    TrendLabs Security Intelligence Blog

    Author Archive - Pawan Kinger (Director, Deep Security Labs)

    We’ve gotten a number of questions from customers who are concerned about the Remote Desktop Protocol (RDP) vulnerability addressed by Microsoft on Tuesday with their security bulletin MS12-020. We wanted to take a moment to update you on this.

    This bulletin addresses a critical remote code execution vulnerability affecting Microsoft Windows systems that have RDP enabled. RDP is not enabled by default on Windows, but it provides remote access functionality that many environments rely on, which potentially puts them at risk. The vulnerability is highly critical because it can be exploited by unauthenticated users, and it affects all versions of Windows. It is therefore important to take mitigating steps.

    Trend Micro customers who run Deep Security or the Intrusion Defense Firewall (IDF) and have applied the latest updates have protection against attempts to exploit this vulnerability; specifically, Deep Security update DSRU12-006 with rule 1004949 – Remote Desktop Protocol Vulnerability (CVE-2012-0002), and IDF update 12007. These updates were released on Tuesday, March 13 and Wednesday, March 14, respectively. Deep Security and IDF customers can also conveniently turn off remote desktop sharing on systems where it is not required by applying rule 1002508 – Application Control For RDP.

    As a member of the Microsoft Active Protections Program (MAPP), Trend Micro received information from Microsoft as part of their regular security update release process to provide these protections to Trend Micro customers.

    Trend Micro customers should keep these products updated as part of their regular security update process to get the latest protections against exploits for these vulnerabilities.

    In accordance with Microsoft’s guidance, Trend Micro customers are encouraged to test and deploy the Microsoft security updates as soon as possible. More detailed information about the vulnerabilities addressed in this security update is available from Microsoft at their Security Research and Defense blog.

    Update as of March 16, 2012, 11:58 p.m. (PST)

    We wanted to update to make customers aware of reports that there is now Proof-of-Concept code available for MS12-020. Once again we urge customers to test and deploy this update as soon as possible.

    We also wanted customers to know that Trend Micro Threat Management Services helps provide protection against attempts to exploit this vulnerability using the following TDA patterns:

    • Network Content Inspection Pattern (NCIP) 1.11595
    • Network Content Correlation Pattern (NCCP) 1.11579

    Finally, as an additional protection, customers may want to evaluate blocking access to RDP (TCP port 3389) or monitoring that port for scans and abnormal traffic.

    Update as of March 21, 2012 12:56 AM (PST)

    Trend Micro customers may refer to the Threat Encyclopedia for further details on the corresponding solution.


    In recent years, we have seen client-side software heavily targeted by attackers in search of vulnerabilities. In 2011 these threats became more complex and sophisticated. We saw attackers increasingly use zero-day vulnerabilities, some of which were particularly critical. Examples include the vulnerability Duqu exploited (CVE-2011-3402), a Java vulnerability (CVE-2011-3544), and Adobe zero-day vulnerabilities that were exploited in the wild.

    The exploit attacks we saw this year were targeted, original, sophisticated, and well controlled.

    Among the applications most targeted in the wild were Adobe Acrobat, Reader, and Flash Player; the Java Runtime Environment (JRE)/Java Development Kit (JDK); and Internet Explorer. Exploit kits like Black Hole and Phoenix were quick to incorporate exploits for these applications and went after users with high success rates. We also saw browser vendors release patches several times within the year to fix critical vulnerabilities.

    Attacks were successful because a high percentage of users still ran unpatched versions of vulnerable software. According to a CSIS study, 37% of users still browse the web with unsecured Java versions. A Zscaler survey also reported that 56% of enterprise users utilize vulnerable versions of Adobe products, putting the onus on security administrators to deploy virtual patching products such as Trend Micro Deep Security or the OfficeScan IDF plug-in.



    Microsoft has released an advisory alerting its users to a critical vulnerability in ASP.NET (CVE-2011-3414). An attacker could potentially bring down a server (denial of service) with specially crafted requests. Given that all versions of ASP.NET are vulnerable, the exposure is significant. This advisory was issued in response to a public presentation at the 28th Chaos Communication Congress.

    The root cause of the problem lies in hash collisions. Most web applications store user-supplied inputs and form parameters in hash tables. Because the inputs are supplied by users, attackers control which keys end up in those tables. In this attack, the attacker sends a very large number of key-value pairs whose keys all collide. If the language's hash implementation is not randomized, those collisions are predictable, and every newly inserted entry has to be compared against all the colliding entries already present. Resolving these collisions drives CPU usage very high.

    An interesting aspect of this attack is that it does not only affect Microsoft products. Several other platforms, such as Apache Tomcat, Apache Geronimo, Oracle web applications, PHP, Python, Ruby, and Java, are also vulnerable to the same issue. It is not a product-specific vulnerability but a fundamental flaw in the implementation of hash algorithms.
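    To make the mechanism concrete, here is an added example (not code from the post or from Trend Micro) modelling a chained hash table under a seed-free toy hash whose collisions can be precomputed, the same inserts under a per-process keyed hash, and a form parser that caps the parameter count. The toy hash, the bucket count and the MAX_FORM_KEYS value are assumptions chosen for illustration.

```python
"""Hash-collision DoS mechanics and two mitigations (toy model, constructed for this example)."""
import hashlib
import os
from typing import Callable, Iterable

BUCKETS = 1 << 16          # assumed table size
MAX_FORM_KEYS = 1000       # assumed cap on parameters per request; tune for your application


def weak_hash(s: str) -> int:
    """Seed-free multiplicative string hash (toy, h = h*31 + c); collisions are reproducible."""
    h = 0
    for c in s:
        h = (h * 31 + ord(c)) & 0xFFFFFFFF
    return h


def keyed_hash(s: str, seed: bytes) -> int:
    """Randomized hash: BLAKE2b keyed with a per-process secret, so collisions cannot be precomputed."""
    return int.from_bytes(hashlib.blake2b(s.encode(), key=seed, digest_size=8).digest(), "big")


def randomized_hash() -> Callable[[str], int]:
    """Return a hash function bound to a fresh secret, as a randomized runtime would do at start-up."""
    seed = os.urandom(16)
    return lambda s: keyed_hash(s, seed)


def insert_cost(keys: Iterable[str], hashfn: Callable[[str], int]) -> int:
    """Insert keys into a chained table; return total key comparisons (the CPU work the attack inflates)."""
    buckets: dict[int, list[str]] = {}
    comparisons = 0
    for k in keys:
        chain = buckets.setdefault(hashfn(k) % BUCKETS, [])
        comparisons += len(chain)   # a lookup walks the whole chain before appending
        chain.append(k)
    return comparisons


def colliding_keys(n: int) -> list[str]:
    """Build n distinct keys with identical weak_hash: "Aa" and "BB" hash equal, so any concatenation does too."""
    keys = [""]
    while len(keys) < n:
        keys = [k + blk for k in keys for blk in ("Aa", "BB")]
    return keys[:n]


def parse_form(body: str, max_keys: int = MAX_FORM_KEYS) -> dict[str, str]:
    """Parameter-count cap: refuse oversized bodies before any key is hashed."""
    pairs = [p for p in body.split("&") if p]
    if len(pairs) > max_keys:
        raise ValueError(f"too many form parameters ({len(pairs)} > {max_keys})")
    return dict(p.split("=", 1) if "=" in p else (p, "") for p in pairs)
```

    With 2,000 colliding keys the seed-free table performs about two million comparisons, while the keyed hash spreads the same keys across buckets and performs a few dozen.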

    Trend Micro customers need not worry, as Deep Security provides protection with rule 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414). For more details, users may refer to the Trend Micro security advisory page in our Threat Encyclopedia.

    Because of its severity, users are also advised to immediately update their systems before they usher in the new year.

    Update as of January 9, 2012, 11:00 PM PST

    The Microsoft out of band update also addressed three other vulnerabilities:


    This vulnerability is a domain spoofing/open redirect vulnerability in the Forms Authentication feature of .NET. An attacker can use a crafted URL to redirect users to any website without their knowledge. The attack vector can be a crafted link, which leads to a phishing attack to steal sensitive information such as login credentials.

    Websites running ASP.NET are at risk from this vulnerability. Microsoft .NET Framework 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 are affected.
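    The defensive check that closes this class of open redirect is to accept only same-site relative paths as the post-login return URL. The validator below is an added illustration written in Python (not Microsoft's fix and not code from the post); the function name and the set of rejected forms are this example's own choices.

```python
"""Validate a post-login return URL so it can only redirect within the current site (constructed example)."""
from urllib.parse import urlsplit


def is_local_return_url(return_url: str) -> bool:
    """True only for a path-relative URL on this site; everything else is treated as a redirect attempt."""
    if not return_url or not return_url.startswith("/"):
        return False                      # empty, absolute ("https://..."), or scheme-only ("javascript:")
    if return_url.startswith("//") or return_url.startswith("/\\"):
        return False                      # protocol-relative "//evil.example" and its backslash variant
    if any(ch in return_url for ch in "\r\n\t"):
        return False                      # control characters that parsers may strip or split on
    parts = urlsplit(return_url)
    return not parts.scheme and not parts.netloc


def safe_redirect_target(return_url: str, default: str = "/") -> str:
    """Return the validated target, or the site default when the supplied value is not local."""
    return return_url if is_local_return_url(return_url) else default
```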


    This vulnerability is an authentication bypass flaw in ASP.NET. An attacker who successfully exploits it can gain complete access to targeted users' accounts and run arbitrary commands with their privileges.

    Trend Micro Deep Security provides zero-day protection against such attacks using its heuristic-based rule 1000128 – HTTP Protocol Decoding.


    This vulnerability pertains to a specific configuration of ASP.NET; only systems with sliding expiration enabled are affected. Once it is successfully exploited, an attacker can gain access to arbitrary user accounts on the system by sending specially crafted requests.

    The following rules in Trend Micro Deep Security provide protection to Trend Micro customers:

    • 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414)
    • 1004887 – Microsoft ASP.NET Framework Forms Authentication URI Spoofing Vulnerability (CVE-2011-3415)
    • 1000128 – HTTP Protocol Decoding


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice