TippingPoint Threat Intelligence and Zero-Day Coverage – Week of April 11, 2016

If you’re a fan of The Walking Dead television show and watched the recent season finale, you were subject to one crazy cliffhanger involving Negan, his bat “Lucille” and an unknown victim. According to Wikipedia, the use of cliffhangers was rare on American television before 1980. One of the first big cliffhangers asked the question “Who shot J.R.?” and then you had to wait until the next season of the show “Dallas” to find out. The ultimate goal of including a cliffhanger in a television show is to keep viewers coming back for more, but sometimes they’re used when the renewal of a show is uncertain or an actor asks for too much money and they’re suddenly killed off the show. But what if the cliffhanger on a show is never resolved? Many television shows have ended on a cliffhanger with no resolution or explanation for one reason or another, so you’ll never know if Tony Soprano dies or not in “The Sopranos,” or if Sam Beckett ever makes it home in “Quantum Leap.”

Imagine if you had an unresolved “cliffhanger” in your network. Will that malware exfiltrate my sensitive data? Will that software vulnerability ever be patched? Unfortunately, unresolved “cliffhangers” in the network are more common than you think. While many software vendors patch vulnerabilities to prevent those security “cliffhangers,” our customers are able to get a “sneak peek” of a resolution with our zero-day filters. We’ve had zero-day filters for several of the vulnerabilities patched today by Microsoft and Adobe, providing protection to our TippingPoint customers ahead of everyone else. We also have filters for a “cliffhanger” that generated a lot of hype, but ended up more of a bust. There was a lot of buzz around the Badlock bug last month, which was described as a vulnerability that can be abused in man-in-the-middle attacks in file server environments. But in the end, it ended up not being a critical vulnerability as originally described. But just because the “ending” wasn’t that great doesn’t mean you shouldn’t patch. Microsoft and Samba both released patches today for Badlock and we have filters in this week’s Digital Vaccine as well:

Adobe Flash Player Zero-Day Vulnerability (CVE-2016-1019)

Last week, Adobe released an out-of-band patch for CVE-2016-1019, which attempts to exploit a type confusion vulnerability in Adobe Flash. The specific flaw exists with the handling of references in the FileReference objects. As early as March 31, 2016, researchers here at Trend Micro saw a zero-day attack included in the code of Magnitude Exploit Kit that leads to Locky ransomware, a crypto-ransomware that abuses macros in document files to hide its malicious code.

Last week, TippingPoint released DVToolkit CSW file “CVE-2016-1019.csw” to address the vulnerability. Customers can download the CSW from the TippingPoint Threat Management Center. In this week’s Digital Vaccine package, the CSW file will be made obsolete by the following filter:

The following resources provide more information on this critical zero-day vulnerability:

Microsoft Patch Tuesday Update

This week’s Digital Vaccine (DV) package includes coverage for the Microsoft Security Bulletins released on or before April 12, 2016. The following table maps Digital Vaccine filters to the Microsoft Security Bulletins. Filters designated with an asterisk (*) shipped prior to this week’s package, providing zero-day protection for our customers:

Adobe Security Bulletins Update

This week’s Digital Vaccine (DV) package also includes coverage for the Adobe Security Bulletins released on April 7, 2016. The following table maps Digital Vaccine filters to the Adobe Security Bulletins. Filters designated with an asterisk (*) shipped prior to this week’s package, providing zero-day protection for our customers:

Zero Day Initiative Represented at ISSW 2016

This past weekend, the Infosec Southwest conference was held in Austin, Texas. One of our ZDI researchers, WanderingGlitch, spoke on “Leaking Windows Kernel Pointers.” According to WanderingGlitch, as part of reversing win32k.sys to understand the User-Mode Callback mechanism, he found several kernel information leaks. As it turns out, there were several situations where the kernel was readily returning kernel pointers to user land. His session focused on how user-mode callbacks operate and provided a description of the information leaks vulnerability and how prevalent they are. He followed with a detailed description of how to take advantage of CVE-2015-0094.

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap posted on the Trend Micro Simply Security blog!

Zero-Day Filters

There are six new zero-day filters covering three vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative web site.

Foxit (1)

Microsoft (4)

Solarwinds (1)

Updated Existing Zero-Day Filters

This section highlights specific filter(s) of interest in this week’s Digital Vaccine package that have been updated as a result of a vendor issuing a patch for a vulnerability found via the Zero Day Initiative.

Today’s featured filters include all four of the Adobe Vulnerabilities that were found at Pwn2Own 2016, making Adobe the first vendor to fix all of their vulnerabilities found during the event: