Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)
2015-07-15T00:00:00
ID OPENVAS:1361412562310805811 Type openvas Reporter Copyright (C) 2015 Greenbone Networks GmbH Modified 2017-01-20T00:00:00
Description
This host is missing an important security
update according to Microsoft Bulletin MS15-070.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_ms_word_ms15-070.nasl 5053 2017-01-20 13:10:56Z cfi $
#
# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)
#
# Authors:
# Thanga Prakash S <tprakash@secpod.com>
#
# Copyright:
# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
  ## Identity of this test and the advisory it covers
  script_oid("1.3.6.1.4.1.25623.1.0.805811");
  script_version("$Revision: 5053 $");
  script_name("Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)");
  script_cve_id("CVE-2015-2379", "CVE-2015-2380", "CVE-2015-2424");
  script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
  script_category(ACT_GATHER_INFO);
  script_family("Windows : Microsoft Bulletins");

  ## Severity and bookkeeping dates
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_tag(name:"creation_date", value:"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)");
  script_tag(name:"last_modification", value:"$Date: 2017-01-20 14:10:56 +0100 (Fri, 20 Jan 2017) $");
  ## Detection quality: the verdict rests on a file version comparison,
  ## not on an exploitation attempt.
  script_tag(name:"qod_type", value:"executable_version");

  ## Report text shown to the user
  script_tag(name:"summary", value:"This host is missing an important security
update according to Microsoft Bulletin MS15-070.");
  script_tag(name:"vuldetect", value:"Get the vulnerable file version and check
appropriate patch is applied or not.");
  script_tag(name:"insight", value:"Multiple flaws are due to improper handling
of files in the memory.");
  script_tag(name:"impact", value:"Successful exploitation will allow remote
attackers to run arbitrary code in the context of the current user.
Impact Level: System/Application");
  script_tag(name:"affected", value:"
Microsoft Word 2007 Service Pack 3 and prior,
Microsoft Word 2010 Service Pack 2 and prior,
Microsoft Word 2013 Service Pack 1 and prior.");
  script_tag(name:"solution", value:"Run Windows Update and update the listed
hotfixes or download and update mentioned hotfixes in the advisory from the
below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070");
  script_tag(name:"solution_type", value:"VendorFix");

  ## Vendor references: the per-product KB articles and the bulletin itself
  script_xref(name:"URL", value:"https://support.microsoft.com/en-us/kb/3054996");
  script_xref(name:"URL", value:"https://support.microsoft.com/en-us/kb/3054973");
  script_xref(name:"URL", value:"https://support.microsoft.com/en-us/kb/3054990");
  script_xref(name:"URL", value:"https://technet.microsoft.com/en-us/library/security/MS15-070");

  ## Prerequisites: the Word version must already have been gathered into the KB
  script_dependencies("secpod_office_products_version_900032.nasl");
  script_mandatory_keys("SMB/Office/Word/Version");

  exit(0);
}
include("version_func.inc");
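## variable Initialization
## The Word version is gathered by secpod_office_products_version_900032.nasl
## (see script_dependencies / script_mandatory_keys); without it there is
## nothing to check.
winwordVer = get_kb_item("SMB/Office/Word/Version");
if(!winwordVer) exit(0);

## Microsoft Office Word 2007/2010/2013 (major versions 12, 14 and 15).
## Other major versions are out of scope for this test and are skipped.
if(winwordVer !~ "^(12|14|15).*") exit(0);

## Vulnerable build ranges per product line, keyed by the lower bound.
## The upper bound is the last build still missing the MS15-070 update;
## the corresponding KB articles are referenced in the description block.
vulnRanges = make_array("12.0", "12.0.6726.4999",
                        "14.0", "14.0.7153.5001",
                        "15.0", "15.0.4737.1002");

foreach lowerVer(keys(vulnRanges))
{
  upperVer = vulnRanges[lowerVer];
  if(version_in_range(version:winwordVer, test_version:lowerVer, test_version2:upperVer))
  {
    ## Include the evidence behind the finding so the result can be triaged
    ## (and false positives spotted) without re-running version gathering.
    report = "Installed version: " + winwordVer + '\n' +
             "Vulnerable range:  " + lowerVer + " - " + upperVer;
    security_message(port:0, data:report);
    exit(0);
  }
}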
{"id": "OPENVAS:1361412562310805811", "bulletinFamily": "scanner", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "published": "2015-07-15T00:00:00", "modified": "2017-01-20T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "type": "openvas", "lastseen": "2017-07-02T21:11:46", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "617e6f50c56eaa4331691c7265607b87"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "9bc2513a9afb621223fc7b827b4730e3"}, {"key": "href", "hash": "edb0556a59a18ed6b6e2464eb93a43b5"}, {"key": "modified", "hash": "1bd2437e51c65f396d573496bf505abf"}, {"key": "naslFamily", "hash": "c9898bc973bfffca5119f1a3bfa73a8d"}, {"key": "pluginID", "hash": "361910b6fb469730e56758bd54ea77df"}, {"key": "published", "hash": "b0ca152f2b27a812e2f2b87d3fe780f8"}, {"key": "references", "hash": "bb6754d79f2132b0e347144186a9bc7d"}, {"key": "reporter", "hash": "1e898993712db5cf9f9a110102684025"}, {"key": "sourceData", "hash": "dbaad86219df8ed5ae8594dfb7671a12"}, {"key": "title", "hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "07f1af6b15f2505dc85e1f9d70626636d35883999d6c163aba28aea12185a88d", "viewCount": 0, "enchantments": {"vulnersScore": 
2.8}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 5053 2017-01-20 13:10:56Z cfi $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 5053 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-01-20 14:10:56 +0100 (Fri, 20 Jan 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft 
Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"\n Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## variable Initialization\nwinwordVer = \"\";\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n 
version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message(0);\n exit(0);\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "pluginID": "1361412562310805811"}
{"result": {"cve": [{"id": "CVE-2015-2424", "type": "cve", "title": "CVE-2015-2424", "description": "Microsoft PowerPoint 2007 SP3, Word 2007 SP3, PowerPoint 2010 SP2, Word 2010 SP2, PowerPoint 2013 SP1, Word 2013 SP1, and PowerPoint 2013 RT SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "published": "2015-07-14T17:59:35", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424", "cvelist": ["CVE-2015-2424"], "lastseen": "2017-09-22T10:42:10"}, {"id": "CVE-2015-2379", "type": "cve", "title": "CVE-2015-2379", "description": "Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Office for Mac 2011, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "published": "2015-07-14T17:59:13", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379", "cvelist": ["CVE-2015-2379"], "lastseen": "2017-09-22T10:42:09"}, {"id": "CVE-2015-2380", "type": "cve", "title": "CVE-2015-2380", "description": "Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, and Word 2013 RT SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "published": "2015-07-14T17:59:14", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380", "cvelist": ["CVE-2015-2380"], "lastseen": 
"2017-09-22T10:42:09"}], "symantec": [{"id": "SMNTC-75744", "type": "symantec", "title": "Microsoft Office CVE-2015-2424 Memory Corruption Vulnerability", "description": "### Description\n\nMicrosoft Office is prone to a remote memory-corruption vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft PowerPoint 2007 SP3 \n * Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions) \n * Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions) \n * Microsoft PowerPoint 2013 RT Service Pack 1 \n * Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions) \n * Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions) \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2013 Service Pack 1 (32-bit editions) \n * Microsoft Word 2013 Service Pack 1 (64-bit editions) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. 
Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "published": "2015-07-14T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75744", "cvelist": ["CVE-2015-2424"], "lastseen": "2018-03-14T00:21:44"}, {"id": "SMNTC-75645", "type": "symantec", "title": "Microsoft Office CVE-2015-2379 Memory Corruption Vulnerability", "description": "### Description\n\nMicrosoft Office is prone to a remote memory-corruption vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. 
Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2010 Service Pack 2 (32-bit editions) \n * Microsoft Office 2010 Service Pack 2 (64-bit editions) \n * Microsoft Office for Mac 2011 \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2013 RT Service Pack 1 \n * Microsoft Word 2013 Service Pack 1 (32-bit editions) \n * Microsoft Word 2013 Service Pack 1 (64-bit editions) \n * Microsoft Word Viewer \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. 
This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "published": "2015-07-14T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75645", "cvelist": ["CVE-2015-2379"], "lastseen": "2018-03-14T22:42:47"}], "openvas": [{"id": "OPENVAS:1361412562310805810", "type": "openvas", "title": "Microsoft Office PowerPoint Remote Code Execution Vulnerability (3072620)", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "published": "2015-07-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805810", "cvelist": ["CVE-2015-2424"], "lastseen": "2017-07-19T10:52:45"}, {"id": "OPENVAS:1361412562310805814", "type": "openvas", "title": "Microsoft Office Word Viewer Memory Corruption Vulnerability (3072620)", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "published": "2015-07-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805814", "cvelist": ["CVE-2015-2379"], "lastseen": "2017-07-10T10:51:59"}, {"id": "OPENVAS:1361412562310805923", "type": "openvas", "title": "Microsoft Office Excel Remote Code Execution Vulnerabilities-3072620 (Mac OS X)", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "published": "2015-07-16T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310805923", "cvelist": ["CVE-2015-2376", "CVE-2015-2379"], "lastseen": "2017-07-02T21:11:50"}], "threatpost": [{"id": "OFFICE-JAVA-PATCHES-ERASE-LATEST-APT-28-ZERO-DAYS/113825", "type": "threatpost", "title": "Office, Java Patches Erase Latest APT 28 Zero Days", "description": "An APT group thought to be tied to Russia is flying against conventional wisdom, having as recently as the last three weeks dropped its sixth zero-day in the past four months.\n\nGiven the underground value of unpatched and unreported vulnerabilities, this is highly unusual behavior, even for a state-sponsored cyberespionage team.\n\n### Related Posts\n\n#### [Threatpost News Wrap, August 19, 2016](<https://threatpost.com/threatpost-news-wrap-august-19-2016/120003/> \"Permalink to Threatpost News Wrap, August 19, 2016\" )\n\nAugust 19, 2016 , 9:00 am\n\n#### [EFF Blasts Microsoft Over \u2018Malicious\u2019 Windows 10 Rollout Tactics](<https://threatpost.com/eff-blasts-microsoft-over-malicious-windows-10-rollout-tactics/120006/> \"Permalink to EFF Blasts Microsoft Over \u2018Malicious\u2019 Windows 10 Rollout Tactics\" )\n\nAugust 18, 2016 , 4:38 pm\n\n#### [Latest Windows UAC Bypass Permits Code Execution](<https://threatpost.com/latest-windows-uac-bypass-permits-code-execution/119887/> \"Permalink to Latest Windows UAC Bypass Permits Code Execution\" )\n\nAugust 15, 2016 , 3:35 pm\n\nNonetheless, [APT 28](<https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049>), also known by other nicknames such as Tsar Team, Operation Pawn Storm, and Sednit, has been a busy gang targeting government agencies and military operations with a host of Adobe Flash, Microsoft and Java-based zero-days at their disposal.\n\nThis week alone, two zero-days attributed to this team disappeared when they were [patched by Microsoft](<https://threatpost.com/microsoft-patches-hacking-team-windows-kernel-zero-day/113788>) and Oracle in Office 
and Java respectively. Researchers at [iSight Partners](<http://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/>) reported the Office zero-day to Microsoft on June 30 and it was patched on Tuesday in [MS15-070](<https://technet.microsoft.com/en-us/library/security/MS15-070>), an Office security bulletin that patched 13 other vulnerabilities in the software. Later that night, [Oracle erased a Java zero-day](<https://threatpost.com/oracle-patches-java-zero-day/113792>) in its quarterly Critical Patch Update that was used against a U.S.-based defense contractor and foreign military outfits. It was the first Java zero day actively exploited in the wild since 2013, experts said.\n\nAPT 28 keeps a vast arsenal of malware and domains under its control, according to researchers Brian Bartholomew and Jonathan Leathery of iSight.\n\n\u201cThis indicates it\u2019s not a handful of guys; this is an organization managing this stuff,\u201d Bartholomew said, adding that the group has also been known to use cryptocurrency such as Bitcoin to buy domains in order to hide registration information and remain anonymous. \u201cIt\u2019s hard to manage that much infrastructure that they own.\u201d\n\nFive of the half-dozen zero days, Bartholomew said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was uncovered after the Hacking Team breach.\n\n\u201cThey actually rewrote it, which is interesting. It\u2019s not just a copy of the [Hacking Team] proof of concept with their own shell code added,\u201d Bartholomew said.\n\nThe Office zero day, CVE-2015-2424, was likely still under development since iSight researchers said it was still fairly buggy and unreliable. It was likely spread via spear phishing emails, specifically targeting individuals or groups within sensitive organizations. 
The lure found by iSight was a Word document purporting to be an analysis of the Iran nuclear deal.\n\n\u201cIt\u2019s a heap corruption vulnerability in Office where it\u2019s mishandling an object in memory, which allowed for remote code execution from the weaponized document,\u201d Leathery said, adding that the message also included a CNN article on the Iran deal published June 28. The likely targets were the former Soviet republic of Georgia.\n\nThe payload is a variant of the Sofacy or Sednit Trojan, which immediately opens a backdoor to a number of attacker-controlled domains where stolen data is sent. Some of the domains, iSight said, are benign or do not belong to the APT group, a false-flag of sorts. The targets are government agencies in Eastern Europe or NATO, along with critical industries such as nuclear, telecommunications, defense industrial base and diplomatic interests.\n\nThe group is not only adept at gathering intelligence from foreign interests, but also focuses on internal dissidents and threats to national security in Russia, iSight said. One counter-terrorism operation attributed to this group is the so-called Cyber Caliphate hacktivist operation, where hackers posing as ISIS supporters set up lures via social media or forums trying to attract those sympathetic to the Islamic State. Once some confidence is established with a target via direct messaging, APT 28 would entice them to install an application that was malicious and allowed them to monitor the dissidents\u2019 activities.\n\nDespite the fact that this particular Office\u2014and Java\u2014zero day has been patched, iSight believes APT 28 is well resourced and has more at its disposal.\n\n\u201cThis throws a wrench in their plans; usually they can get a few months out of a zero day before a patch is out,\u201d Bartholomew said. 
\u201cIt\u2019s unprecedented using this many zero days, but at the same time, they have access to developers who can build these or have the resources to buy them.\u201d", "published": "2015-07-16T13:46:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/", "cvelist": ["CVE-2015-5119", "CVE-2015-2424"], "lastseen": "2016-09-04T20:45:11"}], "kaspersky": [{"id": "KLA10632", "type": "kaspersky", "title": "\r KLA10632Multiple vulnerabilities in Microsoft Office\t\t\t ", "description": "### *CVSS*:\n9.3\n\n### *Detect date*:\n07/14/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft office. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, gain privileges or execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Office 2007 Service Pack 3 \nMicrosoft Office 2010 Service Pack 2 \nMicrosoft Office 2013 Service Pack 1 \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office for Mac 2011 \nMicrosoft Excel Viewer 2007 Service Pack 3 \nMicrosoft Office Compatibility Pack Service Pack 3 \nMicrosoft Word Viewer \nMicrosoft SharePoint Server 2007 Service Pack 3 \nMicrosoft SharePoint Server 2010 Service Pack 2 \nMicrosoft SharePoint Server 2013 Service Pack 1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS15-070](<https://technet.microsoft.com/en-us/library/security/MS15-070>) \n\n\n### *Impacts*:\nACE \n\n### *CVE-IDS*:\n[CVE-2015-2380](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2380>) \n[CVE-2015-2378](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2378>) 
\n[CVE-2015-2379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2379>) \n[CVE-2015-2375](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2375>) \n[CVE-2015-2376](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2376>) \n[CVE-2015-2377](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2377>) \n[CVE-2015-2415](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2415>) \n[CVE-2015-2424](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2424>) \n\n\n### *Microsoft official advisories*:\n[MS15-070](<https://technet.microsoft.com/en-us/library/security/MS15-070>)\n\n### *KB list*:\n[3072620](<http://support.microsoft.com/kb/3072620>) \n[2837612](<http://support.microsoft.com/kb/2837612>) \n[2965283](<http://support.microsoft.com/kb/2965283>) \n[2965208](<http://support.microsoft.com/kb/2965208>) \n[2965281](<http://support.microsoft.com/kb/2965281>) \n[2965209](<http://support.microsoft.com/kb/2965209>) \n[3073865](<http://support.microsoft.com/kb/3073865>) \n[3054981](<http://support.microsoft.com/kb/3054981>) \n[3054968](<http://support.microsoft.com/kb/3054968>) \n[3054996](<http://support.microsoft.com/kb/3054996>) \n[3054990](<http://support.microsoft.com/kb/3054990>) \n[3054861](<http://support.microsoft.com/kb/3054861>) \n[3054949](<http://support.microsoft.com/kb/3054949>) \n[3054958](<http://support.microsoft.com/kb/3054958>) \n[3054973](<http://support.microsoft.com/kb/3054973>) \n[3054963](<http://support.microsoft.com/kb/3054963>) \n[3054971](<http://support.microsoft.com/kb/3054971>) \n[3054999](<http://support.microsoft.com/kb/3054999>)", "published": "2015-07-14T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10632", "cvelist": ["CVE-2015-2377", "CVE-2015-2378", "CVE-2015-2376", "CVE-2015-2375", "CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380", "CVE-2015-2415"], "lastseen": 
"2018-02-19T21:29:00"}], "nessus": [{"id": "SMB_NT_MS15-070.NASL", "type": "nessus", "title": "MS15-070: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3072620)", "description": "The remote Windows host has a version of Microsoft Office, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, SharePoint Server, or Microsoft Office Compatibility Pack installed that is affected by multiple vulnerabilities :\n\n - An ASLR bypass vulnerability exists in Microsoft Excel due to memory being released in an unintended manner. A remote attacker can exploit this by convincing a user to open a specially crafted Excel (.xls) file, allowing the attacker to more reliably predict the memory offsets of specific instructions in a given call stack. The attacker can then utilize this information to more easily exploit additional vulnerabilities.\n (CVE-2015-2375)\n\n - Multiple remote code execution vulnerabilities exist due to improper handling of objects in memory. A remote attacker can exploit these vulnerabilities by convincing a user to open a specially crafted file, resulting in the execution of arbitrary code in the context of the current user. (CVE-2015-2376, CVE-2015-2377, CVE-2015-2379, CVE-2015-2380, CVE-2015-2415, CVE-2015-2424)\n\n - A remote code execution vulnerability exists in Microsoft excel due to improper handling of the loading of dynamic link library (DLL) files. 
A remote attacker can exploit this vulnerability by placing a specially crafted DLL file in the user's current working directory and then convincing the user to launch a program designed to load the DLL, resulting in the execution of arbitrary code in the context of the current user.\n (CVE-2015-2378)", "published": "2015-07-14T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84739", "cvelist": ["CVE-2015-2377", "CVE-2015-2378", "CVE-2015-2376", "CVE-2015-2375", "CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380", "CVE-2015-2415"], "lastseen": "2017-10-29T13:36:40"}, {"id": "MACOSX_MS15-070_OFFICE_2011.NASL", "type": "nessus", "title": "MS15-070: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3072620)", "description": "The remote Mac OS X host has a version of Microsoft Excel installed that is affected by multiple remote code execution vulnerabilities due to improper handling of objects in memory. A remote attacker can exploit these vulnerabilities by convincing a user to open a specially crafted file, resulting in the execution of arbitrary code in the context of the current user.", "published": "2015-07-14T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84740", "cvelist": ["CVE-2015-2376", "CVE-2015-2379"], "lastseen": "2017-10-29T13:46:00"}]}}