Zero-day Vulnerability Database
Zero-day vulnerabilities discovered: 8
Remote code execution in Microsoft Windows
CVE-2011-3402
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers. A remote attacker can create a specially crafted Word document or web page containing font data, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This vulnerability was being actively exploited by the Stuxnet in Duqu attack.
Software: Windows
Known/fameous malware:
Win32/Exploit.CVE-2011-3402.G
W32.Duqu
Links:
https://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25272
https://media.ccc.de/v/29c3-5417-en-cve_2011_3402_analysis_h264
https://securelist.com/blog/incidents/31445/the-mystery-of-duqu-part-two-23/
https://securingtomorrow.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%e2%80%93-further-tales...
https://technet.microsoft.com/library/security/2639658
https://technet.microsoft.com/library/security/ms11-087
https://blogs.technet.microsoft.com/msrc/2011/11/03/microsoft-releases-security-advisory-2639658/
https://www.f-secure.com/v-descs/exploit_w32_cve_2011_3402_a.shtml
https://krebsonsecurity.com/tag/cve-2011-3402/
http://yomuds.blogspot.com/2012/11/cve-2011-3402-and-cool-exploit-kit_28.html
http://blog.crysys.hu/2013/01/encryption-related-to-duqu-font-expoit-cve-2011-3402/
https://blogs.forcepoint.com/security-labs/cve-2011-3402-vulnerability-truetype-font-parsing
https://www.totaldefense.com/security-blog/tag/cve-2011-3402
Denial of service in Microsoft RDP
CVE-2011-1968
Denial of service
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to an error in the Remote Desktop Protocol when processing a sequence of malicious packets. A remote attacker can send a specially crafted RDP packets, gain access to an object that was not properly initialized or is deleted and cause the system to stop responding and restart.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Privilege escalation in Microsoft Windows
CVE-2011-1249
Privilege escalation
The vulnerability allows a local user to gain elevated privileges on the target system.
The vulnerability exists due to improper validation of input passed from user mode to the kernel in the Ancillary Function Driver (afd.sys). By running a malicious application, a local attacker with valid login credentials can execute arbitrary code with system privileges.
Successful exploitation of this vulnerability will allow the local attacker to obtain elevated privileges on vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms11-046.aspx
https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html
https://www.manageengine.com/products/desktop-central/patch-management/Windows-7-Ultimate-Edition/Wi...
http://www.hackingtutorials.org/exploit-tutorials/mingw-w64-how-to-compile-windows-exploits-on-kali-...
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2011-1255
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error related to time element when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: According to experts from M86, the vulnerability was exploited in targeted attacks before the official patch release from Microsoft.
According to experts from M86, this vulnerability was exploited in targeted attacks before the official patch release from Microsoft.
Software: Microsoft Internet Explorer
Links:
http://news.softpedia.com/news/Recently-Patched-IE-Flaw-Exploited-as-Zero-Day-208646.shtml
http://digcert.com/docs/symantec/symantec_report_2012.htm
http://securityaffairs.co/wordpress/44749/cyber-crime/operation-dust-storm.html
https://technet.microsoft.com/en-us/library/security/ms11-050.aspx
Multiple vulnerabilities in Microsoft Windows
CVE-2012-0181
Improper input validation
The vulnerability allows a local user to obtain elevated privileges on the target system.
The vulnerability exists due to improper managing of Keyboard Layout files by the kernel-mode driver (win32k.sys). A local attacker can execute arbitrary code on vulnerable system with SYSTEM privileges.
Successful exploitation of this vulnerability will allow the local attacker to obtain elevated privileges on vulnerable system.
Note: the vulnerability was being actively exploited.
According to Trustwave this is a zero-day.
A private exploit has been developed by Cr4sh and been published 2 weeks after the advisory.
CVE-2012-0181 fixes an issue alluded to on exploitdb site on Nov. 21, 2011, fixed July 10, 2012.
Software: Windows
A private exploit has been developed by Cr4sh and been published 2 weeks after the advisory.
CVE-2012-0181 fixes an issue alluded to on exploitdb site on Nov. 21, 2011, fixed July 10, 2012.
Links:
https://technet.microsoft.com/en-us/library/security/ms12-034
https://blogs.technet.microsoft.com/srd/2012/05/08/ms12-034-duqu-ten-cves-and-removing-keyboard-layo...
https://www.symantec.com/security_response/vulnerability.jsp?bid=53326
http://www.zdnet.com/article/linux-trailed-windows-in-patching-zero-days-in-2012-report-says/
https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/?dl=1
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2011-0094
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error when handling layout objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This vulnerability was reported to iDefense by anonymous. NSS was ready to pay for exploit for this vulnerability $100-500.
The vulnerability was used to compromise Philippines human rights website.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit:Win32/CVE-2011-0094.A
The vulnerability was used to compromise Philippines human rights website.
Links:
https://technet.microsoft.com/en-us/library/security/ms11-018.aspx
http://www.verisign.com/en_US/security-services/security-intelligence/vulnerability-reports/articles...
http://krebsonsecurity.com/tag/cve-2011-0094/
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/1971/layouts-handling-memory-co...
http://telussecuritylabs.com/threats/show/TSL20110414-01
https://www.symantec.com/connect/tr/blogs/government-and-human-rights-websites-fall-victim-targeted-...
http://www.infoworld.com/article/2620728/security/nss-labs-offers-reward-money-for-fresh-exploits.ht...
Information disclosure in MHTML in Microsoft Windows
CVE-2011-0096
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.The vulnerability exists due to insufficient sanitization of user-input passed via MIME-formatted requests for content blocks within a document. A remote attacker can trick the victim to follow a specially crafted "MHTML:" link and execute arbitrary HTML and script code in userтАЩs browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
The vulnerability was originally disclosed on the WooYun website.
Software: Windows
Known/fameous malware:
exploit:win32/cve-2011-0096 trojan horse.
Links:
https://technet.microsoft.com/library/security/ms11-026
https://blogs.technet.microsoft.com/srd/2011/01/28/more-information-about-the-mhtml-script-injection...
https://blogs.technet.microsoft.com/msrc/2011/01/28/microsoft-releases-security-advisory-2501696/
http://blog.qisupport.com/exploitwin32cve-2011-0096-trojan-virus-how-to-remove/
https://www.removemalwaretip.com/windows-8/clear-exploitwin32cve-2011-0096-trojan-from-your-windows-...
http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=62646
https://blog.qualys.com/laws-of-vulnerabilities/2011/01/27/microsoft-advisory-on-client-side-xss-250...
https://blogs.forcepoint.com/security-labs/month-threat-webscape-march-2011
Remote code execution in Microsoft Internet Explorer
CVE-2011-1345
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling onPropertyChange function calls. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was firstly disclosed by VUPEN in January 22, 2011.
This issue was disclosed as part of the Pwn2Own 2011 contest.
Using this vulnerability Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) running Internet Explorer 8 to win CanSecWest hacker challenge ($15,000 cash prize and a new Windows laptop) in March 9-11 in Vancouver, British Columbia.
The issue has been introduced in 03/05/2008.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit:JS/CVE-2011-1345.
This issue was disclosed as part of the Pwn2Own 2011 contest.
Using this vulnerability Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) running Internet Explorer 8 to win CanSecWest hacker challenge ($15,000 cash prize and a new Windows laptop) in March 9-11 in Vancouver, British Columbia.
The issue has been introduced in 03/05/2008.
Links:
https://technet.microsoft.com/en-us/library/security/ms11-018
http://www.computerworld.com/article/2506697/cybercrime-hacking/safari--ie-hacked-first-at-pwn2own.h...
https://twitter.com/aaronportnoy/statuses/45642180118855680
http://www.zdnet.com/article/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/
https://archive.cert.uni-stuttgart.de/bugtraq/2011/04/msg00159.html
https://packetstormsecurity.com/files/100469/Microsoft-Internet-Explorer-Property-Change-Memory-Corr...