Zero-day Vulnerability Database

Zero-day vulnerabilities discovered: 11

Remote code execution in Microsoft Windows
CVE-2008-4844

Use-after-free

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer. A remote attacker can construct a specially crafted Web page, trick the victim into viewing it, trigger memory corruption and execute arbitrary code via DSO bindings involving an XML Island, XML DSOs, or Tabular Data Control (TDC) in a crafted HTML or XML document.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft Internet Explorer

Remote code execution in Microsoft Word
CVE-2008-4841

Stack-based buffer overflow

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The weakness exists due to a stack overflow when parsing a malicious document. A remote attacker can create a specially crafted Word file containing a malformed list structure, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft WordPad

Known/famous malware:

Exploit: Win32/CVE-2008-4841

Two remote code execution vulnerabilities in Microsoft Windows
CVE-2008-2249

Integer Overflow or Wraparound

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an integer overflow when processing a malformed WMF image file. By persuading the victim to open a specially crafted WMF image file containing a malformed header, a remote attacker can cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: according to reports, this vulnerability was being actively exploited before Microsoft issued a security patch.

According to Symantec first exploitation of this vulnerability was detected on 2008-10-14.

Software: Windows

Known/famous malware:

Bloodhound.Exploit.214.

Remote code execution in Microsoft Windows
CVE-2008-4250

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow during path canonicalization in the Windows Server service. By sending a specially crafted RPC request, a remote attacker can cause memory corruption and execute arbitrary code with privileges of the system account.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: this vulnerability was being actively exploited.

According to Symantec, first exploitation of this vulnerability was detected on 2008-02-05. The vulnerability was used by the Conficker worm.

Software: Windows

Known/famous malware:

Trojan (Gimmiv.A) and a Trojan searching for non-patched machines on LAN (Arpoc.A)
W32.Downadup aka Conficker
W32.Downadup.B
W32.Fujacks.CE
W32.Neeris.C
W32.Wapomi.B

Remote code execution in Microsoft Windows
CVE-2008-3704

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow in the Masked Edit ActiveX Control. A remote attacker can construct a specially crafted Web page, trick the victim into viewing it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft Masked Edit ActiveX Control

Remote code execution in Microsoft Word
CVE-2008-2244

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow when handling malformed Word files. A remote attacker can create a specially crafted Word file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was being used in a 2008 Summer Olympics-themed attack.

Software: Microsoft Word

Remote code execution in Microsoft Access
CVE-2008-2463

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow in the ActiveX control for the Snapshot Viewer for Microsoft Access. A remote attacker can construct a specially crafted Web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: this vulnerability was being actively exploited.

Software: Microsoft Office

Known/famous malware:

JS/Exploit.CVE-2008-2463.A
Exploit kits using this vulnerability: Eleonore and Siberia.

Remote code execution in Microsoft Windows Internet Printing Service
CVE-2008-1446

Integer overflow

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The weakness exists due to an integer overflow in the Windows Internet Printing Protocol (IPP) implementation. By sending a specially crafted HTTP POST request, a remote authenticated attacker can cause memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

According to US CERT, the targeted attacks were spotted on May 2, 2008.

Software: Windows

Privilege escalation in Microsoft Windows
CVE-2008-1436

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper security restrictions on security tokens in the Microsoft Distributed Transaction Coordinator (MSDTC) service. By sending a specially crafted request to the MSDTC service, an attacker can access privileged security tokens and execute code with privileges of SYSTEM account.

Successful exploitation of the vulnerability results in privilege escalation, allowing an attacker to execute arbitrary code and take complete control of an affected system.

Note: this vulnerability was being actively exploited.

The vulnerability was used in Operation Iron Tiger, a cyber espionage campaign carried out by Chinese hackers on United States Defense Contractors.

Software: Windows

Remote code execution in Microsoft Jet
CVE-2007-6026

Buffer overflow

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the Jet database engine when parsing .mdb files. A remote attacker can create a specially crafted .mdb file, trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Note: this vulnerability has been publicly disclosed since 2005; however, an attack vector was introduced only in 2008. The vulnerability is being actively exploited.

The vulnerability initially had three CVEs: CVE-2005-0944, CVE-2007-6026 and CVE-2008-1092.
The issue was introduced on 02/17/2000. The vulnerability was handled as a non-public zero-day exploit for at least 2832 days.

Software: Microsoft Jet

Known/famous malware:

Trojan.Acdropper.C

Multiple vulnerabilities in Microsoft Excel
CVE-2008-0081

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling macros in Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: this vulnerability was being actively exploited.

Software: Microsoft Excel

Known/famous malware:

mx97:cve-2008-0081 virus
Exploit-MSExcel.p