Patch Tuesday

Today Microsoft released 2 bulletins addressing 8 vulnerabilities affecting Windows and Microsoft Office products. Both of the bulletins are rated important meaning some users interaction is needed to exploit the vulnerability and allow remote code execution. One thing that this month’s updates have in common is that they both are addressing issues that require some social engineering and there are no network based attack vectors. However neither one is addressing Advisory 981169 the vulnerability in VBScript pertaining to IE. This is where a user visiting a specially crafted webpage will be presented with a popup asking to press the F1 key to become infected.

MS10-016 affects Windows XP SP2, SP3, Vista SP1, SP2 and Windows 7 32 and 64bit versions. It addresses a vulnerability in movie maker versions 2.1 and 6.0 that ships with both in XP and Windows Vista. Version 2.6 is also vulnerable and can be freely downloaded and installed from the web. For users who have version 2.6 installed on a supported versions of Windows including 7, you will be offered the update. However Movie Maker 2.6 is optional on Windows 7 so if you don’t have this installed you are not affected and don’t need the bulletin. For those users who do have it installed, to become infected users would need to open a specially crafted Movie Maker project file.

MS10-016 also affects Microsoft Producer 2003. This is a free download but has what Microsoft calls a “limited distribution” so they are not currently offering an update to resolve the issue.

This seems a little odd to me. I mean no matter how “limited” why would you not want to fix the issue. Not only is it a bug in your software but it leaves users vulnerable and isn’t that what we are trying to prevent? With that said a current workaround is to disassociate the project file type from the application. This isn’t a complete fix but Microsoft says it adds an extra layer of security.

MS10-017 is addressing issues in multiple versions of Microsoft Office for both Windows and Mac. On the Windows platform the versions affected are Office XP, 2003 and 2007 along with supported versions of Excel viewer and SharePoint 2007. The Mac versions affected are 2004, 2008 and open XML file format converter for the Mac. To take advantage of this exploit there will need to be some user interaction by opening a specially crafted file.

As always I suggest downloading and installing the bulletins at your earliest convenience.

Patch Tuesday

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox