Zero-day vulnerabilities discovered: 14
ASLR bypass
The vulnerability allows a remote attacker to bypass certain security restrictions.
Software: Microsoft Office
Signature verification bypass
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
Software: Windows
Links:
https://blogs.technet.microsoft.com/srd/2013/12/10/ms13-098-update-to-enhance-the-security-of-authen...
https://technet.microsoft.com/en-us/library/security/ms13-098.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=64079
http://blog.talosintel.com/2013/12/microsoft-update-tuesday-december-2013.html
http://blog.trendmicro.com/trendlabs-security-intelligence/december-patch-tuesday-addresses-tiff-vul...
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
https://www.corero.com/resources/files/security_advisories/advisory_CNS_IPS_Microsoft_nVerifyTrust_C...
https://www.symantec.com/connect/blogs/microsoft-patch-tuesday-december-2013
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000559.aspx
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability was discovered by the Adallom company and the attack was dubbed "Ice Dagger". The attackers used the vulnerability to steal Microsoft Office 365 authentication tokens. The victim, at an unnamed company, received an email with a link to an attachment located on a hidden server within the Tor network. The vulnerability was reported to Microsoft in late May 2013.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms13-104.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=64092
http://blog.talosintel.com/2013/12/microsoft-update-tuesday-december-2013.html
https://www.scmagazine.com/patch-tuesday-update-addresses-24-bugs-including-exploited-tiff-zero-day/...
http://news.softpedia.com/news/Newly-Patched-Office-365-Vulnerability-Used-in-Ice-Dagger-Targeted-At...
http://it.toolbox.com/blogs/securitymonkey/flaw-in-microsoft-office-365-allows-perfect-crime-58421
Privilege escalation
The vulnerability allows a local attacker to obtain elevated privileges on the target system.
The Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the Reader sandbox.
Kaspersky Lab revealed the vulnerability was used in Epic Turla (cyber-espionage campaigns).
Software: Windows
Known/famous malware:
PDF:Exploit.CVE-2013-5065.A
Gen:Trojan.Heur.FU.ku3@aSHWAmji
Links:
https://www.fireeye.com/blog/threat-research/2013/12/cve-2013-33465065-technical-analysis.html
https://www.fireeye.com/blog/threat-research/2013/11/ms-windows-local-privilege-escalation-zero-day-...
https://technet.microsoft.com/en-us/library/security/2914486.aspx
https://blogs.technet.microsoft.com/msrc/2013/11/27/microsoft-releases-security-advisory-2914486/
https://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Kernel-is-calling-a-zero(day)-pointer-%E2%80...
https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
http://securityaffairs.co/wordpress/20092/hacking/windows-xp-zero-day.html
https://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerabilit...
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attac...
https://www.scmagazine.com/windows-xp-zero-day-under-active-attack/article/543166/
https://www.fireeye.jp/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-zero-day-attacks-in...
https://securingtomorrow.mcafee.com/mcafee-labs/product-coverage-and-mitigation-for-cve-2013-5065/
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability was introduced on 07.27.2005 but publicly disclosed later by Xiaobo Chen and Dan Caselden of FireEye.
The vulnerability has been exploited by the APT group behind the 2009 Aurora attack. The exploit uses the ROP (return-oriented programming) technique. According to FireEye, the attack has a link to the infrastructure used in Operation DeputyDog and Operation Ephemeral Hydra, which began in August and targeted organizations in Japan.
Software: InformationCardSigninHelper Class ActiveX control
Links:
https://technet.microsoft.com/en-us/library/security/ms13-090.aspx
https://www.fireeye.com/blog/threat-research/2013/11/new-ie-zero-day-found-in-watering-hole-attack.h...
https://blogs.technet.microsoft.com/msrc/2013/11/11/activex-control-issue-being-addressed-in-update-...
https://blogs.technet.microsoft.com/srd/2013/11/12/technical-details-of-the-targeted-attack-using-ie...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27146
http://eromang.zataz.com/2015/12/23/cve-2013-3918-cardspaceclaimcollection-activex-integer-underflow...
http://www.darkreading.com/new-ie-vulnerability-found-in-the-wild-sophisticated-web-exploit-follows/...?
http://www.securityweek.com/microsoft-patches-vulnerability-attackers-used-target-ie-users
https://blog.threattrack.com/a-look-inside-a-cve-2013-3918-exploit/
https://www.fireeye.jp/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-zero-day-attacks-in...
http://www.zdnet.com/article/ie-zero-day-used-by-cyber-arms-dealers-and-chinese-hackers/
https://support.ixiacom.com/about-us/news-events/corporate-blog/completing-deputydog-apt
http://www.darkreading.com/vulnerabilities---threats/fireeye-releases-2013-lab-performance-stats/d/d...
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The metadata of the files was set to October 17, 2013, which may indicate the creation time of this exploit.
Attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan. The attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/2896666.aspx
https://technet.microsoft.com/en-us/library/security/ms13-096
https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-micro...
https://securingtomorrow.mcafee.com/business/security-connected/updates-and-mitigation-to-cve-2013-3...
https://blogs.technet.microsoft.com/srd/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-...
https://www.fireeye.com/blog/threat-research/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both...
https://www.crowdstrike.com/blog/analysis-cve-2013-3906-exploit/
http://www.primalsecurity.net/analysis-of-malicious-document-using-cve-2013-3906/
http://blog.trendmicro.com/trendlabs-security-intelligence/how-to-avoid-the-latest-microsoft-office-...
http://securityaffairs.co/wordpress/19460/hacking/microsoft-cve-2013-3906-zero-day.html
https://www.symantec.com/connect/forums/if-sep-daily-definition-covers-exploit-cve-2013-3906
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
Used in the Pawn Storm campaign.
A zero-day was used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013.
Software: Microsoft Internet Explorer
Links:
https://technet.microsoft.com/en-us/library/security/ms13-080.aspx
https://blogs.technet.microsoft.com/srd/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limi...
https://technet.microsoft.com/library/security/ms13-080
http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-pawn-storm-fast-facts
https://blogs.forcepoint.com/security-labs/zero-day-attack-internet-explorer-cve-2013-3897-goes-high...
http://blog.talosintel.com/2013/10/ie-zero-day-cve-2013-3897-youve-been.html
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=607
https://www.symantec.com/security_response/vulnerability.jsp?bid=62811
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27102
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-3897-analysis-of-yet-another-i...
http://eromang.zataz.com/2015/12/23/cve-2013-3897-microsoft-internet-explorer-cdisplaypointer-use-af...
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/MS13_080_CDISPLAYPOINTER
https://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-targeted-attacks-against-korea...
http://www.benhayak.com/2013_11_01_archive.html
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Technical-Aspects-of-Exploiting-IE-Zero-Day-...
https://krebsonsecurity.com/2013/10/adobe-microsoft-push-critical-security-fixes-3/#more-23010
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The exploit used a ROP-chain technique and was deployed in the Operation DeputyDog campaign.
The vulnerability was initially found in the wild in Japan, but other language regions (English, Chinese, Korean, etc.) were targeted as well.
Software: Microsoft Internet Explorer
Links:
https://technet.microsoft.com/en-us/library/security/2887505
https://technet.microsoft.com/en-us/library/security/ms13-080
https://blogs.technet.microsoft.com/srd/2013/09/17/cve-2013-3893-fix-it-workaround-available/
https://blogs.technet.microsoft.com/srd/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limi...
https://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/
https://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-...
https://www.f-secure.com/en/web/labs_global/cve-2013-3893
https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-...
https://www.symantec.com/security_response/vulnerability.jsp?bid=62453
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70073
http://eromang.zataz.com/2015/12/22/cve-2013-3893-microsoft-internet-explorer-setmousecapture-uaf/
https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-part-2-zero-day-exploit-ana...
https://sgros-students.blogspot.com/2014/01/exploiting-and-analysing-cve-2013-3893.html
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/product-coverage-and-mitigation...
https://securityintelligence.com/trusteers-exploit-prevention-stops-attacks-targeting-new-ie-zero-da...
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-3893-analysis-of-the-new-ie-0-...
http://tipstrickshack.blogspot.com/2013/10/exploit-for-all-ie-versioncve-2013-3893.html
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability is associated with a "watering hole" attack.
Software: Microsoft Internet Explorer
Links:
https://h41382.www4.hpe.com/gfs-shared/downloads-226.pdf
https://technet.microsoft.com/en-us/library/security/ms13-055.aspx
https://www.fireeye.com/blog/threat-research/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-explo...
https://www.symantec.com/security_response/vulnerability.jsp?bid=60975
http://www.zdnet.com/article/microsoft-admits-internet-explorer-flaw-targeted-by-hackers/
https://securingtomorrow.mcafee.com/mcafee-labs/new-zero-day-attack-copies-earlier-flash-exploitatio...
http://www.computerworld.com/article/2483926/microsoft-windows/targeted-attacks-exploit-now-patched-...
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-3163-internet-explorer-vulnera...
https://blogs.technet.microsoft.com/srd/2013/07/10/running-in-the-wild-not-for-so-long/
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability was reported by Andrew Lyons and Neel Mehta of Google Inc.
Using the samples provided by Microsoft, Romang scoured Google's cache and found the earliest document that attempted to fetch the exploit dated from February 2013. The document referenced territory disputes between China and the Philippines.
However, Romang uncovered another Word document created in 2009 that, according to Google's VirusTotal service, would also exploit the flaw Microsoft patched. The file's title, "The corruption of Mahathir", referred to a Malaysian politician, fitting Microsoft's list of possible targets. Both documents linked to a Bridging Links URL.
The vulnerability might have been spotted in the wild, with campaigns starting as early as 2009. Microsoft believes attacks were limited to Indonesia and Malaysia.
Software: Microsoft Office
Known/famous malware:
Trojan.Mdropper.
Links:
https://technet.microsoft.com/en-us/library/security/ms13-051.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=60408
https://www.symantec.com/connect/blogs/microsoft-office-cve-2013-1331-coverage
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-1331-a-zero-day-disclosed.html
http://eromang.zataz.com/2013/06/13/ms13-051-cve-2013-1331-what-we-know-about-microsoft-office-zero-...
https://threatpost.com/important-office-2003-zero-day-deserves-second-look/100990/
https://blogs.technet.microsoft.com/srd/2013/06/11/ms13-051-get-out-of-my-office/
http://dataprotectioncenter.com/general/microsoft-office-cve-2013-1331-coverage/
http://blog.trendmicro.com/trendlabs-security-intelligence/light-june-2013-patch-tuesday-is-no-reaso...
Privilege escalation
The vulnerability allows a local attacker to obtain elevated privileges on the target system.
Tavis Ormandy, a Google security engineer, reported a critical bug to Microsoft only five days before going public.
The vulnerability has been used by the Carbanak group.
Software: Windows
Known/famous malware:
Cidox/Rovnix Bootkit
PowerLoader
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability has been exploited in a watering hole attack against the Department of Labor (DoL). Used in the Pawn Storm campaign.
Software: Microsoft Internet Explorer
Links:
https://www.fireeye.com/blog/threat-research/2013/05/ie-zero-day-is-used-in-dol-watering-hole-attack...
https://technet.microsoft.com/en-us/library/security/2847140.aspx
https://technet.microsoft.com/en-us/library/security/ms13-may.aspx
https://technet.microsoft.com/en-us/library/security/ms13-038
https://nakedsecurity.sophos.com/2013/05/09/microsoft-rushes-out-cve-2013-1347-fix-it-for-the-latest...
https://securityintelligence.com/cve-2013-1347-microsoft-internet-explorer-cgenericelement-object-us...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26721
http://stopmalvertising.com/malware-reports/cve-2013-1347-new-internet-explorer-8-0-day-used-in-wate...
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF
https://krebsonsecurity.com/2013/05/zero-day-exploit-published-for-ie8/
https://blogs.forcepoint.com/security-labs/internet-explorer-zero-day-vulnerability-cve-2013-1347-up...
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000479.aspx
https://blog.qualys.com/laws-of-vulnerabilities/2013/05/04/new-0-day-in-microsoft-internet-explorer-...
https://www.threatconnect.com/blog/threatconnect-gets-root-targeted-exploitation-campaigns/
Cross-site scripting
The vulnerability allows a remote attacker to obtain elevated privileges on the target system.
Software: Microsoft SharePoint Server
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
Software: Microsoft Silverlight
Known/famous malware:
Exploit kits: Angler, Archie, Astrum, Fiesta, Hanjuan, Infinity (Exploit kit), Neutrino, Nuclear Pack, RIG.
Links:
https://technet.microsoft.com/en-us/library/security/ms13-022.aspx
https://www.zscaler.com/blogs/research/exploit-kits-anatomy-silverlight-exploit
https://www.checkpoint.com/downloads/partners/TCC-Silverlight-Jan2015.pdf
https://www.symantec.com/security_response/vulnerability.jsp?bid=58327
http://journeyintoir.blogspot.com/2014/05/cve-2013-0074-3896-silverlight-exploit.html
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27612
http://www.vxsecurity.sg/2014/06/18/technical-tear-down-fiesta-exploit-kit-silverlight-exploit-cve-2...
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-a-silverlight-exploit/
https://blog.malwarebytes.com/threat-analysis/2014/05/malvertising-campaign-on-popular-site-leads-to...
http://blogs.cisco.com/security/angling-for-silverlight-exploits
https://www.scmagazine.com/more-exploits-including-silverlight-attack-packed-in-nuclear-kit/article/...
http://arstechnica.com/security/2014/05/move-over-java-drive-by-attacks-exploiting-microsoft-silverl...