Software

Microsoft Updates October 2013

Microsoft’s 2013 Treehouse of Horror Bulletins include a long list of fixes for memory corruption vulnerabilities effecting mostly previous versions of the software, and not the latest versions. Of immediate interest to most Windows users are the critical vulnerabilities being patched in Internet Explorer, multiple Windows drivers, and the .Net Framework which even effects the latest versions of Windows 8 and Windows Server 2012. Systems administrators at organizations also may pay immediate attention to the critical vulnerabilities in the Windows Common Control Library patched by MS13-083, which enables server side ASP.NET webapp exploitation on 64 bit systems. MS13-080 through MS13-087 include four Bulletins rated critical and four Bulletins rated Important addressing 26 vulnerabilities.

208214089

Much of the list of ghoulish October Bulletins appears to be similar to September’s list, but the news of note this month is that the Internet Explorer vulnerabilities CVE-2013-3893 and CVE-2013-3897 are being exploited as a part of targeted attacks. We have been monitoring the situation in Japan and southeastern asia, where attackers have been using exploits that succesfully pop Internet Explorer versions 8 and 9.

It’s somewhat surprising that the Office vulnerabilities effecting Office 2003 and 2007 are only being rated “important” this month being patched with MS13-084, MS13-085, and MS13-086, considering that Microsoft Excel and Word have been leading vectors of spearphishing attacks for the past year or so. The vulnerabilities enable remote code execution on systems where the user is duped into opening the attachment.

Interesting and unusual is this month’s Windows Common Control Library vulnerability effecting only x64 ASP.NET web applications. Attackers may send a pre-authentication web request to web applications attacking integer overflow vulnerability CVE-2013-3195 enabling remote code execution. System admins following best practices may end up with process running on their web servers with local user rights.

Full ghastly October Bulletin details on Microsoft’s site here. Microsoft’s Update software is a convenient and easy way to update your system software every month. If you are running Microsoft software, please go ahead and do so now.208193615

Microsoft Updates October 2013

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox