firefox-Within-48-H...
http://kodu.ut.ee/~mroos/turve/2010/referaadid/atr_ik.pdf
Multiple vulnerabilities in Adobe Shockwave Player
CVE-2010-3653
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing Adobe Director file with a specific value in an "rcsL" field causing an array-indexing error. A remote attacker can create a specially crafted Adobe Director file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Shockwave Player
Known/fameous malware:
Win32/Exploit.CVE-2010-3653.A
Links:
http://www.adobe.com/support/security/advisories/apsa10-04.html
http://www.adobe.com/support/security/bulletins/apsb10-25.html
https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2010/av10-047-eng.aspx
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24011
https://threatpost.com/attack-code-published-adobe-shockwave-zero-day-102110/74599/
Multiple privilege escalation vulnerabilities in Win32k.sys in Microsoft Windows
CVE-2010-2743
Improper validation of array index
The vulnerability allows a local user to execute arbitrary code with elevated privileges.
The vulnerability exists due to an error in Win32k.sys driver when handling keyboard layouts as the Windows kernel fails to validate that an array index is within the bounds of the array. A local user can load a specially crafted keyboard layout and execute arbitrary code on the target system with privileges of SYSTEM account.
Successful exploitation of this vulnerability may allow an attacker to escalate privileges on vulnerable system.
Note: this vulnerability is being actively exploited by Stuxnet.The vulnerability was discovered by Sergey Golovanov from Kaspersky Lab. The vulnerability was exploited by Stuxnet.
Software: Windows
Known/fameous malware:
W32.Stuxnet
Links:
https://technet.microsoft.com/en-us/library/security/ms10-073.aspx
https://blogs.technet.microsoft.com/srd/2010/10/12/assessing-the-risk-of-the-october-security-update...
https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-the-recent-windows-zero-day-escalation-of-...
http://news.softpedia.com/news/Microsoft-Patches-One-of-Two-Stuxnet-EoP-Vulnerabilities-160840.shtml
http://link.springer.com/chapter/10.1007%2F978-3-642-35211-9_81#page-1
http://www.welivesecurity.com/2010/10/15/win32k-sys-about-the-patched-stuxnet-exploit/
https://www.beyondtrust.com/blog/microsoft-patch-tuesday-october-2010/
http://www.welivesecurity.com/2010/10/15/win32k-sys-about-the-patched-stuxnet-exploit/
http://www.welivesecurity.com/2010/10/15/stuxnet-paper-revision/
Information disclosure in ASP.NET
CVE-2010-3332
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to improper handling of errors during encryption padding verification. A remote attacker can gain access to potentially sensitive encrypted information, such as view state, read files and possibly forge cookies.
Successful exploitation of the vulnerability may allow an attacker to gain access to sensitive information and potentially compromise vulnerable web application.
Note: this vulnerability is being publicly exploited.
Software: Microsoft .NET Framework
Links:
https://technet.microsoft.com/library/security/2416728
https://technet.microsoft.com/library/security/ms10-070
https://blogs.technet.microsoft.com/srd/2010/09/17/understanding-the-asp-net-vulnerability/
https://weblogs.asp.net/scottgu/important-asp-net-security-vulnerability
http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-secur...
https://trustfoundry.net/exploiting-net-padding-oracle-attack-ms10-070-cve-2010-3332-and-bypassing-m...
Remote code execution in Print Spooler service in Microsoft Windows
CVE-2010-2729
Improper access control
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to Windows Print Spooler service does not correctly restricts access permissions to create files for anonymous users. A remote attacker can send specially crafted RPC request to vulnerable service and upload malicious file to arbitrary location on the system.
This is a remote code execution vulnerability on Windows XP, since the guest account is enabled by default. On other operating systems this is a privilege escalation vulnerability, as only authenticated users have access to Print Spooler shares.
Successful exploitation of the vulnerability may result in remote code execution.
Note: this vulnerability is being actively exploited.
Two more CVEs refer to this vulnerability as well: CVE-2010-3888 and CVE-2010-3889. However since the vendor has issued advisory with different CVE number, we will use the one issued by Microsoft.
The vulnerability has been exploited in тАЬprint-bombтАЭ attack as Stuxnet worm.
Software: Windows
The vulnerability has been exploited in тАЬprint-bombтАЭ attack as Stuxnet worm.
Links:
https://technet.microsoft.com/en-us/library/security/ms10-061.aspx
https://securelist.com/analysis/kaspersky-security-bulletin/36345/kaspersky-security-bulletin-2010-s...
https://eatitorwearit.wordpress.com/tag/internal-attack/
https://svn.nmap.org/nmap-exp/sophron/nse-support/scripts/smb-vuln-ms10-061.nse
https://securelist.com/blog/incidents/29747/myrtus-and-guava-episode-ms10-061/ https://www.virusbulletin.com/conference/vb2010/abstracts/indepth-look-stuxnet
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23897
http://seclists.org/metasploit/2010/q3/385
http://link.springer.com/chapter/10.1007%2F978-3-642-35211-9_81#page-1
https://securingtomorrow.mcafee.com/mcafee-labs/stuxnet-update/
http://www.enigmasoftware.com/w32printlove-removal/
http://researchcenter.paloaltonetworks.com/2010/10/stuxnet-scada-malware/
Multiple vulnerabilities in Adobe Reader and Acrobat
CVE-2010-2884
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing malicious SWF files. A remote attacker can create a specially crafted .swf document, trick the victim into opening it, cause memory corruption and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Was used to compromise Amnesty Hong Kong website. The vulnerability in Adobe Flash Player was patched on September, 20 in Adobe Reader and Acrobat on October, 5. The vulnerability was disclosed by Mila Parkour.
Software: Adobe Flash Player
Known/fameous malware:
The exploit:swf/cve-2010-2884.c
Links:
http://www.adobe.com/support/security/advisories/apsa10-03.html
http://www.adobe.com/support/security/bulletins/apsb10-22.html
http://www.adobe.com/support/security/bulletins/apsb10-21.html
https://www.nartv.org/2010/11/12/nobel-peace-prize-amnesty-hk-and-malware/
https://blogs.forcepoint.com/security-labs/second-adobe-0-day-vulnerability-just-one-week-cve-2010-2...
https://security.googleblog.com/2010/09/stay-safe-while-browsing.html
http://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_flash_player_unspecified_code_exe...
http://news.softpedia.com/news/Actively-Exploited-Flash-Player-Vulnerability-Patched-in-Chrome-15696...
http://news.softpedia.com/news/Flash-Zero-Day-Actively-Exploited-in-the-Wild-156238.shtml
Privilege escalation in Linux kernel
CVE-2010-3081
Privilege escalation
The vulnerability allows a local user to escalate privileges.The vulnerability exists due to improper allocation of userspace memory required for the 32-bit compatibility layer within compat_alloc_user_space() function in include/asm/compat.h file on on 64-bit platforms. A local user can call compat_mc_getsockopt() function and gain control over vulnerable system.
Successful exploitation of the vulnerability allows a local non-privileged user to gain root privileges.
Based on the sophisticated and fully functional exploits this vulnerability was exploited in the wild for quite some time before the patch was issued.
Software: Linux kernel
Known/fameous malware:
Linux/Exploit.CVE-2010-3081.B
Links:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c41d68a513c71e35a14f66d717...
https://access.redhat.com/articles/40258
https://blogs.oracle.com/ksplice/entry/anatomy_of_an_exploit_cve
http://ryanuber.com/09-25-2010/cve-2010-3081.html
https://blog.nelhage.com/2010/11/exploiting-cve-2010-3081/
http://www.thushanfernando.com/index.php/2010/09/20/cve-2010-3081-64bit-linux-kernel-root-exploit/
https://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-3081.html
https://www.dshield.org/diary/CVE-2010-3081%2Bkernel%3A%2B64-bit%2BCompatibility%2BMode%2BStack%2BPo...
http://www.kdawebservices.com/blog/2010/09/linux-vulnerability-cve-2010-3081-local-but-serious//cve20103081_see_whether_youve_been_hacked_and/
https://xorl.wordpress.com/2010/10/06/cve-2010-3081-cve-2010-3301-linux-kernel-compat-privilege-esca...
http://www.thehostingnews.com/ksplice-launches-free-security-tool-for-high-profile-cve-2010-3081-lin...
https://www.mnxsolutions.com/security/ksplice-provides-patch-for-linux-kernel-exploit-cve-2010-3081....
http://www.pcworld.com/article/205867/linux_kernel_exploit_gives_hackers_a_back_door.html
https://linux.slashdot.org/story/10/09/20/0217204/linux-kernel-exploit-busily-rooting-64-bit-machine...
Remote code execution in Adobe Reader
CVE-2010-2883
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling specially crafted fonts within PDF document. A remote attacker can create a specially crafted PDF document, trick the victim into opening it, cause stack-based buffer overflow and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
According to Symantec the first exploitation of the vulnerability was detected on 2008-12-14.
Software: Adobe Reader
Known/fameous malware:
Exploit:Win32/CVE-2010-2883.A
Trojan horse Exploit_c.JLU (AVG)
Exploit.PDF.1533 (Dr.Web)
Exploit.PDF-JS.Gen(Sunbelt Software)
Bloodhound.Exploit.357 (Symantec).
Links:
http://www.adobe.com/support/security/bulletins/apsb10-21.html
http://www.adobe.com/support/security/advisories/apsa10-02.html
https://blogs.forcepoint.com/security-labs/adobe-reader-0-day-vulnerability-cve-2010-2883
/Adobe+SING+table+parsing+exploit+CVE20102883+in+the+wild/9541/
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23889
https://pentestn00b.wordpress.com/2010/09/15/new-adobe-0day-cve-2010-2883/
http://developers-club.com/posts/104137/
https://nakedsecurity.sophos.com/2010/09/08/adobe-advises-reader-acrobat-vulnerability/
https://forum.kaspersky.com/index.php?showtopic=184980
https://quequero.org/2014/09/pdf-analysis-of-nuclear-pack-ek-and-cve-2010-0188-cve-2013-2883/
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Two vulnerabilities in Adobe Reader and Acrobat
CVE-2010-2862
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to integer overflow in CoolType.dll when processing TrueType fonts with a large maxCompositePoints value in a Maximum Profile (maxp) table within PDF files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was presented by the researcher Charlie Miller at the Black Hat USA 2010 security conference on July, 25 in Las Vegas.
Adobe credits Google security engineer Tavis Ormandy with its discovery. Apparently this is one of the relatively rare cases where two security researchers discover the same vulnerability independently of each other. In this case Mr. Ormandy reported it to Adobe first and in private.
According to Symantec the first exploitation of the vulnerability was discovered on 2009-03-05.
Software: Adobe Reader
Known/fameous malware:
Exploit: Boodhound.Exploit.353
Adobe credits Google security engineer Tavis Ormandy with its discovery. Apparently this is one of the relatively rare cases where two security researchers discover the same vulnerability independently of each other. In this case Mr. Ormandy reported it to Adobe first and in private.
According to Symantec the first exploitation of the vulnerability was discovered on 2009-03-05.
Links:
http://www.adobe.com/support/security/bulletins/apsb10-17.html
https://threatpost.com/demo-cve-2010-2862-adobe-reader-flaw-exploit-090210/74418/
http://www.zdnet.com/article/adobe-confirms-pdf-security-hole-in-reader/
https://www.suse.com/fr-fr/security/cve/CVE-2010-2862
https://www.cnet.com/forums/discussions/out-of-band-security-updates-for-adobe-reader-and-acrobat-40...
http://news.softpedia.com/news/Out-of-Band-Critical-Security-Updates-for-Reader-and-Acrobat-Released...
http://www.itprofessionalservices.net/ARPatch1017.shtml
http://securitygarden.blogspot.com/2010/08/adobe-reader-and-acrobat-critical.html
ttp://www.zdnet.com/article/adobe-readies-emergency-fix-for-critical-pdf-reader-security-hole/
https://www.youtube.com/watch?v=4OL8Kwz5b6Y
http://blog.shavlik.com/new-adobe-security-advisory-released/
https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2010/av10-033-eng.aspx
http://beqiraj.de/post/Adobe-Reader-and-Acrobat-8-2-4-update-available
http://www.planetpdf.com/enterprise/article.asp?ContentID=Adobe_releases_patch_for_Reader_and_Acroba...
http://www.bleepingcomputer.com/forums/t/340741/adobe-reader-out-of-band-security-updates-on-august-...
http://www.itproportal.com/2010/08/06/adobe-prepares-patch-zero-day-pdf-flaw/
http://www.theregister.co.uk/2010/08/05/emergency_adobe_reader_patch/
http://www.pcworld.com/article/203692/patch_critical_security_flaws_in_adobe_reader_and_acrobat.html
https://community.landesk.com/docs/DOC-14222
http://windowssecrets.com/forums/showthread.php/131549-Patch-Watch-update-Critical-Adobe-Reader-patc...
http://www.divinge.com/news/Adobe-readies-emergency-fix-for-critical-PDF-Reader-security-hole/
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Hardcoded credentials in Siemens SIMATIC WinCC and PSC 7 SCADA systems
CVE-2010-2772
Hardcoded credentials
The vulnerability allows a local user to obtain hardcoded credentials.The vulnerability exists due to usage of hardcoded password to access back-end database. A local user can obtain password and gain unaithorized access SCADA system.
Successful exploitation of the vulnerability may allow an attacker to gain complete control over the industrial process.
Note: this vulnerability is being actively exploited by the Stuxnet malware.
The vulnerabiilty was used by Stuxnet malware together with CVE-2012-3015.
Software: Siemens SIMATIC WinCC
Remote code execution in Microsoft Windows
CVE-2010-2568
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing icons to .lnk and .pif files within Windows Explorer. A remote attacker can create a specially crafted icon file, trick the victim into clicking on it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was used by Stuxnet worm. According to Symantec the first exploitation of the vulnerability was discovered on 2008-02-13.
Software: Windows
Known/fameous malware:
Bloodhound.Exploit.343
W32.Stuxnet
W32.Changeup.C
W32.Ramnit
Links:
https://technet.microsoft.com/library/security/ms10-046
https://technet.microsoft.com/library/security/2286198
https://www.f-secure.com/weblog/archives/00001986.html
https://www.scmagazine.com/lnkexploitcve-2010-2568/article/558054/
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23801
http://www.welivesecurity.com/2010/07/22/a-few-facts-about-win32stuxnet-cve-2010-2568/
http://blogs.quickheal.com/stuxnet-cve-2010-2568-misconceptions-and-facts/
http://www.welivesecurity.com/2010/07/22/a-few-facts-about-win32stuxnet-cve-2010-2568/
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Remote code execution when parsing URLs in Microsoft Windows
CVE-2010-1885
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing URLs within Microsoft Help and Support Center. A remote attacker can create a specially crafted hcp:// URL, trick the victim into clicking on it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was reported to Microsoft on July, 5th by Google security researcher Tavis Ormandy.
The vulnerability was used to compromise Federal Financial Institutions Examination Council via тАЬinform@ffiec.govтАЭ mailbox.
Software: Windows
Known/fameous malware:
Mal/HcpExpl-A
The vulnerability was used to compromise Federal Financial Institutions Examination Council via тАЬinform@ffiec.govтАЭ mailbox.
Links:
https://www.sans.org/newsletters/newsbites/xii/46
https://technet.microsoft.com/library/security/2219475
https://technet.microsoft.com/library/security/ms10-042
https://blogs.technet.microsoft.com/srd/2010/06/10/help-and-support-center-vulnerability-full-disclo...
http://seclists.org/fulldisclosure/2010/Jun/205
http://www.theregister.co.uk/2010/06/10/windows_help_bug/
http://contagiodump.blogspot.com/2010/06/jun-17-win-xp-sp2-sp3-0-day-cve-2010.html
http://journeyintoir.blogspot.com/2010/12/cve-2010-1885-windows-help-center-url.html
https://nakedsecurity.sophos.com/2010/06/15/cve-20101885-exploited-wild/
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=50268
http://blog.talosintel.com/2010/07/increase-in-attacks-on-cve-2010-1885.html
https://www.zscaler.com/blogs/research/help-center-url-validation-vulnerability-cve-2010-1885-campai...
https://www.edgewave.com/spam-filters/cve-2010-1885-subpoena-threat-and-targeted-attack-against-us-c...
Multiple vulnerabilities in Adobe Flash Player
CVE-2010-1297
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, cause heap-based buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability is called "endless zero-day".
The vulnerability was exploited in Taidoor campaign primarily targeting government organizations located in Taiwan.
Software: Adobe Flash Player
Known/fameous malware:
Trojan.Pidief.J
The vulnerability was exploited in Taidoor campaign primarily targeting government organizations located in Taiwan.
Links:
http://www.adobe.com/support/security/advisories/apsa10-01.html
http://www.adobe.com/support/security/bulletins/apsb10-15.html
https://www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader
https://www.symantec.com/connect/blogs/zero-day-attack-wild-adobe-flash-reader-and-acrobat
https://success.trendmicro.com/solution/1055909
https://nakedsecurity.sophos.com/2010/06/08/mitigations-flash-vulnerability-cve20101297/
https://access.redhat.com/security/cve/cve-2010-1297
http://stopmalvertising.com/malware-reports/analysis-of-budget.pdf-exploit.swf.cve-2010-1297.a.html
http://seclists.org/metasploit/2010/q2/416
https://blogs.forcepoint.com/security-labs/adobe-0-day-vulnerability-flash-adobe-reader-and-acrobat-...
https://www.greyhathacker.net/?p=201
http://www.topitvideos.com/adobe-cve-2010-1297-pdf-exploit-demonstation/
http://developers-club.com/posts/96879/
https://blogs.forcepoint.com/security-labs/month-threat-webscape-june-2010
http://calhoun.nps.edu/bitstream/handle/10945/5016/10Dec_Post.pdf?sequence=1
http://www.pandasecurity.com/mediacenter/security/cloud-av-free-blocks-adobe-0-day/
Remote code execution in JustSystems Ichitaro
CVE-2010-2152
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling specially crafted characters within office documents. A remote attacker can create a specially crafted document, trick the victim into opening it, cause buffer overflow and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Ichitaro
Known/fameous malware:
Trojan.Tarodrop.J
Remote code execution in Java
CVE-2010-0886
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing URL to a Java Networking Launching Protocol (.jnlp) file. A remote attacker can create a specially crafted link, trick the victim into clicking on it and execute arbitrary commands on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy.
The vulnerability was used in Willysy attack. Users who visit the songlyrics.dot.com website were redirected to Russian attack server.
Software: Oracle Java SE
The vulnerability was used in Willysy attack. Users who visit the songlyrics.dot.com website were redirected to Russian attack server.
Links:
https://www.sans.org/newsletters/newsbites/xii/30
http://www.computerworld.com/article/2517237/security0/hackers-exploit-new-java-zero-day-bug.html
http://www.theregister.co.uk/2010/04/15/emergency_java_patch/
http://www.oracle.com/technetwork/java/javase/6u20-142805.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-0886-094541.html
https://www.sans.org/newsletters/newsbites/xii/32
https://access.redhat.com/security/cve/cve-2010-0886
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=50263
http://www.javaworld.com/article/2073334/java--oracle-security-alert-cve-2010-0886.html
https://www.stopthehacker.com/2011/12/01/willysy-injection-attacks/
Multiple XSS vulnerabilities in JIRA
CVE-2010-1164
Stored cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via "element" and "defaultColor" HTTP GET parameters to colorpicker.jsp script. A remote attacker can send a specially crafted HTTP request, containing XSS exploit and permanently store arbitrary HTML and script code. The code will be executed in victimтАЩs browser in context of vulnerable website every time the victim visits vulnerable interface.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive data.
The XSS vulnerability CVE-2010-1164 was used along with privileges escalation vulnerability CVE-2010-1165 to compromise JIRA instances. Apache.org services were taken down due to these vulnerabilities.
Software: Jira Software
Multiple XSS vulnerabilities in JIRA
CVE-2010-1165
Improper access control
The vulnerability allows a remote authenticated JIRA administrator to escalate his privileges.
The vulnerability exists due to an error, which allows a remote authenticated JIRA administrator to set the attachment path to a location within the JIRA web application directory and upload malicious code that can execute in the context of the user running the application server in which JIRA is deployed.
Successful exploitation of the vulnerability may allow an attacker to modify JIRA's files and capture user credentials.
The XSS vulnerability CVE-2010-1164 was used along with privileges escalation vulnerability CVE-2010-1165 to compromise JIRA instances. Apache.org services were taken down due to these vulnerabilities.
Software: Jira Software
Buffer overflow in MPEG layer-3 codecs in Microsoft Windows
CVE-2010-0480
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to multiple boundary errors within Microsoft MPEG Layer-3 codecs when parsing AVI files. A remote unauthenticated attacker can create a specially crafted AVI file, trick the victim into opening it, trigger stack-based buffer overflow and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: the vulnerability was being actively exploited.
According to Symantec the first exploitation of the vulnerability was discovered on 26.03.2010.
Software: Windows
Known/fameous malware:
Bloodhound.Exploit.324
Links:
https://technet.microsoft.com/en-us/library/security/ms10-026.aspx
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24330
https://www.youtube.com/watch?v=aDhAAF19KUo
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/1901/microsoft-mpeg-layer3-audi...
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
Multiple vulnerabilities in Adobe Reader and Acrobat
CVE-2010-1241
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in the custom heap management system in Adobe Reader and Acrobat. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
According to Symantec the first exploitation of the vulnerability was discovered on 2008-11-29.
Software: Adobe Reader
Known/fameous malware:
Bloodhound.Exploit.293
Remote code execution in JustSystems Ichitaro
CVE-2010-1424
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling specially crafted font files. A remote attacker can create a specially crafted document, trick the victim into opening it, cause buffer overflow and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Ichitaro
Multiple vulnerabilities in Microsoft SharePoint
CVE-2010-0817
Cross-site scripting
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability exists due to insufficient sanitization of user-supplied input data passed to Help.aspx script. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in victimтАЩs browser in context of vulnerable SharePoint website.
Successful exploitation may allow an attacker to conduct phishing and drive-by-download attacks.
Note: this vulnerability is being publicly exploited.
Software: Microsoft SharePoint Server
Known/fameous malware:
Exploit: Win32/CVE-2010-0817
Remote code execution in Microsoft Internet Explorer
CVE-2010-0806
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error in the Peer Objects component within iepeers.dll library. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability is declared as functional and was handled as a non-public zero-day exploit for at least 3274 days. The story of CVE-2010-0806 bears a certain similarity to the developments in the case of the targeted 'Aurora' attack where the exploit techniques were quickly adopted by the authors of web exploit kits for the use in massive web attacks. The country that suffered a huge loss by malware in April 2010 was China, with 22% of malware attacks. It was followed by Russia (17%), USA (10%), India (4%) and Germany (4%).
Software: Microsoft Internet Explorer
Known/fameous malware:
Some of the variants: Trojan:Win32/Wisp, TrojanDropper:Win32/Lisiu, TrojanDropper:Win32/Agent.gen!I, TrojanDownloader:Win32/Small.gen!AZ, Backdoor:Win32/Agent.FS, TrojanDropper:Win32/Frethog.
Links:
https://blogs.technet.microsoft.com/msrc/2010/03/09/security-advisory-981374-released/
https://blogs.technet.microsoft.com/mmpc/2010/03/30/active-exploitation-of-cve-2010-0806/
http://blog.trendmicro.com/trendlabs-security-intelligence/new-ie-zero-day-exploit-cve-2010-0806/
https://www.zscaler.com/blogs/research/cve-2010-0806-exploit-wild
https://securingtomorrow.mcafee.com/mcafee-labs/targeted-internet-explorer-0day-attack-announced-cve...
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/MS10_018_IE_BEHAVIORS
http://techblog.omidfarhang.com/en-us/2010/04/09/singers-exploit-kit-version-cve-2010-0806/
https://blog.c22.cc/tag/cve-2010-0806/
http://www.spamfighter.com/News-14383-Kido-Still-Manages-to-be-the-Leading-Malware-Producer-in-April...
Integer overflow in Microsoft Paint
CVE-2010-0028
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
he vulnerability exists due to integer overflow when processing JPEG files using Microsoft Paint. A remote attacker can create a specially crafted JPEG file, trick the victim into opening it using Microsoft Pain application, trigger integer overflow and execute arbitrary code on the target system with privileges of the current user.Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.The first attack using exploit for this vulnerability was detected in October 14, 2008 by Symantec. The attackers targeted 102 hosts using 127 malware variants.
Software: Paint
Known/fameous malware:
Bloodhound.Exploit.314
Remote code execution in Microsoft Internet Explorer
CVE-2010-0249
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error in Microsoft Internet Explorer. A remote attacker can execute arbitrary code by accessing a pointer associated with a deleted object.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Aurora exploit was used in targeted attacks ("Aurora") on Google and other U.S. companies, and which Google claims originated in China. Source code was stolen from some of the more than 30 Silicon Valley companies targeted in the attack.
Software: Microsoft Internet Explorer
Links:
https://blogs.technet.microsoft.com/msrc/2010/01/14/security-advisory-979352-released/
https://technet.microsoft.com/library/security/979352
https://technet.microsoft.com/en-us/library/security/ms10-002.aspx
http://www.computerworld.com/article/2522723/government-it/microsoft-to-patch-bug-used-in-google-hac...
http://www.theregister.co.uk/2010/01/15/ie_zero_day_exploit_goes_wild/
https://www.cnet.com/news/new-ie-hole-exploited-in-attacks-on-u-s-firms/
https://www.zscaler.com/blogs/research/ie-0-day-govcn
https://www.nsslabs.com/blog/protecting-vulnerability-cve-2010-0249/
https://www.zscaler.com/blogs/research/aurora-exploit-still-floating
http://www.geoffchappell.com/notes/security/aurora/
https://googleblog.blogspot.com/2010/01/new-approach-to-china.html
http://indiatoday.intoday.in/story/Chinese+hackers+target+PMO/1/79215.html
https://www.wired.com/2010/01/operation-aurora/
http://developers-club.com/posts/81142/
https://blog.fortinet.com/2010/01/21/ms10-002-get-it-while-it-s-hot
Multiple vulnerabilities in Adobe Reader and Adobe Acrobat
CVE-2009-3953
Improper validation of array index
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to array indexing error in U3D support. A remote attacker can create a specially crafted .pdf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was used in spear-phishing attacks in December, 2009.
Software: Adobe Reader
Remote code execution in Adobe Acrobat and Adobe Reader
CVE-2009-4324
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in the Doc.media.newPlayer method in Multimedia.api. A remote attacker can create a specially crafted .pdf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Adobe Reader
Known/fameous malware:
Trojan.Pidief.H
Links:
http://www.adobe.com/support/security/advisories/apsa09-07.html
http://www.adobe.com/support/security/bulletins/apsb10-02.html
https://www.symantec.com/connect/blogs/zero-day-xmas-present
https://www.symantec.com/security_response/writeup.jsp?docid=2009-121511-4614-99
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214
http://contagiodump.blogspot.com/2009/12/virustotal-httpwww.html
http://blogs.adobe.com/psirt/?p=74
https://isc.sans.edu/diary/Sophisticated%2C+targeted+malicious+PDF+documents+exploiting+CVE-2009-432...
http://www.welivesecurity.com/2010/01/04/adobe-javascript-and-the-cve-2009-4324-exploit/http://temer...
http://www.bitdefender.com/news/critical-zero-day-exploits-hit-internet-explorer-and-adobe-reader-12...
https://www.decalage.info/exefilter_pdf_exploits
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-vulnerability-again/
Two remote code execution vulnerabilities in Microsoft Windows
CVE-2009-0555
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when processing malformed Advanced Systems Format (ASF) files. A remote attacker can create a specially crafted audio file that uses the Windows Media Speech code, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows Media Format Runtime
Multiple vulnerabilities in Microsoft Windows
CVE-2009-3126
Integer Overflow or Wraparound
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to integer overflow in GDI+ when handling PNG image file. A remote attacker can create a specially crafted PNG image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.
According to Symantec the first exploitation of the vulnerability was discovered on 2009-01-27.
Software: Windows
Known/fameous malware:
Bloodhound.Exploit.278.
Links:
https://technet.microsoft.com/en-us/library/security/ms09-062.aspx
https://nakedsecurity.sophos.com/2009/10/14/microsoft-adobes-october-2009-security-updates/
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://www.symantec.com/security_response/writeup.jsp?docid=2009-101906-3351-99
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Multiple vulnerabilities in Microsoft Windows
CVE-2009-2501
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to heap-based buffer overflow in GDI+ when handling PNG image file. A remote attacker can create a specially crafted PNG image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
According to Symantec the first exploitation of the vulnerability was discovered on 2009-01-07.
Software: Windows
Known/fameous malware:
Bloodhoud.Exploit.277
Links:
http://www.its.ms.gov/Services/SecurityAlerts/2009-10-14-multiple_vulnerabilities_in_gdi_could_allow...
https://technet.microsoft.com/en-us/library/security/ms09-062.aspx
https://nakedsecurity.sophos.com/2009/10/14/microsoft-adobes-october-2009-security-updates/
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Remote code execution in Adobe Acrobat and Adobe Reader
CVE-2009-3459
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to heap-based buffer overflow when processing a malformed PDF file. A remote attacker can create a specially crafted .pdf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Software: Adobe Reader
Known/fameous malware:
PDF/Exploit.CVE-2009-3459.A
Links:
http://www.adobe.com/support/security/bulletins/apsb09-15.html
https://isc.sans.edu/diary/New+Adobe+Vulnerability+Exploited+in+Targeted+Attacks/7300
http://www.enigmasoftware.com/adobe-reader-vulnerability-cve-2009-3459-allows-hackers-insert-backdoo...
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLATEDECODE_PREDICTOR02
http://temerc.com/forums/viewtopic.php?t=7821
http://www.rationallyparanoid.com/articles/emet-testing.html
https://media.blackhat.com/bh-eu-10/presentations/Li_Lovet/BlackHat-EU-2010-Li-Lovet-Adobe-Heap-slid...
https://blog.didierstevens.com/2009/10/13/update-pdfid-version-0-0-9-to-detect-another-adobe-0day/
http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-exploit/
https://blog.fortinet.com/2009/10/19/on-the-recent-pdf-exploit
Two vulnerabilities in Microsoft IIS FTP server
CVE-2009-3023
Stack-based buffer overflow
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in FTP server. A remote authenticated attacker can send a specially crafted FTP NLST command containing a wildcard that references a subdirectory, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The issue has been introduced in 06/02/1998. The weakness was publicly disclosed on August 31, 2009 by Kingcope. The vulnerability was handled as a non-public zero-day exploit.
Software: Microsoft IIS
Denial of service in Microsoft .NET Framework
CVE-2009-1536
Denial of service
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to incorrect managing of request scheduling by ASP.NET. By sending multiple HTTP requests, a remote attacker can trigger the Web server to crash.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft .NET Framework
Improper access control in SPIP
CVE-2009-3041
Improper access control
The vulnerability allows a remote attacker to gain access to the target system.The weakness exists due to improper access control related to installations and backups. A remote attacker can bypass implemented security control and compromise vulnerable website.
Successful exploitation of the vulnerability results in access to the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by vendor after successful compromise of vendor's website. The attackers hacked the website and were spreading malware.
Software: SPIP
Remote denial of service in ISC BIND
CVE-2009-0696
Assertion failure
The vulnerability allows a remote attacker to perform denial of service attack.The vulnerability exists due to assertion failure in dns_db_findrdataset() function within db.c when named is configured as a master server. A remote unauthenticated attacker can send an ANY record in the prerequisite section of a crafted dynamic update message and trigger assertion failure and daemon exit.
Successful exploitation of this vulnerability may allow an attacker to perform denial of service (DoS) attack.
Note: this vulnerability is being actively exploited.
Software: ISC BIND
Remote code execution in Microsoft Windows
CVE-2009-2493
Improper initialization
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to improper initialization in the Microsoft Active Template Library (ATL) when handling objects from data streams related to unsafe usage of OleLoadFromStream() function. A remote attacker can create a specially crafted Web site that instantiates a vulnerable component or control using the IE browser, trick the victim into viewing it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Active Template Library
Links:
https://technet.microsoft.com/library/security/973882
http://www.adobe.com/support/security/advisories/apsa09-04.html
https://technet.microsoft.com/en-us/library/security/ms09-055.aspx
http://www.itsecdb.com/oval/definition/oval/org.mitre.oval/def/6621/ATL-COM-Initialization-Vulnerabi...
http://blogs.adobe.com/psirt/?p=52
Remote code execution in Adobe Flash Player
CVE-2009-1862
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when parsing malformed files. A remote attacker can create a specially .pdf file or .swf file, related to authplay.dll, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Adobe Flash Player
Known/fameous malware:
Trojan.Pidief.G
Troj/SWFExp-M
Troj/SWFExp-N
Links:
http://www.adobe.com/support/security/advisories/apsa09-03.html
http://www.adobe.com/support/security/bulletins/apsb09-10.html
https://www.symantec.com/security_response/writeup.jsp?docid=2009-072209-2512-99
https://www.symantec.com/connect/blogs/next-generation-flash-vulnerability
https://www.cnet.com/news/adobe-investigating-zero-day-bug-in-flash/
https://isc.sans.edu/diary/YA0D+%28Yet+Another+0-Day%29+in+Adobe+Flash+player/6847
http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html
http://www.nobunkum.ru/analytics/en-flash
http://idp.cyberoam.com/signatures/2090727071.html
Remote code execution in Microsoft Office Web Components
CVE-2009-1136
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in Office Web Components ActiveX Control when handling parameter values. A remote attacker can create a specially crafted Web page, trick the victim into viewing it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Office
Links:
https://technet.microsoft.com/library/security/973472
https://isc.sans.edu/diary/Vulnerability+in+Microsoft+Office+Web+Components+Control+Could+Allow+Remo...
https://blogs.technet.microsoft.com/msrc/2009/07/13/microsoft-security-advisory-973472-released/
https://technet.microsoft.com/en-us/library/security/ms09-043.aspx
http://www.zerodayinitiative.com/advisories/ZDI-09-054/
http://www.securiteam.com/cves/2009/CVE-2009-1136.html
http://stateofsecurity.com/wp-content/uploads/2009/07/ExploitRA071409.pdf
Remote code execution in Microsoft Video ActiveX Control
CVE-2008-0015
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in the Microsoft Video ActiveX Control, msvidctl.dll. By persuading a victim to visit a specially crafted Web page, a remote attacker can trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability has been exploited in the wild since June 11, 2009 (as discovered by X-Force) and was touted by the media and by SANS as being exploited in the wild on July 6, 2009.
According to Symantec research first exploitation of the vulnerability was detected on 2008-12-28.
Software: Microsoft Video ActiveX Control
Known/fameous malware:
HTML/CVE-2008-0015
Bloodhoud.Exploit.259
According to Symantec research first exploitation of the vulnerability was detected on 2008-12-28.
Links:
https://technet.microsoft.com/en-us/library/security/972890
https://technet.microsoft.com/en-us/library/security/ms09-032.aspx
https://isc.sans.edu/diary/0-day+in+Microsoft+DirectShow+%28msvidctl.dll%29+used+in+drive-by+attacks...
https://blogs.technet.microsoft.com/srd/2009/08/11/ms09-037-why-we-are-using-cves-already-used-in-ms...
https://www.symantec.com/security_response/writeup.jsp?docid=2009-070605-3347-99
http://www.pandasecurity.com/mediacenter/malware/social-engineering-pdfs-and-banking-trojans/
http://tpmitigation.sourceforge.net/
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Multiple vulnerabilities in Microsoft Excel
CVE-2009-0561
Integer Overflow or Wraparound
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to integer overflow when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed object record, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
According to Symantec the first exploitation of the vulnerability was discovered on 11.01.2009.
Software: Microsoft Excel
Known/fameous malware:
Bloodhound.Exploit.251
Links:
https://technet.microsoft.com/en-us/library/security/ms09-021.aspx
https://www.symantec.com/security_response/writeup.jsp?docid=2009-061802-2317-99&tabid=2
https://www.symantec.com/security_response/writeup.jsp?docid=2009-061802-2317-99
http://telussecuritylabs.com/threats/show/TSL20090609-22
https://www.youtube.com/watch?v=-X51L07fk48
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Multiple vulnerabilities in Microsoft Excel
CVE-2009-1134
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed record pointer, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.
The vulnerability has been exploited over a year and was reported to vendor on 2009-03-26.
According
to Symantec the first exploitation of the vulnerability was discovered on 2008-07-25.
Software: Microsoft Excel
Known/fameous malware:
Bloodhound.Exploit.254.
According to Symantec the first exploitation of the vulnerability was discovered on 2008-07-25.
Links:
https://downloads.avaya.com/css/P8/documents/100062475
http://www.securityfocus.com/archive/1/archive/1/504213/100/0/threaded
https://technet.microsoft.com/en-us/library/security/ms09-021.aspx
https://books.google.com.ua/books?id=1E0SCAAAQBAJ&pg=PA275&lpg=PA275&dq=CVE-2009-1134&source=bl&ots=...
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Multiple priviledge escalation vulnerabilities in Microsoft Windows
CVE-2009-1123
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to improper validation of changes in certain kernel objects. By running a malicious application, a local attacker can submit malformed calls to the Windows Kernel and execute arbitrary code in kernel mode.
Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.
Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.
This vulnerability was used by Equation group in attacks, which involved Fanny malware. The exploit is later added to Stuxnet malware. Initially discovered by Kaspersky Lab in December 2008.
Microsoft bulletin describing 4 vulnerabilities is not clear on which vulnerability was used during the attacks. We are aware of at least two publicly disclosed exploits from this bulletin used by different malware in targeted attacks during Operation Pawn Storm and Turla.
The CVEs covered in this bulletin: CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126. At least one of them has being exploited in the wild before official security patch.
Software: Windows
Known/fameous malware:
Exploit kits: Fanny, Stuxnet, Turla.
Microsoft bulletin describing 4 vulnerabilities is not clear on which vulnerability was used during the attacks. We are aware of at least two publicly disclosed exploits from this bulletin used by different malware in targeted attacks during Operation Pawn Storm and Turla.
The CVEs covered in this bulletin: CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126. At least one of them has being exploited in the wild before official security patch.
Remote code execution in Compress::Raw::Zlib Perl module
CVE-2009-1391
Off-by-one error
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to off-by-one error in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017 when processing specially crafted zlib archives. A remote attacker can pass a specially crafted zlib archive to vulnerable application, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited in the wild against AMaViS and SpamAssassin, which use vulnerable Perl module.
The vulnerability was exploited in the wild against AMaViS and SpamAssassin using email messages with malicious attachments.
Software: Compress::Raw::Zlib
Known/fameous malware:
Win-Trojan/Downloader.32768.QT
TR/Crypt.XPACK.Gen
Trojan.Downloader-71014
Trojan.DownLoad.37569
Trojan-Downloader.Win32.Agent.cdir
TrojanDownloader:Win32/Cbeplay.gen!A
Mal/EncPk-FO
TROJ_CBEPLAY.A
Remote code execution in Microsoft DirectX
CVE-2009-1537
Null byte interaction error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to NULL byte error in DirectX. A remote attacker can create a specially crafted QuickTime media file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft DirectX
Known/fameous malware:
Exploit:JS/Mult.BM
Exploit:Win32/CVE-2009-1537
Links:
https://blogs.technet.microsoft.com/srd/2009/05/28/new-vulnerability-in-quartz-dll-quicktime-parsing...
https://blogs.technet.microsoft.com/msrc/2009/05/28/microsoft-security-advisory-971778-vulnerability...
https://technet.microsoft.com/en-us/library/security/ms09-028.aspx
https://isc.sans.edu/forums/diary/Microsoft+DirectShow+vulnerability/6481/
https://technet.microsoft.com/library/security/971778
https://www.security-database.com/detail.php?alert=CVE-2009-1537
http://www.marketwired.com/press-release/skyrecon-identifies-two-vulnerabilities-in-windows-directsh...
http://doa.alaska.gov/ets/security/S_Advisory/SA2009-028.pdf
https://technet.microsoft.com/library/security/ms09-028
Multiple vulnerabilities in Microsoft Powerpoint
CVE-2009-0556
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling malformed PowerPoint files. A remote attacker can create a specially crafted PowerPoint file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft PowerPoint
Links:
https://technet.microsoft.com/en-us/library/security/ms09-017.aspx
http://www.zerodayinitiative.com/advisories/ZDI-09-019/
http://contagiodump.blogspot.com/2010/07/jul-8-cve-2009-0556-china-and-cheonan.html
https://blog.qualys.com/laws-of-vulnerabilities/2009/05
https://www.lexsi.com/securityhub/1-2-3-patch-day-2/?lang=en
https://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/663/index.html
http://www.welivesecurity.com/2014/10/31/two-recently-patched-adobe-flash-vulnerabilities-now-used-e...
https://www.auscert.org.au/render.html?it=10978
https://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/663/index.html
https://www.symantec.com/connect/blogs/microsoft-patch-tuesday-may-2009
https://blogs.technet.microsoft.com/msrc/2009/05/12/may-2009-bulletin-release/
https://blogs.technet.microsoft.com/srd/2009/05/12/ms09-017-an-out-of-the-ordinary-powerpoint-securi...
Remote code execution in Chinagames IGame ActiveX control
CVE-2009-1800
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in CGAgent ActiveX control (CGAgent.dll). A remote attacker can create a specially crafted Web page that passes an overly long string to the CreateChinagames() method, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited in the wild in April and May 2009.
Software: Igame
Known/fameous malware:
Mdropper.H Trojan
Remote code execution in Baofeng Storm ActiveX control
CVE-2009-1807
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in ActiveX control (Config.dll). A remote attacker can create a specially crafted Web page that passes an overly long string to the SetAttributeValue() method, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The zero-day was exploited in April and May in 2009. It is unclear if vendor has ever issued a patch.
Software: Storm
Remote code execution in Baofeng Storm ActiveX control
CVE-2009-1612
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in Storm ActiveX control (mps.dll)). A remote attacker can create a specially crafted Web page that passes an overly long string to the OnBeforeVideoDownload() method, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited in April and May 2009.
Software: Storm
Known/fameous malware:
The attack using the vulnerability was traced to the far east; specifically, China and Taiwan.
SQL injection in PJHome PJBlog3
CVE-2009-1481
SQL injection
The vulnerability allows a remote attacker to inject SQL commands on the target system.The weakness exists in the checkAlias action when processing malformed data passed via "cname" parameter. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL queries in web application database..
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability was being actively exploited.
Software: PJBlog3
Remote code execution in ModPlug libmodplug
CVE-2009-1438
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to heap-based buffer overflow, caused by an integer overflow in the CSoundFile::ReadMed() function. A remote attacker can create MED file containing a specially crafted song comment or name, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited in the wild in August 2008.
Software: libmodplug
Multiple vulnerabilities in Microsoft Windows
CVE-2009-0080
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to incorrect placing of access control lists (ACLs) on threads in the current ThreadPool. By leveraging incorrect thread ACLs an attacker can access NetworkService or LocalService account, obtain elevated privileges and execute code with privileges of SYSTEM account.
Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.
Note: this vulnerability was being actively exploited.
Known as "Token Kidnapping".
Software: Windows
Multiple vulnerabilities in Microsoft Windows
CVE-2009-0079
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to improper isolation of processes in the RPCSS service. Accessing the computer under the context of a NetworkService or LocalService account an attacker can obtain privileged security tokens and execute code with privileges of SYSTEM account.
Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.
Note: this vulnerability was being actively exploited.
Known as "Token Kidnapping".
Software: Windows
Multiple vulnerabilities in Microsoft Windows
CVE-2009-0078
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to insufficient security protections in Windows Management Instrumentation (WMI) providers. Accessing the computer under the context of a NetworkService or LocalService account an attacker can obtain privileged security tokens and execute code with privileges of SYSTEM account.
Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control over the affected system.
Note: this vulnerability was being actively exploited.
Knows as Token Kidnapping.
Software: Windows
Multiple vulnerabilities in Microsoft Windows
CVE-2009-0087
Memory corruption
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when process documents in Microsoft WordPad and Microsoft Office converter. A remote attacker can create a specially crafted Word file containing a malformed data, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was handled as a non-public zero-day exploit for at least 3344 days. The issue has been introduced in 02/17/2000.
The vulnerability was firstly disclosed in June 17, 2008.
Software: Windows
The vulnerability was firstly disclosed in June 17, 2008.
Remote code execution in Microsoft Windows
CVE-2009-0084
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error when processing a malformed JPEG file. A remote attacker can create a specially crafted JPEG file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability is being actively exploited.
According to Symantec the first exploitation of the vulnerability was discovered on 2008-10-23.
Software: Microsoft DirectX
Two vulnerabilities in Microsoft IIS FTP server
CVE-2009-2521
Improper input validation
The vulnerability allows a remote authenticated attacker to cause DoS conditions on the target system.The weakness exists due to an error when processing recursive directory listing commands by the FTP Service. By sending a specially crafted LIST command containing wildcard characters, a remote attacker can trigger the FTP service to crash.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
The issue has been introduced in 02/17/2000. The weakness was disclosed on 09/04/2009 by Kingcope.
Software: Microsoft IIS
Multiple vulnerabilities in Adobe Reader and Adobe Acrobat
CVE-2009-0927
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in the getIcon() function. A remote attacker can create a specially crafted .pdf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was fixed at first in Adobe Reader 8.x branch, leaving vulnerable Adobe Reader 9.x. It is unclear, if this vulnerability was exploited before Adobe issued patch for Adobe Reader 8.x.
According to Symantec, they have spotted active exploitation of this vulnerability on April 6, 2009.
According to Trustwave report, this vulnerability was exploited in targeted attacks as a zero-day exploit targeting the aviation defense Industry. Given the confusion regarding exploitation we have considered to treat this vulnerability as a zero-day.
Software: Adobe Reader
Known/fameous malware:
TROJ_PIDIEF.OE
The vulnerability was fixed at first in Adobe Reader 8.x branch, leaving vulnerable Adobe Reader 9.x. It is unclear, if this vulnerability was exploited before Adobe issued patch for Adobe Reader 8.x.
According to Symantec, they have spotted active exploitation of this vulnerability on April 6, 2009.
According to Trustwave report, this vulnerability was exploited in targeted attacks as a zero-day exploit targeting the aviation defense Industry. Given the confusion regarding exploitation we have considered to treat this vulnerability as a zero-day.
Links:
http://www.adobe.com/support/security/bulletins/apsb09-04.html
http://blog.trendmicro.com/trendlabs-security-intelligence/adobe-acrobatreader-geticon-vuln-exploit-...
https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/?dl=1
http://www.ehackingnews.com/2012/09/pdf-exploits-targets-defense-industry.html
Remote code execution in JustSystems Ichitaro
CVE-2009-1054
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when parsing a malformed file. A remote attacker can create a specially crafted file or document using Web PURAGUINBYUA, trick the victim into opening it, trigger memory corruption, run a malicious program and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Ichitaro
Known/fameous malware:
Trojan.Tarodrop.H
Remote code execution in JustSystems Ichitaro
CVE-2009-4737
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling malformed files. A remote attacker can create a specially crafted RTF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Ichitaro
XSS in Mozilla Firefox
CVE-2009-1308
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient validation of user-supplied input when processing XBL bindings. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in userтАЩs browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability was being actively exploited.The vulnerability was exploited against eBay customers in March 2009.
Software: Mozilla Firefox
Remote code execution in Microsoft Excel
CVE-2009-0238
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed object, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft Excel
Known/fameous malware:
TROJ_MDROPPER.XR (TrendMicro)
Exploit - MSExcel.r (McAfee)
Trojan.Mdropper.AC (Symantec)
Links:
https://technet.microsoft.com/en-us/library/security/968272.aspx
https://technet.microsoft.com/en-us/library/security/ms09-009.aspx
https://www.symantec.com/security_response/writeup.jsp?docid=2009-022310-4202-99
https://www.secureworks.com/blog/research-20953
https://www.us-cert.gov/ncas/alerts/TA09-104A
http://blog.trendmicro.co.jp/archives/2596
https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2009/av09-018-eng.aspx
https://downloads.avaya.com/css/P8/documents/100063922
https://www.paulstechtalk.com/2009/04/microsoft-released-april-patch-list-for-patch-tuesday/
Remote code execution in Adobe Acrobat and Adobe Reader
CVE-2009-0658
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when parsing a malformed JBIG2 image stream. A remote attacker can create a specially crafted .pdf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
According to Symantec the first exploitation of the vulnerability was discovered on 2008-09-02.
Software: Adobe Reader
Known/fameous malware:
Trojan.Pidief.E
Links:
http://www.adobe.com/support/security/advisories/apsa09-01.html
http://www.adobe.com/support/security/bulletins/apsb09-04.html
https://www.symantec.com/security_response/writeup.jsp?docid=2009-021212-5523-99&tabid=2
http://www.kb.cert.org/vuls/id/905281https://isc.sans.edu/diary/AdobeAcrobat+0-day+in+the+wild%3F/59...
http://blog.talosintel.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html
https://www.secureworks.com/blog/research-20947
http://blog.securityactive.co.uk/2009/02/23/adobe-reader-and-acrobat-buffer-overflow-cve-2009-0658/
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Remote code execution in Apache OpenOffice
CVE-2009-0259
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Word processor. A remote attacker can create a specially crafted .doc, .wri, or .rtf Word 97 file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was discovered by Jan Lieskovsky.
Exploited in the wild in December 2008.
Software: OpenOffice
Exploited in the wild in December 2008.
Remote code execution in Microsoft Windows
CVE-2008-4844
Use-after-free
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer. A remote attacker can construct a specially crafted Web page, trick the victim into viewing it, trigger memory corruption and execute arbitrary code via DSO bindings involving an XML Island, XML DSOs, or Tabular Data Control (TDC) in a crafted HTML or XML document.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Internet Explorer
Links:
https://technet.microsoft.com/library/security/ms08-078
https://technet.microsoft.com/library/security/961051
https://secunia.com/advisories/33089
http://marc.info/?l=bugtraq&m=123015308222620&w=2
http://www.kb.cert.org/vuls/id/493881
https://securityandthe.net/2008/12/17/its-official-ms08-78-fixing-critical-ie-bug/
Remote code execution in Microsoft Word
CVE-2008-4841
Stack-based buffer overflow
The vulnerability alows a remote authenticated attacker to execute arbitrary code on the target system.The weakness exists due to stack overflow when parsing a malicious document. A remote attacker can create a specially crafted Word file containing a malformed list structure, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft WordPad
Known/fameous malware:
Exploit: Win32/CVE-2008-4841
Links:
https://technet.microsoft.com/library/security/960906
https://technet.microsoft.com/en-us/library/security/ms09-010.aspx
https://www.us-cert.gov/ncas/alerts/TA09-104A
http://www.openwall.com/lists/oss-security/2009/01/21/9
https://www.suse.com/security/cve/CVE-2008-4841
http://contagiodump.blogspot.com/2010/04/cve-2008-4841-wordpad-text-converter.html
Two remote code execution vulnerabilities in Microsoft Windows
CVE-2008-2249
Integer Overflow or Wraparound
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to integer overflow when processing malformed WMF image file. By persuading the victim to open a specially crafted WMF image file containing a malformed header, a remote attacker can cause memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.
Software: Windows
Known/fameous malware:
Bloodhound.Exploit.214.
Links:
https://technet.microsoft.com/en-us/library/security/ms08-071.aspx
http://seclists.org/fulldisclosure/2008/Dec/283
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://ae.norton.com/security_response/print_writeup.jsp?docid=2008-121611-4833-99
https://www.cnet.com/news/microsoft-fixes-28-flaws-6-are-critical/
https://www.qualys.com/research/security-alerts/2008-12-09/microsoft/
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Remote PHP including in PHPCow
CVE-2008-5227
Remote PHP including
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target application.The weakness exists due to improper validation of input passed via the "skin_file" HTTP parameter to "templateie_install.class.php" script. A remote attacker can send a specially-crafted HTTP request to vulnerable script, specify a malicious file from a remote system and execute arbitrary PHP code on the system.
Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable application.
Note: the vulnerability was being actively exploited.
Software: PHPCow
Remote code execution in Microsoft Windows
CVE-2008-4250
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow during path canonicalization in Windows Server service. By sending a specially crafted RCP request, a remote attacker can cause memory corruption and execute arbitrary code with privileges of system account.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Windows
Known/fameous malware:
Trojan (Gimmiv.A) and a Trojan searching for non-patched machines on LAN (Arpoc.A)
W32.Downadup aka ConямБcker
W32.Downadup.B
W32.Fujacks.CE
W32.Neeris.C
W32.Wapomi.B
Links:
http://marc.info/?l=bugtraq&m=122703006921213&w=2
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23179
http://blog.disects.com/2014/05/metasploit-gaining-access-using-ms08.html
http://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_server_service_allows_code_execut...
http://www.bleepingcomputer.com/forums/t/401254/norton-blocked-an-attack-by-os-attack-ms-windows-ser...
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Remote code execution in JustSystems Ichitaro
CVE-2008-3919
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when processing a malformed file. A remote attacker can create a specially crafted JTD document, trick the victim into loading it, trigger memory corruption and execute arbitrary code or cause denial of service on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Ichitaro
Known/fameous malware:
TROJ_TARODROP.AM
Code injection in Adobe Flash Player
CVE-2008-3873
Code injection
The vulnerability allows a remote attacker to hijack the clipboard on the target system.The weakness exists due to error in the setClipboard() function. By persuading a victim view a specially crafted shockwave file, an attacker could exploit this vulnerability to insert persistent data into the clipboard.
Successful exploitation of the vulnerability results in modification of data on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Adobe Flash Player
Remote code execution in Microsoft Windows
CVE-2008-3704
Memory corruption
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to a buffer overflow in the Masked Edit ActiveX Control. A remote attacker can construct a specially crafted Web page, trick the victim into viewing it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Masked Edit ActiveX Control
Remote code execution in Microsoft Word
CVE-2008-2244
Memory corruption
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when handling malformed Word files. A remote attacker can create a specially crafted Word file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was being used in a 2008 Summer Olympics-themed attack.
Software: Microsoft Word
Links:
https://technet.microsoft.com/en-us/library/security/ms08-042.aspx
https://technet.microsoft.com/library/security/953635
https://isc.sans.edu/diary/Unpatched+Word+Vulnerability/4696
https://blogs.technet.microsoft.com/msrc/2008/07/08/msrc-blog-microsoft-security-advisory-953635/
https://www.cnet.com/news/microsoft-fixes-26-flaws-with-11-patches-six-are-critical/
http://blog.trendmicro.com/trendlabs-security-intelligence/let-the-games-begin/
http://cnii.cybersecurity.my/main/resources/vdb/VDB-1-NWS_JULY_07081.pdf
https://www.mycert.org.my/en/services/advisories/mycert/2008/main/detail/591/index.html
Remote code execution in Microsoft Access
CVE-2008-2463
Memory corruption
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow in the ActiveX control for the Snapshot Viewer for Microsoft Access. A remote attacker can construct a specially crafted Web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft Office
Known/fameous malware:
JS/Exploit.CVE-2008-2463.A
Exploit kits using this vulnerability: Eleonore and Siberia.
Links:
https://technet.microsoft.com/en-us/library/security/ms08-041.aspx
https://www.botnets.fr/wiki/CVE-2008-2463
https://blogs.technet.microsoft.com/msrc/2008/07/07/snapshot-viewer-activex-control-vulnerability/
http://www.kb.cert.org/vuls/id/837785
https://cve.circl.lu/cve/CVE-2008-2463
https://www.cnet.com/news/microsoft-fixes-26-flaws-with-11-patches-six-are-critical/
Remote code execution in UUSee UUUpgrade.ocx ActiveX control
CVE-2008-7168
Unsafe ActiveX method
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to insufficient validation of arguments passed to the "Update()" method in UUUpgrade.ocx ActiveX control. A remote attacker can trick the victim to visit a specially crafted website and upload malicious file into arbitrary location on victim's computer.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability was being actively exploited in the wild.
The vulnerability exploitation was detected in the wild by Symantec team via Honeypot Analysis.
Software: UUSee UUUpgrade ActiveX control
Two remote code execution vulnerabilities in Ourgame GLWorld
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in ActiveX control. By persuading a victim to visit a specially Web page that passes an overly long argument to the IEStart() method or a second argument to the IEStartNative() method, a remote attacker can trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The exploitation of this issue was detected by the DeepSight honeypot.
Software: GLWorld
Two remote code execution vulnerabilities in Ourgame GLWorld
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow in GlobalLink ActiveX control when handling values for the ServerList property. By persuading a victim to visit a malicious Web site that passes specially-crafted values to the insecure ServerList method, a remote attacker can trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The exploitation of this issue was detected by the DeepSight honeypot.
Software: GLWorld
Remote code execution in Microsoft Windows Internet Printing Service
CVE-2008-1446
Integer overflow
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.The weakness exists due to integer overflow in Windows Internet Printing Protocol (IPP) implementation. By sending a specially crafted HTTP POST request, a remote authenticated attacker can cause memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
According to US CERT, the targeted attacks were spotted on May 2, 2008.
Software: Windows
Privilege escalation in Microsoft Windows
CVE-2008-1436
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to improper security restrictions on security tokens in the Microsoft Distributed Transaction Coordinator (MSDTC) service. By sending a specially crafted request to the MSDTC service, an attacker can access privileged security tokens and execute code with privileges of SYSTEM account.
Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.
Note: this vulnerability was being actively exploited.
The vulnerability was used in Operation Iron Tiger, a cyber espionage campaign carried out by Chinese hackers on United States Defense Contractors.
Software: Windows
Links:
https://technet.microsoft.com/library/security/951306
http://www.securityfocus.com/archive/1/archive/1/497168/100/0/threaded
http://www.securityfocus.com/archive/1/archive/...
https://technet.microsoft.com/en-us/library/security/ms09-012.aspx
http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html
https://blogs.technet.microsoft.com/msrc/2008/04/17/msrc-blog-microsoft-security-advisory-951306/
https://www.erai.com/CustomUploads/ca/wp/2015_12_wp_operation_iron_tiger.pdf
SQL injection in Coppermine Photo Gallery
CVE-2008-1841
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL commands in web application database.The vulnerability exists due to insufficient sanitization of user-supplied data passed via cookies to "coppermine.inc.php" script. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL queries in backend database.
Successful exploitation of the vulnerability may result in website compromise.
Note: this vulnerability was being actively exploited.
The vulnerability was produced by inefficient patch for CVE-2008-1840
Software: Coppermine Photo Gallery
Links:
https://secur1ty.com/cve/CVE-2008-1841/
http://www.securityfocus.com/bid/28767
http://www.xatrix.org/cve-vulns/CVE-2008-1841-c40321/
https://www.vulnerabilitycenter.com/#!vul=18228
http://cve.scap.org.cn/CVE-2008-1841.html
https://www.security-database.com/detail.php?alert=CVE-2008-1841
http://forum.coppermine-gallery.net/index.php/topic,51882.0.html
Remote code execution in Microsoft Jet
CVE-2007-6026
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in Jet database engine when parsing .mdb files. A remote attacker can create a specially crafted .mdb file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is publicly disclosed since 2005, however an attack vector was introduced only in 2008. The vulnerability is being actively exploited.The vulnerability initially had three CVEs: CVE-2005-0944, CVE-2007-6026 and CVE-2008-1092.
The issue has been introduced on 02/17/2000. The vulnerability was handled as a non-public zero-day exploit for at least 2832 days.
Software: Microsoft Jet
Known/fameous malware:
Trojan.Acdropper.C
The issue has been introduced on 02/17/2000. The vulnerability was handled as a non-public zero-day exploit for at least 2832 days.
Links:
http://news.softpedia.com/news/Latest-Vulnerability-Attacks-Steer-Clear-of-Vista-SP1-but-Not-XP-SP3-...
https://www.symantec.com/security_response/writeup.jsp?docid=2008-032803-4407-99
https://co.norton.com/security_response/print_writeup.jsp?docid=2008-032619-5301-99
https://technet.microsoft.com/library/security/950627
https://technet.microsoft.com/library/security/ms08-028
Multiple vulnerabilities in Adobe Reader and Adobe Acrobat
CVE-2007-5659
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to a boundary error within Javascript method. A remote attacker can create a specially .pdf file, trick the victim into opening it, trigger stack-based buffer overflow and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vendor was notified of this vulnerability on 10/10/2007, however the patched was issued only 7 month later.
Software: Adobe Reader
Known/fameous malware:
Exploit kits: Impact, Incognito, Phoenix, Siberia, Styx.
Links:
https://www.adobe.com/support/security/bulletins/apsb08-13.html
http://www.adobe.com/support/security/advisories/apsa08-01.html
https://www.symantec.com/security_response/writeup.jsp?docid=2009-121708-1022-99
https://zeltser.com/pdf-stream-dumper-malicious-file-analysis/
http://infosec-summit.issa-balt.org/assets/Presentations/Jeremy_Conway_-_A_Look_Inside_the_PDF_Attac...
Remote code execution in Ourgame GLWorld
CVE-2008-0647
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in the ActiveX control (HanGamePluginCn18.dll). A remote attacker can create a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: GLWorld
Known/fameous malware:
Infostealer.Gampass
Trojan.Exploit.SSX (Trojan.Exploit.ANNZ )
Multiple vulnerabilities in Microsoft Excel
CVE-2008-0081
Memory corruption
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to a boundary error when handling macros in Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft Excel
Known/fameous malware:
mx97:cve-2008-0081 virus
Exploit-MSExcel.p
Remote code execution in QVOD Technology QVOD Player
CVE-2008-4664
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to heap-based buffer overflow in QVOD Player ActiveX control (QvodInsert.dll). A remote attacker can create a specially crafted Web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The QVOD Player exploit was used against visitors during the CA.com website hack. Hackers were able to redirect users to uc8010.com domain. The incident became known on January 5, 2008.
Software: QVOD Player
The QVOD Player exploit was used against visitors during the CA.com website hack. Hackers were able to redirect users to uc8010.com domain. The incident became known on January 5, 2008.
Buffer overflow in JustSystems Ichitaro
CVE-2007-6436
Stack-based buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in JSGCI.DLL library when processing malicious documents. A remote attacker can create a specially crafted document file, trick the victim into opening it, cause stack-based buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Ichitaro
Known/fameous malware:
Trojan.Tarodrop.F
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2007-5347
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when handling certain DHTML object methods. A remote attacker can create a specially crafted HTML page, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Remote code execution in Apple QuickTime
CVE-2007-6166
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling specially crafted overly long RTSP (Real Time Streaming Protocol) Response Content-Type header. A remote attacker can create a specially crafted web page, trick the victim into opening it, cause buffer overflow and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Software: Apple QuickTime
Known/fameous malware:
Trojan.Quimkit
Links:
https://www.symantec.com/connect/blogs/zero-day-exploit-apple-quicktime-vulnerability
https://ch-fr.norton.com/security_response/writeup.jsp?docid=2007-112605-2410-99
https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
https://www.virusbulletin.com/virusbulletin/2010/11/exploit-identification/
http://www.kb.cert.org/vuls/id/659761
https://www.symantec.com/connect/blogs/apple-quicktime-exploit-twist
Remote code execution in Xunlei Thunder
CVE-2007-6144
Heap-based buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in PPlayer.XPPlayer.1 ActiveX control when handling long strings passed via FlvPlayerUrl property value. A remote attacker can create a specially crafted web page, trick the victim into visiting it, cause a heap-based buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability was being actively exploited.
This vulnerability was first reported on SEBUG.net. This vulnerability was used in mass SQL injection attack against Chinese websites in May 2008.
Software: Xunlei Thunder
Known/fameous malware:
Exploit:HTML/IESlice.BK.
Links:
http://betanews.com/2008/05/19/ten-thousand-servers-hit-in-sql-injection-hack/
http://www.pcworld.com/article/146048/article.html
https://forums.whatthetech.com/index.php?showtopic=91131
https://isc.sans.edu/diary/The+10.000+web+sites+infection+mystery+solved/4294
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=50081
Remote code execution in SSReader
CVE-2007-5892
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in SSReader Pdg2 ActiveX control (pdg2.dll). A remote attacker can create a specially crafted web page, trick the victim into visiting it, cause a stack-based buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Vulnerability was reported as zero-day by DSWLab. This is the same vulnerability as CVE-2007-5807.
Software: SSReader
Remote code execution in Ourgame GLWorld ActiveX control
CVE-2007-5722
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling overly long argument passed tp ConnectAndEnterRoom() method in GlobalLink GLCHAT.GLChatCtrl.1 ActiveX control, used by Ourgame GLWorld. A remote attacker can create a specially crafted web page, trick the victim into visiting it, cause a stack-based buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
First in the wild exploitation was reported in October 2007. This vulnerability was used during mass SQL injection attack on web sites in China and Taiwan.
Software: GLWorld
Known/fameous malware:
JS:CVE-2007-5722-A/ Bloodhound.Exploit.164.
Links:
http://www.pcworld.com/article/146048/article.html
http://essaymonster.net/science/78930-networking-attacks-and-denial-of-service-computer.html
https://forums.spybot.info/showthread.php?61404-Thousands-of-sites-infected-archive/page3
https://www.f-secure.com/weblog/archives/00001432.html
https://www.f-secure.com/weblog/archives/00001427.html
https://betanews.com/2008/05/19/ten-thousand-servers-hit-in-sql-injection-hack/
http://www.infoworld.com/article/2651107/security/update--mass-sql-injection-attack-targets-chinese-...
Privilege escalation in Macrovision SafeDisc driver for Microsoft Windows
CVE-2007-5587
Buffer overflow
The vulnerability allows a local user to escalation privileges on vulnerable system.
The vulnerability exists due to incorrect handling of configuration parameters within Macrovision SafeDisc SECDRV.SYS driver, shipped by default with Windows XP and Windows 2003 operating systems. A local user pass specially crafted parameters to METHOD_NEITHER IOCTL and execute arbitrary code on the target system with elevated privileges.
Successful exploitation of this vulnerability allows a local unprivileged user to elevate his privileges and gain administrative access to vulnerable system.
Note: the vulnerability is being actively exploited.
Software: Windows
Links:
http://www.securityfocus.com/archive/1/archive/1/482482/100/0/threaded
https://downloads.avaya.com/css/P8/documents/100063289
https://threats.kaspersky.com/en/vulnerability/KLA10257/
https://www.tenable.com/plugins/index.php?view=single&id=29311
https://technet.microsoft.com/en-us/library/security/ms07-067.aspx
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/security-advisories/(ms07-067)%20vuln...
https://www.dshield.org/diary/Windows%2BXP%2Band%2B2003%2Blocal%2Bprivilege%2Bescalation%2Bvulnerabi...
https://blogs.technet.microsoft.com/msrc/2007/11/05/msrc-blog-security-advisory-944653/
Remote code execution in RealNetworks RealPlayer
CVE-2007-5601
Stack-based buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing playlist names passed via "Import()" method to RealPlayer IERPCtl ActiveX control (ierpplug.dll). A remote attacker can create a specially crafted web page, trick the victim into opening it, cause stack-based buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Exploit code for this vulnerability was used during Chinese weekend compromise campaign in May 2008.
Software: RealPlayer
Links:
https://www.symantec.com/connect/blogs/realplayer-exploit-loose
http://www.kb.cert.org/vuls/id/871673
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=22629
http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-weekend-compromise/
http://www.pcworld.com/article/146048/article.html
http://www.sudosecure.com/malicious-site-analysis-for-dota11cn-injection/
Remote code execution via URI handlers in Microsoft Windows
CVE-2007-3896
OS command injection
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insufficient filtration of URIs in Shell32.dll when open applications via URL handlers (e.g. mailto:). A remote attacker can create a specially crafted URI, containing invalid sequence of % characters, trick the victim to click on it and execute arbitrary system commands with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Windows
Remote code execution in Microsoft Word
CVE-2007-3899
Memory corruption
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malformed strings in Word document. A remote attacker can create a specially crafted MS Word document, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Word
Remote command execution in eWire PHP component
CVE-2007-4925
OS command injection
The vulnerability allows a remote attacker to execute arbitrary commands on vulnerable system.
The vulnerability exists due to insufficient sanitization of user-supplied input passed via "paymentinfo" HTTP GET parameter to "simplePHPLinux/3payment_receive.php" script. A remote attacker can send a specially crafted HTTP Get request to vulnerable script and execute arbitrary OS commands on vulnerable system with privileges of the web server.
Successful exploitation of the vulnerability allows to execute arbitrary commands and compromise vulnerable system.
Note: this vulnerability is being actively exploited.
The weakness was shared 03/15/2007. The vulnerability was originally reported as zero-day by FortConsult A/S. Security patch was never issued by the vendor.
Software: Payment Client
Remote code execution when handling ZIP files in Lhaz
CVE-2007-4428
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing ZIP files. A remote attacker can create a specially crafted .zip archive, trick the victim into opening it, cause buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Lhaz
Known/fameous malware:
Exploit-LHAZ.a
Remote code execution in JustSystems Ichitaro
CVE-2007-4246
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing malicious documents. A remote attacker can create a specially crafted document, trick the victim into opening it, cause buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Ichitaro
Known/fameous malware:
Trojan.Tarodrop.D
SQL injection in phpMyForum
CVE-2007-4107
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.
The vulnerability exists due to insufficient sanitization of user-supplied data passed editpost.php script. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database.
Successful exploitation may allow an attacker to gain complete control over vulnerable website.
Note: this vulnerability is being actively exploited.
The vulnertability was reported by Reini Urban via vendor's forum after discovery of zero-day exploitation.
Software: phpMyForum
Buffer overflow in Lhaca File Archiver
CVE-2007-3375
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in Lhaca File Archiver when processing .lzh archives. A remote attacker can create a specially crafted .lzh file, trick the victim into opening it, cause stack-based buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: File Archiver
Known/fameous malware:
Trojan.Lhdropper
Remote code execution in Microsoft DNS server
CVE-2007-1748
Stack-based buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing RPC requests in Microsoft Windows DNS server, which contain long zone name parameter with escaped octal strings.
A remote attacker can send a specially crafted RPC request to vulnerable DNS server, cause stack-based buffer overflow and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Windows Server
Remote code execution in JustSystems Ichitaro
CVE-2007-1938
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing malicious documents. A remote attacker can create a specially crafted document, trick the victim into opening it, cause buffer overflow and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Ichitaro
Arbitrary file upload in phpWiki
CVE-2007-2025
Unrestricted file upload
The vulnerability allows a remote attacker to execute arbitrary OS commands on vulnerable system.
The vulnerability exists due to insufficient sanitization of filename extension in lib/plugin/UpLoad.php when uploading files via UpLoad feature. A remote attacker can use php3 extension to bypass implemented protection mechanism, upload and execute malicious PHP file on vulnerable system.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary OS commands vulnerable system with privileges of the web server account.
Note: this vulnerability is being actively exploited.
Harold Hallikainen has reported that the upload page fails to properly check the extension of the uploaded files. This vulnerability was exploited along with CVE-2007-2024.
Software: PhpWiki
Arbitrary file upload in phpWiki
CVE-2007-2024
Unrestricted file upload
The vulnerability allows a remote attacker to execute arbitrary OS commands on vulnerable system.
The vulnerability exists due to insufficient sanitization of filename extension in lib/plugin/UpLoad.php when uploading files via UpLoad feature. A remote attacker can use php3, php4, or php5 extension to bypass implemented protection mechanism, upload and execute malicious PHP file on vulnerable system.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary OS commands vulnerable system with privileges of the web server account.
Note: this vulnerability is being actively exploited.
Harold Hallikainen has reported that the upload page fails to properly check extension of uploaded files. This vulnerability was exploited along with CVE-2007-2025.
Software: PhpWiki
Remote code execution in Microsoft Windows
CVE-2007-0038
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling cursor, animated cursor, and icon formats. A remote attacker can create a specially crafted malicious cursor or icon file, cause buffer overflow and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered in the wild by McAfee.
Software: Windows
Links:
http://www.priveon.com/dmdocuments/PV-A-070003A.pdf
http://www.securityfocus.com/archive/1/464339/100/0/threaded
https://isc.sans.edu/diary/Windows+Animated+Cursor+Handling+vulnerability+-+CVE-2007-0038/2534
https://technet.microsoft.com/library/security/935423
https://technet.microsoft.com/en-us/library/security/ms07-017.aspx
Remote code execution in Microsoft Word
CVE-2007-0870
Memory corruption
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malformed stream in Word document. A remote attacker can create a specially crafted MS Word document, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
According to CERT, this vulnerability has been actively exploited in the wild before official patch release.
Software: Microsoft Word
Links:
http://www.kb.cert.org/vuls/id/332404
http://www.firstpost.com/business/biztech/business-tech/security/mcafee-solutions-for-windows-vulner...
https://technet.microsoft.com/en-us/library/security/933052.aspx
https://www.cnet.com/news/microsoft-fixes-nineteen-flaws-in-seven-patches-all-are-considered-critica...
https://nakedsecurity.sophos.com/2008/04/12/ole2-a-popular-malware-delivery-mechanism/
http://about-threats.trendmicro.com/ArchiveVulnerability.aspx?language=tw&name=(MS07-024)%20VULNERAB...
http://www.pcworld.com/article/130629/article.html
http://www.esecurityplanet.com/patches/article.php/3671041/Three-Critical-Fixes-For-Windows.htm
https://www.symantec.com/connect/tr/blogs/microsoft-patch-tuesday-may-2007?page=1
Buffer overflow in Microsoft Excel
CVE-2007-0671
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malformed records in Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The attack was reported on February 2007. The exploit dropped malware that used www.top10member.com C&C server. According to TrendMicro, the malware functionality was very similar to BKDR_SYKIPOT.B.
Software: Microsoft Excel
Known/fameous malware:
Exploit-MSExcel.h.
Links:
https://www.symantec.com/security_response/writeup.jsp?docid=2007-021911-2650-99
https://www.symantec.com/connect/blogs/latest-office-zero-day-vulnerability
https://technet.microsoft.com/en-us/library/security/ms07-015.aspx
https://technet.microsoft.com/library/security/932553
http://blog.trendmicro.com/trendlabs-security-intelligence/the-sykipot-campaign/
Remote code execution in Microsoft Word
CVE-2007-0515
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability is caused by boundary error when processing malformed function in Word files. A remote attacker can create a specially crafted Word file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Word
Known/fameous malware:
Backdoor.Trojan Downloader
Backdoor.Pcclient.B (MCID 8260)
Backdoor.Ginwui.E (MCID 8890)
Trojan.Mdropper.W
Links:
http://blogs.quickheal.com/cve-2007-0515-exploit-targeted-attack/
https://technet.microsoft.com/en-us/library/security/ms07-014.aspx
https://www.symantec.com/connect/blogs/watch-exploit-targeted-attack-video
https://www.symantec.com/security_response/writeup.jsp?docid=2007-020511-5519-99
http://blogs.quickheal.com/cve-2007-0515-exploit-targeted-attack/
Buffer overflow in Internet Explorer VML
CVE-2007-0024
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in Vgx.dll library when handling Vector Markup Language (VML) tags. A remote attacker can create a specially crafted web page, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Privilege escalation in Mac OS X
CVE-2007-0117
Improper file permissions handling
The vulnerability allows a local user to escalation privileges on vulnerable system.
The vulnerability exists in diskutil tool within DiskManagement framework when handling BOM files. A local user can create a specially crafted BOM file, run diskutil with specially crafted BOM file and replace permissions for arbitrary files on vulnerable system.
Successful exploitation of this vulnerability allows a local unprivileged user to elevate his privileges and gain root access to vulnerable system.
Note: the vulnerability is being actively exploited.
Software: macOS
Remote code execution in Microsoft Word
CVE-2006-6561
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability is caused by boundary error when processing an unchecked word count in Word files. A remote attacker can create a specially crafted Word file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was publicly disclosed by Disco Jonny.
Software: Microsoft Word
Known/fameous malware:
Bloodhound.Exploit.108.
Links:
https://technet.microsoft.com/en-us/library/security/ms07-014.aspx
https://blogs.technet.microsoft.com/msrc/2006/12/15/update-on-current-word-vulnerability-reports/
https://www.symantec.com/security_response/writeup.jsp?docid=2006-121412-1329-99
https://www.symantec.com/connect/blogs/word-those-word-vulnerabilities
Remote code execution in Microsoft Word
CVE-2006-6456
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability is caused by boundary error when handling Word files with a specially crafted data structure. A remote attacker can create a specially crafted Word file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Word
Known/fameous malware:
Trojan.Mdropper.U
Links:
https://technet.microsoft.com/library/security/ms07-014
https://blogs.technet.microsoft.com/msrc/2006/12/10/new-report-of-a-word-zero-day/
http://www.kb.cert.org/vuls/id/166700
https://blogs.technet.microsoft.com/msrc/2006/12/15/update-on-current-word-vulnerability-reports/
https://www.symantec.com/connect/blogs/word-those-word-vulnerabilities
Remote code execution in Microsoft Word
CVE-2006-5994
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability is caused by boundary error when handling Word files with a specially crafted string. A remote attacker can create a specially crafted Word file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Word
Known/fameous malware:
Bloodhound.Exploit.106
Remote code execution in Microsoft XML Core Services
CVE-2006-5745
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error in XMLHTTP ActiveX control within Microsoft XML Core Services. A remote unauthenticated attacker can trick the victim to open a specially crafted web page and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited.
The issue was discovered in the wild by ISS xForce.
Software: Microsoft XML Core Services
Remote code execution in Visual Studio WMIObjectBroker2 ActiveX control
CVE-2006-4704
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of input data in Microsoft WMIScriptUtils.WMIObjectBroker2 ActiveX control (WmiScriptUtils.dll), bundled with Visual Studio 2005. A remote unauthenticated attacker can trick the victim to open a specially crafted web page or HTML file and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was publicly reported by Michal Bucko and H D Moore.
Software: Visual Studio
Remote code execution in WebViewFolderIcon ActiveX control in Microsoft Windows
CVE-2006-3730
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper validation of input parameters passed to vulnerable setSlice() method in WebViewFolderIcon ActiveX control (Web View). A remote attacker can create a specially crafted web page, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Windows
Remote code execution in Microsoft PowerPoint
CVE-2006-4694
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability is caused by a boundary error when parsing malformed records within the PowerPoint file. A remote attacker can create a specially crafted .ppt file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
It has been reported that the attack vector involves SlideShowWindows.View.GotoNamedShow.
Software: Microsoft PowerPoint
Known/fameous malware:
Exploit:Win32/Controlppt.W, Exploit:Win32/Controlppt.X, and Exploit-PPT.d/Trojan.PPDropper.F.
Remote code execution in Microsoft Windows
CVE-2006-4868
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of input data in Vector Markup Language (VML) implementation (VGX.dll) in Microsoft Windows. A remote unauthenticated attacker can trick the victim to open a specially crafted web page or HTML file and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was reported by Sunbelt Software.
Software: Windows
Known/fameous malware:
Bloodhound.Exploit.78
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2006-4777
Heap-based buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to heap-based buffer overflow within DirectAnimation Path ActiveX control (daxctle.ocx) when handling unexpected input. A remote attacker can create a specially crafted web page, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Multiple vulnerabilities in Microsoft Word
CVE-2006-4534
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.The weakness is due to stack-based buffer overflow. By persuading the victim to load and open a specially crafted Word document containing a malformed string, a remote attacker can execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
This vulnerability was reported by Juha-Matti Laurio.
Software: Microsoft Office
Known/fameous malware:
Trojan.Mdropper.Q
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2006-4446
Heap-based buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to heap-based buffer overflow in DirectAnimation.PathControl ActiveX control (daxctle.ocx) when handling unexpected input. A remote attacker can create a specially crafted web page, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Remote code execution in JustSystems Ichitaro
CVE-2006-4326
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.The weakness is due to stack-based buffer overflow. By persuading the victim to open a modified document, a remote attacker can execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Ichitaro
Known/fameous malware:
Trojan.Tarodrop.
Buffer overflow in Microsoft Windows Server service
CVE-2006-3439
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in Microsoft Windows Server Service. A remote attacker can send a specially crafted packet to port 139/TCP or 445/TCP, trigger boundary error and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Windows
Remote code execution in Microsoft VBA
CVE-2006-3649
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.The weakness is due to buffer overflow. By persuading the victim to open a malicious Office document containing Visual Basic for Applications (VBA) script, a remote attacker can execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
The weakness was disclosed 08/08/2006 by Ka Chun Leung with Symantec.
Software: Microsoft Office
Known/fameous malware:
Trojan.Mdropper.N
Links:
http://www.microsoft.com/technet/security/Bulletin/MS06-047.mspx
ftp://ftp.cerias.purdue.edu/pub/advisories/ciac/q-fy06/q-274.Vul.in.Microsoft.Visual.Basic.txt
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/security-advisories/(ms06-047)%20vul...
https://www.symantec.com/content/en/us/enterprise/collateral/tech_briefs/11310863_HTTST_tb.pdf
Remote code execution in Microsoft PowerPoint
CVE-2006-3590
Memory corruption
The vulnerability allows a remote user to execute arbitrary code on the target system.The weakness is due to memory corruption in mso.dll. By persuading the victim to open a specially crafted PPT file, containing a malformed shape container, a remote attacker can execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in complete compromise of vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft PowerPoint
Known/fameous malware:
PPDropper.B Trojan.
Bloodhound.Exploit.79
Links:
https://blogs.securiteam.com/index.php/archives/508
http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
http://www.microsoft.com/technet/security/advisory/922970.mspx
http://blogs.technet.com/msrc/archive/2006/07/14/441893.aspx
https://www.symantec.com/security_response/writeup.jsp?docid=2006-092614-1828-99&tabid=2
https://ae.norton.com/security_response/print_writeup.jsp?docid=2006-092614-1828-99
https://forums.whatthetech.com/index.php?showtopic=66223
Multiple vulnerabilities in Microsoft Office
CVE-2006-1540
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malformed strings in Office documents. A remote attacker can create a specially crafted Office file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Office
Multiple vulnerabilities in Microsoft Excel
CVE-2006-1301
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of input data when processing a malformed SELECTION record within Excel file. A remote unauthenticated attacker can trick the victim to open a specially crafted Excel file and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability was being actively exploited.Software: Microsoft Excel
Multiple vulnerabilities in Microsoft Excel
CVE-2006-3059
Remote code execution
The vulnerability allows a remote user to execute arbitrary code on the target system.The weakness is due to a stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName() function. By persuading the victim to open a specially crafted Excel file, a remote attacker can cause DoS conditions or execute arbitrary code via a long hyperlink.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft Excel
Known/fameous malware:
Mdropper.J Trojan.
Links:
https://technet.microsoft.com/en-us/library/security/ms06-037.aspx
http://www.kb.cert.org/vuls/id/394444
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/security-advisories/(ms06-037)%20vul...
https://home.mcafee.com/virusinfo/virusprofile.aspx?key=140010
https://blogs.technet.microsoft.com/msrc/2006/06/24/an-update-on-recent-public-issues/
https://www.cnet.com/news/buffer-overflow-in-microsoft-hyperlink-object-library/
Remote code execution in Microsoft Word
CVE-2006-2492
Remote code execution
The vulnerability allows a remote user to execute arbitrary code on the target system.The weakness is due to buffer overflow. By persuading the victim to open a specially crafted Word file containing a malformed object pointer, a remote attacker can execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft Word
Known/fameous malware:
Mdropper.H Trojan.
SmartTag exploit.
Links:
https://technet.microsoft.com/en-us/library/security/ms06-027.aspx
https://blogs.technet.microsoft.com/msrc/2006/05/20/a-quick-check-in-on-the-word-vulnerability/
https://blogs.microsoft.com/microsoftsecure/2011/09/28/targeted-attacks-and-the-need-to-keep-documen...
http://www.networkworld.com/article/2266902/lan-wan/microsoft--rogue--security--software-a-rising-th...
https://www.theguardian.com/technology/blog/2010/apr/26/microsoft-security-intelligence-report
http://www.bcs.org/content/conWebDoc/11820
http://rbach.net/blog/index.php/msft-security-report/
http://garwarner.blogspot.com/2009/04/microsoft-security-intelligence-report.html
https://www.itnews.com.au/news/taiwanese-gang-exploits-microsoft-word-81693
http://www.marketwired.com/press-release/MessageLabs-Intelligence-Targeted-Attack-Report-Criminal-Ri...
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2006-1359
Memory corruption
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in createTextRange() DHTML method when handling unexpected user input for radio button control. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.Note: this vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Known/fameous malware:
Kaspersky - Exploit.JS.CVE-2006-1359.d
Ikarus - Exploit.JS.CVE-2006-1359.d
Nod32 - JS/Exploit.CVE-2006-1359
Remote code execution in Microsoft Windows GDI
CVE-2005-4560
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in Microsoft Graphical Device Interface library (GDI32.DLL) when handling .wmf files. A remote attacker can create a specially crafted .wmf image file with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was disclosed on December 27, 2005. We have decided however to include it into 2006 year due to very close timing.
Software: Windows