Zero-day Vulnerability Database
Zero-day vulnerabilities discovered: 20
Remote code execution in Microsoft Office
CVE-2017-11826
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling malicious content. A remote attacker can send a specially crafted .doc file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Note: the vulnerability is being actively exploited.
The weakness was reported to Microsoft by researchers at China-based security firm Qihoo 360. The experts said they first observed an attack exploiting this vulnerability on September 28. The attacks targeted a small number of the company’s customers and they involved malicious RTF files.
Software: Microsoft Office
Remote code execution in Microsoft .NET Framework
CVE-2017-8759
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to uncpecified error when processing untrusted input. A remote unauthenticated attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was detected by FireEye researchers. The attacker used Microsoft Office RTF document to leverage RCE in .NET Framework and deploy FINSPY malware. The malicious document “Проект.doc†(MD5: fe5c4d6bb78e170abf5cf3741868ea4c) had Russian name and might have been used to target a Russian speaker.
Software: Microsoft .NET Framework
Known/fameous malware:
FINSPY
Remote code execution in Windows Search service
CVE-2017-8543
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when Windows Search handles objects in memory. A remote unauthenticated attacker can send specially crafted messages to the Windows Search service and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Windows
Remote code execution when processing .LNK files in Microsoft Windows
CVE-2017-8464
Improper input validation
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to an error when processing .LNK files. A remote attacker can create a specially crafted .LNK file and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability is being actively exploited in the wild.
Software: Windows
Buffer overflow in Microsoft Windows RDP for Windows XP/2003
CVE-2017-0176
Buffer overflow
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to a boundary error in the Smart Card authentication code in gpkcsp.dll within Windows Remote Desktop services. A remote attacker can send specially crafted packets to the vulnerable system, trigger buffer overflow and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to gain complete control over the affected system.
Note: this vulnerability was publicly disclosed by the Shadow Brokers hacking team along with a fully functional exploit known as "“EsteemAudit".
The vulnerability is being exploited in the wild.
The vulnerability was disclosed by the Shadow Brokers hacking team.
Software: Windows
Known/fameous malware:
EsteemAudit
Two remote code execution vulnerabilities when processing EPS files in Microsoft Office
CVE-2017-0262
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when processing EPS wiles within Microsoft Office documents. A remote unauthenticated attacker can create a specially crafted document, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current victim.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was used by APT28 team along with another zero-day CVE-2017-0263.
Software: Microsoft Office
Known/fameous malware:
GAMEFISH
Multiple vulnerabilities in Win32.sys in Microsoft Windows
CVE-2017-0263
Elevation of privilege
The vulnerability allows a local user to elevate privileges on the system.
The vulnerability exists due to boundary error in Win32k.sys driver. A local user can escalate privileges on the system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was used by APT28 team along with another zero-day CVE-2017-0262.
Software: Windows
Known/fameous malware:
GAMEFISH
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0222
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Note: the vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Two remote code execution vulnerabilities when processing EPS files in Microsoft Office
CVE-2017-0261
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error when processing EPS images within Microsoft Office files. A remote attacker can create a specially crafted Office file with malicious EPS image, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was used by Turla and an unknown financially motivated actor.
Software: Microsoft Office
Known/fameous malware:
SHIRIME
NETWIRE
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/2017-2605
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261
https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
https://blogs.technet.microsoft.com/msrc/2017/05/09/coming-together-to-address-encapsulated-postscri...
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0210
Cross-domain scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of another domain.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: this vulnerability is being exploited in the wild.
Software: Microsoft Internet Explorer
Remote code execution in Microsoft Office
CVE-2017-0199
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can create a specially crafted Office document, trick the victim into opening it with Microsoft Office or WordPad and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in compromise vulnerable system.
Note: the vulnerability is being actively exploited.
The detected samples are organized as Word files containing Dridex botnet ID 7500 (more specially, RTF files with “.doc†extension name). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack dates to late January, according to McAfee.
According to FireEye, the malware leveraging this vulnerability was used to target Russian-speaking victims. As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the "Donetsk People's Republic" exploited CVE-2017-0199 to deliver FINSPY payloads.
This vulnerability was also used by Patya.A ransomware in malware outbreak on 27 June, 2017 as one of the attack vectors.
Software: Microsoft Office
Known/fameous malware:
Malware.Binary.Rtf
Dridex botnet
FINSPY
LATENTBOT
Petya.A
According to FireEye, the malware leveraging this vulnerability was used to target Russian-speaking victims. As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the "Donetsk People's Republic" exploited CVE-2017-0199 to deliver FINSPY payloads.
This vulnerability was also used by Patya.A ransomware in malware outbreak on 27 June, 2017 as one of the attack vectors.
Links:
https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
Remote code execution in Microsoft IIS 6.0
CVE-2017-7269
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in ScStoragePathFromUrl() function in the WebDAV service when processing overly long HTTP header beginning with "If: <http://" in a PROPFIND request. A remote unauthenticated attacker can trigger buffer overflow and execute arbitrary code on the target system with privileges of the IIS service.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited in the wild in July and August 2016.
There are reports that this vulnerability is being actively exploited in the wild against legacy installations of Microsoft IIS 6.0 in July and August 2016. At the time of publication the product was no longer supported by the vendor. However Microsoft has decided to release a security patch to address this issue on June 13, 2017.
Software: Microsoft IIS
Known/fameous malware:
EXPLODINGCAN
There are reports that this vulnerability is being actively exploited in the wild against legacy installations of Microsoft IIS 6.0 in July and August 2016. At the time of publication the product was no longer supported by the vendor. However Microsoft has decided to release a security patch to address this issue on June 13, 2017.
Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0145
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
Software: Windows
Known/fameous malware:
EternalSynergy exploit
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0144
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
This vulnerability was used to spread WannaCry and NotPetya ransomwere.
Software: Windows
Known/fameous malware:
EternalRomance exploit
WannaCry
NotPetya
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
This vulnerability was used to spread WannaCry and NotPetya ransomwere.
Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0147
Information disclosure
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and gain access to potentially sensitive data.
Successful exploitation of this vulnerability may allow an attacker to gain access to potentially sensitive information.
Note: this vulnerability has been exploited in the wild and is publicly known as EternalChampion exploit.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
Software: Windows
Known/fameous malware:
EternalChampion exploit
Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0146
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability has been exploited in the wild and is publicly known as EternalChampion exploit.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
Software: Windows
Known/fameous malware:
EternalChampion exploit
Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0143
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
On May 12, 2017 the malicious team has hit over 100,000 organizations in 150 countries. The hackers encrypted files from the target system and demanded 300-600$.
Software: Windows
Known/fameous malware:
WannaCry (Wana Decryptor) malware (the hackers added .WCRY extention to the targte files). The malware is believed to be connected to Lazarus Group from North Korea.
EternalBlue exploit.
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
On May 12, 2017 the malicious team has hit over 100,000 organizations in 150 countries. The hackers encrypted files from the target system and demanded 300-600$.
Multiple vulnerabilities in Microsoft Windows
CVE-2017-0005
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to improper handling of objects in memory by Windows Graphics Device Interface (GDI). A local attacker can run a specially crafted application, gain elevated privileges and execute arbitrary code on the affected system.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was used by Zirconium cyber-espionage group against older versions of Windows.
Software: Windows
Information disclosure in Microsoft XML Core Services
CVE-2017-0022
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to improper handling of objects in memory by Microsoft XML Core Services (MSXML). A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it and test for the presence of files on disk.
Successful exploitation of this vulnerability results in information disclosure.
Note: the vulnerability was being actively exploited.
This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit. The vulnerability was reported to Microsoft in September 2016. The first malware sample, discovered in the wild, is connected with AdGholas campaign in July 2016. The exploit came back again in September 2016 with the Neutrino exploit kit.
Software: Microsoft XML Core Services
Known/fameous malware:
Neutrino exploit kit
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0149
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when accessing objects in memory. A remote unauthenticated attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer