Zero-day Vulnerability Database

Zero-day vulnerabilities discovered: 11

Multiple vulnerabilities in Microsoft Graphics Component
CVE-2016-7256

Memory Corruption

A remote attacker can execute arbitrary code on the target system.

The vulnerability exists due to incorrect handling of objects in memory in the Windows font library when processing OpenType fonts. A remote attacker can create a specially crafted font file and cause memory corruption.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the vulnerable system with the privileges of the current user.

Note: this vulnerability is being actively exploited in the wild.

The vulnerability started to appear on the radar in June 2016 as it was used in "low-volume attacks primarily focused on targets in South Korea". A successful attack exploited a flaw in the Windows font library to elevate privileges, and to install a backdoor on target systems called Hankray.

Software: Windows

Known/famous malware:

Trojan Horse Exp.CVE-2016-7256.

Privilege escalation in Windows 10
CVE-2016-7255

Privilege escalation

The vulnerability allows a local user to gain elevated privileges on the target system.

The weakness is due to improper handling of objects in memory by win32k.sys. By issuing a specially crafted NtSetWindowLongPtr() system call, a local attacker can set the GWLP_ID index to the WS_CHILD value on a window handle with GWL_STYLE and execute arbitrary code with SYSTEM privileges.

Successful exploitation of the vulnerability results in privilege escalation.

Note: this vulnerability is being actively exploited in the wild.

The zero-day was being actively exploited by Russian hackers (APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Sofacy).

Software: Windows

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-3298

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to improper handling of objects in memory by the Internet Messaging API. A remote attacker can create specially crafted content, trick the victim into opening it, bypass security restrictions and determine the existence of arbitrary files.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

Proofpoint researchers Will Metcalf and Kafeine first detected and reported CVE-2016-3298 in April 2016 as part of a "GooNky" infection chain along with CVE-2016-3351, but the information disclosure vulnerability was most likely already in use by the AdGholas group.

CVE-2016-3298 and CVE-2016-3351 were reported to Microsoft between October and December of 2015.


Software: Microsoft Internet Explorer

Known/famous malware:

Exploit Kit: Neutrino

Multiple vulnerabilities in Microsoft Windows
CVE-2016-3393

Arbitrary code execution

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error in the Graphics Device Interface (GDI) component. A remote attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability has been used by an APT group that Kaspersky Lab calls FruityArmor. Victims have been identified in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.

Software: Windows

Multiple vulnerabilities in Microsoft Edge
CVE-2016-7189

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error in the Scripting Engine when handling malicious files. A remote attacker can create specially crafted content, trick the victim into downloading it, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability will result in arbitrary code execution.

Note: the vulnerability was being actively exploited.

Software: Microsoft Edge

Remote code execution in Microsoft Office
CVE-2016-7193

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when Microsoft Word handles malicious RTF files. A remote attacker can create a specially crafted RTF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability will result in arbitrary code execution.

Note: the vulnerability was being actively exploited.

Software: Microsoft Word

Multiple vulnerabilities in Microsoft Internet Explorer and Edge
CVE-2016-3351

Memory corruption

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a boundary error when handling malicious files. A remote attacker can create specially crafted content, trick the victim into opening it, trigger memory corruption and gain access to arbitrary data.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

Microsoft has known about CVE-2016-3351 since 2015.
Exploited by the AdGholas and GooNky malvertising groups.

Software: Microsoft Internet Explorer

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-0189

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error in the Scripting Engine when handling malicious files. A remote attacker can create specially crafted content, trick the victim into opening it, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Used to target South Korean organizations.
A banking trojan (the Duuzer backdoor) was distributed by the Sundown Exploit Kit (EK) to target South Korean organizations. The exploit was later included in the Magnitude and KaiXin EKs.

Software: Microsoft Internet Explorer

Known/famous malware:

Exploit kit: Magnitude, Neutrino, RIG, Sundown.

Multiple vulnerabilities in Microsoft Windows
CVE-2016-0167

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.

Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Used to compromise organizations in the USA and Canada. The first attacks were detected on 08.03.2016.

Software: Windows

Known/famous malware:

PUNCHBABY or PUNCHTRACK Trojan.

Multiple vulnerabilities in Microsoft Windows
CVE-2016-0165

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.

Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The Badlock vulnerability.

Software: Windows

Remote code execution in Microsoft Silverlight
CVE-2016-0034

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error when parsing strings with a malicious decoder that can return negative offsets. A remote attacker can create specially crafted content, trick the victim into opening it, replace unsafe object headers with attacker-provided contents and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

On July 5, 2015, a large amount of data from one company was leaked to the Internet, with a hacker known as "Phineas Fisher" claiming responsibility for the breach.

Software: Microsoft Silverlight

Known/famous malware:

Used in the Angler, Hunter, RIG and Sundown Exploit Kits.