TippingPoint Threat Intelligence and Zero-Day Coverage – Week of April 11, 2016

  • Posted on:April 15, 2016
  • Posted in:Network, Security
  • Posted by:
    Elisa Lippincott (Global Threat Communications)

If you’re a fan of The Walking Dead television show and watched the recent season finale, you were subjected to one crazy cliffhanger involving Negan, his bat “Lucille” and an unknown victim. According to Wikipedia, the use of cliffhangers was rare on American television before 1980. One of the first big cliffhangers asked the question “Who shot J.R.?” and then you had to wait until the next season of the show “Dallas” to find out. The ultimate goal of including a cliffhanger in a television show is to keep viewers coming back for more, but sometimes they’re used when the renewal of a show is uncertain, or when an actor asks for too much money and their character is suddenly killed off. But what if the cliffhanger on a show is never resolved? Many television shows have ended on a cliffhanger with no resolution or explanation for one reason or another, so you’ll never know whether Tony Soprano dies in “The Sopranos,” or whether Sam Beckett ever makes it home in “Quantum Leap.”

Imagine if you had an unresolved “cliffhanger” in your network. Will that malware exfiltrate my sensitive data? Will that software vulnerability ever be patched? Unfortunately, unresolved “cliffhangers” in the network are more common than you think. While many software vendors patch vulnerabilities to resolve those security “cliffhangers,” our customers get a “sneak peek” at the resolution with our zero-day filters. We had zero-day filters in place for several of the vulnerabilities patched today by Microsoft and Adobe, protecting TippingPoint customers ahead of everyone else. We also have filters for a “cliffhanger” that generated a lot of hype but ended up more of a bust. There was a lot of buzz around the Badlock bug last month, which was pre-announced as a vulnerability that could be abused in man-in-the-middle attacks in file server environments. In the end it was less severe than originally described: CVE-2016-0128 lets a man-in-the-middle downgrade the authentication level of SAM and LSAD remote protocol (RPC) traffic, rather than giving remote code execution. But just because the “ending” wasn’t that great doesn’t mean you shouldn’t patch. Microsoft and Samba both released patches today for Badlock, and we have filters in this week’s Digital Vaccine as well:

  • 24259: RPC: Windows SAMR Man-in-the-Middle Vulnerability (Badlock)
  • 24260: RPC: SamrValidatePassword Method Using Unencrypted Authentication Level

Adobe Flash Player Zero-Day Vulnerability (CVE-2016-1019)

Last week, Adobe released an out-of-band patch for CVE-2016-1019, a type confusion vulnerability in Adobe Flash Player. The specific flaw exists in the handling of references in FileReference objects. As early as March 31, 2016, researchers here at Trend Micro saw a zero-day exploit for it included in the code of the Magnitude Exploit Kit, targeting older versions of Flash Player and delivering Locky ransomware, a crypto-ransomware that also abuses macros in document files to deliver its malicious code.

Last week, TippingPoint released DVToolkit CSW file “CVE-2016-1019.csw” to address the vulnerability. Customers can download the CSW from the TippingPoint Threat Management Center. In this week’s Digital Vaccine package, the CSW file will be made obsolete by the following filter:

  • 24253: HTTP: Adobe Flash FileReference Type Confusion Vulnerability

The following resources provide more information on this critical zero-day vulnerability:

  • Blog: Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player
  • Blog: A Look Into Adobe Flash Player CVE-2016-1019 Zero-Day Attack
  • eWeek: Adobe Working on Zero-Day, Pwn2Own Patches for Flash
  • Adobe Security Advisory: Security Advisory for Adobe Flash Player

Microsoft Patch Tuesday Update

This week’s Digital Vaccine (DV) package includes coverage for the Microsoft Security Bulletins released on or before April 12, 2016. The following table maps Digital Vaccine filters to the Microsoft Security Bulletins. Filters designated with an asterisk (*) shipped prior to this week’s package, providing zero-day protection for our customers:

| Bulletin # | CVE # | Digital Vaccine Filter # | Status |
|---|---|---|---|
| MS14-021 | CVE-2014-1776 | 23879 | |
| MS16-028 | CVE-2016-0117 | 23807 | |
| MS16-030 | CVE-2016-0092 | 24030 | |
| MS16-042 | CVE-2016-0122 | 24130 | |
| MS16-042 | CVE-2016-0127 | 24127 | |
| MS16-047 | CVE-2016-0128 | 24259 | |
| MS16-047 | CVE-2016-0128 | 24260 | |
| MS16-046 | CVE-2016-0135 | 24120 | |
| MS16-042 | CVE-2016-0136 | 24132 | |
| MS16-042 | CVE-2016-0139 | 24133 | |
| MS16-039 | CVE-2016-0143 | 24134 | |
| MS16-039 | CVE-2016-0145 | 24129 | |
| MS16-040 | CVE-2016-0147 | 24138 | |
| MS16-041 | CVE-2016-0148 | 24263 | |
| MS16-048 | CVE-2016-0151 | 24121 | |
| MS16-044 | CVE-2016-0153 | 24137 | |
| MS16-037 | CVE-2016-0154 | 24116 | |
| MS16-038 | CVE-2016-0154 | 24116 | |
| MS16-038 | CVE-2016-0155 | 24114 | |
| MS16-038 | CVE-2016-0156 | 24118 | |
| MS16-038 | CVE-2016-0157 | *22747 | |
| MS16-038 | CVE-2016-0158 | *24036 | |
| MS16-037 | CVE-2016-0159 | 24113 | |
| MS16-037 | CVE-2016-0160 | 24263 | |
| MS16-038 | CVE-2016-0161 | 24135 | |
| MS16-037 | CVE-2016-0164 | 24105 | |
| MS16-039 | CVE-2016-0165 | 24131 | |
| MS16-037 | CVE-2016-0166 | 24115 | |
| MS16-039 | CVE-2016-0167 | 24139 | |
| MS16-049 | CVE-2016-0150 | – | Insufficient information |
| MS16-037 | CVE-2016-0162 | – | Insufficient information |
| MS16-045 | CVE-2016-0088 | – | Insufficient information |
| MS16-045 | CVE-2016-0089 | – | Insufficient information |
| MS16-045 | CVE-2016-0090 | – | Insufficient information |

Adobe Security Bulletins Update

This week’s Digital Vaccine (DV) package also includes coverage for the Adobe Security Bulletins released on April 7, 2016. The following table maps Digital Vaccine filters to the Adobe Security Bulletins. Filters designated with an asterisk (*) shipped prior to this week’s package, providing zero-day protection for our customers:

| Bulletin # | CVE # | Digital Vaccine Filter # | Status |
|---|---|---|---|
| APSB16-10 | CVE-2016-1006 | 24136 | |
| APSB16-10 | CVE-2016-1011 | 24254 | |
| APSB16-10 | CVE-2016-1012 | 24255 | |
| APSB16-10 | CVE-2016-1013 | 24256 | |
| APSB16-10 | CVE-2016-1014 | 24258 | |
| APSB16-10 | CVE-2016-1015 | *24027 | |
| APSB16-10 | CVE-2016-1016 | *24024 | |
| APSB16-10 | CVE-2016-1017 | *24025 | |
| APSB16-10 | CVE-2016-1018 | *24022 | |
| APSB16-10 | CVE-2016-1019 | 24253 | |

Zero Day Initiative Represented at ISSW 2016

This past weekend, the Infosec Southwest conference was held in Austin, Texas. One of our ZDI researchers, WanderingGlitch, spoke on “Leaking Windows Kernel Pointers.” According to WanderingGlitch, while reversing win32k.sys to understand the User-Mode Callback mechanism, he found several kernel information leaks: there were a number of situations in which the kernel readily returned kernel pointers to user land. His session covered how user-mode callbacks operate, described the information-leak vulnerabilities and how prevalent they are, and finished with a detailed walkthrough of how to take advantage of CVE-2015-0094.

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap posted on the Trend Micro Simply Security blog!

Zero-Day Filters

There are six new zero-day filters covering three vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative web site.

Foxit (1)

  • 24090: HTTP: Foxit Reader XFA remerge Use-After-Free Vulnerability (ZDI-16-215)

Microsoft (4)

  • 24030: HTTP: Microsoft Windows OleLoadPicture Memory Corruption Vulnerability (ZDI-16-181)
  • 24113: HTTP: Microsoft Internet Explorer AddRow Memory Corruption Vulnerability (ZDI-16-231)
  • 24115: HTTP: Microsoft Internet Explorer CMediaEngine Use-After-Free Vulnerability (ZDI-16-230)
  • 24263: SMB: api-ms-win-appmodel-runtime-l1-1-0 dll File Access via SMB (ZDI-16-234)

SolarWinds (1)

  • 24046: HTTP: SolarWinds Network Configuration Manager Vulnerable ActiveX Control Instantiation (ZDI-14-133)

Updated Existing Zero-Day Filters

This section highlights specific filter(s) of interest in this week’s Digital Vaccine package that have been updated as a result of a vendor issuing a patch for a vulnerability found via the Zero Day Initiative.

Today’s featured filters include all four of the Adobe vulnerabilities that were found at Pwn2Own 2016, making Adobe the first vendor to fix all of its vulnerabilities found during the event:

  • 24022: HTTP: Adobe Flash JPEG-XR Buffer Overflow Vulnerability (Pwn2Own ZDI-16-228)
  • 24024: HTTP: Adobe Flash NetConnection Type Confusion Vulnerability (Pwn2Own ZDI-16-226)
  • 24025: HTTP: Adobe Flash LoadVars Use-After-Free Vulnerability (Pwn2Own ZDI-16-225)
  • 24027: HTTP: Adobe Flash Transform Use-After-Free Vulnerability (Pwn2Own ZDI-16-227)
