Update5 – HackingTeam 0-day for Flash

Update5: Adobe has added a second vulnerability to APSA15-04, CVE-2015-5123, which Trend Micro found. PoC code is available but has not been integrated into exploit kits yet.

Update4: Adobe has acknowledged in APSA15-04 another 0-day for Flash originating in the data dump from HackingTeam. Security researcher Webdevil documents his finding in a tweet. Adobe credits Dhanesh Kizhakkian from FireEye, who documented the PoC found in the data dump and notified Adobe (first?). Adobe expects to address the vulnerability next week (during the normal Patch Tuesday, maybe?). According to @Kafeine, the vulnerability is already in use in the Angler Exploit Kit.

Update3: Adobe has released the patch for the HackingTeam 0-day, CVE-2015-5119. Beyond that vulnerability, the update APSB15-16 also addresses 42 other vulnerabilities, of which 27 can be used to reach remote code execution. Users of Google Chrome get their Flash update automatically, as do users of IE11, from Microsoft. Users of other browsers, i.e. Firefox, Opera and Safari, need to install the patch manually. Install as quickly as possible to neutralize the exploits that are already available in the major exploit kits.

In addition, Adobe has pre-announced a new version of Adobe Reader (APSB15-15) for next Tuesday that will address critical vulnerabilities as well.

Update2: Adobe acknowledged the bug in APSA15-03 and will make an update available on Wednesday, July 8th. Excellent, quick reaction. Google is credited for reporting the bug, now called CVE-2015-5119. Security researcher @kafeine reports that the Angler, Fiddler, Nuclear and Neutrino exploit kits have added CVE-2015-5119 to their lineup. Patch as quickly as possible, or think about adding EMET to your workstations.

Update: EMET 4.1 (the last available version for XP) in its default configuration takes care of the attack on Windows XP. EMET is a good additional security tool to install once you are fully patched. It monitors for certain attack patterns and neutralizes them: if the exploit uses any of the common ways to execute shellcode, EMET users have a good chance to get away unharmed.

Continue reading …

New Internet Explorer 0-day – Update2

Update2: MS14-021 has now been published. Note that, unlike a normal update, it is not cumulative (it only addresses this particular vulnerability, CVE-2014-1776, which is common for an out-of-band update such as this one), and it is recommended to install the latest cumulative update before applying MS14-021, i.e. MS14-018 for most versions of Windows, but MS14-012 for IE11 on Windows 7 and Windows 8.

While attacks continue to be targeted, we recommend installing this update as soon as possible, rather than waiting 2 weeks for the next Patch Tuesday.

Update: Microsoft will release an out-of-band patch for Internet Explorer later today, and it will include an update for Windows XP. Good news for users of the operating system that went EOL last month. Stay tuned for more news.

Original: Microsoft just published security advisory 2963983, which acknowledges limited exploits against a 0-day vulnerability in Internet Explorer (IE). The vulnerability, CVE-2014-1776, affects all versions of IE from version 6 up to and including version 11, but the currently active attacks are targeting IE9, IE10 and IE11. The attack vector is a malicious web page that the targeted user has to access with one of the affected browsers.

Continue reading …

Comparing Windows XP Usage by Country, Industry

Tomorrow marks the end of support for Windows XP by Microsoft. There are multiple reasons why we still see XP in use today: the cost of upgrading can be daunting and machines may run critical legacy apps dependent on XP. There is also a lack of awareness of the size and state of the XP device population. Lastly, there are governments and other large organizations who have chosen to buy extended support for the OS from Microsoft. 

Continue reading …

New 0-day out for Microsoft Word – Update2

Update2: McAfee published an analysis of an exploit for CVE-2014-1761. Very interesting and eye-opening, as everything is controlled through the RTF document itself:

  • The attackers use a listoverridecount value of 25, which is outside the values 0, 1 or 9 specified in the standard. This confuses the RTF handler in Word and makes it possible to control the content of the processor's program counter.
  • This gives the attacker the basis for arbitrary code execution. In this case the attackers are able to point the program counter to machine code that is included in the document itself, which makes the exploit very self-contained: no additional setup files are needed.
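As an added illustration of the malformation described in the first bullet (this is example code, not part of the McAfee analysis or the original post), a small Python scanner that looks for listoverridecount parameters outside the specified values 0, 1 or 9 in RTF input. The two sample documents are constructed for the demonstration.

```python
"""Flag RTF input whose \\listoverridecount parameter is outside the
values the RTF specification allows (0, 1 or 9), the malformation McAfee
observed in CVE-2014-1761 exploits. The sample documents are constructed."""
import re

# An RTF control word is a backslash, ASCII letters and an optional signed
# decimal parameter, terminated by any non-digit (space, brace, next control word).
LISTOVERRIDECOUNT_RE = re.compile(rb"\\listoverridecount(-?\d+)")
SPEC_VALUES = {0, 1, 9}  # the only values the RTF specification defines


def listoverridecount_values(rtf: bytes) -> list[int]:
    """All \\listoverridecount parameters present in the document, in order."""
    return [int(m.group(1)) for m in LISTOVERRIDECOUNT_RE.finditer(rtf)]


def scan_rtf(rtf: bytes) -> dict:
    """Verdict: does the input look like RTF, and which out-of-spec values occur."""
    is_rtf = rtf.lstrip().startswith(b"{\\rtf")
    bad = [v for v in listoverridecount_values(rtf) if v not in SPEC_VALUES]
    return {"is_rtf": is_rtf, "out_of_spec": bad, "suspicious": is_rtf and bool(bad)}


# Constructed samples: a minimal benign document and one carrying the value 25.
BENIGN_RTF = (
    rb"{\rtf1\ansi{\*\listtable{\list\listid1{\listlevel\levelnfc0\leveltext{\'01.;}}}}"
    rb"{\*\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}}"
    rb"\pard Hello, world.\par}"
)
MALFORMED_RTF = (
    rb"{\rtf1\ansi{\*\listtable{\list\listid1{\listlevel\levelnfc0\leveltext{\'01.;}}}}"
    rb"{\*\listoverridetable{\listoverride\listid1\listoverridecount25\ls1}}"
    rb"\pard Hello, world.\par}"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("malformed", MALFORMED_RTF)):
        print(name, scan_rtf(doc))
```

The check is a cheap triage signal for mail gateways or file scanners, not a replacement for the patch or the Fix it.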

Conclusion: Patch this as quickly as possible, i.e. next Tuesday. The attacks are real and happening now. The exploit does not look that hard to replicate with the information provided. Beyond patching, it makes sense to disable the opening of RTF files anyway, which is what the Fix it in KB2953095 does. It certainly looks as if there is more potential for this type of vulnerability to be found with relatively little investment in file fuzzing. See Charlie Miller's presentation on "dumb fuzzing" for some initial reading.

Continue reading …

New Internet Explorer 0-day out in the Wild – Update

Update 2: Microsoft just published KB2934088, which acknowledges the vulnerability in Internet Explorer 9 and 10 and provides a Fix it that uses the MSHTML shim mechanism to patch Internet Explorer. The MSHTML shim was originally developed for application compatibility, but has been used successfully for a number of security problems in the past year. Microsoft has a post on their SRD blog that explains the vulnerable versions, plus the defensive options available.

Update: It seems both Internet Explorer 9 and 10 are affected. That equates to a large share of all users, just over 30 %. Implementing EMET makes a lot of sense, since it deflects this attack and also countered last year's known 0-days of this type.

Original: On Patch Tuesday, when Microsoft released new versions of Internet Explorer (6-11) addressing 24 vulnerabilities, FireEye detected a previously unknown attack on IE10 at the website of the Veterans of Foreign Wars. The attack uses an Adobe Flash object to set up the environment for the rest of the exploit. Currently this 0-day vulnerability (CVE-2014-0322) only applies to Internet Explorer 10; other versions are not affected. EMET, as many times during the IE 0-days of last year, is also successful in preventing the exploit from running, but this time because the exploit actually checks for EMET's presence and aborts if it is found.

Stay tuned for more updates.

November 2013 Patch Tuesday Preview

Microsoft has announced that next week’s November 2013 Patch Tuesday will have eight security bulletins covering both the Windows operating system and Microsoft Office software. In addition, we have a high priority item with the current 0-day vulnerability in a graphics library that is used by Microsoft Office and older versions of Windows, with no patch available so far, but a relatively low impact workaround.

Continue reading …

September 2013 – New IE 0-day – Update

Update 3: A Metasploit module has been posted for this vulnerability. It is currently limited to Windows 7 and IE9, but as Wei Chen points out in his post on the Rapid7 community site, all versions of IE are affected. FireEye has also detected three more groups that have started to use CVE-2013-3893 in their attacks and provides more insight in their blog post. Installing the Fix-It that Microsoft has provided in their KB2887505 article is now even more important.

Update 2: FireEye has posted more technical information on the exploits and their geographical distribution. They believe the first attacks were registered on August 19th. They also identified the group that is running the exploit campaign as the same one that attacked Bit9 some time ago, because the same e-mail address was used to register the C&C domains in both cases.

Update: Microsoft has published a post on the SRD blog that provides technical background information on the exploit. They also point out that the Enhanced Mitigation Experience Toolkit (EMET) prevents the exploit, as it has in multiple cases in the past already, for example MS13-038 and MS13-008, previous 0-days for Internet Explorer addressed in May and January of this year respectively. EMET should be high on your list of additional security tools to deploy.

BTW, QualysGuard detects this vulnerability as QID 100164.

Original: Microsoft just issued security advisory KB2887505 to address an actively exploited vulnerability in Internet Explorer (IE). The KB provides a Fix-It solution that uses the appcompat shim to patch mshtml.dll. The current cases are targeting only Windows XP and Windows 7 running IE8 and IE9, but other versions are also affected by the vulnerability.

Continue reading …

Defense for the 0-Day in IE8

Microsoft is currently dealing with an exploit (KB2847140) for a 0-day vulnerability in Internet Explorer (IE). Machines attacked by this exploit yield full control to the attacker and allow him to install more advanced malware, such as the well-known RAT Poison Ivy. The exploit was first discovered last Wednesday on a website of the Department of Labor specialized in nuclear technology. It has since spread to other websites and is now also available in Metasploit. The exploit works only against IE version 8 (IE8), which limits the exposure to about 42% of all systems, according to the last count from our BrowserCheck service.

IE8 is the latest version available on Windows XP, and was also the original version installed on Windows 7. This explains the rather high numbers that we are seeing for this older browser. Windows 7 users have access to IE9, which is not affected by this attack and has a much better security architecture. Upgrading to IE9 is a straightforward way to defend against the attack.

Continue reading …

April 2013 Patch Tuesday

April has turned out to be a rather slow month for Patch Tuesday. There are nine bulletins addressing a total of 13 vulnerabilities, but only two of the bulletins are rated “critical,” a category that means an attacker can get control over the targeted machine. The remaining bulletins are all rated “important,” in large part because they require the attacker to have access to the targeted machine in order to exploit the flaws.

Continue reading …