    Author Archive - Pawan Kinger (Director, Deep Security Labs)

    News of the ‘unknown’ and underground zero-day in Adobe Reader is all over the Internet. Because of its supposed noteworthy features, including the capability to defeat Adobe’s sandbox feature, users are alarmed – and rightfully so. Fortunately, the situation is not without hope.

    With this entry, my aim is to explain to our customers what this exploit means to them and what protective measures can be implemented.

    Let us understand the threat situation first. How serious is it? There are claims of a zero-day exploit affecting versions 10 and 11 of Adobe Reader, reportedly being sold in the underground for USD 30,000 – 50,000. Why so much money? This zero-day bypasses the sandbox protection technology that Adobe introduced in version 10. It executes even if JavaScript is disabled in the software. The only interaction it requires is for a user to open a .PDF document; the bug is triggered when the browser is closed.

    There is news that this bug is being exploited in specific targeted attacks. There is also news that it will soon be incorporated in the notorious BlackHole Exploit Kit. Once it gets added, there is a chance of widespread exploitation via the exploit kit.


    Posted in Exploits, Vulnerabilities | Comments Off on Guard Against Sandbox-Bypassing Adobe Reader Zero-Day

    Recently, security researcher Sergei Golubchik reported a security issue in MySQL in which an attacker could log in to a MySQL database using literally any password. With this entry, I would like to take some time to explain the issue to our customers. The problem is serious in affected systems – but the exposure surface is not very large.

    First things first: to exploit the vulnerability, all you need to know is a valid user name on the target MySQL database. The user name root would be available in most cases but it can be any user. Once you have that, a one-liner shell script can try repeated login attempts for you. Within seconds, you will be through with the welcome message from MySQL server and it will be waiting to accept your commands. The metasploit module dumps the password hashes and one can crack all the passwords after stealing the hash.

    The root cause of the vulnerability lies in how the hash calculated from the user-supplied credentials is compared against the stored hash. The comparison is done with memcmp, and the code assumes its return value will be -1, 0 or 1. That assumption breaks when gcc, a popular C language compiler, builds with SSE optimization. Without the optimization, memcmp returns only -1, 0 or 1; with SSE optimization, the generated return values can be larger than 1. But because the return value is stored in a bool (actually a char variable), only the low byte is kept. If that byte happens to be 0, the authentication goes through.
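    The truncation described above, as an added illustration that is not code from MySQL or from this post: optimized_memcmp is a constructed stand-in for an SSE-optimized memcmp, and vulnerable_hash_matches / fixed_hash_matches are hypothetical names for the vulnerable and corrected comparison patterns.

```c
#include <stddef.h>
#include <stdio.h>

/* MySQL's my_bool was a char, so an int assigned to it keeps only its low byte. */
typedef char my_bool;

/* Constructed stand-in for an SSE-optimized memcmp (assumption: not glibc's code).
 * Like the optimized routine, it returns an arbitrary integer on mismatch rather
 * than only -1/0/1. Here the byte difference is scaled by 256 so the low byte is
 * always zero and the bug triggers on every attempt; with a real optimized
 * memcmp only some inputs hit a zero low byte, which is why the attack needs
 * repeated login attempts. */
static int optimized_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = (const unsigned char *)a;
    const unsigned char *y = (const unsigned char *)b;
    for (size_t i = 0; i < n; i++) {
        if (x[i] != y[i])
            return ((int)x[i] - (int)y[i]) * 256;
    }
    return 0;
}

/* Vulnerable pattern: the int from memcmp is narrowed into a my_bool, so a
 * non-zero result such as -256 becomes 0 and is read as "hashes match". */
int vulnerable_hash_matches(const unsigned char *stored,
                            const unsigned char *computed, size_t n)
{
    my_bool mismatch = (my_bool)optimized_memcmp(stored, computed, n);
    return mismatch == 0;
}

/* Corrected pattern: test the full int against zero before narrowing it. */
int fixed_hash_matches(const unsigned char *stored,
                       const unsigned char *computed, size_t n)
{
    my_bool mismatch = optimized_memcmp(stored, computed, n) != 0;
    return mismatch == 0;
}

int main(void)
{
    /* Constructed sample hashes: the stored one and one computed from a wrong password. */
    const unsigned char stored[4]   = { 0x41, 0x42, 0x43, 0x44 };
    const unsigned char computed[4] = { 0x42, 0x42, 0x43, 0x44 };
    printf("vulnerable: %s\n", vulnerable_hash_matches(stored, computed, 4) ? "LOGIN ALLOWED" : "denied");
    printf("fixed:      %s\n", fixed_hash_matches(stored, computed, 4) ? "LOGIN ALLOWED" : "denied");
    return 0;
}
```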

    Vulnerability Limited to Linux Systems

    Fortunately, only a small subset of MySQL versions is vulnerable. Note that the official MySQL builds are not affected. The exposure is limited to systems running on Linux, which have their glibc optimized with SSE. If you are running MySQL on Windows, there’s no need to worry at all. Red Hat Enterprise Linux (RHEL) has officially confirmed that they are not vulnerable. For reference, a list of affected and non-affected platforms is available on HD Moore’s blog.

    Although this exploit is limited to specific platforms, we recommend that users regularly update their servers and follow security best practices. The server should accept connections only from localhost or from the specific IPs that really need to communicate with it; this can be configured in the MySQL settings.

    Trend Micro customers using Deep Security should apply update 12-015 and enable the following two rules to detect and prevent possible use of this technique against their servers:

    • 1005045 – MySQL Database Server Possible Login Brute Force Attempt
    • 1005063 – Restrict MySQL Database Access
    Posted in Exploits, Vulnerabilities | Comments Off on MySQL Password Verification Bypasses CVE-2012-2122

    We’ve gotten a number of questions from customers who are concerned about the Remote Desktop Protocol (RDP) vulnerability addressed by Microsoft on Tuesday with their security bulletin MS12-020. We wanted to take a moment to update you on this.

    This bulletin addresses a critical, remote execution vulnerability affecting Microsoft Windows systems that have RDP enabled. While this is not enabled by default on Windows systems, RDP provides remote access functionality that many environments utilize, thus potentially putting them at risk. This vulnerability is highly critical because it can be exploited even by unauthenticated users. Another fact that’s special about this vulnerability is that it affects all versions of Windows. Hence, it’s important to take mitigating steps.

    Trend Micro customers who run Deep Security or the Intrusion Defense Firewall (IDF) and have applied the latest updates have protections against attempts to exploit this vulnerability; specifically, Deep Security update DSRU12-006 with the rule 1004949 – Remote Desktop Protocol Vulnerability (CVE-2012-0002), and IDF update 12007. These updates were released on Tuesday, March 13 and Wednesday, March 14, respectively. Trend Micro Deep Security and IDF customers can also turn off remote desktop sharing conveniently on systems where it’s not required by applying the rule 1002508 – Application Control For RDP.

    As a member of the Microsoft Active Protections Program (MAPP), Trend Micro received information from Microsoft as part of their regular security update release process to provide these protections to Trend Micro customers.

    Trend Micro customers should regularly update these products to get the latest protections against exploits for these vulnerabilities.

    In accordance with Microsoft’s guidance, Trend Micro customers are encouraged to test and deploy the Microsoft security updates as soon as possible. More detailed information about the vulnerabilities addressed in this security update is available from Microsoft at their Security Research and Defense blog.

    Update as of March 16, 2012, 11:58 p.m. (PST)

    We wanted to update to make customers aware of reports that there is now Proof-of-Concept code available for MS12-020. Once again we urge customers to test and deploy this update as soon as possible.

    We also wanted customers to know that Trend Micro Threat Management Services helps provide protections against attempts to exploit this vulnerability using following TDA patterns:

    • Network Content Inspection Pattern (NCIP) 1.11595
    • Network Content Correlation Pattern (NCCP) 1.11579

    Finally, as an additional protection, customers may want to evaluate blocking access to RDP (TCP port 3389) or monitoring that port for scans and abnormal traffic.

    Update as of March 21, 2012 12:56 AM (PST)

    Trend Micro customers may refer to the Threat Encyclopedia for further details on the corresponding solution.


    In recent years, we have seen client-side software heavily targeted by hackers in search of vulnerabilities. 2011 saw these threats become more complex and sophisticated. We saw attackers increasingly use zero-day vulnerabilities, some of which have been particularly critical. Examples include the vulnerability exploited by Duqu (CVE-2011-3402), a Java vulnerability (CVE-2011-3544), and Adobe zero-day vulnerabilities that were exploited in the wild.

    The exploit attacks we saw this year were targeted, original, sophisticated, and well controlled.

    Among the applications most targeted in the wild were Adobe Acrobat, Reader, and Flash Player; Java Runtime Environment (JRE)/Java Development Kit (JDK); and Internet Explorer. Exploit kits like Black Hole and Phoenix were quick to pick up exploits for these applications and went after users with high success rates. We also saw browser vendors release patches several times within the year to fix critical vulnerabilities.

    Attacks were successful because a high percentage of users still used unpatched versions of vulnerable software. According to a CSIS study, 37% of users still browse the web with unsecured Java versions. A Zscaler survey also reported that 56% of enterprise users utilize vulnerable versions of Adobe products, putting the onus on security administrators to deploy virtual patching products such as Trend Micro Deep Security or the OfficeScan IDF plug-in.



    Microsoft has released an advisory alerting its users about a critical vulnerability in ASP.NET (CVE-2011-3414). An attacker could potentially bring down a server (Denial of Service) with specially crafted requests. Given that all versions of ASP.NET are vulnerable, its exposure is pretty big. This advisory was in response to a public advisory presented in the 28th Chaos Communication Congress.

    The root cause of the problem lies in hash collisions. Most web applications use hash tables to store user-supplied inputs such as form parameters. Because the inputs come from users, attackers control which keys end up in those tables. In this particular attack, the attacker sends a very large number of key-value pairs whose keys collide. If the language’s hash implementation is not randomized, the many colliding entries produce numerous hash collisions, and resolving them results in very high CPU usage.

    An interesting aspect of this attack is that it doesn’t only affect Microsoft products. Several other platforms, such as Apache Tomcat, Apache Geronimo, Oracle web applications, PHP, Python, Ruby and Java, are also vulnerable to the same issue. It’s not a product-specific vulnerability but a fundamental software flaw in the implementation of hash algorithms.

    Trend Micro customers need not worry, as Deep Security provides protection with the rule 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414). For more details, users may refer to the Trend Micro security advisory page in our Threat Encyclopedia.

    Because of its severity, users are also advised to immediately update their systems before they usher in the new year.

    Update as of January 9, 2012,11:00 PM PST

    The Microsoft out of band update also addressed three other vulnerabilities:


    This vulnerability is a domain spoofing/open redirect vulnerability in the Forms Authentication feature of ASP.NET. An attacker can use a crafted URL to redirect users to any website without their knowledge. The attack vector can be a crafted link that leads to a phishing attack to steal sensitive information from the user, such as login credentials.

    Websites running ASP.NET are at risk from this vulnerability. Microsoft .NET Framework 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 are also vulnerable.


    This vulnerability is an authentication bypass flaw in ASP.NET. An attacker who successfully exploits this vulnerability can gain complete access to targeted users’ accounts and run arbitrary commands with their privileges.

    Trend Micro Deep Security provides zero-day protection against such attacks using its heuristic-based rule ‘1000128 – HTTP Protocol Decoding’.


    This vulnerability pertains to a specific configuration of ASP.NET: only systems with sliding expiration enabled are vulnerable to it. Once it is successfully exploited, an attacker can gain access to arbitrary user accounts on the system by sending specially crafted requests.

    The following rules in Trend Micro Deep Security provide protection to Trend Micro customers:

    • 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414)
    • 1004887 – Microsoft ASP.NET Framework Forms Authentication URI Spoofing Vulnerability (CVE-2011-3415)
    • 1000128 – HTTP Protocol Decoding


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice