    Author Archive - Bernadette Irinco (Technical Communications)

    Internet Explorer and Microsoft Windows are among the products addressed in this month’s round of security updates. For July Patch Tuesday, Microsoft released six security bulletins, two of which are rated ‘critical’. Three of the remaining bulletins are rated ‘important’ and one ‘moderate.’

    MS14-037 resolves some two dozen vulnerabilities in Internet Explorer versions 6 to 11 that could lead to remote code execution if a user visits a specially crafted webpage. One of the vulnerabilities covered by this bulletin, the Extended Validation (EV) Certificate Security Feature Bypass Vulnerability (CVE-2014-2783), had been disclosed publicly before the patch; as of this posting, however, no exploit abusing it has been seen in the wild.

    While Microsoft has not said whether the latest IE vulnerabilities affect IE 6 on Windows XP, we can reasonably assume that it is affected, since IE 6 on Windows Server 2003 is vulnerable and Windows XP no longer receives security updates. Windows XP users who run OfficeScan with the Intrusion Defense Firewall are protected against attacks using these vulnerabilities.

    The other critical bulletin, MS14-038, addresses a vulnerability in Microsoft Windows (Windows Journal). An attacker could execute code remotely if a user opens a specially crafted Journal file, compromising the system. The bulletins rated ‘important’ also affect Microsoft Windows and allow elevation of privilege: an attacker who has already gained a foothold on a system could use them to obtain higher privileges.

    Adobe has also rolled out security patches for vulnerabilities in Adobe Flash Player. When exploited, these vulnerabilities could allow a remote attacker to compromise the system and take control of it. They are covered under the following CVEs:

    • CVE-2014-0537
    • CVE-2014-0539
    • CVE-2014-4671

    Users are strongly advised to update Adobe Flash Player to the latest version. Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage the Internet Explorer vulnerabilities addressed in MS14-037 via the following DPI rules:

    • 1006123 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1765)
    • 1006124 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2787)
    • 1006114 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2795)
    • 1006115 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2797)
    • 1006116 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2801)
    • 1006125 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2804)

    We highly recommend that users apply these patches immediately. For additional information on these security bulletins, visit our Threat Encyclopedia page.

    Posted in Vulnerabilities | Microsoft Rolls Out Updates for IE, Microsoft Windows in July Patch Tuesday

    When people discuss the Internet of Everything (IoE), they refer to the introduction of computing power and networking capabilities to previously “dumb” devices like television sets, cars, pedometers, and appliances. Many believe that it is the next big thing in tech, and it offers users a wide array of benefits, allowing them to save time and money, or even improve their lives. These gadgets range from the merely nice to have all the way to mission-critical tools.

    However, the Internet connectivity and computing power of these devices – the very things that make them “smart” – introduce security risks as well. For instance, the facial and speech recognition features of smart TVs are problematic in terms of privacy. Self-driving cars may be hacked and cause injury to their occupants or to passers-by. Pervasive wearable tech, while useful to its owners, may be considered a privacy threat by bystanders.

    We’ve earlier talked about the factors that will influence the proliferation of smart devices in homes. These factors include market pressures, regional availability and cultural acceptance. Smart home devices are being marketed and are readily available, whether in stores or online. In addition, in some markets broadband providers are also selling these devices to their existing customers, adding home automation to existing Internet and cable TV plans.

    Cybercriminals go after the platforms and devices that are popular with users. However, while smart devices may be the “next big thing”, they have not yet been broadly adopted. In our 2014 predictions, we noted that there is no “killer app” that many users will consider a must-have; such a “killer app” would lead to wide-scale adoption of smart devices.

    However, the number of people adopting smart devices will only grow. These early adopters need to be aware of the various security risks of these devices – not only to their personal information and privacy, but also to their safety and well-being.

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

    Posted in Internet of Things, Social | Understanding the Internet of Everything

    Two of the seven bulletins in today’s Microsoft Patch Tuesday are rated critical, while the rest are rated important. The critical bulletins address vulnerabilities in Microsoft Office and Internet Explorer which, when exploited, could allow remote code execution and thus compromise the affected systems.

    Perhaps the most interesting bulletin here is MS14-035, which resolves flaws in Internet Explorer versions 6 to 11. They can be abused via a specially crafted web page and could give an attacker the same user rights as the logged-on user. For IE 6, the bulletin only provides a patch for Windows Server 2003, but the vulnerabilities almost certainly exist in the now-unsupported Windows XP as well.

    This is the sort of problem that we warned about earlier this year: newly discovered vulnerabilities in Windows XP will now remain unpatched and wide open for use by attackers. This particular problem will only get worse over time.

    The other critical bulletin, MS14-036, fixes flaws in Microsoft Windows, Microsoft Office, and Microsoft Lync (a messaging and conferencing platform). A specially crafted webpage or file could compromise the system if opened on an unpatched machine.

    MS14-032 addresses a vulnerability in Microsoft Lync that can lead to information disclosure when exploited. Another notable bulletin is MS14-031, which addresses a vulnerability in Microsoft Windows that could lead to denial of service when exploited by cybercriminals.

    Adobe also rolled out one security bulletin resolving issues in Adobe Flash Player, covered under the following CVEs. This brings the current version of Adobe Flash Player to

    • CVE-2014-0531
    • CVE-2014-0532
    • CVE-2014-0533
    • CVE-2014-0534
    • CVE-2014-0535
    • CVE-2014-0536

    We highly recommend that users apply these security patches and upgrade their Adobe products to the latest versions, to prevent their systems from being infected by threats leveraging the vulnerabilities discussed in these bulletins.

    Users may also visit our Trend Micro Threat Encyclopedia page to know more about the appropriate Deep Security solutions.

    Posted in Vulnerabilities | June 2014 Patch Tuesday Resolves Critical Flaws in Internet Explorer, Microsoft Office

    OpenSSL has released a security advisory addressing six vulnerabilities in OpenSSL. As of this writing, there are no reports of exploits leveraging these vulnerabilities in the wild. The patches cover the following vulnerabilities:

    • SSL/TLS MITM vulnerability (CVE-2014-0224)
    • DTLS recursion flaw (CVE-2014-0221)
    • DTLS invalid fragment vulnerability (CVE-2014-0195)
    • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
    • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
    • Anonymous ECDH denial of service (CVE-2014-3470)

    When the SSL/TLS MITM vulnerability (CVE-2014-0224) is exploited, an attacker positioned between a vulnerable client and a vulnerable server can force both sides to derive weak keying material and then decrypt and modify the traffic between them. Note that both the client and the server have to be vulnerable for the attack to succeed, and the attacker must be in the network path, which makes this less serious than Heartbleed, which could be exploited against a server alone. The DTLS invalid fragment vulnerability (CVE-2014-0195) is also notable: it could allow arbitrary code execution on a vulnerable DTLS client or server, compromising the system. In addition, the DTLS recursion flaw (CVE-2014-0221) can be abused by a remote attacker to cause a denial of service (DoS).
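To illustrate the server side of CVE-2014-0224, here is an added example (not code from the original post, from OpenSSL, or from a Trend Micro product) of a probe that sends a ClientHello, waits for ServerHelloDone, and then sends two ChangeCipherSpec records before any key exchange has happened. It assumes TLS 1.0 record framing and OpenSSL's alert behaviour: a patched server answers the early ChangeCipherSpec with an unexpected_message alert (description 10), while a vulnerable server accepts it and then fails to verify the next record (bad_record_mac or decryption_failed). The host and port are whatever you point it at; it tests only the server, not whether your own clients are vulnerable.

```python
import os
import socket
import struct

# Record content types, handshake types and the alert descriptions the probe distinguishes.
REC_CCS, REC_ALERT, REC_HANDSHAKE = 0x14, 0x15, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO_DONE = 0x01, 0x0E
ALERT_UNEXPECTED_MESSAGE = 10   # patched OpenSSL rejects the early CCS with this
ALERT_BAD_RECORD_MAC = 20       # vulnerable OpenSSL accepted it, then cannot verify the next record
ALERT_DECRYPTION_FAILED = 21
TLS_VERSION = b"\x03\x01"       # TLS 1.0 framing (assumed); accepted by every affected OpenSSL branch


def record(content_type, body):
    """Wrap a payload in a 5-byte TLS record header (type, version, length)."""
    return bytes([content_type]) + TLS_VERSION + struct.pack(">H", len(body)) + body


def build_client_hello(ciphers=(0x002F, 0x0035, 0x000A)):
    """Minimal ClientHello: TLS 1.0, 32-byte random, empty session id, three RSA suites, null compression."""
    body = TLS_VERSION + os.urandom(32) + b"\x00"
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack(">I", len(body))[1:] + body  # 24-bit length
    return record(REC_HANDSHAKE, handshake)


def build_ccs():
    """A ChangeCipherSpec record; sending it before the key exchange is the whole probe."""
    return record(REC_CCS, b"\x01")


def parse_records(data):
    """Split bytes into (content_type, body) tuples, ignoring a trailing partial record."""
    out, i = [], 0
    while i + 5 <= len(data):
        length = struct.unpack(">H", data[i + 3:i + 5])[0]
        if i + 5 + length > len(data):
            break
        out.append((data[i], data[i + 5:i + 5 + length]))
        i += 5 + length
    return out


def handshake_done(data):
    """True once a ServerHelloDone message is visible in the buffered handshake records."""
    hs = b"".join(body for ctype, body in parse_records(data) if ctype == REC_HANDSHAKE)
    i = 0
    while i + 4 <= len(hs):
        mtype, mlen = hs[i], int.from_bytes(hs[i + 1:i + 4], "big")
        if mtype == HS_SERVER_HELLO_DONE:
            return True
        i += 4 + mlen
    return False


def classify_response(data):
    """Interpret the server's reply to two early ChangeCipherSpec records."""
    for ctype, body in parse_records(data):
        if ctype == REC_ALERT and len(body) >= 2:
            desc = body[1]
            if desc == ALERT_UNEXPECTED_MESSAGE:
                return "not vulnerable: early ChangeCipherSpec rejected"
            if desc in (ALERT_BAD_RECORD_MAC, ALERT_DECRYPTION_FAILED):
                return "likely vulnerable: early ChangeCipherSpec accepted"
            return f"inconclusive: alert description {desc}"
    return "inconclusive: no alert received"


def probe(host, port=443, timeout=5.0):
    """Run the probe against a live server (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        buf = b""
        while not handshake_done(buf):
            if any(ctype == REC_ALERT for ctype, _ in parse_records(buf)):
                return "inconclusive: server alerted during handshake"
            chunk = s.recv(4096)
            if not chunk:
                return "inconclusive: connection closed during handshake"
            buf += chunk
        s.sendall(build_ccs())
        s.sendall(build_ccs())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python ccs_probe.py www.example.com 443` against a server you are authorized to test. A server that simply closes the connection without an alert is reported as inconclusive rather than vulnerable; confirm such cases with the version check or the vendor's package changelog.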

    For the MITM attack to work, the server must be running OpenSSL 1.0.1 or 1.0.2-beta1, while OpenSSL clients of every version are affected; several of the other flaws also affect the older branches. Users of all supported branches should therefore upgrade to the following versions:

    • OpenSSL 0.9.8 SSL/TLS users should upgrade to 0.9.8za
    • OpenSSL 1.0.0 SSL/TLS users should upgrade to 1.0.0m
    • OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1h
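The fixed releases above are easy to compare wrongly because OpenSSL's patch letters wrap from z to za, so a plain string comparison ranks 0.9.8za below 0.9.8z. The following added example (not code from the original post or from the OpenSSL project) parses the output of `openssl version` and orders the patch letters by length first; the branch table holds exactly the three fixed versions listed above and nothing else.

```python
import re

# Minimum fixed release per branch, exactly as listed in the advisory above.
FIXED_LETTERS = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

_VERSION = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Extract (branch, patch letters) from e.g. 'OpenSSL 1.0.1g 7 Apr 2014' or '0.9.8za'."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return m.group(1), m.group(2)


def letter_key(letters):
    """OpenSSL patch letters run a..z, then za, zb, ...; a longer suffix always sorts higher."""
    return (len(letters), letters)


def is_fixed(text):
    """True if the version string is at or past the June 2014 fixed release for its branch."""
    branch, letters = parse_version(text)
    if branch not in FIXED_LETTERS:
        raise ValueError(f"branch {branch} is not in the advisory's upgrade list")
    return letter_key(letters) >= letter_key(FIXED_LETTERS[branch])


if __name__ == "__main__":
    import subprocess
    banner = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print(banner.strip(), "->", "fixed" if is_fixed(banner) else "needs upgrade")
```

Caveat: distributions such as Debian and Red Hat backport fixes without changing the upstream version string, so a 1.0.1e that looks unpatched here may already carry the fix; check the package changelog in that case. 1.0.2-beta1, which the advisory lists as affected, is not in the upgrade list above, so the check raises for that branch rather than returning a verdict.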

    While these OpenSSL vulnerabilities are different from the Heartbleed bug, which affected a number of websites and mobile applications, they also pose security risks to users. Web administrators are strongly advised to patch their systems with the latest security updates from OpenSSL to mitigate the risk of threats leveraging these vulnerabilities.

    We will update this entry for any developments on the OpenSSL vulnerabilities.

    Update as of 12:14 PM, June 6, 2014

    Trend Micro Deep Security protects users from these vulnerabilities via the following DPI rules:

    • 1006088 – OpenSSL SSL/TLS Man In The Middle Security Bypass Vulnerability
    • 1006090 – Detected Fragmented DTLS Request
    • 1006084 – GnuTLS “read_server_hello()” Memory Corruption Vulnerability

    Update as of 5:17 PM, June 6, 2014

    Note that the following DPI rule protects against SSL/TLS MITM vulnerability (CVE-2014-0224):

    • 1006088 – OpenSSL SSL/TLS Man In The Middle Security Bypass Vulnerability

    On the other hand, DPI rule “1006091 – Detected Fragmented DTLS Message” addresses the following vulnerabilities:

    • DTLS invalid fragment vulnerability (CVE-2014-0195)
    • DTLS recursion flaw (CVE-2014-0221)

    Users are also protected from CVE-2014-3466, a vulnerability in GnuTLS (not OpenSSL) that can allow denial of service or execution of arbitrary code when exploited, via this DPI rule:

    • 1006084 – GnuTLS “read_server_hello()” Memory Corruption Vulnerability

    Posted in Vulnerabilities | Security Advisory: Patch Systems with the Latest Security Updates from OpenSSL

    Targeted attacks are known to use zero-day exploits. However, old vulnerabilities are still frequently exploited. In fact, based on cases analyzed in the second half of 2013, the most exploited vulnerability in this time frame was CVE-2012-0158, a Microsoft Office vulnerability that was patched in April 2012. This shows how important applying the latest patches and security updates is in mitigating the risks posed by these threats.

    Figure 1. Most commonly exploited vulnerabilities related to targeted attacks

    Our findings (based on cases that we have analyzed) indicate that 80% of targeted attack-related incidents affect government institutions. This is followed by the IT sector (both hardware and software) and the financial services (banks).  In terms of countries affected, Taiwan and Japan are the two most hit by targeted attacks.

    In addition, we also monitor the locations of various IP addresses that accessed known C&C servers associated with targeted attacks. Our data show that Taiwan, Japan, and the United States were the most targeted countries.

    Figure 2. Countries with the most number of users who accessed C&C servers related to targeted attacks

    Tools of the Trade

    Nearly 60% of malware used in targeted attacks are Trojans or Trojan spyware. These types of malware steal user credentials that provide the gateway for threat actors to exploit other areas of a penetrated network. This is followed by backdoors (22%) employed to establish C&C communications and lead to the next stages of targeted attacks. It is also interesting to note that almost 10% of malware related to targeted attacks run only on 64-bit platforms.

    Figure 3. Distribution of 64-bit and non-64-bit malware

    Spear phishing is still the most common entry point for targeted attacks. These email messages use relevant-sounding subjects that trick users into opening them and the file attachments that serve as malware carriers. In our 2014 predictions, we noted that mobile devices will also be leveraged by threat actors to gain entry to networks.

    Custom Defense against Targeted Attacks

    Although targeted attacks are difficult to detect, the task is made easier by solutions with advanced threat detection technology that can detect, analyze, and respond to attacks that traditional signature-based antivirus and blacklisting cannot.

    Targeted attacks often leave traces that can serve as indicators of compromise. Enterprises and large organizations are therefore encouraged to build their own threat intelligence capability, which they can incorporate into their existing security solutions.
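As an added example of what incorporating indicators of compromise into existing solutions looks like in practice (this is not code from the report or from a Trend Micro product), the script below matches a constructed indicator set, with placeholder domains, an IP address and a file hash, against constructed proxy log lines, and then counts hits per internal client, the same per-source view used above for tracking access to C&C servers. Matching is by exact IP literal, by exact domain or subdomain (so a look-alike name that merely contains the indicator does not match), and by hash of a downloaded file. The log line format is an assumption for the example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed indicator set with placeholder values; not indicators from the report.
IOCS = {
    "domains": {"update-check.example.net", "cdn.example.org"},
    "ips": {"198.51.100.23"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed proxy log lines: timestamp, client IP, method, URL, status, optional hash of the fetched file.
SAMPLE_LOG = [
    "2013-11-05T09:12:44Z 10.1.2.3 GET http://www.update-check.example.net/ping 200",
    "2013-11-05T09:13:01Z 10.1.2.9 GET http://198.51.100.23:8080/s.gif 200",
    "2013-11-05T09:14:20Z 10.1.2.3 GET http://files.example.com/report.doc 200 "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2013-11-05T09:15:00Z 10.1.2.7 GET http://example.net.lookalike.test/ 200",
    "2013-11-05T09:16:30Z 10.1.2.5 GET http://intranet.corp.test/home 200",
]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})"
    r"(?: sha256=(?P<sha256>[0-9a-fA-F]{64}))?$"
)


def host_matches(host, domains, ips):
    """Match an IP literal exactly, or a domain by exact name or as a subdomain of an indicator."""
    host = host.lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host)) in ips
    except ValueError:
        pass  # not an IP literal; fall through to domain matching
    return any(host == d or host.endswith("." + d) for d in domains)


def scan(lines, iocs):
    """Return (timestamp, client, reason) for every log line that touches an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; a real deployment would count these separately
        host = urlsplit(m["url"]).hostname or ""
        reasons = []
        if host_matches(host, iocs["domains"], iocs["ips"]):
            reasons.append(f"host {host}")
        if m["sha256"] and m["sha256"].lower() in iocs["sha256"]:
            reasons.append(f"sha256 {m['sha256'][:12]}")
        if reasons:
            hits.append((m["ts"], m["src"], "; ".join(reasons)))
    return hits


def clients_by_hits(hits):
    """Count hits per internal client, the per-source view used when tracking C&C access."""
    return Counter(src for _, src, _ in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG, IOCS)
    for ts, src, why in found:
        print(ts, src, why)
    print(dict(clients_by_hits(found)))
```

In a real deployment the indicator set would come from the organization's threat intelligence feed and the log lines from the proxy or DNS logs already being collected; the matching rules are the part worth keeping, in particular the subdomain test, which keeps a single C&C domain indicator useful against the rotating hostnames attackers typically put in front of it.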

    For more details on the trends in targeted attacks in the second half of 2013, read the full report here.

    To get the latest news on targeted attacks, visit Threat Intelligence Resources – Targeted Attacks.

    Posted in Targeted Attacks | Targeted Attack Trends: A Look At 2H 2013


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice