Zero-day Vulnerability Database


Zero-day vulnerabilities discovered: 14

ASLR bypass in Microsoft Office
CVE-2013-5057

ASLR bypass

The vulnerability allows a remote attacker to bypass certain security restrictions.

The weakness exists because the HXDS.DLL Office shared component is built without ASLR support and therefore loads at a predictable base address. A remote attacker can create a specially crafted Web site that causes the victim's browser to load this module, trick the victim into visiting it and use the module's known addresses to bypass the ASLR security feature.

Successful exploitation of the vulnerability defeats a mitigation rather than giving code execution by itself; in the wild it was chained with Internet Explorer memory-corruption exploits of the same period, such as the one for CVE-2013-3893, to achieve arbitrary code execution.

Note: the vulnerability was being actively exploited.

Software: Microsoft Office

Signature validation bypass in Microsoft Windows
CVE-2013-3900

Signature verification bypass

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper validation in the WinVerifyTrust function: when verifying an Authenticode signature it does not check that the PE file's attribute certificate table contains nothing beyond the PKCS#7 signature, so bytes appended there are neither covered by the file hash nor rejected. A remote attacker can take a legitimately signed PE file, append attacker-controlled content to its certificate table without invalidating the signature, trick the victim into executing the modified file and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Windows
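The following script is an added example, not part of this database entry and not Microsoft's code. It performs the two structural checks a defender would want for the two Windows entries above: whether a module's optional header sets IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (the ASLR opt-in whose absence in HXDS.DLL made the CVE-2013-5057 bypass possible), and whether the Authenticode attribute certificate table carries bytes after the DER-encoded PKCS#7 SignedData that the signature does not cover (the room that CVE-2013-3900 left attackers). The PE images, the stub SignedData and the payload string are constructed inline for the demonstration; the stub is not a real signature, and the script inspects only the container, it does not verify signatures.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opts in to ASLR
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002          # Authenticode certificate entry type
WIN_CERT_REVISION_2_0 = 0x0200

def build_pe(dll_characteristics, cert_table=b""):
    """Build a minimal headers-only PE32+ image (constructed test input, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)  # x64, no sections, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                              # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108, 16)                               # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + len(opt)                  # 328, quadword aligned
    if cert_table:  # security directory (index 4) holds a file offset, not an RVA
        struct.pack_into("<II", opt, 112 + 4 * 8, headers_len, len(cert_table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_table

def win_certificate(signed_data, trailing=b""):
    """Encode one WIN_CERTIFICATE entry; `trailing` is data appended after the DER SignedData."""
    body = signed_data + trailing
    length = 8 + len(body)
    padded = (length + 7) & ~7                                         # entries are quadword aligned
    header = struct.pack("<IHH", padded, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return header + body + bytes(padded - length)

def der_total_length(blob):
    """Length of the outermost DER element (tag + length octets + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                                                   # short form
        return 2 + first
    n = first & 0x7F                                                   # long form: n length octets
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def parse_pe(data):
    """Return (DllCharacteristics, [bCertificate blobs]) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 4 + 20                                            # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = {0x10B: 96, 0x20B: 112}[magic]                          # PE32 / PE32+ data directories
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + dir_base - 4)[0]
    certs = []
    if num_dirs > 4:
        sec_off, sec_size = struct.unpack_from("<II", data, opt + dir_base + 4 * 8)
        pos, end = sec_off, sec_off + sec_size
        while sec_off and pos + 8 <= end:
            length, _revision, ctype = struct.unpack_from("<IHH", data, pos)
            if length < 8 or pos + length > end:
                raise ValueError("corrupt attribute certificate table")
            if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
                certs.append(bytes(data[pos + 8:pos + length]))
            pos += (length + 7) & ~7
    return dll_chars, certs

def has_aslr_opt_in(data):
    """True if the module sets DYNAMIC_BASE; False is what the HXDS.DLL bypass relied on."""
    dll_chars, _ = parse_pe(data)
    return bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

def unauthenticated_trailing_bytes(data):
    """Longest run of bytes after the DER SignedData inside any Authenticode entry; the
    Authenticode hash excludes the certificate table, so the signature does not cover them."""
    _, certs = parse_pe(data)
    worst = 0
    for blob in certs:
        der_len = der_total_length(blob)
        if der_len > len(blob):
            raise ValueError("DER length exceeds certificate entry")
        tail = blob[der_len:]
        if len(tail) <= 7 and not any(tail):                           # quadword alignment padding only
            continue
        worst = max(worst, len(tail))
    return worst

# Constructed inputs: the SignedData is a stub SEQUENCE, not a real PKCS#7 signature.
FAKE_SIGNED_DATA = b"\x30\x82\x01\x00" + bytes(256)
PAYLOAD = b"unsigned attacker payload"
ASLR_DLL = build_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
NO_ASLR_DLL = build_pe(0)                                              # predictable load address
CLEAN_PE = build_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, win_certificate(FAKE_SIGNED_DATA))
TAMPERED_PE = build_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, win_certificate(FAKE_SIGNED_DATA, PAYLOAD))

if __name__ == "__main__":
    for name, blob in [("NO_ASLR_DLL", NO_ASLR_DLL), ("CLEAN_PE", CLEAN_PE), ("TAMPERED_PE", TAMPERED_PE)]:
        print(name, "aslr:", has_aslr_opt_in(blob), "unsigned tail bytes:", unauthenticated_trailing_bytes(blob))
```

To run the checks on a real binary, pass `open(path, "rb").read()` to `has_aslr_opt_in` and `unauthenticated_trailing_bytes`. Microsoft shipped the stricter verification that rejects such trailing content as an opt-in, controlled by the EnableCertPaddingCheck value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node equivalent on 64-bit Windows); the heuristic above approximates that check and, like it, is no substitute for verifying the signature itself with WinVerifyTrust or signtool.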

Information disclosure in Microsoft Office
CVE-2013-5054

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because Office does not properly handle a specially crafted response from a server when opening a document that references it. A remote attacker can create a specially crafted Office file, host it on a remote web site, trick the victim into opening it and obtain the tokens that authenticate the current user to a targeted SharePoint or other Microsoft Office server site.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was discovered by the Adallom company and the attack was dubbed "Ice Dagger". The attackers used it to steal a Microsoft Office 365 authentication token. The victim, at an unnamed company, received an email with a link to an attachment hosted on a hidden service within the Tor network. The vulnerability was reported to Microsoft in late May 2013.

Software: Microsoft Office

Privilege escalation in Microsoft Windows
CVE-2013-5065

Privilege escalation

The vulnerability allows a local attacker to obtain elevated privileges on the target system.

The weakness exists due to improper validation of input by the NDProxy.sys kernel component. A local attacker with valid login credentials can use a malicious application to gain kernel privileges and execute arbitrary code on the system.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The Windows bug (CVE-2013-5065) was exploited in conjunction with an already patched Adobe Reader bug (CVE-2013-3346) to escape the Reader sandbox, so the exploit document only worked against Adobe Reader installations that had not been updated.

Kaspersky Lab later reported that the vulnerability was also used in the Epic Turla cyber-espionage campaign.

Software: Windows

Known/famous malware:

PDF:Exploit.CVE-2013-5065.A
Gen:Trojan.Heur.FU.ku3@aSHWAmji

Remote code execution in Microsoft Windows
CVE-2013-3918

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to out-of-bounds memory access within InformationCardSigninHelper Class ActiveX control (icardie.dll). A remote attacker can create specially crafted Web page that passes an overly long string argument to vulnerable ActiveX component, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was introduced on July 27, 2005, but publicly disclosed only later, by Xiaobo Chen and Dan Caselden of FireEye.
The vulnerability has been exploited by the APT group behind the 2009 Aurora attack. The exploit uses return-oriented programming (ROP). According to FireEye, which tracked the attack as Operation Ephemeral Hydra, it shares infrastructure with Operation DeputyDog, which began in August 2013 and targeted organizations in Japan.

Software: InformationCardSigninHelper Class ActiveX control

Remote code execution in Microsoft Graphics Component
CVE-2013-3906

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error in the Microsoft Graphics Component when handling malicious images. A remote attacker can create a specially crafted TIFF image file, embed it in an Office document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The metadata of the exploit files was set to October 17, 2013, which may indicate when the exploit was created.

Attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, had compromised 78 computers, 47 percent of them in Pakistan. The observed attacks were very limited and carefully carried out against selected computers, largely in the Middle East and South Asia.

Software: Microsoft Office

Remote code execution in Microsoft Internet Explorer
CVE-2013-3897

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free vulnerability in the CDisplayPointer object. A remote attacker can create a specially crafted Web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Used in the Pawn Storm campaign.
The zero-day was used in highly targeted, low-volume attacks in Korea, Hong Kong and the United States, as early as September 18, 2013.

Software: Microsoft Internet Explorer

Remote code execution in Microsoft Internet Explorer
CVE-2013-3893

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error in SetMouseCapture implementation. A remote attacker can create specially crafted JavaScript, place it on a Web page, trick the victim into visiting it using Internet Explorer, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The exploit used a ROP chain and was deployed in the Operation DeputyDog campaign.

The exploit was initially found in the wild in Japan, but systems with other language settings (English, Chinese, Korean and others) were targeted as well.

Software: Microsoft Internet Explorer

Remote code execution in Microsoft Internet Explorer
CVE-2013-3163

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error in CBlockContainerBlock. A remote attacker can create specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was exploited in a watering hole attack.

Software: Microsoft Internet Explorer

Remote code execution in Microsoft Office
CVE-2013-1331

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow when processing PNG image files. A remote attacker can create a specially crafted file, trick the victim into opening it using an affected version of Microsoft Office, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was reported by Andrew Lyons and Neel Mehta of Google Inc.

Using the samples provided by Microsoft, Eric Romang searched Google's cache and found that the earliest document attempting to fetch the exploit dated from February 2013; it referenced territorial disputes between China and the Philippines.
Romang also uncovered a Word document created in 2009 that, according to Google's VirusTotal service, would also exploit the flaw Microsoft patched. The file's title, "The corruption of Mahathir", referred to a Malaysian politician, fitting Microsoft's list of possible targets. Both documents pointed to a Bridging Links URL.

The vulnerability may therefore have been exploited in the wild in campaigns starting as early as 2009. Microsoft believes attacks were limited to Indonesia and Malaysia.

Software: Microsoft Office

Known/famous malware:

Trojan.Mdropper.

Privilege escalation in Microsoft Windows
CVE-2013-3660

Privilege escalation

The vulnerability allows a local attacker to obtain elevated privileges on the target system.

The weakness exists due to the failure to properly initialize a pointer for the next object in a certain list by the EPATHOBJ::pprFlattenRec function within kernel-mode driver (win32k.sys). A local attacker can use multiple FlattenPath function calls to obtain write access to the PATHRECORD chain and execute arbitrary code on the system with elevated privileges.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Tavis Ormandy, a Google security engineer, reported the bug to Microsoft only five days before going public with it.
The vulnerability has been used by the Carbanak group.

Software: Windows

Known/famous malware:

Cidox/Rovnix Bootkit
PowerLoader

Remote code execution in Microsoft Internet Explorer
CVE-2013-1347

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error in the CGenericElement object. A remote attacker can create specially crafted Web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was exploited in a watering hole attack against the US Department of Labor (DoL) web site. It is also reported as used in the Pawn Storm campaign.

Software: Microsoft Internet Explorer

Cross-site scripting in Microsoft SharePoint Server
CVE-2013-1289

Cross-site scripting

The vulnerability allows a remote attacker to perform cross-site scripting attacks and gain elevated privileges on the targeted SharePoint site.

The weakness exists due to insufficient sanitization of HTML strings by the SharePoint HTML Sanitization component. A remote attacker can create a specially crafted URL, trick the victim into opening it and run script in the victim's browser in the security context of the targeted site, taking actions on the site as the victim or reading restricted content.

Successful exploitation of the vulnerability results in execution of attacker-supplied script with the victim's privileges on the targeted site; it does not give code execution on the server.

Note: the vulnerability was being actively exploited.

Software: Microsoft SharePoint Server

Remote code execution in Microsoft Silverlight
CVE-2013-0074

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper handling of pointers (a double dereference) when rendering an HTML object. A remote attacker can create a specially crafted Web site containing a malicious Silverlight application, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft Silverlight

Known/famous malware:

Exploit kits: Angler, Archie, Astrum, Fiesta, Hanjuan, Infinity (Exploit kit), Neutrino, Nuclear Pack, RIG.