Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:


  • Zero-Day Alerts

  • Hacking Team Leak

  • Recent Posts

  • Calendar

    July 2015
    S M T W T F S
    « Jun    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
  • Email Subscription

  • About Us


    Author Archive - Bernadette Irinco (Technical Communications)




    July proves to be pretty busy for both software vendors and security researchers as various zero-day vulnerabilities were reported. In this month’s patch Tuesday, Microsoft addressed the recently discovered zero-day vulnerability in Internet Explorer that also emerged from the Hacking Team leak. The said vulnerability, covered in MS15-065 and rated as ‘critical’, could allow attackers to take control of the system once successfully exploited.  In addition, a proof-of-concept (PoC) code has been spotted by one of our threats researchers. All in all, Microsoft released a total of 14 security bulletins, 4 of which are tagged as ‘critical’ and the rest as ‘important’.

    Adobe has also rolled out its security patches to fix the recent slew of  Flash zero-day vulnerabilities that also came out of the Hacking team leak.  Both Adobe Flash Player zero-day vulnerabilities assigned with CVE-2015-5122 and CVE-2015-5123 respectively can allow an attacker to take control of the affected system once successfully exploited.  Our researchers are continuously monitoring any vulnerabilities and exploits that may arise from the whopping 440GB of leaked emails from Hacking team.

    Oracle also joined the bandwagon and released its own security updates to fix the Java zero-day exploit (designated with CVE-2015-2590), which was the first in nearly two years.  This zero-day exploit was used in the targeted attack campaign, Operation Pawn Storm that often hit military and defense contractors from the US and its allies among others.  Oracle’s patch update also contains fixes to address the other 193 new vulnerabilities.

    Trend Micro solutions

    Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:

    • 1006750 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1733)
    • 1006754 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1738)
    • 1006831 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2397)
    • 1006832 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2401)
    • 1006833 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2406)
    • 1006835 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2408)
    • 1006837 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2411)
    • 1006839 – Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2015-2421)
    • 1006840 – Microsoft SQL Server Remote Code Execution Vulnerability (CVE-2015-1762)
    • 1006841 – Microsoft Windows VBScript Memory Corruption Vulnerability (CVE-2015-2372)
    • 1006842 – Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-1729)
    • 1006843 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2383)
    • 1006845 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2383)
    • 1006846 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2388)
    • 1006847 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2389)
    • 1006848 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2390)
    • 1006849 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2391)
    • 1006850 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1742)
    • 1006851 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2403)
    • 1006852 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2404)
    • 1006853 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2422)
    • 1006857 – Oracle Java SE Remote Code Execution Vulnerability (CVE-2015-2590)
    • 1006859 – Adobe Flash Player BitmapData Remote Code Execution Vulnerability (CVE-2015-5123)
    • 1006867 – Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-2413)
    • 1006868 – Microsoft Internet Explorer JScript9 Memory Corruption Vulnerability (CVE-2015-2419)
    • 1006869 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2425)
    • 1006872 – Microsoft Windows DLL Planting Remote Code Execution Vulnerability (CVE-2015-2369)
    • 1006873 – Microsoft Excel ASLR Bypass Vulnerability (CVE-2015-2375)
    • 1006874 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2376)
    • 1006875 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2377)
    • 1006876 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2379)
    • 1006877 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2380)
    • 1006878 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2415)
    • 1006879 – Microsoft Windows Graphics Component EOP Vulnerability (CVE-2015-2364)
    • 1006880 – Microsoft Windows OLE Elevation Of Privilege Vulnerability (CVE-2015-2416)
    • 1006881 – Microsoft Windows OLE Elevation Of Privilege Vulnerability (CVE-2015-2417)

    Users are strongly advised to update their software and systems with the latest patches from Microsoft, Adobe, and Oracle. For additional information on these security bulletins, visit our Threat Encyclopedia page.

     

     

     
    Posted in Vulnerabilities |



    Patch-Tuesday_gray14 security bulletins addressing vulnerabilities in Internet Explorer, Microsoft Office, Microsoft Windows, Microsoft Windows Object Linking and Embedding (OLE), and Microsoft .NET Framework among others. Out of these security bulletins, four are tagged as Critical and 8 are rated as Important.

    One of the notable bulletins is MS14-065, which fixes several vulnerabilities in Internet Explorer. All supported versions of the browser are affected by these vulnerabilities, which could lead to remote code execution.

    Another crucial bulletin is MS14-064 that resolves vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE), including those covered in CVE-2014-6352, related to Sandworm attacks. This CVE was released because a new exploit reportedly bypassed the security update for CVE-2014-4114. Last October, Microsoft patched vulnerabilities in CVE-2014-4114, however, after a week new attacks leveraging these vulnerabilities were seen in the wild.

    Server administrators should be especially concerned about MS14-066 as well. This vulnerability in Microsoft Schannel (the implementation of SSL/TLS in Windows) has a significant vulnerability that allows for attackers to run code on an effected system if specially crafted packets are sent to it. This attack can be compared to Shellshock, which could be exploited using a similar method.

    Aside from Microsoft, Adobe also released a security update for Adobe Flash Player that could lead to an attacker taking control on the affected systems. As such, users are advised to update to the latest version of Adobe Flash Player.

    Users are recommended to apply these patches immediately for these vulnerabilities. Trend Micro Deep Security and Office Scan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities following DPI rules:

    • 1006324 – Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332)
    • 1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability
    • 1006291 – Microsoft Windows OLE Remote Code Execution Vulnerability -1
    • 1006292 – Microsoft Windows OLE Remote Code Execution Vulnerability Over SMB
    • 1006294 – Microsoft Windows OLE Remote Code Execution Vulnerability Over WebDAV
    • 1006315 – Microsoft Windows OLE Remote Code Execution Vulnerability -2
    • 1006321 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4143)
    • 1006330 – Microsoft Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2014-6323)
    • 1006332 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6337)
    • 1006329 – Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6339)
    • 1006333 – Microsoft Internet Explorer Cross-Domain Information Disclosure Vulnerability (CVE-2014-6340)
    • 1006334 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6341)
    • 1006331 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6342)
    • 1006340 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6343)
    • 1006341 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6344)
    • 1006338 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6347)
    • 1006335 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6348)
    • 1006336 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6351)
    • 1006337 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6353)
    • 1006327 – Microsoft Schannel Remote Code Execution Vulnerability (CVE-2014-6321)
    • 1006339 – Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2014-4118)
    • 1006323 – Microsoft Office Remote Code Execution Vulnerability (CVE-2014-6333)
    • 1006322 – Microsoft Office Bad Index Remote Code Execution Vulnerability (CVE-2014-6334)
    • 1006320 – Microsoft Office Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6335)
    • 1000552 – Generic Cross Site Scripting(XSS) Prevention
    • 1001126 – DNS Domain Blocker

    For more information on the bulletins and its corresponding Trend Micro solutions, visit the Threat Encyclopedia Page.

     
    Posted in Vulnerabilities | Comments Off on November Patch Tuesday: Microsoft Rolls Out 14 Security Bulletins



    Three out of nine security bulletins in today’s Microsoft Patch Tuesday are marked as Critical while the rest are tagged as Important The patches address vulnerabilities found in Internet Explorer, and Microsoft .NET Framework, including the zero-day exploit affecting Microsoft Windows. MS14-060 discusses the Sandworm zero-day vulnerability, which was reported hours earlier.

    Based on our analysis, attackers may use this vulnerability to create/execute malware payloads, given that it not too difficult to exploit. Attackers can just know the format and create their own PowerPoint exploit. Trend Micro detects the exploit as TROJ_MDLOAD.PGTY, and its payloads as INF_BLACKEN.A and BKDR_BLACKEN.A. Currently, it is believed that this zero-day was used in cyber attacks against European sectors and industries.

    Another critical vulnerability that users need to note is MS14-056 which fixes several vulnerabilities in Internet Explorer. Once successfully exploited, this could possibly lead to remote code execution. Similarly, MS14-057, another bulletin tagged as Critical could lead to remote code execution when successfully exploited by remote attackers.

    Adobe also released security updates today to address vulnerabilities affecting certain versions of ColdFusion and Adobe Flash Player. These are covered under the following CVEs:

    • CVE-2014-0558
    • CVE-2014-0564
    • CVE-2014-0569
    • CVE-2014-0570
    • CVE-2014-0571
    • CVE-2014-0572

    We highly recommend users to patch their systems and update their Adobe products to its latest versions. The Sandworm zero-day highlights the importance of patching as this can be used by cybercriminals and threat actors to infiltrate the network and potentially steal confidential company data and other type of information.

    Trend Micro Deep Security and Office Scan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities following DPI rules:

    • 1006267 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4126)
    • 1006268 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4127)
    • 1006269 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4128)
    • 1006270 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4129)
    • 1006271 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4130)
    • 1006282 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4132)
    • 1006274 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4133)
    • 1006279 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4134)
    • 1006273 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4138)
    • 1006283 – Microsoft Word And Office Web Apps Remote Code Execution Vulnerability (CVE-2014-4117)
    • 1000552 – Generic Cross Site Scripting(XSS) Prevention
    • 1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
    • 1006291 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1

    Users may visit our Threat Encyclopedia page for more details on these security bulletins.

