    Author Archive - Pavithra Hanchagaiah (Senior Security Researcher)




    Adobe has released an out-of-band update for two critical zero-day vulnerabilities, a few days ahead of its regular monthly patch cycle. The first, a buffer overflow in Flash Player (CVE-2013-0633), can lead to remote code execution or a denial-of-service condition when exploited. It has been exploited in the wild against Windows systems through the ActiveX version of Flash Player; the attacks deceive users by embedding a malicious Flash (.SWF) file in Microsoft Word documents.

    The second vulnerability being exploited in the wild is a remote memory-corruption bug, CVE-2013-0634. Successful exploitation can likewise lead to remote code execution or an application crash. According to the Adobe advisory, these vulnerabilities are being exploited by sending crafted .SWF files as email attachments or by tricking the user into clicking a URL. Trend Micro detects these exploits as TROJ_MDROP.REF. When executed, this malware drops a backdoor detected as BKDR_PLUGAX.A, which gathers information such as the computer name, hostname and OS version, downloads and loads plugins, and sends and receives data from a malicious website, compromising the security of the system. The affected product versions are:

    • Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
    • Adobe Flash Player 11.2.202.261 and earlier versions for Linux
    • Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x
    • Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x
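    The droppers described above carry the exploit as a .SWF embedded in a Word document. The following scanner, added here as an example and not code from the original post or from Trend Micro, locates SWF headers inside an OOXML package (.docx, scanned member by member) or inside a raw byte blob such as a legacy .doc. The document it scans is constructed in the block (a minimal zip with an embedded stub SWF), and the version cut-off of 40 is an assumption used to reject random occurrences of the three-byte signature.

```python
"""Find embedded Flash (SWF) content in Office documents."""
import io
import struct
import zipfile

# SWF files start with FWS (uncompressed), CWS (zlib) or ZWS (LZMA), then a
# one-byte version and a little-endian uint32 uncompressed file length.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_swf_headers(data, max_version=40):
    """Return plausible SWF headers found anywhere in a byte buffer.

    Each hit is (offset, signature, version, declared_length). A hit is kept
    only when the version byte and length field are sane; max_version is an
    assumed cut-off that filters chance occurrences of the 3-byte signature.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            start = off + 1
            if off + 8 > len(data):
                continue
            version = data[off + 3]
            length = struct.unpack_from("<I", data, off + 4)[0]
            if 1 <= version <= max_version and length >= 8:
                hits.append((off, magic.decode(), version, length))
    return hits


def scan_document(blob):
    """Scan a document for SWF content.

    OOXML packages are zip files, so every member is scanned separately.
    Anything else (e.g. an OLE .doc) is scanned as one raw buffer; note that
    OLE stores streams in 512-byte sectors, so a header straddling a sector
    boundary can be missed and a real OLE parser is preferable in production.
    """
    results = []
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                for hit in find_swf_headers(zf.read(name)):
                    results.append((name,) + hit)
    else:
        for hit in find_swf_headers(blob):
            results.append(("<raw>",) + hit)
    return results


def make_swf_stub(signature=b"FWS", version=10, total_len=64):
    """Constructed stand-in for an SWF: a valid header followed by padding."""
    header = signature + bytes([version]) + struct.pack("<I", total_len)
    return header + b"\x00" * (total_len - len(header))


def build_sample_docx():
    """Constructed .docx-like package with an embedded OLE object holding a SWF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # 40 bytes of OLE-style header padding, then the embedded SWF.
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 40 + make_swf_stub())
    return buf.getvalue()


if __name__ == "__main__":
    for member, off, sig, ver, length in scan_document(build_sample_docx()):
        print(f"{member}: {sig} v{ver} at offset {off}, declared length {length}")
```

Any hit in a document that has no business carrying Flash is worth quarantining regardless of whether the SWF itself is identified as malicious.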

    Just last month we reported on the Java zero-day exploit employed by the Cool Exploit Kit (CEK) and the Blackhole Exploit Kit (BHEK). Oracle released a Java update to address this zero-day, and cybercriminals were quick to abuse the opportunity by distributing malware that poses as a Java update.

    Posted in Exploits, Vulnerabilities



    In the last month of the year, MySQL has been hit by a set of zero-day exploits. The set was disclosed by the researcher known as Kingcope, who published proof-of-concept (PoC) code for all of the vulnerabilities.

    The newly discovered 0-days affect MySQL in multiple ways: application crash/denial of service, privilege escalation, authentication bypass, remote root on Windows systems, and heap/stack overruns. The vendor has acknowledged the vulnerabilities, which have been assigned CVE-2012-5611, CVE-2012-5612, CVE-2012-5613, CVE-2012-5614 and CVE-2012-5615.

    Two of the critical issues (Exploit-DB 23073 and 23083) allow remote authenticated attackers to obtain a shell on a Windows system by sending specially crafted requests.

    The rest of the critical issues are:

    • (CVE-2012-5611) A stack buffer overflow triggered by sending an overly long argument to the GRANT FILE command. It lets remote attackers execute arbitrary code or crash the database; a valid username and password are required to exploit it.
    • (CVE-2012-5612) A heap buffer overflow triggered by a series of crafted commands such as USE, SHOW TABLES, DESCRIBE, CREATE TABLE, DROP TABLE, ALTER TABLE, DELETE FROM, UPDATE and SET PASSWORD. If exploited, it allows a remote, authenticated attacker with low privileges to set the current user's password to an undefined value.
    • (CVE-2012-5614) A service crash triggered by a SELECT statement that calls UpdateXML with XML containing a large number of unique, nested elements. Exploiting it also requires a valid username and password.
    • (CVE-2012-5615) A user-enumeration weakness: the error messages the server returns let remote attackers determine which usernames are valid.
    • (CVE-2012-5613) Not considered a security bug by the vendor, since it results from misconfiguration, but it lets remote authenticated users gain administrator privileges: an attacker who holds the FILE privilege can use it to create a new user with full access equivalent to the MySQL administrator.
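    The enumeration weakness (CVE-2012-5615) tells the attacker which usernames exist, but every probe still lands in the server's error log as an Access denied warning once log_warnings is set to 2 or higher. The detector below, added here as an example and not code from the original post or from Trend Micro, keys on that: it flags a client host that fails logins as many distinct users inside a short sliding window, rather than on repeated failures for one account. The log lines are constructed in the MySQL 5.5 error-log format, and the 60-second window and five-user threshold are assumptions to tune for your environment.

```python
"""Detect username enumeration against MySQL from its error log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# MySQL 5.5-style warning written for each failed login when log_warnings >= 2.
ACCESS_DENIED_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+\[Warning\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'\s+\(using password: (?:YES|NO)\)"
)

# Constructed sample: 10.0.0.5 cycles through usernames (enumeration),
# 10.0.0.9 merely gets root's password wrong three times (benign failure).
SAMPLE_LOG = """\
121203 10:15:01 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
121203 10:15:01 [Warning] Access denied for user 'admin'@'10.0.0.5' (using password: YES)
121203 10:15:02 [Warning] Access denied for user 'backup'@'10.0.0.5' (using password: YES)
121203 10:15:02 [Note] Event Scheduler: Loaded 0 events
121203 10:15:03 [Warning] Access denied for user 'www'@'10.0.0.5' (using password: YES)
121203 10:15:04 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)
121203 10:15:05 [Warning] Access denied for user 'test'@'10.0.0.5' (using password: YES)
121203 10:15:07 [Warning] Access denied for user 'root'@'10.0.0.9' (using password: YES)
121203 10:15:20 [Warning] Access denied for user 'root'@'10.0.0.9' (using password: YES)
121203 10:15:41 [Warning] Access denied for user 'root'@'10.0.0.9' (using password: YES)
"""


def parse_access_denied(line):
    """Return (timestamp, user, host) for an Access denied line, else None."""
    m = ACCESS_DENIED_RE.match(line)
    if not m:
        return None
    # MySQL pads single-digit hours with a space; collapse whitespace first.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%y%m%d %H:%M:%S")
    return ts, m.group("user"), m.group("host")


def detect_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Alert on hosts that fail logins as >= threshold distinct users within window.

    Returns {host: {"distinct_users": n, "users": [...], "first": ts, "last": ts}}
    describing the worst window observed for each flagged host.
    """
    events = sorted(e for e in map(parse_access_denied, lines) if e)
    recent = defaultdict(list)  # host -> failures inside the sliding window
    alerts = {}
    for ts, user, host in events:
        bucket = recent[host]
        bucket.append((ts, user))
        # Drop failures that fell out of the window; the current event stays.
        while ts - bucket[0][0] > window:
            bucket.pop(0)
        distinct = sorted({u for _, u in bucket})
        seen = alerts.get(host, {}).get("distinct_users", 0)
        if len(distinct) >= threshold and len(distinct) > seen:
            alerts[host] = {"distinct_users": len(distinct), "users": distinct,
                            "first": bucket[0][0], "last": ts}
    return alerts


if __name__ == "__main__":
    for host, info in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {info['distinct_users']} usernames "
              f"between {info['first']} and {info['last']}")
```

Newer MySQL releases use ISO-8601 timestamps and a different line layout, so the regex and the strptime format are the parts to adjust; the windowing logic is independent of the log format.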

    Posted in Exploits, Vulnerabilities



    Apart from the regular monthly patch release Microsoft issued yesterday, which included a fix for a relatively large number of vulnerabilities in Internet Explorer (MS12-037), Microsoft also reported another IE vulnerability for which no patch is available yet. Microsoft Security Advisory 2719615 identifies Microsoft XML Core Services (MSXML) as the vulnerable component. MSXML provides a set of W3C-compliant XML APIs that let developers use JScript, VBScript and Microsoft development tools to build applications that conform to the XML 1.0 standard.

    The flaw is a remote code execution vulnerability in MSXML caused by accessing a COM object in uninitialized memory. An attacker who successfully exploits it could execute arbitrary code in the context of the logged-on user.

    As mentioned above, MSXML also provides APIs for accessing certain COM objects that simplify Document Object Model tasks such as managing namespaces. An attacker can host a crafted webpage that invokes the affected MSXML APIs, which in turn access a COM object in memory that has not been initialized. The vulnerability is triggered when a user opens such a page in IE; users might be lured to these pages through clickable links in a specially crafted email or instant message.

    Trend Micro Deep Security customers should apply rule 1005061 (Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)), which blocks access to websites serving malicious webpages that invoke the affected MSXML COM objects through the vulnerable JavaScript methods. Protection for the vulnerabilities in MS12-037 is listed on this Threat Encyclopedia page. Both rules are also available for OfficeScan with the Intrusion Defense Firewall plugin.
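    A content rule of the kind described above has to decide, from page content alone, whether a script instantiating an MSXML DOM object is an ordinary XML-parsing page or an exploit page. The triage heuristic below is an added example, not Trend Micro's rule and not code from the original post: it pairs MSXML DOMDocument instantiation through ActiveXObject with the two heap-spray tells that drive-by pages of this era typically carry (long %u-escaped strings and a loop building hundreds of copies). The ProgID list, the spray thresholds and the two sample pages are assumptions constructed for the example; the suspicious sample contains only the spray scaffolding, not the trigger for the bug.

```python
"""Heuristic triage of a web page for MSXML COM instantiation plus heap-spray signs."""
import re

# ProgIDs of the MSXML DOMDocument objects covered by advisory 2719615
# (MSXML 3.0, 4.0, 5.0 and 6.0); Microsoft.XMLDOM is the legacy alias.
# Assumed list for this example; instantiation via <object classid=...> and
# CLSIDs is not covered here.
MSXML_PROGID_RE = re.compile(
    r"""new\s+ActiveXObject\s*\(\s*["']"""
    r"""(?P<progid>Msxml2\.(?:FreeThreaded)?DOMDocument(?:\.[3456]\.0)?|Microsoft\.XMLDOM)"""
    r"""["']\s*\)""",
    re.IGNORECASE,
)

# Heap-spray indicators. Thresholds (4+ %u escapes, loop bound >= 0x100 or
# 100 iterations) are assumptions chosen for this example.
UNICODE_ESCAPE_RE = re.compile(r"unescape\s*\(\s*[\"'](?:%u[0-9a-fA-F]{4}){4,}[\"']\s*\)")
SPRAY_LOOP_RE = re.compile(r"for\s*\([^;]*;\s*\w+\s*<\s*(?:0x[0-9a-fA-F]{3,}|\d{3,})\s*;")


def analyze_page(html):
    """Classify a page as allow / review / block from its MSXML and spray signals."""
    progids = sorted({m.group("progid") for m in MSXML_PROGID_RE.finditer(html)})
    escapes = len(UNICODE_ESCAPE_RE.findall(html))
    loops = len(SPRAY_LOOP_RE.findall(html))
    if progids and escapes and loops:
        verdict = "block"      # MSXML object plus heap-spray scaffolding
    elif progids:
        verdict = "review"     # legitimate XML use looks like this too
    else:
        verdict = "allow"
    return {"msxml_progids": progids, "unescape_blobs": escapes,
            "spray_loops": loops, "verdict": verdict}


# Constructed sample: an ordinary intranet page parsing an XML config.
BENIGN_PAGE = """<script>
var doc = new ActiveXObject("Msxml2.DOMDocument.6.0");
doc.async = false;
doc.loadXML("<config><item/></config>");
</script>"""

# Constructed sample: spray scaffolding next to an MSXML 3.0 DOMDocument.
SUSPICIOUS_PAGE = """<script>
var nop = unescape("%u0c0c%u0c0c%u0c0c%u0c0c");
var spray = new Array();
for (var i = 0; i < 0x200; i++) { spray[i] = nop + nop; }
var obj = new ActiveXObject('Msxml2.DOMDocument.3.0');
</script>"""


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(name, analyze_page(page))
```

"review" is deliberately not "block": intranet applications built on MSXML will trip the first signal, so the heuristic is a triage aid alongside the vendor workaround and patch rather than a replacement for them.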

    We are investigating reports of attacks in which these two vulnerabilities are supposedly being used. This entry will be updated as the investigation develops.

    Update as of 2:38 PM PST

    Trend Micro detects and removes the malware JS_DLOADER.HVN, which was found to exploit the vulnerability in Microsoft Security Advisory 2719615. More information on the malware will be posted in succeeding updates.

    Update as of June 14, 2012, 7:51 AM PST

    The malware JS_LOADER.HVN was found to exploit CVE-2012-1875, which is covered and patched by bulletin MS12-037. This malicious script downloads other malware onto affected systems. Trend Micro users are protected from this malware.

    Update as of June 15, 2012, 1:37 AM PST

    • The detection name given initially (JS_DLOADER.HVN) has been replaced with JS_LOADER.HVN.
    • JS_LOADER.HVN exploits CVE-2012-1875, not CVE-2012-1889 as the first update stated.

    Posted in Malware, Vulnerabilities



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice