TrendLabs Security Intelligence Blog

Archive for May 8th, 2012


    While a seven-bulletin release from Microsoft is generally considered "light", bulletin MS12-034 addresses a surprising number of vulnerabilities in the Windows operating system, Microsoft Office, Silverlight, and the .NET Framework. Of note, Microsoft states that this bulletin supersedes MS11-087, the bulletin that addressed the Win32k TrueType Font (TTF) parsing vulnerability used by the DUQU malware back in November 2011. Read more on the DUQU attack in this Threat Encyclopedia page.

    As elaborated in the Microsoft blog post, MS12-034 lists several affected products because the TTF vulnerability directly or indirectly affects each of them. Trend Micro Deep Security users can apply rules 1005009 – Win32k TrueType Font Parsing Vulnerability (CVE-2012-0159) and 1005009 – .NET Framework Buffer Allocation Vulnerability (CVE-2012-0162) to ensure protection from attacks that exploit these vulnerabilities. More information on the Microsoft vulnerabilities patched this month is found here in the Threat Encyclopedia.

    In other vulnerability news, Oracle issued a security alert for a vulnerability in the TNS listener (CVE-2012-1675), which is present in several versions of Oracle Database Server. Oracle recommends that its customers apply the workarounds published in its customer portal. The vulnerable component also ships with other Oracle products, such as Oracle E-Business Suite. Trend Micro Deep Security users are protected from attacks that exploit this vulnerability by applying rule 1004995 – Oracle Database TNS Listener Poison Attack Vulnerability.

    Lastly, Adobe released a security update for Adobe Flash Player on Windows, Macintosh, Linux, and Android. As of this writing, Trend Micro is investigating attacks that actively exploit CVE-2012-0779, which Adobe's update addresses. Applying rule 1005000 – Adobe Flash Player Object Confusion Vulnerability (CVE-2012-0779) protects against exploits for CVE-2012-0779.

    Update as of May 11, 2012, 7:55 AM PST

    The following additional Deep Security rules have been issued to ensure protection against attacks using some of the aforementioned vulnerabilities:

    • 1005019 – Restrict Microsoft Office File With Linked SWF has been added to protect against attacks exploiting CVE-2012-0779
    • 1004997 – Detected Too Many Oracle TNS Service Register Requests has been added to protect against attacks exploiting CVE-2012-1675
     



    Targeted Attack Uses Recent Adobe Flash Player Vulnerability (CVE-2012-0779)

    Reports of a targeted attack surfaced recently. The attack arrives as an email message that tricks users into opening a malicious attachment. The attachment is a file that exploits CVE-2012-0779, a vulnerability found in several versions of Adobe Flash Player. Successful exploitation may allow an attacker to take over the affected system.

    We came across a .DOC file that spoofs a professional organization. When opened, the attachment, detected as TROJ_SCRIPBRID.A, connects to a URL to retrieve the .SWF files that exploit this Flash Player vulnerability and drops a backdoor onto the system. Trend Micro detects the .SWF files as SWF_LOADER.EHL and the backdoor as BKDR_INJECT.EVL. The backdoor connects to its command-and-control (C&C) server to receive commands from a remote attacker.

    CVE-2012-0779 affects specific versions of Adobe Flash Player running on Windows, Macintosh, Linux, and Android. Described by Adobe as an object confusion vulnerability, a successful exploit can crash the application or allow an attacker to take control of the affected system.

    To address this, Adobe recommends that users update Adobe Flash Player to the latest version. Trend Micro Deep Security users should apply rule 1005000 – Adobe Flash Player Object Confusion Vulnerability (CVE-2012-0779) to prevent attacks. More about this vulnerability and its fix can be found on Adobe's security bulletin page.
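    The attack chain above, a binary .DOC that pulls an exploit .SWF from a URL, is the pattern the Deep Security rule "Restrict Microsoft Office File With Linked SWF" targets. The following is an added example written for this page, not Trend Micro's rule or any code from the sample: a byte-level heuristic that flags an OLE2 Office document carrying a linked or embedded Flash object. It looks for the Shockwave Flash ActiveX CLSID (in binary and text form), the control's ProgID, and an http URL ending in .swf, in both ASCII and UTF-16LE. The class name and the sample bytes in main() are constructed for illustration; the OLE2 signature and the Flash CLSID are the real values.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

// Added heuristic (not Trend Micro's rule 1005019) for flagging an OLE2 Office document
// that links or embeds a Flash object.
public class LinkedSwfScanner {

    // OLE2 / Compound File Binary signature that binary .DOC, .XLS and .PPT files begin with.
    static final byte[] OLE_MAGIC = {
        (byte) 0xD0, (byte) 0xCF, (byte) 0x11, (byte) 0xE0, (byte) 0xA1, (byte) 0xB1, (byte) 0x1A, (byte) 0xE1
    };

    // Shockwave Flash ActiveX control CLSID {D27CDB6E-AE6D-11CF-96B8-444553540000} as stored
    // in an OLE stream: Data1..Data3 little-endian, Data4 in byte order.
    static final byte[] FLASH_CLSID_BIN = {
        (byte) 0x6E, (byte) 0xDB, (byte) 0x7C, (byte) 0xD2, (byte) 0x6D, (byte) 0xAE, (byte) 0xCF, (byte) 0x11,
        (byte) 0x96, (byte) 0xB8, (byte) 0x44, (byte) 0x45, (byte) 0x53, (byte) 0x54, (byte) 0x00, (byte) 0x00
    };

    // Text forms of the same control, searched in ASCII and UTF-16LE (how Office stores most strings).
    static final String[] TEXT_MARKERS = {
        "D27CDB6E-AE6D-11CF-96B8-444553540000", "ShockwaveFlash.ShockwaveFlash"
    };

    static int indexOf(byte[] hay, byte[] needle, int from) {
        outer:
        for (int i = Math.max(0, from); i <= hay.length - needle.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    static boolean contains(byte[] hay, byte[] needle) { return indexOf(hay, needle, 0) >= 0; }

    // A linked (remotely loaded) movie shows up as an http(s) URL ending in .swf; look for
    // ".swf" within 512 bytes after each "http" in the given encoding.
    static boolean hasSwfUrl(byte[] doc, Charset cs) {
        byte[] http = "http".getBytes(cs), swf = ".swf".getBytes(cs);
        for (int at = indexOf(doc, http, 0); at >= 0; at = indexOf(doc, http, at + 1)) {
            int hit = indexOf(doc, swf, at);
            if (hit >= 0 && hit - at <= 512) return true;
        }
        return false;
    }

    // Returns the indicators found; an empty list means no Flash indicators (or not an OLE2 file).
    static List<String> findings(byte[] doc) {
        List<String> hits = new ArrayList<>();
        if (indexOf(doc, OLE_MAGIC, 0) != 0) return hits;   // OOXML (.docx) needs its zip parts unpacked first
        if (contains(doc, FLASH_CLSID_BIN)) hits.add("flash-clsid-binary");
        for (String m : TEXT_MARKERS) {
            if (contains(doc, m.getBytes(StandardCharsets.US_ASCII))) hits.add("ascii:" + m);
            if (contains(doc, m.getBytes(StandardCharsets.UTF_16LE))) hits.add("utf16:" + m);
        }
        if (hasSwfUrl(doc, StandardCharsets.US_ASCII)) hits.add("swf-url-ascii");
        if (hasSwfUrl(doc, StandardCharsets.UTF_16LE)) hits.add("swf-url-utf16");
        return hits;
    }

    public static void main(String[] args) throws Exception {
        byte[] doc;
        if (args.length > 0) {
            doc = Files.readAllBytes(Paths.get(args[0]));
        } else {
            // Constructed stand-in, not bytes from the real sample: OLE header, filler, the Flash
            // CLSID in binary form, and a UTF-16LE movie URL on a reserved test domain.
            ByteArrayOutputStream b = new ByteArrayOutputStream();
            b.write(OLE_MAGIC);
            b.write(new byte[504]);
            b.write(FLASH_CLSID_BIN);
            b.write("http://example.invalid/movie.swf".getBytes(StandardCharsets.UTF_16LE));
            doc = b.toByteArray();
        }
        List<String> hits = findings(doc);
        System.out.println(hits.isEmpty() ? "no Flash indicators" : "suspicious, indicators: " + hits);
    }
}
```

    Run it as `java LinkedSwfScanner suspect.doc`, or with no argument to scan the constructed sample. The matching is case-sensitive and byte-exact, so an upper-case ".SWF" or a URL split across an OLE stream boundary is missed; a production check would parse the OLE directory and the ObjectPool streams rather than scan the raw file.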

    Flashback Variant Exploits CVE-2012-0507

    The other notable vulnerability we have reported on since last month is CVE-2012-0507, which was actively exploited in the Flashback attacks that plagued Mac users. In particular, OSX_FLASHBCK.AB was found to exploit this vulnerability, which allows arbitrary code execution by a remote attacker.

    Further investigation by my colleague Sumit Soni reveals that CVE-2012-0507 is a vulnerability in the Java Runtime Environment (JRE) that breaks the type safety enforced by the bytecode verifier, a component of the Java security sandbox. The verifier guarantees the type safety imposed by the language semantics, so that untrusted code cannot access memory it should not, and every resource access is one the code itself explicitly requests.

    To be more specific, this is a type safety vulnerability in the AtomicReferenceArray class implementation. AtomicReferenceArray ensures that its array cannot be updated simultaneously by different threads, but it did not check that the array it holds after deserialization is actually of the expected Object[] type. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine (JVM) or bypass the Java sandbox restrictions: an attacker manually constructs a serialized object graph that places an array of any element type into an AtomicReferenceArray instance, then calls AtomicReferenceArray.set() to write an arbitrary reference into it, violating type safety.

    Exploiting this vulnerability allows a Java applet to bypass the JVM sandbox restrictions and execute with full privileges. It is easy to exploit because it is a logic flaw in library code shipped with the vulnerable JRE rather than a memory corruption bug, and it affects a wide range of web browsers and platforms, including Windows, Linux, OS X, and Solaris.
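    The following is an added example written for this page, not JDK, Flashback or Trend Micro code, that reproduces the bug class just described in a hypothetical holder class. UncheckedRefArray keeps a private Object[] that is never validated after deserialization and writes to it through sun.misc.Unsafe, which skips the JVM's array store check; because Java arrays are covariant, a String[] can be serialized into that Object[] field, and set() then plants an Integer inside it. CheckedRefArray adds the readObject() validation the JDK fix applied to AtomicReferenceArray, rejecting any array whose runtime class is not exactly Object[]. Access to Unsafe via the theUnsafe field is an assumption that holds on OpenJDK 8 through 17; the class and method names are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import sun.misc.Unsafe;

// Added illustration of the CVE-2012-0507 bug class; not JDK, Flashback or Trend Micro code.
public class ArrayTypeConfusionDemo {

    // Hypothetical stand-in for the vulnerable shape: a Serializable holder of a private
    // Object[] that is never validated after deserialization and whose set() writes through
    // sun.misc.Unsafe, which skips the JVM's covariant array-store check.
    static class UncheckedRefArray implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Object[] array;

        UncheckedRefArray(Object[] array) { this.array = array; }

        void set(int i, Object value) {
            Unsafe u = unsafe();
            long off = u.arrayBaseOffset(Object[].class) + (long) i * u.arrayIndexScale(Object[].class);
            u.putObjectVolatile(array, off, value);   // no ArrayStoreException even when array is a String[]
        }

        Object get(int i) { return array[i]; }
        Class<?> arrayClass() { return array.getClass(); }
    }

    // Hardened variant: after defaultReadObject(), refuse any array whose runtime class is
    // not exactly Object[], the same check the JDK added to AtomicReferenceArray.
    static class CheckedRefArray implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Object[] array;

        CheckedRefArray(Object[] array) { this.array = array; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (array == null || array.getClass() != Object[].class) {
                throw new InvalidObjectException("Not array type");
            }
        }
    }

    // Assumption: the theUnsafe singleton is reachable by reflection (OpenJDK 8 to 17).
    static Unsafe unsafe() {
        try {
            Field f = Unsafe.class.getDeclaredField("theUnsafe");
            f.setAccessible(true);
            return (Unsafe) f.get(null);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("sun.misc.Unsafe is not reachable on this JDK", e);
        }
    }

    // Serialize and deserialize in-process; the real attack fed the JVM a hand-built stream.
    @SuppressWarnings("unchecked")
    static <T> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (T) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Array covariance lets a String[] sit in the Object[] field, so the stream carries a String[].
        UncheckedRefArray bad = roundTrip(new UncheckedRefArray(new String[1]));
        bad.set(0, Integer.valueOf(42));
        System.out.println("unchecked: a " + bad.arrayClass().getSimpleName()
                + " now holds a " + bad.get(0).getClass().getSimpleName());

        // A plain Java store into a String[] seen as Object[] is rejected by the JVM at runtime.
        try {
            Object[] plain = new String[1];
            plain[0] = Integer.valueOf(42);
        } catch (ArrayStoreException e) {
            System.out.println("plain store: " + e);
        }

        // The hardened holder accepts a real Object[] and rejects the disguised String[].
        roundTrip(new CheckedRefArray(new Object[1]));
        try {
            roundTrip(new CheckedRefArray(new String[1]));
        } catch (InvalidObjectException e) {
            System.out.println("checked: rejected, " + e.getMessage());
        }
    }
}
```

    Compile with `javac ArrayTypeConfusionDemo.java` (javac warns that sun.misc.Unsafe is an internal API) and run with `java ArrayTypeConfusionDemo`. The unchecked holder ends up with an Integer reachable through a String[] reference, which is exactly the confused state the Flashback exploit extended to a ClassLoader[] to escape the sandbox; the checked holder fails closed at deserialization, before any write can happen.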

    Trend Micro protects users from this threat via the Trend Micro™ Smart Protection Network™, which detects and deletes the related malware. Trend Micro Deep Security also protects users via rule 1004955 – Oracle Java SE Remote Java Runtime Environment Vulnerability (CVE-2012-0507).

    Update as of May 11, 2012, 7:55 AM PST

    Rule 1005019 – Restrict Microsoft Office File With Linked SWF has been issued to protect against attacks exploiting CVE-2012-0779.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice