TrendLabs Malware Blog - Trend Micro
    Author Archive - Pawan Kinger (Director, Deep Security Labs)

    There has been much discussion about Oracle's fix for the recent Java zero-day, CVE-2013-0422, being incomplete. In this post, we would like to take the opportunity to clear up a few points about it.

    Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete. The CVE covers two issues. One is in the findClass method of the com.sun.jmx.mbeanserver.MBeanInstantiator class; the other is in the invokeWithArguments() method of the java.lang.invoke.MethodHandle class. Oracle has fixed the latter, but the findClass method can still be used to obtain a reference to restricted classes. In short, the findClass issue still leaves a hole that could be combined with another, new vulnerability.

    We would also like to clarify another point, this time concerning CVE-2012-3174. Contrary to some reports, it is NOT the issue with the Reflection API. The Reflection API issue was fixed as part of CVE-2013-0422. To quote the National Vulnerability Database (NVD) verbatim: “NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422.”



    News of the ‘unknown’ and underground zero-day in Adobe Reader is all over the Internet. Because of its supposed noteworthy features, including the capability to defeat Adobe’s sandbox feature, users are alarmed – and rightfully so. Fortunately, the situation is not without hope.

    With this entry, my aim is to explain to our customers what this exploit means to them and what protective measures can be implemented.

    Let us understand the threat situation first. How serious is it? There are claims of a zero-day exploit affecting versions 10 and 11 of Adobe Reader that is reportedly being sold in the underground for USD 30,000 – 50,000. Why so much money? This zero-day bypasses the sandbox protection technology that Adobe introduced in version 10. It executes even if JavaScript is disabled in the software. The only user interaction it requires is opening a PDF document; the bug is triggered when the browser is closed.

    There are reports that this bug is being exploited in specific targeted attacks, and also that it will soon be incorporated into the notorious BlackHole Exploit Kit. Once it is added, there is a chance of widespread exploitation via the exploit kit.


    Posted in Exploits, Vulnerabilities | Comments Off on Guard Against Sandbox-Bypassing Adobe Reader Zero-Day

    Recently, security researcher Sergei Golubchik reported a security issue in MySQL in which an attacker could log in to a MySQL database using literally any password. With this entry, I would like to take some time to explain the issue to our customers. The problem is serious on affected systems – but the exposure surface is not very large.

    First things first: to exploit the vulnerability, all an attacker needs to know is a valid user name on the target MySQL database. The user name root would exist in most cases, but it can be any user. With that, a one-liner shell script can make repeated login attempts. Within seconds, the attacker is greeted by the MySQL server's welcome message and a prompt waiting to accept commands. The Metasploit module dumps the password hashes, and all the passwords can then be cracked from the stolen hashes.

    The root cause of the vulnerability lies in how the hash calculated from the user-supplied credentials is checked against the stored hash. The two hashes are compared with memcmp, and the code assumes that its return value is always -1, 0 or 1. Without optimization, memcmp does return only -1, 0 or 1. That assumption breaks, however, when the C library's memcmp has been built by gcc, a popular C compiler, with SSE optimizations: the optimized routine can return values larger than 1 (or smaller than -1). Because the return value is stored in a bool (actually a char variable), only the low byte is kept. If that byte happens to be 0, the hashes are treated as equal and the authentication goes through.
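The truncation described above, as an added C example that is not MySQL's code. It feeds two constructed memcmp stand-ins (one that returns only -1/0/1, and one that returns a scaled value whose low byte is always zero, a model of the optimized-library behaviour rather than glibc's real SSE routine) through a check that stores the result in a char, as the vulnerable code did, and through a corrected check that reduces the result to a boolean first. The names narrow_memcmp, wide_memcmp, check_scramble_vulnerable, check_scramble_fixed and count_accepted, and the sample hash values, are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not MySQL's code): models the CVE-2012-2122 comparison bug.
 * In the affected MySQL builds my_bool was a typedef for char, so storing
 * memcmp()'s int result in it keeps only the low byte. */
typedef char my_bool;

#define SCRAMBLE_LEN 20   /* SHA-1 digest length used by the MySQL scramble */

typedef int (*cmp_fn)(const void *, const void *, size_t);

/* Constructed stand-in for a memcmp that only ever returns -1, 0 or 1,
 * which is what the vulnerable code silently assumed. */
int narrow_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i])
            return x[i] < y[i] ? -1 : 1;
    return 0;
}

/* Constructed stand-in for an optimized memcmp. The C standard only fixes the
 * sign of the result, so returning the byte difference times 256 is a legal
 * implementation; its low byte is always zero. This models the failure class
 * the post describes; it is NOT glibc's actual SSE routine. */
int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i])
            return ((int)x[i] - (int)y[i]) * 256;
    return 0;
}

/* Vulnerable pattern: memcmp's int result is truncated into a char.
 * A return value of 0 means "hashes match, authentication OK"; anything
 * else means reject. */
my_bool check_scramble_vulnerable(const uint8_t *computed,
                                  const uint8_t *stored, cmp_fn cmp)
{
    return cmp(computed, stored, SCRAMBLE_LEN); /* int -> char: low byte only */
}

/* Corrected pattern: collapse the result to a true boolean first, so the
 * magnitude of memcmp's return value can never matter. */
my_bool check_scramble_fixed(const uint8_t *computed,
                             const uint8_t *stored, cmp_fn cmp)
{
    return cmp(computed, stored, SCRAMBLE_LEN) != 0;
}

typedef my_bool (*check_fn)(const uint8_t *, const uint8_t *, cmp_fn);

/* Simulate `attempts` logins whose computed hash is wrong in its first byte
 * and count how many of them the given check accepts (returns 0). */
int count_accepted(cmp_fn cmp, check_fn check, int attempts)
{
    uint8_t stored[SCRAMBLE_LEN], guess[SCRAMBLE_LEN];
    int accepted = 0;

    memset(stored, 0x41, sizeof stored);           /* constructed stored hash */
    for (int i = 0; i < attempts; i++) {
        memcpy(guess, stored, sizeof guess);
        guess[0] = (uint8_t)(0x42 + (i % 200));    /* never equals 0x41 */
        if (check(guess, stored, cmp) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("narrow memcmp, vulnerable check: %d/100 wrong hashes accepted\n",
           count_accepted(narrow_memcmp, check_scramble_vulnerable, 100));
    printf("wide memcmp,   vulnerable check: %d/100 wrong hashes accepted\n",
           count_accepted(wide_memcmp, check_scramble_vulnerable, 100));
    printf("wide memcmp,   fixed check:      %d/100 wrong hashes accepted\n",
           count_accepted(wide_memcmp, check_scramble_fixed, 100));
    return 0;
}
```

With the narrow stand-in both checks reject every wrong hash, which is why the bug went unnoticed on most builds; with the wide stand-in the vulnerable check accepts every wrong hash while the corrected check still rejects them all. On a real optimized library the out-of-range values occur only for some inputs, so only a fraction of wrong passwords are accepted, but the fix is the same: never let the magnitude of a memcmp result reach a narrower type.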

    Vulnerability Limited to Linux Systems

    Fortunately, only a small subset of MySQL versions is vulnerable. Note that the official MySQL builds are not affected. The exposure is limited to systems running on Linux, which have their glibc optimized with SSE. If you are running MySQL on Windows, there’s no need to worry at all. Red Hat Enterprise Linux (RHEL) has officially confirmed that they are not vulnerable. For reference, a list of affected and non-affected platforms is available on HD Moore’s blog.

    Although this exploit is limited to specific platforms, we recommend that users regularly update their servers and follow best computing practices. The server should accept connections only from localhost or from the specific IPs that genuinely need to communicate with it. This can be configured in the MySQL settings.

    Trend Micro customers using Deep Security should apply the update 12-015 and apply the following two rules to detect and prevent the possible use of this technique to attack your server.

    • 1005045 – MySQL Database Server Possible Login Brute Force Attempt
    • 1005063 – Restrict MySQL Database Access
    Posted in Exploits, Vulnerabilities | Comments Off on MySQL Password Verification Bypasses CVE-2012-2122

    We’ve gotten a number of questions from customers who are concerned about the Remote Desktop Protocol (RDP) vulnerability addressed by Microsoft on Tuesday with their security bulletin MS12-020. We wanted to take a moment to update you on this.

    This bulletin addresses a critical remote code execution vulnerability affecting Microsoft Windows systems that have RDP enabled. While RDP is not enabled by default on Windows, it provides remote access functionality that many environments use, potentially putting them at risk. This vulnerability is highly critical because it can be exploited even by unauthenticated users. Another notable fact about this vulnerability is that it affects all versions of Windows. Hence, it is important to take mitigating steps.

    Trend Micro customers who run Deep Security or the Intrusion Defense Firewall (IDF) and have applied the latest updates have protection against attempts to exploit this vulnerability; specifically, Deep Security update DSRU12-006 with the rule 1004949 – Remote Desktop Protocol Vulnerability (CVE-2012-0002), and IDF update 12007. These updates were released on Tuesday, March 13 and Wednesday, March 14, respectively. Trend Micro Deep Security and IDF customers can also conveniently turn off remote desktop sharing on systems where it is not required by applying the rule 1002508 – Application Control For RDP.

    As a member of the Microsoft Active Protections Program (MAPP), Trend Micro received information from Microsoft as part of their regular security update release process to provide these protections to Trend Micro customers.

    Trend Micro customers should also update these products regularly to get the latest protections against exploits for these vulnerabilities.

    In accordance with Microsoft’s guidance, Trend Micro customers are encouraged to test and deploy the Microsoft security updates as soon as possible. More detailed information about the vulnerabilities addressed in this security update is available from Microsoft at their Security Research and Defense blog.

    Update as of March 16, 2012, 11:58 p.m. (PST)

    We wanted to make customers aware of reports that proof-of-concept code is now available for MS12-020. Once again, we urge customers to test and deploy this update as soon as possible.

    We also wanted customers to know that Trend Micro Threat Management Services helps provide protection against attempts to exploit this vulnerability using the following TDA patterns:

    • Network Content Inspection Pattern (NCIP) 1.11595
    • Network Content Correlation Pattern (NCCP) 1.11579

    Finally, as an additional protection, customers may want to consider blocking access to RDP (TCP port 3389), or watching for scans and abnormal traffic on that port.

    Update as of March 21, 2012 12:56 AM (PST)

    Trend Micro customers may refer to the Threat Encyclopedia for further details on the corresponding solution.


    In recent years, we have seen client-side software heavily targeted by hackers in search of vulnerabilities. 2011 saw these threats become more complex and sophisticated. We saw attackers increasingly use zero-day vulnerabilities, some of which were particularly critical. Examples include the vulnerability Duqu exploited (CVE-2011-3402), a Java vulnerability (CVE-2011-3544), and Adobe zero-day vulnerabilities that were exploited in the wild.

    The exploit attacks we saw this year were targeted, original, sophisticated, and well controlled.

    Among the applications most targeted in the wild were Adobe Acrobat, Reader, and Flash Player; the Java Runtime Environment (JRE)/Java Development Kit (JDK); and Internet Explorer. Exploit kits like Black Hole and Phoenix were quick to incorporate exploits for these applications and go after users with high success rates. We also saw browser vendors release patches several times within the year to fix critical vulnerabilities.

    Attacks were successful because a high percentage of users still used unpatched versions of vulnerable software. According to a CSIS study, 37% of users still browse the web with unsecured Java versions. A Zscaler survey also reported that 56% of enterprise users use vulnerable versions of Adobe products, putting the onus on security administrators to deploy virtual patching products such as Trend Micro Deep Security or the OfficeScan IDF plug-in.

    © Copyright 2013 Trend Micro Inc. All rights reserved.