Vulnerabilities and exploits

As promised in Microsoft’s July Advance Notification, Microsoft ships seven security bulletins this month (MS13-052 – MS13-058). At least 34 CVE are being patched. Six of the Security Bulletins are rated “critical” due to remote code execution issues. The vulnerabilities being fixed this month enable RCE across all versions of Windows operating systems, but most of these serious flaws have all been privately reported and there is no indication that they are publicly known or exploited yet. Some however, are publicly known and drew attention from a number of exploit developers. The kernel mode vulnerability, CVE-2013-3172 is publicly known, along with another kernel mode bug publicly disclosed by Tavis Ormandy in May. Unfortunately, an exploit abusing that vulnerability was touched up by another contributor and then already integrated into metasploit for public distribution and use. It’s also interesting that the update for the kernel mode TrueType Font Parsing CVE-2013-3129 bug effects code paths in seven different software packages (Office, Lync, Visual Studio, .NET, Silverlight, and “Windows components”) updated separately by Security Bulletins MS13-052, MS13-053, and MS13-054.

Over the last few years, we have been monitoring a cyber-espionage campaign that has successfully compromised more than 350 high profile victims in 40 countries. The main tool used by the threat actors during these attacks is NetTraveler, a malicious program used for covert computer surveillance

According to KSN data, Kaspersky Lab products detected and neutralized 1 345 570 352 threats in Q1 2013.

Microsoft released a long list of updates for Microsoft software today. The most interesting appear to be those patching Internet Explorer and the kernel software vulnerabilities. In all, ten critical “use-after-free” vulnerabilities are patched in IE along with one important Information Disclosure vulnerability, and three elevation of privilege vulnerabilities are being patched as well. Almost

The experience of many information security officers shows that only a small portion of security incidents take place as a result of meticulously planned and sophisticated targeted attacks, while most incidents are due to a lack of effective security and control measures.

While researching PlugX propagation with the use of Java exploits we stumbled upon one compromised site that hosted and pushed a malicious Java applet exploiting the CVE 2013-0422 vulnerability. The very malicious Java application was detected heuristically with generic verdict for that vulnerability and it would have been hardly possible to spot that particular site

A new-ish Flash exploit is on the loose for attack around the web. This time, the attackers have compromised a caregiver site providing support for Tibetan refugee children and are spreading malware signed with Winnti stolen certificates with Flash exploits.

Microsoft released two Bulletins this month patching 3 critical vulnerabilities. Along with these immediate issues, they released five other Bulletins rated “Important”. It appears that the two critical Bulletins address use-after-free vulnerabilities that can all be attacked through Internet Explorer. For the Windows workstation environments, all versions of Internet Explorer need to be patched asap,

Microsoft released two Bulletins this month patching 3 critical vulnerabilities. Along with these immediate issues, they released five other rated “Important”. It appears that the two Bulletins address use-after-free vulnerabilities that can all be attacked through Internet Explorer.

On March 4th we spotted a large number of unusual emails being blocked by our Linux Mail Security product.

Microsoft releases nine March Security Bulletins. Four of the Bulletins are rated critical, but of the 20 vulnerabilities being patched, 12 are rated critical and enable remote code execution and elevation of privilege. Microsoft software being patched with critical priority include Internet Explorer, Silverlight, Visio Viewer, and SharePoint. So, pretty much every consumer running Windows, and lots of Microsoft shops, should be diligently patching systems today.

Together with our partner CrySyS Lab, we’ve discovered two new, previously-unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim’s PC. While inspecting one of the C&C servers of Miniduke, we have found files that were not related to the C&C code, but seemed to be

This is the topic that cybercriminals are speculating about and using as a hook to infect victims. The campaign is based on the Blackhole v2.0

New Adobe PDFs exploiting CVE-2013-0640 drop sophisticated malware known as “MiniDuke”.

We’ve recently experienced yet another case of a root certificate authority (CA from now on) losing control of its own certificates. And yet again, we have been waiting for either the CA or the browser to do something about it. This whole mess stems, once again, from both a governance and a technical problem. First,