
Patch Tuesday October 2012 – More Microsoft Word Spearphish Risks

Today’s Microsoft updates include a few fixes for remote code execution and several fixes for elevation of privilege and denial of service flaws. The priority for both home users and corporate customers running Windows and Office is to roll out MS12-064, affecting Microsoft Office, immediately. This bulletin patches CVE-2012-2528 and CVE-2012-0182, and -2528 will predictably be attacked with more malformed RTF-formatted documents. Files of this sort have been delivered with a .doc extension before, previously exploiting CVE-2012-0158, which was heavily exploited via spearphish in a large variety of serious targeted attacks this summer. Accordingly, expect to see this new vulnerability exploited with spearphish from the APT as well. Another vulnerability in Word is being patched, but it is comparatively difficult to exploit reliably.
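The pattern the post describes is an RTF document shipped under a .doc extension, which Word opens by sniffing the content rather than trusting the name. A defender can do the same at the mail gateway or in a triage script: compare the leading bytes of each attachment with what its extension claims. The following is an added example written for this page, not Securelist or Microsoft code; the magic numbers are the published ones for OLE2, Office Open XML (zip) and RTF, and the sample attachments are constructed.

```python
"""Flag Office attachments whose bytes disagree with their extension,
e.g. an RTF file named something.doc. Added example, not from the original post."""
import os

RTF_MAGIC = b"{\\rtf"                             # RTF files begin with {\rtf
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")     # OLE2 compound file (legacy .doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                         # Office Open XML (.docx etc.) is a zip

# Which container format(s) each policed extension is expected to carry.
EXPECTED = {
    ".doc": {"ole2"},
    ".dot": {"ole2"},
    ".docx": {"ooxml"},
    ".rtf": {"rtf"},
}


def sniff_format(data: bytes) -> str:
    """Return the container format implied by the first bytes of the file."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    # RTF readers tolerate leading whitespace, so strip it before matching.
    if data.lstrip()[:len(RTF_MAGIC)].lower() == RTF_MAGIC:
        return "rtf"
    return "unknown"


def mismatch(name: str, data: bytes):
    """Return a finding string when content and extension disagree, else None."""
    ext = os.path.splitext(name.lower())[1]
    allowed = EXPECTED.get(ext)
    if allowed is None:
        return None          # not an extension this check polices
    fmt = sniff_format(data)
    if fmt in allowed:
        return None
    return f"{name}: extension {ext} but content is {fmt}"


def triage(attachments):
    """attachments: iterable of (filename, bytes). Returns the list of findings."""
    return [r for name, data in attachments if (r := mismatch(name, data))]


# Constructed sample attachments (not real malware): only the headers matter here.
SAMPLE_ATTACHMENTS = [
    ("quarterly_report.doc", OLE_MAGIC + b"\x00" * 24),  # genuine legacy Word file
    ("invitation.doc", b"{\\rtf1\\ansi Hello}"),         # RTF wearing a .doc extension
    ("agenda.docx", ZIP_MAGIC + b"\x14\x00"),            # genuine OOXML file
    ("notes.rtf", b"  {\\rtf1 x}"),                      # RTF, correctly named, leading spaces
    ("photo.png", b"\x89PNG"),                           # not policed
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ATTACHMENTS):
        print(finding)   # prints: invitation.doc: extension .doc but content is rtf
```

The check is deliberately narrow: it does not decide whether an RTF file is malicious, only that its name lies about its format, which is the cheap, high-signal cue for the delivery pattern above. Files that fail it are candidates for quarantine or sandbox detonation; files that pass still need the patch applied.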

Microsoft is also releasing a bulletin for a vulnerability in Microsoft Works. The flaw is a heap overflow, but it is a much lower priority because of the difficulty of building a reliable exploit for it.

Another notable problem, though nowhere near as serious, lies within Microsoft SharePoint, InfoPath, and the Microsoft Office Web Apps service. A person could craft malicious content and send it to a user, supplying just enough data to elevate their privileges to admin on the system.

Depending on your environment, you may want to look into the other handful of patches immediately as well. Microsoft presents October’s MS SQL, Kerberos, and Kernel bulletins here.
