Zero-day Vulnerability Database

Zero-day vulnerabilities discovered: 20

Privilege escalation in Microsoft Windows
CVE-2014-6324

Privilege escalation

The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.

The weakness exists due to the failure to properly validate signatures in the Kerberos ticket by the Microsoft Kerberos KDC implementation. A remote attacker can forge a ticket and elevate an unprivileged domain user account to a domain administrator account.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Exploited by Duqu.

The vulnerability was reported by Qualcomm Information Security & Risk Management team.

Software: Windows

Privilege escalation in Microsoft Windows
CVE-2014-4077

Privilege escalation

The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.

The weakness exists due to improper access control in Microsoft's implementation of the Input Method Editor (IME) for the Japanese language. A remote attacker can create a specially crafted file designed to invoke a vulnerable sandboxed application, trick the victim into opening it, gain elevated privileges and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

CVE-2014-4077 was used in a targeted attack in the wild to bypass the Adobe Reader sandbox via binary hijacking using a malicious DIC file.

Software: Windows

Remote code execution in Microsoft Windows
CVE-2014-6352

Code injection

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error when handling malicious Office files. A remote attacker can create a specially crafted Microsoft Office file containing the malicious OLE object, trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Microsoft first received information about this vulnerability through coordinated vulnerability disclosure. The zero-day was initially found and reported to McAfee by James Forshaw of Google Project Zero.

The vulnerability is publicly known as "Sandworm" and has been exploited by the Chinese against Taiwan.

Software: Windows

Known/famous malware:

Trojan.Mdropper. (Symantec).

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2014-4123

Privilege escalation

The vulnerability allows a remote attacker to obtain elevated privileges on the target system.

The weakness exists due to the failure to properly validate permissions. A remote attacker can gain elevated privileges and execute arbitrary code on the affected system.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

CrowdStrike first detected the attacks in spring.
The zero-day reported by CrowdStrike was also reported by FireEye.
The issue was introduced on 07/27/2005.
The vulnerability was handled as a non-public zero-day exploit for at least 3366 days.

Exploited by Hurricane Panda.

Software: Microsoft Internet Explorer

Remote code execution in Microsoft Windows
CVE-2014-4148

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper input validation when processing TrueType fonts in kernel-mode driver (win32k.sys). A remote attacker can create a specially crafted font file, place it on a web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was heavily exploited by the advanced adversary group named HURRICANE PANDA.

Software: Windows

Remote code execution in Microsoft Windows
CVE-2014-4114

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error when processing OLE objects. A remote attacker can create a specially crafted OLE object, attach it to a document (e.g. PowerPoint file), trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The zero-day vulnerability is claimed to have been used in early September in possible campaigns against NATO, Ukrainian government organizations, a Western European government organization, energy sector firms (specifically in Poland), European telecommunications firms and United States academic organizations.
Files in the SandWorm exploit highlighted by iSIGHT Partners include a malicious executable from a known malware family, namely the BlackEnergy Trojan.

Software: Windows

Known/famous malware:

Dyreza Trojan.
SandWorm
BlackEnergy Trojan.

Privilege escalation in Microsoft Windows
CVE-2014-4113

Privilege escalation

The vulnerability allows a local attacker to obtain elevated privileges on the target system.

The weakness exists due to improper handling of objects in memory by kernel-mode driver (win32k.sys). A local attacker can run a specially crafted application to gain elevated privileges and take complete control of the system.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was apparently found and reported to Microsoft by both CrowdStrike and FireEye.
The vulnerability has been actively exploited in the wild for at least five months by the highly advanced adversary group named HURRICANE PANDA.

Software: Windows

Known/famous malware:

Nuclear Exploit Kit.

Information disclosure in Microsoft Internet Explorer
CVE-2013-7331

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to information disclosure vulnerability in Microsoft XMLDOM ActiveX component. A remote attacker can create a specially crafted Web page, trick the victim into visiting it and check for the presence of local drive letters, directory names, files, as well as internal network addresses or websites.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

PoC code for this vulnerability has been available since at least April 25, 2013.

Software: Microsoft Internet Explorer

Known/famous malware:

Exploit kits: Angler, Rig, Nuclear, Styx.

Privilege escalation in Microsoft Internet Explorer
CVE-2014-2817

Privilege escalation

The vulnerability allows a remote attacker to obtain elevated privileges on the target system.

The weakness exists due to the failure to properly validate permissions. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, gain elevated privileges and execute arbitrary code on the affected system.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft Internet Explorer

Security bypass in Microsoft Office
CVE-2014-1809

Security bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper implementation of Address Space Layout Randomization (ASLR) features in MSCOMCTL. By persuading a victim to visit a specially-crafted Web site or open an application or Office document with a specially-crafted ActiveX control embedded within it, an attacker could exploit this vulnerability to bypass ASLR and execute another attack that otherwise would have been blocked by ASLR.

Successful exploitation of the vulnerability results in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.

The issue was introduced on 01/30/2007.

Software: Microsoft Office

Privilege escalation in Microsoft Windows
CVE-2014-1812

Privilege escalation

The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.

The weakness exists due to the way passwords are distributed when configured using Group Policy Preferences. A remote authenticated attacker can obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Windows

Two remote code execution vulnerabilities in Microsoft Internet Explorer
CVE-2014-1815

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

CVE-2014-1815 was reported to Microsoft by Clement Lecigne, a security engineer who works for Google in its Swiss office.

The vulnerability was used in a phishing campaign that started on or about July 21, 2014 and primarily targeted the energy industry.

Software: Microsoft Internet Explorer

Privilege escalation in Microsoft Windows
CVE-2014-1807

Privilege escalation

The vulnerability allows a local attacker to obtain elevated privileges on the target system.

The weakness exists due to improper use of the ShellExecute API function. A local attacker can run a specially crafted application within the context of the Local System account and gain elevated privileges.

Successful exploitation of the vulnerability results in privilege escalation on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Windows

Remote code execution in Microsoft Internet Explorer
CVE-2014-1776

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The exploit uses a heap-spray technique. Used in the Pawn Storm campaign.
Used by APT groups.

Software: Microsoft Internet Explorer

Multiple vulnerabilities in Microsoft Word and Office Web Apps
CVE-2014-1761

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when handling RTF-formatted data. A remote attacker can create a specially crafted RTF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Used in the Pawn Storm campaign and in attacks against government agencies in Taiwan.

Software: Microsoft Office

Known/famous malware:

Trojans like Dridex or Dyreza and ransomware like cryptolocker or Teslacrypt.

Remote code execution in Microsoft Internet Explorer
CVE-2014-0324

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

On Feb. 11, FireEye researchers identified a zero-day exploit in Internet Explorer 10.

The exploit was being used in Operation SnowMan that compromised the U.S. Veterans of Foreign Wars website.

Software: Microsoft Internet Explorer

Known/famous malware:

Elderwood exploit kit.

Remote code execution in Microsoft Internet Explorer
CVE-2014-0307

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free when accessing an object in memory. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The flaw was most likely introduced in August 2013. The vulnerability was reported to the vendor on 2014-02-04.
Private, fully functional exploit code existed long before the vendor released a security patch. We consider this vulnerability a zero-day.

Software: Microsoft Internet Explorer

Known/famous malware:

JS/Exploit.CVE-2014-0307.

Remote code execution in Microsoft Internet Explorer
CVE-2014-0322

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error related to GIFAS. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

A zero-day exploit was hosted on a breached website associated with the U.S. military. The vulnerability was used in the wild as part of "Operation SnowMan".

Software: Microsoft Internet Explorer

Known/famous malware:

Trojan.Malscript
Trojan.Swifi.
Backdoor.Moudoor
Elderwood exploit kit.

Multiple vulnerabilities in Microsoft .NET Framework
CVE-2014-0295

ASLR bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to missing Address Space Layout Randomization (ASLR) features in certain components. A remote attacker can create a specially crafted Web site, trick the victim into opening it, bypass security restrictions and execute another attack.

Successful exploitation of the vulnerability results in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft .NET Framework

Information disclosure in Microsoft XML Core Services
CVE-2014-0266

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper enforcement of cross-domain policies. A remote attacker can create a specially crafted Web page, trick the victim into visiting it using Internet Explorer, bypass cross-domain security restrictions and read local files or content from web domains the victim is authenticated with.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

Microsoft and FireEye first discussed this issue in November, 2013.

Software: Microsoft XML Core Services