Zero-day Vulnerability Database
Zero-day vulnerabilities discovered: 8
Remote code execution in Microsoft Internet Explorer
CVE-2012-4792
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error when handling the CDwnBindInfo object and attempting to access an object in memory that has not been initialized or has been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This vulnerability was described by Eric Romang and FireEye through Malware Protection Cloud.
The vulnerability has been exploited in watering hole attacks against Council on Foreign Relations (CFR) website 26.12.2012. The attack appears to be closely related to attacks in June 2012 that were targeting visitors of a major hotel chain and other attacks associated with the Elderwood Project.
Software: Microsoft Internet Explorer
The vulnerability has been exploited in watering hole attacks against Council on Foreign Relations (CFR) website 26.12.2012. The attack appears to be closely related to attacks in June 2012 that were targeting visitors of a major hotel chain and other attacks associated with the Elderwood Project.
Links:
https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-det...
https://technet.microsoft.com/library/security/ms13-008
https://technet.microsoft.com/library/security/2794220
http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-...
https://blogs.technet.microsoft.com/srd/2012/12/31/microsoft-fix-it-available-for-internet-explorer-...
https://blogs.technet.microsoft.com/srd/2012/12/29/new-vulnerability-affecting-internet-explorer-8-u...
https://www.alienvault.com/blogs/labs-research/new-internet-explorer-zeroday-was-used-in-the-dol-wat...
http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-...
https://nakedsecurity.sophos.com/2012/12/31/zero-day-vulnerability-in-internet-explorer-being-used-i...
XSS in HTML Sanitization Component in Microsoft Office products
CVE-2012-2520
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks and gain elevated privileges.The vulnerability exists due to insufficient sanitization of user-input within HTML Sanitization Component. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in userтАЩs browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability was being actively exploited.
Software: Microsoft Office InfoPath
Links:
https://technet.microsoft.com/en-us/library/security/ms12-066.aspx
http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_10_10_2012.pdf
http://www.securityweek.com/recently-patched-html-sanitization-flaw-linked-hotmail-xss-vulnerability
http://www.trendmicro.com.ru/vinfo/ru/threat-encyclopedia/vulnerability/2293/microsoft-windows-html-...
http://www.tripwire.com/vert/vert-alert/vert-alert-october-9-2012/
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000380.aspx
Remote code execution in Microsoft Internet Explorer
CVE-2012-4969
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in the CMshtmlEd::Exec function in mshtml.dll. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was found exploited in the wild and discovered by Eric Romang.
A real-world attack using the vulnerability first appeared in a blog post in Sep.14, 2012. The vulnerability was used by "Nitro" hacking group.
Software: Microsoft Internet Explorer
A real-world attack using the vulnerability first appeared in a blog post in Sep.14, 2012. The vulnerability was used by "Nitro" hacking group.
Links:
https://technet.microsoft.com/library/security/2757760
https://technet.microsoft.com/en-us/library/security/ms12-063
https://blogs.technet.microsoft.com/mmpc/2012/09/21/what-you-need-to-know-about-cve-2012-4969/
http://www.sevenforums.com/system-security/260613-should-i-remove-cve-2012-4969-a.html
http://krebsonsecurity.com/tag/cve-2012-4969/
https://www.f-secure.com/en/web/labs_global/cve-2012-4969
https://barracudalabs.com/2012/09/internet-explorer-0day-exploit-cve20124969-its-what-you-cant-see-t...
http://security.stackexchange.com/questions/21237/need-help-on-understanding-obfuscated-code-in-cve-...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25947
http://contagiodump.blogspot.com/2012/09/cve-2012-4969-internet-explorer-0day.html
http://www.antiy.net/p/sample-of-cve-2012-4969/
https://www.securestate.com/blog/2012/09/21/threat-alert-internet-explorer-zero-day-cve-2012-4969
https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2012-4969-and-the-Unnamed-Admin-Panel/
Remote code execution in Windows Common Controls
CVE-2012-1856
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in MSCOMCTL.OCX ActiveX control. A remote attacker can create a specially crafted Web page that passes an overly long string argument, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Favorite hackers' vulnerability for years has been exploited along with CVE-2012-1856, CVE-2015-1641, CVE-2015-1770 in an APT campaign against journalists and human rights workers in Tibet, Hong Kong and Taiwan.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms12-060
https://blog.ropchain.com/2015/07/27/analyzing-vupens-cve-2012-1856/
http://www.securityweek.com/cve-2012-0158-exploited-attacks-targeting-government-agencies-europe-asi...
