Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    December 2014
    S M T W T F S
    « Nov    
     123456
    78910111213
    14151617181920
    21222324252627
    28293031  
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Bernadette Irinco (Technical Communications)




    Patch-Tuesday_gray14 security bulletins addressing vulnerabilities in Internet Explorer, Microsoft Office, Microsoft Windows, Microsoft Windows Object Linking and Embedding (OLE), and Microsoft .NET Framework among others. Out of these security bulletins, four are tagged as Critical and 8 are rated as Important.

    One of the notable bulletins is MS14-065, which fixes several vulnerabilities in Internet Explorer. All supported versions of the browser are affected by these vulnerabilities, which could lead to remote code execution.

    Another crucial bulletin is MS14-064 that resolves vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE), including those covered in CVE-2014-6352, related to Sandworm attacks. This CVE was released because a new exploit reportedly bypassed the security update for CVE-2014-4114. Last October, Microsoft patched vulnerabilities in CVE-2014-4114, however, after a week new attacks leveraging these vulnerabilities were seen in the wild.

    Server administrators should be especially concerned about MS14-066 as well. This vulnerability in Microsoft Schannel (the implementation of SSL/TLS in Windows) has a significant vulnerability that allows for attackers to run code on an effected system if specially crafted packets are sent to it. This attack can be compared to Shellshock, which could be exploited using a similar method.

    Aside from Microsoft, Adobe also released a security update for Adobe Flash Player that could lead to an attacker taking control on the affected systems. As such, users are advised to update to the latest version of Adobe Flash Player.

    Users are recommended to apply these patches immediately for these vulnerabilities. Trend Micro Deep Security and Office Scan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities following DPI rules:

    • 1006324 – Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332)
    • 1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability
    • 1006291 – Microsoft Windows OLE Remote Code Execution Vulnerability -1
    • 1006292 – Microsoft Windows OLE Remote Code Execution Vulnerability Over SMB
    • 1006294 – Microsoft Windows OLE Remote Code Execution Vulnerability Over WebDAV
    • 1006315 – Microsoft Windows OLE Remote Code Execution Vulnerability -2
    • 1006321 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4143)
    • 1006330 – Microsoft Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2014-6323)
    • 1006332 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6337)
    • 1006329 – Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6339)
    • 1006333 – Microsoft Internet Explorer Cross-Domain Information Disclosure Vulnerability (CVE-2014-6340)
    • 1006334 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6341)
    • 1006331 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6342)
    • 1006340 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6343)
    • 1006341 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6344)
    • 1006338 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6347)
    • 1006335 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6348)
    • 1006336 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6351)
    • 1006337 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6353)
    • 1006327 – Microsoft Schannel Remote Code Execution Vulnerability (CVE-2014-6321)
    • 1006339 – Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2014-4118)
    • 1006323 – Microsoft Office Remote Code Execution Vulnerability (CVE-2014-6333)
    • 1006322 – Microsoft Office Bad Index Remote Code Execution Vulnerability (CVE-2014-6334)
    • 1006320 – Microsoft Office Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6335)
    • 1000552 – Generic Cross Site Scripting(XSS) Prevention
    • 1001126 – DNS Domain Blocker

    For more information on the bulletins and its corresponding Trend Micro solutions, visit the Threat Encyclopedia Page.

     
    Posted in Vulnerabilities |



    Three out of nine security bulletins in today’s Microsoft Patch Tuesday are marked as Critical while the rest are tagged as Important The patches address vulnerabilities found in Internet Explorer, and Microsoft .NET Framework, including the zero-day exploit affecting Microsoft Windows. MS14-060 discusses the Sandworm zero-day vulnerability, which was reported hours earlier.

    Based on our analysis, attackers may use this vulnerability to create/execute malware payloads, given that it not too difficult to exploit. Attackers can just know the format and create their own PowerPoint exploit. Trend Micro detects the exploit as TROJ_MDLOAD.PGTY, and its payloads as INF_BLACKEN.A and BKDR_BLACKEN.A. Currently, it is believed that this zero-day was used in cyber attacks against European sectors and industries.

    Another critical vulnerability that users need to note is MS14-056 which fixes several vulnerabilities in Internet Explorer. Once successfully exploited, this could possibly lead to remote code execution. Similarly, MS14-057, another bulletin tagged as Critical could lead to remote code execution when successfully exploited by remote attackers.

    Adobe also released security updates today to address vulnerabilities affecting certain versions of ColdFusion and Adobe Flash Player. These are covered under the following CVEs:

    • CVE-2014-0558
    • CVE-2014-0564
    • CVE-2014-0569
    • CVE-2014-0570
    • CVE-2014-0571
    • CVE-2014-0572

    We highly recommend users to patch their systems and update their Adobe products to its latest versions. The Sandworm zero-day highlights the importance of patching as this can be used by cybercriminals and threat actors to infiltrate the network and potentially steal confidential company data and other type of information.

    Trend Micro Deep Security and Office Scan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities following DPI rules:

    • 1006267 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4126)
    • 1006268 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4127)
    • 1006269 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4128)
    • 1006270 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4129)
    • 1006271 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4130)
    • 1006282 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4132)
    • 1006274 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4133)
    • 1006279 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4134)
    • 1006273 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4138)
    • 1006283 – Microsoft Word And Office Web Apps Remote Code Execution Vulnerability (CVE-2014-4117)
    • 1000552 – Generic Cross Site Scripting(XSS) Prevention
    • 1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
    • 1006291 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1

    Users may visit our Threat Encyclopedia page for more details on these security bulletins.

    Update as of October 16, 2014, 5:45 P.M.:

    The Sandworm vulnerability has been linked to attacks against specific SCADA systems. Read more about this in our post titled Sandworm to Blacken: The SCADA Connection.

     
    Posted in Malware, Vulnerabilities | Comments Off



    Patch-Tuesday_grayFor this month’s patch Tuesday, Microsoft released four security bulletins, addressing flaws found in Internet Explorer, Microsoft .NET Framework, Microsoft Windows, and Microsoft Lync server.  One bulletin is rated as ‘Critical’ while the rest are tagged as ‘Important’.

    One of the notable bulletins in this month’s cycle is MS14-052, which addresses thirty-six vulnerabilities found in Internet Explorer. IE 6 to 11 are affected by these vulnerabilities.

    MS14-053 resolves issues found in the Microsoft .NET Framework that could allow denial of service once exploited successfully by attackers. Similarly, when the vulnerabilities addressed in MS14-055 are leveraged by attackers it could also lead to denial of service. On the other hand, Adobe also plans to release security updates addressing vulnerabilities in Adobe Flash Player and Adobe Reader and Acrobat by September 15.

    Although this month’s security updates are relatively few compared to the previous months, it is highly advisable to update systems with the latest patches to protect it  from threats leveraging such vulnerabilities.

    Trend Micro Deep Security and Office Scan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage vulnerabilities discussed in MS14-052 via the following DPI rules:

    • 1006164 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)
    • 1006219 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4065)
    • 1006224 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4080)
    • 1006227 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4081)
    • 1006230 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4082)
    • 1006221 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4084)
    • 1006229 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4086)
    • 1006222 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4087)
    • 1006225 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4088)
    • 1006220 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4089)
    • 1006223 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4092)
    • 1006226 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4094)
    • 1006228 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4095)

    The rules above also protect users of Internet Explorer on Windows XP, which is no longer being supported by Microsoft.

    For more information on these security bulletins, visit our Threat Encyclopedia page.

     
    Posted in Vulnerabilities | Comments Off



    Patch-Tuesday_grayMicrosoft has rolled out nine security bulletins for their August Patch Tuesday. Two bulletins are rated as Critical, while the rest are rated as Important. Microsoft Windows, Internet Explorer, Microsoft SQL Server, and Microsoft .NET Framework are some of the affected applications that these bulletins covered.

    One of the most notable bulletins in this month’s cycle is MS14-051, which addresses 26 vulnerabilities found in Internet Explorer. The other Critical bulletin is MS14-043, which resolves problems in Windows Media Center, a component of Microsoft Windows. The vulnerabilities resolved in these bulletins, if exploited, could lead to arbitrary code being run on affected systems. Many of these vulnerabilities are in older versions of Internet Explorer (versions 6-8), which

    The bulletins rated as Important covered a wide variety of applications, including Microsoft SharePoint Server, Microsoft SQL Server, and Microsoft Windows. It’s also worth noting that from this point forward, users of Windows 8.1 and Windows Server 2012 R2 must have installed the April update to these operating systems in order to receive security updates.

    Adobe also follows the same second-Tuesday-of-the-month patching cycle as Microsoft; they released released patches for vulnerabilities affecting Adobe Reader/Acrobat and Adobe Flash Player. These vulnerabilities are covered under the following CVEs:

    • CVE-2014-0538
    • CVE-2014-0540
    • CVE-2014-0541
    • CVE-2014-0542
    • CVE-2014-0543
    • CVE-2014-0544
    • CVE-2014-0545

    Users are highly recommended to update their Adobe Flash Player and Adobe Reader and Acrobat to its latest versions. Trend Micro Deep Security and Office Scan with Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities discussed in MS14-051 via the following DPI rules:

    • 1006175 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2823)
    • 1006176 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2824)
    • 1006165 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4050)
    • 1006177 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4057)
    • 1006166 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4063)

    We encourage users to immediately apply these patches on their systems. For more information on these security bulletins, visit our Threat Encyclopedia page.

     
    Posted in Vulnerabilities | Comments Off



    While new threats are emerging that hit new avenues or targets like PoS systems and cryptocurrencies, old threats like phishing remains to be an effective means of gathering user data. A simple spam email that leverages holidays, online shopping, release of anticipated gadgets, and hot/current news items can redirect unsuspecting users to survey scams and phishing pages that ask for their credentials and personal identifiable information (PII). A very recent example of this is the attacks we saw leveraging the interest around the World Cup.

    Phishing pages often mimicked legitimate banks’ websites to trick users into thinking that they’re inputting their information to the real banks or companies. As an example, the research done by Trend Micro experts on the Russian underground has revealed the amount of information gathered by a cybercriminal that “specializes” on stealing such information. On the other hand, spear phishing, a more dangerous variant of phishing, is primarily utilized for targeted attack campaigns. These malicious emails use contextually relevant subjects, and send to employees of various functions in order to penetrate the network.

    To avoid becoming victims of phishing and other nefarious threats that come with it, we created the video below to educate users on how you can spot phishing scams. It specifically looks at a phishing operation in Brazil that leveraged on the recently concluded 2014 World cup and hosted phishing site templates, malware, and victims’ personal documents in an online sharing site.

    This is the first of our Cybercrime Exposed series of videos, which aims to expose the inner workings of the latest threats today to arm users with awareness. Stay tuned for the next episodes to be released within the next few months.

    Update August 8, 2014: Check out the part 2 of our Cybercrime Exposed video series, entitled Cybercrime Exposed Part 2: When Adware Goes Bad – A Closer Look at Adware

     
    Posted in Bad Sites, Malware, Spam | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice