
    Author Archive - Abigail Pichel (Technical Communications)




    Adobe has just released an update to address a vulnerability found in its Flash Player browser plug-in. In its security advisory (APSB15-14), Adobe notes that this vulnerability “is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”

    The critical flaw (CVE-2015-3113) could potentially allow an attacker to take control of the affected system. The affected software versions are the following:

    • Adobe Flash Player 18.0.0.161 and earlier versions for Windows and Mac
    • Adobe Flash Player Extended Support Release version 13.0.0.292 and earlier 13.x versions for Windows and Macintosh
    • Adobe Flash Player 11.2.202.466 and earlier 11.x versions for Linux

    Adobe has stated that the latest version of Flash Player Desktop Runtime for Windows and Mac (v. 18.0.0.194) will address this issue. Users who may be unsure of the version of their Flash software may use this link to check.
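The three affected ranges above (plus the fixed desktop version) are easy to get wrong when checked as strings, because "9.0.0.0" sorts after "18.0.0.161" lexically. The following is an added example, not code from the Trend Micro post or from Adobe: it encodes the APSB15-14 ranges exactly as the post quotes them and classifies an inventory record as affected, not affected, or not listed. The platform names and the shape of the inventory record are this example's own assumptions.

```python
"""Added example (not from the Trend Micro post or Adobe): classify an installed
Flash Player version against the affected ranges quoted for APSB15-14 / CVE-2015-3113.
The version boundaries are taken from the post; the platform keys and the
'not listed' outcome are assumptions made for this example."""

from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Last vulnerable version per platform and branch, as quoted in the post.
# A branch of None means "any branch not matched by an earlier entry"
# (e.g. a hypothetical 17.x desktop build falls under "18.0.0.161 and earlier").
AFFECTED_RANGES = {
    "windows": [(13, "13.0.0.292"), (None, "18.0.0.161")],  # ESR 13.x, then desktop runtime
    "mac":     [(13, "13.0.0.292"), (None, "18.0.0.161")],
    "linux":   [(11, "11.2.202.466")],                       # 11.x for Linux only
}
FIXED_DESKTOP_VERSION = "18.0.0.194"  # version the post says addresses the issue


def parse_version(text: str) -> Version:
    """Turn '18.0.0.161' into (18, 0, 0, 161) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(platform: str, installed: str) -> str:
    """Return 'affected', 'not affected' or 'not listed' for an installed version.

    'not listed' means the advisory text gives no range for this platform/branch
    (for instance an 18.x build on Linux), so it must not be read as 'safe'."""
    v = parse_version(installed)
    ranges: List[Tuple[Optional[int], str]] = AFFECTED_RANGES.get(platform.lower(), [])
    for branch, last_vulnerable in ranges:
        if branch is not None and v[0] != branch:
            continue  # this entry only covers one major branch (ESR 13.x, Linux 11.x)
        return "affected" if v <= parse_version(last_vulnerable) else "not affected"
    return "not listed"


if __name__ == "__main__":
    # Constructed inventory lines: (host, platform, version)
    inventory = [
        ("ws-01", "windows", "18.0.0.161"),
        ("ws-02", "windows", FIXED_DESKTOP_VERSION),
        ("mac-01", "mac", "13.0.0.292"),
        ("lx-01", "linux", "11.2.202.466"),
    ]
    for host, plat, ver in inventory:
        print(f"{host:8} {plat:8} {ver:14} {assess(plat, ver)}")
```

The first-match rule matters: a 13.x ESR build that is newer than 13.0.0.292 is reported as not affected even though it is numerically below 18.0.0.161, which is how the advisory's separate ESR line should be read.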

Adobe Flash Player on Google Chrome and on Internet Explorer for Windows 8.1 and later should update automatically to the latest version. Updates, including those for Windows XP, are also available in the Adobe Flash Player Download Center. We would also recommend that users enable automatic updates wherever possible, so that their applications are patched as soon as a fix is released.

    We will update this entry should any additional information be made available.

    Update as of June 24, 2015, 8:12 A.M. (PDT):

    Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006810 – Adobe Flash Player Heap Buffer Overflow Vulnerability (CVE-2015-3113)

    More information can also be found in our entry, New Adobe Zero-Day Shares Same Root as Older Flaws.

    Update as of June 26, 2015, 3:10 P.M. PDT (UTC-7):

Trend Micro solutions are available to help protect users against threats that may leverage this vulnerability. Endpoint products detect malware that attempts to exploit this vulnerability as SWF_EXPLOYT.S. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.

    Below are the SHA1 hashes related to this threat:

    • 5f6a2521c6bfd5becfefc3a3db74d0a23d382f0e
    • 5f28787f60c5f8d9f3aa9163975422d1ff55f460
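A defender who receives file hashes like the two above usually wants to sweep a file share or quarantine folder for them. The block below is an added example, not code from the Trend Micro post: it streams files through SHA1 and reports any whose digest is in the indicator set. The two indicators are the ones quoted above; the sample files, their contents and the directory layout are constructed for the demonstration.

```python
"""Added example (not from the Trend Micro post): sweep a directory tree for files
whose SHA1 matches the indicators quoted for SWF_EXPLOYT.S / CVE-2015-3113.
The two hashes are from the post; sample files below are constructed."""

import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set

# SHA1 indicators as quoted in the post (lower-case hex).
IOC_SHA1: Set[str] = {
    "5f6a2521c6bfd5becfefc3a3db74d0a23d382f0e",
    "5f28787f60c5f8d9f3aa9163975422d1ff55f460",
}


def sha1_of_bytes(data: bytes) -> str:
    """SHA1 hex digest of an in-memory buffer (used for small constructed samples)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA1 so large files never have to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: Iterable[str] = IOC_SHA1) -> Dict[str, str]:
    """Walk ``root`` and return {path: sha1} for every file whose SHA1 is in ``iocs``.

    Indicators are normalised to lower case so a hash pasted in upper-case hex still
    matches. Files that cannot be read are skipped rather than aborting the sweep."""
    wanted = {h.strip().lower() for h in iocs}
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha1_of_file(p)
            except OSError:
                continue  # permission denied, vanished file, etc.
            if digest in wanted:
                hits[str(p)] = digest
    return hits


def demo() -> Dict[str, object]:
    """Build a constructed tree and run the sweep twice: once against the real
    indicators (no constructed file should match) and once with the sample's own
    hash added in upper case, which must match exactly one path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"constructed benign sample\n")
        sample = root / "sub" / "sample.swf"
        sample.parent.mkdir()
        sample.write_bytes(b"constructed stand-in for a suspicious SWF\n")
        real_hits = scan_tree(root)
        demo_hits = scan_tree(root, IOC_SHA1 | {sha1_of_file(sample).upper()})
        return {
            "real_ioc_hits": len(real_hits),
            "demo_hits": sorted(demo_hits),
            "demo_hit_is_sample": list(demo_hits) == [str(sample)],
        }


if __name__ == "__main__":
    print(demo())
```

Hash matching is exact by design: a single changed byte in a re-packed sample produces a different digest, which is why the post pairs the hashes with behavioural detection (Script Analyzer) rather than relying on hashes alone.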



    This month’s Patch Tuesday can be considered lighter than last month’s, with only eight security bulletins released for June. Of the eight, two are considered Critical while the remaining are rated Important.

Just like last month, there is a critical, cumulative update for Internet Explorer. MS15-056 aims to resolve vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. According to the bulletin, the patch addresses the vulnerability by:

    • Preventing browser histories from being accessed by a malicious site
    • Adding additional permission validations to Internet Explorer
    • Modifying how Internet Explorer handles objects in memory

The first bullet point above is worth paying attention to. Previously, it was possible for an attacker to lure a victim to a malicious (or compromised) website and then access the user’s browser history. Many users would understandably find this disclosure troubling. This vulnerability has now been patched, and there are no indications that it was exploited in the wild.

The second critical update addresses a vulnerability found in Windows, specifically in Windows Media Player (MS15-057). The vulnerability could allow remote code execution if a specially crafted file is opened in Windows Media Player. The remaining six patches address vulnerabilities that affect several Windows components, Microsoft Office, and Microsoft Exchange Server.

More information about these bulletins and their corresponding Trend Micro solutions is posted on our Threat Encyclopedia page: June 2015 – Microsoft Releases 8 Security Advisories.

    Update for Adobe

    Adobe has also released a security update (APSB15-11) for Adobe Flash Player for Windows, Macintosh, and Linux. According to Adobe, the updates “address vulnerabilities that could potentially allow an attacker to take control of the affected system.”

    We urge users to patch their endpoints and servers as soon as possible. Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:

• 1006657 – Adobe Flash Player Remote Integer Overflow Vulnerability (CVE-2014-0569) – 2
• 1006745 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1687)
• 1006747 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1730)
• 1006748 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1731)
• 1006749 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1732)
• 1006751 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1735)
• 1006752 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1736)
• 1006753 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1737)
• 1006755 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1740)
• 1006756 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1741)
• 1006757 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1742)
• 1006758 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1744)
• 1006759 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1745)
• 1006760 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1747)
• 1006761 – Microsoft Internet Explorer Elevation Of Privilege Vulnerability (CVE-2015-1748)
• 1006762 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1750)
• 1006763 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1751)
• 1006764 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1752)
• 1006765 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1753)
• 1006766 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1755)
• 1006767 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1766)
• 1006769 – Microsoft Office Use After Free Vulnerability (CVE-2015-1759)
• 1006770 – Microsoft Office Use After Free Vulnerability (CVE-2015-1760)
• 1006771 – Microsoft Office Uninitialized Memory Use Vulnerability (CVE-2015-1770)
• 1006772 – Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3096)
• 1006773 – Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3098)
• 1006774 – Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3099)
• 1006775 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2015-3100)
• 1006776 – Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3102)
• 1006777 – Adobe Flash Player Use After Free Vulnerability (CVE-2015-3103)
• 1006778 – Adobe Flash Player Integer Overflow Vulnerability (CVE-2015-3104)
• 1006779 – Adobe Flash Player Out Of Bound Write Vulnerability (CVE-2015-3105)
• 1006780 – Adobe Flash Player Use After Free Vulnerability (CVE-2015-3106)
• 1006781 – Adobe Flash Player Memory Corruption Vulnerability (CVE-2015-3108)
• 1006782 – Microsoft Windows HTML Application Denial Of Service Vulnerability

Posted in Vulnerabilities



    Ransomware continues to make waves, especially with the rise of file-encrypting ransomware like CryptoLocker. However, we are seeing yet another alarming development for this malware: it is now targeting mobile devices.

    Reveton Makes a Comeback

    In early May, it was reported that this mobile ransomware was the product of the Reveton gang. Reveton was one of the many cybercrime groups that spread police ransomware, which hit Europe and the U.S. and consequently spread to the other parts of the world.

It now appears that these cybercrime groups have decided to include mobile users among their intended victims. Our earlier efforts resulted in some of those behind these attacks being arrested, but not all of these cybercriminals are now behind bars – and some have expanded their efforts into mobile malware.

    This is detected as ANDROIDOS_LOCKER.A and can be downloaded through a specific URL. The domain contains words like “video” and “porn,” which can give an idea of how users wound up on the site.

The malware monitors screen activity while the device is active. Based on the analysis of its code, it tries to place its own UI on top of the screen whenever the device is unlocked. Users cannot uninstall the malicious app through the normal means, because the system settings UI, and even the antivirus UI, is always “covered” by the malware’s UI.

It also tries to connect to several URLs that are its command-and-control servers. These are currently inaccessible; however, one URL was found to display pornographic content. The ransomware appears to be capable of sending information to these C&C servers, albeit in a limited way, because it requests only a few permissions.

    These URLs are hosted in two IP addresses located in the U.S. and in the Netherlands. Further analysis reveals that these IP addresses also host other malicious URLs, though not related to this particular malware.

    The Continued Migration to Mobile and Best Practices

Over the last couple of years, “desktop” malware has continued to make its way to mobile endpoints. We reported last March that we encountered Bitcoin-mining malware that targets Android devices. To avoid these threats, we strongly suggest that you disable your device’s ability to install apps from sources outside of Google Play. Also double-check the developer of any app you want to download, and read the app reviews carefully to verify the app’s legitimacy.

    This setting can be found under Security in the system settings of Android devices. On-device security solutions (like Trend Micro Mobile Security) provide an additional layer of protection that detects even threats which arrive outside of authorized app stores.

    With additional analysis from Yang Yang and Paul Pajares




This month’s Patch Tuesday features eight bulletins, the most released in a single month so far this year. Out of the eight bulletins, two are rated as ‘critical’ and the remaining six, ‘important.’ While Microsoft may have released an out-of-band update for Windows XP to address a (then) zero-day vulnerability, updates for that OS are noticeably absent from this rollout.

    Aside from the eight bulletins, this Patch Tuesday also includes the out-of-band security patch that was released two weeks ago addressing an Internet Explorer zero-day vulnerability. But that isn’t the only update concerning Internet Explorer. One of the two ‘critical’ updates, MS14-029, addresses two privately reported vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

    The second ‘critical’ update (MS14-022) addresses multiple vulnerabilities in Microsoft Office server and productivity software. According to Microsoft, “[t]he most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.”

Two updates address vulnerabilities concerning Microsoft Office. MS14-023 resolves vulnerabilities that could allow remote code execution if a user opens an Office file located in the same network directory as a specially crafted library file. MS14-024, meanwhile, resolves a vulnerability that could allow a security feature bypass if a user “views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer.” The remaining updates address vulnerabilities that could allow elevation of privilege and denial of service if exploited.

    Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page for further information. Two rules for Trend Micro Deep Security and Trend Micro Intrusion Defense Firewall plugin for OfficeScan have also been created and are available for use by system administrators:

    • 1006034 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0310)
    • 1006056 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815)

    Update as of 7:26 PM, June 12, 2014

Adobe has also released security updates to address vulnerabilities affecting Adobe Flash Player. If these vulnerabilities are successfully exploited, remote attackers can potentially take control of the system. We highly advise users to update their Adobe Flash Player to version 13.0.0.214.

Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:

    • 1006062 – Adobe Acrobat And Reader Use-after-free Vulnerability (CVE-2014-0527)
    • 1006070 – Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515) – 1
    • 1006066 – Adobe Reader Unspecified Security Bypass Vulnerability (CVE-2014-0512)
Posted in Vulnerabilities | May 2014 Patch Tuesday Rolls Out 8 Bulletins



    Adobe has released a security advisory regarding a zero-day vulnerability (CVE-2014-0515) found in the program Adobe Flash. According to the advisory, the updates pertain to “Adobe Flash Player 13.0.0.182 and earlier versions for Windows, Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh and Adobe Flash Player 11.2.202.350 and earlier versions for Linux.”

    Adobe has also acknowledged that an exploit for this zero-day exists, targeting Flash players on the Windows platform. If exploited, the zero-day could allow a remote attacker to take control of the system.

Users should install the update as soon as they can. They can check the version of Flash installed through a page on the Adobe website. Updates for Flash in Internet Explorer and Google Chrome are applied automatically, but you may need to restart the browser. Users who rely on browsers other than Internet Explorer will need to install the update twice (once for IE and once for the other browser). Microsoft has also released a security advisory related to this vulnerability. When downloading updates, we encourage users to rely on Adobe’s official site, as fake “Adobe updates” are often used by attackers to deliver malware and other threats to users.

    We will continue to monitor this threat and provide new information as necessary.

    Update as of May 2, 2014, 4:00 AM PDT

    We have obtained samples of this attack in the wild. We detect these malicious files as SWF_EXPLOIT.RWF. We believe that this is being used in targeted attacks, as a specific version of Cisco MeetingPlace Express has to be installed for this attack to work.

In addition to detecting these malicious files, our browser exploit prevention technology (present in Titanium 7) has rules that proactively detect websites that contain exploits related to this vulnerability. Products with the ATSE (Advanced Threats Scan Engine), such as Deep Discovery, have heuristic rules which detect attacks using this vulnerability. These attacks have been detected as HEUR_SWFJIT.B with ATSE pattern 9.755.1107 since April 22.

    Update as of May 07, 2014, 10:48 P.M. PDT

Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released new deep packet inspection (DPI) rules to protect against exploits leveraging this vulnerability:

    • 1006031 – Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515)
    • 1006044 – Restrict Adobe Flash File With Embedded Pixel Bender Objects

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice