    TrendLabs Security Intelligence Blog

    Author Archive - Dianne Lagrimas (Technical Communications)

    While a release of seven bulletins from Microsoft is generally considered “light,” bulletin MS12-034 surprisingly addresses a number of vulnerabilities in the Windows operating system, MS Office, Silverlight, and .NET Framework. Of note, Microsoft mentions that this bulletin supersedes MS11-087, the bulletin meant to address the Win32k TrueType Font (TTF) vulnerability that was used by the DUQU malware back in November 2011. Read more on the DUQU attack in this Threat Encyclopedia page.

    As elaborated in the Microsoft blog post, MS12-034 lists several versions of affected software, since the TTF vulnerability also directly or indirectly affects each of them. Trend Micro Deep Security users can apply rules 1005009 – Win32k TrueType Font Parsing Vulnerability (CVE-2012-0159) and 1005009 – .NET Framework Buffer Allocation Vulnerability (CVE-2012-0162) to ensure protection from attacks that might use these vulnerabilities. More information on the MS vulnerabilities patched this month is found here in the Threat Encyclopedia.

    In other vulnerability news, Oracle issued a security alert that brings to attention a vulnerability in the TNS listener, which is found in several versions of the Oracle Database Server. Oracle recommends that its customers apply the workarounds found in its customer portal. The vulnerable component also affects other Oracle products such as the Oracle E-Business Suite. Trend Micro Deep Security users are protected from attacks that might use this particular vulnerability by applying rule 1004995 – Oracle Database TNS Listener Poison Attack Vulnerability.

    Lastly, Adobe released a security update for Adobe Flash Player for Windows, Macintosh, Linux, and Android operating systems. As of this writing, Trend Micro is investigating attacks that are actively using CVE-2012-0779, which is addressed by Adobe’s security update. Applying rule 1005000 – Adobe Flash Player Object Confusion Vulnerability (CVE-2012-0779) ensures protection from exploits using CVE-2012-0779.

    Update as of May 11, 2012, 7:55 AM PST

    The following additional Deep Security rules have been issued to ensure protection against attacks using some of the aforementioned vulnerabilities:

    • 1005019 – Restrict Microsoft Office File With Linked SWF has been added to protect against attacks using the vulnerability in CVE-2012-0779
    • 1004997 – Detected Too Many Oracle TNS Service Register Requests has been added to protect against attacks using the vulnerability in CVE-2012-1675
    Posted in Vulnerabilities | Comments Off

    The Flashback malware discovered last week is raising doubts over the security of the Mac platform. The Trojan, detected by Trend Micro as OSX_FLASHBCK.AB, continues to be a hot topic in the computing industry and contradicts Apple’s own claim that Mac OS is threat-proof. This attack, along with an onslaught of malware and targeted attacks, puts Apple’s self-proclaimed security into perspective.

    Flashback is not a single piece of malware but a family of Trojans and, most recently, backdoors. It was first uncovered in October 2011 masquerading as a Flash Player installer. The next variants we saw were dropped by malicious Java files that exploited Java vulnerabilities. Flashback variants typically modify the content displayed in a web browser, and they gain a foothold to do so by exploiting Java vulnerabilities.

    Specifically, OSX_FLASHBCK.AB comes from malicious Java files that exploit CVE-2012-0507. The said vulnerability has been patched for Windows environments as early as February this year. Apple released the same patch to its Mac users this month.

    Based on Trend Micro’s Smart Protection Network data below, users from the United States are the most affected by OSX_FLASHBCK.AB:


    Posted in Exploits, Mac, Malware, Vulnerabilities | Comments Off

    Microsoft today released six bulletins addressing several vulnerabilities for the month of April. Of note are the update patching Internet Explorer versions 6 through 9 and the update addressing the Windows Common Controls ActiveX control, which is used in a number of Microsoft programs such as MS Office.

    This MSRC blog entry reports that there have been some attacks using the MS12-027 vulnerability. While these attacks were not elaborated on, the report states that attackers are using specially crafted MS Office documents to exploit this vulnerability. MS Office 2007 and MS Office 2010 users can proactively protect their computers by disabling ActiveX controls via Trust Center Settings > ActiveX Settings. More details on this workaround are found in the MSRC blog.

    Note that the vulnerability described in the MS12-027 bulletin also affects several versions of Visual FoxPro, Commerce Server, BizTalk Server, as well as SQL Server. It is highly recommended to apply updates whenever possible.

    Bulletin MS12-023, on the other hand, provides protection from five identified vulnerabilities in Internet Explorer versions 6, 7, 8, and 9. This update takes a multi-layered defensive approach to the five Internet Explorer vulnerabilities. More information on the said vulnerabilities can be found in this Threat Encyclopedia page.

    Trend Micro Deep Security users are protected from attacks using MS12-023 by applying the following rules:

    • 1004970 – Microsoft Internet Explorer ‘OnReadyStateChange’ Remote Code Execution Vulnerability (CVE-2012-0170)
    • 1004971 – VML Style Remote Code Execution Vulnerability (CVE-2012-0172)
    • 1004975 – Microsoft Internet Explorer ‘selectAll’ Remote Code Execution Vulnerability (CVE-2012-0171)

    In addition, Deep Security also protects users from exploits using MS12-027 via 1004973 – MSCOMCTL.OCX RCE Vulnerability (CVE-2012-0158) and 1004977 – Microsoft Windows MSCOMCTL.OCX Remote Code Execution Vulnerability (CVE-2012-0158). Moreover, Deep Security provides a layer of protection for systems that cannot be patched or updated right away. Using its vulnerability shielding feature, systems hosting critical applications or legacy systems that cannot be updated immediately are protected from any attack using any of the vulnerabilities mentioned.

    A complete list of rules for this month’s patches is found in this Threat Encyclopedia page.

    Posted in Vulnerabilities | Comments Off

    We’re nearing the opening of the 2012 Summer Olympics, which will be held this time in London in July. As the event starts to go in full swing, cybercriminals start mounting their scams and schemes to get users to click.

    Users dreaming of watching the closing ceremonies of the London 2012 Olympics live may find hard to resist an offer in which “Visa Golden Space” supposedly invites them to join a lottery for a chance to win a travel package to the event. Note that the offer is non-existent.



    Before one could even get hired, spammers made sure you remembered your school days. They do this by way of celebrating Classmates’ Day, as seen in the message being spread below:


    Clicking on the continue link takes you to the following legitimate-looking Web page:


    After which, a download dialog box appears, prompting you to download a file to be able to see the video:


    In true spammer-malware author fashion, the downloaded file is an executable, which Trend Micro detects as a TSPY_PAPRAS variant.

    This post will be updated as more information on the analysis of the downloaded file comes in.

    Posted in Spam | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved.