Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We’re entering our Year in Review period. Now’s the time to look back on the top stories from 2019 and think about what we learned.
In the vulnerability space, Talos researchers were just as busy as always. We disclosed more than one vulnerability per working day this year, many of which were in internet-of-things and ICS devices. For more on what we can take away from the year in vulnerability disclosures, check out our post here.
Speaking of vulnerabilities, we had many more to add to the yearly count this week. There’s too many to name here, but some highlights include a remote code execution bug in Apple’s Safari web browser and a denial-of-service in the Linux kernel.
Microsoft also disclosed its own set of vulnerabilities as part of the last Patch Tuesday of 2019. Check out our breakdown of the most notable bugs here and our Snort rules to protect against exploitation of them here. Talos discovered two of the bugs patched this month, both in Windows Remote Desktop Protocol in older versions of Windows.
Title:Microsoft discloses two critical bugs as part of monthly security update
**Description:**Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month’s Patch Tuesday covers 25 vulnerabilities, two of which are considered critical. This month’s security update covers security issues in a variety of Microsoft services and software, including Remote Desktop Protocol, Hyper-V and multiple Microsoft Office products.
**Snort SIDs:52402, 52403, 52410, 52411, 52419, 52420
** ****Title:AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability
**Description:**Cisco Talos recently discovered a denial-of-service vulnerability in a specific DLL inside of the AMD ATI Radeon line of video cards. This vulnerability can be triggered by supplying a malformed pixel shader inside a VMware guest operating system. Such an attack can be triggered from VMware guest usermode to cause an out-of-bounds memory read on vmware-vmx.exe process on host, or theoretically through WEBGL.
**Snort SIDs:**51461, 51462 (By Tim Muniz)
SHA 256:64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b
**MD5:**42143a53581e0304b08f61c2ef8032d7
**Typical Filename:**myfile.exe
**Claimed Product:**N/A
**Detection Name:Pdf.Phishing.Phishing::malicious.tht.talos
** ****SHA 256:f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
**MD5:**c5608e40f6f47ad84e2985804957c342
**Typical Filename:**FlashHelperServices.exe
**Claimed Product:Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd **
****SHA 256:3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
**MD5:**47b97de62ae8b2b927542aa5d7f3c858
**Typical Filename:**qmreportupload.exe
Claimed Product: qmreportupload **Detection Name: Win.Trojan.Generic::in10.talos **
****SHA 256:c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
**MD5:**e2ea315d9a83e7577053f52c974f6a5a
Typical Filename:c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin **Claimed Product: **N/A **Detection Name:W32.AgentWDCR:Gen.21gn.1201 **
****SHA 256:15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
**MD5:**799b30f47060ca05d80ece53866e01cc
**Typical Filename:**mf2016341595.exe
**Claimed Product:**N/A
**Detection Name:**W32.Generic:Gen.22fz.1201
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.