    Update as of October 16, 2014, 5:45 P.M.:

    The Sandworm vulnerability has been linked to attacks against specific SCADA systems. Read more about this in our post titled Sandworm to Blacken: The SCADA Connection.

     
    Posted in Malware, Vulnerabilities | Comments Off on October 2014 Patch Tuesday Fixes Sandworm Vulnerability



    Patch-Tuesday_grayFor this month’s patch Tuesday, Microsoft released four security bulletins, addressing flaws found in Internet Explorer, Microsoft .NET Framework, Microsoft Windows, and Microsoft Lync server.  One bulletin is rated as ‘Critical’ while the rest are tagged as ‘Important’.

    One of the notable bulletins in this month’s cycle is MS14-052, which addresses thirty-six vulnerabilities found in Internet Explorer. IE 6 to 11 are affected by these vulnerabilities.

    MS14-053 resolves issues found in the Microsoft .NET Framework that could allow denial of service once exploited successfully by attackers. Similarly, when the vulnerabilities addressed in MS14-055 are leveraged by attackers it could also lead to denial of service. On the other hand, Adobe also plans to release security updates addressing vulnerabilities in Adobe Flash Player and Adobe Reader and Acrobat by September 15.

    Although this month’s security updates are relatively few compared to the previous months, it is highly advisable to update systems with the latest patches to protect it  from threats leveraging such vulnerabilities.

    Trend Micro Deep Security and Office Scan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage vulnerabilities discussed in MS14-052 via the following DPI rules:

    • 1006164 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)
    • 1006219 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4065)
    • 1006224 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4080)
    • 1006227 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4081)
    • 1006230 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4082)
    • 1006221 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4084)
    • 1006229 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4086)
    • 1006222 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4087)
    • 1006225 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4088)
    • 1006220 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4089)
    • 1006223 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4092)
    • 1006226 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4094)
    • 1006228 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4095)

    The rules above also protect users of Internet Explorer on Windows XP, which is no longer being supported by Microsoft.

    For more information on these security bulletins, visit our Threat Encyclopedia page.

     
    Posted in Vulnerabilities | Comments Off on September 2014 Patch Tuesday Includes Fixes for Critical IE Vulnerabilities



    Patch-Tuesday_grayMicrosoft has rolled out nine security bulletins for their August Patch Tuesday. Two bulletins are rated as Critical, while the rest are rated as Important. Microsoft Windows, Internet Explorer, Microsoft SQL Server, and Microsoft .NET Framework are some of the affected applications that these bulletins covered.

    One of the most notable bulletins in this month’s cycle is MS14-051, which addresses 26 vulnerabilities found in Internet Explorer. The other Critical bulletin is MS14-043, which resolves problems in Windows Media Center, a component of Microsoft Windows. The vulnerabilities resolved in these bulletins, if exploited, could lead to arbitrary code being run on affected systems. Many of these vulnerabilities are in older versions of Internet Explorer (versions 6-8), which

    The bulletins rated as Important covered a wide variety of applications, including Microsoft SharePoint Server, Microsoft SQL Server, and Microsoft Windows. It’s also worth noting that from this point forward, users of Windows 8.1 and Windows Server 2012 R2 must have installed the April update to these operating systems in order to receive security updates.

    Adobe also follows the same second-Tuesday-of-the-month patching cycle as Microsoft; they released released patches for vulnerabilities affecting Adobe Reader/Acrobat and Adobe Flash Player. These vulnerabilities are covered under the following CVEs:

    • CVE-2014-0538
    • CVE-2014-0540
    • CVE-2014-0541
    • CVE-2014-0542
    • CVE-2014-0543
    • CVE-2014-0544
    • CVE-2014-0545

    Users are highly recommended to update their Adobe Flash Player and Adobe Reader and Acrobat to its latest versions. Trend Micro Deep Security and Office Scan with Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities discussed in MS14-051 via the following DPI rules:

    • 1006175 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2823)
    • 1006176 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2824)
    • 1006165 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4050)
    • 1006177 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4057)
    • 1006166 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4063)

    We encourage users to immediately apply these patches on their systems. For more information on these security bulletins, visit our Threat Encyclopedia page.

     
    Posted in Vulnerabilities | Comments Off on August 2014 Patch Tuesday Includes Two Critical Updates


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice