    TrendLabs Security Intelligence Blog

    Author Archive - Abigail Pichel (Technical Communications)




    Microsoft has released a security advisory announcing a zero-day vulnerability affecting Microsoft Word. The company states that there are “limited, targeted attacks directed at Microsoft Word 2010.” If exploited, this vulnerability (CVE-2014-1761) could allow a remote attacker to execute arbitrary code via specially crafted files and email messages.

    Microsoft has also released preliminary details of the vulnerability and of how it is being exploited. The vulnerability is triggered when a user opens a malicious RTF file in Microsoft Word, or previews or opens a malicious RTF email message in Microsoft Outlook with Microsoft Word set as the email viewer. Note that Microsoft Word is the default email reader for Outlook 2007, Outlook 2010, and Outlook 2013, so in a default configuration the Outlook preview pane alone is enough to trigger the exploit.

    Microsoft’s initial advisory includes several workarounds, among them blocking Word from opening RTF files at all and forcing Word to open RTF files only in Protected View. A Fix it tool that disables the opening of RTF content in Word has also been made available to help address the vulnerability while Microsoft works on a permanent patch.
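
    One practical caveat to the workaround, as an added example that is not part of the original post or of Microsoft’s advisory: Word picks its parser from the file’s content, not its extension, so a crafted RTF renamed to .doc is still parsed as RTF. A gateway rule that blocks only “*.rtf” attachments therefore misses exactly the files a File Block setting would catch. The Python below, with constructed sample attachments and hypothetical file names, classifies attachments by format signature instead:

```python
"""Content-based RTF blocking for a mail gateway or file filter.

Added example, not code from the TrendLabs post or from Microsoft's
workaround. It assumes the filter already has the decoded attachment
bytes. Word chooses its parser from the file's content, not its
extension, so a crafted RTF renamed to .doc is still parsed as RTF and
an extension-only rule misses it. Matching the format signature, the way
Office File Block does, closes that gap. Sample attachments below are
constructed for illustration.
"""
from __future__ import annotations

RTF_MAGIC = b"{\\rtf"                              # RTF header: {\rtf1 ...
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # binary .doc (compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx (OOXML is a ZIP container)


def sniff_format(data: bytes) -> str:
    """Classify by signature. Leading whitespace is skipped so a file padded
    to defeat a naive prefix check is still flagged (err toward blocking)."""
    head = data.lstrip()
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def should_block_rtf(name: str, data: bytes) -> tuple[bool, str]:
    """Return (block?, reason). The decision is made on content, so the
    extension is only used to explain the verdict."""
    fmt = sniff_format(data)
    ext = extension_of(name)
    if fmt == "rtf":
        if ext != "rtf":
            return True, f"RTF content disguised as .{ext or '(none)'}"
        return True, "RTF attachment"
    return False, f"{fmt} content, not RTF"


# Constructed samples: an extension rule would catch only the first one.
SAMPLES = [
    ("invoice.rtf", b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\f0 hello}"),
    ("invoice.doc", b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\f0 hello}"),
    ("padded.doc",  b"   \r\n{\\rtf1\\ansi hello}"),
    ("legacy.doc",  OLE2_MAGIC + b"\x00" * 24),
    ("modern.docx", ZIP_MAGIC + b"\x14\x00\x06\x00"),
]


def triage(samples=SAMPLES) -> list[tuple[str, bool, str]]:
    """Run the filter over a batch and return (name, blocked, reason)."""
    return [(name, *should_block_rtf(name, data)) for name, data in samples]


if __name__ == "__main__":
    for name, blocked, reason in triage():
        print(f"{'BLOCK' if blocked else 'allow'}  {name:12} {reason}")
```

    The same signature check is what makes the File Block workaround effective where an extension filter is not; if you can only filter at the gateway, filter on the header bytes, not the name.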

    What’s interesting is that Microsoft Word 2003 is listed among the affected software for this vulnerability, just a couple of weeks before support for Microsoft Office 2003 ends on April 8. We advise users to upgrade to later versions of the software to continue receiving security updates.

    We are currently looking into this vulnerability and will provide further information as appropriate. Trend Micro Deep Security has released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

    • 1005990 – Microsoft Word RTF Remote Code Execution Vulnerability (CVE-2014-1761)

    Update as of April 4, 2014, 3:08 P.M. PDT

    Exploits related to this vulnerability are detected by Trend Micro as the following:

    • HEUR_RTFEXP.A
    • TROJ_ARTIEF.NSA
    • TROJ_ARTIEF.NSB




    Microsoft has released five bulletins for the month, two rated Critical and the remaining three Important. A notable inclusion in this month’s release is MS14-012, which addresses the Internet Explorer zero-day vulnerability (CVE-2014-0322) discovered last month. If exploited, the vulnerability allows attackers to compromise users through a drive-by download. It was used in targeted attacks with a “hybrid exploit,” in which the malicious code was split between JavaScript and Adobe Flash.

    The other Critical bulletin is MS14-013, which fixes a vulnerability in DirectShow, the Windows multimedia API, that could allow remote code execution via specially crafted image files. MS14-014, meanwhile, addresses a security feature bypass in Microsoft Silverlight for both Windows and Mac users. Though Silverlight is no longer being actively developed by Microsoft, support for it will continue until October 2021.

    Two vulnerabilities, CVE-2014-0300 and CVE-2014-0323, are addressed by MS14-015. Both are elevation-of-privilege flaws in a Windows kernel-mode driver: an attacker who can already log on to the system and run a specially crafted application could gain higher privileges. MS14-016 fixes a security feature bypass in the Security Account Manager Remote (SAMR) protocol that could allow an attacker to make repeated attempts to match a password against a user account without triggering the account lockout policy.

    This month’s Patch Tuesday marks the looming end of support for Windows XP. Starting in April, Windows XP will no longer receive security patches, leaving those systems exposed to every vulnerability found afterward. We recommend that users update to a newer version of Windows to continue receiving protection via security patches.

    Adobe has also released updates in time for Patch Tuesday, with security updates for Adobe Flash Player.

    We encourage users to apply these updates as soon as possible. Additional information may also be found on the Trend Micro Threat Encyclopedia page. Appropriate rules for Trend Micro Deep Security have also been created and are available for use by system administrators.





    This month’s Patch Tuesday features seven bulletins, with four rated as critical. Updates for Internet Explorer take the spotlight as one bulletin, MS14-010, addresses 24 vulnerabilities in Internet Explorer. These vulnerabilities could result in remote code execution, which could allow an attacker the same user rights as the current user.

    A second bulletin, MS14-007, addresses a separate vulnerability in Direct2D that can lead to remote code execution when a user opens a malicious website in Internet Explorer or opens a malicious email attachment.

    Also rated Critical, and of most importance for most users, is MS14-011, which patches a vulnerability in the VBScript scripting engine. If exploited, this could likewise lead to remote code execution.

    The fourth Critical bulletin, MS14-008, affects Microsoft Forefront Protection for Exchange. While this product is now discontinued, Microsoft has committed to security updates for it until December 2015. The three other bulletins released today were rated Important by Microsoft.

    Other vendors have also been busy patching flaws in their software. Last week, Adobe released a patch for Flash Player to address vulnerabilities reported as exploited in the wild, and this week Shockwave Player received an update as well.

    Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page for further information. Appropriate rules for Trend Micro Deep Security have also been created and are available for use by system administrators.




    The first Patch Tuesday of the year is relatively light, with Microsoft rolling out only four bulletins for the month. Despite the small number, users should update their systems promptly to avoid threats that leverage these vulnerabilities.

    Included in this month’s release are updates for three privately reported vulnerabilities found in Microsoft Office. If exploited, these vulnerabilities could allow an attacker to gain the same user rights as the current user. Such access could prove damaging, especially to those with administrative user rights.

    This month’s release also addresses two vulnerabilities that deal with elevation of privilege. The last bulletin addresses an issue affecting Microsoft Dynamics AX that can allow denial of service if the vulnerability is exploited.

    January 2014 marks one of the last months in which Windows XP will receive patches. As previously reported, Microsoft is ending support for this OS in April 2014, only a few months away. Users and enterprises should seriously consider migrating to later versions of Windows to continue receiving patches for vulnerabilities.

    Two other tech companies have also released patches and updates. Oracle has rolled out a Critical Patch Update containing 144 new vulnerability fixes for multiple products. Adobe, meanwhile, released fixes for Adobe Flash Player, Adobe Reader, and Adobe Acrobat.

    Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page.




    We recently came across a CryptoLocker variant that had one notable feature—it has propagation routines.

    Analysis of the malware, detected as WORM_CRILOCK.A, shows that it can spread via removable drives. This is significant because no other known CRILOCK variant has had a propagation routine; with one, the malware can move from machine to machine on its own instead of depending entirely on its initial delivery mechanism.

    Aside from its propagation technique, the new malware differs from known CryptoLocker variants in how it arrives. Rather than relying on a downloader (often UPATRE) to infect systems, it poses as an activator for software such as Adobe Photoshop and Microsoft Office on peer-to-peer (P2P) file-sharing sites. Uploading the malware to P2P sites lets the attackers infect systems without having to create and send spammed messages.

    Further analysis of WORM_CRILOCK reveals another stark difference from previous variants: it does not use a domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware. Hardcoded URLs can be pulled straight out of a sample, which makes the related malicious URLs easier to detect and block, whereas a DGA lets cybercriminals evade blocking by cycling through a large number of potential domains. This could mean that the malware is still being refined and improved, and we can expect later variants to gain DGA capability.
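
    To make the hardcoded-versus-DGA contrast concrete, here is an added example (not from the original post, and not CryptoLocker’s actual algorithm): a constructed byte blob stands in for a sample containing URL literals, a toy date-seeded generator stands in for a DGA, and all hostnames use the reserved .invalid TLD. It shows that a strings-style sweep of one hardcoded sample yields a blocklist that covers every copy of that variant, while a blocklist built from one day of observed DGA domains covers none of the next day’s domains until the algorithm and seed are recovered:

```python
"""Hardcoded C&C versus a DGA, from the defender's side.

Added example, not from the TrendLabs post. SAMPLE_BLOB is a constructed
stand-in for a binary with embedded URL literals, toy_dga is an
illustrative generator (not CryptoLocker's real algorithm), and every
hostname uses the reserved .invalid TLD.
"""
from __future__ import annotations

import hashlib
import re
from datetime import date, timedelta
from urllib.parse import urlsplit

# URL literal: scheme, host, optional port, optional path up to a NUL/quote/space.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\x00\"'<>]*)?")


def extract_hardcoded_urls(blob: bytes) -> list[str]:
    """strings(1)-style sweep for URL literals embedded in a binary."""
    return sorted({m.group(0).decode("ascii") for m in URL_RE.finditer(blob)})


def hosts_of(urls: list[str]) -> list[str]:
    """Reduce URLs to the hostnames a DNS or proxy blocklist would carry."""
    return sorted({urlsplit(u).hostname for u in urls})


def toy_dga(seed: str, day: date, count: int, tld: str = "invalid") -> list[str]:
    """Toy date-seeded DGA: `count` fresh domains per day, 12-hex-char labels."""
    return [
        hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()[:12]
        + "." + tld
        for i in range(count)
    ]


def block_rate(domains: list[str], blocklist: set[str]) -> float:
    """Fraction of callback domains the blocklist would stop."""
    return sum(d in blocklist for d in domains) / len(domains)


# Constructed "sample": PE-ish header bytes with two C&C URLs among the strings.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://panel.example.invalid/index.php\x00"
    + b"\x00" * 8 + b"httpd.conf\x00"            # a string, but not a URL
    + b"http://c2.example.invalid:8080/gate.php\x00"
    + b"\xde\xad\xbe\xef"
)
SEED = "crilock-demo"       # hypothetical seed, assumed known to the malware only
DAY0 = date(2014, 1, 1)


def compare(seed: str = SEED, day0: date = DAY0, count: int = 50) -> dict[str, float]:
    # Hardcoded variant: one analyzed sample gives the complete C&C set.
    hard_hosts = hosts_of(extract_hardcoded_urls(SAMPLE_BLOB))
    hard_blocklist = set(hard_hosts)
    # DGA variant: the defender has only seen day-0 domains (sandbox/sinkhole).
    seen_day0 = set(toy_dga(seed, day0, count))
    day1 = toy_dga(seed, day0 + timedelta(days=1), count)
    # Once algorithm and seed are reverse-engineered, day 1 is predictable.
    predicted_day1 = set(toy_dga(seed, day0 + timedelta(days=1), count))
    return {
        "hardcoded_blocked": block_rate(hard_hosts, hard_blocklist),
        "dga_next_day_blocked_from_observation": block_rate(day1, seen_day0),
        "dga_next_day_blocked_after_reversing": block_rate(day1, predicted_day1),
    }


if __name__ == "__main__":
    print("hardcoded C&C hosts:", hosts_of(extract_hardcoded_urls(SAMPLE_BLOB)))
    for name, rate in compare().items():
        print(f"{name}: {rate:.0%}")
```

    The last figure is the flip side of the post’s point: a DGA only stays ahead of defenders until it is reverse-engineered, after which its future domains can be pre-registered or sinkholed. Hardcoded servers never give the attacker that window, which is why a variant that drops the DGA is easier to contain.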

    The differences between this particular CRILOCK variant and the others have led some researchers to believe that this malware is the product of a copycat. Regardless of its creator, WORM_CRILOCK.A shows that this could become the new favored attack method of cybercriminals.

    Users should avoid obtaining software from P2P sites and should always download it from official and/or reputable sources. Given WORM_CRILOCK’s ability to spread via removable drives, users should also exercise caution with flash drives and the like, and should never plug their drives into unfamiliar or untrusted machines. Our blog entry, Defending Against CryptoLocker, discusses at length additional ways of protecting a computer and a network against CryptoLocker malware.

    Trend Micro uses AEGIS (behavior monitoring) to detect and block all threats related to this malware. For more information on ransomware’s background, you may visit this page. You may also refer to our FAQ page on Cryptolocker for a more comprehensive view about the malware.

    With additional insights from Mark Manahan and Jimelle Monteser 




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice