Zero-day Vulnerability Database

Zero-day vulnerabilities discovered: 365

Backdoor in NetSarang software

Backdoor

The vulnerability allows a remote attacker to gain complete control over the affected system.

The weakness exists due to backdoor functionality in the nssock2.dll library shipped with the software. After installation, the ShadowPad backdoor activates itself by sending a DNS TXT query for a specific domain. After successful activation, a remote attacker can gain full access to the affected system.

The backdoor can connect to a malicious C&C server and execute commands sent by the attackers.

The backdoor was discovered on August 4, 2017 by Kaspersky Lab researchers.

Backdoor code was detected in NetSarang software on August 4, 2017. The next day, August 5, the developer released an update to resolve the issue. As of August 15, there is evidence that the backdoor had been activated on one system in Hong Kong.

The malicious code was delivered to the vendor's clients by compromising the software update mechanism. The backdoor was included in updates issued on July 18, 2017.

Software: Xftp, Xshell, Xmanager, Xmanager Enterprise

Known/famous malware:

ShadowPad backdoor

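The activation step above (a DNS TXT query to a specific domain) is something a defender can hunt for in resolver or passive-DNS logs. The script below is an added example, not code from the page, NetSarang or Kaspersky Lab. It assumes a Zeek-style tab-separated DNS log (timestamp, source IP, query, query type); the log lines, the allowlist and the domains are constructed for the example and name no real ShadowPad infrastructure, and the heuristic that a beacon encodes data in a long, high-entropy leftmost label is this example's assumption, not a statement from the page.

```python
"""Hunt for ShadowPad-style DNS TXT activation beacons in DNS query logs.

Added example, not code from the page, NetSarang or Kaspersky Lab. Assumes a
Zeek-like dns.log with tab-separated fields (ts, source IP, query, qtype); the
log lines and domains below are constructed and contain no real ShadowPad
infrastructure. The long/high-entropy-label heuristic is an assumption.
"""
import math
from collections import Counter

# Domains that legitimately receive TXT queries on this network (constructed allowlist).
TXT_ALLOWLIST = {"example.com", "_dmarc.example.com", "_spf.example.com"}

# Constructed sample log: ts <TAB> src <TAB> query <TAB> qtype
SAMPLE_DNS_LOG = """\
1501900000.1\t10.0.0.5\t_dmarc.example.com\tTXT
1501900001.2\t10.0.0.5\twww.example.com\tA
1501900002.3\t10.0.0.7\texample.org\tTXT
1501900003.4\t10.0.0.9\tgwqbhjmhvwhtxkfnamfxquxg2f.example-beacon.test\tTXT
1501900004.5\t10.0.0.9\tupdate.example-vendor.test\tA
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = Counter(label)
    total = len(label)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def parse_dns_log(text: str):
    """Yield one record per non-comment line; tolerate a trailing dot on the query."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, query, qtype = line.split("\t")
        yield {"ts": float(ts), "src": src,
               "query": query.lower().rstrip("."), "qtype": qtype.upper()}


def is_suspicious_txt(rec: dict, min_label_len: int = 16, min_entropy: float = 3.0) -> bool:
    """TXT query to a non-allowlisted name whose leftmost label looks machine-generated."""
    if rec["qtype"] != "TXT" or rec["query"] in TXT_ALLOWLIST:
        return False
    leftmost = rec["query"].split(".")[0]
    # Assumption: a beacon carries encoded data in the leftmost label, so that label is
    # long and high-entropy, unlike the short, dictionary-like labels of SPF/DMARC lookups.
    return len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy


def hunt_txt_beacons(log_text: str):
    """Return (source IP, queried name) pairs worth a closer look, in log order."""
    return [(r["src"], r["query"]) for r in parse_dns_log(log_text) if is_suspicious_txt(r)]


if __name__ == "__main__":
    for src, name in hunt_txt_beacons(SAMPLE_DNS_LOG):
        print(f"suspicious TXT query from {src}: {name}")
```

Tune the allowlist and thresholds to the network: mail-security products and CDN tooling issue legitimate TXT queries, and a beacon that uses a short label would slip under the length gate, so treat a hit as a lead to correlate with the querying host's installed software, not as a verdict.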

Privilege escalation in Linux kernel
CVE-2017-7533

Race condition

The vulnerability allows a local user to execute arbitrary code with escalated privileges.

The vulnerability exists due to a race condition in the fsnotify implementation in the Linux kernel through 4.12.4. A local user can run a specially crafted application that triggers concurrent execution of the inotify_handle_event() and vfs_rename() functions, corrupt kernel memory, and cause a denial of service or execute arbitrary code on the target system with root privileges.

Successful exploitation of this vulnerability may allow a local user to obtain elevated privileges on the system.

Note: this vulnerability was reported as being actively exploited in the wild against 32-bit systems in August 2017.

Software: Linux kernel

Backdoor in Web Developer Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to the victim's browser.

The vulnerability exists due to the presence of backdoor code in Web Developer Google Chrome extension 0.4.9, distributed via the Chrome Web Store.

The browser extension was hijacked and the backdoored version was published on the Chrome Web Store.

Software: Web Developer (Chrome extension)


Backdoor in Copyfish Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to the victim's browser.

The vulnerability exists due to the presence of backdoor code in Copyfish Google Chrome extension 2.8.5, distributed via the Chrome Web Store.

The browser extension was hijacked and the backdoored version was published on the Chrome Web Store.

Software: Copyfish (Chrome extension)


Backdoor in Social Fixer Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to the victim's browser.

The vulnerability exists due to the presence of backdoor code in Social Fixer Google Chrome extension 20.1.1, distributed via the Chrome Web Store.

The browser extension was hijacked on July 3, 2017 and a backdoored build was distributed via the Chrome Web Store. The attackers published a non-existent version 20.1.1 of the extension.

Software: Social Fixer (Chrome extension)


Multiple vulnerabilities in Drupal
CVE-2017-6922

Security restrictions bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to insufficient file protection. A remote attacker can bypass access restrictions and view private files that have been uploaded by an anonymous user but not permanently attached to content on the site.

Successful exploitation of the vulnerability may result in access bypass.

Note: the vulnerability was being actively exploited for spam purposes.

There are confirmed reports that this vulnerability has been exploited in spam campaigns. The attackers created accounts and uploaded files containing spam links to advertise or influence SEO rankings.

Software: Drupal


Backdoor in Chrometana Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to the victim's browser.

The vulnerability exists due to the presence of backdoor code in Chrometana Google Chrome extension 1.1.3, distributed via the Chrome Web Store.

The browser extension was hijacked on the Chrome Web Store. The malicious update included alert10.js, a script that opens popups claiming the computer is infected with a virus.

Software: Chrometana (Chrome extension)


Remote code execution when processing .LNK files in Microsoft Windows
CVE-2017-8464

Improper input validation

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to an error when processing .LNK files. A remote attacker can create a specially crafted .LNK file, present it to the victim (for example on a removable drive or a network share that the system displays), and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Note: the vulnerability is being actively exploited in the wild.

Software: Windows

Remote code execution in Windows Search service
CVE-2017-8543

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when Windows Search handles objects in memory. A remote unauthenticated attacker can send specially crafted messages to the Windows Search service and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

Software: Windows

Backdoor in Infinity New Tab Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to the victim's browser.

The vulnerability exists due to the presence of backdoor code in Infinity New Tab Google Chrome extension 3.12.3, distributed via the Chrome Web Store.

The browser extension was hijacked on the Chrome Web Store. The injected script displayed an advertisement via the alert10.js script, telling victims that their PC had been infected with malware and urging them to purchase fake antivirus software.

Software: Infinity New Tab (Chrome extension)


Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0222

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Note: the vulnerability is being actively exploited.

Software: Microsoft Internet Explorer

Multiple vulnerabilities in Win32k.sys in Microsoft Windows
CVE-2017-0263

Elevation of privilege

The vulnerability allows a local user to elevate privileges on the system.

The vulnerability exists due to improper handling of objects in memory in the Win32k.sys kernel-mode driver. A local user can run a specially crafted application and escalate privileges on the system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability is being actively exploited.

The vulnerability was used by the APT28 group together with another zero-day, CVE-2017-0262.

Software: Windows

Known/famous malware:

GAMEFISH


Two remote code execution vulnerabilities when processing EPS files in Microsoft Office
CVE-2017-0262

Type confusion

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing EPS files within Microsoft Office documents. A remote unauthenticated attacker can create a specially crafted document, trick the victim into opening it and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

The vulnerability was used by the APT28 group together with another zero-day, CVE-2017-0263.

Software: Microsoft Office

Known/famous malware:

GAMEFISH


Remote code execution in QNAP QTS

Improper access control

The vulnerability allows a remote attacker to compromise the vulnerable device.

The vulnerability exists due to an unknown error that leads to QNAP device compromise. Vulnerability details have not been disclosed yet.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable device.

Note: the vulnerability is being actively exploited in the wild.

QNAP reported a security issue involving unauthorized access to QNAP devices. Several QNAP NAS devices running QTS have been found running injected XMR (Monero) mining programs, specifically from mineXMR.com.

Software: QNAP QTS


Remote command injection in Ghostscript
CVE-2017-8291

Type confusion

The vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on a targeted system.

The weakness exists due to a type confusion error when processing user-supplied parameters passed to the .rsdparams and .eqproc operators in Ghostscript. A remote attacker can submit a specially crafted .eps document, bypass the -dSAFER sandbox and execute code in the context of the Ghostscript process.

Successful exploitation of the vulnerability may result in system compromise.

Note: this vulnerability is being exploited in the wild.

Software: Ghostscript

Remote code execution in IMAP server in IBM Lotus Domino
CVE-2017-1274

Stack-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing mailbox names in the EXAMINE IMAP command. A remote authenticated attacker can send an EXAMINE IMAP command containing an overly long mailbox name, trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak.

The list of affected products, according to software vendor:

  • IBM Domino 9.0.1 through 9.0.1 Feature Pack 8 Interim Fix 1
  • IBM Domino 9.0 through 9.0 Interim Fix 7
  • IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 16
  • IBM Domino 8.5.2 through 8.5.2 Fix Pack 4
  • IBM Domino 8.5.1 through 8.5.1 Fix Pack 5

The exploit code was disclosed by the Shadow Brokers leak.

Software: IBM Domino

Known/famous malware:

EMPHASISMINE exploit


Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0210

Cross-domain scripting

The vulnerability allows a remote attacker to perform cross-domain scripting attacks.

The vulnerability is caused by improper enforcement of cross-domain policies. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of another domain.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: this vulnerability is being exploited in the wild.

Software: Microsoft Internet Explorer

Two remote code execution vulnerabilities when processing EPS files in Microsoft Office
CVE-2017-0261

Use-after-free

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing EPS images within Microsoft Office files. A remote attacker can create a specially crafted Office file with malicious EPS image, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

The vulnerability was used by Turla and an unknown financially motivated actor.

Software: Microsoft Office

Known/famous malware:

SHIRIME
NETWIRE


Remote code execution in Microsoft Office
CVE-2017-0199

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when parsing specially crafted files. A remote unauthenticated attacker can create a specially crafted Word or RTF document, trick the victim into opening it and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may result in compromise of the vulnerable system.

Note: the vulnerability is being actively exploited.

The detected samples are organized as Word files carrying Dridex botnet ID 7500 (more specifically, RTF files with a ".doc" extension). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack dates to late January, according to McAfee.

According to FireEye, the malware leveraging this vulnerability was used to target Russian-speaking victims. As early as January 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the "Donetsk People's Republic" exploited CVE-2017-0199 to deliver FINSPY payloads.

This vulnerability was also used by the Petya.A ransomware as one of the attack vectors in the malware outbreak on June 27, 2017.

Software: Microsoft Office

Known/famous malware:

Malware.Binary.Rtf
Dridex botnet
FINSPY
LATENTBOT
Petya.A

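A triage check for the lure style described above (RTF content delivered under a .doc extension and carrying an embedded OLE object). The Python below is an added example, not code from the page, Microsoft, McAfee or FireEye. The document bytes are constructed here and contain no exploit, and treating the \objupdate control word as an indicator of an object that loads automatically on open is this example's assumption, not a statement from the page.

```python
"""Triage documents for the CVE-2017-0199 lure pattern: RTF bytes under a .doc name,
carrying an embedded OLE object.

Added example, not code from the page, Microsoft, McAfee or FireEye. The sample
documents are constructed and contain no exploit. Treating \\objupdate as an
auto-trigger indicator is this example's assumption.
"""
import re

RTF_MAGIC = b"{\\rtf"
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # binary .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                             # .docx (OOXML, a zip container)


def sniff_format(data: bytes) -> str:
    """Identify the container by magic bytes, ignoring the file name entirely."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_CFB_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def rtf_object_indicators(data: bytes) -> dict:
    """Look for RTF control words that embed an OLE object.

    \\objdata carries the hex-encoded object; \\objupdate asks Word to refresh the
    object when the document opens, i.e. without any click (assumed indicator).
    Control words end at the first non-letter, so a word boundary is enough.
    """
    return {
        "object": re.search(rb"\\object\b", data) is not None,
        "objdata": re.search(rb"\\objdata\b", data) is not None,
        "objupdate": re.search(rb"\\objupdate\b", data) is not None,
    }


def triage(filename: str, data: bytes) -> dict:
    """Return the sniffed format, the claimed extension and a list of findings."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = sniff_format(data)
    findings = []
    if fmt == "rtf" and ext in ("doc", "dot"):
        findings.append("rtf-masquerading-as-doc")
    ind = rtf_object_indicators(data) if fmt == "rtf" else {}
    if ind.get("objdata"):
        findings.append("embedded-ole-object")
    if ind.get("objupdate"):
        findings.append("auto-update-ole-object")
    return {"format": fmt, "extension": ext, "findings": findings}


# Constructed samples (no exploit content; the objdata hex is just a CFB header).
BENIGN_RTF = b"{\\rtf1\\ansi Hello world}"
LURE_DOC = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw100\\objh100"
            b"{\\*\\objdata d0cf11e0a1b11ae100}}}")
REAL_DOC = OLE_CFB_MAGIC + b"\x00" * 24

if __name__ == "__main__":
    for name, blob in (("notes.rtf", BENIGN_RTF), ("invoice.doc", LURE_DOC), ("report.doc", REAL_DOC)):
        print(name, triage(name, blob))
```

Word opens a file by content, not by extension, which is why the extension mismatch alone is a strong signal at a mail gateway; the object indicators narrow it further but will also fire on legitimate documents with linked spreadsheets, so route hits to sandbox detonation rather than blocking outright.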

Remote code execution in Cluster Management Protocol in Cisco IOS and IOS XE
CVE-2017-3881

Improper input validation

The vulnerability allows a remote attacker to gain access to the vulnerable device.

The vulnerability exists due to improper input validation in the Cisco Cluster Management Protocol (CMP) implementation and a failure to restrict the use of CMP-specific Telnet options to internal, local communications between cluster members. A remote unauthenticated attacker can send specially crafted CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections, and cause the affected device to reload or obtain full control over the vulnerable device.

Successful exploitation of this vulnerability may allow an attacker to gain full access to vulnerable device.

Note: information about this vulnerability was publicly disclosed by WikiLeaks documents dubbed CIA Vault 7.

The vulnerability was disclosed by WikiLeaks in documents dubbed CIA Vault 7. It is believed that this vulnerability was used by CIA agents to penetrate government and corporate networks.

Software: Cisco IOS, Cisco IOS XE


Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0149

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when accessing objects in memory. A remote unauthenticated attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

Software: Microsoft Internet Explorer

Information disclosure in Microsoft XML Core Services
CVE-2017-0022

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to improper handling of objects in memory by Microsoft XML Core Services (MSXML). A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it and test for the presence of files on disk.

Successful exploitation of this vulnerability results in information disclosure.

Note: the vulnerability was being actively exploited.

This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit. The vulnerability was reported to Microsoft in September 2016. The first malware sample, discovered in the wild, is connected with AdGholas campaign in July 2016. The exploit came back again in September 2016 with the Neutrino exploit kit.

Software: Microsoft XML Core Services

Known/famous malware:

Neutrino exploit kit


Multiple vulnerabilities in Microsoft Windows
CVE-2017-0005

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper handling of objects in memory by Windows Graphics Device Interface (GDI). A local attacker can run a specially crafted application, gain elevated privileges and execute arbitrary code on the affected system.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was used by the Zirconium cyber-espionage group against older versions of Windows.

Software: Windows


Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0143

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

On April 14, 2017 the Shadow Brokers group made the exploit pack publicly available. The exploits are believed to have been stolen from the NSA.

It is unclear which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.

On May 12, 2017 the WannaCry campaign hit over 100,000 organizations in 150 countries. The attackers encrypted files on the target systems and demanded $300-600 in ransom.

Software: Windows

Known/famous malware:

WannaCry (Wana Decryptor) ransomware (the attackers added the .WCRY extension to the target files). The malware is believed to be connected to the Lazarus Group from North Korea.
EternalBlue exploit.

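All of the MS17-010 entries above concern the SMBv1 server, so the first question a practitioner usually asks is whether SMBv1 negotiation is still happening on the network at all. The Python below is an added example, not code from the page, Microsoft or the leaked toolkit: it parses an SMB1 Negotiate Protocol request out of a NetBIOS session message and classifies the dialects the client offered. The packets are constructed inside the block (a builder is included for that purpose), not captured traffic, and the block sends nothing on the network.

```python
"""Flag SMBv1 dialect negotiation on the wire, the protocol the MS17-010 exploits
above operate over.

Added example, not code from the page, Microsoft or the leaked toolkit. The packet
bytes are constructed here for the example; nothing is sent on the network.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def parse_netbios_session(data: bytes) -> bytes:
    """Strip the NetBIOS Session Service header: 1 byte type (0x00 = session
    message) and a 3-byte big-endian length, then return the SMB payload."""
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(data[1:4], "big")
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated NetBIOS payload")
    return payload


def parse_smb1_negotiate(payload: bytes):
    """Return the dialect strings from an SMB1 Negotiate request, or None if the
    payload is not one. Layout: 32-byte SMB header, WordCount (1 byte),
    WordCount*2 bytes of parameters, ByteCount (2 bytes, little-endian), data."""
    if len(payload) < 35 or payload[:4] != SMB1_MAGIC or payload[4] != SMB_COM_NEGOTIATE:
        return None
    word_count = payload[32]
    pos = 33 + 2 * word_count
    byte_count = struct.unpack_from("<H", payload, pos)[0]
    pos += 2
    data = payload[pos:pos + byte_count]
    # Each dialect entry is 0x02 followed by a NUL-terminated ASCII string.
    return [entry[1:].decode("ascii", "replace")
            for entry in data.split(b"\x00") if entry.startswith(b"\x02")]


def build_smb1_negotiate(dialects) -> bytes:
    """Constructed SMB1 Negotiate request wrapped in a NetBIOS session message
    (example input only; this is the normal first message of any SMB1 client)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27      # 32 bytes
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data                 # WordCount=0
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Dialect lists as sent by an SMB1-only client and by a client that can upgrade to SMB2.
SMB1_ONLY = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]
SMB2_CAPABLE = SMB1_ONLY + ["SMB 2.002", "SMB 2.???"]


def classify(packet: bytes) -> str:
    """Label one client-to-server packet by what it tells us about SMB version use."""
    payload = parse_netbios_session(packet)
    if payload[:4] == SMB2_MAGIC:
        return "smb2-native"
    dialects = parse_smb1_negotiate(payload)
    if dialects is None:
        return "not-negotiate"
    # A request listing only SMB1 dialects comes from a client that can never upgrade;
    # a server that accepts it still has SMBv1 enabled, which MS17-010 requires.
    if any(d.startswith("SMB 2") for d in dialects):
        return "smb1-with-smb2-upgrade"
    return "smb1-only"


if __name__ == "__main__":
    for label, pkt in (("legacy", build_smb1_negotiate(SMB1_ONLY)),
                       ("modern", build_smb1_negotiate(SMB2_CAPABLE))):
        print(label, classify(pkt), parse_smb1_negotiate(parse_netbios_session(pkt)))
```

The client's offer only shows what it is willing to speak; whether the server actually accepted SMBv1 is in its Negotiate response (the DialectIndex it selects), so a complete check pairs this parser with the reply on the same TCP session. Hosts seen answering "smb1-only" clients are the ones to prioritise for the MS17-010 patch and for disabling SMBv1.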

Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0146

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability has been exploited in the wild and is publicly known as EternalChampion exploit.

On April 14, 2017 the Shadow Brokers group made the exploit pack publicly available. The exploits are believed to have been stolen from the NSA.

Software: Windows

Known/famous malware:

EternalChampion exploit


Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0147

Information disclosure

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and gain access to potentially sensitive data.

Successful exploitation of this vulnerability may allow an attacker to gain access to potentially sensitive information.

Note: this vulnerability has been exploited in the wild and is publicly known as EternalChampion exploit.

On April 14, 2017 the Shadow Brokers group made the exploit pack publicly available. The exploits are believed to have been stolen from the NSA.

Software: Windows

Known/famous malware:

EternalChampion exploit


Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0144

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

On April 14, 2017 the Shadow Brokers group made the exploit pack publicly available. The exploits are believed to have been stolen from the NSA.

It is unclear which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.

This vulnerability was used to spread the WannaCry and NotPetya ransomware.

Software: Windows

Known/famous malware:

EternalRomance exploit
WannaCry
NotPetya


Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0145

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

On April 14, 2017 the Shadow Brokers group made the exploit pack publicly available. The exploits are believed to have been stolen from the NSA.

It is unclear which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.

Software: Windows

Known/famous malware:

EternalSynergy exploit


Backdoor in Web Paint Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to the victim's browser.

The vulnerability exists due to the presence of backdoor code in Web Paint Google Chrome extension 1.2.1, distributed via the Chrome Web Store.

The browser extension was hijacked on the Chrome Web Store and the attackers were able to distribute malware to the extension's users. The attack occurred around March 1, 2017.

Software: Web Paint (Chrome extension)


Multiple vulnerabilities in cPanel
CVE-2017-5613

Format string vulnerability

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a format string error in the cgiemail and cgiecho binaries when processing template files. A remote authenticated attacker can create a specially crafted template file containing format string specifiers and execute arbitrary code on the target system.

Successful exploitation may allow an attacker to compromise the vulnerable system.

Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak. The exploit is known as ElegantEagle.

The exploit code, dubbed ElegantEagle and targeting the cgiemail vulnerability, was disclosed in the Shadow Brokers leak.

Software: cPanel

Known/famous malware:

ElegantEagle exploit


Multiple vulnerabilities in Adobe Flash Player
CVE-2016-7892

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

Software: Adobe Flash Player

Remote code execution in Mozilla Firefox
CVE-2016-9079

Use-after-free

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing SVG animations in the nsSMILTimeContainer::NotifyTimeChange() function. A remote attacker can create a specially crafted web page hosting a malicious SVG file, trick the victim into visiting it and execute arbitrary code on the vulnerable system.

Successful exploitation may allow an attacker to gain complete control over the vulnerable system.

Note: this vulnerability is being publicly exploited against Tor Browser users.

Exploited in the wild against Tor Browser users. Exploit code was publicly disclosed before Mozilla released the patch.

Software: Mozilla Firefox, Tor Browser


Remote code execution in Jenkins
CVE-2016-9299

Deserialization of untrusted data

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a flaw in the remoting module when handling deserialized objects. A remote attacker can send a specially crafted serialized Java object to the Jenkins CLI, make Jenkins connect to an attacker-controlled LDAP server, bypass the existing deserialization protection mechanisms and execute arbitrary code on the vulnerable system.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Jenkins

Multiple vulnerabilities in Microsoft Graphics Component
CVE-2016-7256

Memory Corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to incorrect handling of objects in memory in the Windows font library when processing OpenType fonts. A remote attacker can create a specially crafted font file, deliver it in a document or on a web page, and cause memory corruption.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on vulnerable system with privileges of the current user.

Note: this vulnerability is being actively exploited in the wild.

The vulnerability started to appear on the radar in June 2016, when it was used in "low-volume attacks primarily focused on targets in South Korea". A successful attack exploited the flaw in the Windows font library to elevate privileges and install a backdoor called Hankray on the target systems.

Software: Windows

Known/famous malware:

Trojan Horse Exp.CVE-2016-7256.


Privilege escalation in Windows 10
CVE-2016-7255

Privilege escalation

The vulnerability allows a local user to gain elevated privileges on the target system.

The weakness is due to improper handling of objects in memory by win32k.sys. By calling the NtSetWindowLongPtr() system call with index GWLP_ID on a window handle whose GWL_STYLE has WS_CHILD set, a local attacker can corrupt kernel memory and execute arbitrary code with SYSTEM privileges.

Successful exploitation of the vulnerability results in privilege escalation.

Note: this vulnerability is being actively exploited in the wild.


The zero-day was actively exploited by the Russian group APT28 (also tracked as Fancy Bear, Pawn Storm, Sednit, Tsar Team and Sofacy).

Software: Windows


Remote code execution in Adobe Flash Player
CVE-2016-7855

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to use-after-free error when handling .swf files. A remote attacker can trick the victim to visit a website or open a file with malicious Flash file and execute arbitrary code on the target system with privileges of the current user.

Note: this vulnerability was being actively exploited in the wild.


The vulnerability was disclosed by Neel Mehta and Billy Leonard of the Google Threat Analysis Group.

The vulnerability was exploited by Russian hacker group APT28.

Software: Adobe Flash Player


Privilege escalation in Linux kernel
CVE-2016-5195

Privilege escalation

The vulnerability allows a local user to obtain elevated privileges on the target system.

The weakness is due to a race condition in the kernel memory subsystem's handling of copy-on-write (COW) breakage for private read-only memory mappings. A local user who wins the race can write to a read-only mapping of a file they may only read (for example a setuid binary), without holding write permission on the file.

Successful exploitation of the vulnerability results in root privileges on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was discovered by security researcher Phil Oester and was named "Dirty COW".
It is believed to have been exploited in the wild for some time before disclosure.

Software: Linux kernel


Remote code execution in Microsoft Office
CVE-2016-7193

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when Microsoft Word handles malicious RTF files. A remote attacker can create a specially crafted RTF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability will result in arbitrary code execution.

Note: the vulnerability was being actively exploited.

Software: Microsoft Word

Multiple vulnerabilities in Microsoft Edge
CVE-2016-7189

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error in the Scripting Engine when handling malicious content. A remote attacker can create specially crafted content, trick the victim into opening it, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability will result in arbitrary code execution.

Note: the vulnerability was being actively exploited.

Software: Microsoft Edge

Multiple vulnerabilities in Microsoft Windows
CVE-2016-3393

Arbitrary code execution

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in the Graphics Device Interface (GDI) component. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was used by an APT group that Kaspersky Lab calls FruityArmor. Victims have been identified in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.

Software: Windows


Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-3298

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to improper handling of objects in memory by the Internet Messaging API. A remote attacker can create specially crafted content, trick the victim into opening it, bypass security restrictions and determine the existence of arbitrary files on the system.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

Proofpoint researchers Will Metcalf and Kafeine first detected and reported CVE-2016-3298 in April 2016 as part of a “GooNky” infection chain along with CVE-2016-3351, but the information disclosure vulnerability was most likely already in use by the AdGholas group.

CVE-2016-3298 and CVE-2016-3351 were reported to Microsoft between October and December of 2015.


Software: Microsoft Internet Explorer

Known/famous malware:

Exploit Kit: Neutrino



Information disclosure when handling IKEv1 packets in Cisco products
CVE-2016-6415

Information disclosure

The vulnerability allows a remote user to access potentially sensitive information on the target system.

The weakness exists due to insufficient checks of IKE packets when handling ISAKMP requests. By sending specially crafted IKEv1 packets to the IKE service over IPv4 or IPv6, a malicious user can obtain memory contents.

Successful exploitation of the vulnerability leads to confidential information disclosure on the vulnerable system.

Note: this vulnerability was being actively exploited in the wild. It was disclosed as part of the Equation Group leak and is referred to as the BENIGNCERTAIN exploit.


The vulnerability was revealed after The Shadow Brokers hacking group published documents stolen from Equation Group on Saturday 13 August 2016. The exploit code was dubbed BENIGNCERTAIN and presumably was used by NSA operatives to infiltrate networks of government organizations and private companies.

Software: Cisco IOS

Known/famous malware:

BENIGNCERTAIN

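
The check the entry above describes as missing, trusting length fields inside IKEv1/ISAKMP packets, is easy to state in code. The following is an added example written for this page; it is not Cisco's code and not the leaked exploit. It walks the ISAKMP header and generic payload chain (RFC 2408 layout) and refuses any declared length that does not fit the datagram actually received, which is the class of check whose absence lets a parser read memory past the packet buffer. The packet builder, the mutation helper and the sample packets are constructed for the example; payload type numbers follow RFC 2408.

```python
import struct

ISAKMP_HDR_LEN = 28      # two 8-byte cookies, four single-byte fields, message id, length
PAYLOAD_HDR_LEN = 4      # next payload, reserved, 16-bit payload length (includes header)
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}


class IsakmpError(ValueError):
    """Raised for any packet whose declared lengths do not fit the datagram."""


def parse_isakmp(packet: bytes) -> dict:
    """Strict walk of the ISAKMP header and payload chain.

    Every length field is validated against len(packet) before it is used to
    slice, so a forged length can never cause a read beyond the bytes received.
    """
    if len(packet) < ISAKMP_HDR_LEN:
        raise IsakmpError("truncated ISAKMP header")
    (i_cookie, r_cookie, next_payload, version, exchange,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", packet[:ISAKMP_HDR_LEN])
    # The header length must describe exactly this datagram; a larger value is
    # how a parser gets talked into copying or returning bytes it never received.
    if length != len(packet):
        raise IsakmpError(f"header length {length} != datagram length {len(packet)}")

    payloads = []
    offset = ISAKMP_HDR_LEN
    while next_payload != 0:
        if offset + PAYLOAD_HDR_LEN > len(packet):
            raise IsakmpError(f"payload header at offset {offset} runs past end of packet")
        following, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + PAYLOAD_HDR_LEN])
        if plen < PAYLOAD_HDR_LEN or offset + plen > len(packet):
            raise IsakmpError(
                f"payload type {next_payload} at offset {offset} declares {plen} bytes, "
                f"only {len(packet) - offset} available")
        payloads.append((PAYLOAD_NAMES.get(next_payload, str(next_payload)),
                         packet[offset + PAYLOAD_HDR_LEN:offset + plen]))
        offset += plen
        next_payload = following
    if offset != len(packet):
        raise IsakmpError("trailing bytes after the last payload")
    return {"exchange": exchange, "version": version >> 4, "flags": flags, "msg_id": msg_id,
            "i_cookie": i_cookie, "r_cookie": r_cookie, "payloads": payloads}


def build_isakmp(payloads, exchange=2, i_cookie=b"\x11" * 8, r_cookie=b"\x00" * 8) -> bytes:
    """Assemble a well-formed packet from (type, data) pairs (constructed test helper)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, PAYLOAD_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", i_cookie, r_cookie, first, 0x10, exchange,
                         0, 0, ISAKMP_HDR_LEN + len(body))
    return header + body


def with_oversized_first_payload(packet: bytes, claimed: int = 0x4000) -> bytes:
    """Copy of the packet whose first payload claims far more bytes than exist."""
    mutated = bytearray(packet)
    struct.pack_into("!H", mutated, ISAKMP_HDR_LEN + 2, claimed)
    return bytes(mutated)


# Constructed sample: a main-mode (exchange type 2) first message carrying an
# SA payload and a vendor-ID payload, plus a copy with a forged SA length.
GOOD_PACKET = build_isakmp([(1, b"\x00\x00\x00\x01" + b"\x00" * 8), (13, b"vendor-id")])
BAD_PACKET = with_oversized_first_payload(GOOD_PACKET)

if __name__ == "__main__":
    print(parse_isakmp(GOOD_PACKET)["payloads"])
    try:
        parse_isakmp(BAD_PACKET)
    except IsakmpError as err:
        print("rejected:", err)
```

The parser is deliberately stricter than a tolerant implementation would be (it rejects trailing bytes rather than ignoring them); for a daemon that handles untrusted IKE traffic, failing closed on any length inconsistency is the safer default.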

Multiple vulnerabilities in Microsoft Internet Explorer and Edge
CVE-2016-3351

Memory corruption

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a boundary error when handling malicious files. A remote attacker can create specially crafted content, trick the victim into opening it, trigger memory corruption and gain access to arbitrary data.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

Microsoft had known about CVE-2016-3351 since 2015.
Exploited by the AdGholas and GooNky malvertising groups.

Software: Microsoft Internet Explorer, Microsoft Edge


Remote code execution in InPage

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists within the text processor when parsing .inp files. A remote attacker can create a specially crafted .inp file, trick the victim into opening it and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may result in full system compromise.

Note: this vulnerability is being actively exploited in the wild against financial institutions in Asia.

Not patched

Exploit code was used in targeted attacks against financial institutions in Asia. Victims of these attacks have been observed in U.K., U.S, Myanmar, Sri-Lanka and Uganda. The sector for the victims include both financial and governmental institutions.

Attacks are similar to attacks exploiting vulnerabilities in the Hangul Word Processor against government targets in South Korea.

Software: InPage

Known/famous malware:

Zeus-type malware.


Multiple vulnerabilities in Apple iOS
CVE-2016-4655

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper input validation. A remote attacker can run a specially crafted application, bypass security restrictions and obtain portions of kernel memory.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.



The Citizen Lab investigation exposed three zero-day exploits (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657) used by "Pegasus", a lawful-interception spyware product developed by the Israel-based NSO Group and sold to government agencies. The exploit chain was sent to UAE human rights defender Ahmed Mansoor.

Software: Apple iOS

Known/famous malware:

Trident exploit.


Multiple vulnerabilities in Apple iOS
CVE-2016-4656

Memory corruption

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to a boundary error in the kernel when processing a malicious application. A local attacker can run a specially crafted application, trigger memory corruption and execute arbitrary code with kernel privileges.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: the vulnerability was being actively exploited.


The Citizen Lab investigation exposed three zero-day exploits (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657) used by "Pegasus", a lawful-interception spyware product developed by the Israel-based NSO Group and sold to government agencies. The exploit chain was sent to UAE human rights defender Ahmed Mansoor.

Software: Apple iOS

Known/famous malware:

Trident exploit.


Multiple vulnerabilities in Apple iOS
CVE-2016-4657

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error in WebKit. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: the vulnerability was being actively exploited.


The Citizen Lab investigation exposed three zero-day exploits (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657) used by "Pegasus", a lawful-interception spyware product developed by the Israel-based NSO Group and sold to government agencies. The exploit chain was sent to UAE human rights defender Ahmed Mansoor.

Software: Apple iOS

Known/famous malware:

Trident exploit.


Remote code execution in Cisco ASA Appliances
CVE-2016-6366

SNMP remote code execution

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when handling SNMP packets. A remote attacker with knowledge of SNMP community string can cause buffer overflow and cause the target device to reload or execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in full compromise of affected system.

The following models of CISCO ASA appliances are affected:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco PIX Firewalls
  • Cisco Firewall Services Module (FWSM)

Note: this is a zero-day vulnerability disclosed after the security breach of the Equation Group. The exploit code for this vulnerability was publicly exposed and is referred to as the EXTRABACON exploit.


The vulnerability was revealed after The Shadow Brokers hacking group published, in August 2016, exploit tooling believed to have been stolen from the Equation Group in 2013. The exploit code was dubbed ExtraBacon and was presumably used by NSA operatives to infiltrate networks of government organizations and private companies.

Software: Cisco ASA Series

Known/famous malware:

ExtraBacon.


Local buffer overflow in CLI parser in Cisco ASA Appliances
CVE-2016-6367

CLI parser buffer overflow

The vulnerability allows a local user to cause denial of service or execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the command-line interface (CLI) parser. A local authenticated user can trigger buffer overflow and reload the affected device or execute arbitrary code on the target system.

Successful exploitation of this vulnerability will allow a local user to execute arbitrary code on vulnerable system.

The following models of CISCO ASA appliances are affected:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco PIX Firewalls
  • Cisco Firewall Services Module (FWSM)

Note: this is a zero-day vulnerability disclosed after the security breach of the Equation Group. The exploit code for this vulnerability was publicly exposed and is referred to as the EPICBANANA exploit.


The vulnerability was revealed after The Shadow Brokers hacking group published, in August 2016, exploit tooling believed to have been stolen from the Equation Group in 2013. The exploit code was dubbed EPICBANANA (not BENIGNCERTAIN, which targets the IKEv1 flaw above) and was presumably used by NSA operatives to infiltrate networks of government organizations and private companies.

Cisco had originally patched this flaw in 2011, so only unpatched devices remained exposed when the exploit became public.

Software: Cisco ASA Series, Cisco PIX Firewall

Known/famous malware:

EPICBANANA.


Remote code execution in Fortinet FortiOS and FortiSwitch
CVE-2016-6909

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the cookie parser. A remote attacker can send a specially crafted HTTP request, cause memory corruption and execute arbitrary code on the vulnerable system.

Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to vulnerable system.

Note: the vulnerability was being actively exploited.


Information about zero-day vulnerabilities in Cisco and FortiOS products was exposed after NSA data leak in August 2016. The tools bear digital signatures that match those used by the Equation Group, a group that has alleged links to the NSA. The incident highlights the risk of hoarding zero-day vulnerabilities.

EGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and exploits disclosed on 2016/08/14 by a group known as the Shadow Brokers.

Software: FortiOS


Security bypass in Mozilla Firefox
CVE-2015-4495

Security bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper input validation. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, bypass same-origin policy and inject arbitrary JavaScript into the built-in PDF Viewer to gain access to arbitrary files on the system.

Successful exploitation of this vulnerability results in read access to local files, which the injected script can exfiltrate to an attacker-controlled server.

Note: the vulnerability was being actively exploited.

In 2015 Mozilla's bug-tracking service was compromised. The attackers were able to read information about not yet patched vulnerabilities in Mozilla Firefox and used one of them, in August 2015, in a targeted attack against visitors of a Russian news website.

The malicious exfiltration server, hosted in Ukraine, has been online since July 27, 2015.

The vulnerability was reported by researcher Cody Crews.

Software: Mozilla Firefox

Known/famous malware:

JS/Exploit.CVE-2015-4495 (ESET).


Remote code execution in Adobe Flash Player
CVE-2016-4171

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when handling .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.



The vulnerability was reported by Anton Ivanov of Kaspersky Lab.
Kaspersky Lab attributed its use to the ScarCruft group's Operation Daybreak campaign (the group's separate Operation Erebus campaign relied on an older Flash exploit, CVE-2016-4117).

It has been used in targeted attacks carried out by a new ScarCruft APT group operating primarily against high-profile victims in China, South Korea, India, Russia, Nepal, Romania, and Kuwait.

Software: Adobe Flash Player


Arbitrary file upload in WP Mobile Detector

Arbitrary file upload

The vulnerability allows a remote attacker to upload arbitrary files to compromise the target system.

The weakness exists due to the failure to validate and sanitize input. A remote attacker can send a request to resize.php or timthumb.php inside the plugin directory with a URL pointing to a backdoor containing PHP code; the script fetches the remote file and stores it under the web root, where it can then be executed.

Successful exploitation of the vulnerability may result in malicious files uploading and vulnerable system compromising.

Note: the vulnerability was being actively exploited.

Researchers at Sucuri said that attacks against WordPress sites running the plugin started on May 26, 2016.

Software: WP Mobile Detector


Remote denial of service in Cisco IOS
CVE-2016-1409

Improper input validation

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a logic error when parsing IPv6 Neighbor Discovery (ND) packets, sent directly to the device. A remote attacker can send specially crafted IPv6 traffic to the affected device and cause the device to stop processing IPv6 traffic.

Successful exploitation of the vulnerability will result in denial of service attack.

Note: according to Cisco, this vulnerability is being exploited in the wild.

Not patched

Software: Cisco IOS XR

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-0189

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in the Scripting Engine when handling malicious files. A remote attacker can create a specially crafted content, trick the victim into opening it, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Used in targeted attacks against South Korean organizations, where the Sundown Exploit Kit (EK) delivered the Duuzer backdoor trojan. The exploit was later included in the Magnitude and KaiXin exploit kits.

Software: Microsoft Internet Explorer

Known/famous malware:

Exploit kit: Magnitude, Neutrino, RIG, Sundown.


Remote code execution in Adobe Flash Player
CVE-2016-4117

Type confusion

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Note: the vulnerability was being actively exploited.

The vulnerability was reported by Genwei Jiang.
The zero-day was used by the Pawn Storm and APT3 cyber-espionage groups and in the Operation Erebus campaign, and was later seen delivering the CryptXXX, Cerber and DMA Locker ransomware families as well as the Gootkit trojan.

Software: Adobe Flash Player

Known/famous malware:

Exploit kit: Angler, Magnitude, Neutrino, RIG.


Remote code execution in ImageMagick
CVE-2016-3714

Input validation error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to insufficient filtering of file names passed to delegate commands (the external helper programs ImageMagick invokes for certain formats). A remote attacker can craft an image whose embedded file name contains shell metacharacters, trick the victim into processing it with an application that uses ImageMagick, and execute arbitrary shell commands with the privileges of that application.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The code execution vulnerability in ImageMagick was found by Nikolay Ermishkin of the Mail.Ru Security Team while investigating the original report.
Security researcher Behrouz Sadeghipour discovered that the vulnerability was present on a web domain belonging to Polyvore.

The vulnerability is dubbed "ImageTragick".

Software: ImageMagick

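
The WP Mobile Detector entry above (resize.php fetching an attacker-supplied URL and storing the result under its original name) and the ImageTragick entry (ImageMagick interpreting attacker-controlled content as MVG or delegate input) share one root cause: the application trusts a file's name or claimed type instead of its content. The block below is an added example written for this page, not code from either project. It derives the stored name of an upload from its magic bytes, refuses text-based formats outright, and checks an ImageMagick policy.xml for the coder blocks the ImageTragick disclosure recommended. The sample bytes and policy fragments are constructed for the example; function names are this example's own.

```python
import os
import re
import xml.etree.ElementTree as ET

# Signatures of the raster formats we are willing to hand to an image
# processor or store under the web root. Text-based formats (MVG, SVG, MSL)
# and anything else are rejected by content, whatever the file name claims.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Coders the ImageTragick disclosure recommended disabling in policy.xml.
DANGEROUS_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")


def sniff_extension(data: bytes):
    """Extension implied by the leading magic bytes, or None if unsupported."""
    for magic, ext in RASTER_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def safe_storage_name(data: bytes, claimed_name: str):
    """Name to store an upload under, or None if it is not a supported raster image.

    The extension comes from the content, the stem is reduced to a safe
    character set, and any directory component is dropped, so neither a PHP
    backdoor fetched as 'shell.php' nor MVG text uploaded as 'x.jpg' can be
    written where it would later be executed or interpreted.
    """
    ext = sniff_extension(data)
    if ext is None:
        return None
    stem = os.path.splitext(os.path.basename(claimed_name))[0]
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "image"
    return stem + ext


def unblocked_coders(policy_xml: str):
    """Dangerous coders that a given policy.xml still leaves enabled."""
    root = ET.fromstring(policy_xml)
    denied = {p.get("pattern") for p in root.iter("policy")
              if p.get("domain") == "coder" and p.get("rights") == "none"}
    return [c for c in DANGEROUS_CODERS if c not in denied]


# Constructed samples (not real files): a PNG header, benign MVG text and a
# PHP stub, each paired below with a file name chosen to look like something else.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
MVG_SAMPLE = b"push graphic-context\nviewbox 0 0 10 10\npop graphic-context\n"
PHP_SAMPLE = b"<?php echo 'hello'; ?>"

# Constructed policy.xml fragments: one carrying the mitigation, one without it.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>"""
DEFAULT_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

if __name__ == "__main__":
    print(safe_storage_name(PNG_SAMPLE, "../../shell.php"))   # shell.png
    print(safe_storage_name(MVG_SAMPLE, "avatar.jpg"))         # None
    print(unblocked_coders(DEFAULT_POLICY))                     # ['EPHEMERAL', 'URL', 'HTTPS', 'MVG', 'MSL']
```

A magic-byte check is a filter, not a parser: it keeps MVG, SVG and PHP out of the pipeline but does not prove a PNG or JPEG is well formed, so it belongs in front of the policy.xml hardening rather than instead of it.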

Multiple vulnerabilities in Microsoft Windows
CVE-2016-0165

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.

Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.


Fixed in Microsoft bulletin MS16-039 (April 2016), the same Patch Tuesday release that addressed the "Badlock" SAM/LSAD flaw (CVE-2016-0128). CVE-2016-0165 itself is a win32k.sys kernel-mode driver bug and is not the Badlock vulnerability.

Software: Windows


Multiple vulnerabilities in Microsoft Windows
CVE-2016-0167

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.

Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.


Used to compromise organizations in the USA and Canada. The first attacks were detected on March 8, 2016.

Software: Windows

Known/famous malware:

PUNCHBABY or PUNCHTRACK Trojan.


Microsoft Security Update for Adobe Flash Player
CVE-2016-1019

Type confusion

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion error when handling .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Note: the vulnerability was being actively exploited.

The weakness was reported by Kafeine (EmergingThreats/Proofpoint), Genwei Jiang (FireEye, Inc.) and Clement Lecigne (Google).

According to FireEye, on April 2, Kafeine provided details on a version of the Magnitude Exploit Kit that was originally believed to be exploiting known Adobe Flash vulnerabilities.

Software: Adobe Flash Player

Known/famous malware:

Magnitude, Neutrino and Nuclear Pack Exploit Kit.
Cerber and DMA Locker ransomware.


Multiple vulnerabilities in Adobe Flash Player
CVE-2016-1010

Integer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Note: the vulnerability was being actively exploited.

The vulnerability was reported by Anton Ivanov from Kaspersky Lab. The vulnerability was used by the ScarCruft group in Operation Daybreak campaign.

Software: Adobe Flash Player

Known/famous malware:

Used in Angler Exploit Kit.


Multiple vulnerabilities in Adobe Flash Player
CVE-2016-0984

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Note: according to a Kaspersky Lab report, this vulnerability has been actively exploited in the wild by the BlackOasis APT actor.


According to Kaspersky Lab, this vulnerability was exploited in the wild by the BlackOasis actor in June 2015.

Software: Adobe Flash Player


Privilege escalation in Linux kernel
CVE-2016-0728

Use-after-free error

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to use-after-free error in the join_session_keyring() function in security/keys/process_keys.c when handling keyring object reference counting by Linux kernel's key management subsystem. A local attacker can overflow the usage field via a specially crafted object and execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The critical Linux kernel flaw (CVE-2016-0728) has been identified by a group of researchers at a startup named Perception Point.
The vulnerability has existed since 2012, but was disclosed in January, 2016.

Software: Linux kernel

Remote code execution in Microsoft Silverlight
CVE-2016-0034

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error when parsing strings with a malicious decoder that can return negative offsets. A remote attacker can create specially crafted content, trick the victim into opening it, replace unsafe object headers with attacker-provided contents and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

On July 5, 2015, a large amount of data from one company was leaked to the Internet with a hacker known as “Phineas Fisher” claiming responsibility for the breach.

Software: Microsoft Silverlight

Known/famous malware:

Used in Angler, Hunter, RIG and Sundown Exploit Kit.

Multiple vulnerabilities in Adobe Flash Player
CVE-2015-8651

Integer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an integer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Adobe Flash Player

Known/famous malware:

Exploit kits: Angler, Neutrino, Nuclear Pack and RIG

Two backdoors in Juniper ScreenOS
CVE-2015-7755

Authentication bypass

The vulnerability allows a remote attacker to bypass authentication on the target system.

The weakness exists due to the presence of a backdoor in the Juniper ScreenOS code. A remote attacker can enter the password "<<< %s(un='%s') = %u" during an SSH or TELNET session and obtain administrative access to the device.

Successful exploitation of the vulnerability results in unauthorized access to the vulnerable system.

Note: the vulnerability was being actively exploited.

Revealed during source code review by the vendor.

Software: Juniper ScreenOS

Two backdoors in Juniper ScreenOS
CVE-2015-7756

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to the use of insecure encryption keys. A remote attacker with the ability to monitor VPN traffic can intercept and decrypt it.

Successful exploitation of the vulnerability results in information disclosure on the target system.

Note: the vulnerability was disclosed as part of two backdoors during internal source code audit.

Revealed during source code review by the vendor.

Software: Juniper ScreenOS

Remote PHP code execution in Joomla!
CVE-2015-8562

Remote PHP code execution

The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.

The vulnerability exists due to insufficient filtering of the HTTP User-Agent header and the filter-search HTTP POST parameter before they are stored in the database. A remote unauthenticated attacker can permanently inject and execute arbitrary PHP code on the target system with privileges of the web server.

Successful exploitation of this vulnerability will allow a remote attacker to gain complete control over the vulnerable web application and execute arbitrary PHP code on the target system.

Note: this is a zero-day vulnerability and it is being exploited in the wild.

The vulnerability was used to compromise vulnerable websites about 16000 (sometimes 20000) times per day.

Software: Joomla!

Multiple vulnerabilities in Microsoft Windows
CVE-2015-6175

Memory corruption

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to a boundary error when handling objects in kernel memory. A local attacker can execute a specially crafted program, trigger memory corruption and gain SYSTEM privileges.

Successful exploitation of this vulnerability results in privilege escalation on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Windows

Security bypass in Oracle Java SE
CVE-2015-4902

Security bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to an unspecified error related to the Java SE Deployment component. A remote attacker can bypass the click-to-play protection in Java.

Successful exploitation of the vulnerability results in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.

Exploited by the Fancy Bear APT.

This was quite useful in Pawn Storm, as it used exploits targeting these vulnerabilities to carry out targeted attacks against North Atlantic Treaty Organization (NATO) members and the White House earlier this year.

Software: Java SE

Remote code execution in Adobe Flash Player
CVE-2015-7645

Type confusion

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a type confusion error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Was used in Pawn Storm Campaign Targeting Foreign Affairs Ministries. Exploited by the Fancy Bear APT.
The vulnerability was reported by Peter Pi of Trend Micro.

Software: Adobe Flash Player

Known/famous malware:

Exploit Kits: Angler, Hunter, Magnitude, Neutrino, Nuclear Pack, RIG, Spartan.

Multiple vulnerabilities in Microsoft Office
CVE-2015-2545

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when parsing malformed images. A remote attacker can create a file containing a specially crafted image, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

CVE-2015-2545 fuels around 17% of attacks in Microsoft Office.

Used to target organisations in China.

Software: Microsoft Office

Multiple vulnerabilities in Microsoft Windows
CVE-2015-2546

Memory corruption

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to a boundary error in ATMFD.dll in Win32k.sys. A local attacker can execute a specially crafted program, trigger memory corruption and gain SYSTEM privileges.

Successful exploitation of the vulnerability may result in full control of the vulnerable system.


Note: the vulnerability was being actively exploited.

The vulnerability was reported by FireEye researcher Wang Yu.

Software: Windows

Remote code execution in Microsoft Windows Media Center
CVE-2015-2509

Arbitrary code execution

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper handling of Media Center link (.mcl) files. A remote attacker can create a specially crafted Media Center link (.mcl) file that references malicious code, trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of this vulnerability results in system compromise.

Note: the vulnerability was being actively exploited.

This vulnerability is related to a previously unreported zero-day exploit discovered in the Hacking Team leaked emails. Trend Micro researchers (Aaron Luo, Kenney Lu, and Ziv Chang) discovered the exploit and subsequently reported their findings to Microsoft.

Software: Windows Media Center

Remote code execution in Hangul Word Processor
CVE-2015-6585

Type confusion

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error. A remote attacker can create a specially crafted HWPX file containing a set of directories and XML files, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.

Note: this vulnerability is being actively exploited.

Trojan.Volgmer.B. Attackers from North Korea exploited the vulnerability HANGMAN in a word processor popular with the South Korean government to steal documents and upload them to a C&C server.
The North Korean attack in June was dubbed "Macktruck".

Software: Hancom Office

Remote code execution in Microsoft Internet Explorer
CVE-2015-2502

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling JavaScript and HTML tables within the layout cache. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability has been exploited in watering hole attacks via a compromised website belonging to an evangelical church in Hong Kong to deliver Korplug malware.

Software: Microsoft Internet Explorer

Known/famous malware:

Korplug malware.

Privilege escalation in Microsoft Windows
CVE-2015-1769

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper processing of symbolic links by Mount Manager. By inserting a specially crafted USB device into the system, an attacker can create arbitrary files and execute malicious code with SYSTEM privileges.

Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Attackers used USB devices to infect computers with the malware at the Natanz uranium enrichment facility in Iran.
The .LNK vulnerability was also exploited by the Equation Group, which was uncovered by researchers at Kaspersky Lab.

Software: Windows

Known/famous malware:

Fanny

Multiple vulnerabilities in Microsoft Office
CVE-2015-1642

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing Microsoft Office documents. A remote unauthenticated attacker can create a specially crafted Office document, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability is being actively exploited.

The vulnerability was discovered by Yong Chuan, Koh of MWR Labs.

Software: Microsoft Office

Remote code execution in Microsoft Windows
CVE-2015-2426

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a buffer overflow in the Windows Adobe Type Manager library when processing OpenType fonts. A remote attacker can create a specially crafted document or website with an embedded malicious OpenType font, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: the vulnerability was being actively exploited.

The exploit code was revealed after Hacking Team data leak.
The vulnerability was reported by FireEye's Genwei Jiang and Google Project Zero's Mateusz Jurczyk.

The vulnerability was exploited by Eugene Ching of Qavar Security in January 2015.

Software: Windows

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2015-2425

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The exploit code was revealed after Hacking Team data leak.

Software: Microsoft Internet Explorer

Remote code execution in Oracle Java SE
CVE-2015-2590

Remote code execution

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an unspecified error in the Libraries component. A remote attacker can execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in full control of the vulnerable system.

Note: the vulnerability was being actively exploited.

The attacks were launched by a cyberespionage group known as Pawn Storm or APT28 targeting the White House and members of the North Atlantic Treaty Organization (NATO) back in April 2015.
The group has been active since 2007 and typically targets military, government and media organizations.

Software: Java SE

Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2015-5122

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error in the ActionScript 3 opaqueBackground class. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The exploit code was revealed after Hacking Team data leak. The exploit was used against Japanese organizations.
The vulnerability was reported by Dhanesh Kizhakkinan of FireEye as well as Peter Pi of TrendMicro.

Software: Adobe Flash Player

Known/fameous malware:

Exploit kits:
Angler EK - 2015-07-11
Neutrino - 2015-07-13
Nuclear Pack - 2015-07-14
RIG - 2015-07-14
Magnitude - 2015-07-15
NullHole - 2015-07-22
Spartan - 2015-09-11

Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2015-5123

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error in the ActionScript 3 BitmapData class. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The exploit code was revealed after Hacking Team data leak.

Software: Adobe Flash Player

Known/famous malware:

SWF_EKSPLOYT.EDF (Trend Micro).

Remote code execution in Adobe Flash Player
CVE-2015-5119

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The exploit code was revealed after the Hacking Team data leak. It was also used in phishing campaigns conducted by two Chinese advanced persistent threat (APT) groups: APT3 and APT18.
The vulnerability was reported by Google Project Zero and Morgan Marquis-Boire.

Software: Adobe Flash Player

Arbitrary code execution in Microsoft Windows
CVE-2015-2387

Memory corruption

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to a boundary error in the Adobe Type Manager module (ATMFD.dll). A local attacker can execute a specially crafted application, trigger memory corruption, bypass OS-level sandboxing and execute arbitrary code with SYSTEM privileges.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Public exploit code for this vulnerability became available as part of the Hacking Team data leak on July 5, 2015.

Software: Windows

Remote code execution in Microsoft Office
CVE-2015-2424

Heap-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a heap-based buffer overflow when processing Office files. A remote attacker can create a specially crafted Office file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability is linked to APT28 and Operation Pawn Storm and was used in a cyber espionage campaign by Tsar Team.

Software: Microsoft Office

Known/famous malware:

Trojan.Win32.Sofacy.

Remote code execution in Adobe Flash Player
CVE-2015-3113

Heap-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a heap-based buffer overflow when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Exploited by a China-based cyberespionage group (APT3) in a phishing campaign known as Operation Clandestine Wolf.

Software: Adobe Flash Player

Known/famous malware:

Magnitude exploit kit.

Multiple vulnerabilities in Microsoft Windows
CVE-2015-2360

Memory corruption

The vulnerability allows a local attacker to obtain elevated privileges on the target system.

The weakness exists due to a boundary error. A local attacker can run a specially crafted program to trigger memory corruption and acquire administrative privileges.

Successful exploitation of the vulnerability results in privilege escalation on the vulnerable system.

Note: the vulnerability was being actively exploited.

Exploited by Duqu 2.0 and used in the attack on Kaspersky Lab's internal networks in early spring 2015.

Software: Windows

PHP code execution in H-fj Mt-phpincgi
CVE-2015-2945

Arbitrary PHP code execution

The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.

The weakness exists due to improper validation of input when performing an unserialize() call. A remote attacker can send a specially crafted URL request, inject and execute arbitrary PHP code on the system.

Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Mt-phpincgi

Multiple vulnerabilities in Microsoft Windows
CVE-2015-1701

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper access control. A local attacker can create a specially crafted application, execute a callback in userspace and use data from the System token to execute arbitrary code on the system with root privileges.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was combined with CVE-2015-3043 to perform Operation "Russian Doll".

Exploited by Russia's APT28 (Fancy Bear) in a cyber espionage campaign against U.S. defense contractors, European security companies and Eastern European government entities.

Software: Windows

Multiple vulnerabilities in Adobe Flash Player
CVE-2015-3043

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Attackers exploited the two vulnerabilities together to attack a government entity and steal politically sensitive data; the entity is a known target of the Russian APT group.

Software: Adobe Flash Player

Multiple vulnerabilities in Microsoft Office
CVE-2015-1641

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling Rich Text Format (RTF) files. A remote attacker can create a specially crafted RTF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability accounts for nearly 66% of attacks using Office Word.

Used in APT attacks targeting Tibetans, Uyghurs, human rights groups in Taiwan and Hong Kong, and journalists.

Software: Microsoft Office

Two remote code execution vulnerabilities in Microsoft Windows
CVE-2015-0096

Insecure DLL library loading

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the way Microsoft Windows parses shortcuts. A remote attacker can place a specially crafted .dll file along with an icon file on a remote SMB or WebDAV share, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: the vulnerability was being actively exploited.

According to Trustwave, it is a zero-day.
CVE-2015-0096 is a continuation of CVE-2010-2568, which was believed to have been patched by MS10-046. However, that fix was incomplete, as MS15-018 shows. At the time of the patch release there were fully functional exploits for this particular vulnerability.

Software: Windows

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2015-0071

Security bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a failure to use Address Space Layout Randomization (ASLR). A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass the ASLR mechanism and predict memory locations, which, combined with another vulnerability, allows arbitrary code execution.

Successful exploitation of this vulnerability results in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.

Allegedly, Chinese hackers combined it with a remote code execution vulnerability in Adobe Flash to infect visitors to the Forbes website with malware from November 2014.

Software: Microsoft Internet Explorer

Known/famous malware:

JS:CVE-2015-0071-A.

Stored cross-site scripting in FancyBox for WordPress
CVE-2015-1494

Stored cross-site scripting

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user input. A remote attacker can send a specially crafted HTTP request to the vulnerable website and permanently store arbitrary HTML and JavaScript code on it. The code will be executed in the browser of every visitor to the website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: the vulnerability was being actively exploited.

The vulnerability was reported by Konstantin Kovshenin and Gennady Kovshenin.

Software: FancyBox

Multiple vulnerabilities in Adobe Flash Player
CVE-2015-0313

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was used in a malvertising campaign against visitors of dailymotion.com.

Software: Adobe Flash Player

Known/famous malware:

SWF_EXPLOIT.MJST
Hanjuan Exploit Kit

Cross-site scripting in Microsoft Internet Explorer
CVE-2015-0072

Cross-site scripting

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user input passed via vectors involving an IFRAME element. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of another website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: the vulnerability was being actively exploited.

CVE-2015-0072 was apparently reported to Microsoft on Oct. 13, 2014; however, David Leo disclosed the details of this vulnerability to the popular Full Disclosure security mailing list on Jan. 31, 2015.

Software: Microsoft Internet Explorer

Known/famous malware:

Exploit: HTML/CVE-2015-0072.A

Remote code execution in Adobe Flash Player
CVE-2015-0311

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was discovered by French security researcher “Kafeine”.
It was actively being exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. It was used by Angler EK and infected at least 1,800 known domains.

Software: Adobe Flash Player

Known/famous malware:

SWF/Exploit.CVE-2015-0311.N(2)
Trojan.Swifi (Symantec)
Angler EK

Security bypass in Adobe Flash Player
CVE-2015-0310

Security bypass

The vulnerability allows a remote attacker to circumvent memory address randomization on the target system.

The weakness exists due to a memory leak error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption, bypass memory address randomization on the Windows platform and obtain sensitive information.

Note: the vulnerability was being actively exploited.

The vulnerability was discovered and reported by security researcher Kafeine.
The vulnerability was used in attacks against older versions of Flash Player.

Software: Adobe Flash Player

Known/famous malware:

Angler EK.

Privilege escalation in Microsoft Windows
CVE-2015-0016

Path traversal

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists due to insufficient validation of user-supplied input within the TS WebProxy Windows component. A remote attacker can trick the victim into downloading a specially crafted file and execute it with privileges of the current user.

Successful exploitation of the vulnerability may result in full control of the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was being used in CNACOM campaign targeting government organization in Taiwan.

Software: Windows

Known/famous malware:

Exploit.Win32.CVE-2015-0016.

Multiple vulnerabilities in Adobe Flash Player
CVE-2014-9163

Stack-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a stack-based buffer overflow when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was discovered by the researcher ‘bilou’, who reported the bug through HP’s Zero Day Initiative (ZDI).

It has been used in a watering hole attack against US Defense and Financial Services firms, where it was hosted on the compromised Forbes.com website.

Software: Adobe Flash Player

Known/famous malware:

Trojan.Win32.Bergard.A.

Two vulnerabilities in Siemens SIMATIC WinCC
CVE-2014-8551

Improper input validation

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper input validation when processing packets sent to the WinCC server. A remote unauthenticated attacker can send a specially crafted packet and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Note: this vulnerability has been exploited in targeted attacks.

The vulnerability has been exploited in targeted attacks involving BlackEnergy Trojan.

Software: Siemens SIMATIC WinCC

Known/famous malware:

BlackEnergy

Privilege escalation in Microsoft Windows
CVE-2014-6324

Privilege escalation

The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.

The weakness exists due to the failure to properly validate signatures in the Kerberos ticket by the Microsoft Kerberos KDC implementation. A remote attacker can forge a ticket and elevate an unprivileged domain user account to a domain administrator account.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Exploited by Duqu.

The vulnerability was reported by Qualcomm Information Security & Risk Management team.

Software: Windows

Remote code execution in JustSystems Ichitaro
CVE-2014-7247

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow when processing documents. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

According to TrendMicro and Symantec this is a zero-day.

The Emdivi, Korplug and ZXshell backdoors were used in the cyberespionage campaign "Operation CloudyOmega" to target Japanese organisations.

Software: Ichitaro

Known/famous malware:

Emdivi
Korplug
ZXshell

Privilege escalation in Microsoft Windows
CVE-2014-4077

Privilege escalation

The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.

The weakness exists due to improper access control in the Microsoft implementation of the Input Method Editor (IME) for the Japanese language. A remote attacker can create a specially crafted file designed to invoke a vulnerable sandboxed application, trick the victim into opening it, gain elevated privileges and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

CVE-2014-4077 was used in a targeted attack in the wild to bypass the Adobe Reader sandbox via binary hijacking using a malicious DIC file.

Software: Windows

Remote code execution in Microsoft Windows
CVE-2014-6352

Code injection

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error when handling malicious Office files. A remote attacker can create a specially crafted Microsoft Office file containing a malicious OLE object, trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Microsoft first received information about this vulnerability through coordinated vulnerability disclosure. The zero-day was initially found and reported to McAfee by James Forshaw of Google Project Zero.

The vulnerability is publicly known as "Sandworm" and has been exploited by the Chinese against Taiwan.

Software: Windows

Known/famous malware:

Trojan.Mdropper (Symantec).

Privilege escalation in Microsoft Windows
CVE-2014-4113

Privilege escalation

The vulnerability allows a local attacker to obtain elevated privileges on the target system.

The weakness exists due to improper handling of objects in memory by kernel-mode driver (win32k.sys). A local attacker can run a specially crafted application to gain elevated privileges and take complete control of the system.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was apparently found and reported to Microsoft by both CrowdStrike and FireEye.
The vulnerability has been actively exploited in the wild for at least five months by a highly advanced adversary group named HURRICANE PANDA.

Software: Windows

Known/famous malware:

Nuclear Exploit Kit.

Remote code execution in Microsoft Windows
CVE-2014-4114

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error when processing OLE objects. A remote attacker can create a specially crafted OLE object, attach it to a document (e.g. a PowerPoint file), trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The zero-day vulnerability is being claimed to have been used in early September in possible campaigns against NATO, Ukrainian government organizations, Western European government organization, Energy Sector firms (specifically in Poland), European telecommunications firms, United States academic organizations.
Files in the SandWorm exploit highlighted by iSIGHT Partners include a malicious executable from a known malware family, namely the BlackEnergy Trojan.

Software: Windows

Known/famous malware:

Dyreza Trojan
SandWorm
BlackEnergy Trojan

Remote code execution in Microsoft Windows
CVE-2014-4148

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper input validation when processing TrueType fonts in kernel-mode driver (win32k.sys). A remote attacker can create a specially crafted font file, place it on a web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was heavily exploited by the advanced adversary group named HURRICANE PANDA.

Software: Windows

Multiple vulnerabilities in Adobe Flash Player
CVE-2014-8439

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

An Adobe Flash vulnerability was discovered in October and promptly patched. The exploits in the Nuclear and Angler kits were detected by the French researcher Kafeine shortly after the company released an update on Oct. 14. Despite the patch on October 14, 2014, the vulnerability was not completely mitigated. The vulnerability was patched again on November 25.


Software: Adobe Flash Player

Known/famous malware:

Troj/SWFExp-CD.
Exploit kits: Angler, Nuclear, and Astrum.

Multiple vulnerabilities in OpenSSL
CVE-2014-3566

Information disclosure

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists due to usage of the insecure SSLv3 protocol in OpenSSL. A remote attacker can force the current connection between user and server to be downgraded to the SSLv3 protocol and then use a padding-oracle attack against cipher block chaining (CBC) mode to decrypt encrypted communication.

Successful exploitation of the vulnerability may allow an attacker to read encrypted communications in clear text.

Note: The vulnerability is known as POODLE.

The vulnerability was used in the attack called Poodle against Docker.

Software: OpenSSL

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2014-4123

Privilege escalation

The vulnerability allows a remote attacker to obtain elevated privileges on the target system.

The weakness exists due to the failure to properly validate permissions. A remote attacker can gain elevated privileges and execute arbitrary code on the affected system.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

CrowdStrike first detected the attacks in spring.
The zero-day reported by CrowdStrike was also reported by FireEye.
The issue was introduced on 07/27/2005.
The vulnerability was handled as a non-public zero-day exploit for at least 3366 days.

Exploited by Hurricane Panda.

Software: Microsoft Internet Explorer

Remote code execution in FreePBX
CVE-2014-7235

Code injection

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error in the legacy FreePBX ARI Framework module/Asterisk Recording Interface (ARI). A remote attacker can bypass the authentication process and execute arbitrary code with administrative privileges.

Successful exploitation results in arbitrary code execution on the vulnerable system.

Note: this vulnerability was being actively exploited.


Software: FreePBX

Multiple RCE vulnerabilities in GNU Bash aka Shellshock
CVE-2014-6271

Command injection

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to incorrect parsing of environment variables. A remote attacker can execute arbitrary code on the target system as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Successful exploitation may allow an attacker to gain complete control over vulnerable system.

Exploitation example:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Note: this vulnerability was being actively exploited in the wild.

Shellshock is a family of vulnerabilities in the GNU Bash implementation caused by incomplete patches issued after the official release of the fix and public disclosure of the vulnerability. There were 5 failed attempts in total to fix the Shellshock bugs until they were finally patched in version bash43-027, released on October 1, 2014.

Some of these vulnerabilities were exploited in the wild before the patch, which makes them zero-days. These vulnerabilities are covered under the following CVEs:

CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

Given the nature of the vulnerabilities and attack vectors, we have decided to cover these vulnerabilities under one description and count them as one zero-day vulnerability.

Software: Bash

Information disclosure in Microsoft Internet Explorer
CVE-2013-7331

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an information disclosure flaw in the Microsoft XMLDOM ActiveX component. A remote attacker can create a specially crafted Web page, trick the victim into visiting it and check for the presence of local drive letters, directory names and files, as well as internal network addresses or websites.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

PoC code for this vulnerability has been available since at least April 25, 2013.

Software: Microsoft Internet Explorer

Known/famous malware:

Exploit kits: Angler, Rig, Nuclear, Styx.

Remote code execution in Adobe Acrobat and Adobe Reader
CVE-2014-0546

Security bypass

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper input validation when processing .pdf files. A remote attacker can create a specially crafted file, trick the victim into opening it, bypass sandbox restrictions and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was discovered by Costin Raiu and Vitaly Kamluk of Kaspersky Labs.

Exploited by Animal Farm group.

Software: Adobe Reader

Privilege escalation in Microsoft Internet Explorer
CVE-2014-2817

Privilege escalation

The vulnerability allows a remote attacker to obtain elevated privileges on the target system.

The weakness exists due to the failure to properly validate permissions. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, gain elevated privileges and execute arbitrary code on the affected system.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft Internet Explorer

Privilege escalation in Microsoft Windows
CVE-2014-1807

Privilege escalation

The vulnerability allows a local attacker to obtain elevated privileges on the target system.

The weakness exists due to improper use of the ShellExecute API function. A local attacker can run a specially crafted application within the context of the Local System account and gain elevated privileges.

Successful exploitation of the vulnerability results in privilege escalation on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Windows

Two remote code execution vulnerabilities in Microsoft Internet Explorer
CVE-2014-1815

“Use-after-free” error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

CVE-2014-1815 was reported to Microsoft by Clement Lecigne, a security engineer who works for Google in its Swiss office.

The vulnerability was used in a phishing campaign that started on or about July 21, 2014 and primarily targeted the energy industry.

Software: Microsoft Internet Explorer

Privilege escalation in Microsoft Windows
CVE-2014-1812

Privilege escalation

The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.

The weakness exists due to the way passwords are distributed when configured using Group Policy Preferences. A remote authenticated attacker can obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Windows

Security bypass in Microsoft Office
CVE-2014-1809

Security bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper implementation of Address Space Layout Randomization (ASLR) features in MSCOMCTL. By persuading a victim to visit a specially-crafted Web site or open an application or Office document with a specially-crafted ActiveX control embedded within it, an attacker could exploit this vulnerability to bypass ASLR and execute another attack that otherwise would have been blocked by ASLR.

Successful exploitation of the vulnerability results in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.

The issue was introduced on 01/30/2007.

Software: Microsoft Office

Remote code execution in Adobe Flash Player
CVE-2014-0515

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow caused by improper bounds checking in the Pixel Bender component. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

A sample of the first exploit was detected on April 14, while a sample of the second came on April 16. The first exploit was initially recorded by KSN on April 9, when it was detected by a generic heuristic signature.

The disclosed vulnerability was actively exploited and relates to an attack via the website of the Syrian Ministry of Justice in September 2013.

Software: Adobe Flash Player

Known/famous malware:

Exploit:SWF/CVE-2014-0515

Remote code execution in Microsoft Internet Explorer
CVE-2014-1776

“Use-after-free” error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The exploit uses a heap-spray technique. It was used in the Pawn Storm campaign and by APT groups.

Software: Microsoft Internet Explorer

Multiple vulnerabilities in Microsoft Word and Office Web Apps
CVE-2014-1761

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling RTF-formatted data. A remote attacker can create a specially crafted RTF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Used in the Pawn Storm campaign and in attacks against government agencies in Taiwan.

Software: Microsoft Office

Known/famous malware:

Trojans such as Dridex and Dyreza, and ransomware such as CryptoLocker and TeslaCrypt.

Remote code execution in Microsoft Internet Explorer
CVE-2014-0307

“Use-after-free” error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when accessing an object in memory. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The flaw was most likely introduced in August 2013. The vulnerability was reported to the vendor on 2014-02-04.
Private fully functional exploit code existed long before the vendor released a security patch. We consider this vulnerability a zero-day.

Software: Microsoft Internet Explorer

Known/famous malware:

JS/Exploit.CVE-2014-0307.

Remote code execution in Microsoft Internet Explorer
CVE-2014-0324

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

On Feb. 11, FireEye researchers identified a zero-day exploit in Internet Explorer 10.

The exploit was being used in Operation SnowMan that compromised the U.S. Veterans of Foreign Wars website.


Software: Microsoft Internet Explorer

Known/famous malware:

Elderwood exploit kit.

Multiple vulnerabilities in Adobe Flash Player
CVE-2014-0502

Double free

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a double free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Wen Guanxing of Venustech, the Google Security Team and FireEye were working on the vulnerability.
FireEye dubbed the attack exploiting the vulnerability "Operation GreedyWonk".
The vulnerability was exploited to compromise the sites of:

  • Peterson Institute for International Economics
  • American Research Center in Egypt
  • Smith Richardson Foundation

TrendMicro uses CVE-2014-0498 in some reports to cover the exploit used in Operation GreedyWonk. But we believe this is the same vulnerability and we will refer to it as CVE-2014-0502.

Software: Adobe Flash Player

Known/famous malware:

Elderwood exploit kit.

Remote code execution in Microsoft Internet Explorer
CVE-2014-0322

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error related to GIFAS. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

A zero-day exploit was hosted on a breached web site related to the U.S. military. The vulnerability was used in the wild as part of "Operation SnowMan".

Software: Microsoft Internet Explorer

Known/famous malware:

Trojan.Malscript
Trojan.Swifi.
Backdoor.Moudoor
Elderwood exploit kit.

Multiple vulnerabilities in TYPO3
CVE-2014-6293

SQL Injection

The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable website and execute arbitrary SQL commands in web application database.

Successful exploitation may allow an attacker to gain unauthorized access to the vulnerable system.

Note: this vulnerability was being actively exploited.

Software: TYPO3

Known/famous malware:


Information disclosure in Microsoft XML Core Services
CVE-2014-0266

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper enforcement of cross-domain policies. A remote attacker can create a specially crafted Web page, trick the victim into visiting it using Internet Explorer, bypass cross-domain security restrictions and read local files or content from web domains the victim is authenticated with.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

Microsoft and FireEye first discussed this issue in November, 2013.

Software: Microsoft XML Core Services

Multiple vulnerabilities in Microsoft .NET Framework
CVE-2014-0295

ASLR bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to missing Address Space Layout Randomization (ASLR) support in certain components. A remote attacker can create a specially crafted Web site, trick the victim into opening it, bypass ASLR and chain the bypass with another vulnerability to execute arbitrary code.

Successful exploitation of the vulnerability results in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft .NET Framework

Denial of service in Apache Struts
CVE-2014-0050

Infinite loop

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to an infinite loop in the multipart request parser (Apache Commons FileUpload, bundled with Struts) when handling the Content-Type HTTP header of multipart requests. By sending a specially crafted Content-Type header whose "boundary" parameter contains 4092 characters, a remote attacker can cause the application to enter an infinite loop and consume all available CPU.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
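As an added illustration (not code from this page, from Struts or from Commons FileUpload), the check below parses a multipart Content-Type header, extracts the boundary parameter and rejects any boundary longer than the 70 characters RFC 2046 permits, far below the 4092-character value that triggers the loop. The sample headers are constructed, and the parsing regex and verdict labels are this example's own.

```python
import re

# RFC 2046 section 5.1.1: a multipart boundary is 1 to 70 characters long.
MAX_BOUNDARY_LEN = 70

# Matches ';boundary=value' or ';boundary="quoted value"' (regex written for this example).
_BOUNDARY_RE = re.compile(r';\s*boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def extract_boundary(content_type):
    """Return the boundary parameter of a multipart Content-Type header, or None."""
    if not content_type.lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_multipart_header(content_type, max_len=MAX_BOUNDARY_LEN):
    """Classify a header as 'ok', 'not-multipart', 'missing-boundary' or 'oversized-boundary'."""
    if not content_type.lower().startswith("multipart/"):
        return "not-multipart"
    boundary = extract_boundary(content_type)
    if not boundary:
        return "missing-boundary"
    if len(boundary) > max_len:
        return "oversized-boundary"
    return "ok"


# Constructed sample headers (not captured traffic). "dos" mirrors the 4092-character boundary.
SAMPLES = {
    "benign": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "quoted": 'multipart/form-data; boundary="simple boundary"',
    "nobound": "multipart/form-data",
    "dos": "multipart/form-data; boundary=" + "A" * 4092,
    "json": "application/json",
}


def classify_samples():
    """Run the check over every constructed sample and return the verdicts by name."""
    return {name: check_multipart_header(hdr) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:8s} -> {verdict}")
```

Placed in front of the application (a WAF rule or a servlet filter), a check like this drops the malicious header before the vulnerable parser sees it; it is a mitigation, not a substitute for upgrading the library.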

Note: the vulnerability was being actively exploited.

On April 24, 2014, the Apache Software Foundation (ASF) released an advisory warning that the patch issued on March 2 for a zero-day vulnerability in Apache Struts up to version 2.3.16.1 did not fully fix the vulnerabilities (CVE-2014-0094 or CVE-2014-0050).

Software: Apache Struts

Remote code execution in Adobe Flash Player
CVE-2014-0497

Integer underflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer underflow when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Exploited by DarkHotel APT.

The vulnerability survived for 84 days after the November 2013 update.

Software: Adobe Flash Player

Remote code execution in JustSystems Sanshiro
CVE-2014-0810

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing office documents. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger buffer overflow and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Sanshiro

Remote code execution in GE Proficy CIMPLICITY HMI
CVE-2014-0751

Improper access control

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to improper access control and incorrect validation of the szScreen field when processing file uploads within the CimWebServer component. A remote unauthenticated attacker can upload and execute arbitrary file on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: this vulnerability has been exploited in targeted attacks.

According to ICS-CERT, the vulnerability has been exploited in the wild since at least January 2012. It was used in the Sandworm campaign.

Software: CIMPLICITY

Known/famous malware:

BlackEnergy

SQL Injection in OpenX Source Revive Adserver
CVE-2013-7149

SQL injection

The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to the XML-RPC script using the "what" parameter and view, add, modify or delete information in the back-end database.

Successful exploitation may allow an attacker to gain unauthorized access to the vulnerable system.

Note: this vulnerability was being actively exploited.

The vulnerability was discovered and reported to Revive Adserver team by Florian Sander.

The vulnerability is considered to be connected with attacks on web site centralpark[.]com and high-traffic site clipconverter[.]cc

Software: Revive Adserver

Information disclosure in Microsoft Office
CVE-2013-5054

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an error in the handling of a specially crafted response when opening a malicious Office file. A remote attacker can create a specially crafted file, host it on a remote web site, trick the victim into opening it and gain access to the tokens used to authenticate the current user to a targeted SharePoint or other Microsoft Office server site.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was discovered by Adallom, who dubbed the attack "Ice Dagger". The attackers used the vulnerability to steal Microsoft Office 365 authentication tokens. The victim, an employee of an unnamed company, received an email with a link to an attachment located on a hidden server within the TOR network. The vulnerability was reported to Microsoft in late May 2013.

Software: Microsoft Office

Signature validation bypass in Microsoft Windows
CVE-2013-3900

Signature verification bypass

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper validation of PE file digests during Authenticode signature verification within WinVerifyTrust function. A remote attacker can create specially crafted signed PE file, trick the victim into executing it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Windows

ASLR bypass in Microsoft Office
CVE-2013-5057

ASLR bypass

The vulnerability allows a remote attacker to bypass certain security restrictions.

The weakness exists due to improper implementation of Address Space Layout Randomization (ASLR) within HXDS Office shared component. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and bypass the ASLR security feature.

Successful exploitation of the vulnerability allows an attacker to bypass ASLR and reliably exploit another memory corruption vulnerability on the system.

Note: the vulnerability was being actively exploited.

Software: Microsoft Office

Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2013-5331

Type confusion

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a type confusion error. A remote attacker can create a specially crafted Web site or .swf file, trick the victim into visiting or opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was reported by Adobe as being exploited in the wild. The attackers used Microsoft Word documents with embedded malicious Flash (.swf) content.

Software: Adobe Flash Player

Known/famous malware:

Troj/SWFExp-CH (Sophos)
Trojan horse Exploit_c.YZX (AVG)
Exploit.Win32.CVE-2013 (Ikarus)
HEUR:Exploit.SWF.CVE-2013-5331.a (Kaspersky)
Exploit:Win32/CVE-2013-5331 (Microsoft)
SWF/Exploit.CVE-2013-5331.A trojan (Eset)
Trojan.Mdropper (Symantec)

Privilege escalation in Microsoft Windows
CVE-2013-5065

Privilege escalation

The vulnerability allows a local attacker to obtain elevated privileges on the target system.

The weakness exists due to improper validation of input by the NDProxy.sys kernel component. A local attacker with valid login credentials can use a malicious application to gain kernel privileges and execute arbitrary code on the system.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the Reader sandbox.

Kaspersky Lab revealed the vulnerability was used in Epic Turla (cyber-espionage campaigns).

Software: Windows

Known/famous malware:

PDF:Exploit.CVE-2013-5065.A
Gen:Trojan.Heur.FU.ku3@aSHWAmji

Remote code execution in Microsoft Windows
CVE-2013-3918

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to out-of-bounds memory access within InformationCardSigninHelper Class ActiveX control (icardie.dll). A remote attacker can create specially crafted Web page that passes an overly long string argument to vulnerable ActiveX component, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was introduced on 07.27.2005 but publicly disclosed only later by Xiaobo Chen and Dan Caselden of FireEye.
The vulnerability has been exploited by the APT group behind the 2009 Aurora attack. The exploit uses return-oriented programming (ROP). According to FireEye, the attack is linked to the infrastructure used in Operation DeputyDog and Operation Ephemeral Hydra, which began in August and targeted organizations in Japan.

Software: InformationCardSigninHelper Class ActiveX control

Remote code execution in Microsoft Graphics Component
CVE-2013-3906

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when handling malicious images. A remote attacker can create specially crafted TIFF image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The file metadata was set to October 17, 2013, which may indicate when this exploit was created.

Attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan. The attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia.

Software: Microsoft Office

Privilege escalation in Google Android
CVE-2013-6282

Privilege escalation

The vulnerability allows a local attacker to obtain elevated privileges on the target system.

The weakness exists due to missing address range checks in the get_user/put_user functions of the ARM Linux kernel. A local attacker can use a malicious application to read and write arbitrary kernel memory and gain kernel privileges on the system.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was exploited against Android devices in October and November 2013. The underlying bug is in the Linux kernel itself rather than in Android-specific code.

Software: Google Android

Known/famous malware:

Gooligan.

Backdoor in D-Link routers
CVE-2013-6026

Security bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to an error in the alpha_auth_check() function. By setting the user agent string to xmlset_roodkcableoj28840ybtide, an attacker can send an HTTP request to bypass authentication and obtain administrative access to the device.

Successful exploitation of the vulnerability results in full access to the vulnerable system.
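Added example, not part of the original advisory and not D-Link code: it parses constructed web-server access-log lines and flags requests carrying the backdoor User-Agent. The comparison is deliberately case-insensitive and whitespace-trimmed (a detection choice, not the router's own matching logic), and the decode function shows why the string was recognised as a backdoor: dropping the `xmlset_` prefix and reversing the rest reads "edit by 04882 joel backdoor".

```python
import re

# Magic User-Agent from the advisory.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def decode_backdoor_ua(ua=BACKDOOR_UA):
    """Strip the 'xmlset_' prefix and reverse the remainder to expose the hidden message."""
    return ua.split("_", 1)[1][::-1]


# Combined Log Format (with referer and User-Agent), as written by many embedded web servers.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line):
    """Return the fields of one log line as a dict, or None if the line does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def find_backdoor_hits(lines):
    """Return (client_ip, path) for every request whose User-Agent is the backdoor string.
    Trimmed, case-insensitive comparison so trivially mangled copies still match."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["ua"].strip().lower() == BACKDOOR_UA:
            hits.append((rec["ip"], rec["path"]))
    return hits


# Constructed sample log lines (not real traffic; addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2013:10:00:02 +0000] "GET /admin.html HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.9 - - [12/Oct/2013:10:00:03 +0000] "POST /apply.cgi HTTP/1.1" 302 0 "-" "XMLSET_roodkcableoj28840ybtide "',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print("decoded:", decode_backdoor_ua())
    for ip, path in find_backdoor_hits(SAMPLE_LOG):
        print(f"backdoor UA from {ip} -> {path}")
```

The same string match belongs in an IDS rule on the User-Agent header for traffic towards management interfaces of affected devices; the path column tells you whether the hit was a scan or a successful configuration change.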

Note: the vulnerability was being actively exploited.

Software: Dir-100

Remote code execution in Microsoft Internet Explorer
CVE-2013-3897

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error in the CDisplayPointer object. A remote attacker can create a specially crafted Web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Used in Pawn Storm campaign.
A zero-day was used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013.

Software: Microsoft Internet Explorer

Remote code execution in Microsoft Internet Explorer
CVE-2013-3893

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error in SetMouseCapture implementation. A remote attacker can create specially crafted JavaScript, place it on a Web page, trick the victim into visiting it using Internet Explorer, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The exploit used a ROP chain and was deployed in the Operation DeputyDog campaign.

The vulnerability was initially found in the wild in Japan, but English, Chinese, Korean and other language versions of the browser were targeted as well.

Software: Microsoft Internet Explorer

Security bypass in vBulletin
CVE-2013-6129

Security bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to an error in the upgrade.php script. By using the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, a remote attacker can create administrative accounts.

Successful exploitation of the vulnerability results in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: vBulletin

Known/famous malware:

PHP/Exploit.CVE-2013-6129.A virus.

Security bypass in Google Android
CVE-2013-7372

Security bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness is due to the use of an incorrect offset value by the engineNextBytes function in Apache Harmony, as used in the Java Cryptography Architecture (JCA) in Android. A remote attacker can leverage the resulting PRNG predictability, defeat cryptographic protection mechanisms and launch further attacks on the system.

Successful exploitation of the vulnerability results in security bypass on the vulnerable system.

The vulnerability in Android's Apache Harmony component led to multiple compromises of bitcoin transactions: the predictable SecureRandom output produced repeated ECDSA signing nonces, which allow the signing key to be recovered from the signatures.

Software: Google Android

PHP code execution in OpenX Revive Adserver
CVE-2013-4211

Arbitrary PHP code execution

The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.

The weakness exists due to compromise of the source code package. A remote attacker can create a specially crafted request with a rot13'd and reversed payload and send it to the target system to execute arbitrary PHP code.

Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability has been exploited from November 2012 till August 2013.

Software: Revive Adserver

Denial of service in ISC BIND
CVE-2013-4854

Denial of service

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to an error in the RFC 5011 implementation in rdata.c when parsing RDATA within a DNS query. By using a query with a malformed RDATA section that is not properly handled during construction of a log message, a remote attacker can cause an assertion failure and named daemon exit.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Note: the vulnerability was being actively exploited.

We are aware of in-the-wild exploitation of this vulnerability before the official patch release.
This vulnerability was discovered by Maxim Shudrak.

Software: ISC BIND

Arbitrary file upload in Joomla!
CVE-2013-5576

Arbitrary file upload

The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.

The weakness exists due to improper validation of file extensions by the media.php and index.php scripts. A remote attacker can create a specially crafted HTTP request, upload a malicious PHP script and execute arbitrary PHP code.

Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.
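Added example, not Joomla! code: a blocklist check on the last extension (the pattern this class of bug comes from) beside a hardened allowlist check, both run over constructed file names that include the usual bypass attempts (case variation, trailing dot, double extension, dotfile, path components). Which of these the Joomla! scripts actually mishandled is not stated in the entry; the candidates are illustrative of the class.

```python
import os

# Extensions the web server may execute or that change server behaviour.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "py", "sh", "htaccess"}
# Allowlist for a media upload endpoint: only what the application needs.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}


def naive_is_allowed(filename):
    """The kind of check that ships in CMS code: a case-sensitive blocklist on the last extension."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in EXECUTABLE_EXTS


def hardened_is_allowed(filename):
    """Allowlist check over a normalised base name that looks at every extension segment."""
    name = os.path.basename(filename.replace("\\", "/"))
    # Trailing dots and spaces are dropped by some filesystems and servers ("shell.php." -> "shell.php").
    name = name.rstrip(". ").lower()
    if not name or name.startswith("."):
        return False
    parts = name.split(".")
    if len(parts) < 2:
        return False
    # Reject executable extensions anywhere after the base name: Apache configurations that
    # map a handler with AddHandler match any extension segment, so "shell.php.jpg" still runs.
    if any(seg in EXECUTABLE_EXTS for seg in parts[1:]):
        return False
    return parts[-1] in ALLOWED_EXTS


# Constructed test names: benign uploads and the bypass patterns a reviewer should try.
CANDIDATES = [
    "photo.jpg",
    "report.pdf",
    "shell.php",
    "shell.PHP",          # case variation
    "shell.php.",         # trailing dot, stripped later by the filesystem
    "shell.php.jpg",      # double extension
    ".htaccess",          # server configuration upload
    "../../shell.phtml",  # path components plus an alternative PHP extension
]


def compare_checks(names=CANDIDATES):
    """Map each name to (naive verdict, hardened verdict)."""
    return {n: (naive_is_allowed(n), hardened_is_allowed(n)) for n in names}


if __name__ == "__main__":
    for name, (naive, hard) in compare_checks().items():
        print(f"{name:20s} naive={naive!s:5s} hardened={hard}")
```

The hardened check is still only half of the fix: the upload directory must also be served without script execution, and the stored name should be generated by the server rather than taken from the request.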

Note: the vulnerability was being actively exploited.

The weakness was disclosed on 08/01/2013 by Jens Hinrichsen.

Software: Joomla!

Remote code execution in Microsoft Internet Explorer
CVE-2013-3163

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error in CBlockContainerBlock. A remote attacker can create specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was used in a watering hole attack.

Software: Microsoft Internet Explorer

Remote code execution in Oracle Java SE
CVE-2013-2465

Array indexing error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an array indexing error in the storeImageArray() function in awt.dll. A remote attacker can execute arbitrary code with privileges of the current user or targeted application process.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

A public exploit was released by Packet Storm Security.

Software: Java SE

Known/famous malware:

Styx exploit kit, previously known as Kein
Fiesta EK

Remote code execution in JustSystems Ichitaro
CVE-2013-3644

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to buffer overflow when processing office documents. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Symantec has seen the exploitation being used in targeted attacks since May, but it has been limited to users in Japan and the volume of attacks has been minimal.

Software: Ichitaro

Known/famous malware:

Trojan.Tarodrop.M.

Denial of service in ntp.org ntp
CVE-2013-5211

Denial of service

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to an error in the monlist feature in ntp_request.c. By sending a specially crafted REQ_MON_GETLIST or REQ_MON_GETLIST_1 request, a remote attacker can consume available CPU resources and cause the server to crash.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
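Added example, not code from ntp.org: it builds the 8-byte mode 7 monlist request (version 2, mode 7, implementation XNTPD, request code MON_GETLIST_1), classifies constructed UDP payloads so that scanners and spoofed reflection traffic can be spotted on a sensor, and computes the payload-level amplification factor. The 440-byte response packet and the 100-packet maximum for a full monlist reply are the commonly reported figures and are assumptions here; IP/UDP headers are not counted.

```python
import struct

NTP_PORT = 123
# Mode 7 ("private") request layout: first byte packs response/more bits, version and mode.
MODE_PRIVATE = 7
IMPL_XNTPD = 3            # implementation number used by ntpd
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


def build_monlist_request(req_code=REQ_MON_GETLIST_1, sequence=0):
    """The 8-byte request an attacker or scanner sends to trigger monlist."""
    first = (2 << 3) | MODE_PRIVATE      # version 2, mode 7, response/more bits clear
    return struct.pack("!BBBBHH", first, sequence, IMPL_XNTPD, req_code, 0, 0)


def is_monlist_request(payload):
    """True if a UDP payload is a mode 7 monlist *request* (replies have the response bit set)."""
    if len(payload) < 8:
        return False
    first, _seq, impl, req = struct.unpack("!BBBB", payload[:4])
    if (first & 0x07) != MODE_PRIVATE:
        return False
    if first & 0x80:                      # response bit: this is a reply, not a request
        return False
    return impl == IMPL_XNTPD and req in MONLIST_CODES


def amplification_factor(request_len, response_lens):
    """Bytes returned per byte sent, the figure that makes monlist attractive for reflection."""
    return sum(response_lens) / float(request_len)


def classify_packets(packets):
    """Tag (dst_port, payload) tuples: True only for monlist requests aimed at port 123."""
    return [(port == NTP_PORT and is_monlist_request(p)) for port, p in packets]


# Constructed samples (not captured traffic).
MONLIST_REQ = build_monlist_request()
CLIENT_REQ = bytes([0x23]) + bytes(47)                        # ordinary NTPv4 client poll: version 4, mode 3
MONLIST_RESP = bytes([0x97, 0x00, 0x03, 0x2A]) + bytes(436)   # 440-byte mode 7 reply, response bit set
SAMPLE_PACKETS = [(123, MONLIST_REQ), (123, CLIENT_REQ), (123, MONLIST_RESP), (53, MONLIST_REQ)]

if __name__ == "__main__":
    print("request bytes:", MONLIST_REQ.hex())
    print("classified:", classify_packets(SAMPLE_PACKETS))
    print("payload amplification:", amplification_factor(len(MONLIST_REQ), [440] * 100))
```

On a server that cannot be upgraded, `disable monitor` in ntp.conf turns the monlist feature off and `restrict default noquery` refuses mode 6 and mode 7 queries altogether; on the network side, the request signature above is what to alert on, together with egress filtering that stops spoofed source addresses from leaving.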

Note: the vulnerability was being actively exploited.

This vulnerability was the cause of a record-sized NTP reflection attack in late 2013 and early 2014. We consider this a zero-day vulnerability as it was exploited in the wild before the official patch release.

Software: ntp

Remote code execution in Microsoft Office
CVE-2013-1331

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to buffer overflow when processing malicious PNG files. A remote attacker can create specially crafted file, trick the victim into opening it using an affected version of Microsoft Office, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was reported by Andrew Lyons and Neel Mehta of Google Inc.

Using the samples provided by Microsoft, Eric Romang scoured Google's cache and found that the earliest document attempting to fetch the exploit dated from February 2013. The document referenced territorial disputes between China and the Philippines.
However, Romang uncovered another Word document created in 2009 that, according to Google's VirusTotal service, would also exploit the flaw Microsoft patched. The file's title, "The corruption of Mahathir", referred to a Malaysian politician, fitting Microsoft's list of possible targets. Both documents pointed to a Bridging Links URL.

The vulnerability might have been exploited in the wild in campaigns starting as early as 2009. Microsoft believes attacks were limited to Indonesia and Malaysia.

Software: Microsoft Office

Known/famous malware:

Trojan.Mdropper.

Privilege escalation in Microsoft Windows
CVE-2013-3660

Privilege escalation

The vulnerability allows a local attacker to obtain elevated privileges on the target system.

The weakness exists due to the failure to properly initialize a pointer for the next object in a certain list by the EPATHOBJ::pprFlattenRec function within kernel-mode driver (win32k.sys). A local attacker can use multiple FlattenPath function calls to obtain write access to the PATHRECORD chain and execute arbitrary code on the system with elevated privileges.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Tavis Ormandy, a Google security engineer, reported the bug to Microsoft only five days before going public.
The vulnerability has been used by the Carbanak group.

Software: Windows

Known/famous malware:

Cidox/Rovnix Bootkit
PowerLoader

Directory traversal in Adobe ColdFusion
CVE-2013-3336

Directory traversal

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper validation of the user-supplied input. A remote attacker can create specially crafted HTTP request containing "dot dot" sequences (/../) and view contents of arbitrary files on vulnerable system.

Successful exploitation of the vulnerability may allow an attacker to obtain potentially sensitive information and compromise vulnerable system.

Note: the vulnerability was being actively exploited.

Software: ColdFusion

Remote code execution in Microsoft Internet Explorer
CVE-2013-1347

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error in the CGenericElement object. A remote attacker can create specially crafted Web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability has been exploited in a watering hole attack against the Department of Labor (DoL). Used in the Pawn Storm campaign.

Software: Microsoft Internet Explorer

Cross-site scripting in Microsoft SharePoint Server
CVE-2013-1289

Cross-site scripting

The vulnerability allows a remote attacker to obtain elevated privileges on the target system.

The weakness exists due to an error related to the way HTML strings are sanitized by HTML Sanitization components. A remote attacker can create a specially crafted URL, trick the victim into opening it, take actions on the targeted site or read restricted content and obtain sensitive information with elevated privileges.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft SharePoint Server

PHP file inclusion in Roundcube Webmail
CVE-2013-1904

PHP file inclusion

The vulnerability allows a remote attacker to include arbitrary files on the target system.

The weakness exists due to improper sanitization of user-supplied data within the "steps/mail/sendmail.inc" script when parsing the "generic_message_footer" HTTP parameter passed to the "/index.php" script. A remote attacker can send a specially crafted HTTP request to the "index.php" script and include and execute an arbitrary PHP script on the affected server.

Successful exploitation of the vulnerability may lead to system compromise.

Note: the vulnerability was being actively exploited.

Software: Roundcube

Known/famous malware:

Exploit-FHV!CVE2013-1493 (McAfee)
Exp/20131493-G (Sophos)
Exp/20131493-A (Sophos)
Exploit.Java.CVE-2013-1493.gen (Kaspersky)
Java/CVE_2013_1493.NT!exploit

Remote code execution in Microsoft Silverlight
CVE-2013-0074

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when rendering an HTML object. A remote attacker can create a specially crafted Web site containing a malicious Silverlight application, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft Silverlight

Known/famous malware:

Exploit kits: Angler, Archie, Astrum, Fiesta, Hanjuan, Infinity (Exploit kit), Neutrino, Nuclear Pack, RIG.

Remote code execution in Oracle Java SE
CVE-2013-1493

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to multiple integer and buffer overflows in the color management (CMM) functionality within the 2D component. A remote attacker can create a specially crafted Web page, trick the victim into visiting it, trigger memory corruption using an image with crafted raster parameters and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability allows a remote user to execute arbitrary code on the target system via the MC Rat Trojan. The vulnerability was found with the help of Malware Protection Cloud (MPC).

The vulnerability turned out to have been exploited in the Sun Shop campaign and is related to the breach at security firm Bit9.

Software: Java SE

Known/famous malware:

Trojan.Naid, Trojan.Dropper (Symantec).

Multiple vulnerabilities in Adobe Flash Player
CVE-2013-0643

Arbitrary code execution

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error when handling permissions of the Flash Player Firefox sandbox. A remote attacker can create a specially crafted Web site serving malicious Flash (SWF) content, trick the victim into visiting it, bypass the sandbox restrictions and execute arbitrary code outside the sandbox with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Adobe Flash Player

Multiple vulnerabilities in Adobe Flash Player
CVE-2013-0648

Arbitrary code execution

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error in the ExternalInterface ActionScript feature. A remote attacker can create a specially crafted Web site serving malicious Flash (SWF) content, trick the victim into visiting it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Adobe Flash Player

Two remote code execution vulnerabilities in Adobe Acrobat and Adobe Reader
CVE-2013-0640

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The sandbox vulnerability was dubbed "666" by FireEye. CVE-2013-0640 and CVE-2013-0641 have been exploited in the MiniDuke, Zegost and PlugX malware campaigns.

Software: Adobe Reader

Two remote code execution vulnerabilities in Adobe Acrobat and Adobe Reader
CVE-2013-0641

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow when handling malicious files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The sandbox vulnerability was dubbed "666" by FireEye. CVE-2013-0640 and CVE-2013-0641 have been exploited in the MiniDuke, Zegost and PlugX malware campaigns.

Software: Adobe Reader

Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2013-0633

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow in the ActiveX version of Flash Player. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was reported to Adobe by Sergey Golovanov and Alexander Polyakov of Kaspersky.
The vulnerability was being used in a series of targeted attacks mostly against human rights activists and political dissidents from Africa and the Middle East.

Software: Adobe Flash Player

Known/famous malware:

Exploit: SWF/CVE-2013-0633.

Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2013-0634

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error in Flash Player for Firefox. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was discovered by Shadowserver Foundation.

The exploit was used in a cyber espionage campaign dubbed "LadyBoyle".

Software: Adobe Flash Player

Remote code execution in JustSystems Ichitaro
CVE-2013-0707

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing office documents. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Ichitaro

Remote code execution in Oracle Java SE
CVE-2013-0422

Arbitrary code execution

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to errors involving Java Management Extensions (JMX) MBean components. A remote attacker can create a specially crafted Web site containing a malicious Java applet, trick the victim into opening it, invoke the setSecurityManager() function and execute arbitrary code outside the sandbox with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The CVE-2013-0422 exploit has also been identified as distributing GameHack and Banki malicious code. The vulnerability was used by Blackhole, Cool Exploit, and Nuclear exploit kits.

Software: Java SE

Known/famous malware:

TROJ_REVETON.RJ
TROJ_REVETON.RG.

Multiple vulnerabilities in Adobe ColdFusion
CVE-2013-0632

Authentication bypass

The vulnerability allows a remote attacker to bypass authentication and gain unauthorized access to vulnerable system.

The vulnerability exists due to an error within administrator.cfc. A remote unauthenticated attacker can access the Adobe ColdFusion application using a default empty password, log in to the RDS component and leverage this session to access the administrative web interface.

Successful exploitation of this vulnerability results in unauthorized access to Adobe ColdFusion.

Note: the vulnerability was being actively exploited.

The vulnerability was used to compromise the website of the Washington State Administrative Office of the Courts (AOC).

Software: ColdFusion

Multiple vulnerabilities in Adobe ColdFusion
CVE-2013-0631

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper access control. A remote attacker can gain access to sensitive data.

Note: the vulnerability was being actively exploited.

Software: ColdFusion

Multiple vulnerabilities in Adobe ColdFusion
CVE-2013-0629

Authentication bypass

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to an error in the authentication process when a password is not configured. A remote unauthenticated attacker can gain unauthorized access to restricted directories.

Successful exploitation of this vulnerability results in unauthorized access to restricted directories.

Note: the vulnerability was being actively exploited.

Software: ColdFusion

Multiple vulnerabilities in Adobe ColdFusion
CVE-2013-0625

Authentication bypass

The vulnerability allows a remote attacker to bypass authentication and execute arbitrary code on the target system.

The vulnerability exists due to improper authentication when a password is not configured. A remote unauthenticated attacker can bypass the authentication process and execute arbitrary code on the target system.

Note: the vulnerability was being actively exploited.

Software: ColdFusion

Remote code execution in Microsoft Internet Explorer
CVE-2012-4792

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when handling the CDwnBindInfo object and attempting to access an object in memory that has not been initialized or has been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

This vulnerability was described by Eric Romang and FireEye through Malware Protection Cloud.

The vulnerability has been exploited in watering hole attacks against the Council on Foreign Relations (CFR) website on 26.12.2012. The attack appears to be closely related to attacks in June 2012 that were targeting visitors of a major hotel chain and to other attacks associated with the Elderwood Project.

Software: Microsoft Internet Explorer

Phishing attack in Opera browser
CVE-2012-6467

Improper input validation

The vulnerability allows a remote attacker to perform phishing attacks.
 
The vulnerability exists due to improper input validation when processing Internet shortcuts, referenced by IMG or other inline elements. A remote attacker can create a specially crafted web page, trick the victim into visiting it and perform a phishing attack.

Note: the vulnerability was being actively exploited.

Software: Opera

Arbitrary file upload in Atomymaxsite
CVE-2012-6498

Arbitrary file upload

The vulnerability allows a remote attacker to execute arbitrary code on the target server.

The weakness exists due to improper validation of file extensions in the "index.php" script when uploading files. A remote attacker can upload an arbitrary file with a .php extension and execute it on the system with privileges of the web server.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was reported by ThaiCERT as a zero-day targeting websites across the country.

Software: Atomymaxsite

XSS in HTML Sanitization Component in Microsoft Office products
CVE-2012-2520

Cross-site scripting

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks and gain elevated privileges.

The vulnerability exists due to insufficient sanitization of user input within the HTML Sanitization Component. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: the vulnerability was being actively exploited.

Software: Microsoft Office InfoPath

Remote code execution in Microsoft Internet Explorer
CVE-2012-4969

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error in the CMshtmlEd::Exec function in mshtml.dll. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was found exploited in the wild and discovered by Eric Romang.

A real-world attack using the vulnerability first appeared in a blog post on Sep. 14, 2012. The vulnerability was used by the "Nitro" hacking group.

Software: Microsoft Internet Explorer

Remote code execution in Oracle Java SE
CVE-2012-4681

Error Handling

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper handling of Rhino JavaScript errors. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and bypass sandbox restrictions to download and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The researchers of FireEye began investigating the vulnerability after a Twitter post made by Joshua J. Drake on August 26.

Software: Java SE

Remote code execution in Adobe Flash Player
CVE-2012-1535

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when parsing malicious files. A remote attacker can create a specially crafted Flash (.swf) file embedded in a Microsoft Word (.doc) file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was reported by Alexander Gavrun. The exploit was used by Aurora Group.

Software: Adobe Flash Player

Known/famous malware:

Exploit:SWF/CVE-2012-1535.A.

Remote code execution in Windows Common Controls
CVE-2012-1856

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in MSCOMCTL.OCX ActiveX control. A remote attacker can create a specially crafted Web page that passes an overly long string argument, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

A favourite vulnerability of attackers for years, it has been exploited along with CVE-2012-1856, CVE-2015-1641 and CVE-2015-1770 in an APT campaign against journalists and human rights workers in Tibet, Hong Kong and Taiwan.

Software: Microsoft Office

Arbitrary file upload in MoinMoin
CVE-2012-6081

Arbitrary file upload

The vulnerability allows a remote authenticated attacker to compromise system.

The weakness exists due to insufficient validation of the filename extension when uploading files via the twikidraw (action/twikidraw.py) and anywikidraw (action/anywikidraw.py) actions. A remote authenticated attacker with write permissions can upload and execute an arbitrary file with an executable extension.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was exploited to compromise Debian's wiki and the Python documentation website in December 2012. The exploitation method used was based on an exploit from Pastebin.

Software: MoinMoin

Insecure DLL loading in SIMATIC STEP 7 and PCS 7
CVE-2012-3015

DLL hijacking

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to an insecure DLL loading mechanism when processing STEP 7 files in SIMATIC STEP 7 and SIMATIC PCS 7 software. A remote attacker can trick the victim into opening a STEP 7 file from a remote SMB or WebDAV share that hosts a malicious .dll file, and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: the vulnerability has been exploited in the wild by Stuxnet malware in 2010.

The vulnerability was used by Stuxnet along with CVE-2010-2772.

Software: SIMATIC STEP 7

Known/famous malware:

Stuxnet

Remote code execution in Microsoft Office
CVE-2012-1854

Untrusted Search Path

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the way Microsoft Office loads .dll libraries when opening Office documents (such as a .docx file). A remote attacker can place a specially crafted .dll file along with Microsoft Office document on a remote SMB or WebDAV share, trick the victim into opening that document and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability has been actively exploited since mid-March 2012. The targeted attacks focused on Japanese organizations.

Software: Microsoft Office

Remote code execution in Microsoft XML Core Services
CVE-2012-1889

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in XML Core Services (MSXML) when attempting to access an object in memory that has not been initialized. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

One of the vulnerabilities used by the Aurora group.

The attackers used the CVE-2010-2884 and CVE-2012-1889 0-day exploits to specifically target visitors to the Amnesty International Hong Kong site.

On 20.06.2012 SophosLabs determined that the website of a European aeronautical parts supplier had been hacked and was delivering an exploit for CVE-2012-1889.

Trend Micro observed the vulnerability being used against a Chinese high school web page.

Software: Microsoft XML Core Services

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2012-1875

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error related to same id property when attempting to access objects that have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

A functional exploit with shellcode appeared on PasteBin on 8.06.12, four days before the Microsoft patch release.
The vulnerability was reported by a researcher known by the nickname Dark Son and by researcher Yichong Lin.

Software: Microsoft Internet Explorer

Known/famous malware:

Trojan.Naid.

Remote code execution in Oracle Java SE
CVE-2012-1723

Improper Input Validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error in the HotSpot bytecode verifier. By using untrusted Java Web Start applications and untrusted Java applets in a client deployment, a remote attacker can execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was exploited by the BlackHole exploit toolkit after the official patch.
The vulnerability was made public by Michael ‘mihi’ Schierl.
According to Brian Krebs, the exploit was used in targeted attacks before the official patch from Oracle.

Software: Java SE

Known/famous malware:

Trojan.Maljava.

Remote code execution in PHP
CVE-2012-2376

Buffer overflow

The vulnerability allows a remote attacker to cause DoS conditions or execute arbitrary code on the target system.

The weakness exists due to a buffer overflow in the com_print_typeinfo function. A remote attacker can send specially crafted arguments, trigger incorrect handling of COM object VARIANT types and cause the target application to crash or execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The bug in VARIANT type parsing was originally discovered by Condis. There is evidence that this vulnerability was being exploited in the wild before the official patch release.

Software: PHP

Known/famous malware:

Trojan.Filecoder

Remote code execution in Adobe Flash Player
CVE-2012-0779

Type Confusion

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to object type confusion error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

This vulnerability has been exploited in the wild as part of the "World Uyghur Congress Invitation.doc" e-mail attack.

Software: Adobe Flash Player

Known/famous malware:

TROJ_SCRIPBRID.A; backdoor BKDR_INJECT.EVL.

Arbitrary code execution in Linux kernel
CVE-2012-2319

Buffer overflow

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow in the HFS Plus filesystem driver. By using a specially crafted Hierarchical File System (HFS) filesystem, a local attacker can trigger memory corruption and execute arbitrary code with system privileges.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

This is a zero-day according to Trustwave.

CVE-2012-2319 is a follow-up to CVE-2009-4020; issues in the HFS file system were detailed and patched on Dec. 3, 2009, but HFSPlus was left vulnerable until May 4, 2012.

Software: Linux kernel

Remote command injection in PHP
CVE-2012-2311

OS command injection

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error when parsing QUERY_STRING parameters within PHP-CGI-based applications (sapi/cgi/cgi_main.c). A remote attacker can send a specially crafted HTTP request whose query string contains a %3D sequence but no = (equals sign) character, and inject and execute arbitrary OS commands on the vulnerable system with privileges of the web server.

Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.

This vulnerability is a result of an incomplete fix for SB2012050301.

Note: the vulnerability was being actively exploited.

Also known as CVE-2012-1823. The patch for the original vulnerability CVE-2012-1823 was accidentally disclosed before the official release; however, it did not fix the issue. The vulnerability became widely discussed in public and was used in real-world attacks. It took several days for the developers to issue a proper security patch.

The vulnerability was exploited by the Linux worm Linux.Darlloz in 2013 to target Internet of Things (IoT) devices.
Software: PHP

Known/famous malware:

Linux.Darlloz

TNS Listener Poison Attack in Oracle Database
CVE-2012-1675

Spoofing attack

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error in the TNS listener service. A remote attacker can register an existing instance or service name with the listener, perform man-in-the-middle attacks and read, inject or modify transmitted data.

Successful exploitation of this vulnerability may result in unauthorized access to entire database.

Note: the vulnerability was being actively exploited.

Joxean Koret discovered this vulnerability in 2008 and publicly disclosed it in 2012.

The vulnerability was used in the "TNS Listener Poison Attack".

Software: Oracle Database

Remote code execution in MSCOMCTL.OCX ActiveX control in Microsoft Office
CVE-2012-0158

Stack-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a stack-based buffer overflow in the MSCOMCTL.OCX ActiveX control. A remote attacker can create a specially crafted Web page that passes an overly long string argument, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Researchers based in Asia noticed these malicious documents in Japan and Taiwan before they started showing up against, and targeting, US companies.

In 2014, exploitation activity appeared to come from groups operating in the Western Australian time zone. Examples of such groups include the 'Shiqiang Gang' (as reported by McAfee), 'PLEAD' (as reported by Trend Micro), 'NetTraveler' (as reported by Kaspersky) and 'APT12' (as reported by FireEye).

The vulnerability was exploited in the Red October attacks in 2012 and, in 2013, in attacks targeting Chinese media organizations and personnel at government agencies in Europe, the Middle East and Central Asia. The exploit was successfully used in the breach of the New York Times in August 2013. The vulnerability was still being exploited in 2016. An exploit for this vulnerability was used in the Pawn Storm campaign as well.

Software: Microsoft Office

Known/famous malware:

TROJ_DROPPER.IK
BKDR_HGDER.IK.

Command injection in WebGlimpse
CVE-2012-1795

Command injection

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The weakness exists due to insufficient sanitization of user-supplied data passed via the "query" HTTP GET parameter to the "/webglimpse.cgi" script. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary OS commands on the vulnerable system.

Exploitation example:

http://[host]/webglimpse.cgi?query=%27%26command+and+arguments+go+here%26%27

Successful exploitation may allow an attacker to gain complete control over vulnerable system.

Note: this vulnerability is being actively exploited.

The vulnerability was reported by Kevin Perry.

Software: Webglimpse

Multiple vulnerabilities in Adobe Flash Player
CVE-2012-0767

Cross-site scripting

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user input. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: the vulnerability was being actively exploited.

The vulnerability was used to target Webmail accounts.

Software: Adobe Flash Player

SQL injection in Parallels Plesk Panel
CVE-2012-1557

SQL injection

The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in the back-end database.

Successful exploitation may allow an attacker to gain unauthorized access to the vulnerable system.

Note: this vulnerability is being actively exploited.

The vulnerability may be tied to the DarkLeech attack campaign.

Software: Plesk

SQL Injection in TYPO3
CVE-2012-1071

SQL Injection

The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in the back-end database.

Successful exploitation may allow an attacker to gain complete control over vulnerable system.

Note: this vulnerability is being actively exploited.

Raphael Noailles discovered and reported this issue.

Software: TYPO3

Remote code execution in Oracle Java SE
CVE-2012-3213

Error Handling

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper handling of Rhino JavaScript errors. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and execute arbitrary code with the privileges of the current user via untrusted Java Web Start applications and untrusted Java applets.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was disclosed by James Forshaw.
Exploited by Wild Neutron.

Software: Java SE

Known/famous malware:

Exploit.Java.CVE-2012-3213.b.

Remote code execution in FreeBSD
CVE-2011-4862

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to buffer overflow in the encrypt_keyid() function of telnetd. A remote attacker can send a very large encryption key to telnetd daemon, trigger buffer overflow and execute arbitrary code with root privileges.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: FreeBSD

Remote code execution in Adobe Acrobat and Adobe Reader
CVE-2011-4369

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in the PRC component. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Adobe Reader

Known/famous malware:

EvilBunny

Remote code execution in Adobe Acrobat and Adobe Reader
CVE-2011-2462

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when handling Universal 3D (U3D) data. A remote attacker can create a specially crafted .pdf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

This 0-day vulnerability was discovered by Lockheed Martin's Computer Incident Response Team and was found to be part of a targeted attack. The exploit sample analyzed by the researchers appeared to come from Barclay's bank in New York City.

Software: Adobe Reader

Known/famous malware:

Trojan Sykipot.

Remote code execution in Microsoft Windows
CVE-2011-3402

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers. A remote attacker can create a specially crafted Word document or web page containing font data, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

This vulnerability was being actively exploited in the Duqu attack by the Stuxnet-related Duqu malware.

Software: Windows

Known/famous malware:

Win32/Exploit.CVE-2011-3402.G
W32.Duqu

Multiple vulnerabilities in Adobe Flash Player
CVE-2011-2444

Cross-site scripting

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user input passed via a crafted URL. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: the vulnerability was being actively exploited in click-jacking campaigns.

Reported by Huzaifa S. Sidhpurwala.
That vulnerability shares some traits with an earlier Flash flaw that was used to target Gmail accounts in June.

Software: Adobe Flash Player

Remote code execution in Oracle Java SE
CVE-2011-3544

Error Handling

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper handling of Rhino JavaScript errors. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and execute arbitrary code with the privileges of the current user via untrusted Java Web Start applications and untrusted Java applets.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

According to Trend Micro, this is a zero-day. The vulnerability was discovered by Michael Schierl.

Software: Java SE

Known/famous malware:

Exploit:Java/CVE-2011-3544.

Denial of service in Apache HTTP Server
CVE-2011-3192

Resource exhaustion

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to an error in the ByteRange filter when processing malicious requests in Apache HTTP server. A remote attacker can send a specially crafted HTTP request containing an overly large Range header, exhaust all available memory resources and trigger the application to crash.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability is known as "Apache Killer".

Software: Apache HTTP Server

Denial of service in Microsoft RDP
CVE-2011-1968

Denial of service

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to an error in the Remote Desktop Protocol when processing a sequence of malicious packets. A remote attacker can send specially crafted RDP packets, gain access to an object that was not properly initialized or has been deleted, and cause the system to stop responding and restart.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Windows

Remote code execution in Valenok Mongoose
CVE-2011-2900

Stack-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to stack-based buffer overflow, caused by improper bounds checking by the put_dir() function when processing malicious requests. A remote attacker can send a specially crafted HTTP PUT request, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability is being exploited in the wild against Ubiquisys routers. Fully functional exploit code was made publicly available on August 2, 2011.

Software: Mongoose

Arbitrary file upload in Binarymoon TimThumb
CVE-2011-4106

Arbitrary file upload

The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.

The vulnerability exists due to improper storing of content in the cache directory when processing input. A remote attacker can send a specially crafted HTTP request containing a white-listed domain in the src parameter, upload a malicious PHP script and execute arbitrary PHP code.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary PHP code on the vulnerable system.

Note: the vulnerability was being actively exploited.

Not patched

The exploit was announced by Mark Maunder.

Software: TimThumb

Multiple vulnerabilities in Apple iOS
CVE-2011-0226

Integer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow in FreeType's handling of Type 1 fonts. A remote attacker can send a specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of vulnerable system.

Note: the vulnerability was being actively exploited.

Exploited in the wild via malicious PDF files.

Software: Apple iOS

Remote code execution in JustSystems Ichitaro
CVE-2011-1331

Heap-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to heap-based buffer overflow when handling malformed files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

According to Symantec the first exploitation of the vulnerability was discovered on 2009-03-19.

Software: Ichitaro

Known/famous malware:

Trojan.Tarodrop.L

Remote code execution in Adobe Flash Player
CVE-2011-2110

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an array indexing error in the ActionScript3 AVM2 verification logic. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

This is the same vulnerability that was used in attacks against Korea-based organizations.
The vulnerability was exploited to compromise legitimate websites (including an Indian government site, a US airport site, and an aerospace site).

Software: Adobe Flash Player

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2011-1255

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error related to time element when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: According to experts from M86, the vulnerability was exploited in targeted attacks before the official patch release from Microsoft.

According to experts from M86, this vulnerability was exploited in targeted attacks before the official patch release from Microsoft.

Software: Microsoft Internet Explorer

Privilege escalation in Microsoft Windows
CVE-2011-1249

Privilege escalation

The vulnerability allows a local user to gain elevated privileges on the target system.

The vulnerability exists due to improper validation of input passed from user mode to the kernel in the Ancillary Function Driver (afd.sys). By running a malicious application, a local attacker with valid login credentials can execute arbitrary code with system privileges.

Successful exploitation of this vulnerability will allow the local attacker to obtain elevated privileges on vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Windows

Cross-site scripting in Adobe Flash Player
CVE-2011-2107

Cross-site scripting

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user input. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the website hosting an .swf file.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: the vulnerability was being actively exploited.

The pay for an exploit might be around $5k-$10k at the moment.

Software: Adobe Flash Player

Security bypass in Plone
CVE-2011-1950

Security bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper checking for authorization by plone.app.user. A remote attacker can modify the properties of arbitrary accounts.

Successful exploitation of the vulnerability may result in attacker's access to the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Plone

Denial of service in Apache Subversion
CVE-2011-1752

Null pointer dereference

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to a NULL pointer dereference in the mod_dav_svn module when processing baselined WebDAV resources. A remote attacker can send a specially crafted request to the vulnerable server and cause the Subversion server to crash.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was discovered by Joe Schaefer.

Software: Subversion

Multiple vulnerabilities in Adobe Flash Player
CVE-2011-0618

Integer Overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

According to Symantec the first exploitation of the vulnerability was discovered on 2010-01-03.

Software: Adobe Flash Player

Known/famous malware:

Bloodhound.Exploit.412

Multiple vulnerabilities in Adobe Flash Player
CVE-2011-0627

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in the Flash Player authplay.dll component. A remote attacker can create a specially crafted Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: this vulnerability is being actively exploited.

There are reports of malware attempting to exploit this vulnerability via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform.

Software: Adobe Flash Player

Multiple vulnerabilities in Microsoft Windows
CVE-2012-0181

Improper input validation

The vulnerability allows a local user to obtain elevated privileges on the target system.

The vulnerability exists due to improper managing of Keyboard Layout files by the kernel-mode driver (win32k.sys). A local attacker can execute arbitrary code on vulnerable system with SYSTEM privileges.

Successful exploitation of this vulnerability will allow the local attacker to obtain elevated privileges on vulnerable system.

Note: the vulnerability was being actively exploited.

According to Trustwave this is a zero-day.
A private exploit was developed by Cr4sh and published 2 weeks after the advisory.

CVE-2012-0181 fixes an issue alluded to on the exploitdb site on Nov. 21, 2011; it was fixed on July 10, 2012.

Software: Windows

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2011-0094

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when handling layout objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

This vulnerability was reported to iDefense by an anonymous researcher. NSS was ready to pay $100-500 for an exploit for this vulnerability.

The vulnerability was used to compromise a Philippine human rights website.

Software: Microsoft Internet Explorer

Known/famous malware:

Exploit:Win32/CVE-2011-0094.A

Remote code execution in Adobe Flash Player
CVE-2011-0611

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error in the authplay.dll component. A remote attacker can create a specially crafted Flash (.swf) file embedded in a Microsoft Word (.doc) file, trick the victim into opening it, trigger memory corruption, and execute arbitrary code on the system with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability had been in use for 1 month before disclosure. The campaign started with spam emails enticing users to open the attachment, typically a Microsoft Word document (or a zip file containing a Microsoft Word document), which carried the malicious Flash exploit inside.

Software: Adobe Flash Player

Known/famous malware:

Microsoft - Exploit:SWF/CVE-2011-0611.C, NOD32 - JS/Exploit.Pdfka.OXL.Gen, Symantec - Trojan.Pidief, Ikarus - Exploit.JS.ShellCode.

SQL injection in Webempoweredchurch Wec Discussion
CVE-2011-1722

SQL injection

The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.

The vulnerability exists due to insufficient sanitization of user-supplied data passed to the editpost.php script. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the back-end database.

Successful exploitation may allow an attacker to gain complete control over vulnerable website.

Note: this vulnerability is being actively exploited.

The vulnerability was disclosed by Helmut Hummel.
Matthias Hunstock discovered and reported the issue.

Software: Wec Discussion

Remote code execution in Adobe Flash Player
CVE-2011-0609

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error in the authplay.dll component. A remote attacker can create a specially crafted Flash (.swf) file embedded in a Microsoft Excel (.xls) file, trick the victim into opening it, trigger memory corruption, and execute arbitrary code on the system with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was used to target RSA. Two phishing emails carrying a Microsoft Excel document with the exploit were sent to two different groups of employees. The document containing the exploit code was named "2011 Recruitment plan.xls".

Software: Adobe Flash Player

Known/famous malware:

Exploit:SWF/CVE-2011-0609
Kaspersky Lab products detected the variants as "Trojan-Dropper.MSExcel.SWFDrop".

Security bypass in Pivot
CVE-2011-1035

Security bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to an error in the Reset my password feature. A remote attacker can guess the username and modify the victim's password.

Successful exploitation of the vulnerability may result in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was reported by Hans F. Nordhaug.

Software: PivotX

Information disclosure in MHTML in Microsoft Windows
CVE-2011-0096

Cross-site scripting

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user input passed via MIME-formatted requests for content blocks within a document. A remote attacker can trick the victim into following a specially crafted "MHTML:" link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

The vulnerability was originally disclosed on the WooYun website.

Software: Windows

Known/famous malware:

exploit:win32/cve-2011-0096 trojan horse.

Remote code execution in Microsoft Internet Explorer
CVE-2011-1345

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling onPropertyChange function calls. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was first disclosed by VUPEN on January 22, 2011.

This issue was disclosed as part of the Pwn2Own 2011 contest.
Using this vulnerability, Irish security researcher Stephen Fewer successfully exploited a 64-bit Windows 7 (SP1) system running Internet Explorer 8 to win the CanSecWest hacking challenge (a $15,000 cash prize and a new Windows laptop), held March 9-11 in Vancouver, British Columbia.

The issue was introduced on 03/05/2008.

Software: Microsoft Internet Explorer

Known/famous malware:

Exploit:JS/CVE-2011-1345.

Remote code execution in Microsoft Internet Explorer
CVE-2010-3971

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when parsing CSS styles. A remote attacker can create a specially crafted web page containing a Cascading Style Sheet that refers to itself recursively, cause memory corruption and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may allow an attacker to compromise the vulnerable system.

Note: this vulnerability is being actively exploited.

The vulnerability appears to be connected to the group of Chinese hackers responsible for unleashing a pair of Java zero-day exploits in 2012. Judging by the geographical location of the targets for CVE-2010-3971, these attack attempts bear a close resemblance to those targeting CVE-2010-3962, another Internet Explorer issue that was dubbed the Weekend Warrior.

Software: Microsoft Internet Explorer

Known/famous malware:

Virus HTML:CVE-2010-3971-A

Privilege escalation in Windows Task Scheduler
CVE-2010-3338

Privilege escalation

The vulnerability allows a local user to obtain elevated privileges on the vulnerable system.

The vulnerability exists in the way Windows Task Scheduler runs scheduled tasks within their intended security context. A local user can create a specially crafted task and execute arbitrary code on the vulnerable system with the privileges of the local system account.

Successful exploitation of this vulnerability may allow a local user to obtain full access to the vulnerable system.

Note: this vulnerability is being actively exploited.

The vulnerability was used by Stuxnet.

Software: Windows

Known/famous malware:

W32.Stuxnet, TDL-4 rootkit (TDSS), Trojan.Generic.KDV.128306

Directory traversal in nBill
CVE-2010-4270

Directory traversal

The vulnerability allows a remote attacker to view contents of arbitrary files on the server.

The vulnerability exists due to insufficient filtering of user-supplied input in the "/administrator/components/com_nbill/admin.nbill.php" and "/components/com_nbill/nbill.php" scripts. A remote attacker can send a specially crafted HTTP request containing directory traversal sequences (e.g. "../") and view the contents of arbitrary files on the vulnerable server.

Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to potentially sensitive information.

Note: this vulnerability is being actively exploited against Joomla! installations.

Software: nBill

Two remote code execution vulnerabilities in JustSystems Ichitaro
CVE-2010-3915

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when handling office documents. A remote attacker can create a specially crafted document, trick the victim into opening it, cause a buffer overflow and execute arbitrary code on the vulnerable system.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Note: this vulnerability is being actively exploited.

According to Trend Micro, a pair of code execution vulnerabilities, namely CVE-2010-3916 and CVE-2010-3915, was uncovered in September 2010 as 0-day flaws.

Software: Ichitaro

Known/famous malware:

TROJ_DROPPER.QVA

Two remote code execution vulnerabilities in JustSystems Ichitaro
CVE-2010-3916

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an unspecified error when handling office documents. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger the error and execute arbitrary code on the vulnerable system.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Note: this vulnerability is being actively exploited.

According to Trend Micro, a pair of code execution vulnerabilities, namely CVE-2010-3916 and CVE-2010-3915, was uncovered in September 2010 as 0-day flaws.

Software: Ichitaro

Known/famous malware:

Trojan.Tarodrop.