Zero-day Vulnerability Database

Zero-day vulnerabilities discovered: 20

Two remote code execution vulnerabilities in Microsoft Windows
CVE-2009-0555

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing malformed Advanced Systems Format (ASF) files. A remote attacker can create a specially crafted audio file that uses the Windows Media Speech codec, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Windows Media Format Runtime

Multiple vulnerabilities in Microsoft Windows
CVE-2009-3126

Integer Overflow or Wraparound

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an integer overflow in GDI+ when handling PNG image files. A remote attacker can create a specially crafted PNG image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: according to reports, this vulnerability was being actively exploited before Microsoft issued a security patch.

According to Symantec the first exploitation of the vulnerability was discovered on 2009-01-27.

Software: Windows

Known/famous malware:

Bloodhound.Exploit.278

Multiple vulnerabilities in Microsoft Windows
CVE-2009-2501

Heap-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a heap-based buffer overflow in GDI+ when handling PNG image files. A remote attacker can create a specially crafted PNG image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

According to Symantec the first exploitation of the vulnerability was discovered on 2009-01-07.

Software: Windows

Known/famous malware:

Bloodhound.Exploit.277

Two vulnerabilities in Microsoft IIS FTP server
CVE-2009-3023

Stack-based buffer overflow

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The weakness exists due to a stack-based buffer overflow in the FTP server. A remote authenticated attacker can send a specially crafted FTP NLST command containing a wildcard that references a subdirectory, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The issue was introduced on 06/02/1998. The weakness was publicly disclosed on August 31, 2009 by Kingcope. The vulnerability was handled as a non-public zero-day exploit.

Software: Microsoft IIS

Denial of service in Microsoft .NET Framework
CVE-2009-1536

Denial of service

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to incorrect management of request scheduling by ASP.NET. By sending multiple HTTP requests, a remote attacker can trigger the Web server to crash.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft .NET Framework

Remote code execution in Microsoft Windows
CVE-2009-2493

Improper initialization

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper initialization in the Microsoft Active Template Library (ATL) when handling objects from data streams, related to unsafe usage of the OleLoadFromStream() function. A remote attacker can create a specially crafted Web site that instantiates a vulnerable component or control in the IE browser, trick the victim into viewing it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft Active Template Library

Remote code execution in Microsoft Office Web Components
CVE-2009-1136

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error in the Office Web Components ActiveX Control when handling parameter values. A remote attacker can create a specially crafted Web page, trick the victim into viewing it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft Office

Remote code execution in Microsoft Video ActiveX Control
CVE-2008-0015

Stack-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a stack-based buffer overflow in the Microsoft Video ActiveX Control, msvidctl.dll. By persuading a victim to visit a specially crafted Web page, a remote attacker can trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability has been exploited in the wild since June 11, 2009 (as discovered by X-Force) and was touted by the media and by SANS as being exploited in the wild on July 6, 2009.

According to Symantec research, the first exploitation of the vulnerability was detected on 2008-12-28.

Software: Microsoft Video ActiveX Control

Known/famous malware:

HTML/CVE-2008-0015
Bloodhound.Exploit.259

Multiple vulnerabilities in Microsoft Excel
CVE-2009-0561

Integer Overflow or Wraparound

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an integer overflow when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed object record, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

According to Symantec the first exploitation of the vulnerability was discovered on 11.01.2009.

Software: Microsoft Excel

Known/famous malware:

Bloodhound.Exploit.251

Multiple vulnerabilities in Microsoft Excel
CVE-2009-1134

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed record pointer, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: according to reports, this vulnerability was being actively exploited before Microsoft issued a security patch.

The vulnerability had been exploited for over a year and was reported to the vendor on 2009-03-26.
According to Symantec the first exploitation of the vulnerability was discovered on 2008-07-25.

Software: Microsoft Excel

Known/famous malware:

Bloodhound.Exploit.254

Multiple privilege escalation vulnerabilities in Microsoft Windows
CVE-2009-1123

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper validation of changes in certain kernel objects. By running a malicious application, a local attacker can submit malformed calls to the Windows Kernel and execute arbitrary code in kernel mode.

Successful exploitation of the vulnerability results in privilege escalation, allowing an attacker to execute arbitrary code and take complete control of the affected system.

Note: according to reports, this vulnerability was being actively exploited before Microsoft issued a security patch.

This vulnerability was used by the Equation Group in attacks involving the Fanny malware. The exploit was later added to the Stuxnet malware. It was initially discovered by Kaspersky Lab in December 2008.

The Microsoft bulletin describing the 4 vulnerabilities does not state which vulnerability was used during the attacks. We are aware of at least two publicly disclosed exploits from this bulletin used by different malware in targeted attacks during Operation Pawn Storm and Turla.

The CVEs covered in this bulletin: CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126. At least one of them was exploited in the wild before the official security patch.

Software: Windows

Known/famous malware:

Exploit kits: Fanny, Stuxnet, Turla.

Remote code execution in Microsoft DirectX
CVE-2009-1537

Null byte interaction error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a NULL byte error in DirectX. A remote attacker can create a specially crafted QuickTime media file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Software: Microsoft DirectX

Known/famous malware:

Exploit:JS/Mult.BM
Exploit:Win32/CVE-2009-1537

Multiple vulnerabilities in Microsoft PowerPoint
CVE-2009-0556

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malformed PowerPoint files. A remote attacker can create a specially crafted PowerPoint file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: this vulnerability was being actively exploited.

Software: Microsoft PowerPoint

Multiple vulnerabilities in Microsoft Windows
CVE-2009-0080

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to incorrect placement of access control lists (ACLs) on threads in the current ThreadPool. By leveraging the incorrect thread ACLs, an attacker running as the NetworkService or LocalService account can obtain elevated privileges and execute code with privileges of the SYSTEM account.

Successful exploitation of the vulnerability results in privilege escalation, allowing an attacker to execute arbitrary code and take complete control of the affected system.

Note: this vulnerability was being actively exploited.

Known as "Token Kidnapping".

Software: Windows

Multiple vulnerabilities in Microsoft Windows
CVE-2009-0079

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper isolation of processes in the RPCSS service. An attacker accessing the computer in the context of a NetworkService or LocalService account can obtain privileged security tokens and execute code with privileges of the SYSTEM account.

Successful exploitation of the vulnerability results in privilege escalation, allowing an attacker to execute arbitrary code and take complete control of the affected system.

Note: this vulnerability was being actively exploited.

Known as "Token Kidnapping".

Software: Windows

Multiple vulnerabilities in Microsoft Windows
CVE-2009-0078

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to insufficient security protections in Windows Management Instrumentation (WMI) providers. An attacker accessing the computer in the context of a NetworkService or LocalService account can obtain privileged security tokens and execute code with privileges of the SYSTEM account.

Successful exploitation of the vulnerability results in privilege escalation, allowing an attacker to execute arbitrary code and take complete control over the affected system.

Note: this vulnerability was being actively exploited.

Known as "Token Kidnapping".

Software: Windows

Multiple vulnerabilities in Microsoft Windows
CVE-2009-0087

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow when processing documents in Microsoft WordPad and the Microsoft Office converter. A remote attacker can create a specially crafted Word file containing malformed data, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was handled as a non-public zero-day exploit for at least 3344 days. The issue was introduced on 02/17/2000.
The vulnerability was first disclosed on June 17, 2008.

Software: Windows

Remote code execution in Microsoft Windows
CVE-2009-0084

Use-after-free error

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing a malformed JPEG file. A remote attacker can create a specially crafted JPEG file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: this vulnerability is being actively exploited.

According to Symantec the first exploitation of the vulnerability was discovered on 2008-10-23.

Software: Microsoft DirectX

Two vulnerabilities in Microsoft IIS FTP server
CVE-2009-2521

Improper input validation

The vulnerability allows a remote authenticated attacker to cause DoS conditions on the target system.

The weakness exists due to an error when the FTP Service processes recursive directory listing commands. By sending a specially crafted LIST command containing wildcard characters, a remote attacker can trigger the FTP service to crash.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Note: the vulnerability was being actively exploited.

The issue was introduced on 02/17/2000. The weakness was disclosed on 09/04/2009 by Kingcope.

Software: Microsoft IIS

Remote code execution in Microsoft Excel
CVE-2009-0238

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed object, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: this vulnerability was being actively exploited.

Software: Microsoft Excel

Known/famous malware:

TROJ_MDROPPER.XR (TrendMicro)
Exploit - MSExcel.r (McAfee)
Trojan.Mdropper.AC (Symantec)