http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-rat-uwarrior/
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25966
https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
https://threatpost.com/apt-targeting-tibetans-packs-four-vulnerabilities-in-one-compromise/117493/
https://www.hackread.com/skype-malware-saves-screenshots-records-conversations/
https://www.grahamcluley.com/advanced-malware-logs-skype-calls-steals-files-removable-drives/
https://securingtomorrow.mcafee.com/mcafee-labs/threat-actors-use-encrypted-office-binary-format-eva...
https://www.symantec.com/security_response/vulnerability.jsp?bid=54948
https://blogs.technet.microsoft.com/srd/2012/08/14/ms12-060-addressing-a-vulnerability-in-mscomctl-o...
http://varzia.com/blog/keyboy-malware-used-in-targeted-attacks-in-asia/
Remote code execution in Microsoft Office
CVE-2012-1854
Untrusted Search Path
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to the way Microsoft Office loads .dll libraries when opening Office documents (such as a .docx file). A remote attacker can place a specially crafted .dll file along with Microsoft Office document on a remote SMB or WebDAV share, trick the victim into opening that document and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was being actively exploited since mid-March, 2012. The targeted attacks were focusing on Japanese organizations.
Software: Microsoft Office
Links:
https://technet.microsoft.com/library/security/ms12-046
https://www.symantec.com/connect/blogs/microsoft-patch-tuesday-july-2012
https://www.trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Patch-Tuesday-July-2012-%E2%80%93-TLS-...
https://www.symantec.com/connect/blogs/targeted-attacks-exploit-vba-vulnerability-july-ms-tuesday
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2012-1875
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to a use-after-free error related to same id property when attempting to access objects that have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
A functional exploit with shellcode appeared on PasteBin on 8.06.12 - four days before the Microsoft patch release.
The vulnerability was reported by adept with nickname Dark Son and researcher Yichong Lin.
Software: Microsoft Internet Explorer
Known/fameous malware:
Trojan.Naid.
The vulnerability was reported by adept with nickname Dark Son and researcher Yichong Lin.
Links:
https://technet.microsoft.com/en-us/library/security/ms12-037
https://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid
https://www.alienvault.com/blogs/labs-research/ongoing-attacks-exploiting-cve-2012-1875
https://threatpost.com/exploit-code-surfaces-cve-2012-1875-internet-explorer-bug-061812/76702/
http://breakthesecurity.cysecurity.org/2012/06/cve-2012-1875-hacking-windows-using-ms12-037-internet...
http://www.ehackingnews.com/2012/06/cve-2012-1875-exploit-for-remote-code.html
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/MS12_037_SAME_ID
http://eromang.zataz.com/2012/06/13/ms12-037-internet-explorer-same-id-vulnerability-metasploit-demo...
http://www.cio.com/article/2394927/security0/attack-code-published-for-two-actively-exploited-vulner...
http://www.infosecisland.com/blogview/21670-Symantec-Internet-Explorer-Zero-Day-Exploit-in-the-Wild....
Remote code execution in Microsoft XML Core Services
CVE-2012-1889
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in XML Core Services (MSXML) when attempting to access an object in memory that has not been initialized. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
One of the vulnerabilities used by Aurora group.
The attackers used the CVE-2010-2884 and CVE-2012-1889 0-day exploits to specifically target visitors to Amnesty International Hong Kong site
20.06.2012 SophosLabs determined that the website of a European aeronautical parts supplier had been hacked and delivered exploit for CVE-2012-1889.
TrendMicro observed the vulnerability targeting Chinese high school webpage.
Software: Microsoft XML Core Services
The attackers used the CVE-2010-2884 and CVE-2012-1889 0-day exploits to specifically target visitors to Amnesty International Hong Kong site
20.06.2012 SophosLabs determined that the website of a European aeronautical parts supplier had been hacked and delivered exploit for CVE-2012-1889.
TrendMicro observed the vulnerability targeting Chinese high school webpage.
Links:
https://technet.microsoft.com/library/security/2719615
https://technet.microsoft.com/library/security/ms12-043
https://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/
https://www.symantec.com/connect/blogs/cve-2012-1889-action
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://www.welivesecurity.com/2012/06/20/cve2012-1889-msxml-use-after-free-vulnerability/
https://www.experts-exchange.com/questions/27793137/After-Friday's-Rounds-of-Patches-from-Microsoft-...
http://contagiodump.blogspot.com/2012/07/brian-mariani-high-tech-bridge-htbridge.html
http://www.darknet.org.uk/2012/06/windows-xml-core-services-exploit-attacked-in-the-wild-cve-2012-18...
http://www.infoworld.com/article/2617287/malware/widely-used-web-attack-toolkit-exploits-unpatched-m...
https://nakedsecurity.sophos.com/2012/06/29/zero-day-xml-core-services-vulnerability-included-in-bla...
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000352.aspx
https://nakedsecurity.sophos.com/2012/06/29/zero-day-xml-core-services-vulnerability-included-in-bla...
http://thehackernews.com/2012/09/operation-aurora-other-zero-day-attacks.html
Remote code execution in MSCOMCTL.OCX ActiveX control in Microsoft Office
CVE-2012-0158
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in MSCOMCTL.OCX ActiveX control. A remote attacker can create a specially crafted Web page that passes an overly long string argument, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Researchers based in Asia noticed these malicious documents in Japan and Taiwan before they started showing up/targeting USA companies.
The vulnerability appeared to operate in 2014 in the Western Australian time zone. Examples of such groups include the 'Shiqiang Gang' (as reported by McAfee), 'PLEAD' (as reported by Trend Micro), 'NetTraveler' (as reported by Kaspersky) and 'APT12' (as reported by FireEye).
The vulnerability has been exploited in Red October attacks in 2012 and attacks targeting Chinese media organizations, personnel at government agencies in Europe, Middle East and Central Asia in 2013. The exploit was successfully used in breach attack against NewYork Times in August of 2013. The vulnerability was still exploited in 2016. Exploit for this vulnerability was used in Pawn Storm campaign as well.
Software: Microsoft Office
Known/fameous malware:
TROJ_DROPPER.IK
BKDR_HGDER.IK.
The vulnerability appeared to operate in 2014 in the Western Australian time zone. Examples of such groups include the 'Shiqiang Gang' (as reported by McAfee), 'PLEAD' (as reported by Trend Micro), 'NetTraveler' (as reported by Kaspersky) and 'APT12' (as reported by FireEye).
The vulnerability has been exploited in Red October attacks in 2012 and attacks targeting Chinese media organizations, personnel at government agencies in Europe, Middle East and Central Asia in 2013. The exploit was successfully used in breach attack against NewYork Times in August of 2013. The vulnerability was still exploited in 2016. Exploit for this vulnerability was used in Pawn Storm campaign as well.
Links:
https://technet.microsoft.com/library/security/ms12-027
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/CVE-2012-0158-An-Anatomy-of-a-Prol...
https://securingtomorrow.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild/
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-exploitation-seen-in-variou...
https://sentinelone.com/item-news/cve-2012-0158-allocated-2011-patched-2012-still-actively-exploited...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25656
https://www.virusbulletin.com/blog/2014/10/cve-2012-0158-continues-be-used-targeted-attacks/
https://www.alienvault.com/blogs/security-essentials/cmstar-apt-malware-cve-2012-0158
http://contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html
http://blog.9bplus.com/same-cve-2012-0158-different-builder/
http://blog.malwaretracker.com/2013/08/cve-2012-0158-exploit-evades-av-in-mime.html
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-now-being-used-in-more-tibe...
https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
https://blogs.sophos.com/2016/07/01/the-word-bug-that-just-wont-die-cve-2012-0158-the-cybercrime-gif...