Zero-day vulnerabilities discovered: 8
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system. It was identified by Eric Romang and by FireEye, whose Malware Protection Cloud detected the exploit.
The vulnerability was exploited in a watering-hole attack on the Council on Foreign Relations (CFR) website on 26.12.2012. The attack appears to be closely related to the June 2012 attacks that targeted visitors of a major hotel chain and to other attacks associated with the Elderwood Project.
Software: Microsoft Internet Explorer
Links:
https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-det...
https://technet.microsoft.com/library/security/ms13-008
https://technet.microsoft.com/library/security/2794220
http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-...
https://blogs.technet.microsoft.com/srd/2012/12/31/microsoft-fix-it-available-for-internet-explorer-...
https://blogs.technet.microsoft.com/srd/2012/12/29/new-vulnerability-affecting-internet-explorer-8-u...
https://www.alienvault.com/blogs/labs-research/new-internet-explorer-zeroday-was-used-in-the-dol-wat...
http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-...
https://nakedsecurity.sophos.com/2012/12/31/zero-day-vulnerability-in-internet-explorer-being-used-i...
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks and gain elevated privileges.
Software: Microsoft Office InfoPath
Links:
https://technet.microsoft.com/en-us/library/security/ms12-066.aspx
http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_10_10_2012.pdf
http://www.securityweek.com/recently-patched-html-sanitization-flaw-linked-hotmail-xss-vulnerability
http://www.trendmicro.com.ru/vinfo/ru/threat-encyclopedia/vulnerability/2293/microsoft-windows-html-...
http://www.tripwire.com/vert/vert-alert/vert-alert-october-9-2012/
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000380.aspx
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system. It was discovered by Eric Romang, who found it being exploited in the wild.
The first public report of a real-world attack using the vulnerability was a blog post on 14.09.2012. The vulnerability was used by the "Nitro" hacking group.
Software: Microsoft Internet Explorer
Links:
https://technet.microsoft.com/library/security/2757760
https://technet.microsoft.com/en-us/library/security/ms12-063
https://blogs.technet.microsoft.com/mmpc/2012/09/21/what-you-need-to-know-about-cve-2012-4969/
http://www.sevenforums.com/system-security/260613-should-i-remove-cve-2012-4969-a.html
http://krebsonsecurity.com/tag/cve-2012-4969/
https://www.f-secure.com/en/web/labs_global/cve-2012-4969
https://barracudalabs.com/2012/09/internet-explorer-0day-exploit-cve20124969-its-what-you-cant-see-t...
http://security.stackexchange.com/questions/21237/need-help-on-understanding-obfuscated-code-in-cve-...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25947
http://contagiodump.blogspot.com/2012/09/cve-2012-4969-internet-explorer-0day.html
http://www.antiy.net/p/sample-of-cve-2012-4969/
https://www.securestate.com/blog/2012/09/21/threat-alert-internet-explorer-zero-day-cve-2012-4969
https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2012-4969-and-the-Unnamed-Admin-Panel/
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system. A long-standing favourite of attackers, this MSCOMCTL.OCX flaw (CVE-2012-1856) has been exploited for years and was chained with CVE-2012-0158, CVE-2015-1641 and CVE-2015-1770 in an APT campaign against journalists and human rights workers in Tibet, Hong Kong and Taiwan.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms12-060
https://blog.ropchain.com/2015/07/27/analyzing-vupens-cve-2012-1856/
http://www.securityweek.com/cve-2012-0158-exploited-attacks-targeting-government-agencies-europe-asi...
http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-rat-uwarrior/
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25966
https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
https://threatpost.com/apt-targeting-tibetans-packs-four-vulnerabilities-in-one-compromise/117493/
https://www.hackread.com/skype-malware-saves-screenshots-records-conversations/
https://www.grahamcluley.com/advanced-malware-logs-skype-calls-steals-files-removable-drives/
https://securingtomorrow.mcafee.com/mcafee-labs/threat-actors-use-encrypted-office-binary-format-eva...
https://www.symantec.com/security_response/vulnerability.jsp?bid=54948
https://blogs.technet.microsoft.com/srd/2012/08/14/ms12-060-addressing-a-vulnerability-in-mscomctl-o...
http://varzia.com/blog/keyboy-malware-used-in-targeted-attacks-in-asia/
Untrusted Search Path
The vulnerability allows a remote attacker to execute arbitrary code on the target system. Because it is an untrusted search path (DLL preloading) issue in Visual Basic for Applications, exploitation requires the victim to open an Office document from a location, such as a network share or an extracted archive, that also holds the attacker's DLL. It had been actively exploited since mid-March 2012 in targeted attacks on Japanese organizations.
Software: Microsoft Office
Links:
https://technet.microsoft.com/library/security/ms12-046
https://www.symantec.com/connect/blogs/microsoft-patch-tuesday-july-2012
https://www.trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Patch-Tuesday-July-2012-%E2%80%93-TLS-...
https://www.symantec.com/connect/blogs/targeted-attacks-exploit-vba-vulnerability-july-ms-tuesday
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system. A functional exploit with shellcode appeared on Pastebin on 8.06.12, four days before Microsoft released the patch.
The vulnerability was reported by a researcher using the handle Dark Son and by researcher Yichong Lin.
Software: Microsoft Internet Explorer
Known/famous malware:
Trojan.Naid
Links:
https://technet.microsoft.com/en-us/library/security/ms12-037
https://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid
https://www.alienvault.com/blogs/labs-research/ongoing-attacks-exploiting-cve-2012-1875
https://threatpost.com/exploit-code-surfaces-cve-2012-1875-internet-explorer-bug-061812/76702/
http://breakthesecurity.cysecurity.org/2012/06/cve-2012-1875-hacking-windows-using-ms12-037-internet...
http://www.ehackingnews.com/2012/06/cve-2012-1875-exploit-for-remote-code.html
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/MS12_037_SAME_ID
http://eromang.zataz.com/2012/06/13/ms12-037-internet-explorer-same-id-vulnerability-metasploit-demo...
http://www.cio.com/article/2394927/security0/attack-code-published-for-two-actively-exploited-vulner...
http://www.infosecisland.com/blogview/21670-Symantec-Internet-Explorer-Zero-Day-Exploit-in-the-Wild....
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system. It is one of the vulnerabilities used by the Aurora group.
The attackers used 0-day exploits for CVE-2010-2884 and CVE-2012-1889 to specifically target visitors to the Amnesty International Hong Kong site.
On 20.06.2012 SophosLabs determined that the website of a European aeronautical parts supplier had been hacked to deliver an exploit for CVE-2012-1889.
Trend Micro observed the vulnerability being used against the webpage of a Chinese high school.
Software: Microsoft XML Core Services
Links:
https://technet.microsoft.com/library/security/2719615
https://technet.microsoft.com/library/security/ms12-043
https://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/
https://www.symantec.com/connect/blogs/cve-2012-1889-action
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://www.welivesecurity.com/2012/06/20/cve2012-1889-msxml-use-after-free-vulnerability/
https://www.experts-exchange.com/questions/27793137/After-Friday's-Rounds-of-Patches-from-Microsoft-...
http://contagiodump.blogspot.com/2012/07/brian-mariani-high-tech-bridge-htbridge.html
http://www.darknet.org.uk/2012/06/windows-xml-core-services-exploit-attacked-in-the-wild-cve-2012-18...
http://www.infoworld.com/article/2617287/malware/widely-used-web-attack-toolkit-exploits-unpatched-m...
https://nakedsecurity.sophos.com/2012/06/29/zero-day-xml-core-services-vulnerability-included-in-bla...
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000352.aspx
http://thehackernews.com/2012/09/operation-aurora-other-zero-day-attacks.html
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system. Researchers based in Asia noticed these malicious documents in Japan and Taiwan before they started showing up against US companies.
The actors using the exploit in 2014 appeared to operate in the Western Australian time zone (UTC+8). Examples of such groups include the 'Shiqiang Gang' (as reported by McAfee), 'PLEAD' (as reported by Trend Micro), 'NetTraveler' (as reported by Kaspersky) and 'APT12' (as reported by FireEye).
The vulnerability was exploited in the Red October attacks in 2012 and, in 2013, in attacks targeting Chinese media organizations and personnel at government agencies in Europe, the Middle East and Central Asia. An exploit for it was also reported in an attack on the New York Times in August 2013. The vulnerability was still being exploited in 2016, and an exploit for it was used in the Pawn Storm campaign as well.
Software: Microsoft Office
Known/famous malware:
TROJ_DROPPER.IK
BKDR_HGDER.IK
Links:
https://technet.microsoft.com/library/security/ms12-027
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/CVE-2012-0158-An-Anatomy-of-a-Prol...
https://securingtomorrow.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild/
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-exploitation-seen-in-variou...
https://sentinelone.com/item-news/cve-2012-0158-allocated-2011-patched-2012-still-actively-exploited...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25656
https://www.virusbulletin.com/blog/2014/10/cve-2012-0158-continues-be-used-targeted-attacks/
https://www.alienvault.com/blogs/security-essentials/cmstar-apt-malware-cve-2012-0158
http://contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html
http://blog.9bplus.com/same-cve-2012-0158-different-builder/
http://blog.malwaretracker.com/2013/08/cve-2012-0158-exploit-evades-av-in-mime.html
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-now-being-used-in-more-tibe...
https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
https://blogs.sophos.com/2016/07/01/the-word-bug-that-just-wont-die-cve-2012-0158-the-cybercrime-gif...