Zero-day Vulnerability Database

Change view:

Zero-day vulnerabilities discovered: 20

Multiple vulnerabilities in Microsoft Windows
CVE-2009-2501

Heap-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to heap-based buffer overflow in GDI+ when handling PNG image file. A remote attacker can create a specially crafted PNG image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.
i

According to Symantec the first exploitation of the vulnerability was discovered on 2009-01-07.

Software: Windows

Known/fameous malware:

Bloodhoud.Exploit.277

According to Symantec the first exploitation of the vulnerability was discovered on 2009-01-07.

Multiple vulnerabilities in Microsoft Windows
CVE-2009-3126

Integer Overflow or Wraparound

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow in GDI+ when handling PNG image file. A remote attacker can create a specially crafted PNG image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.
i

According to Symantec the first exploitation of the vulnerability was discovered on 2009-01-27.

Software: Windows

Known/fameous malware:

Bloodhound.Exploit.278.

According to Symantec the first exploitation of the vulnerability was discovered on 2009-01-27.

Two remote code execution vulnerabilities in Microsoft Windows
CVE-2009-0555

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing malformed Advanced Systems Format (ASF) files. A remote attacker can create a specially crafted audio file that uses the Windows Media Speech code, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Windows Media Format Runtime

Two vulnerabilities in Microsoft IIS FTP server
CVE-2009-3023

Stack-based buffer overflow

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The weakness exists due to stack-based buffer overflow in FTP server. A remote authenticated attacker can send a specially crafted FTP NLST command containing a wildcard that references a subdirectory, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.
i

The issue has been introduced in 06/02/1998. The weakness was publicly disclosed on August 31, 2009 by Kingcope. The vulnerability was handled as a non-public zero-day exploit.

Software: Microsoft IIS

The issue has been introduced in 06/02/1998. The weakness was publicly disclosed on August 31, 2009 by Kingcope. The vulnerability was handled as a non-public zero-day exploit.

Denial of service in Microsoft .NET Framework
CVE-2009-1536

Denial of service

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to incorrect managing of request scheduling by ASP.NET. By sending multiple HTTP requests, a remote attacker can trigger the Web server to crash.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft .NET Framework

Remote code execution in Microsoft Windows
CVE-2009-2493

Improper initialization

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper initialization in the Microsoft Active Template Library (ATL) when handling objects from data streams related to unsafe usage of OleLoadFromStream() function. A remote attacker can create a specially crafted Web site that instantiates a vulnerable component or control using the IE browser, trick the victim into viewing it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft Active Template Library

Remote code execution in Microsoft Office Web Components
CVE-2009-1136

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in Office Web Components ActiveX Control when handling parameter values. A remote attacker can create a specially crafted Web page, trick the victim into viewing it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft Office

Remote code execution in Microsoft Video ActiveX Control
CVE-2008-0015

Stack-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to stack-based buffer overflow in the Microsoft Video ActiveX Control, msvidctl.dll. By persuading a victim to visit a specially crafted Web page, a remote attacker can trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.
i

The vulnerability has been exploited in the wild since June 11, 2009 (as discovered by X-Force) and was touted by the media and by SANS as being exploited in the wild on July 6, 2009.

According to Symantec research first exploitation of the vulnerability was detected on 2008-12-28.

Software: Microsoft Video ActiveX Control

Known/fameous malware:

HTML/CVE-2008-0015
Bloodhoud.Exploit.259

The vulnerability has been exploited in the wild since June 11, 2009 (as discovered by X-Force) and was touted by the media and by SANS as being exploited in the wild on July 6, 2009.

According to Symantec research first exploitation of the vulnerability was detected on 2008-12-28.

Multiple vulnerabilities in Microsoft Excel
CVE-2009-1134

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to buffer overflow when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed record pointer, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.
i

The vulnerability has been exploited over a year and was reported to vendor on 2009-03-26.
According to Symantec the first exploitation of the vulnerability was discovered on 2008-07-25.

Software: Microsoft Excel

Known/fameous malware:

Bloodhound.Exploit.254.

The vulnerability has been exploited over a year and was reported to vendor on 2009-03-26.
According to Symantec the first exploitation of the vulnerability was discovered on 2008-07-25.

Multiple vulnerabilities in Microsoft Excel
CVE-2009-0561

Integer Overflow or Wraparound

The vulnerability alows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed object record, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
i

According to Symantec the first exploitation of the vulnerability was discovered on 11.01.2009.

Software: Microsoft Excel

Known/fameous malware:

Bloodhound.Exploit.251

According to Symantec the first exploitation of the vulnerability was discovered on 11.01.2009.

Multiple priviledge escalation vulnerabilities in Microsoft Windows
CVE-2009-1123

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper validation of changes in certain kernel objects. By running a malicious application, a local attacker can submit malformed calls to the Windows Kernel and execute arbitrary code in kernel mode.

Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.

Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.
i

This vulnerability was used by Equation group in attacks, which involved Fanny malware. The exploit is later added to Stuxnet malware. Initially discovered by Kaspersky Lab in December 2008.

Microsoft bulletin describing 4 vulnerabilities is not clear on which vulnerability was used during the attacks. We are aware of at least two publicly disclosed exploits from this bulletin used by different malware in targeted attacks during Operation Pawn Storm and Turla.

The CVEs covered in this bulletin: CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126. At least one of them has being exploited in the wild before official security patch.

Software: Windows

Known/fameous malware:

Exploit kits: Fanny, Stuxnet, Turla.

This vulnerability was used by Equation group in attacks, which involved Fanny malware. The exploit is later added to Stuxnet malware. Initially discovered by Kaspersky Lab in December 2008.

Microsoft bulletin describing 4 vulnerabilities is not clear on which vulnerability was used during the attacks. We are aware of at least two publicly disclosed exploits from this bulletin used by different malware in targeted attacks during Operation Pawn Storm and Turla.

The CVEs covered in this bulletin: CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126. At least one of them has being exploited in the wild before official security patch.

Remote code execution in Microsoft DirectX
CVE-2009-1537

Null byte interaction error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to NULL byte error in DirectX. A remote attacker can create a specially crafted QuickTime media file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft DirectX

Known/fameous malware:

Exploit:JS/Mult.BM
Exploit:Win32/CVE-2009-1537

Multiple vulnerabilities in Microsoft Powerpoint
CVE-2009-0556

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when handling malformed PowerPoint files. A remote attacker can create a specially crafted PowerPoint file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: this vulnerability was being actively exploited.

Software: Microsoft PowerPoint

Remote code execution in Microsoft Windows
CVE-2009-0084

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when processing a malformed JPEG file. A remote attacker can create a specially crafted JPEG file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: this vulnerability is being actively exploited.
i

According to Symantec the first exploitation of the vulnerability was discovered on 2008-10-23.

Software: Microsoft DirectX

According to Symantec the first exploitation of the vulnerability was discovered on 2008-10-23.

Multiple vulnerabilities in Microsoft Windows
CVE-2009-0087

Memory corruption

The vulnerability alows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to buffer overflow when process documents in Microsoft WordPad and Microsoft Office converter. A remote attacker can create a specially crafted Word file containing a malformed data, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.
i

The vulnerability was handled as a non-public zero-day exploit for at least 3344 days. The issue has been introduced in 02/17/2000.
The vulnerability was firstly disclosed in June 17, 2008.

Software: Windows

The vulnerability was handled as a non-public zero-day exploit for at least 3344 days. The issue has been introduced in 02/17/2000.
The vulnerability was firstly disclosed in June 17, 2008.

Multiple vulnerabilities in Microsoft Windows
CVE-2009-0078

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to insufficient security protections in Windows Management Instrumentation (WMI) providers. Accessing the computer under the context of a NetworkService or LocalService account an attacker can obtain privileged security tokens and execute code with privileges of SYSTEM account.

Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control over the affected system.

Note: this vulnerability was being actively exploited.
i

Knows as Token Kidnapping.

Software: Windows

Knows as Token Kidnapping.

Multiple vulnerabilities in Microsoft Windows
CVE-2009-0079

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper isolation of processes in the RPCSS service. Accessing the computer under the context of a NetworkService or LocalService account an attacker can obtain privileged security tokens and execute code with privileges of SYSTEM account.

Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.

Note: this vulnerability was being actively exploited.


i

Known as "Token Kidnapping".

Software: Windows

Known as "Token Kidnapping".

Multiple vulnerabilities in Microsoft Windows
CVE-2009-0080

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to incorrect placing of access control lists (ACLs) on threads in the current ThreadPool. By leveraging incorrect thread ACLs an attacker can access NetworkService or LocalService account, obtain elevated privileges and execute code with privileges of SYSTEM account.

Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.

Note: this vulnerability was being actively exploited.
i

Known as "Token Kidnapping".

Software: Windows

Known as "Token Kidnapping".

Two vulnerabilities in Microsoft IIS FTP server
CVE-2009-2521

Improper input validation

The vulnerability allows a remote authenticated attacker to cause DoS conditions on the target system.

The weakness exists due to an error when processing recursive directory listing commands by the FTP Service. By sending a specially crafted LIST command containing wildcard characters, a remote attacker can trigger the FTP service to crash.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Note: the vulnerability was being actively exploited.
i

The issue has been introduced in 02/17/2000. The weakness was disclosed on 09/04/2009 by Kingcope.

Software: Microsoft IIS

The issue has been introduced in 02/17/2000. The weakness was disclosed on 09/04/2009 by Kingcope.

Remote code execution in Microsoft Excel
CVE-2009-0238

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed object, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: this vulnerability was being actively exploited.

Software: Microsoft Excel

Known/fameous malware:

TROJ_MDROPPER.XR (TrendMicro)
Exploit - MSExcel.r (McAfee)
Trojan.Mdropper.AC (Symantec)

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.