    Author Archive - Abigail Pichel (Technical Communications)




    When it was announced that Microsoft Edge would replace Internet Explorer in Windows 10, a lot of members in the tech industry took notice. Internet Explorer has been, admittedly, a well-known target for vulnerabilities for years. We noted that in 2014 alone, a total of 243 memory corruption vulnerabilities in Internet Explorer were disclosed and patched.

    But weeks after its official release, it seems like Microsoft Edge is still working out some kinks, as one of the “Critical” security updates for this month applies to the new browser. MS15-091 is a cumulative security update for Microsoft Edge. According to the bulletin, the update addresses vulnerabilities, the most severe of which could “allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.”

    This month’s Patch Tuesday brings another cumulative security update for Internet Explorer (MS15-079). Like the Microsoft Edge update, this patch addresses vulnerabilities that could allow remote code execution. The two other “Critical” updates also involve remote code execution: one for Microsoft Office (MS15-081) and the other for a Microsoft graphics component (MS15-080). Aside from the four “Critical” bulletins, this month’s Patch Tuesday has ten “Important” updates, bringing the total to fourteen for August.

    Adobe has also released a security update (APSB15-19), which addresses vulnerabilities for Adobe Flash Player. According to the bulletin, the updates “address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”

    Users are strongly advised to update their software and systems with the latest patches from Microsoft and Adobe. For additional information on these security bulletins, visit our Threat Encyclopedia page.

    Trend Micro solutions

    Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:

    • 1006624-Microsoft Office Component Use After Free Vulnerability (CVE-2015-1642)
    • 1006928-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2442)
    • 1006929-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2443)
    • 1006930-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)
    • 1006931-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2446)
    • 1006932-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2448)
    • 1006933-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2450)
    • 1006934-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2451)
    • 1006935-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2452)
    • 1006936-Microsoft Office Graphics Component Remote Code Execution Vulnerability (CVE-2015-2431)
    • 1006937-Microsoft Office Memory Corruption Vulnerability (CVE-2015-2467)
    • 1006938-Microsoft Office Memory Corruption Vulnerability (CVE-2015-2468)
    • 1006939-Microsoft Office Memory Corruption Vulnerability (CVE-2015-2469)
    • 1006940-Microsoft Office Integer Underflow Vulnerability (CVE-2015-2470)
    • 1006941-Microsoft Office Memory Corruption Vulnerability (CVE-2015-2477)
    • 1006944-Microsoft Windows OpenType Font Parsing Vulnerability (CVE-2015-2432)
    • 1006945-Microsoft Windows TrueType Font Parsing Vulnerability (CVE-2015-2456)
    • 1006946-Microsoft Windows OpenType Font Parsing Vulnerability (CVE-2015-2458)
    • 1006947-Microsoft Windows OpenType Font Parsing Vulnerability (CVE-2015-2459)
    • 1006948-Microsoft Windows OpenType Font Parsing Vulnerability (CVE-2015-2460)
    • 1006949-Microsoft Windows OpenType Font Parsing Vulnerability (CVE-2015-2461)
    • 1006950-Microsoft Windows OpenType Font Parsing Vulnerability (CVE-2015-2462)
    • 1006951-Microsoft Windows TrueType Font Parsing Vulnerability (CVE-2015-2463)
    • 1006952-Microsoft Windows TrueType Font Parsing Vulnerability (CVE-2015-2464)
    • 1006955-Microsoft Windows TrueType Font Parsing Vulnerability (CVE-2015-2435)
    • 1006956-Microsoft Windows TrueType Font Parsing Vulnerability (CVE-2015-2455)
    Posted in Vulnerabilities |



    Adobe has just released an update to address a vulnerability found in its Flash Player browser plug-in. In its security advisory (APSB15-14), Adobe notes that this vulnerability “is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”

    The critical flaw (CVE-2015-3113) could potentially allow an attacker to take control of the affected system. The affected software versions are the following:

    • Adobe Flash Player 18.0.0.161 and earlier versions for Windows and Mac
    • Adobe Flash Player Extended Support Release version 13.0.0.292 and earlier 13.x versions for Windows and Macintosh
    • Adobe Flash Player 11.2.202.466 and earlier 11.x versions for Linux

    Adobe has stated that the latest version of Flash Player Desktop Runtime for Windows and Mac (v. 18.0.0.194) will address this issue. Users who may be unsure of the version of their Flash software may use this link to check.
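    The version ranges above are easy to misread when triaging an inventory: a 13.x Extended Support Release build above 13.0.0.292 is fixed even though it sorts below 18.0.0.161, so a plain “less than or equal to 18.0.0.161” comparison would flag patched ESR installs. The following Python script is an added example (not Adobe’s or Trend Micro’s code) that encodes the affected ranges stated in this post, with branch-specific thresholds checked before the catch-all, and runs them over a constructed sample inventory; the hostnames and inventory format are assumptions for illustration.

```python
"""Flag Flash Player installs that fall inside the APSB15-14 affected ranges.

Added example, not code from Adobe or Trend Micro. Thresholds are the ones
stated in the advisory text; the inventory lines below are constructed.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '18.0.0.161' into (18, 0, 0, 161) so tuples compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# Per platform: ordered list of (major branch or None, highest affected version).
# A branch-specific entry (e.g. the 13.x ESR line) must come before the
# catch-all entry (branch None) so a patched ESR build is not flagged by the
# "18.0.0.161 and earlier" rule.
AFFECTED: Dict[str, List[Tuple[Optional[int], Version]]] = {
    "windows": [(13, (13, 0, 0, 292)), (None, (18, 0, 0, 161))],
    "mac":     [(13, (13, 0, 0, 292)), (None, (18, 0, 0, 161))],
    "linux":   [(11, (11, 2, 202, 466))],   # advisory lists 11.x only for Linux
}


def is_affected(version: str, platform: str) -> bool:
    """True if this version on this platform is inside an affected range."""
    v = parse_version(version)
    rules = AFFECTED.get(platform.lower())
    if rules is None:
        raise ValueError(f"unknown platform: {platform!r}")
    for branch, highest in rules:
        if branch is None or v[0] == branch:
            return v <= highest
    return False


# Constructed sample inventory (hypothetical hosts): host,platform,flash_version
SAMPLE_INVENTORY = """\
ws01,windows,18.0.0.160
ws02,windows,18.0.0.194
ws03,mac,13.0.0.292
ws04,mac,13.0.0.296
srv01,linux,11.2.202.466
ws05,windows,13.0.0.250
"""


def triage(inventory_csv: str) -> List[str]:
    """Return the hosts whose installed Flash version is still affected."""
    vulnerable = []
    for line in inventory_csv.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, platform, version = (f.strip() for f in line.split(","))
        if is_affected(version, platform):
            vulnerable.append(host)
    return vulnerable


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Flash Player still in an APSB15-14 affected range")
```

The inventory columns are a stand-in for whatever your endpoint management tool exports; the only parts worth keeping are `parse_version` (numeric tuple comparison rather than string comparison, which would put `18.0.0.161` before `9.0.0.0`) and the branch-first ordering in `AFFECTED`.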

    Adobe Flash Player on Google Chrome and Internet Explorer on Windows 8.1 and later should automatically update to the latest version. Updates, including those for Windows XP, are also available in the Adobe Flash Player Download Center. We would also recommend that users opt for automatic updates whenever possible so that their applications are updated as soon as possible.

    We will update this entry should any additional information be made available.

    Update as of June 24, 2015, 8:12 A.M. (PDT):

    Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006810 – Adobe Flash Player Heap Buffer Overflow Vulnerability (CVE-2015-3113)

    More information can also be found in our entry, New Adobe Zero-Day Shares Same Root as Older Flaws.

    Update as of June 26, 2015, 3:10 P.M. PDT (UTC-7):

    Trend Micro solutions are available to help protect users against threats that may leverage this vulnerability. Endpoint products detect malware that attempts to exploit this vulnerability as SWF_EXPLOYT.S. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.

    Below are the SHA1 hashes related to this threat:

    • 5f6a2521c6bfd5becfefc3a3db74d0a23d382f0e
    • 5f28787f60c5f8d9f3aa9163975422d1ff55f460



    This month’s Patch Tuesday can be considered lighter than last month’s, with only eight security bulletins released for June. Of the eight, two are considered Critical while the remaining are rated Important.

    Just like last month, there is a critical, cumulative update for Internet Explorer. MS15-056 aims to resolve vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. According to the bulletin, the patch addresses the vulnerabilities by:

    • Preventing browser histories from being accessed by a malicious site
    • Adding additional permission validations to Internet Explorer
    • Modifying how Internet Explorer handles objects in memory

    The first bullet point above is worth paying attention to. Previously, it was possible for an attacker who lured a victim to a malicious (or compromised) web site to access the user’s browser history. Obviously, many users would find this disclosure somewhat troubling. This vulnerability has now been patched, and there are no indications it was exploited in the wild.

    The second critical update addresses a vulnerability found in Windows, specifically Windows Media Player (MS15-057). The vulnerability could allow remote code execution if a specially crafted file is opened in Windows Media Player. The remaining six patches address vulnerabilities that affect several Windows components, Microsoft Office, and Microsoft Exchange Server.

    More information about these bulletins and their corresponding Trend Micro solutions are posted at our Threat Encyclopedia Page: June 2015 – Microsoft Releases 8 Security Advisories.

    Update for Adobe

    Adobe has also released a security update (APSB15-11) for Adobe Flash Player for Windows, Macintosh, and Linux. According to Adobe, the updates “address vulnerabilities that could potentially allow an attacker to take control of the affected system.”

    We urge users to patch their endpoints and servers as soon as possible. Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:

    • 1006657-Adobe Flash Player Remote Integer Overflow Vulnerability (CVE-2014-0569) – 2
    • 1006745-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1687)
    • 1006747-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1730)
    • 1006748-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1731)
    • 1006749-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1732)
    • 1006751-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1735)
    • 1006752-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1736)
    • 1006753-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1737)
    • 1006755-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1740)
    • 1006756-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1741)
    • 1006757-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1742)
    • 1006758-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1744)
    • 1006759-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1745)
    • 1006760-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1747)
    • 1006761-Microsoft Internet Explorer Elevation Of Privilege Vulnerability (CVE-2015-1748)
    • 1006762-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1750)
    • 1006763-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1751)
    • 1006764-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1752)
    • 1006765-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1753)
    • 1006766-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1755)
    • 1006767-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1766)
    • 1006769-Microsoft Office Use After Free Vulnerability (CVE-2015-1759)
    • 1006770-Microsoft Office Use After Free Vulnerability (CVE-2015-1760)
    • 1006771-Microsoft Office Uninitialized Memory Use Vulnerability (CVE-2015-1770)
    • 1006772-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3096)
    • 1006773-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3098)
    • 1006774-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3099)
    • 1006775-Adobe Flash Player Remote Code Execution Vulnerability (CVE-2015-3100)
    • 1006776-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3102)
    • 1006777-Adobe Flash Player Use After Free Vulnerability (CVE-2015-3103)
    • 1006778-Adobe Flash Player Integer Overflow Vulnerability (CVE-2015-3104)
    • 1006779-Adobe Flash Player Out Of Bound Write Vulnerability (CVE-2015-3105)
    • 1006780-Adobe Flash Player Use After Free Vulnerability (CVE-2015-3106)
    • 1006781-Adobe Flash Player Memory Corruption Vulnerability (CVE-2015-3108)
    • 1006782-Microsoft Windows HTML Application Denial Of Service Vulnerability



    Ransomware continues to make waves, especially with the rise of file-encrypting ransomware like CryptoLocker. However, we are seeing yet another alarming development for this malware: it is now targeting mobile devices.

    Reveton Makes a Comeback

    In early May, it was reported that this mobile ransomware was the product of the Reveton gang. Reveton was one of the many cybercrime groups that spread police ransomware, which hit Europe and the U.S. and consequently spread to the other parts of the world.

    It now appears that these cybercrime groups have decided to include mobile users among their intended victims. Our earlier efforts resulted in some of those behind these attacks being arrested, but not all of these cybercriminals are now behind bars – and some have expanded their efforts into mobile malware.

    This is detected as ANDROIDOS_LOCKER.A and can be downloaded through a specific URL. The domain contains words like “video” and “porn,” which can give an idea of how users wound up on the site.

    The malware monitors screen activity while the device is active. Based on the analysis of its code, it tries to put its UI on top of the screen whenever the device is unlocked. Users cannot uninstall the malicious app through the usual uninstall steps because the system UI, and even the AV UI, is always “covered” by the malware’s UI.

    It also tries to connect to several URLs that are its command-and-control servers. These are currently inaccessible. However, one URL was found to display pornographic content. The ransomware appears to be capable of sending information to these C&C servers, albeit with limited functionality, because it has only a few permissions.

    These URLs are hosted in two IP addresses located in the U.S. and in the Netherlands. Further analysis reveals that these IP addresses also host other malicious URLs, though not related to this particular malware.

    The Continued Migration to Mobile and Best Practices

    Over the last couple of years, “desktop” malware has continued to make its way to mobile endpoints. We reported last March that we encountered Bitcoin-mining malware that targets Android devices. To avoid these threats, we strongly suggest that you disable your device’s ability to install apps from sources outside of Google Play. Also double-check the developer of the app you want to download, and read the app reviews carefully to verify the app’s legitimacy.

    This setting can be found under Security in the system settings of Android devices. On-device security solutions (like Trend Micro Mobile Security) provide an additional layer of protection that detects even threats which arrive outside of authorized app stores.

    With additional analysis from Yang Yang and Paul Pajares




    This month’s Patch Tuesday features eight bulletins, the largest number of bulletins released for the year so far. Out of the eight bulletins, two are rated as ‘critical’ and the remaining, ‘important.’ While Microsoft may have released an out-of-band update for Windows XP to address a (then) zero-day vulnerability, updates for that OS are noticeably absent from this rollout.

    Aside from the eight bulletins, this Patch Tuesday also includes the out-of-band security patch that was released two weeks ago addressing an Internet Explorer zero-day vulnerability. But that isn’t the only update concerning Internet Explorer. One of the two ‘critical’ updates, MS14-029, addresses two privately reported vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

    The second ‘critical’ update (MS14-022) addresses multiple vulnerabilities in Microsoft Office server and productivity software. According to Microsoft, “[t]he most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.”

    Two updates address vulnerabilities concerning Microsoft Office. MS14-023 resolves vulnerabilities that could allow remote code execution if a user opens an Office file in the same network directory as a specially crafted library file. MS14-024, meanwhile, resolves a vulnerability that could allow a security feature bypass if a user “views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer.” The remaining updates address vulnerabilities that could allow elevation of privilege and denial of service if exploited.

    Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page for further information. Two rules for Trend Micro Deep Security and Trend Micro Intrusion Defense Firewall plugin for OfficeScan have also been created and are available for use by system administrators:

    • 1006034 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0310)
    • 1006056 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815)

    Update as of 7:26 PM, June 12, 2014

    Adobe has also released security updates to address vulnerabilities affecting Adobe Flash Player. Once these vulnerabilities are successfully exploited, remote attackers can potentially control the system. We highly advise users to update their Adobe Flash Player to version 13.0.0.214.

    Trend Micro Deep Security and Office Scan with Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:

    • 1006062 – Adobe Acrobat And Reader Use-after-free Vulnerability (CVE-2014-0527)
    • 1006070 – Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515) – 1
    • 1006066 – Adobe Reader Unspecified Security Bypass Vulnerability (CVE-2014-0512)
    Posted in Vulnerabilities | Comments Off on May 2014 Patch Tuesday Rolls Out 8 Bulletins



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice